
I am honored to work with CHIME on the seven-part Medical Device Security webinar series to educate the community on healthcare cybersecurity. We’ll be sharing takeaways from this webinar on the Ordr blog.

I kicked off and hosted the first episode on July 6th, featuring a panel of thought leaders on the topic of medical device cybersecurity. Episode One’s expert panel included the following:

  • Greg Garcia, Executive Director of the Healthcare and Public Health Sector Coordinating Council (HSCC)
  • Jessica Wilkerson, JD, Cyber Policy Advisor of the All Hazards Readiness, Response, and Cybersecurity (ARC) team of the FDA’s Center for Devices and Radiological Health
  • Rob Suárez, CISO of Becton Dickinson (BD) and chairman of the Medical Device Innovation Consortium’s (MDIC) Cybersecurity Steering Committee and the Advanced Medical Technology Association’s (AdvaMed) Cybersecurity Work Group
  • Dr. Jeff Tully, MD, physician and anesthesiologist at UC San Diego Health, and hacker activist and co-founder of the CyberMed Summit
  • Dr. Christian Dameff, MD, Assistant Professor, emergency physician, and Medical Director of Cybersecurity at UC San Diego Health, and hacker activist and co-founder of the CyberMed Summit

The challenges of device security were a central area of discussion. One particular concern the panelists brought up was the limited attention that clinical staff in hospitals generally dedicate to security. As noted by Dr. Tully, “for the average clinician, cybersecurity awareness is limited to the pesky, mandatory annual training modules we have to do to maintain our privileges at a hospital.” This is an example of “security by compliance”, as Ms. Wilkerson put it, which is precisely what the future regulatory framework aims to avoid. Patient safety is a top priority for all doctors, though the potential adverse impact to patients of neglecting cybersecurity standards is not always apparent. Promoting an industry-wide culture of vigilance towards device security and building recognition of the very real, tangible threats that exist is paramount to hardening the U.S. healthcare system against malicious attack.

An even more formidable obstacle is the capability of healthcare delivery organizations (HDOs) to implement the necessary or mandated cybersecurity solutions. “There are hospitals that are ‘cyber-haves’ and ‘cyber-have-nots’, and they’re going to be like that for a very long time,” said Dr. Dameff. He continued, “There are hundreds of hospitals in this country that don’t have two nickels to rub together,” explaining the dilemma faced by many rural critical-access hospitals. Struggling just to pay staff during the pandemic, these HDOs will likely be unable to afford security technologies like multi-factor authentication, immutable backups, and appropriate network segmentation. Yet another resource constraint is the deficit of cybersecurity professionals in rural America needed to implement, operate, and support new systems and practices. As Mr. Garcia concurred, this is a problem that necessitates support and incentives from regulators as opposed to penalization for noncompliance. In other words, more carrot and less stick.

Legacy devices and their inherent vulnerabilities were discussed by Ms. Wilkerson and Mr. Garcia, both of whom are familiar with the difficulties of crafting policy and standards governing the security of antiquated technology. Mr. Suárez emphasized the importance of being proactive with device cybersecurity, as securing fifteen or twenty-year-old devices is a very expensive endeavor. Today’s technology will be the legacy technology of tomorrow, so futureproofing for tomorrow’s threats is essential for mitigating the same predicament our healthcare system is experiencing currently.

Among the other topics covered by the panelists was the communication of known vulnerabilities to clinicians and patients. However, as noted by Dr. Tully, the cybersecurity literacy of the audience must be considered when deciding how and when to inform them of vulnerabilities in devices with which they interact. Medical device manufacturers (MDMs) are vital to disclosing vulnerabilities and disseminating that information to doctors, who in turn educate their patients. Unfortunately, clinicians often neglect to communicate device vulnerabilities to patients. According to his research on patient preferences, Dr. Dameff found that patients overwhelmingly desire to be informed of vulnerabilities in the devices they use or have implanted, even if there is no realistic threat. “Cyber Informed Consent” is the term he used to describe the responsibility of clinicians to effectively articulate vulnerability information in a meaningful way. Ms. Wilkerson further reiterated this point, as the FDA discovered the same sentiment in its own patient surveys. In her own words, “It should not be the FDA, or the manufacturers, or anyone else deciding what the patient wants, or doesn’t want, to know. That is for the patient to decide.”

Be sure to mark your calendars for our recap of the second episode of CHIME’s medical device security webinar series, Aligning Healthcare Cybersecurity; we will recap the episode in a guest blog next week. The second episode featured Julie Chua, Director of GRC within HHS, and Erik Decker, CISO at Intermountain Health, who both lead the HHS 405(d) task group, and Rob Suárez, CISO of BD and lead on the MedTech Joint Security Plan. We discuss two publications released by health industry public-private partnerships that have impacted medical device security more than any others.

I participated in Threatpost’s 15 Cybersecurity Gaffes and Fixes Mid-size Businesses Face Webinar with Timu Kovalev and Erich Kron earlier this year to share my knowledge of today’s cybersecurity issues.

Here are 15 cybersecurity issues many midsize businesses face:

  1. Think they’re too small to be a target: Many smaller organizations are perceived as easier targets, and attacks can go undetected and unsupported. Ensure there are appropriate cybersecurity defenses to protect your business.
  2. Haven’t made a thorough asset inventory assessment: You should be confident that you know what is on your network. Asset inventories should be kept up to date and automated.
  3. No network segmentation: Segmenting your network is foundational to cybersecurity plans, and prevents breaches from spreading throughout the network.
  4. Ignore fundamentals: Businesses should have the cybersecurity basics – asset inventory, business continuity plan, backups, security training, least privilege access policy, and segmentation strategy.
  5. Haven’t done a business risk evaluation: Risk evaluations are important to analyze security risks and allocate adequate resources to mitigate those risks.
  6. Insecure digital assets: All aspects of your organization are at risk of attack – digital assets need to be secured too.
  7. Don’t know what “normal” activity looks like: Some form of device monitoring program should be in place to flag what device communications are normal and which should be investigated.
  8. No two-factor authentication: Two-factor authentication is not only a useful cybersecurity tool, but is also an educational tool, driving employee awareness of cybersecurity issues by making them stop and think about security.
  9. Misconfigured cloud servers, confusion about move to cloud: Securing your data is your job; cloud service providers do not secure your data. Organizations should deploy security in the cloud and control access to the resources moved to the cloud.
  10. Not enough user security training: Security training and helping employees understand the importance of security is key to a good security plan. Reminding employees that breaches can cause substantial business disruption as well as damage the company reputation can help them take training seriously.
  11. Haven’t evaluated their own threat to the supply chain: Many smaller organizations are often part of the supply chain for larger organizations, and will start being regulated more. These regulations can impact business function and revenue, so evaluating potential threats to the supply chain early on is important to addressing security risks.
  12. No business continuity plan: Many businesses fail to make a continuity plan or fail to think about a multitude of scenarios. A smart business continuity plan encompasses cybersecurity.
  13. Strategic, realistic asset allocation and budgeting: Cybersecurity takes time, money, and effort, requiring asset allocation to be realistic and strategic.
  14. Failing to back up: Organizations should have a secure, set place to consistently back up information and protect their data.
  15. Lax patching: Patching is key to addressing vulnerabilities, and should be taken seriously.

Although this list is not all-encompassing, addressing these 15 common mistakes can greatly improve your security. Ordr works with many channel partners and managed service providers that can help provide managed security services for you, including deployment and management of the Ordr platform.

Ready to achieve total visibility into what’s on your network? Request a free Ordr sensor today and you’ll be able to see what connected devices are on your network in minutes!

Ordr has one of the most robust channel partner programs in the market, and I often meet with our partners to understand not only what opportunities they’re working on, but also address any questions they have about our products.

In a conversation with Steven Dastoor of CITON recently, we spoke about the convergence of IT and OT environments, and how important it is to have visibility and security for IT, IoT, and OT devices. The Colonial Pipeline attack demonstrated that the security of IT systems is just as important as that of OT, because when your billing system goes down, your business operations are impacted even if the ransomware did not hit the OT systems.

We discussed best practices and specifically the recommendations outlined in the September 2020 Microsoft Digital Defense Report on securing IoT/OT Networks.

These were great recommendations by Microsoft. Here’s how Ordr maps to them:

Reducing exposure of IoT/OT devices

Beyond discovering and classifying all connected devices, from traditional servers, workstations and PCs to IoT, IoMT and OT devices, Ordr profiles device behavior and risks, and then automates appropriate action. In addition, there are visual representations of your network and associated risk. You can view this at the device group level to easily see all devices with communications to the internet in our Ordr Traffic Analysis connectivity map, or at the individual device level in our Ordr Flow Genome. We also integrate threat intelligence from multiple sources, enriching the Ordr Data Lake with data on emerging threats, domains associated with phishing sites, Command and Control (C2) infrastructure, etc. We can also map “good behavior,” and flag and alert on any anomalies or new traffic patterns we have never seen before. This good behavior can be shared with other tools, such as firewalls and switch infrastructure, to create zero trust policies that only allow a device the access and communication flows it needs. Anything else is automatically blocked based on the dynamically generated policies.

Mitigating risks

Ordr has a number of capabilities to first identify devices that are high risk. These include devices with weak passwords and certificates, devices running outdated operating systems, or devices with known vulnerabilities. Ordr also includes an integrated Threat Detection Engine that detects exploits and active threats, in addition to machine-learning models that alert on anomalous traffic. Ordr helps validate security-based workflows like red teaming.

In addition, once vulnerable or compromised devices are identified, we can deliver rapid response to remediate and mitigate risks. We dynamically generate policies to save security teams the time of manually writing policies individually for VLANs, SGTs, and internal firewall rules. Organizations globally also use Ordr to triage events during the incident response (IR) process, often by enriching their Security Information and Event Management (SIEM) solution.

Implement Zero Trust IoT/OT strategies

In order to create the appropriate Zero Trust policies, it is important to not only identify devices but also understand what they are doing in the network, and to be able to create policies that align to business needs. This is one of Ordr’s biggest differentiators: creation of Zero Trust policies and the ability to enforce them across existing networking and security infrastructure such as Aruba ClearPass, Cisco ISE, FortiManager/FortiGate, FortiNAC, Check Point, etc.

Centralize asset/configuration/patch management (IT, IoT, and OT)

Ordr delivers a real-time asset inventory of every device. As we discover devices on the network, we can push and pull information from tools like ServiceNow or other CMDB/IT Asset Management tools to ensure the devices we see are cataloged by the business. We can keep asset management systems continuously up to date about systems that are not being tracked. We see this a lot: Ordr detects devices on the network that do not exist in the asset management tool, and also devices that are still marked Active in the asset management system but are not deployed or online in the environment.

Ordr also works with vulnerability management tools like Tenable and Rapid7 to deliver vulnerability insights into devices that may not previously have been scanned for CVEs.

Convergence of IT and OT

We are a bridge between these teams, as we give them a data set they can both work with, each from their unique perspective. I am working with a manufacturer right now where we are delivering visibility and security of their OT and IT networks. Because there aren’t “air-gapped” networks anymore, the IT security team was concerned about exactly what was connected. We found a number of OT workstations running Windows XP, not managed by IT as they are Siemens control systems, but the IT team was using Remote Desktop Protocol (RDP) to connect to them remotely for work. This is similar to how threat actors infiltrated the water treatment plant in Florida. Ordr was able to map out which specific devices are allowed to be part of remote work and remote access, limiting the attack surface. It is a great story of IT and OT coming together to ensure the security and availability of these systems.

Continuously monitor for unusual or unauthorized behavior

The Ordr platform includes a machine learning engine that baselines and maps every device’s communications. This baseline allows us to understand what “normal behavior” is and to alert on unusual behavior.

Ordr also monitors all devices that use supervisory protocols like SSH, telnet, ftp, etc., associates them with user names, correlates them with the network they logged in from (corporate or guest), and maintains an accurate access record for each and every device as well as each and every user.

Plan for Incident response

We are a critical product for Security Operations Centers (SOCs) and Cyber Security Incident Response Teams (CSIRTs) and should be a tool used in diagnostics. When an incident occurs, Ordr provides the context for the device and details about what it is communicating with. We can also provide insights on communications to C2 sites retrospectively. Finally, we empower SOCs and incident response teams by creating security policies to quickly lock down or isolate a device, blocking threats through NGFW policies, ACL blocks, quarantine VLAN assignment, port shutdown, or session termination, applied either directly to firewalls, existing switches, and wireless controllers, or via a NAC platform.

For example, when the SolarWinds vulnerability hit, we had a customer reach out and ask: “Can you give me an inventory of all of my SolarWinds devices, and where they are in the network?” We did it in two clicks. We also monitored the customer’s environment to see if there were any communications to SolarWinds domains.

Remember third parties

We can monitor third-party connections. We see this all the time in healthcare, where a third party, like Siemens, connects to do remote support on a device, like an MRI. We see the communications coming in from the Netherlands, generally over traditional management protocols like Telnet, SSH, HTTPS, and RDP. We can track the source and destination of this traffic, as well as the timestamps for when it is occurring. We can then create Zero Trust policies to lock down these management ports while still allowing the third-party access that is needed.
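The "know what normal looks like" item in the list above, the baselining and supervisory-protocol tracking described under "Continuously monitor for unusual or unauthorized behavior", and the third-party remote-support monitoring in this section all reduce to the same defensive logic: learn each device's communication tuples during a learning window, then flag anything outside that baseline, and separately check that inbound management-protocol sessions from outside the network come only from an approved support source. The following Python script is an added example that implements that logic; it is not Ordr's code or an Ordr API. The flow-record format, the port-to-protocol table, the internal address ranges and the per-device approved third-party ranges are all assumptions for the example, and every address used is from a documentation range rather than a real vendor or customer.

```python
"""Constructed example: learn per-device communication baselines from flow
records, then flag deviations and unapproved inbound remote-management sessions."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Supervisory/management protocols named on the page, keyed by their usual TCP port (assumed).
MANAGEMENT_PORTS = {21: "FTP", 22: "SSH", 23: "Telnet", 443: "HTTPS", 3389: "RDP"}

# Assumed internal address space for this example.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed allow-list of third-party support sources per device
# (RFC 5737 documentation ranges, not real vendor addresses).
APPROVED_THIRD_PARTIES = {"mri-01": [ip_network("203.0.113.0/24")]}

# Constructed flow records: <timestamp> <device> <in|out> <peer_ip> <proto>/<port>
LEARNING_WINDOW = """
2021-07-01T08:00:00Z mri-01 out 10.0.5.20 tcp/104          # DICOM to PACS
2021-07-01T08:05:00Z mri-01 in 203.0.113.7 tcp/22          # approved vendor SSH support session
2021-07-01T09:00:00Z infusion-12 out 10.0.5.30 tcp/443     # pump to internal server
2021-07-02T08:00:00Z mri-01 out 10.0.5.20 tcp/104
"""

MONITORING_WINDOW = """
2021-07-10T08:00:00Z mri-01 out 10.0.5.20 tcp/104          # matches baseline
2021-07-10T08:01:00Z mri-01 in 203.0.113.7 tcp/22          # matches baseline, approved source
2021-07-10T08:02:00Z mri-01 in 198.51.100.4 tcp/3389       # RDP from an unapproved external address
2021-07-10T08:03:00Z infusion-12 out 192.0.2.10 tcp/443    # never-seen external destination
2021-07-10T08:04:00Z workstation-xp-3 in 10.0.9.15 tcp/3389  # device absent from baseline
"""


def parse_flows(text):
    """Parse the constructed record format above into a list of dicts; '#' starts a comment."""
    flows = []
    for raw in text.strip().splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ts, device, direction, peer, protoport = line.split()
        proto, port = protoport.split("/")
        flows.append({"ts": ts, "device": device, "direction": direction,
                      "peer": peer, "proto": proto.lower(), "port": int(port)})
    return flows


def is_internal(ip):
    """True when the address falls inside the assumed internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def build_baseline(flows):
    """Per device, the set of (direction, peer, proto, port) tuples seen while learning."""
    baseline = defaultdict(set)
    for f in flows:
        baseline[f["device"]].add((f["direction"], f["peer"], f["proto"], f["port"]))
    return dict(baseline)


def detect(baseline, flows):
    """Return alerts for flows outside the baseline and for inbound management-protocol
    sessions from external sources that are not on the device's approved third-party list."""
    alerts = []
    for f in flows:
        key = (f["direction"], f["peer"], f["proto"], f["port"])
        if f["device"] not in baseline:
            # A device that never appeared during learning is itself worth an alert
            # (the page's "devices that do not exist in the asset management tool" case).
            alerts.append({"kind": "unknown_device", "device": f["device"],
                           "ts": f["ts"], "peer": f["peer"]})
        elif key not in baseline[f["device"]]:
            alerts.append({"kind": "new_flow", "device": f["device"], "ts": f["ts"],
                           "peer": f["peer"], "protocol": f"{f['proto']}/{f['port']}"})
        # Checked independently of the baseline: remote management from outside must come
        # from an approved support range, otherwise it is the Florida water-plant pattern.
        if f["direction"] == "in" and f["port"] in MANAGEMENT_PORTS and not is_internal(f["peer"]):
            approved = APPROVED_THIRD_PARTIES.get(f["device"], [])
            if not any(ip_address(f["peer"]) in net for net in approved):
                alerts.append({"kind": "unapproved_remote_management", "device": f["device"],
                               "ts": f["ts"], "peer": f["peer"],
                               "protocol": MANAGEMENT_PORTS[f["port"]]})
    return alerts


if __name__ == "__main__":
    base = build_baseline(parse_flows(LEARNING_WINDOW))
    for alert in detect(base, parse_flows(MONITORING_WINDOW)):
        print(alert)
```

Run as-is, the script learns two tuples for mri-01 and one for infusion-12, then raises four alerts on the monitoring window: a new flow and an unapproved RDP session for mri-01, a new external destination for infusion-12, and an unknown-device alert for the Windows XP workstation. In a real deployment the baseline key would normally be coarsened (peer network rather than exact peer, or a classified peer role) so that a vendor's second support host does not look like an anomaly, and the approved ranges would be tied to a maintenance window rather than being open at all times.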
