CASE STUDY

Cardiovascular Patient Monitoring Solution – Strengthening Device Security and FDA Readiness Through Trusted Components and Secure Firmware Boot

Medical System: Cardiovascular Patient Monitoring Solution
Project Date: September 2024

About the Author

  • Dr. Mike Rushanan
    Chief Scientist

    Dr. Mike Rushanan is the Chief Scientist at Harbor Labs. Dr. Rushanan has been on the front line of the medical device security industry since its inception, serving as the lead engineer on the FDA’s first ever cybersecurity alert in 2015. His extensive experience with all facets of medical cybersecurity, including regulatory policy, clinical technologies, healthcare IT, cryptography, and secure system design is reflected in the countless thousands of fielded medical systems certified through his reviews. Dr. Rushanan is renowned for his work in diabetes care cybersecurity. He has worked with most major providers and a broad set of diabetes care technologies, including insulin pumps, CGMs, closed loop systems, and diabetes management software. Dr. Rushanan also specializes in cardiac care systems, surgical robotics, next-gen sequencing systems, and drug infusion systems. Dr. Rushanan teaches the course Security and Privacy in Computing, and is the course designer and instructor of Medical Device Security at Johns Hopkins University. His Ph.D. from Johns Hopkins University is in the area of Computer System and Network Security.

Harbor Labs partnered with a medical device manufacturer preparing for a 510(k) premarket submission. In executing its cybersecurity risk management process, Harbor Labs identified two critical security gaps the manufacturer had to address before submission. The identified gaps included the use of third-party networking components that the manufacturer could not control or influence beyond applying security best practices to configuration and firmware management, and a lack of secure boot and firmware update security controls.

Third-Party Networking Components

To address third-party device trust and supply chain risk, Harbor Labs assessed each networking component individually with administrative access to the device’s configuration utility. Using this access, Harbor Labs was able to:

  1. Obtain firmware version information for a software composition analysis (CVE lookup).
  2. Document third-party component names and version strings in a CycloneDX SBOM, providing automated vulnerability lookup.
  3. Cross-validate each component against a public CVE database.
  4. Investigate third-party device manufacturer support and software update and patch practices.
  5. Manually audit the device as it was configured by the medical device manufacturer and intended for deployment.
  6. Run network analysis and fingerprinting tools to ensure the device’s configuration is correct and enforced.

Harbor Labs then helped the manufacturer create cybersecurity labeling regarding the above in its Instructions for Use (IFUs), outlining safe configuration and maintenance of the third-party components.
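
Steps 1 to 3 above, as an added example that is not Harbor Labs' tooling: it emits a minimal CycloneDX-style document for a constructed inventory and matches it against a constructed advisory list standing in for a public CVE database. Component names, advisory ids and the `fixed_in` field are placeholders, and versions are assumed to be dotted numbers.

```python
import json

# Constructed inventory: (name, supplier, firmware version) as read from each
# component's configuration utility. These are not real products.
INVENTORY = [
    ("example-wifi-bridge", "ExampleNet", "2.4.1"),
    ("example-cell-gateway", "ExampleNet", "1.10.0"),
]

# Constructed advisory list standing in for an export of a public CVE database.
ADVISORIES = [
    {"id": "CVE-PLACEHOLDER-0001", "name": "example-wifi-bridge", "fixed_in": "2.5.0"},
    {"id": "CVE-PLACEHOLDER-0002", "name": "example-cell-gateway", "fixed_in": "1.9.3"},
]

def vkey(version):
    """Compare versions numerically: as plain strings, '1.10.0' sorts before '1.9.3'."""
    return tuple(int(part) for part in version.split("."))

def build_sbom(inventory):
    """Record each third-party component as a CycloneDX 'firmware' component."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "components": [
            {"type": "firmware", "bom-ref": f"{name}@{version}",
             "supplier": {"name": supplier}, "name": name, "version": version}
            for name, supplier, version in inventory
        ],
    }

def cross_validate(sbom, advisories):
    """Return (bom-ref, advisory id) for every component older than the fixed version."""
    findings = []
    for comp in sbom["components"]:
        for adv in advisories:
            if adv["name"] == comp["name"] and vkey(comp["version"]) < vkey(adv["fixed_in"]):
                findings.append((comp["bom-ref"], adv["id"]))
    return findings

def render(sbom):
    return json.dumps(sbom, indent=2)

if __name__ == "__main__":
    bom = build_sbom(INVENTORY)
    print(render(bom))
    print(cross_validate(bom, ADVISORIES))
```
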

Secure Boot and Firmware Update

Harbor Labs designed a PKI-based digital signature protocol that used NIST-approved algorithms to achieve firmware and firmware update authentication. To accomplish its design, Harbor Labs:

  1. Verified that the manufacturer’s selected microcontroller supported the required cryptographic engine and SHA-256 hashing to validate the firmware signature.
  2. Configured secure boot logic to validate ECDSA signatures using a key pair generated via an open-source crypto library, wolfSSL, ensuring compatibility.
  3. Recommended the root private key be stored in a tamper-evident Hardware Security Module (HSM) with multi-party control using Shamir’s secret sharing.
  4. Recommended the firmware signing key be managed via a Key Management Service (KMS).
  5. Implemented a robust firmware update process requiring that update packages be digitally signed, version-checked, and cryptographically verified before installation.

These controls ensured rollback prevention, boot-time verification, and certificate revocation.
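
The update acceptance check from step 5, as an added sketch that is not Harbor Labs' or the manufacturer's code: it assumes NIST P-256 and a hypothetical package layout (magic, 32-bit version, image, raw `r || s` signature), with a constructed key and nonce. The curve arithmetic is written out only so the example runs on the Python standard library; a device would call its crypto engine or wolfSSL instead.

```python
import hashlib

# NIST P-256 domain parameters (assumed curve, coefficient a = -3).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
DEMO_KEY, DEMO_NONCE = 0xC0FFEE, 0xFEEDFACE  # constructed test values, never real key material

def add(a, b):  # affine point addition; None is the point at infinity
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    num, den = (3 * a[0] ** 2 - 3, 2 * a[1]) if a == b else (b[1] - a[1], b[0] - a[0])
    m = num * pow(den % P, -1, P) % P
    x = (m * m - a[0] - b[0]) % P
    return x, (m * (a[0] - x) - a[1]) % P

def mul(k, point):  # double-and-add; fine for public data, not constant time
    acc = None
    while k:
        if k & 1:
            acc = add(acc, point)
        point, k = add(point, point), k >> 1
    return acc

def ecdsa_verify(pub, blob, r, s):
    if not (0 < r < N and 0 < s < N):
        return False
    z, w = int.from_bytes(hashlib.sha256(blob).digest(), "big"), pow(s, -1, N)
    pt = add(mul(z * w % N, G), mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r

def make_demo_package(version, image, priv, k):  # test-only signer; real signing stays in the KMS
    signed = b"FWUP" + version.to_bytes(4, "big") + image
    z = int.from_bytes(hashlib.sha256(signed).digest(), "big")
    r = mul(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * priv) % N
    return signed + r.to_bytes(32, "big") + s.to_bytes(32, "big")

def check_update(package, pub, installed_version):  # layout: "FWUP" | u32 version | image | r || s
    signed, sig = package[:-64], package[-64:]
    if len(signed) <= 8 or signed[:4] != b"FWUP":
        return "reject: malformed"
    r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    if not ecdsa_verify(pub, signed, r, s):
        return "reject: bad signature"
    version = int.from_bytes(signed[4:8], "big")  # read only after the signature covers it
    return "accept" if version > installed_version else "reject: rollback"
```

Because the signature covers the version field together with the image, bumping the version on an old image without re-signing fails verification instead of bypassing the rollback check.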

Harbor Labs provided practical solutions to help the manufacturer meet FDA cybersecurity guidelines. Their guidance allowed the manufacturer to continue using third-party components without sacrificing transparency or control and to establish a secure, flexible firmware lifecycle. The result was a more resilient product and a smoother path toward regulatory approval and customer trust.

