Ordr protects three of the top five healthcare organizations in the U.S., and thousands of hospital sites all over the world with our connected device security platform, powered by our device knowledge base of millions of devices. We are a healthcare-first company and continue to innovate to help our customers address their connected medical device security challenges. Today, we’re excited to launch Ordr Clinical Defender 8.1, with a Full-Lifecycle Vulnerability Management Platform. This release is based on feedback from our healthcare customers, and is specifically optimized to enable HTM teams to see, prioritize and address all connected medical vulnerabilities and clinical risks.

Why is this a priority?

Quite simply, when you secure your devices, you secure patient care. The more efficient HTM teams are at managing and addressing vulnerabilities for healthcare devices, the better the organization is at delivering safe, connected care. But vulnerability management in healthcare is challenging. The exploding growth of connected devices, coupled with increasing vulnerabilities, a rise in cyberattacks and limited resources introduce various complexities.

In this blog, I discuss why this is a monumental challenge for many organizations, how Ordr is solving it, and the best practices you should consider. Here are the key topics, for those who want to skip to the sections important to them.

1. Vulnerability Management in Healthcare is Complex
2. Medical Device Full-Lifecycle Vulnerability Management
   • Device Classification
   • Vulnerability Identification (for the Whole Hospital)
   • Ownership Assignment (using a Centralized Platform)
   • Clinical Prioritization (to Improve Patient Care)
   • Compliance and Remediation (With maximum ROI)
3. Best Practices and Ordr for Healthcare Vulnerability Management

1. Vulnerability Management in Healthcare Is Complex

At the healthcare organizations Ordr work with, we see medical devices with a wide variety of make, model, and modalities from multiple manufacturers. Hospitals have at least about 2000 unique medical device types with 20 possible operating system variations. Each of the OS embedded has numerous variations with different levels of patching. It is not uncommon to see the total number of vulnerabilities as a multiplication of the number of device types and the associated vulnerabilities for each to amount to tens of thousands. This is a huge challenge unless a robust program (combined with technology) tackles it efficiently with the right prioritization methodology.

Moreover, growing ransomware attacks and the recently introduced cybersecurity bill indicate an urgency for quickly and efficiently tackling device vulnerabilities. However, this can be daunting for Healthcare Technology Management (HTM) professionals tasked with managing and maintaining the vast assortment of hospital tools and devices.

2. Medical Device Full-Lifecycle Vulnerability Management

2.1 Device Classification

It is critical that every device connected to a hospital environment is accurately accounted for and monitored 24×7. Ordr’s passive technology using packet captures and deep packet inspection provides the most comprehensive and granular inventory of devices in a healthcare environment. No other platform can confidently track and monitor 100% of every single connected device in a hospital. Other tools like Vulnerability Scanners only know about the devices they scan, and endpoint agents only know about the devices they are installed on. Ordr moves this process from a one-time activity that happens periodically to continuous monitoring of devices connecting to the network and continuous tracking of new vulnerabilities published daily.

Ordr has comprehensive and accurate classification methods to understand a medical device’s make, model deeply, and modality (how it is configured and deployed in a specific hospital) and then accurately understand the underlying OS down to its patch levels. Once a device’s OS and patch level are determined, Ordr’s vulnerability matching engine compares that to publicly available vulnerability databases, FDA notices, manufacturer’s declarations, etc., to get a complete list of all vulnerabilities. This is one of the most challenging aspect of vulnerability management that Ordr simplifies for HTM users.

2.2 Vulnerability Identification for the Whole Hospital

Vulnerability management starts with visibility. It is critical to be able to gain granular visibility and complete asset inventory for every device in the hospital.

• Medical devices – The complexity of vulnerability management with most hospital equipment is trifold.

1. Medical equipment very often cannot be scanned like IT endpoints that run standard operating systems. An utterly passive mechanism is needed to understand their vulnerabilities based on how they operate. Since these medical devices provide patient care 24×7, any scanning attempt that intensely interrogates the devices with various deep and continuous scans can cause severe disruption in the device’s performance and more often brings down the device in the middle of providing patient care.
2. Patch Tuesday isn’t an option. Hospital IT teams cannot simply download a patch from OS providers like Microsoft. Every change in the underlying OS needs some level of retesting of the medical device for recalibration of the performance and could also trigger an FDA validation for critical compliance. Usually, manufacturers provide patches; in practice, that patch is hard to come by quickly when a vulnerability is detected. Patching is an activity that needs to be done in close cooperation with the manufacturer and is a carefully planned activity so as not to disturb the patient care workflow.
3. Medical manufacturers do not always provide a Software Bill of Materials (SBOM), Manufacturer Disclosure Statement for Medical Device Security (MDS2), and other field-deployment-related guidance on risk, which could make the vulnerability management life cycle complex in the long run.

• OT devices – While all enterprises depend on operational systems like building management, elevators, HVAC, UPS, etc., to function smoothly, the criticality is exponential in healthcare. Imagine an operating theater without power or access to elevators and an ER without the ability to admit new patients or access diagnostic systems. A hospital is a single unified inter-dependent entity where all systems need to function at the highest level of resiliency. An attack on one is an attack on all. Identifying vulnerabilities on these devices requires passive methods of understanding the OT systems. For instance. OT systems like building management systems need to be accurately inventoried and classified to understand its make/model/OS/patch levels and its associated vulnerabilities correlated to well-known vulnerability repositories like ICS-CERT.
• IoT devices (including office equipment and security/surveillance devices) – While these include everything from office equipment (printers, phones, video conferencing systems), sound bars to treadmills, vending machines, and gaming devices in rec rooms, hospital IT teams typically do not isolate these systems very well. The criticality of video cameras, badge readers, security alarms, and digital wall clocks is still high in hospitals but has the same issue as standard office equipment. Most scanning solutions do not offer the make and model details. Again, passive techniques to detect their device type make/model/OS/patch level are needed to assess their vulnerabilities accurately.
  • Combined and interconnected with other medical equipment, they pose a massive challenge as it is easy for a hacker to compromise them and move laterally. For instance accessing these insecure devices and then, quickly laterally move and take over a Picture Archiving and Communication System (PACS) server that has thousands of patient scan images would be mission impacting
  • Understanding the exact device types of IoT like make/model/OS/patches and associated vulnerabilities require various additional techniques like making direct queries to the device using protocols these devices speak to, interrogating and getting their operational characteristics and executing probes to get an accurate picture of the OS/patch level and the software installed on those devices.
• IT devices – Most scanning tools can periodically scan IT devices, understand their vulnerabilities, and generate a report. Ordr has APIs built for well-known vulnerability scanning platforms to kick start a scan, pull information from it, correlate it to devices in Ordr’s device database, and store it for management. However, IT devices need to be monitored continuously, covering the complete software stack installed on them and accurately tracking users logging on to the devices and local accounts created that are not under the control of the AD/Domain controller.

Every device everywhere (including those at remote clinics, and behind VPN/gateways)

More importantly, being unable to manage vulnerabilities for IT devices going off the grid and dialing back in from remote locations leaves enormous blind spots. This also applies to telemedicine and remote clinics. A care provider’s laptop while off grid accessing precious medical records is still a high risk one that needs to be monitored continuously. Vulnerability scanners need the device connected to the corporate network to send scanning packets to extract data based on their response. This is done both with full authentication and sometimes without authentication. But if the device is remote, there is no way to run scans continuously.

With the changing remote-hybrid work landscape, laptops connecting to insecure sites, possibly pulling malicious software, making an update or running wrong patches, and inaccurate/outdated inventory of software installed on that machine while they are off the grid pose a considerable risk. The nature of hybrid means they may not come and connect back to the corporate network any time soon and only click through VPN and other means.

Ordr “whole hospital” approach enables visibility for every device connected to the healthcare network – medical devices, OT devices, IoT devices to traditional IT systems. Clinical Defender 8.1 introduces our Ordr Software Inventory Collector. This feature uses features available in each device’s  OS to send reports of software inventory of those systems along with the latest OS patch level for continuous monitoring. This enables visibility for Windows, MAC, and Linux devices connected via VPN even if they are offline.

Utilizing Vulnerability Scanners Effectively in a Clinical Environment

Unleashing any scanner in a hospital environment can be a dangerous move. The chance of knocking down a clinical device is exceptionally high. Unfortunately, vulnerability scanners do not have good visibility into the type of device and tend to scan all the devices broadly in a sweep in a specific subnet.

The Ordr platform provides the orchestration layer to send scan jobs to the vulnerability scanners with a list of IPs that excludes critical medical devices for scans and then pull those reports for storage in the Ordr platform.

2.3 Ownership Assignment Using a Centralized Platform

Consolidating vulnerabilities

The need for a central platform to be a repository of all devices and their associated vulnerabilities is paramount now, given the increase in attacks and the complexity associated with vulnerability management in healthcare settings.

Vulnerability scanning platforms typically produce a report each time they scan using a set of IP addresses. When vulnerability scans happen every quarter or six months, during which the IP address of devices changes, there is no way to correlate two consecutive scan reports from a vulnerability scanner to understand the progress made in vulnerability management.

Ordr is the only platform that correlates these IP addresses to MAC addresses, and then the device makes/model/type to help prioritize and understand clinical business risk.

Assigning ownership

Sometimes ownerships cross the device type boundaries and can be complicated. An HTM department may own almost all medical and office-connected devices in a building that even includes phones, printers, nurse call stations and endpoints in clinical diagnostics. It is not a simple case of assigning ownership based on device group or type. A flexible, scalable, and easy transfer of ownership based on region and location is essential. Also, asset/CMDB data like ownership, cost center, and business criticality need to be considered while assigning ownership. Each department within a hospital that takes ownership of the vulnerabilities must assign further these vulnerabilities to each person responsible for those devices to prioritize and focus the  work accordingly.

Enhancements to Ordr Data Shaper allow each HTM user to focus on the devices and insights that align precisely with their specific business function group and role. For instance, vulnerabilities are prioritized and assigned to individual HTM personnel based on device type, hospital ID, department, cost center, etc. Ordr Custom Tags help improve workflows, for instance moving the vulnerabilities from one person to another, adjust severity, add comments, and track state change.  The product customizes itself to show only those vulnerabilities on the front dashboard to track progress and provides summary management reports at many levels.

2.4 Clinical Prioritization to Improve Patient Care

With hundreds of thousands of devices reporting hundreds of vulnerabilities, organizing and prioritizing becomes daunting. A disciplined approach is needed to prioritize them according to business impact and assign them to the right owners inside the organization.

For risk prioritization, the CVSS is an excellent proxy for understanding the severity of vulnerabilities. Still, it is also essential to look at other frameworks such as ANSI, AAMI, NIST, ISO, FAIR, Risk IT, or JGERR, for supplemental guidance and a more comprehensive understanding to recalibrate them, going back to the foundational principles of Integrity, availability, and confidentiality.

Since healthcare organizations have complex organizational boundaries based on clinical and patient care and not according to the IT needs of a typical enterprise, organizing the data according to ownership is essential.

