
The COVID-19 pandemic is one of those black swan events that is beyond the scope of normal contingency planning and has unpredictable, long-lasting, and highly disruptive consequences. Yet amid the chaos, one thing has been completely predictable: malicious actors quickly exploiting the panic.

Not long after emergency orders were issued and the healthcare industry was preparing for the first wave of patients infected by coronavirus, malicious actors were already bombarding healthcare workers with phishing emails weaponized with ransomware, and exploiting vulnerable remote desktop systems that hospitals had deployed to enable a remote workforce, then installing ransomware on hospital systems.

Ransomware is one of the more insidious attacks that malicious actors can unleash. It usually enters an organization through phishing attacks or vulnerable systems deployed on a network’s perimeter. Once the ransomware gains a foothold, the infection spreads through common exploits or open shares, moving laterally from machine to machine and encrypting important data. Once that data is encrypted, the attackers display a message demanding a ransom, warning that the data will otherwise be lost forever, followed by instructions for transferring money to the attackers via untraceable cryptocurrency. In most ransomware cases, the requested ransom amount increases over time to pressure companies into acting fast and paying a lower amount. UCSF was recently targeted by the Netwalker ransomware and paid $1.14M to recover their data.

Hospitals and other healthcare organizations are especially susceptible because many of their mission-critical, internet-connected devices, including medical devices, run vulnerable operating systems that cannot be patched. Examples include nursing stations that have to interact with legacy systems which, in turn, have out-of-date operating system requirements, or expensive imaging equipment that runs on unsupported and unpatchable versions of Windows XP. Our Rise of the Machines: 2020 Enterprise Risk and Adoption Report found that 15-19 percent of deployments had IoT devices running on legacy operating systems, Windows 7 or older.

By some estimates there are nearly 650 million IoT and IoMT devices operating in the healthcare industry right now, and 82% of healthcare organizations using IoT/IoMT devices have had those devices attacked.

When a ransomware attack happens:

  • Don’t Panic: If you can isolate infected machines, do it quickly. Stop the spread of ransomware by isolating those machines from the network and protecting systems with important information. It is much easier to deal with a few infected machines versus thousands, so identifying and stopping the spread of ransomware should be the primary goal after it has entered the network.
  • Research: Ransomware has been around for a long time. Some variants have been well studied, and free decryption programs are available to defeat them. Once you know which variant of ransomware has hit your network, you may learn that the keys to decrypt your data are readily available and that your infection turns out to be little more than a nuisance. However, newer variants are more virulent and use strong encryption for which no decryption tool exists.
  • Respond: Having assessed your situation and taken the appropriate action to limit the damage, you may still find that your important data is encrypted. This is where the question, “Should I pay the ransom?” comes into play and you have decisions to make. Some points to consider:
    • How valuable is your lost data and can you do without it?
    • Do you have that data backed up and archived?
    • Does losing the data affected by the ransomware put the life of your business at risk?
    • Follow the Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments by the U.S. Department of the Treasury to make sure that you are not facilitating payment if, “there is a reason to believe the cyber actor demanding ransomware payment may be sanctioned or otherwise have a sanctions nexus.” This could potentially result in an assessed fine.
  • No Guarantees: One major point to consider if you decide to pay the ransom is that, after doing so there is no guarantee of recovery. Keep in mind that attackers are criminals. They may execute an attack campaign, scoop up quick payouts, and then abandon their victims in order to leave a cold trail for investigators. The systems they’ve set up for transferring payment may not work as intended. Or, they may have never intended to cooperate with anyone who made payment in the first place.

Of course, the best way to respond to a ransomware attack is to take proactive, mitigating action beforehand. Working with trained security experts to assess vulnerabilities, close security gaps, train employees, and put a written incident response plan in place specific to your organization, and of course having a robust backup strategy for important information before an attack occurs, is your best course of action. There are many antivirus and backup tools available that can prevent or limit the damage of a ransomware or other malware attack.

For organizations that have adopted IoT as part of their infrastructure and technology strategy, the Ordr platform is designed to give you full visibility into all the devices connected to your network, to understand their purpose and operation, and to automate management and security policies to ensure maximal protection for even the most sensitive and mission-critical equipment. In a worst-case scenario, Ordr can facilitate the rapid isolation and protection of infected devices.

If you have questions about your situation, or need a partner with the skills and expertise to help protect your IoT assets, let us know. We work with a number of excellent integrators and managed security providers who specialize in protecting healthcare and other industries that are heavily invested in the use of connected devices.

In 2015, former Cisco researcher David Evans calculated how many devices were being added every second. At the time, an average of 127 new things were being connected to the Internet every second, or 328 million things every month, approximately one for each person in the U.S.

Fast forward to 2020 and the IoT market has exploded. From connected cars and video cameras to smart virtual assistants and HVAC systems, the IoT market is now expected to grow to 31 billion connected devices by 2020 and 75 billion devices by 2025.

With so many devices proliferating, security and risk professionals need to be much more aware of the expansion of their attack surface. Each device represents a new attack vector for cyber attackers. The recent spate of vulnerabilities affecting IoT, from Ripple20 to SIGRed, demonstrates the importance of securing these devices.

But what types of risks should enterprises expect to find in their environment? How best should they protect themselves?

Today, we’re excited to release the inaugural Rise of the Machines: 2020 Enterprise Adoption and Risk Report. We examined more than 5 million unmanaged, IoT, and IoMT devices in Ordr customer deployments across a variety of verticals including healthcare, life sciences, retail and manufacturing, between June 2019 and June 2020. Ordr strongly believes in the importance of sharing this type of data with the global security community to better understand IoT risks and secure their organizations.

Among the report’s most interesting findings was the frequent discovery of consumer-grade shadow IoT devices on the network, such as Amazon Alexas and Echos.

We love the perspective that Zeus Kerravala, founder and Principal Analyst at ZK Research, provided: “In some of my recent research around enterprise IoT security I’ve found that more than 51% of IT teams are unaware of what types of devices are touching their network. But perhaps what is more disconcerting is that the other 49% oftentimes find themselves guessing or using a ‘Frankenstein’d’ solution to provide visibility into their network security, which will almost always create security issues. Shadow IoT is becoming a real security challenge, as it’s not enough to have the visibility into what is touching your network, but you need a solution like Ordr’s that allows for you to resolve the issues in a scalable automated fashion.”

Highlights from Ordr deployments include the following:

  • 15-19 percent of deployments had IoT devices running on legacy operating systems, Windows 7 or older. Since it is often not economical to take these critical systems out of service, these devices need to be properly segmented.
  • 20 percent of deployments had PCI-DSS violations where IoT devices with credit card information were on the same subnet or VLAN as a tablet, printer, copier, or video surveillance camera.
  • 86 percent of healthcare deployments had more than 10 FDA recalls against their medical IoT devices, meaning the medical device is defective, poses a health risk, or both.
  • 95 percent of healthcare deployments had Amazon Alexa and Echo devices active in their environment alongside other hospital surveillance equipment. Voice assistants can unknowingly eavesdrop and record conversations and may put the organization at risk of a HIPAA violation.
  • 75 percent of healthcare deployments had VLAN violations where medical devices were connected to the same VLAN and subnet as other non-medical devices.

There are real risks and threats posed by IoT, IoMT, and other connected devices if they are not accounted for and properly managed. One cannot fix what one cannot see, and with IoT, discovery and classification are the very first step. Once security and networking teams have high-fidelity visibility into unmanaged and IoT devices, they need to understand device behavior, perform risk assessment, and segment vulnerable and mission-critical devices.

Get your copy of the Ordr Enterprise Adoption and Risk Report today.


Today, in conjunction with Check Point’s IoT Protect Program announcement, we’re excited to not only highlight Ordr’s participation in the program, but also to announce the Ordr Systems Control Engine’s availability directly through Check Point. We’re excited to work with a great security partner with market leading technology.

When we built the Ordr SCE, we created a robust AI platform to deliver high-fidelity visibility and security for all unmanaged devices – IoT, IoMT and OT. However, we knew that was not enough. We also focused on automating the critical job of securing these devices, not only reducing the burden on security and networking teams but making previously complex management tasks simple and automatic.

After all, these unmanaged and IoT devices bring very different challenges to an organization. They often cannot be taken out of service, they cannot be scanned or patched, and you cannot install a security agent on them. But unlike end users, unmanaged and IoT devices have very specific and predictable communication patterns. Video cameras need to connect to a camera management system. Medical imaging devices need to communicate with a central PACS or DICOM server. Neither wakes up in the morning and decides to browse the web.

How does Ordr address this? Once we discover and categorize these devices, Ordr’s Flow Genome maps each device’s unique, customer-specific communications patterns and profiles exactly how it should communicate and behave. We then proactively create specific network segmentation policies for each category of device and enforce them on networking and security infrastructure to only allow these “sanctioned communications.”

This is a Zero Trust Network in action.

Ordr SCE does not create segmentation policy recommendations, guidelines, or suggestions. The policies do not need tweaking or customizing. They do not need updating when new devices join the network, or when existing devices move to a new location or receive a new IP address. They do not need to be exported as a CSV file, manually uploaded into another system, and refreshed with a cron job. They fully integrate with Check Point’s APIs, providing full, automated context right in the Check Point IoT Protect Manager.

This is the differentiator of the Ordr and Check Point integration. Whether it is proactive segmentation or quarantining an infected device, we will dynamically create and enforce policies for IoT devices with one click of a button. As new devices are added to the network that match a particular device profile with an active policy, this new device will automatically be protected.
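The following Python sketch is an added illustration of the profile-keyed segmentation idea described above, not Ordr’s code or the Flow Genome itself: an allow-list of “sanctioned communications” is expressed per device profile rather than per IP address, observed flows are checked against it, and a device that joins with a fresh address is covered without any policy edit. Profile names, ports, addresses and flows are constructed assumptions for the example.

```python
from collections import namedtuple

# Allow-list per device profile as (destination role, destination port).
# Policy is keyed by profile, never by device IP, so it survives re-addressing.
# Ports here are assumptions for the example; 104 is the conventional DICOM port.
PROFILES = {
    "ip_camera": {("camera_mgmt", 554), ("camera_mgmt", 443)},
    "medical_imaging": {("pacs", 104)},
}
Flow = namedtuple("Flow", "src_ip dst_ip dst_port")

def sanctioned(flow, inventory, roles):
    """True if the flow is on the allow-list of the source device's profile.
    inventory: current IP -> profile (kept current by discovery);
    roles: server IP -> role name. Unknown sources are denied."""
    profile = inventory.get(flow.src_ip)
    if profile is None:
        return False
    return (roles.get(flow.dst_ip), flow.dst_port) in PROFILES.get(profile, set())

def evaluate(flows, inventory, roles):
    """Split observed flows into (sanctioned, violations)."""
    ok, bad = [], []
    for f in flows:
        (ok if sanctioned(f, inventory, roles) else bad).append(f)
    return ok, bad

def render_rules(inventory, roles):
    """Expand the profile policy into concrete allow rules with current addresses."""
    rules = []
    for src_ip, profile in sorted(inventory.items()):
        for role, port in sorted(PROFILES.get(profile, set())):
            for dst_ip in sorted(ip for ip, r in roles.items() if r == role):
                rules.append(("allow", src_ip, dst_ip, port))
    return rules

def sample_evaluation():
    """Constructed sample: two devices, one sanctioned flow each, one violation."""
    inventory = {"10.1.1.10": "ip_camera", "10.1.2.20": "medical_imaging"}
    roles = {"10.1.0.5": "camera_mgmt", "10.1.0.7": "pacs"}
    flows = [
        Flow("10.1.1.10", "10.1.0.5", 554),     # camera -> camera management
        Flow("10.1.2.20", "10.1.0.7", 104),     # imaging -> PACS over DICOM
        Flow("10.1.1.10", "203.0.113.9", 443),  # camera "browsing the web"
    ]
    # A new camera joins with a fresh address: discovery adds it to the
    # inventory and the existing profile policy covers it without any edit.
    inventory["10.1.1.11"] = "ip_camera"
    flows.append(Flow("10.1.1.11", "10.1.0.5", 554))
    return evaluate(flows, inventory, roles), render_rules(inventory, roles)
```

The violation list is what a quarantine action would act on, while render_rules shows how the same profile policy is re-expanded to current addresses whenever the inventory changes.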

This is a huge benefit for any organization with Check Point infrastructure, as it protects your existing investment. At the same time, our ability to generate these policies alleviates the challenges of manually addressing risks and vulnerabilities across the hundreds of thousands of unmanaged and IoT devices that may exist in a network.

Benefits of combining the Check Point and Ordr solutions include:

  • Automatic discovery and classification of IoT, IoMT and OT devices
  • Direct integration of device context into the Check Point IoT Protect Manager, including asset type, make and model, OS version and risk information
  • Use of Check Point’s advanced APIs to automatically send Ordr Zero Trust segmentation policies to the Check Point IoT Protect Manager for distribution to Check Point’s Quantum Security Gateways™
  • Automatic updates of Check Point’s Quantum Security Gateways™ with current device IP information, regardless of network location or dynamic addressing
  • Dynamic generation of firewall zoning policies directly into Check Point IoT Protect Manager, allowing for protection and control of the IoT and OT environment within minutes

For more information on the joint integration, please see our detailed Check Point partnership page and the Check Point IoT Protect page.
