SINTEF researcher Marie Moe has a pacemaker. To her surprise, she discovered that it can be hacked. She recently held a presentation about the dangers when "everything" is connected to the Internet. Photo: Andreas Buarø

Researcher’s heart problems uncover security gap

Marie Moe, who is a SINTEF researcher in cybersecurity, discovered that her heart is being regulated by a pacemaker which can be hacked.

“I was shocked to discover that my pacemaker could be connected to the internet”, says Marie Moe. “It was then I realised that it’s possible for some computer nerd to hack the system and effectively control my heart. It was a very unpleasant experience”, she says.

She recently attended the 2017 Lerchendal Conference in Trondheim, Norway, themed ‘Digital Force for Change’, where cybersecurity was one of the subsidiary topics. Moe’s personal experience of the importance of this subject has resulted in her currently leading a SINTEF project looking into pacemakers and their security.

“My pacemaker can be hacked and the personal data it contains stolen”, she says. “In the worst case, human error by a hacker could be fatal. Or I could become exposed to blackmail. We cannot trust this technology. We’re very vulnerable now that anything and everything can be connected to the internet”, she explains.

Cyber wars have arrived!

The security challenges linked to what is perhaps the world’s greatest invention – the internet – do not only affect individuals. In 2014, industry giant Statoil was caught off guard when an IT technician pressed the wrong button, got in behind the firewall, and brought production to a standstill. Since then, there have been many similar incidents both on oil platforms and onshore installations that potentially could have been very dangerous. The Ukraine was subjected to a hacker attack which resulted in large segments of the country’s finance system being put out of action.

“We’re now in the middle of what could be called cyberwarfare and cyber criminality”, says Sofie Nystrøm, who is Director of the Center for Cyber and Information Security (CCIS). “It’s a situation that we don’t quite know how to handle. We need to a get a lot of experts putting their heads together, and more and more looking into this field”, she says.

Several studies are now demonstrating that Norway is a world leader in digitisation both within the private and public sectors. They also show that we are facing some major potential challenges when it comes to cybersecurity.

“The internet we have today was not designed to handle oil and gas, electricity distribution or transport systems”, says Nystrøm. It is built on very unstable foundations”, she says.

Clueless health personnel

The results of Moe’s project are not ready yet, but she is already travelling the world and telling her story about this vital topic. Five years ago her life was turned upside down when she experienced a fall and later found out that there was something wrong with her heart. A pacemaker was fitted, but none of the health personnel she came into contact with had any knowledge about the fact that it could be connected to the internet.

“This function is now switched off, and when the time comes to fit a new pacemaker, I’ll ask to have one that can’t be hooked up to the internet”, says Moe.

When nations or companies are subject to hacker attacks, this doesn’t only frighten individuals, but can also result in financial losses.

“A survey of cyber attacks shows that in 2016 they cost the global community USD 445 billion”, says Håkon Haugli, who is CEO at Abelia, a Norwegian federation of technology companies. This is big money, and the survey has shown that our understanding of this subject is woefully inadequate”, he says.

What is the most important thing we can do to boost security?

“We must continue to promote a security culture at individual, corporate and national levels”, says Haugli. “In Norway we tend to trust our employers and the public authorities, but it’s only a small step from trust to naivety. I also believe that stricter legislation linked to cybersecurity may put pressure on developers and suppliers”, he says.

Moe believes that suppliers must be made to feel a greater sense of responsibility when it comes to security.

“There’s probably a good deal of technology out there that shouldn’t be connected to the internet – if for no other reason than that it’s insufficiently mature” she says.