Ordr’s deep and comprehensive visibility of devices, their operating context, and traffic flows provides a number of key indicators to answer the following considerations for prioritization. Ordr insights can be used as a way to flexibly assess the risk score of a device. Risk score customization helps to prioritize and assign resources to work on the most pressing vulnerabilities.

• How widely does this vulnerability affect the device population of an enterprise?
• What is the level of business criticality concerning cost or other metrics?
• What is the impact to hospital brand and service if impacted – send ambulances to nearby hospitals and postpone elective surgeries?
• How well is the vulnerability exploited in healthcare – like the MAUI ransomware from Korea was targeting healthcare very closely?
• How open these systems are to the external world from a firewall policy perspective?
• How open these devices are to other device in the network with respect to isolation and segmentation perspective?
• How much PHI/PII these devices, that includes medical workstations and servers have? the more they serve as a central server, the more priority they need to get to resolve their vulnerabilities quickly.
• How tightly these devices are configured with respect to open ports?
• How well they are managed with domain controllers; If the device is not part of the domain controller scrutiny should be made more closely on those devices?
• How well they follow data encryption standards and how well they use strong ciphers while transferring data?

Clinical risk assessment

In the hospital, the risk is derived from various device related factors and operating conditions. While understanding the cyber threat is foundational, the clinical context in which the device operates in a patient care setting is a critical consideration. Business impact needs to be quantified on how quickly and broadly these risks affect the operational resilience and how well one can safeguard the devices carrying PHI/PII data. Without this clinical risk-driven prioritization, patient care availability and safety cannot be guaranteed.

Ordr Clinical Risk Scores deliver the following details about devices and clinical risks, and can be customized by every organization:

• Aggregate Cyber Risk (vulnerabilities, external access to phishing/C&C type sites), Internal Communications (access from unprotected non-medical devices, the criticality of the device)
• Environmental Risk (Polluted medical VLAN, isolated or segmented device, access thru wireless, etc.)
• PHI Exposure Risk (sending data without encryption or with weak ciphers, based on manufacturers’ disclosure, device portability, etc.)
• Clinical, Operational Risk (Physical Risk, equipment in ER vs. OR vs. stroke protocol center, is the device mission criticality of the device, what mitigations are applied, and location of the device)

2.5 Compliance and Remediation with Maximum ROI

Once healthcare organizations have a central platform with vulnerability information from different sources independent of how it is collected, workflow organization is critical.

Some of the critical capabilities essential to managing vulnerabilities efficiently can be found using the new “Business Function Grouping” feature in Ordr Clinical Defender 8.1. They include the ability to:

• Assign vulnerable devices based on hospital ID, department (HTM, endpoint, infosec, facility, etc.). Each department needs to focus and work on the devices they are responsible for and assign individuals who would work on those vulnerabilities. It is also possible to completely restrict those individual users to only those devices that they are responsible for. You also need a platform to do this much more dynamically, filtering by any business function grouping of devices.
• Create a focus group. For example, if this month’s goal is to work on all medical servers (like PACS) that house a lot of PHI data, then filter and have only those devices present every time one logs into the tool that month.
• Assign custom tags to draw attention to a co-worker, so the device passes from one person to another.
• Temporarily ignore some vulnerabilities. Often manufacturer-provided patches are unavailable immediately, or these devices are in the research department, not put into routine patient care, and are isolated from the rest of the hospital operation
• Modify risk, although the original risk per the attached CVE could be very high based on the operator’s judgment. Ability to clear vulnerabilities once patches are applied. Sometimes it is conceivable to increase the risk and priority of vulnerabilities of specific devices like CTs and ultrasounds in stroke protocol trauma centers.
• Track the status of vulnerabilities that fixed, assigned, or ope with the name of the person working on it.

Reporting and Compliance Enterprise-Wide

While manpower and budgets are a key consideration to determine the return on investment, the time it takes to remediate is also a critical as the longer there is an exposure window, the greater the chance of a breach.  Resources need to be applied in an intelligent way to remediate critical vulnerabilities and get maximum return on investment.

Ordr offers an ability to keep a close watch on progress using various metrics and reporting as follows:

• Generate reports on-demand. For example, the flexibility to run select region, hospital, department, ownership, OS, and device type allows running reports on the fly.
• Customize reports for senior management visibility.
• Provide APIs that send data to a central corporate-wide tracking database.

Ordr makes reporting and customizations easy with a customizable risk score to adjust the weight ages for vulnerabilities, executive reports to provide summary insights into vulnerable devices, and a dedicated vulnerability report highlighting the impact of new open vulnerabilities on the organization.

Ordr also integrates and exchanges information with leading enterprise vulnerability scanners like Tenable and Rapid7 to provide enterprise wide reporting capability. Ordr also integrates with CMDB solutions like ServiceNow and their vulnerability management systems, allowing healthcare organizations to run corporate-wide reports for governance. Ordr collects medical and other device data and sends all the granular classification details, vulnerabilities, context, security, and operating details to these platforms.

Remediation

Based on various prioritizations, a project plan needs to be maintained, and remediation efforts tracked. Ordr provides an easy way to clear a vulnerability, change the state of the device and a comment field to add notes on the multiple steps towards remediation (called the vendor, the patch is available at this date, etc.

3. Best Practices for Vulnerability Management in Healthcare

Ordr recommends creating focus groups for each owner, with dedicated efforts on addressing critical vulnerabilities within 30 days, and with continued efforts by a few focus groups at a time. Once critical vulnerabilities are addressed, drill into high-risk vulnerabilities with the same focus group and ownership approach and remediate them within 60 days, It is always good to test the patches in a test or lab scenario before incorporating them on devices in clinical setting to reduce risks of downtime.

Ordr also recommends understanding device types and designing a strategy according to the device groups such as:

• IT systems that are not in clinical function – it is highly recommended that those devices are updated with the latest and most secure OS levels and associated patch levels.
• Medical devices that run  Windows (a large device group in a hospital) – it may be impossible to upgrade the OS versions as it might trigger calibration and certification; in this case apply all the patches within their OS level.
• Medical devices that are unique versions supplied by the manufacturer — a patch request must be made to the manufacturer; it is important to fix these vulnerabilities ASAP
• IoT and OT – since neither the IT teams nor the supplier may be available to provide patches, the best course would be to segment them into specific network segments or VLANs, and closely control their interactions with the rest of the clinical devices.

Whether patches are available or not, it is best practice to follow the following proactive prevention best practices:

• Restrict external connections and allow only those absolutely critical connections to manufacturer’s sites at the perimeter firewall
• Understand supervisory protocols like RDP that are sometimes opened for manufacturing diagnostics and closely watch and close those just as soon as the maintenance window is over.
• Watch for all supervisory protocols like SSH, Telnet, RCP, etc., and make sure they are all only allowed from admin jump servers handled by authorized admins.
• Apply zero trust policies to only allow the most crucial and relevant communications for every device at the switch level if they are wired, at the AP/wireless-controller level if they are connected thru wireless, or at the firewall level both at the perimeter and the data center.

Ordr Clinical Defender with Vulnerability Management

Ordr is the only comprehensive and integrated platform that simplifies vulnerability lifecycle management for healthcare organizations of all sizes. We introduced Clinical Defender earlier this year, addressing HTM challenges with precision focus, and have now proudly added vulnerability management as we continue to innovate and address our customers’ most critical challenges. Clinical Defender now aggregates  vulnerabilities for various device groups across all vulnerability management solutions, organizes them by hospital/department/owner, prioritizes by risk, and tracks the complete lifecycle from the initial assessment of a device to final remediation.

We are grateful to the various healthcare users that worked with our engineering and PM teams on this release.

To learn more about Ordr Clinical Defender 8.1 and how it can help your HTM team stay on top of connected device security, visit the Clinical Defender page.

Side Note: In a typical HTM department, inherent operating system (OS) vulnerabilities due to unpatched systems are the highest priority, much before tackling other security issues that may require implementing zero trust segmentation policies. This article discusses only vulnerabilities related to inherent OS/Patch levels. Check out other behavior and traffic flow related vulnerability discussions:

• Detecting Ryuk Ransomware with Ordr – Security Bulletin
• Solving IoT Security Challenges with Behavioral Analytics – Blog Post
• Ordr Security Brief and Response to Maui Ransomware – Blog Post
• Building a Better Second Line of Defense – Blog Post

Tactics, Techniques, Procedures and Recommendations of How to Triage

Perspective on the increase in ransomware attacks

Ransomware continues to make the headlines as researchers warn of a seven-fold increase compared to 2019. Healthcare is a very lucrative target, with attacks increasing by 350% in Q4 of 2019 (compared to Q4 2018) and continuing to rise through 2020. The pandemic provided a significant opportunity for any threat actor looking to target healthcare providers, as the focus shifted from a holistic look at patient care, health outcomes, experience, revenue, and security to health outcomes. In addition, there has been a mass influx in connected devices deployed in facilities without the proper purview of IT and Security teams, leading to an incomplete asset inventory and clear visibility of how/where devices are communicating.

Ransomware as a viable threat to healthcare organizations has led to sophisticated attackers with complex and targeted campaigns. The recent wave of ransomware campaigns looks more like a hands-on hack than an autonomous piece of malware propagating across the network. The operators facilitating the recent ransomware attacks are heavily incentivized to make sure their malware is extremely effective at propagating diverse networks. We have seen simple pieces of malware like trojan droppers install remote control functionality and backdoors which allow these ransomware operators to then get on to the healthcare network and then run tools like Cobalt Strike to privilege escalate themselves to admin. Once admin privileges have been granted, these ransomware operators begin turning off the malware detection and incident response programs on the infected devices. We’ve seen these operators use tools like Mimikatz to dump memory and gather local admin passwords or common user passwords on systems. Once common passwords have been gathered, the network is theirs for the taking. In organizations that use Remote Desktop Protocol (RDP) on workstations and servers, we’ve seen these compromised local administrator accounts used to install and distribute the ransomware. We’ve also seen these attackers run PsExec and PowerShell scripts remotely by mounting remote shares (like IPC$ and C$) using the compromised credentials. If local or commonly utilized credentials cannot be gathered from initially infected host we’ve seen them pivot to other hosts, or use common exploits kits to propagate throughout the network. These operators are skilled and unfortunately most healthcare providers and healthcare delivery organizations are trivial to compromise once these ransomware operators are inside.

Healthcare organizations that have vulnerable services on the edge of their network get compromised easily by autonomous scripts that are constantly scanning the internet. Once compromised, the script drops a payload that includes all of the tools the operators need for privilege escalation, exploitation, and lateral movement. Many healthcare organizations have flat networks, and utilize common local administrator accounts on largely unpatched systems. It is common to find legacy and largely unsupported operating systems like Windows XP running on both workstations and critical medical devices which cannot be patched and are running vulnerable services like SMBv1 that are available to the entire network. Simply put, once the initial compromise happens, it is largely trivial for these ransomware operators to infect an entire healthcare organization within a few hours.

