Uncovering the true risk of connected devices in 2022

By Daniel dos Santos, Head of Security Research, Forescout Vedere Labs.

Connected devices and risk is a widely acknowledged by-product of the rapidly evolving digital era in which we now operate. But the rate at which IT, Internet of Things (IoT), Internet of Medical Things (IoMT) and Operational Technology (OT) devices are susceptible to being compromised, varies. Some are considerably more at risk than others, especially as cybercriminals continue to innovate at a rapid pace to gain access to, and exploit, connected devices to achieve their goals.

The growing number and diversity of connected devices in every industry presents new challenges for organisations to understand and manage the risks they are exposed to. The attack surface now encompasses IT, IoT and OT in almost every organisation, with the addition of IoMT in healthcare, which is fuelling increased vulnerabilities across interconnected networks.

In fact, according to a recent report by the Ponemon Institute, 65% of responding organisations say that IoT and OT devices are one of the least secured parts of their networks, while 50% say that attacks against these devices have increased[i]. IT and IT security practitioners in 88% of those organisations have IoT devices connected to the internet, 56% have OT devices connected to the internet and 51% have the OT network connected to the IT network.

The reality is that connected devices now exist in every vertical and they continue to pose considerable and wide-reaching security risks to organisations across all sectors, as many are still susceptible to both known and older vulnerabilities. To identify points of risk inherent to device types, industry sectors and cybersecurity policies, recent research has analysed the risk posture of over 19 million devices across financial services, government, healthcare, manufacturing and retail to reveal the riskiest connected devices of 2022. [ii]

The findings have shown that:

IT devices are still a favourite target

IT devices including computers, servers, routers and wireless access points are among the riskiest, as they remain the main target of malware, including ransomware, and the main initial access points for malicious actors. These actors exploit vulnerabilities on internet-exposed devices, such as servers running unpatched operating systems and business applications, or use social engineering and phishing techniques to dupe employees to run malicious code on their computers.

Routers and wireless access points, as well as other network infrastructure devices, are becoming more common entry points for malware and advanced persistent threats. Routers are risky because they are often exposed online, interfacing internal and external networks, have dangerous exposed open ports and have many vulnerabilities that are often quickly exploited by malicious actors.

Hypervisors, or specialised servers hosting virtual machines (VMs), have become a favourite target for ransomware gangs in 2022 because they allow attackers to encrypt several VMs at once - ransomware developers are moving toward languages such as Go and Rust that allow for easier cross-compilation and can target both Linux and Windows.

IoT devices are harder to patch and manage

A growing number of IoT devices on enterprise networks are being actively exploited because they are harder to patch and manage than IT devices. IoT devices are compromised due to weak credentials or unpatched vulnerabilities primarily to become part of distributed denial-of-service (DDoS) botnets.

IP cameras, VoIP and video conferencing systems are the riskiest IoT devices because they are commonly exposed on the internet, and there is a long history of threat actor activity targeting them. For instance, in 2019 APT28 compromised VoIP phones for initial access to multiple networks[iii], in 2021 Conti targeted cameras to move internally in affected organisations[iv] and, in 2022, both UNC3524 and TAG-38 have targeted video conferencing and cameras for use as command and control infrastructure[v].

ATMs appear in the ranking because of their obvious business criticality in financial organisations and also because data indicates that many ATMs are adjacent to other IoT devices such as security cameras and physical security systems that are often exposed.

Printers include not only multifunctional printing and copying devices used in the connected office but also specialised devices for printing receipts, labels, tickets, wristbands and other uses. Although printers are not widely associated with cyber risk, they should be. Like IP cameras, they have been exploited in intrusions by threat actors such as APT28 and spammed by hacktivists on multiple occasions. And just like ATMs, printers are often connected to sensitive devices, such as point of sale systems in the case of receipt printers and conventional workstations with privileged users in the case of office printers.

X-ray machines and patient monitors are among the riskiest IoMT devices

Connected medical devices are obviously risky because of their potential impact on healthcare delivery and patient safety. There have been many ransomware attacks on health system corporate IT networks that spilled over to medical devices, rendering them unusable, such as WannaCry in 2017, the attack on a hospital in Alabama affecting foetal monitors in 2019[vi] and several attacks affecting radiation information systems in the United States and Ireland since 2020[vii].

