Investment in the Internet of Things (IoT) is booming. By 2027 it’s predicted that there will be around 30 billion IoT devices globally, double the number from 2022. IoT isn’t new but its growing popularity is down to companies being able to automate processes and reduce labor costs during a time when operational spend is at its greatest.
All great stuff, but on the flip side, the more interconnected your environment, the greater the attack surface for cyber gangs to compromise. Each connected IoT device offers a possible entry point for hackers and malicious threat actors, through misconfigurations and other unpatched errors. Just last month Microsoft uncovered instances of cryptojacking via compromised Linux-based IoT devices: an online threat that embeds itself within a device and uses its resources to mine cryptocurrency, also known as cryptomining.
Nor are attacks against Linux systems the only vulnerabilities being exploited. Today, instead of developing custom Linux kernels for IoT devices, manufacturers are saving development time and costs by using commercial off-the-shelf (COTS) operating systems designed especially for IoT and other low-resource systems, such as Windows Embedded and Windows IoT, minimal versions of the regular Windows operating systems. Indeed, today the vast majority of new healthcare IoT systems, including hospital medical devices, run on Windows Embedded or Windows IoT.
Richard Staynings is Chief Security Strategist at Cylera.
IoT by itself would not normally be a problem, but medical and other healthcare IoT systems have a long development, test, and approval period, followed in some cases by a 10- or 15-year expected lifespan and amortization schedule. This leads to the wide use in hospitals of technologies that are up to 20 years old, some of which are no longer supported by their creators or patched against security vulnerabilities.
An example of this is the broad usage of Windows XP and Windows 7 in their embedded forms across medical devices today. While Microsoft provided extended support for the embedded versions of its operating systems long after retiring the PC versions, their security vulnerabilities are no longer being patched. This makes older systems easy prey for attackers, with a large number of exploits readily available to compromise them. Seventy percent of medical devices are believed to be currently running unsupported Windows operating systems. Indeed, many of the medical devices attached to hospital networks have become the easy ingress point for attackers. This has resulted in at least some health systems being compromised from an initial foothold established in an unpatched medical device.
Hospitals have hundreds or thousands of IoT medical devices connected to their networks with little to no segmentation from their critical health IT systems. This leads to major security concerns.
“Medical devices create problems for organizations that don't understand how to secure them,” said Larry Ponemon, founder and chairman of the Ponemon Institute in a recent report. “Based on our study, and other studies conducted, the weakest link in the security chain within healthcare is managing these devices, because it's not one device. It's hundreds of devices.”
The same is true for other uses of IoT in the home, at the office, in the factory, or at school. Anything that connects to the internet that is not periodically tested and patched against vulnerabilities is just waiting to be attacked and compromised.
Unlike the makers of PCs, Macs, iPads, and smartphones, most IoT manufacturers were until recently under no obligation to test their devices or release patches for them. This is especially so for consumer devices. Once you purchase a consumer device, you are on your own. The business model of these manufacturers is based entirely upon sales, with limited or no support included. Some may for a time provide patches and updates, but few owners of devices would know where to look for an update or how to install it. Even fewer could probably be bothered to do so. When that IoT device becomes so compromised it no longer works, customers consign it to a landfill and purchase a newer, faster, more secure model, and the cycle continues.
The trouble starts when we connect IoT to the same network that we use for our PCs, Macs and other computing devices. An easily compromised IoT gadget can quickly lead to a compromised office laptop or home PC. This is exactly how criminals are able to break into our homes and hold our digital photo collection hostage to ransomware. It’s also the way that many attackers are able to springboard from a compromised home office PC or laptop and its active VPN to infect the main corporate network and hold the entire company to ransom. All it takes is a home IoT camera doorbell or connected thermostat to accomplish that. The key here is to connect IoT devices only to your guest network, so that they have no connectivity to the firewalled local area network and your Mac or PC.
Securing the IoT supply chain
The risk of being compromised via IoT devices is greater still with the growing threat of cyber warfare from hostile states such as Russia and China. In fact, nearly every connected IT or IoT device today has some component that is manufactured in the People’s Republic of China (PRC), a country that is now widely regarded as an economic, political, and potential military adversary of most of the western democratic world including the UK.
