By Gnanaprakasam Pandian, Chief Product Officer and Co-Founder, Ordr
As connected devices, including Internet of Things (IoT), Internet of Medical Things (IoMT) and Operational Technology (OT) continue to explode in growth, they introduce a new attack surface. In fact, an astonishing 46% of all connected devices are vulnerable to medium and high severity attacks. This is just one of the key findings of a new report released by connected device security company Ordr, in its 2nd annual Rise of the Machines 2021 Report “State of Connected devices — IT, IoT, IoMT and OT report.
The report analyzed connected device security risk and adoption between June 2020 and June 2021, across more than 500 customer deployments in healthcare, manufacturing, financial services organizations and more. According to the report, the following are the key security issues that should be on the radar of every network security professional.
Extending security to agentless or un-agentable devices
The report found that 42% of connected devices were agentless or un-agentable devices – meaning that they cannot support endpoint security agents. This represents a 32% increase since 2020, further confirming that a security strategy focused only on agent-based endpoint security is insufficient. A complete security strategy should include solutions that can identify and secure these devices via the network to complement endpoint security solutions.
Adopting a “whole organization” approach to connected security
To ensure connected device security, it is vital that all devices and assets on a network be identified and profiled. The Colonial Pipeline attack showed us that when IT and IoT systems are hit by a cyberattack, business is impacted even if the OT environment continues to function. For example, in a hospital environment, a cyberattack impacting an elevator control system will similarly bring down the entire healthcare operations if patients cannot be transported, even if medical devices are unaffected.
Understanding the Risks posed by “Shadow IoT” and personal devices
Reflecting current times, the report found that the number of Pelotons, Sonos, Alexas and Teslas in customer networks have almost doubled since 2020. Many of these devices (with the exception of Teslas) are being used for actual business operations. In fact, many of “Smart Hospitals” have deployed Alexas in their rooms for their pediatric patients. Alexas were used for “nurse call functions,” to switch channels on TVs, and to dim or change the smart lighting in the rooms. Pelotons are being used for physical therapy in hospitals, deployed in gyms in hospitality verticals and enterprises.
Not only do these devices have vulnerabilities (for example leaky APIs within Pelotons) that threat actors can take advantage of, but there is also an overwhelming amount of data stored that could be used to target users within the organization. Threat actors are already targeting disgruntled employees to get them to unleash ransomware. Data from personal devices could present a whole new range of threats.
Gauging the level of security risk posed by devices
It is important to be aware that outdated operating systems present the greatest security risks for most organizations. According to the report, about 19% of deployments include devices running outdated operating systems Windows 7 and older, and almost 34% of deployments have devices running Windows 8 and Windows 10, which are expected to end-of-life in 2023 and 2025, respectively.
Within healthcare, 15% of medical devices and 32% of medical imaging devices run on outdated operating systems. This is because many medical devices remain in operation for many years and cannot be easily replaced for cost reasons. Segmentation is the only way to ensure security of these devices, keep them in operation and avoid the costs of replacing devices early.
Managing user access to devices and appropriate offboarding when status changes
A particularly interesting finding of the report was that about 55% of organizations examined had devices with orphaned users. These are most often devices that were the responsibility of users that have left an organization or changed roles. Devices with orphan accounts retain the same access rights as when they were associated with an active user. These orphaned user accounts provide a gateway to privilege escalation and lateral movement. Therefore, as part of a robust and complete Zero Trust strategy for connected devices, security teams need to ensure that all devices are being utilized only by current users.
This latest Rise of the Machines report identified a substantial number of vulnerabilities and risks in connected devices, which is a crucial reminder that organizations must have comprehensive visibility as well as security for everything connecting to their networks. The number of network-connected devices is only going to increase and the number and sophistication of attacks targeting them will continue to grow in parallel.
About the Author
Gnanaprakasam Pandian, Chief Product Officer and Co-Founder of Ordr. Pandian has more than 20 years of product and engineering leadership experience and is also a serial entrepreneur. Before founding Ordr, he was the Chief Development Officer at Aruba, responsible for all of engineering and product management functions. Aruba, an enterprise mobile wireless company, was acquired by HPE for $3 Billion in March 2015. Before Aruba, Pandian served as the head of engineering for Cisco’s multi-billion-dollar Wi-Fi business unit and before that as VP of engineering for low-end switching product lines. He graduated with a master’s degree in Electrical Engineering from IIT, Chennai, India and holds several patents to his credit in various networking technologies.