Let’s discuss the 3 most common ransomware campaigns that are targeting healthcare providers and healthcare delivery organizations and what their TTPs are:

Zeppelin

Brief Description:

The Zeppelin ransomware is believed to be operated by a Russian cybercrime group however very little is known about the operators. The initial infection code checks to make sure it will not infect machines located in Belorussia, Kazakhstan, Russian Federation, or Ukraine. The Zeppelin ransomware code is largely is based on a purchasable ransomware variant known as VegaLocker which is available on multiple hacking and ransomware as a service websites and forums. The initial infections of Zeppelin began in the beginning of 2019.

What does a Zeppelin Compromise typically look like (TTPs):

1. Typically, a spam or phishing email is received by an organization that includes an infected document that download and installs malware onto the system.
   1. Some initial infections appear to be Vidar Spyware or the CobaltStrike penetration tester toolkit.
2. Recently the Zeppelin operators appear to be exploiting vulnerable RDP, Apache Tomcat, and Oracle Weblogic servers available on the internet.
3. Once connected to the infected system the operators will install PowerShell scripts and PsExec.
   • In some Zeppelin instances a legitimate remote desktop application called ScreenConnect is initially installed (if it doesn’t already exist). The Zeppelin operators will connect to the ScreenConnect service and install the PowerShell scripts, privilege escalation tools, and PsExec.
4. The Zeppelin operators will run a set of PowerShell Anti-Anti-Virus scripts and turn off logging to prevent detection and subsequently dump memory looking for local accounts that can be used to either propagate throughout the network or compromise the domain controller.
5. Typically, the Zepplin operators attempt to compromise the domain controller and once compromised they create a domain admin account to distribute the Zeppelin ransomware throughout the network.
   • The domain admin account that is typically created is called “SQLSvc”.
   • If the domain controller is difficult to compromise, they attempt to distribute the Zeppelin ransomware using compromised credentials dumped from memory of infected systems and propagate through file deployment and execution by PsExec.
6. Once on the Domain Controller, they deploy a command to all connected devices to download Anti-Anti-Virus and Anti-Backup scripts along with the Zeppelin ransomware.
   • The Zeppelin operators utilize the certutil command on Windows to download and infect machines with the scripts and ransomware.
7. Finally, the scripts and Zeppelin ransomware is executed on all connected devices via PsExec.

Ryuk

Brief Description:

The Ryuk (aka Conti) ransomware is known to be operated by Russian cybercrime group. The Ryuk ransomware was largely based on a previous ransomware codebase known as Hermes which was possibly created by a North Korean hacking group and is purchasable from multiple hacking and ransomware as a service websites and forums. The Russian cybercrime group started targeting healthcare organizations in late 2018.

What does a Ryuk Compromise typically look like (TTPs):

1. A spam or phishing email is received by an organization that includes an infected document that drops a trojan downloader/bot that includes several tools for remote access, privilege escalation, and lateral movement.
   • The most common malware that is installed is (Emotet, TrickBot, QBot).
   • Many believe that the Ryuk operators are working with the Emotet and TrickBot deployers in order to purchase previously infected systems within large networks.
2. The Ryuk operators gain access to the Emotet/TrickBot compromised machine typically through a PowerShell script that launches a reverse shell that connects to the Ryuk operators.
3. Once on the infected system the Ryuk operators turn off all PowerShell logging and run Anti-Anti-Virus scripts to prevent detection.
4. Common lateral movement, privilege escalation, and exploit kits are downloaded onto the infected machine.
   • It is common for the Ryuk operators to utilize the PowerShell Empire post exploitation kit.
5. The Ryuk operators dump the infected machines memory looking for local accounts that are used on Workstations and Servers throughout the network.
   • If local credentials are not found, the operators will use common exploit kits.
6. Lateral movement and infection happen either via RDP or through PsExec.
   • Typically, the domain controller is initially targeted and if compromised the domain controllers will typically be used to distribute the scripts and Ryuk ransomware to all connected users/computers.
7. Anti-Anti-Virus and Anti-Backup/Recovery scripts are run on soon to be infected machines in order to prevent both detection and recovery from the Ryuk ransomware.
8. The Ryuk ransomware is deployed to all machines using PsExec and a local service is created and started to run the Ryuk binary.
9. The Ryuk operators sometimes oversee the infection to ensure that it is successful and once infected they start emailing employees informing them of the infection and to reach out to them via an anonymous email where payments are later discussed. The payment amounts typically vary depending on the size and the revenue of the organization that is infected.

Sodinokibi/Sodin/REvil

Brief Description:

Sodinokibi (aka Sodin, REvil) is another ransomware-as-a-service operation which started in April of 2019 and is believed to be created and operated most likely by the same Russian group behind the popular GandCrab ransomware. In early 2019 the Sodinokibi group is believed to have hired affiliate hackers with a guaranteed payment of $50,000 USD and between 60% to 70% cut of the revenue after payments were secured from victims. The developers of this ransomware regularly post updates and new functionality to their code. Once installed, Sodinokibi ransomware initially looks for the computers language settings and will not infect if the set language is used in most former Soviet Union or Middle Eastern countries. The Sodinokibi ransomware has been seen using several TTP’s including manual and automated drive-by compromises using spam/phishing attacks, common exploits, and previously compromised passwords.

What does a Sodinokibi Compromise typically look like (TTPs):

1. It is difficult to describe the typical attack method used to deploy the Sodinokibi ransomware as there are several which leads some security professionals to believe that Sodinokibi is being operated by multiple cybercrime organizations.
2. Sodinokibi has been seen distributed as a spam or phishing email that is received by an organization that includes a heavily obfuscated malicious JavaScript that includes PowerShell scripts that will turn off logging, disable antivirus functionality, and ultimately installs the Sodinokibi ransomware.
3. The Sodinokibi operators also appear to be exploiting vulnerable WebLogic and RDP servers available on the internet.
4. After the initial infection the Sodinokibi operators drop various exploit and privilege escalations kits to laterally move throughout the network.
   • Similar to Zeppelin the Sodinokibi operators typically use the certutil command on Windows to download their scripts, exploit kits, and ransomware payload to infected machines.
5. Once infected with the Sodinokibi ransomware, the malicious binary deletes all file shadow copies on the infected system and disables recovery mode in order to ensure that the encrypted files could not be restored from a local backup.
6. The Sodinokibi ransomware includes several persistence and Anti-Anti-Virus and Anti-Backup/Restore functionality making the installation easy. This functionality makes it more autonomous for the operators which is why we sometimes see Sodinokibi installed in simple drive by attacks on vulnerable internet facing servers and services.

One concerning tactic that most ransomware as a service operators are starting to employ is to exfiltrate several important files from an infected organization and threaten to both publicly disclose the breach and publish the important documents on their blogs typically hosted on the Dark Web. We’ve seen many ransomware operators publicly announce and release sensitive material for companies that did not pay the ransom.

Recommendations on using Ordr to Protect Against Ransomware

1. Discover and identify your weak points​
   • Identify devices running legacy versions of Windows that are running SMBv1 (such as Windows XP and Windows 7) The Ordr IoT Discovery Program allows you to quickly identify these devices. In Ordr’s Rise of The Machines Report, we identified that 15-19 percent of our deployments had IoT devices running on legacy operating systems Windows 7 (or older).
   • Identify devices with known vulnerabilities as attackers will try to exploit them them. Use Ordr’s built-in scanner or take advantage of our integration with vulnerability management solutions like Rapid7 and Tenable.
   • Identify high-risk and vulnerable devices that cannot be patched. Using Ordr integration with winRM, you can identify device operating systems and status of patches.
2. Enable proactive segmentation​
   • Using Ordr, systems that cannot be patched need to be isolated.  Ordr allows you to easily create segmentation policies that restrict devices to only sanctioned communications required for their functions.
   • Work with Ordr and our firewall and networking infrastructure partners to enforce these segmentation policies in your existing infrastructure.
3. Monitor for Ransomware Indicators​
   • Identify anomalous communication using the Ordr Flow Genome. This can include discovery of sequential scans on the internal network, and anomalous SMB, RDP, and RPC communications utilized in lateral movement.
   • Alert on common exploits and known ransomware payload URLs used in lateral movement such as EternalBlue.
   • Alert on common C2 communications to known ransomware payload servers; when infected machines reach out to these malicious sites, the Ordr product will alert on them.
   • Track user logon/logoff activities using Ordr. Our platform provides a mechanism to pull user logon and log off activities from Active Directory and also track locally created users. This allows you to ensure the right users have access to vulnerable machines and identify any anomalous user accounts created within the network by threat actors

If you’ve already been attacked by ransomware, here are recommendations on how to deal with it, as described previously in this blog, A Primer on Preparing for and Responding to Ransomware for Users of IoT and IoMT. Note that with ransomware examples in this blog, there are no decryptors available at this time.

If you have questions about ransomware protection, please contact us at info@ordr.net. We work with a number of excellent integrators and managed security providers who specialize in protecting healthcare and other industries that are heavily invested in the use of connected devices.

The Internet of Things (IoT) and other connected devices have been integral to the efficient operation of manufacturing lines for decades. Security of the production line was maintained by isolating equipment in what was known as the Purdue Methodology—air gapping the network to keep it out of reach from threat actors. But as digital supply chains required hyperconnectivity to enable data exchange and greater levels of automation, the air gap was bridged, and manufacturers became vulnerable. A new Purdue Method is needed.

Fortunately, the means to protect connected devices on the production line is available. The following article offers insights and best practices to help guide an IoT security strategy for manufacturers.

The use of IoT in manufacturing continues to accelerate and evolve, as do the threats that come with the convergence of OT and IT. Recently, NSA and CISA released an alert warning manufacturers of potential security vulnerabilities in their OT systems. The alert cited an increase in the number of threats to OT assets including ransomware, spear phishing attacks, and the modification of control logic parameters, among others.

The primary driver of the emerging threats to OT is the unification of OT devices and systems with IT and IoT, or as NSA describes it, the proliferation of “internet accessible operational technology.” This increase in the number of OT devices and systems that integrate with IT is the result of developments in technology, evolving features and capabilities, the movement of network access control vendors into OT, as well as mergers and acquisitions.

In this article, we look at some of the use cases for IoT in manufacturing, as well as the challenges and opportunities that manufacturers face at the intersection of OT/IT. But first, a couple of quick definitions.

https://www.youtube.com/embed/Ex1_s6bsYr8?feature=oembed

What is IoT in manufacturing?

IoT in manufacturing is the subset of the industrial internet of things (IIoT) specific to manufacturing applications. IIoT is the network of sensors and devices that connect to computer systems and industrial software applications.

While IIoT refers to industries such as retail, utilities, or transport, IoT in manufacturing specifically applies to the Internet-connected sensors and devices used to track and produce goods more efficiently.

