Forescout research found the Internet of things (IoT), Operational Technology (OT), and IT devices and systems within physical control access systems posed the most significant risks to organizations. Elevated IoT risks under these deployments are because IoT enabled devices could be targeted to grant entry into the corporate network or bypass physical authorization mechanisms via HVAC tampering. An example is when a casino was hacked through a thermometer in a fish tank. Similarly, people were locked out of their hotel rooms until a ransom was paid in Austria. The research analyzed 8 million devices deployed at 506 locations across the world. Forescout analyzed risk components across various industries such as financial services, healthcare, government, manufacturing, and retail. IoT devices in healthcare verticals, such the pneumatic tube systems, were the riskiest categories.
IoT risks components across deployments
IoT risks were higher across various industrial verticals because IoT devices are more common in these organizations and are more challenging to monitor and control. IoT devices could serve as entry points and final targets of malware attacks. They are also ubiquitous, thus bridging the distance between physical and virtual access.
IoT devices checked into almost all the risk components investigated by the researchers. The researchers analyzed security vulnerabilities, security events, services, connectivity, vendor, and potential impacts risk components of devices across various industry verticals.
Under potential impact, higher IoT risks were associated with the fact that most IoT and OT devices are unmanaged by most security solutions available. The connectivity risk component increased potential IoT risks because of the ability of IoT devices to communicate directly with other devices.
Regarding services, the IoT risks were present because of the various interfaces available on such devices. For example, most IoT devices have Wi-Fi and Bluetooth interfaces that increase the attack surface.
Embedded firmware also increased IoT risks because of the lack of uniformity in the vendor supply chain as well as lack of maturity in most IoT device firmware. Embedded firmware was also associated with increased IoT risks because it is responsible for most backdoors introduced by rogue vendors, hackers, and government entities.
Updating IoT embedded firmware is also problematic because it requires vendor-specific patches for common protocol vulnerabilities. Consequently, embedded firmware is a nightmare for application security, making it more challenging to keep the devices secure.
Most embedded devices also feature real-time operating systems (RTOS) which have known vulnerabilities. An example is the Wind River VxWorks which had 11 vulnerabilities allowing remote code execution. Many smart medical devices rely on this OS, thus exposing them to potential attacks.
Other security concerns
Medical devices and networking equipment posed a higher level of risk compared to other devices. The devices have the most significant impact if compromised. Additionally, they have many open interfaces that increase the attack landscape.
For networking equipment, there exists vendor homogeneity across industries. However, the category was responsible for about 37 vulnerabilities annually. When compromised, networking equipment could allow hackers to control all devices on the network because they act as internet security gatekeepers.
Windows environment remains a significant challenge
Over 30% of devices in both manufacturing (30%) and healthcare (35%) still run on unsupported versions of the Windows operating system. Keeping outdated windows running poses not only security issues but also financial challenges. For example, the German government will spend £800,000 to keep 33,000 outdated workstations running.
A similar number of Windows devices (30%) are not patched for Bluekeep and Curveball vulnerabilities.
Devices across industry verticals have default ports open
The research also found that 10% of devices in government verticals have default telnet port 23 and FTP ports 20 and 21 open. A fifth (20%) of devices across government, healthcare and financial industries have SMB port 445 open while 12% have RDP port 3389 open.
IoT security risks are prevalent in most organizations because of the higher adoption of IoT-enabled devices by consumers. Most connected devices include some form of IoT components with open ports and interfaces. These open ports and interfaces are easy to find for anybody with some free tools and an internet connection.
To address various risks facing organizations, business leaders must spend more resources in securing IoT and computing devices to minimize the cyber risk associated with shadow IT. Proper risk management should also include having a dedicated incident response team capable of addressing surprise security events in real time.