**1. Introduction**

Implantable therapeutic tools are becoming progressively interdependent through the internet of things (IoT) in order to audit vital signs and improve patients' quality of life. Yet, the IoT imposes major vulnerabilities with such interconnection, and any disturbance could cause significant destruction or life-impeding demands [1,2]. An adversary may construct various attacks to jeopardize both IoT implantable therapeutic equipment and networks [3]. Table 1 illustrates some recent cyberattack incidents that occurred in the medical field. Thus, it is not easy to design and protect medical devices that are able to cope with equipment failures and connectivity and operating systems faults [4]. Security and privacy concerns should also be considered, such as identification, data integrity, confidentiality, authentication, and user and service privacy [5]. A recent survey [6] studied over one hundred medical tools to consider their protection worries with a focus on reported cyberattacks including tampering, sni ffing, and unauthorized access. The survey also studied available mitigation methods to handle these worries.



**Table 1.** *Cont*.

Attack graphs provide a viewable technique to determine risks within interoperable systems.The actions needed to conduct an attack can be identified utilizing this technique. The identification of attacks helps engineers to establish defensive actions in order to eliminate the execution of an attack [14]. For instance, a method is presented by [15] for indicating the best placement of a collection of IoT tools within an institution using a traditional attack graph which is augmented to consider the substantial placement of IoT tools and their connectivity effectiveness.

Attack graphs can also help forensic investigators to identify many possible attack paths. An empirical study is provided by [16] on the growth of using data gathered by smartphone tools (developed to correlate a therapeutic tool) as digital clue in legal cases. A report is included about evidence which is possibly helpful in a digital forensics inspection.

A digital inspection system is proposed by [17] for the examination of fatal attack scenarios on cardiac implantable medical devices (IMDs). The system reports the identification and regeneration of possible attack scenarios that result in a patient's death. An approach of three stages is proposed, along with a collection of approaches to use in every stage. In the first stage, the approach aids determining the reason for a death based on the therapeutic conclusions gathered by the IMD. Second, the approach follows the entries and system logs gathered from the IMD under consideration, which determine the critical actions associated with distant access and construction. The technique aims to collect the possible attack scenarios that could achieve similar impact in the gathered log proof, as if they had been conducted. A library of threats and a model checking established algorithm are utilized to conduct the automatic reformation which is made in forward chaining. The third stage of the approach correlates the generated scenarios, identifies the most persuasive composite of medical and vocational scenarios, and confirms the presence of abnormal attitude in the chosen composite that caused a patient's death.

The main contribution of this work manifests an approach for developing attack graphs for the pacemaker automatic remote monitoring system (PARMS). This demands a general specification of system model (design and communications, units, resources, protections, vulnerabilities, and attack instances), and exploration of the security concerns. The model and the security properties are encoded using architecture analysis and design language (AADL) [18] and verified using JKind checker embedded software [19]. The developed attack graph contains the attack scenarios causing system compromise through gaining ability to alter the settings of the home monitoring device. Thus, controlling the wireless pacemaker and jeopardizing the patient's life. The resulting graph is visualized utilizing Graphviz [20]. The rest of this paper is organized as follows: Section 1.1 reviews the relevant work. Section 2 presents the modeling process of the pacemaker automatic remote monitoring system (PARMS). Section 3 illustrates attack graph construction and visualization for the PARMS. Section 4 recaps and discusses some forthcoming work.

#### *1.1. Related Work*

Di fferent papers were investigated in the literature for modelling attack graphs for medical devices. A model-based system, a safety and security co-engineering (MB3SE) technique, and a correlated toolchain for the implementation of medical equipment was proposed by [21]. The toolchain included architecture modelling and safety and cyber-security risk analysis tools. Explanations for security concerns of 5G networks aiding electronic healthcare applications were presented by [22]. The explanations incorporated knowledge graph development, automated attack and protection technologies, and a security testbed.

