Connected devices and the risk they carry are a widely recognized by-product of the rapidly evolving digital age in which we operate today. But the rate at which IT, Internet of Things (IoT), Internet of Medical Things (IoMT) and Operational Technology (OT) devices are at risk of being compromised varies, says Daniel dos Santos, Head of Security Research, Forescout Vedere Laboratories, the cybersecurity research arm of Forescout.
Some are significantly more vulnerable than others as cybercriminals continue to innovate at a rapid pace to gain access to and exploit connected devices to achieve their goals.
The growing number and variety of connected devices in every industry presents new challenges for organizations to understand and manage the risks they face. The attack surface now includes IT, IoT and OT in almost every organization, with the addition of IoMT in healthcare, leading to increased vulnerabilities in interconnected networks.
In fact, according to a recent report by the Ponemon Institute, 65 percent of responding organizations say IoT and OT devices are among the least secure parts of their networks, while 50 percent say attacks on these devices have increased. IT and IT security professionals in 88 percent of these organizations have connected IoT devices to the Internet, 56 percent have connected OT devices to the Internet, and 51 percent have connected the OT network to the IT network.
The reality is that connected devices exist across all industries today and continue to pose significant and pervasive security risks for organizations across all sectors, as many are still vulnerable to known and legacy vulnerabilities. To identify risk points inherent in device types, industries, and cybersecurity policies, recent research analyzed the risk posture of over 19 million devices across financial services, government, healthcare, manufacturing, and retail to uncover the riskiest connected devices of 2022.
The results have shown that:
IT devices remain a popular target
IT equipment such as computers, servers, routers, and wireless access points are among the riskiest devices because they remain the main target of malware, including ransomware, and the main initial entry points for malicious actors. These actors exploit vulnerabilities on internet-exposed devices, such as servers running unpatched operating systems and business applications, or use social engineering and phishing techniques to trick employees into running malicious code on their computers.
Routers and wireless access points, as well as other devices in the network infrastructure, are increasingly becoming a gateway for malware and advanced persistent threats. Routers are risky because they are often exposed online, connect internal and external networks, have dangerous open ports, and have many vulnerabilities that are often quickly exploited by malicious actors.
Hypervisors, or specialized servers that host virtual machines (VMs), became a prime target for ransomware gangs in 2022 because they allow attackers to encrypt multiple VMs at the same time. Ransomware developers are also moving towards languages like Go and Rust, which are easier to cross-compile and can target both Linux and Windows.
IoT devices are more difficult to patch and manage
A growing number of IoT devices on enterprise networks are being actively exploited because they are more difficult to patch and manage than IT devices. IoT devices are compromised due to weak credentials or unpatched vulnerabilities, mainly to become part of distributed denial-of-service (DDoS) botnets.
IP cameras, VoIP and video conferencing systems are the riskiest IoT devices as they are often exposed on the internet and there is a long history of threat actor activity targeting them. For example, in 2019 APT28 compromised VoIP phones for initial access to multiple networks, in 2021 Conti targeted cameras to move laterally within affected organizations, and in 2022 both UNC3524 and TAG-38 targeted video conferencing systems and cameras for use as command and control infrastructure.
ATMs appear in the rankings because of their apparent mission-critical importance in financial organizations and also because data suggests that many ATMs sit alongside other IoT devices such as security cameras and physical security systems, which are often unprotected.
Printers include not only multifunctional printers and copiers used in the networked office, but also specialty devices for printing receipts, labels, tickets, wristbands and other applications. Although printers are not commonly associated with cyber risks, they should be. Like IP cameras, they have been exploited in attacks by threat actors such as APT28 and repeatedly spammed by hacktivists. And just like ATMs, printers are often connected to sensitive devices, such as point-of-sale systems for receipt printers and traditional privileged-user workstations for office printers.
X-ray machines and patient monitors are among the riskiest IoMT devices
Connected medical devices are obviously risky due to their potential impact on healthcare and patient safety. There have been many ransomware attacks on healthcare IT networks that reached medical devices and rendered them unusable, as seen in the USA and Ireland since 2020.
Ranked as the most risky, DICOM workstations, nuclear medicine systems, imaging devices and PACS are all medical imaging-related devices and share a few things in common: they often run older, vulnerable IT operating systems and have extensive network connectivity to share and use image files, relying on the DICOM standard to exchange them.
DICOM defines both the format for storing medical images and the communication protocol used to exchange them. The protocol supports encryption of its messages, but whether it is enabled is left to the configuration chosen by each healthcare organization. Where communication between organizations runs unencrypted, attackers could obtain or manipulate medical images, including to spread malware.
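To make the DICOM point concrete, here is an added example (not from the article or from Forescout's research) that builds a synthetic cleartext A-ASSOCIATE-RQ PDU and classifies the first bytes of captured streams on DICOM ports as TLS-wrapped or cleartext, so a defender can spot imaging traffic that negotiates associations without encryption. The AE titles, addresses and flows are constructed sample data.

```python
# Added example (not from the article or Forescout): classify the first bytes of a
# TCP stream to a DICOM port as a TLS handshake or a cleartext DICOM association.
import struct

DICOM_PORTS = {104, 11112}          # well-known / registered DICOM ports

def build_associate_rq(called_ae: str, calling_ae: str) -> bytes:
    """Construct a minimal cleartext A-ASSOCIATE-RQ PDU (DICOM PS3.8, section 9.3.2) for testing."""
    app_ctx = b"1.2.840.10008.3.1.1.1"                       # DICOM Application Context Name
    item = struct.pack(">BBH", 0x10, 0, len(app_ctx)) + app_ctx
    body = (struct.pack(">HH", 1, 0)                           # protocol version 1, reserved
            + called_ae.ljust(16).encode("ascii")             # AE titles are 16 bytes, space padded
            + calling_ae.ljust(16).encode("ascii")
            + b"\x00" * 32 + item)                            # 32 reserved bytes, then variable items
    return struct.pack(">BBI", 0x01, 0, len(body)) + body      # PDU type 0x01, reserved, length

def classify_stream(first_bytes: bytes) -> dict:
    """Return what the stream looks like and, for cleartext DICOM, the AE titles involved."""
    if len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return {"kind": "tls"}                                 # TLS record: handshake, version 3.x
    if len(first_bytes) >= 74 and first_bytes[0] == 0x01 and first_bytes[1] == 0:
        pdu_len = struct.unpack(">I", first_bytes[2:6])[0]
        version = struct.unpack(">H", first_bytes[6:8])[0]
        if version & 1 and pdu_len >= 68:                      # fixed part of the PDU is 68 bytes
            return {"kind": "dicom-cleartext",
                    "called_ae": first_bytes[10:26].decode("ascii", "replace").strip(),
                    "calling_ae": first_bytes[26:42].decode("ascii", "replace").strip()}
    return {"kind": "unknown"}

def audit_flows(flows):
    """Flag flows to DICOM ports that negotiate an association without TLS."""
    findings = []
    for src, dst, dport, payload in flows:
        if dport not in DICOM_PORTS:
            continue
        info = classify_stream(payload)
        if info["kind"] == "dicom-cleartext":
            findings.append(f"{src} -> {dst}:{dport} cleartext DICOM "
                            f"{info['calling_ae']} -> {info['called_ae']}")
    return findings

# Constructed sample flows: one cleartext association, one TLS-wrapped one.
SAMPLE_FLOWS = [
    ("10.0.5.20", "10.0.5.10", 104, build_associate_rq("PACS1", "MODALITY_CT")),
    ("10.0.5.21", "10.0.5.10", 11112, bytes.fromhex("160303004a010000")),
]

if __name__ == "__main__":
    for line in audit_flows(SAMPLE_FLOWS):
        print(line)
```

In practice the payloads would come from a capture or network sensor; the classification only needs the first few dozen bytes of each flow.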
Additionally, patient monitors are among the most commonly used medical devices in healthcare organizations and also among the most vulnerable. Like medical imaging devices, they often communicate using unencrypted protocols, meaning attackers can tamper with their readings.
OT devices are mission critical but inherently insecure
Over the past decade, government-sponsored attacks on OT systems and devices have become commonplace. The research found that manufacturing has the highest percentage of high-risk devices (11 percent), but what is even more concerning is the increase in cybercriminal and hacktivist activity targeting these devices. Recently, ransomware groups repeatedly gained access to water utility SCADA systems, and hacktivists gained access to the HMI of a water treatment plant in Florida.
Overall, PLCs and HMIs are the riskiest OT devices as they are highly critical, allow full control of industrial processes and are known to be inherently insecure. Although PLCs are not often connected to the internet, many HMIs are connected to the internet to enable remote control or management. These devices are not only common in critical infrastructure sectors like manufacturing, but also in sectors like retail, where they drive logistics and warehouse automation.
However, other observed risky OT devices are much more widespread than PLCs and HMIs. For example, uninterruptible power supplies (UPS) coexist with computers, servers, and IoT devices in many enterprise and data center networks. UPSs play a crucial role in data center power monitoring and energy management. Attacks on these devices can have physical effects, such as cutting off power at a critical location or manipulating voltage to damage sensitive equipment.
Environmental monitoring and building automation systems are critical to facility management, which is a common need in most organizations. Smart buildings perfectly illustrate a cross-industry realm where IT, IoT and OT converge on the same network. There are several examples of smart buildings being exploited by threat actors to disable controllers, recruit vulnerable physical access control devices into botnets, or leverage engineering workstations for initial access. These devices dangerously mix the inherently insecure nature of OT with the internet connectivity of IoT and are often found exposed online, even in critical locations.
Protection of devices at multiple levels
Both device manufacturers and users are responsible for developing and maintaining their cybersecurity defenses, a perspective reinforced by regulatory developments.
It is imperative that manufacturers use secure software development lifecycles. This includes processes such as code reviews, vulnerability scans and penetration tests. Most importantly, these processes must not be limited to software written by the manufacturer itself but must extend to all components that go into a device, including third-party libraries.
As for regulatory developments, the proposed EU regulation on cybersecurity requirements, if implemented, will oblige vendors to obtain cybersecurity certification for IoT devices. From a user perspective, there are also major efforts to make disclosure of cybersecurity incidents mandatory, which would no doubt compel organizations to improve their security posture.
Unfortunately, there isn’t a single quick fix for protecting connected devices. But there are practical steps all organizations can take, starting with creating a complete, automated, and continuous inventory of all network resources. Once all devices and their configurations are known, a risk assessment can be performed to highlight the devices that require special attention, either because they are insecure or mission-critical.
Mitigation measures can then be implemented. Measures include patching known vulnerabilities, hardening devices by disabling unused services, using strong and unique passwords, segmenting networks to isolate risky devices, and employing extensive network monitoring to detect attempts to exploit devices.
Protecting connected devices from attacks is a shared responsibility. We all must help uncover the risks and protect our infrastructures from increasingly sophisticated tactics. And it all starts with uncovering potential cracks in our armor.
See also https://www.forescout.com/blog/.