Title: Universal Connectivity Board Product Security White Paper

Product Security White Paper


Universal Connectivity Board (UCB) with ConnectAssure

STERIS is committed to providing secure products to our Customers due to the significant
role that our medical devices play in their patient care and healthcare delivery services.
STERIS understands the increasing cybersecurity threats to the healthcare and public health
sector. We are committed to incorporating industry-recognized cybersecurity guidance and
practices in the development, deployment, installation, continuous monitoring, and
maintenance of our medical devices. We are also committed to complying with applicable
regional, federal, and local privacy and security laws and regulations, including HIPAA Security
Rule, HITECH ACT and other regulations.

STERIS continuously strives to implement reasonable administrative, technical, and physical
safeguards to help protect against security incidents and privacy breaches involving the
Universal Connectivity Board, provided the product is used in accordance with STERIS’s
instructions for use. However, it is well understood in the security and healthcare industry
that the threat landscape and sophistication of threat actors are continuously and rapidly
evolving. A shared responsibility in maintaining security and privacy safeguards is the best
approach to minimizing the impact of malicious attacks and unanticipated errors that exploit
unanticipated vulnerabilities. We appreciate, and will investigate as soon as possible, any
raised concerns. Where appropriate, we will address the issue with product changes, technical
bulletins and/or responsible disclosures to Customers and Regulators.

STERIS improves security and privacy throughout the UCB lifecycle by adopting practices
such as:

- Product and Supplier Risk Assessment
- Privacy and Security by Design
- Secure Coding Practices and Analysis
- Vulnerability and Patch Management
- Vulnerability Scanning and Security Testing
- Access Controls appropriate to Customer Data
- Incident Response
- Information Sharing and Coordinated Vulnerability Disclosure

Complaints about the Company’s compliance with HIPAA Rules or its Privacy Policy should
be provided in writing to the Privacy Officer. Complaints should be made through the
Company Integrity Helpline, which can be accessed by phone or through electronic
reporting.

Electronic reporting:
- Within the United States: www.reportlineweb.com/steris
- International: https://iwf.tnwgrc.com/steris

Phone numbers:
- Within the United States: 1-855-326-9721
- International: Refer to: https://www.steris.com/about/business/code-of-conduct
UCB w/ CAT Product Security Whitepaper

The purpose of this document is to detail how our security and privacy practices have been
applied to the Universal Connectivity Board.

Summary - Data Privacy and Security

This table provides a quick summary of the STERIS UCB Connectivity solution from a data
privacy and security perspective. Multiple terms like UCB are introduced here. Refer to
further sections in this document for details.

| Key Question | Description |
| --- | --- |
| PHI data | PHI data is not collected or transmitted or stored |
| PII data | PII data is not collected from STERIS Equipment or transmitted to STERIS Servers. Machine data (like Cycle Tapes and Alarms) is transmitted by UCB. This data can be viewed by Customers through ConnectAssure Viewer or through connected compatible tracking system. |
| Remote login and Access to STERIS Software deployed on Customer Premises | UCB installed in Customer premises with STERIS Equipment does not allow Remote Access or Login. |
| Authentication | Machine data is transmitted via SSL connections using JSON tokens to authenticate the communication |
| Software Upgrades | Software Upgrades are done remotely and automated. UCB regularly checks for available upgrades and downloads them. Customer Users can be provisioned to receive Email notifications about upcoming updates and confirmation/re-scheduling of upgrades (future). |
| System Hardening | UCBs installed on Customer premises allow installation of only STERIS signed software. Untrusted software cannot be installed. |
| Vulnerability Scanning | Vulnerability Scanning is performed on the UCB by STERIS using Qualys Web Application Scanning prior to release of any UCB configuration or OS change |
| Third-party Penetration Testing | Third-party penetration testing was performed on UCB before initial release to Customers. As part of every release, risk assessment may be conducted to identify potential vulnerabilities depending on the impact of changes. Further third-party penetration tests may be conducted based on risk assessment. |


System Architecture

Connectivity to STERIS Equipment is illustrated in the System context diagram below and
each sub-system is described further below.

STERIS Equipment
This is STERIS Equipment supported by STERIS Connectivity Architecture. This is typically a
STERIS Infection Prevention Technology (IPT) product like a Sterilizer, Washer / Disinfector
or Automated Endoscope Reprocessor sending data to ConnectAssure Technology software.

Universal Connectivity Board (UCB)


The UCB is an optional Connectivity Kit hardware manufactured and assembled by STERIS.
The UCB is available for specific STERIS Healthcare IPT Equipment to retrieve machine data.
It directly connects to the STERIS Equipment using the available network interfaces (Ethernet
or Serial) supported by the Equipment. When a UCB is installed, it isolates STERIS Equipment
from other networks acting as a dedicated Gateway (UCB as forwarding proxy) for the
Equipment.

Each UCB is provisioned with unique X.509 PKI Client Certificates for authentication and is
hardened by applying the Chain of Trust method; refer to the section System Hardening
Standards for more details.


UCB establishes communication on a TLS transport channel. Authentication and Authorization
of UCB is done in the following way:

- Client Certificate based UCB Authentication – UCB leverages the X.509 PKI Standard.
Client Certificate is installed by STERIS in the UCB during manufacturing.
- UCB Authorization – UCB is authorized to submit data for the Equipment Serial Number
for which the UCB was provisioned. If a UCB Client certificate is compromised and
installed on another UCB or any untrusted device, any data sent by these devices is
rejected.

Certificate Management Service


Certificate Management Service is responsible for the Certificate Life Cycle Management. This
service provisions and manages the certificates provided by STERIS for use on UCB. The UCB
must maintain a connection to the Certificate Management Service to ensure secured,
authenticated communications. The UCB requires connection to the Certificate Management
Service to achieve the following:

- Provisioning UCB during manufacturing and assembly by STERIS with a unique X.509
PKI Client Certificate before shipping
- Certificate Rotation on a regular basis per assessment by STERIS; the interval may change
over time based on revised assessments.
- As of this version of this document, Certificates are valid for one year from the time of
manufacturing of the UCB and auto rotated every three months when UCB is connected
to STERIS Certificate Management Service.

Remote Software Upgrade Service


Remote Software Upgrade Service runs on a SaaS platform hosted by a STERIS Vendor.
UCB connects to the Remote Software Upgrade Service regularly and checks for availability
of software upgrades. End-to-end security is addressed through the following measures:

- UCB Software patches/images are code-signed. This allows only code trusted and
signed by designated STERIS certificate to be installed on the UCB.
- Only trusted UCBs can download UCB Software. Each UCB is provisioned with a unique
Client Certificate. Only Client Certificates signed by the STERIS Certificate Authority
can successfully authenticate to the Remote Upgrade Service for downloading software
updates.

The above measures ensure UCB is protected from the possibility of any spurious or
unauthenticated software, even when STERIS software updates are hosted on STERIS
Vendor’s SaaS platform.


Hardware Specifications

Universal Connectivity Board


o DFI EC900 with Serial/Ethernet cables for direct connection to Equipment and
Hospital Network
o ARM-Based Fanless Embedded System
o 2GB DDR3L memory onboard
o 8GB eMMC for storage
o Rich I/O ports: 2GbE, 2 COM, 2 USB 2.0, 1 USB OTG

Operating Systems

UCB (installed on Customer Premises)

- Embedded Linux based on Linux Kernel 5.4

Remote Upgrade Service

- IoT Rollouts is a fully managed cloud service provided as Software-as-a-Service

Network Ports and Services

The following URLs and ports must be open for the UCB to access Remote Software Upgrades:

| Application/Service | Purpose | URL |
| --- | --- | --- |
| STERIS Key Management Service | x.509 Key Management for UCB | https://pckeys.steris.com:443 |
| Remote Software Upgrades to UCB | Remote Software Upgrades to UCB | https://api.eu1.bosch-iot-rollouts.com:443 |

* Web sockets based: This service requires WebSocket to be enabled. Ensure your (STERIS
Customer) firewall allows requests to pass through to the Host and all URLs of this host.

Sensitive Data Transmitted

- Equipment machine and cycle data is transmitted. No PHI or PII data is transmitted
- Data in Transit: Encrypted
- Data at Rest (in UCB): Not Encrypted

Sensitive Data Stored

- PII data – None
- PHI data – None


Network/Data Flow/System Architecture Diagram

For overall System Architecture diagram, refer to diagram below, repeated from page 5.

Secure Coding Standards and IT Network Risk Management

| Application/Service | Purpose | IT-Network Risk Management |
| --- | --- | --- |
| Universal Connectivity Board (UCB) | Equipment Machine Data Interface | IEC TR 80001-2-8: 2016 |
| STERIS Key Management Service | x.509 Key Management for UCB | OWASP |
| Remote Software Upgrades (based on IoT Rollout) | Remote Software Upgrades to UCB | IoT Rollouts are checked against OWASP Top 10, OWASP API Top 10. Additionally, Bosch.IO organization and locations are certified ISO 27001 |


Software Bill of Materials (SBOM)

STERIS has created the Software Bill of Materials (SBOM) for UCB and updates it
regularly. To request the SBOM, contact: [email protected].

System Hardening Standards

| UCB Connectivity Component | Name of Standard | Version Number | Source of Standard |
| --- | --- | --- | --- |
| UCB | Secure Boot & Chain of Trust | HABv4 | High Assurance Booting (HAB) on i.MX6 |
| UCB | Code Signing for UCB Software | 1 | dm-verity with signed hash using STERIS private key |
| UCB | PKI x.509 Digital Certificates for Authentication | V3 | PKI |
| UCB | Transport Channel Security | TLS 1.2, 1.3 | TLS |

UCB Chain of Trust


A chain of trust is established by validating each software component from the end entity up
to the root certificate. It is intended to ensure that only trusted software can be installed
and executed.

UCB establishes chain of trust in the following manner:

- UCB is an embedded Linux system with three major components: bootloader, kernel
and root filesystem.
- All the components are signed, and the signatures are checked during boot.

The illustration below shows how each component validates the signature of the next
component in the boot chain, so that only STERIS-signed components can be installed
on the UCB. If existing UCB software is altered by any means, the chain of trust fails and
the UCB does not start the altered component in the chain.

- UCB implements a secure boot process where the bootloader, kernel and root file
  system are signed.
- Signature of all the components is verified during the boot process.
- High Assurance Boot (HAB) is used for validating the signature of the first stage
  bootloader.
- Bootloader will check the signature of the FIT image.
- FIT image is a container that contains Linux kernel image, device tree and an initial
  ramdisk.
- Kernel runs the init program from the ramdisk image, which has the logic to verify
  the integrity of the final root filesystem before mounting it.
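
A simplified model of the boot chain described above, added here as an illustration and not taken from STERIS software. SHA-256 digests pinned in each stage stand in for the signature checks (HAB, FIT signature, dm-verity signed root hash); the stage names, image contents and hash-tree layout are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass

BLOCK = 4096    # rootfs block size assumed by this model
DIGEST = 32     # SHA-256 digest length

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def rootfs_root_hash(image: bytes) -> bytes:
    """Root of a hash tree over fixed-size blocks (simplified, dm-verity style)."""
    blocks = [image[i:i + BLOCK].ljust(BLOCK, b"\0")
              for i in range(0, max(len(image), 1), BLOCK)]
    level = [_h(b) for b in blocks]
    fanout = BLOCK // DIGEST            # digests that fit in one hash block
    while len(level) > 1:
        level = [_h(b"".join(level[i:i + fanout]).ljust(BLOCK, b"\0"))
                 for i in range(0, len(level), fanout)]
    return level[0]

@dataclass
class Stage:
    name: str
    image: bytes
    expects: bytes   # digest this stage pins for the NEXT component

    def measured(self) -> bytes:
        # The pinned digest is measured together with the code, so replacing
        # the expectation is detected exactly like replacing the code.
        return _h(self.image + self.expects)

def build_chain(bootloader: bytes, fit: bytes, rootfs: bytes):
    """Build back to front; returns (root_of_trust, [bootloader, fit] stages)."""
    fit_stage = Stage("fit-image", fit, rootfs_root_hash(rootfs))
    boot_stage = Stage("bootloader", bootloader, fit_stage.measured())
    return boot_stage.measured(), [boot_stage, fit_stage]

def boot(root_of_trust: bytes, stages, rootfs: bytes):
    """Return (started, failed): components that ran, and the first rejected one."""
    started, expected = [], root_of_trust
    for stage in stages:
        if not hmac.compare_digest(stage.measured(), expected):
            return started, stage.name      # halt: nothing later is started
        started.append(stage.name)
        expected = stage.expects
    if not hmac.compare_digest(rootfs_root_hash(rootfs), expected):
        return started, "rootfs"            # init refuses to mount it
    return started + ["rootfs"], None

# Constructed sample images (not real UCB software).
BOOTLOADER = b"constructed first-stage bootloader"
FIT = b"constructed kernel + device tree + initramfs"
ROOTFS = b"A" * BLOCK + b"B" * BLOCK + b"C" * 100

def demo():
    rot, stages = build_chain(BOOTLOADER, FIT, ROOTFS)
    clean = boot(rot, stages, ROOTFS)
    tampered = bytearray(ROOTFS)
    tampered[5000] ^= 1                     # flip one bit in the second block
    bad_rootfs = boot(rot, stages, bytes(tampered))
    patched = [stages[0], Stage("fit-image", FIT + b"!", stages[1].expects)]
    bad_fit = boot(rot, patched, ROOTFS)
    return clean, bad_rootfs, bad_fit

if __name__ == "__main__":
    for result in demo():
        print(result)
```

In the model, a single flipped bit in the root filesystem is caught only at the last link, while a modified FIT image stops the boot before the kernel stage runs.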

Malware Protection & Malware-free Shipping

The table below describes the Malware Protection and Malware-free Shipping measures taken
by STERIS.

| Application/Service | Purpose | Standards |
| --- | --- | --- |
| STERIS MQTT Broker Endpoint | Interface to UCB to transmit Equipment data to ConnectAssure | Azure Web Application Firewall, Crowdstrike Falcon |
| STERIS Key Management Service | x.509 Key Management for UCB | Azure Web Application Firewall, Crowdstrike Falcon |
| Remote Software Upgrades (IoT Rollout) | Remote Software Upgrades to UCB | Software artifacts are code-signed. Only STERIS signed software can be installed on UCB |
| Universal Connectivity Board (UCB) | Equipment interface to collect Equipment machine data | UCB is imaged in STERIS premises with applicable quality controls to ensure trusted and tested software is imaged. Refer to Chain of trust in the section System Hardening Standards. No explicit malware defense available, only STERIS signed software can be installed |

In addition, for the UCB, STERIS subscribes to a third party (a vendor for monitoring SOUP
software) that monitors changes to the UCB's SOUP software from a cybersecurity
perspective, and incorporates the changes that third party suggests.


Authentication Authorization

| Source System | Target Application/Service | Target Application/Service Standard | Comment |
| --- | --- | --- | --- |
| UCB | STERIS Key Management Service | MAC Address and Server Authentication | Unique UCB MAC Address and Time-limited registration of UCB to Key Management Service. Registration done during UCB kitting process in STERIS premises |
| UCB | Remote Software Upgrade Service | PKI X.509 Client Authentication. Mutual Authentication between UCB & Remote Software Upgrade Service | Remote Software Upgrade of UCB |

Network Controls

Installed facility (Healthcare Delivery Organization)


STERIS understands and supports Cybersecurity as a shared responsibility of HDOs and
MDMs. STERIS is a member of Industry collaboration platforms to help drive stronger
standards into the design and manufacturing of Medical Devices. STERIS is a member of
Health-ISAC, which is the global, peer-to-peer intelligence sharing community for the
healthcare sector, specifically communicating and collaborating in a trustworthy environment
to proactively prevent, detect, mitigate and respond to cybersecurity and physical security
threats.

STERIS will collaborate with HDOs to respond to any queries on Cybersecurity as HDOs assess
the network controls required to further improve Security in the network context in which
the UCB is deployed on HDO premises.


UCB
The IP address for the UCB can be assigned in the following ways:

- DHCP Unreserved – this is the option preferred by STERIS.
- DHCP Reserved – The MAC address of the UCB can be provided by STERIS at the time of UCB
  installation, or before installation but after shipping from the factory. Contact your STERIS
  Equipment Service Technician for further information.
- Static IP – must be provided before shipping of UCB from factory. Contact your STERIS
  Equipment Service Technician for further information.

Audit Logging

| Application/Service | Purpose | Audit logging capabilities | PII in Record | Audit log retention |
| --- | --- | --- | --- | --- |
| UCB | Connectivity Board and software that collects equipment machine data and transmits further for Remote Monitoring | Certificate download; Configuration events | None | 7 Years |
| STERIS Key Management Service | x.509 Key Management for UCB | Certificate delivery to UCB; Certificate Signing Requests; Certificate Revocations; User logins | None | 7 Years |
| Remote Software Upgrades | Remote Software Upgrades to UCB | Events related to creating a software upgrade and target list of Equipment group the upgrade should be applied to are logged with read only permissions | None | 7 Years |


Remote Access is Not Supported

UCB is an embedded device initiating outgoing communication with required endpoints. Login
to UCB through Remote Access software is not supported.

Patch Management

If the UCB is allowed access to the Remote Software Upgrade endpoint, the UCB performs
regular checks for new software updates and downloads the software to install the upgrade
at a pre-defined time (Sunday, 3AM UTC).

Future (planned functionality): Customers may elect to receive notifications when new
software updates are available. Customers can modify the update schedule for the current
pending update and set up a default schedule (day of week and time) for future updates.

The following process is adopted to apply software updates to the UCB:

‐ New image of the UCB is signed by STERIS certificate and uploaded to Bosch Rollout
service
‐ UCB regularly checks for any available updates by authenticating itself to Bosch Rollout
‐ UCB downloads software and verifies digital signatures and integrity of the software
‐ Once the pre-defined scheduled time for software update is met, UCB reboots with the
new image (updated software). UCB verifies that a cycle is not running before
rebooting. If a cycle is running, UCB will re-attempt after the cycle has been
completed.
‐ If the UCB fails to reboot with the new image, re-attempt is made three times. If the
UCB fails to boot after three attempts with the new image, UCB is rebooted with the
previous working version
‐ Currently there is no provision to manually update UCB software onsite by STERIS
Field Service Engineers.
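
The update procedure above, modelled as a small state machine. This is an added example, not STERIS or Bosch code: the class, method names and version strings are hypothetical, and signature verification and booting are passed in as results so the sketch shows only the ordering of checks, the cycle deferral and the three-attempt rollback.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, List, Optional

MAX_BOOT_ATTEMPTS = 3                 # from the page: three attempts, then roll back
UPDATE_WEEKDAY, UPDATE_HOUR = 6, 3    # Sunday (Monday == 0), 03:00 UTC

def next_window(after: datetime) -> datetime:
    """First Sunday 03:00 UTC at or after `after` (timezone-aware)."""
    after = after.astimezone(timezone.utc)
    slot = after.replace(hour=UPDATE_HOUR, minute=0, second=0, microsecond=0)
    slot += timedelta(days=(UPDATE_WEEKDAY - slot.weekday()) % 7)
    return slot if slot >= after else slot + timedelta(days=7)

@dataclass
class Updater:
    running: str                          # version currently booted
    pending: Optional[str] = None         # verified image waiting to be installed
    due_at: Optional[datetime] = None
    log: List[str] = field(default_factory=list)

    def offer(self, version: str, signature_valid: bool, now: datetime) -> bool:
        """Called after download; an image that fails verification is never staged."""
        if not signature_valid:
            self.log.append(f"rejected {version}: signature check failed")
            return False
        self.pending, self.due_at = version, next_window(now)
        self.log.append(f"staged {version} for {self.due_at.isoformat()}")
        return True

    def tick(self, now: datetime, cycle_running: bool,
             try_boot: Callable[[str], bool]) -> str:
        """One scheduler pass; try_boot(version) models a single boot attempt."""
        if self.pending is None or now < self.due_at:
            return "idle"
        if cycle_running:                 # never reboot under a running cycle
            self.log.append("deferred: equipment cycle in progress")
            return "deferred"
        version, previous = self.pending, self.running
        self.pending = self.due_at = None
        for attempt in range(1, MAX_BOOT_ATTEMPTS + 1):
            if try_boot(version):
                self.running = version
                self.log.append(f"booted {version} on attempt {attempt}")
                return "updated"
            self.log.append(f"boot attempt {attempt} of {version} failed")
        self.running = previous           # fall back to the last working image
        self.log.append(f"rolled back to {previous}")
        return "rolled_back"

if __name__ == "__main__":
    # Constructed timeline: image offered on a Thursday, installed on Sunday.
    t0 = datetime(2022, 4, 14, 12, 0, tzinfo=timezone.utc)
    ucb = Updater(running="1.0")
    ucb.offer("1.1", signature_valid=True, now=t0)
    ucb.tick(ucb.due_at, cycle_running=True, try_boot=lambda v: True)
    ucb.tick(ucb.due_at + timedelta(hours=1), cycle_running=False,
             try_boot=lambda v: False)
    print("\n".join(ucb.log))
```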

Service Handling

This section describes maintenance/repair activities that may or may not be performed on
an as-needed basis by STERIS Service.

| Application/Service/Hardware | Service Aspect | Notes |
| --- | --- | --- |
| UCB | Login to UCB via STERIS laptop | Not allowed; No PII/PHI data is stored on UCB |
| UCB | USB based updates to UCB | Not allowed currently |
| UCB | Component/Repair or Service by STERIS Equipment Service Technician | UCB Single Board Computer (DFI EC 900) to be replaced if required. Power/Network Connectivity cables can be replaced if required |


End-of-Life and End-of-Support

STERIS follows an internal process to provide end-of-life and end-of-support notifications
directly to Customers, where appropriate. Currently there is no plan for end-of-life or
end-of-support for this device and/or service.

Third-Party Product Cybersecurity Security Program Audit

Our Corporate IT program is committed to ongoing NIST CSF maturity Level monitoring by
an independent third party.

Using an independent third party, our Corporate IT Cybersecurity Program is assessed
periodically to assess the operating effectiveness of its security controls in relation to the NIST
CSF program objectives.

Our IT Corporate Cybersecurity Program assessments focus on the following areas:

1. Identify: Asset Management
2. Identify: Business Environment
3. Identify: Governance
4. Identify: Risk Assessment
5. Identify: Risk Management Strategy
6. Identify: Supply Chain Risk Management
7. Protect: Access Control
8. Protect: Awareness and Training
9. Protect: Data Security
10. Protect: Information Protection Policies and Procedures
11. Protect: Maintenance
12. Protect: Protective Technology
13. Detect: Anomalies and Events
14. Detect: Security Continuous Monitoring
15. Detect: Detection Processes
16. Respond: Response Planning
17. Respond: Communication
18. Respond: Analysis
19. Respond: Mitigation
20. Respond: Improvements
21. Recover: Recovery Planning
22. Recover: Improvements
23. Recover: Communications

Our Product Cybersecurity Program is migrating to the NIST CSF framework and will enroll in
the same maturity assessment program as our IT Corporate Cybersecurity Program.


Security Testing

Internal Security Testing

| Application/Service/Hardware | Product Development Phase | Types of Testing to uncover Vulnerabilities & Tools used |
| --- | --- | --- |
| UCB | Product Development & Ongoing Releases | Static Analysis (FxCops); Code Review; Vulnerability Scans (Qualys); Searching NVD for third-party vulnerabilities; Cybersecurity Risk Assessment |

Third-Party Security Testing

| Application/Service/Hardware | Last performed | Types of Testing to uncover Vulnerabilities & Tools used |
| --- | --- | --- |
| UCB | March 2022 | Third-party Penetration testing |
| RM Cloud Services | February 2022 | Qualys Web Application Scanning; Third-party Penetration testing |

Manufacturer’s Disclosure Statement for Medical Device Security

Otherwise known as the MDS2 form, the form for this product can be requested through your
STERIS Sales or Service representatives.

Disclaimer

The information contained in this Product Security White Paper is for reference purposes only.
Nothing contained in this document or relayed verbally to any Customer will be deemed to
amend, modify or supersede the terms and conditions of any written agreement between
such Customer and STERIS, or STERIS’s subsidiaries or affiliates (collectively, “STERIS”).
STERIS does not make any promises or guarantees to Customer that any of the methods or
suggestions described in this Product Security White Paper will restore Customer’s systems,
resolve any issues related to any malicious code or achieve any other stated or intended
results.


Abbreviations

• BU – Business Unit
• CSF – Cybersecurity Framework
• HAB – High Assurance Boot
• HDO – Healthcare Delivery Organization
• H-ISAC – Health Information Sharing and Analysis Center (https://h-isac.org/)
• IPT – Infection Prevention Technologies - https://www.steris-healthcare.com/products/ipt
• IT – Information Technology
• MDM – Medical Device Manufacturer
• MDS2 – Manufacturer Disclosure Statement (MDS) for Medical Device Security
• NIST – National Institute of Standards and Technology
• NVD – National Vulnerability Database
• PII – Personally Identifiable Information
• PHI – Personal Health Information
• PS – Product Security
• PSO – Product Security Officer
• PSM – Product Security Manager
• PKI – Public Key Infrastructure
• RM – Remote Monitoring
• OWASP – Open Web Application Security Project - https://owasp.org/
• CWE – Common Weakness Enumeration - https://www.sans.org/top25-software-errors/
• SOUP – Software of the Unknown Provenance
• SPD – Sterile Processing Department
• TLS – Transport Layer Security
• UCB – Universal Connectivity Board
• USB – Universal Service Bus
• UTC – Coordinated Universal Time
• X.509 – Standard format for public key certificates

Revision History

| Rev | Revision Description | Rationale for Change | Author |
| --- | --- | --- | --- |
| 1.0 | Initial Release | For use with CAT | STERIS R&D and Service Teams |


References

References (URLs as accessed on April 14th, 2022)

1. Public Key Infrastructure - https://www.govinfo.gov/content/pkg/GOVPUB-C13-2269bdd37ca40015a4075fa2a1bdfa9a/pdf/GOVPUB-C13-2269bdd37ca40015a4075fa2a1bdfa9a.pdf
2. Zero Trust - https://www.microsoft.com/en-us/security/business/zero-trust
3. High Assurance Booting on i.MX6 - https://community.nxp.com/t5/i-MX-Solutions-Knowledge-Base/High-Assurance-Booting-HAB-on-i-MX6/ta-p/1114450
4. Implementing dm-verity - https://source.android.com/security/verifiedboot/dm-verity
5. Azure Application Gateway TLS policy overview - https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-ssl-policy-overview

For Further Information, contact:

STERIS Corporation
5960 Heisley Rd.
Mentor, OH 44060–1834 • USA
440–354–2600 • 800–548–4873
www.steris.com

The base language of this document is ENGLISH.
Any translations must be made from the base language document.

©2022, STERIS Corporation. All rights reserved.

This document is intended for the exclusive use of STERIS Customers, including architects
or designers.

Reproduction in whole or in part by any party other than a Customer is prohibited.