An approach is presented by [23] for developing attack trees for IMDs which receive two inputs: functional workflow and a hazard study of the IMD in consideration. A process-modeling software is utilized to illustrate the IMD system as it is arranged, booted up, and managed by the caregiver. Hazards can be identified as system states that are built-in unprotected for the user. Hazard study requires determining system states that will ultimately cause critical harm to the patient.

Threat modeling is examined in medical cyber physical systems (MCPS) by [24]. This includes the roles of stakeholders and system components, trust models, threat models, and threat analysis. An abstract architecture is also sketched for an MCPS to demonstrate various threat modeling options.

A methodology has been developed by [2] for generating attack trees for patient controlled analgesia (PCA-IMD). This process contains four steps: (1) process modeling, (2) fault tree analysis (FTA), (3) attack tree generation, and (4) quantification. First, the user of the PCA-IMD takes a depiction of the workflow of the PCA-IMD and constructs a process-modeling design for it. Once the process model is constructed, the IMD user establishes the distinct hazards that can happen as a result of running the system, leading to extra infusion.

Two internal activities are studied by [25], involving the utilization of Universal Serial Bus (USB) drives and Compact Disc Read-Only Memory (CD-ROM) as the entrance methods leading to data loss in the healthcare firm surroundings. The generated augmented threat trees show the vulnerabilities abused, the actions required to abuse them, and the fingerprint implemented by the attackers' functionalities. A Markov models set is developed by [26] for a healthcare IoT foundation, that enables the consideration of the particularity of clients' machines, connectivity, advancement of data stream, and protection and security worries of these elements.

The modeling and study of cyberattacks utilizing a multimodal graph technique is shown by [27]. This work illustrates how cyber actions, parties, targets, and networks that gathered them can be modeled using a multimodal graph, such that multiple graphs of distinct modalities are connected to show the features of the attack.

A framework is presented by [28] for modeling and assessing security of the IoT which incorporates preprocessing, security model generation using a hierarchical attack representation model (HARM), conception and repository, security study, and transformations and updates. In the scheme, an IoT, security model generators, and an evaluator are implemented.

The authors of [29] investigated whether the ideas of model checking and attack tree refinement correspond to using an IoT healthcare illustrative example. The extension by model checking and the enclosing of attack trees into the Isabelle internal scheme permitted the investigation of this correspondence utilizing the analytical strict and automated proof assistance of Isabelle. Hence, reassessing the interpretation of state evolution in model checking and importing a variation that showed the attack sequences. This permitted the conversion of attack paths established by model checking into the attack tree refinement procedure.

An attack graph-based study is presented by [4] of attacks on a certain interoperability surrounding to provide patient pain medication (PCA) among multiple levels of interoperability from simple data gathering to complete closed loop control. Explanations of the potential prevention methods are determined for every class of attack vectors. The work showed that security has a deep impact on the safety of medical device interoperability and the patients they are provided to.

Conceptual graphs are collected by [30] with Dung's disputation system that supplied convenient extensions for dependable selection procedures, all adapted to telemedicine in general and tele-expertise in particular. The work implemented the visual graph of attacks where distinct interpretation of the reasoning logic is adapted to verify the possible adequate arguments.

A systematic threat-modeling approach is proposed by [31] to investigate IMD security. The attack tree approach provided an overall and organized scheme of the strengths and weaknesses of the IMD system. The work showed a systematic method for conducting system-level security examination to incorporate various potential attack surfaces. The research done by [14] demonstrated attack graph modeling on hypothetical ambulatory medical equipment. The research examined specific attacks that jeopardized ambulatory equipment, like physical attacks and social engineering.

#### **2. Pacemaker Automatic Remote Monitoring System (PARMS) Modeling**

In this work, the pacemaker automatic remote monitoring system (PARMS) is modeled to illustrate how hacking into the pacemaker's system imposes life-threatening risks to patients. The model includes system topology, possible attack instances, and the system's formal description.