Both IoT in manufacturing and IIoT are themselves part of the broader internet of things (IoT), which comprises all the internet connected devices and sensors across domains. When people talk about IoT in practice, however, they’re typically referring to the consumer applications—such as smart home devices—so we’ll stick to using the term IIoT for sake of clarity.

What is operational technology (OT)?

Operational technology (OT) consists of hardware and software components that monitor, control, and create changes in industrial equipment, devices, assets, processes, or events. OT technology systems may control industrial elements such as engines, conveyors, valves, or machines that are directly connected to the manufacturing process.

While OT systems were once commonly siloed from IT (or at least thought of as distinct from IT), the present trend is toward more integration of IT and OT systems. Three primary factors are driving this convergence of IT/OT:

1. Increased reliance on/availability of remote operations and monitoring
2. Outsourcing OT asset management and/or maintenance
3. Decentralized workforces

The trend toward more unified OT/IT systems and greater IoT connectivity in manufacturing brings new capabilities and control for manufacturers, but also some risks. In the next section, we’ll explore some IoT in manufacturing use cases, benefits and challenges, as well as some of the ways manufacturers can mitigate these risks.

Use cases: IoT in Manufacturing

The digital transformation of the manufacturing industry is changing the way production environments and supply chains work by improving efficiencies, automating processes, and adding intelligence.

But challenges accompany these opportunities, and manufacturers will need a strategy if they are to successfully capitalize on these benefits without compromising security or efficiency. Before we look at some specific use cases, it’s important to consider some of the needs manufacturers will face as IT/OT continue to converge:

• Visibility – Decisions about which OT devices and systems will be used are increasingly being made by multiple stakeholders in the supply chain. Manufacturers need visibility into all of these devices, as well as a system for asset discovery, classification, and segmentation for those with security vulnerabilities.
• Compliance – IoT, IT, and OT compliance depends on navigating an increasingly complex system of regulations. Understanding which devices are governed by each specific set of standards can help manufacturers cultivate robust security and remain in compliance.
• Efficiency – Aging devices put manufacturers at risk of losing efficiency as operating systems become obsolete or outdated. Recognizing which devices can still be secured can increase their longevity and avoid downtime.
• Intellectual property – As the number of attacks on OT and IoT devices continues to increase, manufacturers are at increased risk for theft of intellectual property. Manufacturers need a strategy for identifying business-critical devices and flagging abnormal behavior in order to protect their most valuable assets.

Manufacturers already rely on IoT devices and connectivity to drive production, quality control, and machine utilization, and additional use cases continue to evolve as OT/IT merge. These include the rise of predictive maintenance, real-time monitoring, remote management, and the collection of consumer insights.

Predictive maintenance

With the aid of sensors and the increase in data from manufacturing equipment, companies can now detect and predict failure before it occurs. For example, an analytical model may find that a machine has a high probability of failing when it breaches a specific temperature threshold. With this information, the monitoring applications can alert the machine operators when the event occurs, and they can then promptly replace it before causing larger issues with production.

According to Fortune Business Insights, the global market for predictive maintenance is expected to grow at a CAGR of 29.8% through 2026. That makes predictive maintenance one of the most rapidly expanding aspects of IIOT technology.

Monitoring in real time

Anyone in the production process can have access to data in real-time, which means anticipating and rapidly responding to changes or incidents that may impact production. Ultimately, this kind of real-time monitoring helps prevent down time and speeds up production.

Remote management

IIoT connected devices and digitally controlled machinery allow for fully remote operation of a production line. Many businesses choose a hybrid approach, in which some parts of the production line are automated and/or remotely controlled, with others operated by humans. Remote management has become more prevalent now that workforces are becoming less centralized.

Supply chain asset management and tracking

IIoT devices can help businesses understand how different parts of the supply chain are operating by tracking and monitoring how both raw materials and finished products move through the different production and transportation processes. This can not only help understand the overall state of production, but also glean insights into areas that could be optimized or costs that could be reduced.

For example, a complex supply chain may receive raw materials from numerous different vendors. A backup in just one of these deliveries can cause a bottleneck in production and cause expensive delays. By tracking how all materials are moving through the organization, management can quickly understand exactly where the issue is and make necessary adjustments to resolve it before causing larger delays.

Digital twins

Digital twins are computer-modeled simulations of a physical object or process. For example, a 3-D model of a building is a digital twin of the actual facility. While traditionally used to plan the structure and characteristics of a physical manufactured product, a digital twin can be used in conjunction with IoT systems to map out the digital representation of a production line to test and simulate changes to the manufacturing processes. Digital twins can also be used to mirror processes and model diagnostics.

For example, a business may want to understand the effect of changing the speed of a specific process. Using a digital twin and data from IIoT sensors, it could rather run a computer simulation to understand the impact of the speed change on the rest of the production line.

Building and operational systems

Manufacturing environments include a variety of operational technologies and devices, including HVAC, surveillance, access control, and energy systems. IIoT systems can be added to these to monitor their status and even adjust them remotely.

By doing so, these operational technologies can become intertwined with the broader supply chain and digital models. For instance, the climate systems may have an effect on the quality of the production process and therefore that data can be combined with the machinery data to run predictive maintenance and other types of models that may otherwise be difficult without the environmental context.

Collecting consumer insights

Manufacturers can use connected tools to gather data on consumer usage and track demand patterns. As a result, business managers remain agile and able to adjust the product to stay ahead of these trends. This increased responsiveness allows even large companies to be nimble and maximize customer satisfaction.

Challenges to IIoT in manufacturing

The merging of OT and IT technologies, as well as the increased accessibility of IoT devices present manufacturers with opportunities to minimize disruptions, streamline production, remotely access and monitor data, and ultimately drive revenue. But there are other considerations that manufacturers must take into account if they are to fully realize all the potential that OT, IT, and IoT offer.

Security & threat protection

According to Gartner, 75% of all OT security solutions will be provided by multifunction platforms that integrate with IT by 2025. With the exponential growth of connected devices in manufacturing facilities, these IIoT devices create an expanded attack surface. Threat prevention will become even more important as more OT devices interface with IT.

The threat of attacks has far reaching implications for manufacturers: in addition to disrupting production processes, attacks can also impact revenue and—in the worst-case scenario—compromise employee safety on the manufacturing floor. The security of these devices is critical to maximize uptime and optimize manufacturing processes, particularly as many remain in service for years and may become more vulnerable to attacks as they age.

Asset management

Manufacturers have an increasingly large inventory of assets to discover, evaluate, classify, and manage. The proliferation of IoT-accessible OT devices will only increase as the number of decision-makers in the supply chain expands, remote management of facilities and processes becomes more prevalent, and workforces become less centralized. Knowing exactly which assets are vulnerable is critical for providing adequate security measures and for maintaining production processes.

Operational resilience

According to a recent Gartner Risk Management Survey, one of the most common risk priority areas identified by respondents is the need for improved operational resilience for OT systems. That means understanding risks, anticipating potential disruptions, and planning for business continuity in the event of an incident, attack, or other breakdown in the production process. As the number of internet accessible OT devices increases, planning for operational resilience will become more complex.

Regulatory compliance

The patchwork of regulations governing OT/IT/IOT devices can be particularly challenging for manufacturers, and this problem will only continue as more and more devices and processes are integrated into the IIOT. Being able to map each device or component to the correct regulations plays a critical role in maintaining security and meeting regulatory requirements.

Secure all your connected devices

Manufacturing companies are embracing the convergence of IT and OT in hopes of capitalizing on the benefits brought by internet accessible OT devices. These benefits include more control over production processes, access to real-time data from remote locations, the ability to decentralize their workforce, and improved efficiencies that drive revenue growth.

As more OT devices become IoT-compatible, and as OT and IT security protocols continue to merge, manufacturers should have a plan for discovering and assessing all of their connected devices, including those used throughout their supply chains.

Most importantly, these devices must be evaluated and secured against the growing threat of security breaches. Ordr Systems Control Engine (SCE) can enable visibility and security of all your connected manufacturing devices. Try a demo of Ordr to learn how to keep your manufacturing devices—and the data they collect and share—safe and secure.

Introduction

As Ordr has gained momentum over the years, the breadth and depth of our data lake have exponentially grown, with more customers adopting Ordr and extending our solution to protect more parts of their environments. More customers and more departments of each customer’s environment mean more devices, which means more data being ingested to our platform. The growth of our data lake can also be attributed to more external inputs as we increasingly take in new sources of device context data to provide deeper insights and help our customers understand risk.

The rate of data growth we have seen creates unique challenges on the visualization side. Recently we paused to think about how our solution could better organize and present vast amounts of rich analytical data in a way that is both accessible and valuable for our users. It is truly an art indeed on how to balance the desire for simplicity with the appetite for the rich context that goes with it.

As our user base expands to new roles and personas, the product must adapt to different outcomes relevant to each user. Each user’s level of expertise and area of interest may vary, and workflows must cater to these users seamlessly. A product must meet the needs of different roles without the need to fork and build a dedicated version to satisfy the diverse needs of each user. A daunting task is less often discussed but is nevertheless critical to maximizing value for users.

With full awareness of our challenge, we set off to radically improve how we present our ever-increasing data in the most impactful, simple way to our expanding universe of users.

The Approach

As part of our product design process, we decided on an iterative approach called “design thinking,” a process defined as:

A bottom-up, non-linear, team-based iterative process that seeks to understand and empathize with users deeply, challenge existing assumptions, redefine problems, and brainstorm innovative solutions to prototype and test with customers.

Design thinking gave us a framework of 5 stages that include:

Empathize > Define > Ideate > Prototype > Test

With the design thinking framework, we set up a series of workshops and enrolled a range of users from our customers and prospects representing a variety of user roles to provide us both depth and breadth of insights and feedback we needed to collect requirements.

We started the process by asking our users the simple question:

How can we design a better user experience to make the data we provide in Ordr simple to understand and valuable for you and your role?

Some of the key requirements we heard from our design partners included:

• Organize information to fit my role and help me filter out the noise so I can focus on the information I need.
• Surface insights most relevant to my role and make them clear. Insights are the road signs that help me make decisions as I look at data.
• Allow me to “shape” and organize data to fit my needs in a fast and fluid way.
• Help me maintain the context of my data so I don’t “lose my place” as I move around the application.
• Let me see different views so I can analyze data from different perspectives and uncover insights that might otherwise be missed.
• Prioritize content over color to me understand the structure of my data without unnecessary visual distractions.

The New Model Emerges

A key takeaway from the workshops was understanding that one user’s noise is often another user’s signal. It was clear that the new model needed to present data in a simple, customizable way without sacrificing the impact or richness of the data.

A query language approach is a good option, but it could not address the signal-to-noise problem without impacting other user requirements we had gathered during the workshops. For a query language approach to be successful, a user needs to know what they’re looking for and needs to become proficient in the new syntax and semantics of the language. This impacts adoption and time to value – two things we were not willing to sacrifice.

