Freeman Health System has around 8,000 connected medical devices in its 30 facilities in Missouri, Oklahoma, and Kansas. Many of these devices have the potential to turn deadly at any moment. “That’s the doomsday scenario that everyone is afraid of,” says Skip Rollins, the hospital chain’s CIO and CISO.
Rollins would love to be able to scan the devices for vulnerabilities and install security software on them to ensure that they aren’t being hacked. But he can’t.
“The vendors in this space are very uncooperative,” he says. “They all have proprietary operating systems and proprietary tools. We can’t scan these devices. We can’t put security software on these devices. We can’t see anything they’re doing. And the vendors intentionally deliver them that way.”
The vendors claim that their systems are unhackable, he says. “And we say, ‘Let’s put that in the contract.’ And they won’t.”
That’s probably because the devices could be rife with vulnerabilities. According to a report released earlier this year by healthcare cybersecurity firm Cynerio, 53% of medical devices have at least one critical vulnerability. For example, devices often come with default passwords and settings that attackers can easily find online, or are running old, unsupported versions of Windows.
And attackers aren’t sleeping. According to Ponemon research released last fall, attacks on IoT or medical devices accounted for 21% of all healthcare breaches – the same percentage as phishing attacks.
Like other health care providers, Freeman Health Systems is trying to get device vendors to take security more seriously, but, so far, it hasn’t been successful. “Our vendors won’t work with us to solve the problem,” Rollins says. “It’s their proprietary business model.”
As a result, there are devices sitting in areas accessible to the public, some with accessible USB ports, connected to networks, and with no way to directly address the security issues.
With budgets tight, hospitals can’t threaten vendors that they’ll get rid of their old devices and replace them with new ones, even if there are newer, more secure alternatives available. So, instead, Freeman Health uses network-based mitigation strategies and other workarounds to help reduce the risks.
“We monitor the traffic going in and out,” says Rollins, using a traffic-monitoring tool from Ordr. Communications with which suspicious sites can be blocked by firewalls, and lateral movement to other hospital systems is limited by network segmentation. “But that doesn’t mean that the device couldn’t be compromised as it’s taking care of the patient,” he says.
To complicate matters further, blocking these devices from communicating with, say, other countries, can keep critical updates from being installed. “It’s not unusual at all for devices to be reaching out to China, South Korea, or even Russia because components are made in all those areas of the world,” he says.
Rollins says that he’s not aware of attempts to physically harm people by hacking their medical devices in real life. “At least today, most hackers are looking for a payday, not to hurt people,” he says. But a nation-state attack similar to the SolarWinds cyberattack that targets medical devices instead, has the potential to do untold amounts of damage.
“Most medical devices are connected back to a central device, in a hub-and-spoke kind of network,” he says. “If they compromised those networks, it would compromise the tools that we use to take care of our patients. That’s a real threat.”
IoT visibility struggle
The first challenge of IoT security is identifying what devices are present in the enterprise environment. But devices are often installed by individual business units or employees, and they fall under the purview of operations, buildings and maintenance, and other departments.
Many companies don’t have a single entity responsible for securing IoT devices. Appointing someone is the first step to getting the problem under control, says Doug Clifton, who leads operational technology and information technology efforts for the Americas at Ernst & Young.
The second step is to actually find the devices.
According to Forrester analyst Paddy Harrington, several vendors offer network scans to help companies do that. Gear from Checkpoint, Palo Alto, and others can continuously run passive scans, and when new devices are detected, automatically apply security policies to them. “It won’t solve everything,” he says, “but it’s a step in the right direction.”
Still, some devices don’t fall neatly into known categories and are hard to detect. “There’s an 80-20 rule,” says Clifton. “Eighty percent of devices can be detected by technology. For the other 20%, there needs to be some investigative work.”
Companies that don’t yet have an IoT scanning tool should start by talking to the security vendors they’re already working with, Harrington says. “See if they have an offering. It may not be best of breed, but it will help span the gap, and you won’t have to have a ton of new infrastructure.”
Enterprises typically use spreadsheets to keep track of IoT devices, says May Wang, Palo Alto’s CTO for IOT security. Each area of the business might have its own list. “When we go to a hospital, we get a spreadsheet from the IT department, the facilities department, and the biomed devices department, and all three spreadsheets are different and show different devices,” she says.
And when Palo Alto runs a scan of the environments, these lists typically fall short, sometimes by more than an order of magnitude. Many are older devices, Wang says, installed in the days before IoT devices were recognized as security threats. “Traditional network security doesn’t see these devices,” she says. “And traditional approaches to protecting these devices don’t work.”
But companies can’t apply endpoint security or vulnerability-management policies to devices until they are all identified. Palo Alto now includes machine-learning-powered IoT device detection integrated in its next-generation firewall.
“We can tell you what kind of devices you have, what kind of hardware, software, operating systems, what protocols you’re using,” Wang says. The Palo Alto systems can’t detect and get full information on every single device. “For some of them, it may not be as detailed, but we can get most information for most devices. That provides visibility for device discovery.”
Depending on how the technology is deployed, Palo Alto can also pick up devices based on their internal, lateral communications, and either suggest or automatically implement security policies for newly discovered devices.
When IoT devices use cellular communications, this creates a bigger problem. “Lots of IoT devices are 5G, and it’s going to become an even bigger issue,” she says. “We have a division working on 5G security. It definitely provides more challenges.”
Peering inside the IoT
Once IoT devices are reliably discovered and inventoried, they need to be managed and secured with the same rigor as other network devices. That requires configuration management, vulnerability scanning, traffic monitoring, and other capabilities.
