IoT Security Strategies for Businesses Utilizing Internet of Things Devices

Reducing threats from enterprise IoT devices requires monitoring tools, software vulnerability testing, and cybersecurity measures, including network segmentation.

Freeman Health System has approximately 8,000 connected medical devices across 30 facilities in Missouri, Oklahoma, and Kansas. Many of those devices could pose a fatal risk to patients if they were attacked, said the health system’s CIO Skip Rollins. “This is the apocalyptic scenario everyone fears.”

Rollins hopes to scan these devices for vulnerabilities and install security software to ensure they are not hacked. However, this is difficult to achieve.

He said, “Vendors in the medical field often do not cooperate well; they all have proprietary operating systems and proprietary tools. We cannot scan these devices, nor can we install security software on them. We cannot see what they are doing, and the vendors have set it up that way intentionally.”

He said, “Vendors claim their products and systems are not susceptible to cyberattacks. Then we say, ‘Let’s write these commitments into the contract.’ But they usually refuse.”

This is because these devices may be full of vulnerabilities. According to a survey report released earlier this year by medical cybersecurity firm Cynerio, 53% of medical devices have at least one critical vulnerability. For example, devices often come with default passwords and settings that cyber attackers can easily find online or run outdated, unsupported versions of Windows.

Cyber attackers are continuously launching attacks; according to a research report published last fall by the Ponemon Institute, attacks on IoT or medical devices accounted for 21% of all healthcare vulnerabilities, the same proportion as phishing attacks.

Like other healthcare providers, Freeman Health System is trying to get device vendors to take security more seriously, but so far it has been unsuccessful. Rollins said, “Our vendors are not working with us to solve this problem; this is their proprietary business model.”

As a result, some devices sit in publicly accessible areas, some have exposed USB ports, and all of them are connected to the network, yet the hospital cannot fix their security problems directly.

With tight budgets, hospitals cannot demand that vendors replace old devices even when newer, more secure alternatives exist. Freeman Health System therefore relies on network-based mitigations and other measures to reduce the risk.

Rollins said, “We monitor incoming and outgoing traffic.” They use traffic monitoring tools provided by Ordr. Communication with suspicious locations may be blocked by firewalls, while lateral movement to other hospital systems is restricted by network segmentation.

He said, “But that does not mean that medical devices won’t be compromised in the process of caring for patients.”

To complicate matters further, blocking these devices from communicating with other countries and regions may result in critical updates not being installed.

He noted, “Devices from other countries are not uncommon, as some components are produced worldwide.”

Rollins said that in practice he has not encountered a case where anyone tried to cause physical harm to patients by hacking medical devices. He said, “At least today, most hackers are motivated by profit rather than harming others.” However, a nation-state attack along the lines of SolarWinds, but aimed at medical devices, could cause immeasurable damage.

He said, “Most medical devices connect back to a central device, forming a hub-and-spoke network. If they compromise these networks, they will disrupt the tools we use to care for patients. This is a real threat.”

IoT Visibility Struggles

The first challenge of IoT security is identifying which devices exist in the enterprise environment. Devices are often installed by individual business units or employees and fall under the authority of operations, building maintenance, and other departments rather than IT.

Many enterprises do not have a single person responsible for the security of IoT devices. Doug Clifton, who leads Ernst & Young’s OT and IT practice in the Americas, stated that appointing someone is the first step in getting the issue under control.

The second step is finding the devices. Forrester analyst Paddy Harrington stated that several vendors offer network scanning services to help enterprises do this. Devices from Check Point, Palo Alto, and others can continuously run passive scans and automatically apply security policies when new devices are detected. He said, “This won’t solve all problems, but it’s a step in the right direction.”

However, some devices do not fall neatly into known categories and are hard to classify. Clifton said, “There is an 80/20 rule. 80% of devices can be collected through technology. For the remaining 20%, some investigative work is required.”

Harrington said that enterprises without IoT scanning tools should negotiate with their existing security vendors. He stated, “They can find out if they have security products that, while not the best in class, can help narrow the gap, and users do not need to have a lot of new infrastructure.”

May Wang, Chief Technology Officer for IoT Security at Palo Alto, noted that enterprises often use spreadsheets to track IoT devices. Each business area may have its own list. She said, “When patients go to the hospital, they receive spreadsheets from the IT department, facilities department, and biomedical equipment department; these three spreadsheets are different and show different devices.”

When Palo Alto scans the operational environment for devices, these lists often fall short—sometimes by an order of magnitude. May Wang noted that many devices are legacy devices installed before IoT devices were considered security threats. She said, “Traditional cybersecurity systems cannot see these devices, and conventional methods of protecting these devices do not work.”

Until all devices are identified, enterprises cannot apply endpoint security or vulnerability management to them. Palo Alto is now integrating machine learning-driven IoT device detection into its next-generation firewalls.

May Wang said, “We can tell users what types of devices, hardware, software, operating systems, and protocols are being used. Palo Alto’s systems cannot detect and retrieve all information about each device. For some of these devices, the details may not be as comprehensive, but we can obtain most of the information for the majority of devices. This provides visibility into the devices.”

Depending on how the technology is deployed, Palo Alto can also profile devices based on their internal and lateral communications and suggest, or automatically apply, security policies for newly discovered devices.

When IoT devices use cellular communication, this creates a larger problem. She said, “Many IoT devices are 5G devices, and using cellular communication will become a bigger issue; we thus have a department responsible for 5G security, which undoubtedly brings more challenges.”

Internal Insights of IoT

Once IoT devices are reliably discovered and counted, they need to be managed and protected as strictly as other network devices. This requires configuration management, vulnerability scanning, traffic monitoring, and other functions.

Even devices not connected to external networks can become intermediate gathering points or hiding places for attackers moving laterally within the enterprise.

A year ago, H.I.G. Capital’s Chief Information Officer Marcos Marrero faced such a dilemma.

The company is a global investor managing over $50 billion in equity, with 26 offices worldwide. The company operates hundreds of devices on its network, such as cameras, physical security devices, and sensors monitoring temperature and power in the server room. Marrero stated that IoT device security is a huge issue and continues to evolve.

As a financial company, H.I.G. Capital has a strong security awareness, and its security team oversees every device installed on its network. Marrero said, “Fortunately, we have not encountered any IoT threats in our operational environment. But being able to locate devices is just the beginning of this journey, followed by visibility of vulnerabilities and configurations.”

About a year ago, Marrero ran a vulnerability scan on one of the room’s alarm devices and found an unauthenticated open port. The company contacted the alarm device manufacturer and received instructions on how to harden the device. He said, “But we had to ask the manufacturer for more detailed information.”

He said that the vulnerability scanner the company runs only looks at devices from the outside, discovering open ports and operating system types but little else. He said, “There are many vulnerabilities in the open-source software used in these devices.”

To address this issue, H.I.G. Capital turned to Netrise’s firmware scanning tool.

Marrero said, “We did a proof of concept, uploaded a firmware image, and it returned all the vulnerability data and other information.”

Uploading an image is a manual process that takes a few minutes per image. Because many similar devices share the same firmware image, the company uploaded fewer than 20 images in total. The result of the scan was that the company’s vulnerability list grew by 28%.
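The firmware scan described above works, in outline, by matching the software components found in an image against a feed of known vulnerabilities with affected version ranges. The following is an added example of that matching logic, not Netrise’s tool or its output; the component lists, the advisory feed, and the advisory ids are constructed placeholders, and versions are assumed to be dotted integers so they can be compared as tuples. It also gates a vendor update the way the company later does, refusing deployment when a high-severity finding is present.

```python
"""Match components found in a firmware image against a vulnerability feed.

Added example: not Netrise's tool and not its data. The component lists and
the advisory feed are constructed; advisory ids are placeholders, not real
CVEs. Versions are assumed to be dotted integers so they compare as tuples.
"""
from typing import Dict, Iterable, List, Tuple

Version = Tuple[int, ...]
Component = Tuple[str, str]  # (name, version)


def parse_version(v: str) -> Version:
    """'1.2.11' -> (1, 2, 11); tuples compare element-wise, as versions should."""
    return tuple(int(p) for p in v.split("."))


# Constructed advisory feed. A component is affected when
# introduced <= version < fixed_in for its entry.
ADVISORIES: List[Dict[str, str]] = [
    {"id": "ADV-EXAMPLE-1", "component": "busybox", "introduced": "1.0.0",
     "fixed_in": "1.33.0", "severity": "high"},
    {"id": "ADV-EXAMPLE-2", "component": "zlib", "introduced": "1.2.0",
     "fixed_in": "1.2.12", "severity": "high"},
    {"id": "ADV-EXAMPLE-3", "component": "dropbear", "introduced": "2016.72",
     "fixed_in": "2019.78", "severity": "medium"},
    {"id": "ADV-EXAMPLE-4", "component": "openssl", "introduced": "1.0.0",
     "fixed_in": "1.1.1", "severity": "high"},
]

# Constructed: components a firmware scanner might extract from two images
# of the same device, the one in service and a vendor update.
IMAGE_IN_SERVICE: List[Component] = [
    ("busybox", "1.30.1"), ("zlib", "1.2.11"),
    ("dropbear", "2017.75"), ("lighttpd", "1.4.55"),
]
IMAGE_VENDOR_UPDATE: List[Component] = [
    ("busybox", "1.36.1"), ("zlib", "1.2.13"),
    ("dropbear", "2022.83"), ("lighttpd", "1.4.55"),
]


def is_affected(version: str, adv: Dict[str, str]) -> bool:
    v = parse_version(version)
    return parse_version(adv["introduced"]) <= v < parse_version(adv["fixed_in"])


def scan_components(components: Iterable[Component],
                    advisories: List[Dict[str, str]] = ADVISORIES) -> List[dict]:
    """One finding per (component, advisory) pair whose version range matches."""
    findings = []
    for name, version in components:
        for adv in advisories:
            if adv["component"] == name and is_affected(version, adv):
                findings.append({"component": name, "version": version,
                                 "advisory": adv["id"], "severity": adv["severity"]})
    return findings


def approve_for_deployment(components: Iterable[Component],
                           advisories: List[Dict[str, str]] = ADVISORIES,
                           block_on: Tuple[str, ...] = ("high",)) -> bool:
    """Gate for a vendor update: refuse if any finding has a blocked severity."""
    return not any(f["severity"] in block_on
                   for f in scan_components(components, advisories))


if __name__ == "__main__":
    for label, image in (("in service", IMAGE_IN_SERVICE),
                         ("vendor update", IMAGE_VENDOR_UPDATE)):
        print(f"{label}: {len(scan_components(image))} findings, "
              f"approved={approve_for_deployment(image)}")
```

The point of the range comparison is that a component is rarely listed by exact version in a feed; an image that is two years old can pick up several findings per component, which is how a handful of images can enlarge an enterprise vulnerability list by a large fraction.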

He said, “We did not know they existed in our operational environment, so there were many vulnerabilities.”

After discovering vulnerabilities, H.I.G. Capital contacted the device vendor and took other remedial measures. He said, “If a device is too dangerous and poses too great a risk to our environment, it may be removed or subjected to additional controls.”

For example, some devices are segmented on the network, using access control lists to restrict what other systems and users can access on that device. He said, “For instance, security cameras can only communicate with the technical assets supporting that device, which limits the risk of any misuse.”

Since then, every firmware update is run through the Netrise tool before deployment, to catch any new vulnerabilities the manufacturer introduces. The company’s other IoT management policies include security checks during the initial purchasing decision.

He said, “Before we purchase any asset, we need to ensure they have some level of logging that I can send to a centralized logging environment.” He referred to the company’s Security Information and Event Management (SIEM) system.

He said, “What our SIEM does is collect all the different logs we send to it and correlate them to reduce the level of false positives.”
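As an added illustration of the correlation Marrero describes (this is not H.I.G. Capital’s SIEM content), the example below combines two log sources: a firewall deny on its own is treated as noise, but a deny to a non-RFC 1918 address within ten minutes of an administrator login on the same IoT device produces one alert. The log lines, the IP-to-device inventory, and the ten-minute window are constructed assumptions; the external addresses come from the IANA documentation ranges, which is why "internal" is defined explicitly as RFC 1918 space rather than by Python’s `is_private` check.

```python
"""Correlate firewall denies with device audit logs to cut false positives.

Added example, not H.I.G. Capital's SIEM rules. A lone firewall deny from an
IoT device is noise; a deny to an external address within WINDOW of an admin
login on the same device is worth an alert. All log lines and the inventory
below are constructed for illustration.
"""
import ipaddress
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed inventory: device address -> device name.
INVENTORY: Dict[str, str] = {"10.30.0.12": "camera-03", "10.20.0.7": "thermostat-17"}

# Constructed log lines from two sources: firewall syslog and forwarded device audit logs.
# External addresses are from the IANA documentation ranges (TEST-NET-2/3).
LOG_LINES: List[str] = [
    "2024-05-01T09:58:40Z camera-03 audit: admin login from 10.30.0.99 result=success",
    "2024-05-01T10:00:03Z fw01 DENY src=10.30.0.12 dst=198.51.100.7 dport=4444 proto=tcp",
    "2024-05-01T10:02:11Z fw01 DENY src=10.20.0.7 dst=203.0.113.5 dport=123 proto=udp",
    "2024-05-01T11:30:00Z fw01 DENY src=10.30.0.12 dst=10.20.0.5 dport=8883 proto=tcp",
]

FW_RE = re.compile(r"^(\S+) fw\d+ DENY src=(\S+) dst=(\S+) dport=(\d+)")
AUDIT_RE = re.compile(r"^(\S+) (\S+) audit: admin login from \S+ result=success")
WINDOW = timedelta(minutes=10)  # assumed correlation window
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

Event = Tuple[datetime, str, str, str]  # (time, device, kind, detail)


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_events(lines: List[str]) -> List[Event]:
    """Normalise both sources into one time-ordered event stream keyed by device name."""
    events: List[Event] = []
    for line in lines:
        m = FW_RE.match(line)
        if m:
            ts, src, dst, dport = m.groups()
            events.append((_ts(ts), INVENTORY.get(src, src), "deny", f"{dst}:{dport}"))
            continue
        m = AUDIT_RE.match(line)
        if m:
            ts, dev = m.groups()
            events.append((_ts(ts), dev, "admin_login", ""))
    return sorted(events)


def correlate(lines: List[str]) -> List[dict]:
    """One alert per external-destination deny that follows an admin login within WINDOW."""
    last_login: Dict[str, datetime] = {}
    alerts: List[dict] = []
    for when, dev, kind, detail in parse_events(lines):
        if kind == "admin_login":
            last_login[dev] = when
        elif kind == "deny":
            if is_internal(detail.split(":")[0]):
                continue  # east-west denies are handled by segmentation, not this rule
            login = last_login.get(dev)
            if login is not None and timedelta(0) <= when - login <= WINDOW:
                alerts.append({"device": dev, "login_at": login.isoformat(), "deny": detail})
    return alerts


if __name__ == "__main__":
    for alert in correlate(LOG_LINES):
        print("ALERT", alert)
```

Of the three denies in the sample, only the camera’s is raised: the thermostat’s external deny has no preceding login, and the camera’s later deny is to an internal host and belongs to the segmentation rules rather than this one.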

He said the company occasionally encounters devices with very immature logging levels.

Monitoring and Supervision

Once all devices are identified, classified by risk, and patched and updated as much as possible, the next step is to create a monitoring framework around the devices that could cause the most harm to the enterprise.

In some cases, enterprises may be able to install endpoint protection software on IoT devices to protect them from malicious attacks, monitor configurations and settings, ensure they have been fully patched, and monitor for abnormal activities. For some older or proprietary devices (such as medical devices), this may be impossible.

When devices connect to the enterprise network, their communications can be monitored to detect suspicious activity.

Some enterprises have made breakthroughs in IoT security. According to data released by Palo Alto, 98% of IoT traffic is unencrypted. Additionally, IoT devices often do the same things repeatedly.

May Wang from Palo Alto said, “Take thermostats, for example; their function is just to record temperature, and nothing more. They should not communicate with other servers. This is a good thing—it makes it easier to establish behavioral baselines for AI models.”
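The baselining May Wang describes, and the traffic monitoring Rollins relies on earlier in the article, both come down to learning what each device normally talks to and flagging anything else. The following is an added example of that idea, not code from Ordr, Palo Alto Networks, or the article: it learns a per-device set of (destination, protocol, port) tuples from a training window of constructed flow records, reports later flows that fall outside the set or come from a device that was never inventoried, and renders the learned baseline as allow rules of the kind a segmentation ACL would enforce. Device names, addresses, and the flows themselves are constructed.

```python
"""Behavioral baseline for low-variety IoT devices.

Added example, not code from the article, Ordr or Palo Alto Networks.
Learns, per device, the set of (destination, protocol, port) tuples seen
during a training window, then flags later flows outside that baseline.
All flow records below are constructed for illustration.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

Flow = Tuple[str, str, str, int]          # (device_id, dst_ip, proto, dst_port)
Baseline = Dict[str, Set[Tuple[str, str, int]]]

# Constructed training window: a thermostat that only talks to its controller
# and an NTP server, and a camera that only talks to its recorder.
TRAINING_FLOWS: List[Flow] = [
    ("thermostat-17", "10.20.0.5", "tcp", 8883),
    ("thermostat-17", "10.20.0.5", "tcp", 8883),
    ("thermostat-17", "10.20.0.9", "udp", 123),
    ("camera-03", "10.30.0.2", "tcp", 554),
    ("camera-03", "10.30.0.2", "tcp", 443),
]

# Constructed live flows: one normal, one to an unexpected external host
# (documentation range), one lateral, and one from an uninventoried device.
LIVE_FLOWS: List[Flow] = [
    ("thermostat-17", "10.20.0.5", "tcp", 8883),
    ("thermostat-17", "203.0.113.44", "tcp", 443),
    ("camera-03", "10.20.0.5", "tcp", 8883),
    ("printer-01", "10.40.0.1", "tcp", 631),
]


def build_baseline(flows: Iterable[Flow]) -> Baseline:
    """Record every (dst, proto, port) tuple each device used during training."""
    baseline: Baseline = defaultdict(set)
    for dev, dst, proto, port in flows:
        baseline[dev].add((dst, proto, port))
    return dict(baseline)


def find_deviations(baseline: Baseline, flows: Iterable[Flow]) -> List[dict]:
    """One finding per flow outside its device's baseline.

    A device with no baseline at all is reported too: until it has been
    inventoried, nothing it does can be judged normal."""
    findings: List[dict] = []
    for dev, dst, proto, port in flows:
        known = baseline.get(dev)
        if known is None:
            reason = "unknown-device"
        elif (dst, proto, port) not in known:
            reason = "outside-baseline"
        else:
            continue
        findings.append({"device": dev, "dst": dst, "proto": proto,
                         "port": port, "reason": reason})
    return findings


def allow_rules(baseline: Baseline) -> List[str]:
    """Render the baseline as allow rules, the static form a segmentation ACL enforces."""
    rules = []
    for dev in sorted(baseline):
        for dst, proto, port in sorted(baseline[dev]):
            rules.append(f"allow {dev} -> {dst} {proto}/{port}")
    return rules


if __name__ == "__main__":
    base = build_baseline(TRAINING_FLOWS)
    print("\n".join(allow_rules(base)))
    for finding in find_deviations(base, LIVE_FLOWS):
        print("DEVIATION", finding)
```

The small, stable baseline is what makes the thermostat easy to defend: it learns three tuples, so a first-ever connection to an outside host stands out immediately, whereas the same approach on a general-purpose workstation would produce a baseline too broad to be useful.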

The Future of IoT and Zero Trust

As enterprises move towards a zero-trust architecture, it is important not to forget connected devices.

Zero-trust principles and secure-by-design practices are applied to harden devices and the applications that depend on them. Srinivas Kumar, Vice President of IoT Solutions at security vendor DigiCert, stated that this begins with protective controls such as device identification and authentication, as well as trusted device updates backed by tamper-proof supply-chain protections. He added that communication also needs to be secured.

Wi-SUN is one of the industry organizations that protect IoT devices by creating certification and encryption standards. Established about a decade ago, it focuses on devices used by utility companies, smart cities, and agriculture.

Security measures built into the Wi-SUN standard include verifying the device’s certificate when it connects to the network, encrypting all messages so they remain private, and integrity checks on messages to prevent man-in-the-middle attacks.

Rising geopolitical tensions mean that protecting these instruments and the other critical devices that run key infrastructure is becoming increasingly urgent. Wi-SUN President and CEO Phil Beecher stated, “If structural integrity sensors are installed on bridges or railway tracks, if someone compromises all the sensors, it will throw the city into massive chaos.”

David Nosibor, Head of Platform Solutions and Project Lead for SafeCyber at UL Solutions, said this is just the beginning. He said, “From supply chain disruptions to loss of food, water, or electricity, these impacts can be widespread.”

He said that, at the same time, cyber attackers are becoming increasingly sophisticated, and many enterprise staff lack cybersecurity expertise. Additionally, as lawmakers become aware of the risks, a wave of regulation is on the horizon.

Nosibor said, “These challenges are interrelated. Unfortunately, many enterprises struggle to cope with this complexity.”

Copyright Statement: This article is compiled by D1Net, and reprints must indicate at the beginning of the article that the source is D1Net. If not stated, D1Net reserves the right to pursue legal responsibility. Cover image source: Shetu Network.

(Source: D1Net)