Our analytics engine is rooted in the foundational principle of surfacing a constant stream of prioritized insights in real-time vs. waiting for a user to “ask” for data using a query. In our view, the solution would come from a comprehensive understanding of the intersection between increasing data richness and a variety of UI/UX information retrieval approaches working together to achieve the desired result.

Pillars of the Model

From our learnings in the workshops, we defined the following seven pillars that guided the design of the UI/UX presentation model.

PILLAR 1: Create a clear consolidated experience for each role

Our users have distinct roles, backgrounds, traits, abilities, and dispositions. We expect this diversity will continue to expand and increase in complexity.

Scoping data coming into the UI based on a user role allows us to reduce the less relevant data (noise) and deliver a clean baseline of data (signal) for each user. With this in mind, we established a persona-based user experience, which requires filtering data from the data lake for a specific role and persona.

Persona-based filtering is easier said than done. The whole platform needs to run dynamic queries in the backend to customize itself on the fly. For example:

• An inventory and asset management workflow requires data on devices and relevant vulnerabilities.
• A security incident response workflow requires data on the latest alarms across all assets.
• A forensics workflow requires data on traffic flows and patterns.

For example, we designed a user role for Healthcare Technology Management (HTM) that switches the entire UI dashboard and shows only data relevant to their role and daily workflow needs.

The UI adapts to these wildly diverse use cases and data requirements while catering to each user’s role.

PILLAR 2: Provide each user with contextual insights

Insights offer users top-level guidance like a road sign to separate the signal from the noise. Our model uses computationally intensive methods to surface insights in real-time, tailored explicitly for each role.

Each user requires a different dashboard and depth of context for the workflow they are interested in to be presented as top-level data.

PILLAR 3: Allow each user to shape data relevant to their role

Data Shaping controls the scope of data allowing each user to either explore data or “set and forget” a view for specific workflows. Data Shaping reduces clutter by reducing the number of devices displayed, making it easier to slice and dice the data more cleanly.

For example, in our system, setting the data shaper to a specific location only shows the devices in that location and associated data. Whether the user is in a sub-section of the product or moving across the hundreds of panels, they see only data relevant to that location.

Another example is a radiology technician using the shaper to focus on radiology-related devices. The entire product today customizes itself to radiology devices across all panels and screens. That radiology technician can now work on security, traffic analytics, vulnerability management, risk management, or policy provisioning without being shown the “noise” created by other non-radiology devices.

PILLAR 4: Enable context-aware search across the entire UI

When the data set accumulates over time into several terabytes, launching a generic search that takes more processing time to respond back after several seconds does not usually present a good user experience. But tailoring the search function to each panel where the user is currently focused on reduces the data set to search and narrowing search parameters resulting in faster query time as well as better user experience.

As an example, in each table and each panel, search parameters differ as follows:

• Device detail table provides a search function on thousands of device attributes.
• The security alarm panel provides a search capability using alarm categories as parameters.
• The traffic analytics panel provides a search capability related to traffic/flow parameters.
• The application panel provides a search based on destination URL or application protocol details like port numbers.
• Search enabled in every column of a table with parameters within that column for further quick deep dive of data.

Implementing context-aware search in each panel when there are hundreds of panels is a huge undertaking. But now that it is designed in, it is well worth the effort to minimize complexity for the user.

PILLAR 5: Allow users to easily share findings and views

Once a user has reduced a view to a list of devices that need further action, that view, including the entire context, can be easily shared with others as a URL. Another user clicking that URL comes back to the same screen with a list of devices without having to search and filter for attributes. This is a perfect example of how context gets naturally amplified with the power of sharing. Our system today allows users to save the context at various places in the navigation workflow and share it with their colleagues.

PILLAR 6: Allow users to enforce policies quickly without losing context

The action framework allows users to take quick action on any device, alarm, or vulnerability without losing context in the UI. For example, today with this release, a user can identify a list of vulnerable devices and move that complete list to a quarantine VLAN with a single click. Another example is too easily clear a series of alarms associated with devices that have the same make and model with one click. Invoking an action that requires multiple steps in action sequence right within the context without losing focus is critical to get workflows accomplished quickly.

PILLAR 7: Allow users to define their own region/location for easy aggregation

Ordr gathers location information from various sources including switches, access points, and network management systems. Device location is extremely granular in Ordr and is helpful to track a device as it moves through an organization or locates a device that has gone missing. It is critical to know exactly where a device that is affected by malware/ransomware is connected in the network (switch/port or AP/SSID or VPN (Virtual Private Network) or external).

But for manageability purposes, users want to use location to view all devices in a specific region, site, or location within that site. A location means something different from user to user, so customization is critical. The need to present data based on business function was a key driver for this, and it avoids all the clutter. For example, a user responsible for the Phoenix division can use location to focus on the devices in the Phoenix location only and not have to see devices in other locations. Our ability to aggregate micro-locations into administrative regions is very well received by our customers, given the distributed nature of the various hospital chains as well as the continuous changes in organizational hierarchy due to mergers and acquisitions.

Combining the Pillars

Ordr provides users with details on over a thousand attributes for each device. Attributes include details such as device OS, software stack, vulnerabilities, where the device connects from, connection methods, what the device communicates with internally and externally, risks based on behavior, context information from various tools, and users who have logged into the device.

Ordr is indeed a complex and dynamic system with vast amounts of data and potentially limitless insights. Using all seven pillars in combination, we believe our approach dramatically improves the signal for each user and does so in the context of their specific workflows to ensure they can use our platform and insights efficiently. This platform approach also supports our quest to make the complex problem of securing every connected device simple.

We recently launched Ordr 8 Clinical Defender with persona-based workflows designed for healthcare HTM users. With this new release, we applied the pillar framework above and created a foundation for a scalable platform that will produce many persona-based workflows operating on a single customizable and robust backend data set.

We received some excellent feedback as we shared our latest release and here are some of the things we heard:

“It is refreshing to work with a vendor that listens and empathizes with issues and pain points from customers. It’s exciting to see the rubber meet the road regarding suggestions and requests.”

“Loved what I saw in the review of new GUI.”

“Data shaper simplifies my current operation dramatically.”

“I like simplified search and its’ consistency throughout the product.”

“Location-based shaper is huge both for remote clinic management and for M&A (Mergers & Acquisitions) situations.”

Moving forward, we will keep working with our customers and prospects as design partners in this “design thinking” framework to continually evolve our platform. In the end, it is all the constant customer feedback that makes Ordr an excellent product.

We will be back soon with more updates on how the Ordr platform continues to evolve.

As the war in Ukraine broke out in late Feb, security teams around the globe took notice. Russia has long been a focus in the fight against cybercrime, and their aggression raised concerns to new levels with fears that cyberattacks could increase with a focus on the US and other western countries. On March 21, 2022, President Biden confirmed the rising concerns with a statement warning of a potential increase in Russian cyber activity targeting the US, allies, and partners. As organizations across the globe were taking steps to improve cyber defenses, we heard from many of our customers asking what Ordr could do to help improve security, threat prevention, and the ability to monitor their environments. A primary requirement was the ability to identify devices in their environments that had communications with potentially malicious Russian sites.

By continuously analyzing network data, Ordr uncovers all connected device communications within an organization as well as communications to external sites. We also assess the risk for these communications and provide that insight to every customer in our UI. To make these insights a little easier to access, we created a focused report that our customers could run to get a quick view of the exact flow level details of medical devices communicating with Russian sites and assess the risk. You can learn more about the report in this video:

While our customers could collect some of this data from various tools across their environment, only Ordr combines communication insights with device context.  This triangulation methodology from multiple sources helps them understand the risk of communication and provides them with the details needed to pinpoint the device at risk and quickly craft the proper response to eliminate the threat.

Helping Everyone Understand the Risk

Ordr’s continuous analysis of network data and the report highlighting communications to Russia is available to all Ordr customers, providing necessary details to help them understand and quickly respond to potential threats. We also wanted to share our insights beyond Ordr’s customers to help others understand the potential risk to their environment.

The threats uncovered below focus on medical devices; however, these threats are not limited to just medical devices or the healthcare industry. Attackers target connected devices in all industries, including manufacturing, financial services, retail, and utilities. Attacks not only target medical devices but also operational technology (OT) devices such as HVAC systems, elevator controls, and connected cameras that are common across all industries. Many of these devices are critical to business operations even if it seems there is no direct connection, and a successful breach could have a significant impact. For example, an attack that takes an HVAC system offline could create unsafe conditions in the emergency ward and hamper patient care.

Before getting into the details of our findings, here’s an extremely brief overview of how Ordr works and some of the details we uncover for each device:

Device Insights Provided by Ordr

Ordr analyzes data collected from multiple points in the network to discover every connected device.  We also uncover details to accurately classify every device and identify devices with vulnerabilities and potential threats. With our approach to collecting and analyzing network data we provide granular device insights without the need for agents or scanning and no impact on device operations.

Ordr insights help customers understand the exact devices connected in their environment, how those devices fit into the organization, and their potential risk. Ordr device details include:

• MAC Address – Important detail but identifying a device by its MAC alone can be limiting and misleading.
• IP Address – Since IP addresses can change, Ordr provides a historical view of a device’s IP addresses.
• Operating System – Helps to identify devices running an outdated or unpatched OS.
• Device Profile – Includes the manufacturer and model.
• Device Group – How the organization has grouped the device and its role in the environment (e.g., medical, mobile, office equipment, facilities).
• Device Type – Details including exact model number and firmware version to understand specific threats that may impact the device.
• Device Category – The type of device (e.g., CT scanner, infusion pump, patient monitor)
• Device Location – The exact physical and network location including the switch/port or access point/SSID the device connects to.

Communication Insights Provided by Ordr

Ordr also uncovers internal and external communication insights for each device by analyzing network data. This post focuses specifically with devices communicating with Russian sites but could also be used to identify communications with other restricted or high-risk countries. Ordr insights specific to devices communicating with external sites include:

• Destination IP – IP address of the site communicated with.
• Destination Domain Name – Domain name of the site communicated to.
• Destination City – Approximation of the site’s city. NOTE: Obfuscation techniques will impact accuracy (e.g., The Onion Router (Tor), VPN, etc.).
• URL – Complete the URL of the communication.
• URL Category – Category of the site (e.g., gaming, shopping, advertising, government, military, etc.).
• Reputation score 1 – URL reputation derived from a leading threat feed.
• Reputation score 2 – URL reputation derived from another leading threat feed.
• Receive Bytes – Number of bytes received by devices from the site.
• Transmit Bytes – Number of bytes transmitted to the site from devices.
• Last Activity – Timestamp of the last activity from devices to or from the site.
• Incident Type – Classification of the destination site (e.g., malicious URL, SPAM URL, etc.).
• Incident Score – Determined by aggregating multiple factors of device communications
• Aggregate Score – Determined by aggregating multiple factors of a device and its communications (e.g., vulnerabilities based on OS version, east-west communication analyzed using IDS signatures, external communication with malicious websites, etc.).
• Risk State – Overall assessment of device risk and potential impact to the organization (i.e., Critical, High, Medium, Low).

