Cybersecurity attacks are an ever present concern—a hydra that spawns new heads after each known head is vanquished. One of those newly spawned nightmares is trying to protect Internet of Things (IoT), Internet of Medical Things (IoMT), and Operational Technology (OT) devices as they become network enabled and part of the bigger cybersecurity picture. This is something that traditional cybersecurity tools aren’t built to handle.

These devices are used in many industries—healthcare, financial services, transportation, manufacturing, and education, just to name a few. IoT, IoMT, and OT devices, as well as traditional systems and resources, must be protected by a thorough plan. The National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) helps your organization build a solution customized to fit your business and needs.

What is the NIST Cybersecurity Framework?

The NIST Cybersecurity Framework is a technology neutral security structure built upon cutting-edge global standards, existing guidelines, and developed practices that is capable of evolving to meet business requirements and keep up with technological advancement. The NIST Cybersecurity Framework is intended as a complement to an organization’s existing cybersecurity strategy and risk management plan. It provides the means to continue with current policies and procedures, while also discovering areas of potential improvement, better means of communication, and/or increased industry alignment.

The NIST Cybersecurity Framework Core can be used by any sector with any infrastructure because it is adaptable, flexible, and based on business-driven implementation. The NIST Cybersecurity Framework is a top-ranked structural foundation on which a company can build the cybersecurity program best suited to their unique business profile.

The Core breaks the controls and practices into five service lanes to be addressed concurrently:

1. Identify (ID)
2. Protect (PR)
3. Detect (DE)
4. Respond (RS)
5. Recover (RC)

Importance of the NIST Cybersecurity Framework

The NIST Cybersecurity Framework is built upon tried-and-true practices, so you can apply proven solutions to real problems by leveraging the framework for guidance. It enhances compliance with industry standards and regulations, as well as helps mitigate vulnerabilities by exposing previously unseen risk.

The framework also aids with zeroing in on a company’s true risks, increasing both efficiency and resource management. In addition, the NIST Cybersecurity Framework (CSF) refines asset management to ensure the company maintains accurate inventory.

While security teams understand the threat landscape and cybersecurity needs, stakeholders and other company teams don’t have this detailed understanding. NIST CSF bridges the gap between IT and business departments by laying a reasonable path that focuses on specific outcomes. The framework enhances conversations with these groups and helps explain why certain actions and resources are necessary to achieve a fully mature cybersecurity solution.

The five core functions of the NIST Cybersecurity Framework allow for a company to start at any point. Whether your company is using cutting edge cybertech or relying on legacy systems, there are benefits to be reaped by employing the framework.

When applying NIST CSF, a practitioner should leverage the framework against a controlset outlined by the NIST publication they are attempting to adhere to. For example, 800-53 rev5 (Security and Privacy Controls for Information Systems and Organizations) are often used as the core set of standards for healthcare organizations as it helps in protection of personally identifiable information (PII). The control spreadsheet outlines a list of controls or control enhancements outlined by the control text column (that is to say, ‘do i have this control?’). Often controls are satisfied by technologies you have or need to have in your environment. A solution such as Ordr could help meet the requirements of CM-8 (System Component Inventory) and satisfy PM-5 (System Inventory) requirements. These controls speak directly to the framework.

Let’s take an example for 800-53 mapped to the CSF for ID.AM-1: Physical devices and systems within the organization are inventoried. To satisfy this functional category and subcategory you need controls CM-8 and PM-5. As you see, to satisfy the CSF you need to first decide what publication you would like to adhere to. 800-53 is popular but others may be relevant to your organization  and contain similar control maps.

The NIST Cybersecurity Framework Core Elements

The Core framework divides security activities into five high-level functions that include Identify, Protect, Detect, Respond, and Recover. As a whole, these functions provide a company with the means of managing risks by organizing all pertinent information, addressing potential threats, and continuously learning from previous ventures.

1. Identify (ID)

Identify is the NIST Cybersecurity Framework function that brings together business context, critical support functions and resources, and risk management. The goal of Identify is to define the critical business landscape for your organization so adequate protection can be implemented around it. Organizations should also consider all processes, procedures, and policies that revolve around the organization’s compliance regulation, legal considerations, risk factors, operational requirements, and environment.

This includes the following recommended tasks:

• Establish Asset Management policies and procedures, and identify all physical devices, systems, software platforms, and applications that are IT assets, including their criticality where possible.
• Establish an organization-wide security policy, and address cybersecurity issues/risks via governance and risk management policies and procedures.
• Determine the legal requirements and regulations to be enforced, including privacy requirements or civil liberties, and develop a method for the management of such.
• Identify and document any asset vulnerabilities, and utilize vulnerability and threat information available from information sharing forums and sources.
• Determine and document potential threats from both internal and external threat actors and evaluate threats, vulnerabilities, probabilities, and impacts to determine risks.
• Identify how the organization supports the business environment, including any supply chain roles or critical infrastructure implications.
• Identify constraints, priorities, assumptions, and risk tolerances to develop a supply chain risk management strategy.

Your organization should employ a platform that allows for passive discovery with in-depth details, agentless software tracking, and data flow monitoring. Ideally, this includes support of connected devices such as IoT, IoMT, and OT devices. This platform will be capable of providing relevant information to assist the risk management process, such as risk scores per device. The platform also should be able to identify and manage devices and/or communications that involve regulated data, such as payment card industry (PCI) data or medical information protected by HIPAA such as protected health information (PHI).

Consider a solution that can monitor incidents and risk for both traditional devices and IoT devices. The solution should be able to detect anomalies and network intrusions, as well as bad URL/site connections, with detailed trend analysis. A platform such as Ordr also provides a risk score to assist with prioritization, and should be capable of both scheduled and ad-hoc reporting.

2. Protect (PR)

The Protect function is about safeguarding to prevent, limit, or contain any impacts from potential cybersecurity incidents. It’s a crucial piece of ensuring the continued delivery of vital services.

This includes the following tasks:

• Manage both credentials and identities for authorized users and devices.
• Manage remote access.
• Use separation of duties and the principle of least privilege to help develop a robust method of access management.
• Protect network integrity, including network segregation where warranted.
• Protect data-at-rest.
• Formally manage assets in the transfer, removal, and disposition stages.
• Implement protections against data leaks.
• Keep the production environment separate from testing and development environments.
• Create and maintain a baseline configuration of IT/OT control systems.
• Implement a system development life cycle (SDLC) to manage systems.
• Develop and implement a vulnerability management plan.
• Control access to assets and systems while keeping in mind the least functionality principle.
• Protect both control networks in communications.
• A key piece of implementing Protective Technology is using a system that can restrict access to IoT and OT devices. Ordr’s offering is capable of tracking said devices and the communication patterns of each system.

A good solution should employ artificial intelligence (AI) that can establish baseline communication behavior and transform the baseline into security policies that are device specific, such as limiting traffic to only approved systems to reduce the IoT/IoMT/OT attack surface. As an example, microsegmentation policy can be created to limit IoT/IoMT/OT device communications such as restricting external communications as well as communications with internal systems not required for normal operations. A security platform such as Ordr can continuously monitor all communication and detect devices trying to connect to malicious sites, unauthorized networks, or receive malicious communications. Such a solution  also provides domain separation between environments by creating and enforcing microsegmentation policy. Choose a solution that can track an asset’s SDLC as it relates to cybersecurity.

Another capability to look for in a solution is the ability to integrate security intel feeds as well as integration with a vulnerability management platform. Security intel feeds provide insights into known vulnerabilities and associated risk with the ability to identify impact to your environment. Vulnerability management capabilities will help to ensure that remediation and mitigation tasks can be coordinated and tracked across teams as you look to reduce or eliminate risk. Ordr’s offering is capable of integrating security intel feed data to identify connected devices with known vulnerabilities. The solution also provides native vulnerability management capabilities as well as the ability to integrate with other 3rd party vulnerability management tools.

3. Detect (DE)

Detect is the section of the NIST Cybersecurity Framework that focuses on the development and implementation of capabilities, tasks, and activities required to identify incidents precipitated by a cybersecurity event. This functionality enables the organization to discover cybersecurity incidents quickly and efficiently.

Consider these tasks:

• Establish a baseline of network operations and expected data patterns for systems and users and ensure it stays maintained.
• Analyze all detected events to understand attack methods and intended targets.
• Aggregate and correlate event data from multiple sensors and sources.
• Determine the impact of events.
• Establish incident alert thresholds.
• Monitor the network to detect any potential cybersecurity events.
• Monitor the physical environment to detect potential cybersecurity incidents.
• Use monitoring to detect unauthorized connections, software, devices, or personnel.
• Perform vulnerability scans.
• Communicate event detection information to all appropriate parties.

Choose a platform that provides the ability to detect malicious activity as well as a security dashboard based on a consolidated view of events, which can be further enhanced with criticality and MITRE kill chain step data. Your organization also can benefit from a platform that can provide real-time alerts filtered by security event types so specific staff can be notified, based on the affected asset. A high-quality solution should be capable of detecting and logging device moves, adds, and changes.