Even a device that’s not connected to an external network can become an intermediate staging point or a hiding place for a determined attacker moving laterally through the company. Marcos Marrero, CISO at H.I.G. Capital, faced just this dilemma a year ago.
H.I.G. is a global investment firm with over $50 billion of equity capital under management and 26 offices on four continents. The firm has hundreds of devices on its networks, such as cameras, physical security devices, and sensors that monitor temperature, humidity, and power inside its computer rooms. IoT device security “is a huge problem,” says Marrero. “And it’s constantly evolving and getting larger.”
As a financial firm, H.I.G. is extremely security conscious, with the security team having oversight of every device that’s installed on its networks. “Knock on wood, we haven’t come across any rogue IoT in our environment,” says Marrero.
But being able to locate devices is just the start of the journey. “Then there’s the visibility into vulnerabilities and configurations,” he says.
About a year ago, Marrero ran a vulnerability scan on one of the room alert devices and found open ports requiring no authentication. The firm contacted the manufacturer and was able to get instructions on how to harden the device. “But we had to ask for it. It wasn’t information that was given to us right off the bat,” he says.
And the vulnerability scan the company ran only looked at the device from the outside, he says, finding the open ports and type of operating system, but little else, leaving him blind to a range of possible problems. “There is a whole host of vulnerabilities in the open-source software used in these devices,” he says.
To address the problem, H.I.G. turned to a firmware scanning tool from Netrise.
“We did a proof of concept and uploaded one of the firmware images, and it gave back all this vulnerability data and other information,” he says. “That is what sealed it for us.”
Uploading the images was a manual process that took a couple of minutes per image. Since there were many duplicate devices of the same type, the company had to upload fewer than 20 different images in total. As a result of the scans, the firm’s estimated inventory of vulnerabilities increased by 28%.
“We had no idea they existed in our environment,” he says. “Yes, our vulnerability trending had a spike, but half the battle is even knowing you had those vulnerabilities in the first place.”
After the vulnerabilities were discovered, H.I.G. contacted device vendors and took other mitigation steps. “It could be taking the device down if it’s too dangerous and poses too much of a risk to our environment,” he says, “or layering additional controls around it.”
For example, some devices were segmented off on the network, with access control lists limiting what other systems and users could access them. “For example, a security camera can only talk to technology assets that support that device,” he says. “That limits the risk of any negative exploitation.”
Then future firmware updates are run through the Netrise tool before they’re deployed to guard against new vulnerabilities the manufacturer might have introduced.
Other IoT-management policies the company has in place include security screening during the initial purchase decisions.
“Before we procure any new assets, we ensure they have some level of logging that we can send to our centralized logging environment,” he says, referring to the company’s security information and event management (SIEM) system. “What our SIEM does is take all the different logs we send to it and correlate them to reduce the level of false alerts.”
Occasionally, the company comes across devices that have very immature levels of logging, he says, “And I’ve had to say, ‘We’re not buying that.'”
Monitoring and oversight
Once all the devices are identified, categorized by risk, and, to the extent possible, patched and updated, the next step is to create a monitoring framework around the ones with the potential to do the most harm to the company.
In some cases, companies may be able to install endpoint-protection software on the IoT devices themselves to protect them against malicious attacks, to monitor configuration settings, to ensure that they are fully patched, and to monitor for unusual activity. That may not be possible for some older devices or proprietary devices such as medical equipment.
When devices connect to an enterprise network, those communications can be monitored for suspicious activity.
For once, enterprises are catching a break in this aspect of IoT security. According to Palo Alto, 98% of IoT traffic is unencrypted. Plus, IoT devices typically do the same thing over and over again.
“Take a thermostat, for example,” says Palo Alto’s Wang. “It’s only supposed to send the temperature, and that’s it. It’s not supposed to talk to other servers. That’s a good thing. It makes it easier for the AI models to build up a baseline of behavior.”
IoT and the zero-trust future
As companies move to zero-trust architectures, it’s important not to forget the connected devices.
Zero-trust principles and security-by-design should be used to harden devices and associated applications. That starts with protection controls, such as device identification and authentication, as well as trusted device updates with supply chain tamper-resistance, says Srinivas Kumar, vice president of IoT solutions at security vendor DigiCert. Communications need to be secure as well, he adds.
One of the industry organizations working on securing IoT devices by creating authentication and encryption standards is WI-SUN, founded about 10 years ago to specifically focus on devices used by utilities, smart cities, and agriculture.
The security measures built into the WI-SUN standards include certificates for authenticating devices as they connect to a network, encryption to ensure that all messages are private, and a message integrity check to prevent man-in-the-middle attacks.
Rising geopolitical tensions mean that securing these meters – and other devices key to critical infrastructure operations – is more and more urgent. “If you have structural-integrity check sensors on a bridge or railroad track and someone comes along and jams all the sensors, you’d have to shut the city down, and it would cause a huge amount of mayhem,” says WI-SUN president and CEO Phil Beecher.
And that’s just the start, says David Nosibor, platform solutions lead and head of the SafeCyber project at UL Solutions, formerly UL. “From disruptions of supply chains to loss of food, water, or power, these impacts can extend well beyond the impacted organizations,” he says.
Meanwhile, attackers are getting increasingly sophisticated, he says, and there’s a shortage of cybersecurity expertise in the workforce. Plus, on top of all this, there’s a wave of regulations coming as legislators wake up to the risks.
“These challenges are interconnected,” Nosibor says. “And many organizations, unfortunately, struggle to keep pace with the complexity.”
Copyright © 2022 IDG Communications, Inc.