Ordr Analysis and Findings

For the insights that follow, the Ordr platform performed deep analysis on data aggregated and anonymized from 50 large health care chains, each consisting of multiple hospitals. The details below focus on medical devices used in healthcare settings such as infusion pumps, patient monitors, EEG/ECG, MRI/CT scanners, X-Rays, ultrasounds, medical gateways, medical workstations running medical apps, medical servers used to process and store patient data, and other connected device in the clinical setting delivering patient care. As mentioned previously, these threats are not limited to healthcare devices or the healthcare industry.

The goal of this analysis is to shed light on the potential threats so that organizations across all industries can be better prepared and take proper steps to secure their environments.

NOTE ON METHODOLOGY

• All data was aggregated and anonymized before analysis. None of the following details pertain to a specific customer, manufacturer, or device.
• Network Time Protocol (NTP) is a required service, and some devices may have legitimate reasons to communicate with Russian hosted NTP servers. Communications to Russian NTP sites have been removed from this analysis.

Top Russian Domains by Traffic

The first analysis highlights Russian domains that were identified for sustaining the highest levels of traffic into and out of the organizations we analyzed. While these domains may look somewhat benign, each may have the potential to be used to distribute malware or perform other malicious activities. Many of these sites are known to generate intrusive online ads and collect personal information. Device communications to any of these domains should be scrutinized to determine if communication is required and expected.

• *.yandex.ru
• *.ssp.rambler.ru
• ssp.adriver.ru
• sm.rtb.mts.ru
• *.rutarget.ru
• counter.yadro.ru

Devices Communicating with the Largest Number of URLs

The next analysis identifies device types that have communications with the largest number of Russian URLs. Many of these devices perform critical functions in healthcare environments and we can infer these types of devices are top targets for attackers.

Devices Communicating with the Smallest Number of URLs

The following medical device types have communications with the least number of Russian URLs compared the devices listed above. Like the devices above, many of these devices provide critical functions in healthcare environments and although they communicate with fewer Russian URLs, this activity should still be scrutinized to determine if communications are required and expected.

• Video Digitizer Recorder
• Coagulation Meter
• Perimetry System
• Blood Gas Analyzer
• Radio Fluoroscopy
• Surgical System
• X-ray Volume Imaging
• MR Image Analysis System
• Mobile X-ray System
• Molecular Diagnostics System
• ECG
• Anesthesia Cart
• Hematology Analyzer
• Digital Radiography System
• EEG
• PET/CT System
• Computed Tomography
• PET Scanner
• Patient Monitoring
• Mammography
• MRI Analyzer
• Dental X-ray System
• X-ray System
• SPECT System

Devices with the Most Received Data on a per Device Basis

Focus using our analysis on individual devices, the following details highlight the device types with the most amount of data received from Russian sites per device. Even if outbound communication is blocked by a firewall, the fact that these devices are receiving this volume of data from Russian sites should be of concern, and communication should be scrutinized to determine if communications are required and expected.

Device Category (Received bytes per device)

• CT Scanner  (700K)
• Infusion Pump  (160k)
• Medical Workstations (95K)
• X-Ray (47K)
• CT Scanner (21K)
• Hematology (19K)
• PACS (22K)
• Radiotherapy (7K)
• Ultrasound (5K)

Device Categories with the Most Received Data

Since a single organization may have multiple units of each device, we aggregated and analyzed device data to highlight the device categories with the most amount of data received from Russian sites. As with the other categories these devices provide critical functions in healthcare environments.

• EEG Workstation
• Ultrasound Image Management
• Infusion Pump
• Glucose Monitor
• Medical Workstation
• EHR Workstation
• PACS Workstation

Device Categories with the Most Transmitted Data

Since a single organization may have multiple units of each device, we aggregated and analyzed device data to highlight the device categories with the most amount of data transmitted to Russian sites. These devices provide critical functions in healthcare environments and are also found in the list above, highlighting device categories receiving the most data from Russian sites.

• Ultrasound Image Management
• EHR Workstation
• Medical Workstation
• PACS Workstation
• EEG Workstation
• Infusion Pump

Categories of Sites Communicating the Most with Medical Devices

Looking at the types of Russian sites communicating with the device data we analyzed, the following shows the distribution of site categories communicating with medical devices. As with the Top Russian Domains by Traffic analysis above, many of these categories may look benign; however, each may have the potential to be used to distribute malware or perform other malicious activities.

Device Types and Reputation Score of Sites

Looking at the reputation score of destination URLs, the following chart highlights device types and the reputation of the Russian sites they communicate with. Sites with a low reputation score (e.g., 10) are determined to be very suspicious with a high probability of being malicious. As an example, these sites could host a Command and Control (C&C) server and a connection could be used to download malware such as ransomware to a device and orchestrate the spread across an environment.

Malicious Russian Site Example

The site counter.yadro.ru is a known malicious site advertisement that has had several reports in the past of downloading malware. The following device types analyzed had frequent transactions with this site.

• Patient Monitor
• PACS Workstation
• EEG Workstation
• Blood Analyzer

Here is a list of the offenders by device type with the number of URLs they are reaching out to.

Cities With the Most Communications

The following analysis highlights the top Russian cities with the most traffic to and from the devices we analyzed. Since attackers commonly use techniques to obscure their details, it is not always easy to determine the exact location of malicious activity. However, by analyzing the site IP address, it can be possible to provide insight and an approximation of the potential location.

Protecting Your Environment

Identifying potentially malicious activity and understanding risk is a critical first step to protecting any environment. Ordr customers regularly generate and review their detailed reports showing devices in their environment that have communicated with Russian sites. That report not only identifies these communications but also provides detailed analysis to help customers understand and address the potential risk in their environments.

Ordr also helps customers eliminate risk by dynamically generating policies for enforcement across their existing security and network infrastructure. Ordr has Integrations with leading firewall vendors and can automatically push policies to limit the sites with which devices are allowed to communicate. Examples might be manufacturer maintenance, software update, and services such as image enhancements for medical imaging.

If a device is already infected and spreading malware, Ordr can quickly push policies to switches or wireless controllers to isolate them and stop the spread of the attack. Ordr can also push proactive zero-trust policies to switches or wireless controllers, allowing only a pre-determined set of devices and flows to and from any medical device.

If you want to learn more about the Ordr solution, the insights we provide to uncover the risk of Russian communications, and how you can improve the security for your connected devices, reach out for a personalized demo.

The healthcare industry relies on connected devices to deliver patient care, and power hospital operations. These devices – from infusion pumps and MRIs to video cameras and HVAC systems need to be protected from cyberattacks such as ransomware. Additionally, these devices may include protected healthcare information (PHI) that need to be secured.

In order to ensure patient safety and protect all of these devices from abuse and attack, healthcare organizations need a whole hospital cybersecurity strategy. A whole hospital healthcare cybersecurity strategy ensures that every connected medical device and any device that includes data that qualifies as Protected Healthcare Information (PHI) or Personally Identifiable Information (PII) is secured.

As this article explains, the proliferation of connected devices makes it challenging to develop healthcare cybersecurity strategies that address all security requirements related to PHI, and can protect them against attacks to ensure patient safety. But with the right tools and methodologies, organizations can overcome these challenges to ensure they meet–or, even better, surpass–the minimal data security and privacy mandates that apply to PHI and PII in healthcare.

What is healthcare cybersecurity?

Healthcare cybersecurity measures are the tools and strategies that healthcare organizations use to ensure patient safety and maintain the privacy of sensitive healthcare data. Healthcare cybersecurity ensures that sensitive healthcare data stays restricted, and can only be accessed by parties like a patient’s doctor.

Healthcare cybersecurity protects healthcare organizations from external threats, like ransomware or hackers seeking to steal sensitive personal information to sell on the Dark Web. It also safeguards information against internal threats: these include malicious internal actors like disgruntled employees of a hospital, as well as users who inadvertently place sensitive information at risk. For example, hospital employees who fall prey to phishing schemes could risk hackers gaining access to sensitive patient information.

To deliver complete protection against data security risks, healthcare cybersecurity must be able to enforce data protection requirements over any and all systems used by medical organizations. For example, in a hospital, healthcare cybersecurity tools typically need to protect the following:

• Prescribing systems, which hospital doctors use to generate and manage prescriptions.
• Practice management support systems, which store patient healthcare information.
• Clinical decision support systems, where doctors manage information related to patient care.
• Radiology information systems, which store medical images and radiology data associated with individual patients.
• Internet of Medical Things devices, such as infusion pumps and remote patient monitoring devices, which collect healthcare data from individuals.
• Operational Technology devices, such as HVAC systems and elevator control infrastructure,  could impact hospital operations, delay medical procedures, or put patient safety at-risk if compromised.
• Internet of Things devices such as smart speakers and smart screens, which may also collect data that can be associated with individual patients. Plus, attackers may use these devices as an initial threat vector, and use lateral movement to move deeper into a network.

These connected devices are critical to patient safety or empowering hospital operations, have the potential to generate and store PHI or PII, and must be protected against cyber attacks and data exfiltration risks.

In addition to securing diverse types of systems, healthcare cybersecurity must address the needs of multiple stakeholders. Hospital staff members must understand healthcare cybersecurity policies and resources to ensure they manage sensitive data responsibly, and keep abreast of constantly evolving cyber threats. For example, HTM and biomedical teams can leverage insights from healthcare cybersecurity tools to help with their day to day tasks, such as locating medical devices, identifying those with vulnerabilities, and taking advantage of utilization details to better plan patching and maintenance work.

Vendors who supply digital services and resources to healthcare organizations, too, have a role to play in healthcare cybersecurity. They are responsible for following robust cybersecurity practices to protect data that is stored or managed within their systems and devices. The same is true of healthcare security and IT teams, who play the leading role in hardening IT systems that store PHI or PII, as well as in identifying and responding to cybersecurity attacks.

To understand what healthcare cybersecurity looks like in practice across various contexts, let’s look at a few common examples of specific systems and devices that healthcare cybersecurity strategies typically need to cover.

Email

Although you may not think of email as a type of sensitive medical data storage system, the reality is that email inboxes store information like patient data. For that reason, email must be secured in order to meet mandates related to PHI and PII security.

In addition, email can be an attack vector for hackers who distribute malware or execute phishing campaigns via email. For that reason, it’s critical to secure email systems as part of healthcare cybersecurity in order to prevent the theft of private data.

Medical Devices

It’s common for hospitals and doctors’ offices to use a variety of medical  devices to deliver healthcare. For example, nurses may use medical PC stations to keep track of patient records, or doctors might carry tablets to issue prescriptions.

If malicious actors gain physical access to these devices, they could access sensitive data stored within them or gain unauthorized access to other systems and data in the organization. They may even plant malware to carry out remote attacks later. Healthcare cybersecurity solutions must protect these devices against both types of threats.