Ordr continuously monitors the network and employs intrusion detection capabilities to identify known malicious attack traffic. In addition the solution creates a baseline of normal behavior for each connected device and will detect abnormal deviations. With these capabilities Ordr can identify active threats, attempts to exploit vulnerabilities, and indications of compromise. Your platform should work with security information and event management (SIEM) and IT assessment management (ITAM) products so it can seamlessly integrate with existing workflows and procedures.

4. Respond (RS)

The Respond function of the NIST Cybersecurity Framework revolves around containing the impact of a potential cybersecurity event. It includes development and implementation of necessary activities to take action once a cybersecurity event has been detected.

Such recommended tasks include:

• Develop a response planning process and ensure that it’s executed when an incident is detected.
• Contain and mitigate incidents.
• Mitigate newly identified vulnerabilities and/or document them as accepted risks.
• Develop and manage a communication plan for stakeholders, both internal and external, and law enforcement for when incidents occur.
• Determine the impact of incidents by analyzing how effective the response plan is.
• Implement any revisions to the process based on lessons learned from incidents.

Ordr takes pride in being an ideal solution, as our platform uses automation to accelerate your response to an incident with the ability to create and apply next-generation firewall (NGFW) policies, quarantine VLAN assignment, access control list blocks, session termination, and port shutdown with a single click of a button. Ordr also provides details on the physical and network location for each device in the event that a technician needs to physically remove a device from the network or apply a patch by accessing the device directly.

5. Recover (RC)

The ability to recover from an incident  needs to be both timely and effective. The quicker system restoration is performed and operations returned to normal, the less impact the cyber incident has on your organization.

The NIST Cybersecurity Framework recommends these steps:

• Execute and maintain recovery procedures and processes to facilitate system restoration.
• Improve recovery processes and planning by incorporating findings and lessons learned into future solutions.
• Coordinate all restoration tasks with both internal and external parties.

Recovery is highly dependent on the circumstances of the attack, the attack method, and the level of complexity in the findings. Ordr’s ability identify the network and physical location of a device can aid in the system restoration process by enabling staff to quickly locate a device impacted by a cyber event that may need to be updated or reimaged. Ordr can also quickly move a quarantined device back to its normal network environment once upgrades, patches, or other remediation methods have been applied.

Use Ordr to Extend the NIST Cybersecurity Framework Throughout Your Organization

The NIST Cybersecurity Framework uses five specific service lanes that should be handled concurrently. The NIST Cybersecurity Framework is highly effective and can be used by any size organization in any industry.

The Identify function determines the who, what, when, and where of the cybersecurity configuration, while the Protect function employs safeguards and protects critical assets. Once you’ve dealt with the Detect function that monitors the network and roots out trouble, the Respond function launches the policies and procedures to combat an active cybersystem attack. Finally, Recovery involves the necessary activities to bring the system back to normal.

Ordr helps organizations extend the NIST Cybersecurity Framework to cover all of your assets, including IoT/IoMT/OT devices. With Ordr, you can rapidly inventory all assets in the domain, automatically classify them based on type and function, and assess each device for risk. It analyzes device communications to learn behaviors and creates device baselines to determine what communications the device requires for normal operations. From this baseline, Ordr can detect malicious activity and create policies to quickly stop active threats and quarantine compromised devices without disrupting the device, network, or enterprise operations. Ordr also uses device baselines to proactively improve protection via microsegmentation to logically segregate devices from non-essential areas.

To learn more about how Ordr aligns to the NIST framework, download this report. 

(Updated on November 10th with new Ordr capabilities) 

On October 26th, OpenSSL Project a critical vulnerability associated with OpenSSL versions 3.0 and higher. The version released on November 1st — OpenSSL version 3.0.7 —addresses this vulnerability.

• CVE-2022-3602 is an arbitrary 4-byte stack buffer overflow that could trigger crashes or lead to remote code execution (RCE).
• CVE-2022-3786 can be exploited by attackers via malicious email addresses to trigger a denial-of-service state via a buffer overflow.

• These vulnerabilities were downgraded from critical to as high (CVSS score 8.8 from 9.0) on November 1st.

Here is what you need to know about this critical vulnerability:

What is OpenSSL? 

OpenSSL is a widely used open-source cryptography utility implemented to keep secure the web traffic exchange between a client and server. It is used to generate public and private keys, install SSL/TLS certificates, verify certificate information, and provide encryption.

Most web servers across the internet and within Intranets use SSL certificates to secure connections and the website being browsed. These certificates are traditionally generated by OpenSSL.

How concerned should we be about this vulnerability? 

OpenSSL can be misused if the vulnerable version is in use. The good news is that this vulnerability impacts a very specific version of OpenSSL and patching quickly will address any associated risks.

A flaw in OpenSSL has previously affected businesses. In April 2014, OpenSSL’s Heartbleed flaw was discovered. Numerous web servers, including those running popular websites like Yahoo, included it. Security teams rushed to apply updates because the vulnerability was simple to exploit.

How is this OpenSSL vulnerability exploited? 

Both CVE-2022-3602 and CVE-2022-3786 vulnerabilities are prone to buffer overflow attacks that can perform RCE (Remote Code Execution) or expose contents of the memory that contains private keys or proprietary information.

The chances of these vulnerabilities getting abused are low because one of the conditions is a malformed certificate signed by a trusted CA.

The issue lies in the verification process of certificates that OpenSSL performs for certificate-based authentication. The exploitation of the vulnerabilities could allow an attacker to launch a Denial of Service (DoS) or even a Remote Code Execution attack.

Patches for the two weaknesses found in OpenSSL v3.0.0 to v3.06 have now been released.

Which OpenSSL versions are vulnerable? 

• OpenSSL versions 3.0 and above are vulnerable.
• OpenSSL 3.0.0, the first stable version of OpenSSL 3.0, was released in September 2021, about one year ago. Any older operating systems prior to 3.0.0 are not impacted by this vulnerability.
• Open SSL version 3.0.0 to 3.0.6 are affected by this vulnerability.
• OpenSSL version 3.0.7 includes the fix for the critical vulnerability.

CRITICAL Severity: This affects common configurations, which are also likely to be exploitable. Among these are significant disclosures of server memory (potentially revealing user information), vulnerabilities that are easily exploitable to compromise server private keys remotely, or situations where remote code execution is possible. We will keep these issues private and release a new version of all supported versions as soon as possible.

HIGH Severity: This includes issues that are of a lower risk than critical, perhaps due to affecting fewer common configurations or which are less likely to be exploitable. These issues will be kept private and will trigger a new release of all supported versions. We will attempt to keep the time these issues are private to a minimum; our aim would be no longer than a month, where this is something under our control.

Is the Ordr platform impacted by the OpenSSL vulnerability?   

Ordr has reviewed our usage of OpenSSL. This vulnerability does not impact Ordr as we do not use the impacted version.

How Ordr can help? 

Ordr has added two new capabilities:

1. A new scanner that will detect versions of the OpenSSL that are vulnerable.

2. New IPS signatures that can detect exploits of this OpenSSL vulnerability

New Ordr Scanner to Detect Vulnerable Versions of OpenSSL  

• Ordr scanner uses the following command-line Options:

• As servers have an open HTTP port; A curl command is used to connect to them to find the SSL version
• In cases where clients do not usually have web services, the “ssh” command can be used instead.
• As for a detection method, we use HTTPS headers, SSH headers, and credentialed scans to get the information.

• Some scanners use only authenticated approach that requires full credentials, but Ordr uses an unauthenticated way to get information about Open SSL versions.
• Ordr scanner also uses tools like Nmap to find open ports as a precursor before finding out about the OpenSSL version.
• Example screenshots of detecting Open SSL that is built into the Ordr scanner.

Sample SSL command 

Sample SSH command

Packet Parser with IDS Signatures to Detect Exploit Attempts

• While the Ordr scanner detects all the machines that have this vulnerability, the next step is to see if any exploits are exploting this vulnerability.
• There is a parser on the wire that we need to enhance with rules to get versions of TLS, certs, and cryptography.
• Ordr has an intrusion detection engine that scans for exploits of this vulnerability with the correct signatures. For example, given below is a signature that would help identify the exploit of this vulnerability.
• CVS-2022-3602 Detection – Detection of this pattern was done using IDS Signatures.
• A buffer overflow can be triggered by sending an X.509 certificate with a specially crafted email address in the “id-on-SmtpUTF8Mailbox” field (OID 1.3.6.1.5.5.7.8.9), resulting in a crash (Denial of Service – DoS) or potentially remote code execution on a vulnerable client or server. Potential opportunities for exploitation can occur if a server requests authentication information after a malicious client connects or if a client connects to a malicious server, which would then make the client vulnerable.
• “OpenSSL x509 crafted email address buffer overflow attempt” is detected with the following signature.
• In the event that there is a malicious activity involving OpenSSL, Ordr has pushed the latest signature to all its customers, and the alarms will be raised.

As the war in Ukraine broke out in late Feb, security teams around the globe took notice. Russia has long been a focus in the fight against cybercrime, and their aggression raised concerns to new levels with fears that cyberattacks could increase with a focus on the US and other western countries. On March 21, 2022, President Biden confirmed the rising concerns with a statement warning of a potential increase in Russian cyber activity targeting the US, allies, and partners. As organizations across the globe were taking steps to improve cyber defenses, we heard from many of our customers asking what Ordr could do to help improve security, threat prevention, and the ability to monitor their environments. A primary requirement was the ability to identify devices in their environments that had communications with potentially malicious Russian sites.

