
Last week, we announced the availability of Ordr’s 2nd annual Rise of the Machines 2021 Report “State of Connected devices — IT, IoT, IoMT and OT”. This year’s report analyzed connected device security risk and adoption for 12 months (June 2020 through June 2021) across more than 500 Ordr deployments in healthcare, manufacturing, financial services organizations and more.

We invite you to download this report here.

What were the learnings from the Rise of the Machines? Here are the five security takeaways from the 2021 Report.

1. A “whole organization” approach to connected device security is critical

In this report, Ordr discovered that 42% of connected devices were agentless or un-agentable devices, up from 32% in 2020. With almost half of the devices on the network either agentless or un-agentable, it’s clear that a security strategy focused only on agent-based endpoint security is not enough. These connected devices are key to digital transformation and organizational strategic priorities, but they are not designed with security in mind, often run obsolete operating systems and cannot support endpoint security agents. The solution is to identify, monitor and secure these devices via the network, complementing your endpoint security solution.

What’s important to remember is that ALL devices/assets need to be identified and profiled. Yes, if you’re in healthcare, medical devices are critical, and similarly if you’re in manufacturing, your OT devices are critical. But because threat actors can target any vulnerable device, you need a complete asset inventory of every “thing” in your network. The Colonial Pipeline attack showed us that when IT and IoT systems are hit by a cyberattack, your business is impacted even if your OT environment continues to function. In a hospital, a cyberattack on your elevator control systems will similarly bring down healthcare operations if patients cannot be transported, even if your medical devices are fine. This is what we mean by the “whole organization” approach to connected device security.

2. Beware the “Shadow IoT” and personal devices

In a sign of the times, Ordr found Pelotons, Sonos, Alexas and Teslas in the network, almost twice the number found in the 2020 report. Many of these devices (with the exception of Teslas) were in fact being used for actual business operations. In fact, many of our “Smart Hospitals” were deploying Alexas in their rooms for their pediatric patients. Alexas were used for “nurse call functions”, to switch channels on TVs, and to dim or change the smart lighting in the rooms. Pelotons were being used for physical therapy in hospitals, and were deployed in gyms in hospitality verticals and enterprises.

What’s interesting to note is that not only do these devices have vulnerabilities (for example, leaky APIs within Pelotons) for threat actors to take advantage of, but they also store an overwhelming amount of data that could be used to target users within the organization. Threat actors are already targeting disgruntled employees to get them to unleash ransomware; imagine if they had data from personal devices (eavesdropping on Alexas or identifying health conditions on Peloton devices) to optimize their target list.

3. Understand which devices are bringing risks to your network

Outdated operating systems present the greatest risks for most organizations. We identified about 19% of deployments with devices running outdated operating systems (Windows 7 and older), and almost 34% of deployments with devices running Windows 8 and Windows 10, which are scheduled to reach end of life in 2023 and 2025, respectively.

Within healthcare, 15% of medical devices and 32% of medical imaging devices run on outdated operating systems. This is because many medical devices remain in operation for a number of years and cannot be easily replaced for cost reasons. Segmentation is the only way to ensure security of these devices, keep them in operation and avoid the costs of replacing devices early.

Ordr makes this easy for any security organization because we create the segmentation policies automatically for you, to be pushed and enforced on switches, next-generation firewalls, wireless LAN controllers and NAC systems.

Besides outdated operating systems, you should also identify devices with weak operating systems, weak passwords or weak certificates. Again, this is an easy click of the button on the Ordr dashboard.

4. Monitoring device behaviors and communications patterns is critical to security

At Ordr, we believe in the adage “You can’t secure what you can’t see”. But visibility is not just about knowing what devices you have in the network; it’s also about understanding how each device is behaving and what it is communicating with. That behavioral understanding of what is “normal” allows you to surface anomalous behaviors such as lateral movement (a sudden increase in SMB traffic) or a compromised device (communications calling home to a C2 domain).

The Ordr platform not only includes an integrated threat detection engine for known threats, but also behavioral mapping of every device flow to detect unknown threats. This is not easy; we monitor almost one BILLION flows today across all our customers’ deployments. But this has allowed us to detect Darkside and Conti infections, via devices behaving suspiciously, BEFORE any indicators of compromise were even released by authorities such as the FBI.
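As an added illustration of the behavioral baselining described above (example code, not Ordr’s platform; the flow records, device names and the C2 domain list are constructed), the following compares each device’s SMB flow count in the current window against its own history and flags any flow to a listed callback domain:

```python
# Added example: per-device SMB baseline plus C2-domain match over flow records.
from collections import defaultdict

# Constructed sample flow records: (hour_window, src_device, dst, dst_port)
FLOWS = [
    (0, "infusion-pump-12", "file-srv", 445),
    (1, "infusion-pump-12", "file-srv", 445),
    (2, "infusion-pump-12", "file-srv", 445),
    (3, "infusion-pump-12", "file-srv", 445),
    # window 4: burst of SMB to many hosts, the lateral-movement pattern
    *[(4, "infusion-pump-12", f"ws-{i}", 445) for i in range(12)],
    (0, "hvac-ctrl-3", "bms-head", 47808),
    (1, "hvac-ctrl-3", "bms-head", 47808),
    (2, "hvac-ctrl-3", "bms-head", 47808),
    (3, "hvac-ctrl-3", "bms-head", 47808),
    # window 4: HVAC controller calls out to a domain on the C2 list
    (4, "hvac-ctrl-3", "c2.example.invalid", 443),
    (4, "hvac-ctrl-3", "bms-head", 47808),
]

# Constructed placeholder list; a deployment would feed this from threat intel.
C2_DOMAINS = {"c2.example.invalid"}
SMB_PORT = 445


def smb_counts(flows):
    """Per device, per window: number of flows to tcp/445."""
    counts = defaultdict(lambda: defaultdict(int))
    for window, src, _dst, port in flows:
        if port == SMB_PORT:
            counts[src][window] += 1
    return counts


def detect(flows, current_window, factor=3.0, min_flows=5):
    """Return (device, alert_type, detail, baseline) tuples for one window."""
    alerts = []
    counts = smb_counts(flows)
    for device, per_window in counts.items():
        # Windows with no SMB flows count as zero so the baseline is not inflated.
        history = [per_window.get(w, 0) for w in range(current_window)]
        now = per_window.get(current_window, 0)
        baseline = sum(history) / len(history) if history else 0.0
        # A device with no SMB history that suddenly speaks SMB is anomalous too,
        # so compare against max(baseline, 1) instead of dividing by zero.
        if now >= min_flows and now > factor * max(baseline, 1.0):
            alerts.append((device, "smb_spike", now, baseline))
    for window, src, dst, _port in flows:
        if window == current_window and dst in C2_DOMAINS:
            alerts.append((src, "c2_callout", dst, None))
    return alerts


if __name__ == "__main__":
    for alert in detect(FLOWS, current_window=4):
        print(alert)
```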

5. Manage user access to devices and appropriate offboarding when status changes

Finally, one of the most interesting additions to the 2021 report was about 55% of our deployments having devices with orphaned users. Devices with orphan accounts retain the same access rights as when they were associated with an active user. These orphaned user accounts provide a gateway to privilege escalation and lateral movement. Therefore, as part of a robust and complete Zero Trust strategy for connected devices, you need to ensure that all devices are being utilized only by current users and those with appropriate privileged access. Check out our blog on identifying employee account misuse using Ordr.

Want to learn more? Download our Rise of the Machines report now.

The second episode of the seven-part CHIME Medical Device Security webinar series aired last week. The episode addressed the topic of aligning healthcare cybersecurity for connected medical devices with a new cybersecurity law for healthcare. Once again, I moderated the episode in my new role as Senior Account Executive with Nuvolo. I was joined by two industry experts who weighed in on the subject: Erik Decker, the CISO of Intermountain Healthcare, former Board Chair of the Association for Executives in Healthcare Information Security (AEHIS), and co-leader of the HHS task group implementing the Cybersecurity Act of 2015; and, returning from Episode One, Rob Suárez, CISO of Becton Dickinson (BD) and chairman of the Medical Device Innovation Consortium’s (MDIC) Cybersecurity Steering Committee and the Advanced Medical Technology Association’s (AdvaMed) Cybersecurity Work Group.

The Cybersecurity Act of 2015, in particular its 405(d) provision, expressly calls out the healthcare industry. While the name “405(d)” offers little insight into the legislation’s relevance to medical device security, Mr. Decker is uniquely positioned, perhaps more so than anyone else, to elaborate on its significance. As he explained, healthcare is officially designated as critical infrastructure and simply requires more protection. Cyber-attacks on hospital operations are direct threats to patient safety, and compromises of highly sensitive electronic health information threaten patient privacy rights. Ransomware attempts against healthcare are increasing, rising 123% in 2020 and incurring $20.8 billion in downtime costs. 405(d) mandates the formation of an industry-led task group to publish a compendium of cybersecurity best practices, frameworks, methodologies, technologies, and other recommendations to serve as a set of Federally recognized cybersecurity practices that afford legal safe harbor to Health Delivery Organizations (HDOs) when implemented. In the words of Mr. Decker, “It’s a way to draw a line in the sand and say, ‘here is an example of what you can do that demonstrates best practice’; and if you do it, you get a benefit for it; and if you don’t, you might be hindered by it.” The cornerstone publication of the 405(d) task group is Health Industry Cybersecurity Practices (HICP, pronounced like ‘hiccup’). Comprising three primary volumes, HICP has a main document providing a high-level summary of the threats and recommendations, and two technical volumes prescribing specific practices, including for connected medical devices, to be implemented by IT specialists of small, medium, and large HDOs. Under the new law, Public Law 116-321, following the best practices for medical device security detailed in HICP will require the Office of Civil Rights within the HHS (OCR) to consider reductions in fines, audits and post-breach oversight.

Next, Mr. Suárez discussed the Medical Device and Health IT Joint Security Plan (JSP), authored by a Healthcare and Public Health Sector Coordinating Council (HSCC) task group in 2019, which Mr. Suárez co-chaired. The JSP document proposes a voluntary framework in which responsibility for medical device security is disseminated across healthcare stakeholder organizations. Under the JSP, MDMs proactively aid their customers by developing and communicating processes, personnel training recommendations, device life-cycle strategy, vulnerability patches, decommissioning plans, and incorporating HDO feedback into future product design. HDOs work with their vendors to establish baseline best practices and measures of device maturity and process effectiveness, communicate complaints and discovered vulnerabilities, and institute remediation procedures.

Episode Three of CHIME’s Medical Device Security webinar series airs on Thursday, August 5th. If you missed Episode One, you can view my recap here, or register for the entire series at https://store.ignitedigital.org/product?catalog=medical_device_security_webinar_series.

Acronym Glossary

  • 405(d): A provision within the Cybersecurity Act of 2015 (CSA). The CSA 405(d) document aims to raise awareness, provide vetted practices, and foster consistency in mitigating the most pertinent and current cybersecurity threats to the sector. It seeks to aid Healthcare and Public Health (HPH) sector organizations in developing meaningful cybersecurity objectives and outcomes.
  • AdvaMed: Advanced Medical Technology Association
  • AEHIS: Association for Executives in Healthcare Information Security
  • BD: Becton Dickinson
  • CHIME: College of Healthcare Information Management Executives
  • HDOs: Health Delivery Organizations
  • HHS: Health and Human Services
  • HICP: Health Industry Cybersecurity Practices
  • HSCC: Healthcare and Public Health Sector Coordinating Council
  • JSP: Medical Device and Health IT Joint Security Plan
  • MDIC: Medical Device Innovation Consortium
  • MDM: Medical Device Manufacturers
  • OCR: Office of Civil Rights within the HHS
  • Public Law 116-321: An act to amend the Health Information Technology for Economic and Clinical Health Act to require the Secretary of Health and Human Services to consider certain recognized security practices of covered entities and business associates when making certain determinations, and for other purposes

The Executive Order 14028 has sent ripples through the cybersecurity industry. Since my last blog post where I provided my reflections on the EO, NIST has published their definition of ‘critical software’ in their official white paper published on June 25, 2021.

Operational technologies comprise the industrial hardware and software systems that form the backbone of industry. Manufacturing equipment, building automation systems, facilities management controls, transportation and logistics infrastructure are all essential to managing critical operations.

In the guidance, NIST clearly defines Operational Technology as critical software that must be secured. At Ordr, we fully understand the gravity of this situation and have built our solution around this paradigm, giving our customers the peace of mind of knowing that they can effectively identify, manage and secure the devices in their critical infrastructure in support of this crucial mission for the United States.

From the NIST Whitepaper:

NIST recommends that the initial EO implementation phase focus on standalone, on-premises software that has security-critical functions or poses similar significant potential for harm if compromised.

Subsequent phases may address other categories of software such as:

  • software that controls access to data;
  • cloud-based and hybrid software;
  • software development tools such as code repository systems, development tools, testing software, integration software, packaging software, and deployment software;
  • software components in boot-level firmware;
  • or software components in operational technology (OT).

EO-critical software is defined as any software that has, or has direct software dependencies upon, one or more components with at least one of these attributes:

  • Is designed to run with elevated privilege or manage privileges;
  • Has direct or privileged access to networking or computing resources;
  • Is designed to control access to data or operational technology;
  • Performs a function critical to trust; or,
  • Operates outside of normal trust boundaries with privileged access.

The definition applies to software of all forms (e.g., standalone software, software integral to specific devices or hardware components, cloud-based software) purchased for, or deployed in, production systems and used for operational purposes. Other use cases, such as software solely used for research or testing that is not deployed in production systems, are outside of the scope of this definition.

The preliminary list of software categories considered to be EO-Critical:

  • Identity, credential, and access management (ICAM)
  • Operating systems, hypervisors, container environments
  • Web browsers
  • Endpoint security
  • Network control
  • Network protection
  • Network monitoring and configuration
  • Operational Monitoring and Analysis
  • Remote scanning
  • Remote access and configuration management
  • Backup/recovery and remote storage

As an extension of the focus on Operational Technology, on July 20, the Department of Homeland Security (DHS) issued a security directive requiring owners and operators of critical pipelines that transport hazardous liquids and natural gas to implement “urgently needed protections against cyber intrusions.”

In an earlier security directive in late May, immediately following the Colonial Pipeline cyber attack, the DHS began requiring US pipeline operators to conduct a cyber security assessment. The May 2021 Security Directive requires critical pipeline owners and operators to (1) report confirmed and potential cybersecurity incidents to CISA; (2) designate a Cybersecurity Coordinator to be available 24 hours a day, seven days a week; (3) review current practices; and, (4) identify any gaps and related remediation measures to address cyber-related risks and report the results to TSA and CISA within 30 days.

These are all the right steps toward improving the Nation’s Cybersecurity. We are eager to extend the work we already have underway with many federal agencies and organizations that need to protect their Operational Technology. With the Ordr platform, our focus is on visibility and security for cyber resilience:

  • Continuous visibility into all devices and their vulnerabilities (IT, IoT, and OT):

Ordr can help you identify what assets are in your environment. This allows you to examine your entire business process when calculating risk. It is important not to overlook what seem to be simple IT or IoT systems or processes, like shipping, logistics, or billing. Those systems are as critical to production, processing, and delivery as any refinery equipment or manufacturing sensors.

  • Intelligent insights into how devices are behaving:

We detect known threats via our integrated threat detection engine to identify exploits, active threats and attacker lateral movement tools. We also use machine learning to baseline and map exactly how every device is behaving and what it is communicating with. This is critical to surface unknown threats and anomalous communications, particularly when attackers have already infiltrated your network. Ultimately, we have to examine cyber resilience through a full-spectrum understanding of the flow of device communications (transactions and data), with the same rigor we apply to understanding the flow of oil or a manufacturing process.

  • Automated policies on existing infrastructure:

The most critical function during an attack on OT environments is cybersecurity resilience: how quickly you can respond to an attack and continue business operations. Ordr not only tells you what device is being compromised, where it’s located, what it is doing and who it is communicating with, we also dynamically generate the policies to mitigate threats on your security and networking infrastructure. We can automate the creation of NGFW policies, ACL blocks, quarantine VLAN assignment, port shutdown, or session termination with one click of a button, enforced on existing switches, wireless controllers, and firewalls, or via NAC platforms.

Our work doesn’t stop in the United States. As a global leader in IoT, IoMT and OT security, we are proactively sharing best practices, as well as lessons learned, with nations around the world. The US is not alone in its struggle against threat actors that wish to do it harm. This is highlighted by recent events in Germany, Canada, Australia and the United Kingdom, as well as in many other nations and industries. We are doing our part to make the giant leap towards a better and safer future.

Set up a time with us to start the process today and you’ll be able to see what connected devices are on your network in minutes.