
This past year has brought many unexpected changes to the connected devices world and our daily lives. New vulnerabilities, recent cyberattacks, and the pandemic will all shape how connected devices develop in 2021. Ordr’s thought leaders, Craig Hyps, Darrell Kesti, Greg Murphy, Jeremy Haltom, and Russell Rice have come together to share their thoughts on what lies ahead for the industry.

More Remote Workers and Expanded Organizational Networks

As companies adapt to COVID-19 safety precautions and the “new normal,” more employees will be working from home on their own devices and equipment.

As a result of COVID-19, companies will continue to reduce on-premise workforces, and thus reduce user footprint and network equipment spend within the enterprise campus, and instead expand remote office/teleworker capacity. This will affect most industries including education and healthcare. – Craig Hyps

Over a quarter of employees forced to work from home will never return to claim a cube/space in the office, with a disproportionate density in many white-collar professions (hi-tech, legal, consulting, etc.). – Russell Rice

IoT device footprint will continue to expand as current and new devices are increased to enable greater automation and increase productivity both on-premises and off-premises (remote). – Craig Hyps

Companies will need to expand investment in off-premise security—whether via cloud-based security services or expanding security capabilities within remote/home office. Security plans will need to cover the growing footprint of personal and home office IoT present at remote locations. – Craig Hyps

Changes in IT and Cybersecurity teams

With more employees at home and more expansive security plans, IT, clinical engineering, and security teams will need to adjust their goals and projects.

Industrial OT and Biomed organizations in healthcare will increasingly report to the CIO as organizations realize that cybersecurity incidents impacting mission-critical devices are one of the greatest risks to business continuity. – Greg Murphy

Complete network asset and device visibility (all things inside the network along with all things ‘owned’, even if coming in remotely) will become a CISO mandated project. – Jeremy Haltom

Delay in refreshing legacy systems. COVID-19 has had an impact on almost all businesses and companies are holding on to their capital and large capital projects. Wholesale system upgrades to address things like the Windows 7 End of Life are going to be paused in 2020, and probably throughout 2021. This will especially be true in HealthCare Delivery environments. – Darrell Kesti

Increased Ransomware Attacks

Recently there have been high-profile cases of ransomware, and incidents like these are likely to increase.

Ransomware will skyrocket based on all the high-profile accounts that paid huge ransoms recently. It’s becoming even more lucrative than ever to run these types of attacks as a bad actor. – Jeremy Haltom

Increase in ransomware... this just seems to continue to go up in volume and in the money associated with the ransom. – Darrell Kesti

Ripple20 Vulnerabilities Exploited

Worried about Ripple20 vulnerabilities? Patch and protect your devices before they are exploited.

The number of long-term embedded security flaws, like Urgent/11 and Ripple20, will escalate dramatically as more attention is focused on embedded TCP/IP stack attacks. – Jeremy Haltom

Ripple20 will be weaponized and exploited in the enterprise. – Greg Murphy

It is just a matter of time on this one being weaponized and there being attacks focused on these vulnerabilities. It is just too large of a device surface / diversity not to see this be exploited. – Darrell Kesti

Increased Cyberattacks on Healthcare Networks and Devices

The global pandemic has made the healthcare industry a target for cyberattacks, and this trend will likely continue.

COVID-19 related attacks. If you are part of the supply chain for PPE, a drug company developing and manufacturing a vaccine, or part of the response to COVID-19, you can expect you will be targeted. Also, I bet we see a huge increase in ransomware targeting the end users via spearphishing around the topic of COVID-19. – Darrell Kesti

Long-standing known vulnerabilities in healthcare devices will continue to be exploited, but weaponized to include threats that impact patient health/life, not just ransom of data, service access, or PHI theft. – Craig Hyps

Someone in the U.S. will die as the result of a ransomware attack, resulting in increased push for cybersecurity regulations in healthcare and increased cybersecurity budgets. – Greg Murphy

Further developments in the Healthcare Industry

The COVID-19 crisis has demanded quick action and innovation leading to new research and IoMT solutions.

A whole new brand of IOMT medical solutions are deployed in enterprises for COVID safety. This is happening in hospitality and education today. – Russell Rice

One or more major health systems will launch a ‘device cyber-security as a service’ offering to affiliate organizations. – Greg Murphy

Self-service systems, largely IoT-based, will blossom across numerous industries to reduce the need for human interaction – healthcare, retail, education, transportation, entertainment. – Russell Rice

The Future of Connected Devices

2020 has brought new, unexpected changes that will affect how connected devices develop in 2021. Employees in many industries will work from home, creating cybersecurity vulnerabilities as they connect to company networks remotely. IoT device visibility will become more important, and security plans will change as capital purchases are reduced. Cases of ransomware and Ripple20 exploitation will increase as attackers see success. The healthcare industry will become a target for attacks as it expands in response to the COVID-19 crisis.

2021 will bring new devices designed to solve the challenges associated with adhering to COVID safety practices. Security procedures and plans will need to be recalibrated to cover those new devices as well as mitigate vulnerabilities discovered now.

Start developing your device security plan and secure your devices with Ordr. The Ordr System Control Engine (SCE) gives organizations the power to enable visibility and security of their network-connected devices, with a simple and powerful solution to identify, classify, profile the behavior and risk and automate action for every network-connected device in the enterprise. Want to experience Ordr on your network? Request a free sensor.


Healthcare has been one of the key verticals for Ordr since our inception as CloudPost Networks. Over the last couple of years, we’ve helped many healthcare organizations address visibility and security for their unmanaged and IoT devices. In turn, we’ve worked with our customers to evolve our solution and address new use cases.

As a result, we’re grateful and proud to have been named a market leader (with the highest market share) in the new KLAS Research report, Decision Insights: Healthcare IoT Security for the second year in a row. If you’re not familiar with KLAS Research, they are a healthcare IT data and insights company. One of the most unusual aspects of KLAS Research is that they actually interview real clients with questions such as “Are customers happy with a vendor’s products and with customer service?” “Do they have a positive impression of their vendor?” “Do they think their organization has benefited from adopting the vendor’s software?” KLAS is lauded in the industry for their accurate, honest and impartial research.

Market Leader for Second Straight Year

The KLAS Healthcare IoT Security Report defined the following as key capabilities for an IoT Security solution.

In addition, KLAS spoke to more than 51 customers on which vendors were being selected and why. They had this to say in their report: “Ordr, who has contracted with some of the largest health systems, has continued to be one of the market leaders in terms of wins and considerations for the second straight year, resulting in their current leading market share.”

KLAS also noted that we were praised by customers for:

  • The breadth and number of devices Ordr can detect;
  • The highly granular visibility the solution provides;
  • Ordr’s culture of “flexibility and willingness to partner;”
  • Strong technology integrations that help drive value with the solution; and,
  • High customer satisfaction.

We thank all healthcare organizations who participated in the KLAS interviews. We’re excited to continue our growth with our customers, helping to discover, profile and secure connected devices. Thank you to two of our customer advisory board members, Skip Rollins and Jeff Vinson, who supported us throughout our journey and contributed to our release.

“COVID-19 has forced healthcare organizations to double-down on prioritizing security while balancing other organizational priorities and needs. CIOs need to find ways to support the business,” said Skip Rollins, CIO, Freeman Health. “Ordr is a tool we lean on not only for visibility and security of unmanaged and IoT devices, but for device utilization insights. Details about how often a device is being used helps us to optimize device allocation and support procurement decisions.” 

“Most healthcare organizations don’t realize that a vending machine may be connected to the same network as a critical life-saving device like a ventilator,” said Jeffrey Vinson, CISO, Harris Health. “We have partnered with Ordr because the company provides the most comprehensive IoT security solution that goes beyond simple device inventory. Ordr discovers all connected devices, helps us identify risks and malicious behaviors in devices, and can automatically generate segmentation policies to secure high-risk devices.” 



On Oct 28, 2020, the Cybersecurity and Infrastructure Security Agency (CISA), along with the Federal Bureau of Investigation (FBI) and Health and Human Services (HHS), announced an increased and imminent cybercrime threat to the Healthcare and Public Health Sector. This warning comes on the heels of increased ransomware incidents in the last few months and includes information on Conti, TrickBot, BazarLoader and new Indicators of Compromise (IOCs). Because the need to protect patient care makes healthcare a reliable source of income for threat actors, ransomware campaigns against it will continue to proliferate.
Jeff Horne, Chief Security Officer at Ordr, provides insight into the latest wave of ransomware in a series of articles:

Threat Summary

Ransomware has been around for decades, but in the past few years it has evolved into a service: Ransomware-as-a-Service (RaaS). That shift is one reason for the 25 percent increase in attacks from Q4 2019 to Q1 2020, the 715% year-over-year increase in detected and blocked ransomware attacks, and the 33% increase in the average payment.
The division of labor between the ransomware developer and the affiliates makes it more lethal than ever.
Ransomware developer: Creates the custom malicious code and capabilities such as lateral movement tools, scripts and exploit code, which are sold to a ransomware affiliate for a fee or for a share of the eventual ransom after a successful attack.
Ransomware affiliate: Sets up a hosting site with the custom exploit code, identifies targets, and delivers the exploit code, typically by phishing email or as an attachment.
Victim: Falls victim to the exploit code.
RaaS Infection Lifecycle
Security experts have identified several RaaS families; some examples are Sodinokibi, Ryuk, Mamba, Phobos, Dharma and Snatch. It is worth noting that the actual ransomware code is usually the last piece dropped in the infection lifecycle, which means there is a window in which the attack can still be prevented. The infection usually starts with a Trojan like TrickBot, goes through a “baking” period during which the RaaS affiliates monitor and map the network and its existing vulnerabilities, and only then drops the actual ransomware code.
Ordr recommendations for defense against RaaS:
Security experts have published a number of recommendations. Ordr compiled the mitigation plans and policies from the CISA advisory and other sources and mapped them to the NIST cybersecurity framework.
Fig-2: NIST cybersecurity framework

Identify

Insightful asset management: Asset management of all network-connected assets is the first step toward defense against any threat. Insightful asset management is not about maintaining a list of IP addresses or serial numbers but a detailed inventory that records what the device is, where it is located, operating system details and so on. Ordr passively detects all network-connected devices and creates a database with make, model, OS, location and other detailed information.
Continuous monitoring: Continuous monitoring is key to any good asset management and security program. With the proliferation of IoT devices, continuous monitoring is key to protecting the entire organization. A device that is not supposed to be on the network needs to be detected right away, and appropriate action needs to be taken. Ordr detects a device the moment it is active on the network and records it. Ordr can quarantine or disconnect a device from the network with a click of a button.
Knowledge of what is in your control and, more importantly, what is not: Organizations usually maintain an inventory of the assets they control. What is largely missed are the assets that are not “owned” by the organization but still use its critical resources: third-party managed networks, vendor devices, devices and software under vendor qualification, and so on. Ordr detects all these devices and makes it easy to identify which ones are unmanaged.
Asset criticality: Knowing and protecting critical assets is a critical part of the security program. For healthcare, Ordr provides clinical risk metrics that help prioritize and secure the most critical assets.

Protect

Security awareness: Awareness is key to any security program. This process should cover topics from identifying malicious emails to social engineering risks. Make sure the security awareness campaign is an ongoing process.
Understand vulnerability threat posture: Understand the existing vulnerabilities of all the devices and software on the network. Most ransomware damage is done by exploiting existing vulnerabilities. One of the vulnerabilities identified as a major exploitation vector is CVE-2020-1472. Ordr identifies devices that are impacted by this vulnerability. Ordr, in combination with a popular vulnerability detection product such as Tenable or Rapid7, provides a complete picture of IoT-specific and application vulnerabilities. Combined with the critical infrastructure score, the organization knows how to prioritize its never-ending patching program.
Bring unmanaged devices under compliance: In almost all deployments Ordr has found devices that the security teams never knew existed. These range from someone plugging a device into the corporate network, to contractor and vendor devices, to third-party managed networks. Ordr can easily identify these devices so that appropriate action can be taken to bring them into compliance.
Understand active threat posture: Active threats are different from vulnerabilities. Ordr has a built-in IDS engine that can detect east-west threat propagation. Knowing the criticality of a device together with evidence that a vulnerability on it is being exploited is critical. Typical firewalls don’t catch east-west threat propagation. Ordr detects and reports east-west threat propagation, which reduces the threat response time.
Monitor active communications: No one wants their devices talking to known-bad sites. Ordr detects these activities right away and triggers an alarm.
Backup and encryption: As a standard practice, perform regular backups and encrypt them.
Be proactive: These new attacks try to learn the network and its connectivity details in order to cause maximum damage. Microsegmentation is an effective way to protect the network from ransomware attacks because it minimizes threat exposure. Ordr makes microsegmentation easier and a reality.

Detect

Make sure standard security practices are up to date: Make sure that all the security measures you have in place, such as endpoint protection software and threat feed information, are up to date. Provide continuous security education to all users, including vendors and contractors.
Logging: Make sure that you have logs of all transactions. Ordr records all network transactions, which helps immensely with any forensic activity.
User-to-device mapping: It’s critical to understand who is using which devices and what they are doing with them. Ordr maps users to devices and devices to their communications.
Communication patterns: Understanding device-to-device communication patterns and blocking unnecessary or unexpected communication is another step toward protecting the infrastructure. One of the exploitation vectors for the recent ransomware attacks is the open RDP port 3389. Ordr provides an easy way to identify devices that are communicating over port 3389. Users can then decide whether this communication is expected and whether the RDP port itself needs to be changed.
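The two detection ideas above (east-west traffic that a perimeter firewall never sees, and RDP on port 3389 from devices that have no business opening it) can be checked against ordinary flow records. The following is an added example, not Ordr code: it runs over a constructed set of flow lines, uses an assumed internal address space and an assumed allowlist of jump hosts, and flags internal RDP from non-jump hosts, one source fanning out to many RDP targets, and RDP reaching in from outside.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not from any real network): timestamp, src IP, dst IP, dst port, protocol
SAMPLE_FLOWS = """\
2020-10-29T08:01:10Z 10.20.1.15 10.20.5.40 3389 tcp
2020-10-29T08:01:12Z 10.20.1.15 10.20.5.41 3389 tcp
2020-10-29T08:01:13Z 10.20.1.15 10.20.5.42 3389 tcp
2020-10-29T08:01:15Z 10.20.1.15 10.20.5.43 3389 tcp
2020-10-29T08:02:00Z 10.20.9.2 10.20.5.40 3389 tcp
2020-10-29T08:02:30Z 10.20.3.7 203.0.113.10 443 tcp
2020-10-29T08:03:00Z 198.51.100.7 10.20.5.44 3389 tcp
2020-10-29T08:03:05Z 10.20.3.7 10.20.5.50 445 tcp
"""

# Hypothetical site configuration: internal address space (RFC 1918) and the jump hosts expected to open RDP.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RDP_ALLOWED_SOURCES = {"10.20.9.2"}
RDP_PORT = 3389
FANOUT_THRESHOLD = 3  # distinct RDP targets from one source before we flag lateral movement


def parse_flows(text):
    """Parse the whitespace-separated flow format above into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto = line.split()
        flows.append({"ts": ts, "src": ipaddress.ip_address(src),
                      "dst": ipaddress.ip_address(dst), "port": int(port), "proto": proto})
    return flows


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def find_rdp_findings(flows):
    """Return (kind, source, detail) tuples: internal-to-internal RDP from non-jump hosts,
    one source fanning out to many RDP targets, and RDP reaching in from outside."""
    findings = []
    rdp_targets = defaultdict(set)
    for f in flows:
        if f["proto"] != "tcp" or f["port"] != RDP_PORT:
            continue
        src, dst = str(f["src"]), str(f["dst"])
        if is_internal(f["src"]) and is_internal(f["dst"]):      # east-west traffic
            rdp_targets[src].add(dst)
            if src not in RDP_ALLOWED_SOURCES:
                findings.append(("unexpected_internal_rdp", src, dst))
        elif is_internal(f["dst"]):                              # inbound from outside
            findings.append(("external_rdp_to_internal", src, dst))
    for src, targets in rdp_targets.items():
        if len(targets) >= FANOUT_THRESHOLD:
            findings.append(("rdp_fanout", src, f"{len(targets)} targets"))
    return findings


if __name__ == "__main__":
    for kind, src, detail in find_rdp_findings(parse_flows(SAMPLE_FLOWS)):
        print(f"{kind:26} {src:15} -> {detail}")
```

The allowlist is what turns raw port-3389 traffic into a decision: a flagged source is either a jump host that belongs on the list or a device whose RDP exposure should be removed.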

Respond

Incident response: Develop a plan to respond to an incident. Ordr helps identify the blast radius and the impacted applications and users, so that you can build an effective incident response plan.
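Working out the blast radius from a user-to-device map and observed device-to-device communications, as described under User-to-device mapping and Incident response, as an added example that is not Ordr code. It assumes constructed communication records, a constructed user-to-device map and a constructed device-to-application map, and treats any two devices that have exchanged traffic as reachable from one another.

```python
from collections import deque

# Constructed observed device-to-device communications (src, dst, service); not real data.
OBSERVED_COMMS = [
    ("ws-nurse-01", "srv-emr-db", "mssql"),
    ("ws-nurse-01", "infusion-pump-07", "http"),
    ("ws-nurse-01", "srv-file-01", "smb"),
    ("srv-file-01", "srv-backup-01", "smb"),
    ("srv-emr-db", "srv-app-emr", "mssql"),
    ("ws-admin-02", "srv-file-01", "smb"),
    ("vending-03", "203.0.113.5", "https"),
]

# Constructed user-to-device and device-to-application mappings (assumed inputs).
USER_OF_DEVICE = {"ws-nurse-01": "jdoe", "ws-admin-02": "asmith"}
APP_OF_DEVICE = {"srv-emr-db": "EMR", "srv-app-emr": "EMR",
                 "srv-file-01": "File share", "srv-backup-01": "Backups"}


def build_graph(comms):
    """Undirected adjacency: any two devices that exchanged traffic are neighbours.
    Assumption: an intruder on one device can reach every device it has been
    observed talking to, whichever side sent the first packet."""
    graph = {}
    for src, dst, _svc in comms:
        graph.setdefault(src, set()).add(dst)
        graph.setdefault(dst, set()).add(src)
    return graph


def blast_radius(graph, compromised, max_hops=2):
    """Breadth-first walk from the compromised device, returning {device: hops}
    for everything reachable within max_hops observed communication links."""
    hops = {compromised: 0}
    queue = deque([compromised])
    while queue:
        node = queue.popleft()
        if hops[node] >= max_hops:
            continue
        for nxt in graph.get(node, ()):
            if nxt not in hops:
                hops[nxt] = hops[node] + 1
                queue.append(nxt)
    return hops


def impact_summary(hops):
    """Translate the reachable device set into the users and applications
    that belong in the incident response plan."""
    users = sorted({USER_OF_DEVICE[d] for d in hops if d in USER_OF_DEVICE})
    apps = sorted({APP_OF_DEVICE[d] for d in hops if d in APP_OF_DEVICE})
    devices = sorted(hops.items(), key=lambda kv: (kv[1], kv[0]))
    return {"devices": devices, "users": users, "applications": apps}


if __name__ == "__main__":
    summary = impact_summary(blast_radius(build_graph(OBSERVED_COMMS), "ws-nurse-01"))
    for device, hop in summary["devices"]:
        print(f"hop {hop}: {device}")
    print("users:", summary["users"], "applications:", summary["applications"])
```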

Recover

Restore: With the backup and encryption mechanisms in place, restore the data.
Verify: Make sure that the suspect hardware or software is not used in the future. Ordr continuously monitors the network and will let the user know if any vulnerable device comes back onto the network.
Report: Report the incident to the appropriate authorities as designated by your response and disclosure policies.
In summary, there is no single prescriptive solution to RaaS, but it can be prevented by following the recommendations from Ordr and other authoritative sources. In the battle between good and evil, good always triumphs; we just need to know the exploitation vectors, the vulnerability posture of the organization and its active threat posture. We hope our recommendations will help organizations continue their business and discourage bad actors from carrying out malicious activities.
For more information on how Ordr can help you identify and manage vulnerabilities for any connected device, please contact info@ordr.net.