By continuously analyzing network data, Ordr uncovers all connected device communications within an organization as well as communications to external sites. We also assess the risk for these communications and provide that insight to every customer in our UI. To make these insights a little easier to access, we created a focused report that our customers could run to get a quick view of the exact flow level details of medical devices communicating with Russian sites and assess the risk. You can learn more about the report in this video:

While our customers could collect some of this data from various tools across their environment, only Ordr combines communication insights with device context.  This triangulation methodology from multiple sources helps them understand the risk of communication and provides them with the details needed to pinpoint the device at risk and quickly craft the proper response to eliminate the threat.

Helping Everyone Understand the Risk

Ordr’s continuous analysis of network data and the report highlighting communications to Russia is available to all Ordr customers, providing necessary details to help them understand and quickly respond to potential threats. We also wanted to share our insights beyond Ordr’s customers to help others understand the potential risk to their environment.

The threats uncovered below focus on medical devices; however, these threats are not limited to just medical devices or the healthcare industry. Attackers target connected devices in all industries, including manufacturing, financial services, retail, and utilities. Attacks not only target medical devices but also operational technology (OT) devices such as HVAC systems, elevator controls, and connected cameras that are common across all industries. Many of these devices are critical to business operations even if it seems there is no direct connection, and a successful breach could have a significant impact. For example, an attack that takes an HVAC system offline could create unsafe conditions in the emergency ward and hamper patient care.

Before getting into the details of our findings, here’s an extremely brief overview of how Ordr works and some of the details we uncover for each device:

Device Insights Provided by Ordr

Ordr analyzes data collected from multiple points in the network to discover every connected device.  We also uncover details to accurately classify every device and identify devices with vulnerabilities and potential threats. With our approach to collecting and analyzing network data we provide granular device insights without the need for agents or scanning and no impact on device operations.

Ordr insights help customers understand the exact devices connected in their environment, how those devices fit into the organization, and their potential risk. Ordr device details include:

• MAC Address – Important detail but identifying a device by its MAC alone can be limiting and misleading.
• IP Address – Since IP addresses can change, Ordr provides a historical view of a device’s IP addresses.
• Operating System – Helps to identify devices running an outdated or unpatched OS.
• Device Profile – Includes the manufacturer and model.
• Device Group – How the organization has grouped the device and its role in the environment (e.g., medical, mobile, office equipment, facilities).
• Device Type – Details including exact model number and firmware version to understand specific threats that may impact the device.
• Device Category – The type of device (e.g., CT scanner, infusion pump, patient monitor)
• Device Location – The exact physical and network location including the switch/port or access point/SSID the device connects to.

Communication Insights Provided by Ordr

Ordr also uncovers internal and external communication insights for each device by analyzing network data. This post focuses specifically with devices communicating with Russian sites but could also be used to identify communications with other restricted or high-risk countries. Ordr insights specific to devices communicating with external sites include:

• Destination IP – IP address of the site communicated with.
• Destination Domain Name – Domain name of the site communicated to.
• Destination City – Approximation of the site’s city. NOTE: Obfuscation techniques will impact accuracy (e.g., The Onion Router (Tor), VPN, etc.).
• URL – Complete the URL of the communication.
• URL Category – Category of the site (e.g., gaming, shopping, advertising, government, military, etc.).
• Reputation score 1 – URL reputation derived from a leading threat feed.
• Reputation score 2 – URL reputation derived from another leading threat feed.
• Receive Bytes – Number of bytes received by devices from the site.
• Transmit Bytes – Number of bytes transmitted to the site from devices.
• Last Activity – Timestamp of the last activity from devices to or from the site.
• Incident Type – Classification of the destination site (e.g., malicious URL, SPAM URL, etc.).
• Incident Score – Determined by aggregating multiple factors of device communications
• Aggregate Score – Determined by aggregating multiple factors of a device and its communications (e.g., vulnerabilities based on OS version, east-west communication analyzed using IDS signatures, external communication with malicious websites, etc.).
• Risk State – Overall assessment of device risk and potential impact to the organization (i.e., Critical, High, Medium, Low).

Ordr Analysis and Findings

For the insights that follow, the Ordr platform performed deep analysis on data aggregated and anonymized from 50 large health care chains, each consisting of multiple hospitals. The details below focus on medical devices used in healthcare settings such as infusion pumps, patient monitors, EEG/ECG, MRI/CT scanners, X-Rays, ultrasounds, medical gateways, medical workstations running medical apps, medical servers used to process and store patient data, and other connected device in the clinical setting delivering patient care. As mentioned previously, these threats are not limited to healthcare devices or the healthcare industry.

The goal of this analysis is to shed light on the potential threats so that organizations across all industries can be better prepared and take proper steps to secure their environments.

NOTE ON METHODOLOGY

• All data was aggregated and anonymized before analysis. None of the following details pertain to a specific customer, manufacturer, or device.
• Network Time Protocol (NTP) is a required service, and some devices may have legitimate reasons to communicate with Russian hosted NTP servers. Communications to Russian NTP sites have been removed from this analysis.

Top Russian Domains by Traffic

The first analysis highlights Russian domains that were identified for sustaining the highest levels of traffic into and out of the organizations we analyzed. While these domains may look somewhat benign, each may have the potential to be used to distribute malware or perform other malicious activities. Many of these sites are known to generate intrusive online ads and collect personal information. Device communications to any of these domains should be scrutinized to determine if communication is required and expected.

• *.yandex.ru
• *.ssp.rambler.ru
• ssp.adriver.ru
• sm.rtb.mts.ru
• *.rutarget.ru
• counter.yadro.ru

Devices Communicating with the Largest Number of URLs

The next analysis identifies device types that have communications with the largest number of Russian URLs. Many of these devices perform critical functions in healthcare environments and we can infer these types of devices are top targets for attackers.

Devices Communicating with the Smallest Number of URLs

The following medical device types have communications with the least number of Russian URLs compared the devices listed above. Like the devices above, many of these devices provide critical functions in healthcare environments and although they communicate with fewer Russian URLs, this activity should still be scrutinized to determine if communications are required and expected.

• Video Digitizer Recorder
• Coagulation Meter
• Perimetry System
• Blood Gas Analyzer
• Radio Fluoroscopy
• Surgical System
• X-ray Volume Imaging
• MR Image Analysis System
• Mobile X-ray System
• Molecular Diagnostics System
• ECG
• Anesthesia Cart
• Hematology Analyzer
• Digital Radiography System
• EEG
• PET/CT System
• Computed Tomography
• PET Scanner
• Patient Monitoring
• Mammography
• MRI Analyzer
• Dental X-ray System
• X-ray System
• SPECT System

Devices with the Most Received Data on a per Device Basis

Focus using our analysis on individual devices, the following details highlight the device types with the most amount of data received from Russian sites per device. Even if outbound communication is blocked by a firewall, the fact that these devices are receiving this volume of data from Russian sites should be of concern, and communication should be scrutinized to determine if communications are required and expected.

Device Category (Received bytes per device)

• CT Scanner  (700K)
• Infusion Pump  (160k)
• Medical Workstations (95K)
• X-Ray (47K)
• CT Scanner (21K)
• Hematology (19K)
• PACS (22K)
• Radiotherapy (7K)
• Ultrasound (5K)

Device Categories with the Most Received Data

Since a single organization may have multiple units of each device, we aggregated and analyzed device data to highlight the device categories with the most amount of data received from Russian sites. As with the other categories these devices provide critical functions in healthcare environments.

• EEG Workstation
• Ultrasound Image Management
• Infusion Pump
• Glucose Monitor
• Medical Workstation
• EHR Workstation
• PACS Workstation

Device Categories with the Most Transmitted Data

Since a single organization may have multiple units of each device, we aggregated and analyzed device data to highlight the device categories with the most amount of data transmitted to Russian sites. These devices provide critical functions in healthcare environments and are also found in the list above, highlighting device categories receiving the most data from Russian sites.

• Ultrasound Image Management
• EHR Workstation
• Medical Workstation
• PACS Workstation
• EEG Workstation
• Infusion Pump

Categories of Sites Communicating the Most with Medical Devices

Looking at the types of Russian sites communicating with the device data we analyzed, the following shows the distribution of site categories communicating with medical devices. As with the Top Russian Domains by Traffic analysis above, many of these categories may look benign; however, each may have the potential to be used to distribute malware or perform other malicious activities.

Device Types and Reputation Score of Sites

Looking at the reputation score of destination URLs, the following chart highlights device types and the reputation of the Russian sites they communicate with. Sites with a low reputation score (e.g., 10) are determined to be very suspicious with a high probability of being malicious. As an example, these sites could host a Command and Control (C&C) server and a connection could be used to download malware such as ransomware to a device and orchestrate the spread across an environment.

Malicious Russian Site Example

The site counter.yadro.ru is a known malicious site advertisement that has had several reports in the past of downloading malware. The following device types analyzed had frequent transactions with this site.