Connected IoT devices

In addition to traditional IT devices, a wide variety of connected or smart devices are used across healthcare organizations, like Internet-controlled HVAC sensors and elevator controllers. If these devices aren’t properly monitored, secured, and patched as part of a healthcare cybersecurity strategy, they will be compromised.

Legacy systems

A legacy system is any type of system that is no longer supported by its manufacturer, but that is still in use: for example, an operating system that has reached its “end of life” date or an application whose vendor has gone out of business. Updating healthcare technology tends to be a complicated and expensive process. This means that healthcare organizations frequently depend on legacy systems until they find the time or resources to migrate to newer ones.

Legacy systems are vulnerable to attack because they no longer receive security updates or patches. Documentation about maintaining the systems is typically out of date.

Nonetheless, to protect against all potential cyber threats, healthcare cybersecurity tools must be able to protect data stored in legacy systems, even if support from the systems’ developers is no longer available.

Healthcare cybersecurity threats

For healthcare organizations today, it’s not a question of if they will face cyber attacks, but when. Breaches and attempted breaches against healthcare organizations are at an all-time high. That’s largely due to the fact that healthcare data presents such alluring targets for hackers, who encrypt sensitive data and hold it hostage for exorbitant ransoms.

Attackers use a variety of techniques in their efforts to access prized healthcare information. Some of these techniques include:

Malware

Malware is malicious software that gives attackers unauthorized access to systems or information stored on them. Malware enables threat actors to steal credentials, collect data, or gain control of  systems in order to move laterally or cause disruption to services.

Ransomware

Ransomware is a special type of malware designed to encrypt data, rendering it unusable to the organization that owns it. After encryption occurs, attackers demand a ransom from the organization in order to decrypt the victim’s files. Unless the targeted organization has proper backups in place, it’s forced to choose between paying the ransom or suffering a major disruption to its operations.

Phishing

Phishing is a cyber attack technique in which threat actors trick users into sharing sensitive information. For instance, they might send emails impersonating IT staff or with malicious links to convince employees to share usernames and passwords. If the phishing attack succeeds, the hackers can then use the sensitive data to gain unauthorized access to systems and exfiltrate data, plant malware, or execute ransomware attacks.

Data exposure

Data exposure occurs when lost laptops, insecure physical systems, or IT breaches make sensitive information accessible to unauthorized parties. Data exposure is not an attack, per se, because it’s not the result of a malicious activity by hackers. But the end result–the exposure of sensitive information–is the same as it would be in the case of conventional cyber attacks.

Insider threats

Insiders, like hospital staff, have legitimate access to various systems. If employees intentionally or accidentally misuse those systems, they place sensitive data at risk. This is especially true if the systems are configured with excess permissions that grant internal users more access than they need.

System vulnerabilities

Unpatched software, out of date software, recalled devices, and banned devices could  be subject to system vulnerabilities. Information about vulnerabilities is often published in public databases, recall information is available from manufacturers, and banned devices are available from organizations such as the FDA. Hackers can easily find and exploit these known vulnerabilities and vulnerable devices to plant malware or gain access to vulnerable systems, and place the entire organization at risk.

Healthcare cybersecurity best practices

Although every healthcare organization’s security risks and requirements are different, there are healthcare cybersecurity best practices that every healthcare organization should follow to mitigate the risk to patient safety and of the misuse of PHI and PII.

Achieve visibility

You can’t protect what you can’t see. For that reason, maintaining comprehensive and continuously up-to-date visibility across the whole hospital is the first step in healthcare cybersecurity.

Comprehensive visibility means knowing about all assets that are connected to your organization’s network, the services those assets provide, the data those devices collect, manage or access, and which security safeguards are (or aren’t) in place to protect the devices. Visibility also ensures that you are aware of vulnerabilities that place devices, services, and data at risk. This way, you have a complete view of the attack surface and can assess for vulnerabilities and potential risks and monitor for threats.

Perform risk assessments

Risk assessments are systematic evaluations of healthcare cybersecurity vulnerabilities and threats that exist and the level of risk each one poses. Risk assessments may also be used to document measures that organizations have taken to prevent breaches.

Healthcare organizations should perform risk assessments on a regular basis–at least once a year, if not more often–as part of their security strategy and may be required to meet compliance requirements or to obtain cyber insurance. Risk assessment procedures should be updated whenever new devices or services are deployed.

Implement security controls

Security controls, meaning tools and procedures that organizations use to harden systems against attack, go a long way toward minimizing healthcare cybersecurity risks. Foundational security control measures include tools such as antivirus software, which can help to prevent malware attacks. Data backup and restoration platforms recover compromised data following a ransomware breach. Data encryption, network firewalls, incident response planning, and multi-factor authentication also help to establish baseline security defenses for healthcare systems.

Connected device security tools and solutions, such as Ordr, are also critical to discover and classify every device in healthcare systems, inspect East-West traffic for malware or communications to a malicious domain, and identify vulnerabilities within devices. In particular, within a healthcare environment, these connected device security tools MUST be designed to operate in a healthcare environment – for example, the discovery and vulnerability identification process cannot impact sensitive medical device operations. Therefore, these devices must offer an “agentless, passive” approach to security.

Zero Trust

Many modern healthcare organizations have adopted Zero Trust as a core cybersecurity strategy. With Zero Trust the minimum necessary permissions are put in place to control access to healthcare systems and data and reduce risk. Zero Trust principles can be applied to users, devices, data assets, and services in order to restrict communication and mitigate the risk of abuse.

An example of Zero Trust is the use of network access control (NAC) to control device and user access to the network and services. Another example is network segmentation, sometimes referred to as microsegmentation, a technique that isolates devices on the network and prevents unnecessary communications.

Educate staff

Education such as cybersecurity awareness training ensures that healthcare workers are aware of risk and  follow best practices to protect patients, services, and data. Healthcare staff should know how to spot threats, like phishing emails, and to react appropriately. They must also be aware of the risks posed by both external and internal threats.

Staff education is also a means of spreading awareness of legal requirements related to healthcare cybersecurity, such as those imposed by HIPAA, so that workers can do their part to adhere to compliance rules.

Healthcare cybersecurity laws and regulations

HIPAA, or the Health Insurance Portability and Accountability Act, is the best-known of several laws and regulations that governing bodies created to enforce healthcare cybersecurity best practices. Although complying with these mandates is not the only reason why healthcare organizations should protect sensitive data, it’s often a core motivator. This means that a familiarity with healthcare laws and regulations is an important component of healthcare cybersecurity.

HIPAA contains several provisions that impact the security of healthcare data. One, known as the Privacy Rule and defined in 45 CFR Part 160 and Subparts A and E of Part 164, establishes permitted and required uses and disclosures of PHI. It also deems PHI to be individually identifiable, and therefore subject to specific security requirements.

In addition, 45 CFR Part 160 and Part 164, Subparts A and C set forth specific security requirements related to PHI that are stored electronically, since most healthcare data is stored this way today. These requirements are referred to as the HIPAA Security Rule. Finally, HIPAA imposes (in 45 CFR §§ 164.400-414) a Breach Notification Rule that generally requires organizations to notify affected users in the event of a cybersecurity breach involving PHI.

Beyond HIPAA, other legal regulations may apply to healthcare data. For example, 42 CFR Part 2 is a law that protects patient records created by programs that receive federal funding to treat substance use disorders. It establishes very specific and extensive privacy requirements related to PHI in this context.

Additionally, the National Institute of Standards and Technology’s (NIST) Framework provides guidance, guidelines, and practices for organizations to reduce their cybersecurity risk. Developed in 2014 and updated in 2018, the framework also helps organizations and businesses better manage risk and cybersecurity communications. Overall, the NIST framework gives organizations a common language and systemic methodology for risk management.

The framework itself is made of three components: core, tiers, and profiles. The core helps organizations manage and reduce risks in a way that compliments their current cybersecurity practices. The profiles allows organizations to identify areas where existing processes can be optimized and new processes can be implemented. Finally, the tiers asks organizations to consider how strictly their cybersecurity program will comply with NIST standards.

Likewise, the HHS 405(d) Health Industry Cybersecurity Practices (HICP), which is integrated into the NIST framework, lays out specific guidelines for healthcare cybersecurity standards. According to the HHS, the top threats for cybersecurity are:

• Email phishing
• Ransomware attacks
• Loss or theft of equipment
• Accidental or intentional data loss
• Connected medical device attacks that impact patient safety

Both the NIST framework and the HHS 405(d) operate to protect healthcare agencies and patients.

Protect Your Whole Hospital

Healthcare cybersecurity threats come in many forms and apply to a wide variety of systems. For that reason, healthcare organizations should establish a comprehensive cybersecurity strategy including protections that can defend all of their assets–ranging from conventional IT systems, Internet Medical of Things devices, and unsupported legacy systems to connected facilities devices, Internet of Things devices, and beyond–against all types of attacks, risks, and threats. Organizations must also maintain comprehensive visibility across the entire organization including  high risk assets and whether they are secure. And they must be aware of specific regulatory mandates and implement protections necessary to comply.

Ordr can help with a whole hospital approach to healthcare cybersecurity. By automatically discovering and accurately classifying all connected devices that healthcare organizations  depend on, we maintain a continuously updated inventory to provide comprehensive visibility into healthcare systems, vulnerabilities, and risk. In addition, Ordr can help organizations enforce healthcare cybersecurity best practices based on Zero Trust principals, helping organizations protect critical data and services, meet strict compliance and data privacy mandates and ultimately, ensure patient safety.

Cybersecurity attacks are an ever present concern—a hydra that spawns new heads after each known head is vanquished. One of those newly spawned nightmares is trying to protect Internet of Things (IoT), Internet of Medical Things (IoMT), and Operational Technology (OT) devices as they become network enabled and part of the bigger cybersecurity picture. This is something that traditional cybersecurity tools aren’t built to handle.

These devices are used in many industries—healthcare, financial services, transportation, manufacturing, and education, just to name a few. IoT, IoMT, and OT devices, as well as traditional systems and resources, must be protected by a thorough plan. The National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) helps your organization build a solution customized to fit your business and needs.

What is the NIST Cybersecurity Framework?

The NIST Cybersecurity Framework is a technology neutral security structure built upon cutting-edge global standards, existing guidelines, and developed practices that is capable of evolving to meet business requirements and keep up with technological advancement. The NIST Cybersecurity Framework is intended as a complement to an organization’s existing cybersecurity strategy and risk management plan. It provides the means to continue with current policies and procedures, while also discovering areas of potential improvement, better means of communication, and/or increased industry alignment.

The NIST Cybersecurity Framework Core can be used by any sector with any infrastructure because it is adaptable, flexible, and based on business-driven implementation. The NIST Cybersecurity Framework is a top-ranked structural foundation on which a company can build the cybersecurity program best suited to their unique business profile.

