Abstract
Connected Medical Devices (CMDs) face many critical cybersecurity challenges. Cybersecurity risk assessment is the de facto industry standard process for assessing and mitigating potential cybersecurity risks. However, current cybersecurity risk assessments in the CMD domain are typically static, whereas many situations are highly dynamic, involving changing circumstances of patient care priorities or new vulnerabilities detected at runtime. Thus, there is a clear need to support dynamic, runtime cybersecurity risk assessment in which new events are reflected automatically in risk levels, and appropriate controls are recommended for unacceptable risks to return the residual risk to an acceptable level. In the EU project NEMECYS, we are developing an approach to dynamic cyber risk assessment for CMDs. The objective of this paper is to provide a high-level introduction to the NEMECYS project, and then explain in more detail our proposed dynamic cyber risk assessment approach for CMDs.