• Patient Monitor
• PACS Workstation
• EEG Workstation
• Blood Analyzer

Here is a list of the offenders by device type with the number of URLs they are reaching out to.

Cities With the Most Communications

The following analysis highlights the top Russian cities with the most traffic to and from the devices we analyzed. Since attackers commonly use techniques to obscure their details, it is not always easy to determine the exact location of malicious activity. However, by analyzing the site IP address, it can be possible to provide insight and an approximation of the potential location.

Protecting Your Environment

Identifying potentially malicious activity and understanding risk is a critical first step to protecting any environment. Ordr customers regularly generate and review their detailed reports showing devices in their environment that have communicated with Russian sites. That report not only identifies these communications but also provides detailed analysis to help customers understand and address the potential risk in their environments.

Ordr also helps customers eliminate risk by dynamically generating policies for enforcement across their existing security and network infrastructure. Ordr has Integrations with leading firewall vendors and can automatically push policies to limit the sites with which devices are allowed to communicate. Examples might be manufacturer maintenance, software update, and services such as image enhancements for medical imaging.

If a device is already infected and spreading malware, Ordr can quickly push policies to switches or wireless controllers to isolate them and stop the spread of the attack. Ordr can also push proactive zero-trust policies to switches or wireless controllers, allowing only a pre-determined set of devices and flows to and from any medical device.

If you want to learn more about the Ordr solution, the insights we provide to uncover the risk of Russian communications, and how you can improve the security for your connected devices, reach out for a personalized demo.

Today Ordr announced our Series C funding; another injection of capital that allows us to continue investing in our company and build it to last. On this occasion, I can’t help but look back and reflect on a journey that began in 2015 when Sheausong Yang and I–the founding team–had a vision to build a security platform that would give organizations the ability to see and secure every connected device in their network.

Our idea was new then, and it wasn’t easy getting people to understand the problem at first. Even as organizations were increasingly adding unmanaged connected devices to enterprise IT environments, there was confusion over what was classified as internet of things (IoT) or operational technology (OT). Many organizations we encountered thought we were talking about consumer technologies, like then-new smart speakers, and not the millions of medical devices, industrial controls, building management systems, and other equipment like surveillance cameras, phones, printers and vending machines that were often connecting simultaneously to enterprise networks and the public internet.

The Entrepreneur’s Dream

Because an entrepreneur’s journey is hard, often with ups and downs, it’s important to find partners who believe in the vision, the team, and are willing to give the support needed to work things out and solve big problems. We were fortunate to find such a believer in Peter Wagner, founding partner at Wing Venture Capital. Peter believed in the Ordr founding team and our ability to design the right solution to the problem. We also trusted Peter as a partner in our journey. Dominic Orr, former president of Aruba Networks; Pankaj Patel, former executive vice president and chief development officer at Cisco Systems; Dan Warmenhoven, former CEO of NetApp; and Prakash Bhalerao, veteran chief executive and angel investor also became believers in our vision and invested in our seed round as well.

What was not well-known when we started, but something that Peter, Dominic, Pankaj, Dan, and Prakash grasped, was how difficult it was to discover and secure IoT devices in enterprise environments. In fact, it was nearly impossible. These devices were often connected and unmanaged, operating outside the view of IT management and security tools, and given the proliferation rate at which they were connecting, the problem was getting worse. A specialized security solution was needed, and so we set out to build one. At the same time, the industry needed education about the unique threats to connected devices, and we were competing for attention in the cybersecurity space with hundreds of companies, each claiming to have something new and better, even if only a few really did.

A Foundation of Data

Every strong structure starts with a solid foundation. Our approach to connected device security would be built on data and analytics. Specifically, building a massive data lake populated with the details of as many device types as possible, and using behavioral analytics to build security models for each. Achieving our vision required studying breaches to understand their characteristics and communication patterns, and continuously comparing what we learned with the typical behavior of every single device in the network. Employing behavioral analytics was the only way to monitor complex communication patterns and adapt to the ever-changing strategies of threat actors.

Artificial intelligence (AI) and machine learning (ML) require massive amounts of data to solve hard problems. Rather than rely on second-order metadata, the Ordr Data Lake would be populated with accurate, correlated device details collected directly from the source. This was no easy task. You need to have grit, and shortcuts taken at this stage will haunt you throughout the lifetime of the product. We knew once we had the data we could harness it to solve hard problems, take on the challenges ahead, and build a platform for connected device security.

Fast forward to 2022 and the Ordr Data Lake has millions of device profiles; a number that grows as new devices are released and connected to environments across the globe. To enrich our data lake with new details and insights, we do a full, real-time packet capture across our customers’ environments to feed our platform with an accurate and continuous input of every connection, every flow, and every change. Analysis of that data is real-time too. It has to be. When someone asks for the current weather, it does no good to give the temperature from earlier in the day. Real-time analysis is critical in security and provides a precise assessment so accurate decisions can be made. In security, the game is rapid detection and remediation; guesswork is unacceptable.

Innovative Approaches to Problem Solving

Other key innovations have been part of the evolution of our platform. Data correlation, normalization, compression and organization is critical to storing and harnessing the massive amounts of data we collect and analyze without requiring hundreds of servers and zettabytes of disk storage. For those who are counting, one zettabyte is one billion terabytes. Thanks to our intelligent data compression, we can secure an entire large-scale hospital with just a few servers as our analytics backend. For context, the average hospital maintains an inventory of more than 100,000 total devices of which at least 10-15 thousand are in clinical care as internet of medical things (IoMT) devices, as well as IoT and OT associated with administration, communications, facilities management, and other essential functions–not to mention all the stranger things that find their way onto enterprise networks.

Behavior-based identity analytics is another key innovation for Ordr, and is used to establish multifactor authentication on agentless, unmanaged devices. Triangulation of factors such as a device’s OS vulnerabilities, communication patterns across the enterprise, communications patterns to external sites, and the reputation score of destination sites, are all analyzed to minimize false-positives and ensure a high level of confidence when unique indicators of compromise (IOC) are identified.

Countless hours of hard work, determination, and creativity were behind the effort that turned our vision into a proof-of-concept, and then, a working product. From that point, our vision, the strength of our team, and the potential of our technology helped us secure Series A funding, led by Alex Doll of Ten Eleven Ventures and joined by Unusual Ventures. With Series A we were able to build our team, establish our brand, and go to market. After Series B, led by Dharmesh Thakkar of Battery Ventures, and with investments from Kaiser Permanente Ventures and Mayo Clinic, Ordr was established as a force in healthcare and positioned for expansion into other verticals, like manufacturing, financial services, smart cities, and government. At this point, we began expanding into visibility and security for every connected device. To secure any device, you need visibility into every device in the network.

Flexibility in the Face of the Unexpected

When the pandemic struck in early 2020, the strength, resilience, and flexibility of our company were put to the test. The growth of nearly every organization was impacted at this time, but our healthcare customers in particular faced tremendous challenges. We stepped up to explore new ways to deliver value with our platform. Leveraging our core discovery and analytics capabilities, our customers found value in the ability to locate existing device inventory and understand real-time device utilization.

As an example, the Ordr platform enabled customers to keep track of critical devices such as ventilators, ensuring they were deployed to maximal efficiency to deal with the surge of COVID patients. Not only did the Ordr platform keep hospitals safe during this time, it also helped them run efficiently, ensuring they could continue to deliver critical healthcare services. That built goodwill and, when the pandemic eased, our customers adopted our platform enterprise-wide and recommended us to their peers in the industry. It was a key moment for the growth of our business.

Building an Unrivaled Franchise

As the world slowly returns to some semblance of normalcy, our Series C funding sets us up for our next phase of expansion on our journey to build an unrivaled security franchise. The Ordr Data Lake is growing rapidly, and now includes millions of device profiles, helping us to discover, identify, and classify every device in a customer’s environment with accurate, granular detail.

Within minutes of deploying Ordr in an environment, the data we analyze populates our UI with every connected device discovered, classifying each by manufacturer and model. Each device includes a picture for easy identification, along with a detailed description of attributes that include the device’s OS, vulnerabilities, connectivity details, flow data, applications installed, and logged users. Visualization in our platform is world-class and gets raves from our customers thanks to the tremendous “design thinking” effort we put into our UI/UX to achieve excellent aesthetics in support of usability.

On top of that, we add data and insights from a wide variety of enterprise tools to enrich our analysis. With more than 70 integrations, our data lake quickly provides accurate context for the operational status, as well as security posture, of every device in an organization.

Fast, Accurate, Dynamic, Automatic

Another critical strength of the Ordr platform is its ability to identify and respond to active attacks, including zero-day threats, and enable teams to stop them quickly with automation and orchestration. To get to “zero-day” attack detection requires behavioral baselines–something that must be done within minutes–to identify unique, malicious, abnormal behaviors. Since most connected devices operate within narrow behavioral parameters, our extensive data lake allows us to detect IOCs with a high degree of speed and accuracy.

