Thursday, January 26, 2023

Liability for Known Vulnerabilities Bill Introduced

Rep Mark Sloan (R,CA) introduced the Liability for Known Vulnerabilities Act today. The bill would make manufacturers of computer-controlled equipment used in hospitals and schools financially liable for deaths and serious injuries that result from cyberattacks on those institutions using vulnerabilities that had been reported to the vendor more than six months before the attack. Sloan’s Los Angeles office says that the bill is a direct response to the attack on the Angels Memorial Hospital earlier this week that killed four people.

The four deaths in the hospital’s intensive care ward occurred when backup power systems failed to restore power to critical medical monitoring systems and medical devices during a power outage caused by local storms. The uninterruptible power supply (UPS) control system had been breached by an unidentified hacker using vulnerabilities in the SotoPower HMI. Those vulnerabilities had been publicly reported to SotoPower last June by Israeli researchers. SotoPower reported Tuesday that they were still working on fixes for the reported vulnerabilities.

Sloan told reporters that an independent review of the Israeli research confirmed that the three reported vulnerabilities, including a path traversal vulnerability and a hard-coded credential vulnerability, were relatively easy to fix. “Security researchers looking at this week’s attack reported that those vulnerabilities were used to gain access to the system at Angels Memorial,” the Congressman explained. “Those basic vulnerabilities should not take six months to correct.”

Sloan’s bill would establish a prima facie case for product liability in any case where a cyberattack at a school or hospital resulted in deaths or serious injuries and the attack was facilitated by vulnerabilities that had been identified more than six months earlier.

CAUTIONARY NOTE: This is a future news story –

Tuesday, January 24, 2023

Hospital Deaths Due to UPS Hack

The Angels Memorial Hospital in Los Angeles announced today that three deaths overnight in its intensive care ward were due to a cyberattack on the hospital’s backup power system. A local power outage led to the failure of critical medical devices when the hospital’s UPS systems failed to switch power to the battery backups designed to take over in the event of local grid failures. The hospital has not released the names of the victims.

The Federal Bureau of Inquiry is investigating the apparent cyberattack that stopped the UPS control system from activating the backup power system. “Potential suspects have not yet been identified,” Johnathan Quest, FBI spokesperson, told reporters this afternoon. “But we are in the very early stages of the investigation.”

SotoPower has been identified as the manufacturer of the uninterruptible power supply system used by Angels Memorial. Jake Hanley, company spokesperson, told reporters in a brief statement that the company was cooperating fully with investigators. “The security of our systems is a high priority for our company,” Hanley said.

In the early summer of 2022, the Israeli cybersecurity firm BuddaHack published a report outlining three vulnerabilities in the SotoPower HMI, the control system used in the medical facility’s power backup system. Last month the federal ECS-CERT published an advisory about the same vulnerabilities. “SotoPower did not respond to our coordination efforts about the vulnerabilities reported by BuddaHack,” Immanuel C Securitage told reporters this afternoon. “We have no indication that the vulnerabilities have been addressed.”

Hanley responded to questions about the reported vulnerabilities. “We are continuing to work on remediation efforts,” he said. “Our web site includes instructions to protect systems from outside access.”

Ira Haaretz, a researcher with BuddaHack, told me that the vulnerabilities identified last summer could allow an attacker with access to the hospital network to reprogram the UPS control system. “These access control vulnerabilities provide a relatively low-skilled attacker with the ability to obtain administrative level access,” Haaretz said. “They do not require any significant programming capabilities beyond changing a publicly available URL.”

A wrongful death lawsuit was filed today in Los Angeles Superior Court on behalf of one of the families. Details were not available when this article was published.


CAUTIONARY NOTE: This is a future news story –