Noam Moshe at Claroty explores the severity of the threats to the internet of things
Our lives have become increasingly surrounded by an invisible network of connected machines, and it’s estimated that there will be more than 15 billion IoT-enabled devices worldwide by the end of 2023.
The critical infrastructure sector is a prime example of this boom. Internet-enabled machines can automatically report the availability of industrial equipment, monitor patient vitals in hospitals and track chemical levels in water treatment centres, among many other tasks. Automating these activities frees critical infrastructure professionals to focus on other crucial tasks.
However, for all their benefits, connected devices continue to present a serious cyber-security risk. Cyber-criminals target vulnerable IoT assets as an easy attack path into the network to disrupt systems or deploy malware. Highly automated facilities are also more susceptible to disruptive attacks like malware. When it comes to areas like healthcare and other Critical National Infrastructure (CNI), these vulnerabilities can escalate to knock out crucial services and directly threaten human lives.
So how significant a threat do unsecured IoT devices pose today, and how can critical infrastructure organisations mitigate the risks?
Why are IoT vulnerability disclosures going up?
Security has continued to be a significant challenge across the Extended Internet of Things (XIoT). This umbrella term encompasses all connected devices, from consumer gadgets to industrial control systems. Recent research by Claroty discovered a six per cent rise in vulnerabilities affecting XIoT devices from 2021 to 2022.
This increase stems in part from the fact that there is a growing awareness of XIoT security issues. Device manufacturers, end users, and the security industry are focusing more on finding these vulnerabilities and closing them before they can be exploited.
Nevertheless, vulnerable devices are still pervasive. The physical nature of these devices is the biggest issue when managing and securing them. Organisations can quickly lose track of their IoT assets, particularly with sensors, where very high volumes of devices are distributed across a site. Without complete visibility of the XIoT estate, including how devices are connected and which ports they are using, it is impossible to keep them updated and address vulnerabilities adequately.
Additionally, many connected devices still have design issues that make them more prone to vulnerabilities and more challenging to manage. For example, a device might have a complex user interface, making it more likely to be misconfigured and poorly secured. In other cases, a device might need to be physically opened up for patches and maintenance – a big problem when there are hundreds of units to manage.
Even for organisations making a concerted effort to keep their XIoT estate secure, it’s very easy to miss a few devices. A single vulnerability is often all it takes to enable a breach.
What are the risks of unsecured connected devices?
Alongside being more challenging to maintain, the physical nature of the XIoT means that security breaches can pose a much more direct and severe threat than software-based issues. This is especially the case in healthcare.
As healthcare providers become increasingly dependent on connected devices to carry out their duties, a cyber-attack can directly impact patient well-being. Notably, most medical vulnerabilities we discovered affected patient-facing machines, such as imaging devices, while a minority were clinical and lab-based. A disruptive attack such as ransomware could leave vital medical equipment non-functional, interrupting everything from CT scans to insulin injections.
This puts cyber-criminals in a very powerful position. Few threat actors carry out attacks specifically to put patients at risk. But the ability to do so gives them a tremendous advantage over healthcare organisations when making ransom demands. Ruthless gangs know that healthcare providers will do anything they can to protect the well-being of their patients, even if it means paying up to cyber-criminals.
In addition to the impact of a disruption, XIoT can also be exploited as a pivot point to enter the wider IT environment. A vulnerable internet-facing device can be compromised, and its connectivity used to bypass network security controls. From here, attackers can plant ransomware to cripple the provider’s IT and XIoT network and exfiltrate large volumes of sensitive patient data to sell on the dark web. The double impact of disruption and patient confidentiality violations devastates healthcare providers and their patients.
How can organisations get XIoT risks under control?
While the number of vulnerability discoveries has increased, the threat is being taken more seriously. Governments and regulators, including those in the UK and EU, are working on laws to regulate XIoT security more closely, pushing for more secure designs and faster action in addressing vulnerabilities.
As the industry continues to develop, we should naturally see a greater focus on security from XIoT device vendors, particularly in high-risk areas like healthcare. Developers and manufacturers are responsible for ensuring their products can be easily managed and supplied with regular updates.
In the meantime, organisations implementing any XIoT into their operations must do their due diligence. This means taking the time to fully evaluate products and ensure they address security basics such as vulnerability patching.
For existing XIoT implementations, critical infrastructure organisations must ensure complete visibility of every device connected to their network, from the smallest vital sensor to the biggest MRI machine or Industrial Control System (ICS). Automated asset discovery tools can help to identify connections and make this task more manageable. With all devices identified, it is then crucial to implement a regular cadence for applying security updates.
Finally, organisations should look at network hygiene options that limit the chances of a connected device being discovered and exploited in an attack. Network segmentation is one of the most effective approaches here, and our research found it to be the security approach that is most successful against the most critical vulnerabilities. Here, the network is divided into virtual zones, making it much harder for an attacker to jump from a vulnerable XIoT device into the main network.
Callous criminals have shown they are willing to risk people’s lives to boost their chances of a big payday. With connected devices often presenting an easy attack path and a way of inflicting disruption, organisations within the healthcare industry must ensure their XIoT estate is well secured.
Noam Moshe, Vulnerability Researcher, Team 82 at Claroty