Once malicious activity is identified, we leverage our deep knowledge of each device and its exact connectivity under normal operations to dynamically generate zero trust policies to isolate any misbehaving, potentially compromised device. These policies can be reviewed by security teams and, with a single click in our UI, policies are enforced with existing security and network infrastructure. With Ordr, response times are reduced from hours or days down to minutes to stop the spread of an attack. No other connected device security solution provides a complete map of all the devices, their connectivity in the enterprise, and their flow level context in real time, 24×7. We achieved this by building interfaces with every single network infrastructure vendor out there–a daunting task indeed.

The Next Chapter

From the start, our mission has been to help enterprise organizations see, know, and secure every connected device everywhere. We continue to innovate to deliver on that mission and provide our customers and partners with the most accurate, complete, and easy to consume device knowledgebase on the planet with meticulous device classifying, profiling, and cataloging.

What’s more, all of our data is available to partners through open APIs. In fact, Ordr is the only platform that has complete device intelligence that includes network and flow-level context with deep accuracy. Today, Ordr is well-positioned to be the supplier of choice of device intelligence to evolving Open XDR frameworks, providing open-source data to enable the correlation of information and delivery of the best possible service to the customers.

There are many more innovations and opportunities ahead for Ordr. With our world-class investors, dynamic board of directors, experienced management team, and passionate employees, we look ahead with laser focus to meeting the needs of our customers and helping them see, know, and secure every connected device that is critical to their business. Stay tuned, we’re off to write the industry’s next chapter on connected device security–and beyond.

Protecting data from cyber attacks has only grown more complicated over the years: the number of cyber crimes committed per year has massively grown. In 2021, the number of security breaches reached 1,862. How do organizations prevent the risk of cyber attack? 

Many countries and industries have devised their own sets of cybersecurity best practices for organizations to follow to manage that risk. These frameworks consist of assessment, monitoring, preventative, and response activities to help security teams identify and resolve current issues and constantly scan for new threats. In some cases, these frameworks have even been signed into law.

In this article, you’ll learn what those cybersecurity frameworks are, how they are categorized, and determine which of the most common frameworks might help your organization achieve its security goals.

What are cybersecurity frameworks?

Cybersecurity frameworks are systems and standards that guide security programs and help leaders mitigate cyber risks in their organizations. These frameworks act as a shared language across regions and industries, allowing consumers and businesses to make informed decisions about the companies they place their trust in. No matter the industry, organizations that adopt cyber security frameworks have committed to maintaining a high degree of security around the data they gather and store, as well as the services they provide. Likewise, when a threat arises, they should have a clear plan to take action.

In many cases, implementing certain cybersecurity frameworks is necessary to comply with state, national, and international regulations. Abiding by accepted frameworks shows that organizations are taking concrete steps to decrease their exposure to vulnerabilities that hackers can exploit on their networks, applications, or devices. In practice, cybersecurity frameworks can take on several different forms.

Types of cybersecurity frameworks

There are three types of cybersecurity frameworks distinguished by their function:

Control frameworks

Control frameworks are foundational security strategies. They help teams:

• Evaluate the current state of their overall tech stack (including devices, networks, and applications)
• Create a baseline set of controls
• Plan and prioritize other control implementation

Program frameworks

Program frameworks strengthen an organization’s overarching security practices by:

• Establishing a comprehensive security program
• Continuously assessing the efficacy of that program
• Streamlining communication between the security team and business leaders

Risk frameworks

As the name implies, risk frameworks are designed specifically to minimize risks. They include:

• Processes to help security teams manage existing risk and improve security posture
• Steps to identify and quantify risk
• Methods to triage and implement new security measures

Together, control, program, and risk frameworks serve as a comprehensive barrier — not only to current cyber threats but risks that may arise in the future as well.

8 Cybersecurity framework examples

Since there isn’t any one “right” framework to follow, implementing cybersecurity frameworks can be daunting. Let’s explore eight of the most common frameworks to give you inspiration for the types of frameworks that could fit your organization’s security goals.

1. The NIST Cybersecurity Framework

The NIST Framework for Improving Critical Infrastructure Cybersecurity, known as the “NIST Cybersecurity Framework,” or “NIST CSF” was created to safeguard commercial, energy, and defense utilities. However, its core principles can help any organization follow the basic pattern of cyber defense: identify, protect, detect, respond, and recover.

The NIST framework consists of a series of steps to protect an organization’s data (in transit and at rest), detect risks, respond to threats, and recover assets if needed. It also prompts security teams to conduct root cause analysis of any vulnerabilities they uncover in the process. Originally, the NIST framework was designed to cover traditional IT-managed systems. But organizations are applying the NIST framework to any IoT, IoMT, OT or other connected devices under their purview.

While NIST compliance is voluntary, it’s required for any organization doing business with federal government agencies. For that reason, many enterprise-level organizations in the U.S. have adopted the NIST framework in conjunction with the Cybersecurity Enhancement Act of 2014.

2. The Center for Internet Security (CIS) Critical Security Controls

The Center for Internet Security (CIS) Critical Security Controls framework is best for organizations wanting to ease into a cybersecurity framework. The 20 CIS controls are constantly updated by volunteer experts who hold various industrial, academic, and government roles. Controls are divided into three groups: basics, foundational, and organizational. Security teams should implement the basics first and then move on to the foundational and organizational controls.

CIS also has benchmarks that work in conjunction with its controls. They are set according to other existing standards like NIST or HIPAA, and are split into two levels: security essentials that don’t affect performance, and advanced protocols that may affect performance. Again, this distinction enables security teams to break up their work into more manageable chunks, getting controls implemented faster and more efficiently.

CIS frameworks are meant to calibrate IT services, products, and devices, as well as prepare organizations to tackle other, more complex and demanding frameworks. 

3. The International Standards Organization (ISO) frameworks ISO/IEC 27001 and 27002

International Standards Organization (ISO) frameworks are international standards for cybersecurity. As part of the 27K ISO framework, organizations must design and implement an information security (InfoSec) management program dedicated to mitigating identified threats and patching vulnerabilities.

27001 and 27002 ISO frameworks are notoriously demanding. They have over 100 coherent and comprehensive controls that organizations struggle to follow without an ongoing risk management process.

But many organizations need to adopt at least ISO 27001 for legal reasons. To be considered ISO 27001-compliant, organizations must demonstrate that they adhere to the “PDCA Cycle” to an external auditor. The PDCA Cycle is a business management method that focuses on four steps: Plan, Do, Check, and Act:

• Plan – objectives, processes, and procedures for risk management
• Do – implementing InfoSec policies

• Check – regularly evaluating and updating InfoSec policies relative to performance and emerging InfoSec best practices
• Act – enhancing and adjusting InfoSec policies per internal audits

Any organization that has a financial services arm or handles particularly sensitive data, such as medical records, should consider implementing the ISO 27001 protocol. 

4. SOC 2 (Systems and Organization Controls 2)

Systems and Organization Controls 2 dictates how organizations protect their data from unauthorized access, security incidents, and other vulnerabilities. Today, most organizations store this information on the cloud, so SOC 2 was formed specifically to protect sensitive data used in cloud-based applications and connected devices.

The SOC 2 framework requires that customer data is managed and stored based on 5 Trust Services criteria:

• Security – protection against unauthorized access, disposal, modification, or disclosure of confidential data, software misuse, or any other system abuse 
• Availability – assurance that a device or software works as it’s supposed to when it’s supposed to and there are plans in place to alleviate any delays in performance 
• Processing integrity – ensures organizations communicate the way they process data to their clients and uphold their own standards
• Confidentiality – keeps confidential data encrypted and restricted
• Privacy – organizations follow Generally Accepted Privacy Principles (GAAP) to mask PII and other personal data regarding race, sexuality, religion, and health.

Unlike other frameworks, SOC 2 has some flexibility — organizations can determine attestation reports and controls on their own. These reports and controls are then distributed to and evaluated by independent CPA auditors.

While achieving SOC 2 compliance isn’t necessary, it establishes trust with service providers and their customers. Modern procurement teams often look for SOC 2 compliance when evaluating new vendors. Any B2B SaaS organization should strongly consider achieving compliance with this framework.

5. GDPR (General Data Protection Regulations)

The European Union’s GDPR is consumer and data privacy legislation, not a cybersecurity framework. However, this law requires that organizations use “appropriate technical and organizational measures” to secure processed personal data — something that applies to many organizations, especially those in the healthcare sector.

All organizations with patients in the EU must prove that they are GDPR-compliant under the accountability principle. That means they’ve instituted technical measures to adhere to the GDPR law, can explain how those measures work, and demonstrate their effectiveness whenever requested. Examples of those measures include:

• Documenting what data is kept and how long it will be stored for
• Establishing concrete security and response processes for preventing and containing data breaches
• Noting how data is originally collected and whether it can be shared with third parties

The goal of GDPR is to provide consumers with more control over how their personal data is handled and disseminated by companies, particularly in a marketing context. Putting consumers in the driver’s seat makes it more difficult for organizations to mislead consumers with deliberately confusing or vague information.

The EU takes GDPR rules very seriously and will fine organizations that fail to comply with GDPR up to 4% of their global revenue.

6. CMMC (Cybersecurity Maturity Model Certification)

The Cybersecurity Maturity Model Certification (CCMC) is a unified standard for implementing cybersecurity across defense industrial base contractors. The CMMC model was built to prevent U.S. Department of Defense (DoD) information leakage. 

