How Life Sciences Companies can Mitigate the Risks of "Meltdown" & "Spectre"

Early last week news outlets and online publishers broke news of a critical flaw in computer chips manufactured by chip giant Intel. These chips, some of the most commonly used chips globally have two significant vulnerabilities that allow malicious persons to hack into the computer’s internal CPU and memory, which can lead to the complete compromise of a system. The exploit was discovered by researchers in Germany who wrote in disbelief to news agencies as they described their findings. These exploits have been named Meltdown and Spectre, click the link to learn more about what each of these consist of.

While Intel CEO, Brian Krzanich, has claimed that fixes are on the way for serious chip security flaws, many security and hardware experts say we will be feeling the effect of these flaws for many years to come, primarily because these chips effect almost ever device on the planet. These experts also claim that the flaws that have been discovered reflect a fundamental hardware defect that can’t be fixed short of a recall.

While this may seem like an end of the world Armageddon scenario for more IT leaders, there are some steps that CIOs and IT professionals can take to mitigate the risks of the exploits. Following the news breaking, our platform team (who is tasked with the security of our Montrium Connect platform) put their heads together to create an action plan for life sciences organizations to limit the effects of the exploit. The following is our thoughts on what you should do next.

The Life Sciences Intel Chip Exploit Action Plan

So first things first, let's just set the scene. This action plan isn't going to remedy all of the current issues associated with the Intel Chip flaw, unfortunately we don't have a magic wand that can wash away 20 years of bad chip design. However, we do have some critical steps that will help mitigate the risks and limit the effects of these exploits.

Here's what platform manager, Samuel Collier had to say on the matter:

Unlike other issues that have come up in recent years, this one is in the hardware of the chips themselves.  That's the fun part - there are steps to limit these effects, which is essentially to apply all updates, but nothing to completely eliminate it.  It's not that software behaves badly, it's that the chips themselves are designed badly, and it's ALL chips (Intel, AMD, ARM) - newsflash!

The Techie explanation...

Essentially, processors are designed to be more efficient by making multiple predictions of the future - they get 1 problem with 2 possible answers, and rather than wait until it actually makes the calculation, it jumps ahead to the next step (then just discards the wrong answers as it figures it out). It sounds weird, but it actually works well for multi-core processors. This 'false prediction' leads to a way an attacker can exploit the system - and no amount of software is going to fully fix it.

Now, there are three things that are important to provide the 'best possible', but imperfect, protection:

1. Patch everything...

Essentially, processors are designed to be more efficient by making multiple predictions of the future - they get 1 problem with multiple possible answers (such as what value is stored in memory), and rather than wait until it actually makes the calculation, it jumps ahead to the next step before ensuring it’s actually correct. It then just discards the wrong answers as it figures it out. It sounds weird, but it actually works well for multi-core processors and is an important performance feature. This 'false prediction' leads to a way an attacker can exploit the system - and no amount of software is going to fully fix it. 

There are conflicting reports on the patches themselves – Intel has claimed that they can patch most modern processors to make them immune to Spectre and Meltdown, though there is a potentially 30% performance hit. A patch was also released and subsequently retracted for AMD processors, after reports it caused the dreaded blue screen of death on many PC’s, in some cases causing them to simply not boot up anymore.

Now, there are three things that are important to provide the 'best possible', but imperfect, protection:

2. Apply standard security practices

Standard security practices are somewhat effective - as a user would still need to compromise a computer or server in some small way first before exploiting this.  As briefly mentioned above, there are two related vulnerabilities that have come from the chip flaw: Spectre and Meltdown.

The good news is in the case of both Spectre and Meltdown, some local access to the system is required initially in order to actually exploit the system.  A network connection alone is not enough to exploit either of these – the bad guys have to have access in some way first. As such, a likely vector for the execution of an attack based on these would likely be the typical culprits of malware, or a malicious website.

Comprehensive coverage with a good security software, employee training for information security awareness, as well as robust isolation of physical systems, would reduce the likelihood of the vulnerabilities being exploited, albeit not with 100% success.

Using a cloud provider who has good security would be good step for both of these.

3. Plan for new hardware when it becomes available

Finally, plan for new hardware when it becomes available.  The issue is really in the physical silicon, so new silicon is required to fully fix it, but of course this will take months\years to fully come out. Ensure that your IT teams or software vendor is monitoring hardware releases to ensure these upgrades to hardware are planned when available.

 

To conclude..

While you should be mindful of the recent exposed vulnerabilities, trust in the industry and Intel to release hardware and software patches in the coming months to remedy some of the issues that have come with these flaws. However, taking the steps to mitigate these risks will be an important step in ensuring that the effects of the recent news are limited and don't effect how you operate.

If you're a Montrium customer and have specific questions about how we are mitigating the risks of the Intel chip vulnerabilities, feel free to reach out to info@montrium.com.

Finally, how are you mitigating the risks? Do you have any thoughts or steps to add that life science organizations should be undertaking? Comment below!

 The Microsoft Azure Cloud

About the Author: Sam Collier

Request a demo - Montrium

Recent Posts