Ranked as the riskiest, DICOM workstations, nuclear medicine systems, imaging devices and PACS are all devices related to medical imaging and have a few things in common: They often run legacy vulnerable IT operating systems, have extensive network connectivity to allow for sharing imaging files and use the DICOM standard for sharing these files.

DICOM defines both the format for storing medical images and the communication protocol used to exchange them. The protocol supports message encryption, but its usage is configured by individual healthcare organisations. Through unencrypted communications across different organisations, attackers could obtain or tamper with medical images, including to spread malware.

Furthermore, patient monitors are among the most common medical devices in healthcare organisations and also among the most vulnerable. Like medical imaging devices, they often communicate with unencrypted protocols, which means attackers can tamper with their readings.

OT devices are mission critical yet insecure by design

In the past decade, state-sponsored attacks against OT systems and devices have become commonplace. The research has found that manufacturing has the highest percentage of devices with high risk (11%), but what’s even more troubling is the rise in cybercriminal and hacktivist activity targeting these devices. Recently, ransomware groups gained access to the SCADA systems of water utilities on several occasions[viii] and hacktivists gained access to the HMI of a water treatment facility in Florida.[ix]

Overall, PLCs and HMIs are the riskiest OT devices because they are very critical, allowing for full control of industrial processes, and are known to be insecure by design. Although PLCs are not often connected to the internet, many HMIs are connected to the internet to enable remote operation or management. These devices are not only common in critical infrastructure sectors, such as manufacturing, but also in sectors such as retail, where they drive logistics and warehouse automation.

However, other observed risky OT devices are much more widespread than PLCs and HMIs. For instance, uninterruptible power supplies (UPSs) are present in many corporate and data centre networks next to computers, servers and IoT devices. UPSs play a critical role in power monitoring and data centre power management. Attacks on these devices can have physical effects, such as switching off the power in a critical location or tampering with voltage to damage sensitive equipment.

Environment monitoring and building automation systems are critical for facilities management, which is a common need in most organisations. Smart buildings perfectly exemplify a cross-industry domain where IT, IoT and OT are converging on the same network. There are several examples of smart buildings exploited by threat actors to render controllers unusable, recruit vulnerable physical access control devices for botnets or leverage engineering workstations for initial access. These devices dangerously mix the insecure-by-design nature of OT with the internet connectivity of IoT and are often found exposed online even in critical locations.

Proactively protecting devices on multiple levels

Both device manufacturers and users are responsible for developing and maintaining their cybersecurity defences, which is an outlook that’s being reinforced by regulatory developments.

It’s imperative that manufacturers utilise secure software development lifecycles. This includes processes, such as code reviews, vulnerability scanning and penetration testing. Most importantly, these processes must not be limited to the software the manufacturers produce, but to all the components that go into a device, including third party libraries.

As for the regulatory developments, the proposed EU regulation for cybersecurity requirements, if implemented, will make it compulsory for vendors to obtain cybersecurity certification for IoT devices. From a user perspective, there’s also a big push towards making the disclosure of cybersecurity incidents mandatory, which would undoubtedly force companies to increase their security posture.

Unfortunately, there isn’t a single quick fix to protecting connected devices. But there are practical measures all organisations can adopt, which starts with creating a complete, automated and continuous inventory of all network assets. Once all devices and their configurations are known, a risk assessment can be conducted to highlight the devices that need special attention either because they are insecure or because they are business critical.

Mitigation actions can then be implemented. Measures include patching known vulnerabilities, hardening devices by disabling unused services, using strong and unique passwords, segmenting networks to isolate risky devices and using comprehensive network monitoring to detect attempts to exploit devices.

Protecting connected devices from attack is a shared responsibility. We all have a part to play in uncovering the risks and safeguarding our infrastructures from increasingly sophisticated tactics. And exposing any potential chinks in our armour is where it all begins.

By Zeki Turedi, EMEA CTO, CrowdStrike.
By Simon Crocker, Senior Director, Systems Engineering, Palo Alto Networks.
By Michael O'Donnell, Data Ecosystem Specialist at Quest.
By Madalina Tanasie, Chief Technology Officer at Collibra.
By Chris Bailey, Product Leader at Fortra, the new name for HelpSystems.
By Deryck Mitchelson, Field CISO EMEA, Check Point Software Technologies.