Before a contractor can start any government contracts, they must pass certain CMMC certifications. Currently, this applies to over 300,000 companies in the supply chain.

There are five levels to the CMMC certification paradigm. Each reflects the reliability of a company’s cybersecurity infrastructure to safeguard sensitive government information like federal contact information and unclassified documents. Contractors must pass an audit conducted by third-party assessors to achieve each certification.

Organizations that abide by the NIST framework will be in good shape, as submitting an NIST 800-171 assessment to the DoD’s Supplier Performance Risk System is the first step in achieving CMMC certification. Post- NIST assessment, many enterprises enlist the help of an accredited third-party auditor to perform a gap analysis. They can pinpoint any major missing protocols prior to taking the full CMMC assessment.

Organizations also have a chance to remedy any issues that are spotted in a CMMC assessment 90 days after the evaluation is complete. If your organization is successful, it will be awarded a 3-year CMMC certification.

7. FISMA (Federal Information Security Management Act)

Like GDPR, FISMA is U.S. legislation that defines a framework of guidelines and standards to protect government information and operations. FISMA was signed into law in 2002 and requires compliance from state agencies that administer federal programs or organizations that hold a contract with the U.S. government. FISMA compliance is especially crucial for healthcare organizations: many patients receive care through Medicare and Medicaid programs, which are government programs that must be protected. Non-compliance with FISMA can lead to a loss of federal funding, reputational damage, and even indictment for potential government hearings.

FISMA has similar controls to the NIST framework, requiring federal contractors to:

• Track information system inventory
• Continuously categorize risk
• Design a system security plan
• Implement security controls
• Conduct risk assessments
• Achieve certification and accreditation

Organizations that work with the federal government, and even those in the private sector, should stay up to date with FISMA standards and keep a record of the ways in which they comply with the law. Data should be classified according to the level of sensitivity whenever it’s created or stored. Organizations should also take steps to encrypt that data automatically.

8. UK Cyber Essentials sections

The Cyber Essentials scheme is designed to show an organization has a minimum level of protection in cyber security through annual assessments to maintain certification. The Cyber Essentials and Cyber Essentials Plus certifications help organizations avoid weaknesses and address vulnerabilities to prevent exploits.

Both assessments are rooted in five major controls that show organizations are committed to preventing cyber crime. Those controls include:

• Firewalls
• Secure configurations
• User access control
• Malware protection
• Patch management

Organizations that want to bid for UK central government contracts must have the Cyber Essentials certification at minimum.

Get a jumpstart on your cyber security today

Cyber security is of utmost concern to all organizations: hospitals, IP-enabled manufacturing systems, and Interactive Teller Machines are collecting more data than ever before, making rock-solid security protocols a necessity — not a nice to have.

Implementing cyber security frameworks can seem daunting, especially without the right tools. Organizations need a security solution particularly designed for their unique security needs, and that’s where Ordr comes into play. Ordr makes connected device security simple through automated asset discovery, identification of vulnerabilities and risk, and dynamically created policy to improve protection.

Organizations that use Ordr get visibility into what is connected to their network in real time, allowing security teams to find and eliminate vulnerabilities proactively. Plus, Ordr can dynamically create policy to respond to active threats or proactively improve security to protect your organization, data, and patients.

Before medical device manufacturers are able to release a product to market, they are subject to Food and Drug Administration (FDA) reviews to evaluate the safety and effectiveness of these devices. Since 2014, those evaluations have included medical device security guidance, with a subsequent update in 2018. Now, with the explosive growth of connected devices used by hospitals and healthcare providers and a growing number of cyberattacks that have crippled healthcare services, the FDA recently released draft guidelines requiring that devices comprising the Internet of Medical Things (IoMT) meet more stringent cybersecurity standards.  

“Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions,” is a 45-page document that deals with security design, vulnerability disclosures, Software Bill of Materials (SBOMs), and other documentation requirements that will have to be addressed by medical device manufacturers before their new devices can gain FDA premarket approval. 

In general, this is a step in the right direction for the FDA. Security needs to be built into the design of medical devices. At the same time, because medical devices have longer lifecycles than typical IT devices, it also means that it may be a while years before new devices falling under this new guidance are deployed. Because of the risks inherent with existing medical devices, healthcare organizations need to take action to secure legacy devices now. 

What Is Included in the FDA Guidance for Medical Devices? 

New medical device applicants are advised to submit “a plan to monitor, identify, and address, as appropriate, in a reasonable time, postmarket cybersecurity vulnerabilities, and exploits.” 

 They are also asked to “design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure.” This includes making patches available “on a reasonably justified regular cycle,” and for newfound critical vulnerabilities, “as soon as possible out of cycle.” 

 Finally, manufacturers must provide the FDA with “a Software Bill of Materials,” including any open-source or other software their devices use. This is one of the new changes in the FDA guidance— a complete SBOM requirement instead a Cybersecurity Bill of Materials (CBOM), as outlined in the 2018 guidance.  

When Does This Mandate Take Effect?  

The new security requirements came into effect when the $1.7 trillion federal omnibus spending bill (the 2023 Consolidated Appropriations Act) was signed by President Joe Biden on December 29, 2022.  

Section 3305 of the spending bill — “Ensuring cybersecurity of medical devices”— is an amendment to the Federal Food, Drug, and Cosmetic Act. It took effect 90 days after the Act became law, and with its new authority, the FDA has given manufacturers six months — until Oct. 1, 2023 — to comply with the new regulations. The new law also requires the FDA to update its medical device cybersecurity guidance at least every two years. 

How Can Ordr Help with This Mandate? What About Existing Medical Devices?  

 Security of medical devices is a shared responsibility. While the FDA mandate can ensure security for a device before it is released to the market, the day-to-day management and security of devices post FDA approvals is the responsibility of healthcare providers and requires a solution like Ordr.  Ordr not only maintains an accurate device inventory and monitors devices for vulnerabilities and threats but also delivers device utilization details to optimize operations. 

 In addition, medical devices are expensive, and a complete upgrade to new devices that adhere to the new guidelines is not operationally feasible or cost effective. Ordr can ensure existing devices (pre-2022 devices) or devices with outdated operating systems in the network can be secured via Zero Trust segmentation policies to restrict access and communications to only enable access required for their role.  

 We recommend the following approach to secure every connected device. Download our Maturity Guide for connected device security for more details:   

• See every device: You can’t protect what you don’t know about. Security starts with real-time, granular visibility of every device connected to your network and how those devices communicate within your environment and externally to the Internet. Every connected device in the hospital including IoMT, IoT, and operational technology (OT), plays a role in either patient care or hospital operations. Ultimately, the security of every device in the hospital can impact hospital services and patient safety, therefore real-time visibility into every device is essential.  

With regard to the new 2022 FDA mandate, Ordr can ingest SBOMs as manufacturers make them available, to enable easy visibility across the entire organization. Ordr Software Inventory Collector can complement manufacturer SBOMs by identifying applications for devices running Windows, iOS, and Linux operating systems.  

• Know your attack surface: The attack surface for healthcare organizations can range widely. Organizations need to be able to identify the following risks within their connected devices 

• Vulnerabilities – CVEs need to be prioritized and patched. Ordr offers full lifecycle vulnerability management capabilities to identify these vulnerabilities, prioritize them based on impact to a hospital (I.e., clinical risk), track and tag them for appropriate remediation workflows, and generate reports on them. Ordr also integrates with CMMS, CMDB tools to enrich their view of vulnerabilities, and ITSM systems to create tickets and manage workflows for remediation.  
• FDA or manufacturing recalls – To meet compliance requirements, it is important to identify devices that have been recalled either by the FDA or manufacturers. Ordr integrates with FDA and manufacturing databases to provide insights and help hospitals identify impacted devices. 
• Exploits and active threats – To protect healthcare organizations from active threats, Ordr offers an integrated intrusion detection system (IDS) that can inspect East West and North South device communications for active threats. Devices that are impacted by top security issues such as OpenSSL, Log4J, Solar Winds, and Conti, are highlighted in a unique security category in the Ordr dashboard for easy analysis. 
• Anomalous behavior – Unlike most IT systems and software, medical devices, and many IoT and OT devices have deterministic functions. Ordr uses machine learning (ML) to baseline normal behavior for every device. From that baseline Ordr identifies deviations which can be an indication of attack or compromise including zero-day activity. In addition, Ordr can dynamically create policy to help ensure a rapid response enabling teams to contain and stop an attack. 
• Track who is using your devices – By tracking and associating devices to users, Ordr can identify compromised devices and potential account misuse. 
• Reacting to Zero Day events: By ingesting SBOMs and utilizing Ordr’s Software Inventory Collector, organizations can react quicker to Zero Day events. There is no need to wait for manufacturers to determine if devices are running a vulnerable application. Ordr correlates all the application information from both SBOM and Software Inventory Collector into one searchable database. 
• Secure with automated policies:  
  • During an incident, quickly prevent lateral movement by pinpointing compromised devices and creating policies to quarantine the device, block ports or terminate sessions. 
  • Implement Zero Trust segmentation for vulnerable devices that cannot be patched: Zero Trust segmentation policies can keep these devices in operations by allowing only “normal communications” required for its function, while limiting exposure. 
  • When a new IoC (indicator of compromise) is announced, identify whether a device communicated with the malicious domain in the past 365 days.  