The Core breaks the controls and practices into five service lanes to be addressed concurrently:

1. Identify (ID)
2. Protect (PR)
3. Detect (DE)
4. Respond (RS)
5. Recover (RC)

Importance of the NIST Cybersecurity Framework

The NIST Cybersecurity Framework is built upon tried-and-true practices, so you can apply proven solutions to real problems by leveraging the framework for guidance. It enhances compliance with industry standards and regulations, as well as helps mitigate vulnerabilities by exposing previously unseen risk.

The framework also aids with zeroing in on a company’s true risks, increasing both efficiency and resource management. In addition, the NIST Cybersecurity Framework (CSF) refines asset management to ensure the company maintains accurate inventory.

While security teams understand the threat landscape and cybersecurity needs, stakeholders and other company teams don’t have this detailed understanding. NIST CSF bridges the gap between IT and business departments by laying a reasonable path that focuses on specific outcomes. The framework enhances conversations with these groups and helps explain why certain actions and resources are necessary to achieve a fully mature cybersecurity solution.

The five core functions of the NIST Cybersecurity Framework allow for a company to start at any point. Whether your company is using cutting edge cybertech or relying on legacy systems, there are benefits to be reaped by employing the framework.

When applying NIST CSF, a practitioner should leverage the framework against a controlset outlined by the NIST publication they are attempting to adhere to. For example, 800-53 rev5 (Security and Privacy Controls for Information Systems and Organizations) are often used as the core set of standards for healthcare organizations as it helps in protection of personally identifiable information (PII). The control spreadsheet outlines a list of controls or control enhancements outlined by the control text column (that is to say, ‘do i have this control?’). Often controls are satisfied by technologies you have or need to have in your environment. A solution such as Ordr could help meet the requirements of CM-8 (System Component Inventory) and satisfy PM-5 (System Inventory) requirements. These controls speak directly to the framework.

Let’s take an example for 800-53 mapped to the CSF for ID.AM-1: Physical devices and systems within the organization are inventoried. To satisfy this functional category and subcategory you need controls CM-8 and PM-5. As you see, to satisfy the CSF you need to first decide what publication you would like to adhere to. 800-53 is popular but others may be relevant to your organization  and contain similar control maps.

The NIST Cybersecurity Framework Core Elements

The Core framework divides security activities into five high-level functions that include Identify, Protect, Detect, Respond, and Recover. As a whole, these functions provide a company with the means of managing risks by organizing all pertinent information, addressing potential threats, and continuously learning from previous ventures.

1. Identify (ID)

Identify is the NIST Cybersecurity Framework function that brings together business context, critical support functions and resources, and risk management. The goal of Identify is to define the critical business landscape for your organization so adequate protection can be implemented around it. Organizations should also consider all processes, procedures, and policies that revolve around the organization’s compliance regulation, legal considerations, risk factors, operational requirements, and environment.

This includes the following recommended tasks:

• Establish Asset Management policies and procedures, and identify all physical devices, systems, software platforms, and applications that are IT assets, including their criticality where possible.
• Establish an organization-wide security policy, and address cybersecurity issues/risks via governance and risk management policies and procedures.
• Determine the legal requirements and regulations to be enforced, including privacy requirements or civil liberties, and develop a method for the management of such.
• Identify and document any asset vulnerabilities, and utilize vulnerability and threat information available from information sharing forums and sources.
• Determine and document potential threats from both internal and external threat actors and evaluate threats, vulnerabilities, probabilities, and impacts to determine risks.
• Identify how the organization supports the business environment, including any supply chain roles or critical infrastructure implications.
• Identify constraints, priorities, assumptions, and risk tolerances to develop a supply chain risk management strategy.

Your organization should employ a platform that allows for passive discovery with in-depth details, agentless software tracking, and data flow monitoring. Ideally, this includes support of connected devices such as IoT, IoMT, and OT devices. This platform will be capable of providing relevant information to assist the risk management process, such as risk scores per device. The platform also should be able to identify and manage devices and/or communications that involve regulated data, such as payment card industry (PCI) data or medical information protected by HIPAA such as protected health information (PHI).

Consider a solution that can monitor incidents and risk for both traditional devices and IoT devices. The solution should be able to detect anomalies and network intrusions, as well as bad URL/site connections, with detailed trend analysis. A platform such as Ordr also provides a risk score to assist with prioritization, and should be capable of both scheduled and ad-hoc reporting.

2. Protect (PR)

The Protect function is about safeguarding to prevent, limit, or contain any impacts from potential cybersecurity incidents. It’s a crucial piece of ensuring the continued delivery of vital services.

This includes the following tasks:

• Manage both credentials and identities for authorized users and devices.
• Manage remote access.
• Use separation of duties and the principle of least privilege to help develop a robust method of access management.
• Protect network integrity, including network segregation where warranted.
• Protect data-at-rest.
• Formally manage assets in the transfer, removal, and disposition stages.
• Implement protections against data leaks.
• Keep the production environment separate from testing and development environments.
• Create and maintain a baseline configuration of IT/OT control systems.
• Implement a system development life cycle (SDLC) to manage systems.
• Develop and implement a vulnerability management plan.
• Control access to assets and systems while keeping in mind the least functionality principle.
• Protect both control networks in communications.
• A key piece of implementing Protective Technology is using a system that can restrict access to IoT and OT devices. Ordr’s offering is capable of tracking said devices and the communication patterns of each system.

A good solution should employ artificial intelligence (AI) that can establish baseline communication behavior and transform the baseline into security policies that are device specific, such as limiting traffic to only approved systems to reduce the IoT/IoMT/OT attack surface. As an example, microsegmentation policy can be created to limit IoT/IoMT/OT device communications such as restricting external communications as well as communications with internal systems not required for normal operations. A security platform such as Ordr can continuously monitor all communication and detect devices trying to connect to malicious sites, unauthorized networks, or receive malicious communications. Such a solution  also provides domain separation between environments by creating and enforcing microsegmentation policy. Choose a solution that can track an asset’s SDLC as it relates to cybersecurity.

Another capability to look for in a solution is the ability to integrate security intel feeds as well as integration with a vulnerability management platform. Security intel feeds provide insights into known vulnerabilities and associated risk with the ability to identify impact to your environment. Vulnerability management capabilities will help to ensure that remediation and mitigation tasks can be coordinated and tracked across teams as you look to reduce or eliminate risk. Ordr’s offering is capable of integrating security intel feed data to identify connected devices with known vulnerabilities. The solution also provides native vulnerability management capabilities as well as the ability to integrate with other 3rd party vulnerability management tools.

3. Detect (DE)

Detect is the section of the NIST Cybersecurity Framework that focuses on the development and implementation of capabilities, tasks, and activities required to identify incidents precipitated by a cybersecurity event. This functionality enables the organization to discover cybersecurity incidents quickly and efficiently.

Consider these tasks:

• Establish a baseline of network operations and expected data patterns for systems and users and ensure it stays maintained.
• Analyze all detected events to understand attack methods and intended targets.
• Aggregate and correlate event data from multiple sensors and sources.
• Determine the impact of events.
• Establish incident alert thresholds.
• Monitor the network to detect any potential cybersecurity events.
• Monitor the physical environment to detect potential cybersecurity incidents.
• Use monitoring to detect unauthorized connections, software, devices, or personnel.
• Perform vulnerability scans.
• Communicate event detection information to all appropriate parties.

Choose a platform that provides the ability to detect malicious activity as well as a security dashboard based on a consolidated view of events, which can be further enhanced with criticality and MITRE kill chain step data. Your organization also can benefit from a platform that can provide real-time alerts filtered by security event types so specific staff can be notified, based on the affected asset. A high-quality solution should be capable of detecting and logging device moves, adds, and changes.

Ordr continuously monitors the network and employs intrusion detection capabilities to identify known malicious attack traffic. In addition the solution creates a baseline of normal behavior for each connected device and will detect abnormal deviations. With these capabilities Ordr can identify active threats, attempts to exploit vulnerabilities, and indications of compromise. Your platform should work with security information and event management (SIEM) and IT assessment management (ITAM) products so it can seamlessly integrate with existing workflows and procedures.

4. Respond (RS)

The Respond function of the NIST Cybersecurity Framework revolves around containing the impact of a potential cybersecurity event. It includes development and implementation of necessary activities to take action once a cybersecurity event has been detected.

Such recommended tasks include:

• Develop a response planning process and ensure that it’s executed when an incident is detected.
• Contain and mitigate incidents.
• Mitigate newly identified vulnerabilities and/or document them as accepted risks.
• Develop and manage a communication plan for stakeholders, both internal and external, and law enforcement for when incidents occur.
• Determine the impact of incidents by analyzing how effective the response plan is.
• Implement any revisions to the process based on lessons learned from incidents.

Ordr takes pride in being an ideal solution, as our platform uses automation to accelerate your response to an incident with the ability to create and apply next-generation firewall (NGFW) policies, quarantine VLAN assignment, access control list blocks, session termination, and port shutdown with a single click of a button. Ordr also provides details on the physical and network location for each device in the event that a technician needs to physically remove a device from the network or apply a patch by accessing the device directly.

5. Recover (RC)

The ability to recover from an incident  needs to be both timely and effective. The quicker system restoration is performed and operations returned to normal, the less impact the cyber incident has on your organization.

The NIST Cybersecurity Framework recommends these steps:

• Execute and maintain recovery procedures and processes to facilitate system restoration.
• Improve recovery processes and planning by incorporating findings and lessons learned into future solutions.
• Coordinate all restoration tasks with both internal and external parties.

Recovery is highly dependent on the circumstances of the attack, the attack method, and the level of complexity in the findings. Ordr’s ability identify the network and physical location of a device can aid in the system restoration process by enabling staff to quickly locate a device impacted by a cyber event that may need to be updated or reimaged. Ordr can also quickly move a quarantined device back to its normal network environment once upgrades, patches, or other remediation methods have been applied.

Use Ordr to Extend the NIST Cybersecurity Framework Throughout Your Organization

The NIST Cybersecurity Framework uses five specific service lanes that should be handled concurrently. The NIST Cybersecurity Framework is highly effective and can be used by any size organization in any industry.

The Identify function determines the who, what, when, and where of the cybersecurity configuration, while the Protect function employs safeguards and protects critical assets. Once you’ve dealt with the Detect function that monitors the network and roots out trouble, the Respond function launches the policies and procedures to combat an active cybersystem attack. Finally, Recovery involves the necessary activities to bring the system back to normal.

Ordr helps organizations extend the NIST Cybersecurity Framework to cover all of your assets, including IoT/IoMT/OT devices. With Ordr, you can rapidly inventory all assets in the domain, automatically classify them based on type and function, and assess each device for risk. It analyzes device communications to learn behaviors and creates device baselines to determine what communications the device requires for normal operations. From this baseline, Ordr can detect malicious activity and create policies to quickly stop active threats and quarantine compromised devices without disrupting the device, network, or enterprise operations. Ordr also uses device baselines to proactively improve protection via microsegmentation to logically segregate devices from non-essential areas.

To learn more about how Ordr aligns to the NIST framework, download this report.