USB + GLP = WTF?

This one is kind of tricky. You want to have a closed computerized system in your laboratory. But on the other hand, you want to be able to have USB access to your system, in case a service technician has to save documents on a flash device. And here exactly starts the problem…

Do you know how to flash a USB ROM, to get this device to install “software” as a “USB Driver” or to download data silently? You don`t? This technique exists! And hold in the wrong hands, it opens a super massive vulnerability in unsecured computer systems. The most important questions here are: Do you trust your service engineer/employee? Are you prepared for such attacks? Do you really need USB connectivity?

Personally, I do not know how to be 100% save and I hope to get valuable inputs…

One direct action could be, to use hardware USB port blockers for all open ports (http://www.lindy-usa.com/usb-port-blocker-pack-of-4-color-code-pink-40450.html) and register your must have hardware (like your mice and keyboard) in the device manager, then block everything else. Inputs on this topic are highly appreciated!!

Also read this article (https://www.kb.cert.org/vuls/id/889747) and/or search Google for keywords like “usb rom vulnerability windows”, “usb rom vulnerability mac”, “bad usb”.

Published in General, HowTo

Comments

  1. Rob van Blijswjk

    You have several options to solve this. Below some ideas which are based on personal experience and may be can help you.

    Many companies have IT and Government rules and regulations for this kind of matter. Depends on which market you are working. Pharmaceuticals (i.e.FDA) have more restricted rules than some commercial testing (i.e. ASTM/ISO) labs. The laboratory is responsible to be complaint with rules and regulatory.

    At first:
    Try to think about these rules when buying/selecting or supplying such systems for a GLP lab. This should be part of the URS and validation approach of the system for GLP. Datahandling, support, backup and restore, etc. in should be in the requirements for the system.

    Think about the following questions during setting these requirements (in relation to the original question):
    If you have an closed IT system, how do you want to make backups of Operating systems, software and data? How do you save and ensure raw data? Is there a (time driven) backup created or and image? And how do you transfer data to i.e. a LIMS, ELN or SDMS system? Or is a printer connected and store the papers in GLP archive? Are there different user accounts for the PC configured? May be create also 1 service account which has more rights (network yes/no) than the general lab user.
    I prefer to use one of these directions to get data from the system instead of installing vulnerable software on the system. This has a potential (unknown) danger to the working of the validated system!

    If the system is damaged or out of order and needs to be repaired, then the status of GLP changes in my idea. A (partial) re-validation is needed to get back in validation status. During the repair actions a vendor can discuss with the owner how to solve the problem. (replacement, assistance from IT department needed?)

    A Service Level Agreement (SLA) or support contract with a Non-Disclosure-Agreement (NDA) can be setup during the buying process. This NDA should cover the trusted relation between vendor and customer.

Your email address will not be published. Required fields are marked *