The Ordr platform is trusted by the world’s leading healthcare delivery organizations. Schedule a demo with our product experts to see how we can secure your connected devices. 

The major crux faced by IT security professionals across the industry today is that threats evolve at the same speed as technology. Technology is vital to business, especially as more professionals work outside the standard office environment, and that creates additional vulnerabilities. The CIS 20 Critical Security Controls framework is so widely used, that there are several different ways to reference them:

• CIS CSC
• CIS 20
• CCS CSC
• SANS Top 20
• CAG 20

The key to mitigating risk is having a solid security foundation on which to build industry or business specific security protocols. The CIS 20 Critical Security Controls (CSC) are that foundation.

What are the CIS 20 Critical Security Controls?

The CSC are a security foundation of actionable best practices developed by the Center for Internet Security (CIS) and the SANS Institute. Knowledge is garnered from a wide array of security professionals, condensed and clarified by industry experts, and presented in a format that can be adapted by any organization to counter the leading forms of cyber attack and protect data assets.

These basic principles allow IT professionals to respond swiftly and effectively against growing security concerns, which allows organizations to reduce cybersecurity risks.

How do the CIS 20 apply to your organization?

All organizations must navigate the deep and complex waters that are risk and compliance. Industry standards often define the specific dive level an organization has to make into those murky depths, but they rarely indicate how. The CIS Critical Security Controls are a set of best practices that recommend how to combat the most common cybersecurity threats, and are applicable to all organizations.
The CSC are broken into three implementation groups, each set of controls being a progression based upon an organization’s needs:

• Basic implementation is applying controls 1 – 6, and is advised for all organizations. These six controls can be implemented with conservative resources, and will provide a basic level of protection that even the smallest of organizations can utilize.
• Foundational implementation is applying the basic controls and controls 7 – 16, and is advised for mid-level organizations that have more resources and cybersecurity professionals to implement security measures.
• Organizational implementation is applying all 20 security controls, and is intended for developed organizations that have rich resources and robust cybersecurity expertise.

By segmenting the controls into resource and expertise specific sections, an organization is given the option of choosing the best fit for their infrastructure.

Why use CIS Controls for Security and Compliance?

The CIS top 20 Critical Security Controls are an evolution of worldwide knowledge from IT professionals that are arm-deep in security each and every day. The results of using the CSC are phenomenal; studies have shown that 85% of cyberattacks can be thwarted by using just the basic implementation of CSC. Using the organizational implementation of all 20 Critical Security Controls has a staggering 97% success rate. By using these outlined best practices, an organization will have a strong security base that has already proven its worth. A base that is perfect for building in any additional industry specific security requirements.

How do the CIS Critical Security Controls work with other standards?

The CSC are cross-compatible because they are effective best-practices that encompass a large threat range. Industry specific standards and security framework ideologies are growing and evolving with technology, and the CSC helps organizations keep up with the ever changing security environment.

For example, the California Consumer Privacy Act (CCPA) and General Data Protection Act (GDPR) require organizations to maintain reasonable security to protect consumers’ private data. In addition, the IoT Cybersecurity Act requires connected devices to meet a minimum level of cybersecurity. Using the CIS Top 20 Critical Security Controls allows an organization to meet these thresholds.

Also, the CSC maps well to other well known security standards:

• National Institute of Standards and Technology (NIST)
• International Organization for Standardization (ISO)
• Payment Card Industry Data Security Standard (PCI-DSS)
• Health Insurance Portability and Accountability Act (HIPAA)
• Control Objectives for Information and Related Technologies (COBIT)
• Federal Information Security Modernization Act of 2014 (FISMA)
• NERC Critical Infrastructure Protection Standards (NERC CIP)
• Federal Financial Institutions Examinations Council (FFIEC)
• Department of Homeland Security Continuous Diagnostics and Mitigation (DHS CDM)
• National Security Agency Manageable Network Plan Guide (NSA Network Infrastructure Security Guide)
• Data Security and Protection Toolkit Standard (NHS DSP Toolkit)

The CSC are beneficial aids for organizations that need to meet these complex industry standards or regulations.

An overview of the CIS Controls

Basic CIS Controls

The basic level of implementation is applying controls 1 – 6, and is considered the minimum amount of security that all organizations should use to be ready against cyber attacks.

Control 1: Inventory and Control of Hardware Assets

Knowing who and what is using the network is key to preventing unauthorized access. This includes maintaining a detailed inventory via both active and passive discovery and using access controls. An in-depth view of all the devices that use an organization’s network provides a first line of defense.

Control 2: Inventory and Control of Software Assets

Software needs to be inventoried and monitored in a way that allows the organization to see what’s been installed, who did the installing, and what the software is doing. Implementing authorization lists, installation rights, and integrity management are a must. Just like hardware assets, software can be used as a vulnerable point of entry into the protected network.

Control 3: Continuous Vulnerability Management

Security risks need to be identified before they result in an actual breach. The network should be scanned for weak points, which can then be quickly remediated. For the testing to be most effective, keep up-to-date on vulnerability advances.

Control 4: Controlled Use of Administrative Privileges

Inventory of service accounts, administrative credentials, and adequate password requirements need to be fundamental. Administrative accounts must be safeguarded to prevent them being used by attackers.

Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers

Update default configurations and automate processes that manage them. Configuration management is necessary to lock-down unnecessary risks that attackers can exploit.

Control 6: Maintenance, Monitoring, and Analysis of Audit Logs

Logging will give an organization the ability to see all the activity of the network and provide pertinent details in the case of a breach. It also allows for the creation of alerts.

Foundational CIS Controls

The foundational level of implementation is also applying controls 7 – 16, and is considered appropriate for mid-level organizations that need to protect systems beyond basic needs.

Control 7: Email and Web Browser Protections

Numerous threats are directly related to email systems and web browsers. If they aren’t safe, the network isn’t either.

Control 8: Malware Defenses

Malware is used for everything from identity theft to corporate espionage. Antivirus software and malware prevention mitigates the risk to users and the organization.

Control 9: Limitation and Control of Network Ports, Protocols, and Services

Firewalls, port scans, and separation of critical services can reduce the available avenues open to attackers. Sharp focus here can prevent unauthorized access.

Control 10: Data Recovery Capabilities

Some forms of cyber attack, like ransomware, directly target data. Backups prevent losing data and give a benchmark for data comparison if data integrity is in question after a security breach.

Control 11: Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches

Encryption and advanced authentication methods are good starting points. Shielding network devices from improper access, shields the network and its data.

Control 12: Boundary Defense

An organization must control flow through the boundary using monitoring and analysis. Tight management of perimeter defenses keeps out unauthorized users and keeps in sensitive data.

Control 13: Data Protection

Data protection is complex and requires a multi-prong focus. Use managerial controls, procedures, and technology to ensure data is accessed only where authorized, is controlled, and maintains integrity.

Control 14: Controlled Access Based on the Need to Know

Classify data, segment based on that classification, and control the access based on what users/systems need to use that level of data. This prevents both internal and external unauthorized access to data.

Control 15: Wireless Access Control

Wireless access is a common area of risk for many organizations, and controls are necessary to mitigate as much risk as possible. Implementing protocols around SSID and broadcasting levels, guest networks, and monitoring the wireless network are ways to combat attacks.

Control 16: Account Monitoring and Control

Attackers using valid credentials is a concern that must be addressed. Two factor authentication and managing the account life cycle are common recommendations.

Organizational CIS Controls

The organizational level of implementation is applying all 20 CIS controls. It is considered appropriate for well-developed organizations that have more complex security needs and have the necessary resources/capabilities required for implementation.

Control 17: Implement a Security Awareness and Training Program

Users are an important piece of the cybersecurity puzzle. Refreshing users about security practices and new attacks to be wary of can be key to preventing breaches.

Control 18: Application Software Security

Keep applications current, use only trusted components, and harden applications where possible to prevent vulnerabilities. In-house applications should be accessed for security and kept within maintenance limits. Do not allow applications to provide a backdoor into the system.

Control 19: Incident Response and Management

Always be prepared by planning for possible incidents and testing where possible. Don’t leave the response measures unplanned until something actually happens.

Control 20: Penetration Tests and Red Team Exercises

Identify points of breach and remediate as they are found. Keep testing and remediations evolving as the attack vectors change.

How to implement CIS Controls

The CIS Top 20 Critical Security Controls are actionable best practices that organizations can use to protect themselves in an ever-changing technology environment. In order to successfully implement the CSC controls, organizations have to move forward against security risks by taking proper action to protect organizational devices, networks, and data.

This includes taking steps to implement proper discovery methods and ensuring the correct classifications of all devices on an organization’s network. In addition, an organization needs to continuously track device behavior and segment vulnerable devices. Risk assessment should be performed, as well, to ensure that security standards are being met.

