IoT Devices Risky Business for the Enterprise

As the number and diversity of IoT devices proliferates and diversifies, organizations find themselves under constant assault from threat actors who often turn to the same attack vectors time and again. Successfully.

Among the riskiest devices to enterprise networks: Networking equipment, VoIP, IP cameras and PLCs, according to a report by researchers at Forescout’s Vedere Labs. In this year’s research, the attack surface has been expanded by new entries like medical use of hypervisors and human-machine interfaces (HMIs).

“The growing number and diversity of connected devices in every industry presents new challenges for organizations to understand and manage the risks to which they are exposed,” researchers said in the 2022 edition of The Riskiest Internet Devices in Enterprise Networks report that notes, not surprisingly, that “most organizations now host a combination of interconnected IT, OT and IoT devices in their networks that has increased their attack surface.”

“According to Statista, the number of IoT devices is projected to reach 30.9 billion units by 2025. IoT devices continue to be threats in organizations and homes due to their increasing prevalence and relatively poor security,” said Will Carlson, senior director of content at Cybrary. “Add to this, even for informed users of these devices, they are often not user serviceable, patchable or upgradeable.”

The report cited findings from the Ponemon Institute that showed 65% of organizations named IoT/OT devices as a part of the network where security falls short. A whopping 88% of IT and IT security pros said their IoT devices were connected to the internet while 56% have OT devices connected as well. About half (51%) said an OT network was connected to the IT network.

The five riskiest devices in four device categories:

ITIoTOTIoMT
1RouterIP CameraProgrammable Logic ControllerDICOM workstation
2ComputerVoIPHuman Machine InterfaceNuclear medicine system
3ServerVideoconferenciingUninterruptible

Power Supply

Imaging
4Wireless Access PortATMEnvironment monitoringPicture archiving and communication system
5HypervisorPrinterBuilding automation controllerPatient monitor

“Threat actors are well aware of these trends. We recently reported on how ransomware groups have started massively targeting devices such as NAS, VoIP and hypervisors,” Vedere Labs said. Perhaps that is why 50% of those surveyed by Ponemon noted an uptick in attacks against the devices.

Every organization, regardless of industry, has felt the impact of a growing attack surface, the researchers said. “Manufacturing has the highest percentage of devices with high risk (11%), while government and financial have the top combinations of medium and high risk (43% for government and 37% for financial),” they said, explaining that the “ranking of riskiest devices does not change considerably per industry, which shows that almost every organization currently relies on a combination of IT, IoT and OT (as well as IoMT for health care) to deliver their business.”

“It should come as no small surprise that IoT devices with cameras and microphones present are highly interesting to adversaries. Although any IoT device can be used for botnets, lateral movement, or any other nefarious acts; those with cameras and mics can be used for so much more,” said Carlson. “The presence of these capabilities opens up the aperture for increased remote espionage, observing staff and security movements and an increase in targeted attacks based on the intel gathered.”

The riskiest IT and OT devices did not vary much across different regions, they said, “while the riskiest IoT devices change slightly, and the riskiest IoMT devices change considerably.”

But “it is not enough to focus defenses on risky devices in one category since attackers can leverage devices of different categories to carry out attacks. We have demonstrated this with R4IoT, an attack that starts with an IP camera (IoT), moves to a workstation (IT) and disables PLCs (OT),” researchers wrote.

Instead, “risk assessment becomes even more important for organizations as their attack surface increases with the addition of new connected devices,” the report said. “Implementing automated controls that do not rely only on security agents and that apply to the whole enterprise can help reduce risk across an organization.”

The Forescout report “highlights the need for basic mitigation steps like network segmentation and complete patching of devices. While the report focuses on IoT and OT, these threats often use Windows endpoints to propagate across shared networks, as evidenced by all-too-familiar headlines over the last few years,” said Ashley McGlone, Tanium technology strategist for manufacturing. “Some enterprises only patch critical and high vulnerabilities, ignoring the risk of chained medium and low CVEs to build attack vectors. Other enterprises patch IT machines while relegating OT Windows patching to site support that may be understaffed. Bridging cybersecurity leadership, people, processes and tools across IT, IoT and OT are essential to comprehensive visibility and mitigation of these risks.”

Avatar photo

Teri Robinson

From the time she was 10 years old and her father gave her an electric typewriter for Christmas, Teri Robinson knew she wanted to be a writer. What she didn’t know is how the path from graduate school at LSU, where she earned a Masters degree in Journalism, would lead her on a decades-long journey from her native Louisiana to Washington, D.C. and eventually to New York City where she established a thriving practice as a writer, editor, content specialist and consultant, covering cybersecurity, business and technology, finance, regulatory, policy and customer service, among other topics; contributed to a book on the first year of motherhood; penned award-winning screenplays; and filmed a series of short movies. Most recently, as the executive editor of SC Media, Teri helped transform a 30-year-old, well-respected brand into a digital powerhouse that delivers thought leadership, high-impact journalism and the most relevant, actionable information to an audience of cybersecurity professionals, policymakers and practitioners.

teri-robinson has 196 posts and counting.See all posts by teri-robinson