IoT Devices Risky Business for the Enterprise
As IoT devices grow in number and diversity, organizations find themselves under constant assault from threat actors who often turn to the same attack vectors time and again, and do so successfully.
Among the riskiest devices to enterprise networks: Networking equipment, VoIP, IP cameras and PLCs, according to a report by researchers at Forescout’s Vedere Labs. In this year’s research, the attack surface has been expanded by new entries like medical use of hypervisors and human-machine interfaces (HMIs).
“The growing number and diversity of connected devices in every industry presents new challenges for organizations to understand and manage the risks to which they are exposed,” researchers said in the 2022 edition of The Riskiest Internet Devices in Enterprise Networks report that notes, not surprisingly, that “most organizations now host a combination of interconnected IT, OT and IoT devices in their networks that has increased their attack surface.”
“According to Statista, the number of IoT devices is projected to reach 30.9 billion units by 2025. IoT devices continue to be threats in organizations and homes due to their increasing prevalence and relatively poor security,” said Will Carlson, senior director of content at Cybrary. “Add to this, even for informed users of these devices, they are often not user serviceable, patchable or upgradeable.”
The report cited findings from the Ponemon Institute that showed 65% of organizations named IoT/OT devices as a part of the network where security falls short. A whopping 88% of IT and IT security pros said their IoT devices were connected to the internet while 56% have OT devices connected as well. About half (51%) said an OT network was connected to the IT network.
The five riskiest devices in four device categories:
Rank | IT | IoT | OT | IoMT
1 | Router | IP Camera | Programmable Logic Controller | DICOM workstation
2 | Computer | VoIP | Human Machine Interface | Nuclear medicine system
3 | Server | Videoconferencing | Uninterruptible Power Supply | Imaging
4 | Wireless Access Port | ATM | Environment monitoring | Picture archiving and communication system
5 | Hypervisor | Printer | Building automation controller | Patient monitor
“Threat actors are well aware of these trends. We recently reported on how ransomware groups have started massively targeting devices such as NAS, VoIP and hypervisors,” Vedere Labs said. Perhaps that is why 50% of those surveyed by Ponemon noted an uptick in attacks against the devices.
Every organization, regardless of industry, has felt the impact of a growing attack surface, the researchers said. “Manufacturing has the highest percentage of devices with high risk (11%), while government and financial have the top combinations of medium and high risk (43% for government and 37% for financial),” they said, explaining that the “ranking of riskiest devices does not change considerably per industry, which shows that almost every organization currently relies on a combination of IT, IoT and OT (as well as IoMT for health care) to deliver their business.”
“It should come as no small surprise that IoT devices with cameras and microphones present are highly interesting to adversaries. Although any IoT device can be used for botnets, lateral movement, or any other nefarious acts, those with cameras and mics can be used for so much more,” said Carlson. “The presence of these capabilities opens up the aperture for increased remote espionage, observing staff and security movements and an increase in targeted attacks based on the intel gathered.”
The riskiest IT and OT devices did not vary much across different regions, they said, “while the riskiest IoT devices change slightly, and the riskiest IoMT devices change considerably.”
But “it is not enough to focus defenses on risky devices in one category since attackers can leverage devices of different categories to carry out attacks. We have demonstrated this with R4IoT, an attack that starts with an IP camera (IoT), moves to a workstation (IT) and disables PLCs (OT),” researchers wrote.
Instead, “risk assessment becomes even more important for organizations as their attack surface increases with the addition of new connected devices,” the report said. “Implementing automated controls that do not rely only on security agents and that apply to the whole enterprise can help reduce risk across an organization.”
The Forescout report “highlights the need for basic mitigation steps like network segmentation and complete patching of devices. While the report focuses on IoT and OT, these threats often use Windows endpoints to propagate across shared networks, as evidenced by all-too-familiar headlines over the last few years,” said Ashley McGlone, Tanium technology strategist for manufacturing. “Some enterprises only patch critical and high vulnerabilities, ignoring the risk of chained medium and low CVEs to build attack vectors. Other enterprises patch IT machines while relegating OT Windows patching to site support that may be understaffed. Bridging cybersecurity leadership, people, processes and tools across IT, IoT and OT is essential to comprehensive visibility and mitigation of these risks.”