The Ordr Systems Control Engine (SCE) gives organizations the power to enable visibility and security of their network-connected devices, with a simple and powerful solution to identify, classify, profile the behavior and risk, and automate action for every network-connected device in the enterprise.

One of the differentiated actions with Ordr SCE is that security and IT teams have access to dynamically generated segmentation policies to only allow sanctioned communications for every class of device.

10 INTERNET OF THINGS (IoT) HEALTHCARE EXAMPLES, AND WHY THEIR SECURITY MATTERS

Connected devices in healthcare—often referred to as the Internet of Medical Things (IoMT)—represent one of the fastest-growing sectors of the IoT market, and is predicted to reach $176 billion by 2026.

To monitor, manage, and protect Internet of Things (IoT) devices in healthcare you must first understand the multiple ways in which IoMT devices are used. While the most popular example of IoT in healthcare is remote patient monitoring—meaning IoMT devices that collect patient data such as heart rate and body temperature—there are many other examples of IoT in the healthcare industry.

Here’s a look at 10 ways IoT is changing healthcare, as well as how the use of IoT devices for medical purposes impacts IoT security.

Healthcare monitoring devices

IoT devices offer a number of new opportunities for healthcare professionals to monitor patients, as well as for patients to monitor themselves. By extension, the variety of wearable IoT devices provide an array of benefits and challenges, for healthcare providers and their patients alike.

1. Remote patient monitoring

Remote patient monitoring is the most common application of IoT devices for healthcare. IoT devices can automatically collect health metrics like heart rate, blood pressure, temperature, and more from patients who are not physically present in a healthcare facility, eliminating the need for patients to travel to the providers, or for patients to collect it themselves.

When an IoT device collects patient data, it forwards the data to a software application where healthcare professionals and/or patients can view it. Algorithms may be used to analyze the data in order to recommend treatments or generate alerts. For example, an IoT sensor that detects a patient’s unusually low heart rate may generate an alert so that healthcare professionals can intervene.

A major challenge with remote patient monitoring devices is ensuring that the highly personal data that these IoT devices collect is secure and private.

2. Glucose monitoring

For the more than 30 million Americans with diabetes, glucose monitoring has traditionally been difficult. Not only is it inconvenient to have to check glucose levels and manually record results, but doing so reports a patient’s glucose levels only at the exact time the test is provided. If levels fluctuate widely, periodic testing may not be sufficient to detect a problem.

IoT devices can help address these challenges by providing continuous, automatic monitoring of glucose levels in patients. Glucose monitoring devices eliminate the need to keep records manually, and they can alert patients when glucose levels are problematic.

Challenges include designing an IoT device for glucose monitoring that:
a. Is small enough to monitor continuously without causing a disruption to patients
b. Does not consume so much electricity that it needs to be recharged frequently.

These are not insurmountable challenges, however, and devices that address them promise to revolutionize the way patients handle glucose monitoring.

3. Heart-rate monitoring

Like glucose, monitoring heart rates can be challenging, even for patients who are present in healthcare facilities. Periodic heart rate checks don’t guard against rapid fluctuations in heart rates, and conventional devices for continuous cardiac monitoring used in hospitals require patients to be attached to wired machines constantly, impairing their mobility.

Today, a variety of small IoT devices are available for heart rate monitoring, freeing patients to move around as they like while ensuring that their hearts are monitored continuously. Guaranteeing ultra-accurate results remains somewhat of a challenge, but most modern devices can deliver accuracy rates of about 90 percent or better.

4. Hand hygiene monitoring

Traditionally, there hasn’t been a good way to ensure that providers and patients inside a healthcare facility washed their hands properly in order to minimize the risk of spreading contagion.

Today, many hospitals and other health care operations use IoT devices to remind people to sanitize their hands when they enter hospital rooms. The devices can even give instructions on how best to sanitize to mitigate a particular risk for a particular patient.

A major shortcoming is that these devices can only remind people to clean their hands; they can’t do it for them. Still, research suggests that these devices can reduce infection rates by more than 60 percent in hospitals.

5. Depression and mood monitoring

Information about depression symptoms and patients’ general mood is another type of data that has traditionally been difficult to collect continuously. Healthcare providers might periodically ask patients how they are feeling, but were unable to anticipate sudden mood swings. And, often, patients don’t accurately report their feelings.

“Mood-aware” IoT devices can address these challenges. By collecting and analyzing data such as heart rate and blood pressure, devices can infer information about a patient’s mental state. Advanced IoT devices for mood monitoring can even track data such as the movement of a patient’s eyes.

The key challenge here is that metrics like these can’t predict depression symptoms or other causes for concern with complete accuracy. But neither can a traditional in-person mental assessment.

6. Parkinson’s disease monitoring

In order to treat Parkinson’s patients most effectively, healthcare providers must be able to assess how the severity of their symptoms fluctuate through the day.

IoT sensors promise to make this task much easier by continuously collecting data about Parkinson’s symptoms. At the same time, the devices give patients the freedom to go about their lives in their own homes, instead of having to spend extended periods in a hospital for observation.

Other examples of IoT/IoMT

While wearable devices like those described above remain the most commonly used type of IoT device in healthcare, there are devices that go beyond monitoring to actually providing treatment, or even “living” in or on the patient. Examples include the following.

7. Connected inhalers

Conditions such as asthma or COPD often involve attacks that come on suddenly, with little warning. IoT-connected inhalers can help patients by monitoring the frequency of attacks, as well as collecting data from the environment to help healthcare providers understand what triggered an attack.

In addition, connected inhalers can alert patients when they leave inhalers at home, placing them at risk of suffering an attack without their inhaler present, or when they use the inhaler improperly.

8. Ingestible sensors

Collecting data from inside the human body is typically a messy and highly disruptive affair. No no enjoys having a camera or probe stuck into their digestive tract, for example.

With ingestible sensors, it’s possible to collect information from digestive and other systems in a much less invasive way. They provide insights into stomach PH levels, for instance, or help pinpoint the source of internal bleeding.

These devices must be small enough to be swallowed easily. They must also be able to dissolve or pass through the human body cleanly on their own. Several companies are hard at work on ingestible sensors that meet these criteria.

9. Connected contact lenses

Smart contact lenses provide another opportunity for collecting healthcare data in a passive, non-intrusive way. They could also, incidentally, include microcameras that allow wearers effectively to take pictures with their eyes, which is probably why companies like Google have patented connected contact lenses.

Whether they’re used to improve health outcomes or for other purposes, smart lenses promise to turn human eyes into a powerful tool for digital interactions.

10. Robotic surgery

By deploying small Internet-connected robots inside the human body, surgeons can perform complex procedures that would be difficult to manage using human hands. At the same time, robotic surgeries performed by small IoT devices can reduce the size of incisions required to perform surgery, leading to a less invasive process, and faster healing for patients.

These devices must be small enough and reliable enough to perform surgeries with minimal disruption. They must also be able to interpret complex conditions inside bodies in order to make the right decisions about how to proceed during a surgery. But IoT robots are already being used for surgery, showing that these challenges can be adequately addressed.

Why security matters for IoT in healthcare

In order to make the most of IoT for healthcare, critical security challenges must be addressed.

Above all, IoT device developers, managers and healthcare providers must ensure that they adequately secure data collected by IoT devices. Much of the data collected by medical devices qualifies as protected health information under HIPAA and similar regulations. As a result, IoT devices could be used as gateways for stealing sensitive data if not properly secured. Indeed, 82 percent of healthcare organizations report having experienced attacks against their IoT devices.

Developing secure IoT hardware and software is one step in addressing this challenge. Equally important, however, is ensuring that IoT devices in healthcare are managed properly in order to protect against data from unmonitored devices falling into the wrong hands. A patient monitoring device that has an older version of software or firmware, or a device that is not properly decommissioned after it is no longer needed, for example, could offer attackers an opportunity to infiltrate a network or steal protected health information.

Proper discovery and classification of all IoT devices on a healthcare provider’s network helps guard against this risk. Once IoT device networks are properly identified, classified, regulated, and secured, managers can track device behavior to identify anomalies, perform risk assessments and segment vulnerable from mission-critical devices.

Ordr can help

In a hyper-connected healthcare enterprise, the quantity and heterogeneity of IoT devices creates a complex and increasingly untenable reality for healthcare technology, IT and security organizations. Leaders struggle to understand exactly what’s connected to the network, what it’s doing, and how to regulate and protect it all.

Ordr Systems Control Engine (SCE) can enable visibility, and security of all of your connected medical devices. It can identify, classify, profile behavior and risk, and secure all medical and IoT assets in your healthcare organization. Once you understand the behavior and communications of every connected device, you can proactively secure them using microsegmentation policies enforced on your existing network and security infrastructure, without touching or modifying the devices. You can even use Ordr to maximize the utilization of all of your connected medical devices.

Ordr offers superior ransomware protection across the kill chain starting with comprehensive visibility into devices and risks (including complete details about devices, with granular insights—such as make, model, serial number, and network location). Our solution is capable of illuminating network blind spots by monitoring for east-west lateral movement and identifying attacker exploit tools. Our machine learning engine can baseline communication patterns to recognize an attack in progress, such as C2 communications. Finally, automated policies allow security teams to take action rapidly.