Process-Aware Attacks on Medication Control of Type-I Diabetics Using Infusion Pumps

George Stergiopoulos, Panayiotis Kotzanikolaou, Charalambos Konstantinou, Achilleas Tsoukalis

Research output: Contribution to journalArticlepeer-review


As medical infusion pumps are known to be vulnerable to cybersecurity threats, industrial reports, guidelines, and state-of-the art research have focused on securing such devices. This includes hardening a pump's network communications, wireless interfaces, and patching software flaws that can allow adversaries to compromise the device's usability and potentially lead to adverse effects on patients. Still, a very small percentage of this work has focused on securing devices against process-aware attacks that target the business logic behind medical treatment processes, even though it is widely known that deviations or disruptions in continuous medication administration may be harmful, even lethal. In this work, we first develop a threat model on an insulin infusion pump used for blood glucose regulation in Type-I diabetics. We then set up a generalized Simulink model of common insulin pumps used for Type-I diabetic treatment and perform a volume control assessment to investigate the probability of process-aware cyber-attacks to cause patient harm through microalterations on continuous medical administration that stay within operational limits but manage to impact a patient's health. We achieve this by manipulating the business process logic behind semiautomatic drug administration on the insulin pump model that uses continuous glucose monitoring systems. We validate attack models capable of causing adverse impact on patients through performance degradation of the drug administration processes.
Original languageEnglish (US)
Pages (from-to)1-12
Number of pages12
JournalIEEE Systems Journal
StatePublished - Jan 25 2023

Bibliographical note

KAUST Repository Item: Exported on 2023-01-27
Acknowledgements: This work was supported by the European Union and Greek National Funds Through the Operational Program Competitiveness, Entrepreneurship and Innovation, Under the Call and in part by the MELITY project under the call Research—Create—Innovate under Grant T1EDK-01958. The research reported in this article was also supported by the King Abdullah University of Science and Technology (KAUST), Saudi Arabia.

ASJC Scopus subject areas

  • Control and Systems Engineering
  • Electrical and Electronic Engineering


Dive into the research topics of 'Process-Aware Attacks on Medication Control of Type-I Diabetics Using Infusion Pumps'. Together they form a unique fingerprint.

Cite this