Most IoT devices are assembled from large catalogues of components produced in China to Taiwanese, Korean and Japanese design. This may include separate modules that provide wireless connectivity, Bluetooth, a camera, a network interface, and others. But these modules are manufactured under license in the PRC to supply both domestic and international needs.
Given fears and a growing paranoia in the PRC leadership about a counter-revolution against the ruling Chinese Communist Party (CCP), and given that China spends almost twice as much on internal domestic security as it does on external national defense, many IoT components destined for the domestic market are purposely backdoored to allow the Chinese Ministry of State Security (MSS) access to these systems so that the population can be easily watched and monitored. Many of these same backdoored components are exported or used in the assembly of medical and other IoT devices destined for the rest of the world.
While these backdoors present yet another security vulnerability, some at least appear to be purposeful, supporting China’s prolific and growing cyber espionage campaign against western critical infrastructure. China has long used its position as a global manufacturer to build back doors into critical systems destined for the west, including a recent case, reported by Bloomberg, in which server motherboards destined for the US Congress were manufactured with a spy chip embedded in a hidden substrate.
This is one of the primary reasons why providers of critical national infrastructure in the UK and elsewhere are de-risking their supply chains and looking carefully at the origins and security of components used in their control and other systems.
Ignorance is bliss
Few people in the west realize that their Google, Amazon or Apple smart speaker is listening to their every conversation, or that their internet-connected home thermostat or camera doorbell can easily be used to gain a foothold on their home network – the same network that connects to their business, school, or government department via a VPN. IoT is the weak link and the easy ingress opportunity for hackers and other cyber criminals, whether a nation-state spy agency, an organized crime syndicate, or an opportunistic hacker.
IoT is not designed to be secure. It is designed primarily to fulfil a functional purpose. Once a device is produced, rarely does anyone at the manufacturer look at testing for and publishing disclosures of security vulnerabilities. Nor are patches produced in a timely manner to remedy discovered vulnerabilities, even when exploits are published and widely available. In fact, many IoT devices are never patched for their entire lifespan. Connected to the same network as IT systems, unsegmented IoT offers an easy ingress opportunity for hackers.
The need for new regulations
This is about to change, however, for new medical devices approved from October 2023 under new FDA rules in the United States, which will likely be mirrored in the UK, EU, and ANZ. The new rules require new medical devices to be designed securely, and manufacturers to test for and publish vulnerabilities and any associated patches in a timely manner. But these new rules only apply to new devices, not to the millions of legacy devices already approved or in use. These devices will be connected for at least the next decade or more, thus continuing to pose a security risk. For these devices, other security measures will be necessary to prevent them from becoming easy attack vectors against healthcare providers.
Since many legacy medical devices lack approved patches from vendors (some of which may no longer be in business), and applying a non-vendor-approved patch may invalidate any remaining vendor warranties, healthcare providers are trapped between a rock and a hard place. Should they patch published Windows and Linux security vulnerabilities themselves, place their faith in manufacturers to release timely patches, or look elsewhere to secure their connected IoT?
The reality is probably a combination of all three, but building and testing a patch for critical infrastructure such as a hospital is not quick or easy, even if providers have the expertise on staff to do so. Meanwhile, manufacturers can take months or years to release patches, leaving hospitals vulnerable to cyberattack in the meantime.
Compensating security controls
The solution is to introduce additional ‘compensating security controls’. These are auditor-approved risk remediation measures that reduce the risk of attack while patches are being developed, or while systems are decommissioned and replaced with new ones. For medical devices, the most effective compensating security control is ‘enclaving’ or ‘network segmentation’ of at-risk connected systems, so that only legitimate ‘approved’ network traffic is permitted to and from at-risk devices. This is most easily accomplished via Network Access Control (NAC) tools, often already owned by the healthcare provider and usually bundled in their enterprise network license. Examples of NAC include Cisco ISE, Aruba ClearPass, Extreme NAC, and PAN Cortex, among others.
Alternatively, a provider could implement an internal firewall to protect a number of medical devices, using access control lists (ACLs) similar to those used in NAC tools. This, however, is labour-intensive and expensive to maintain. The difficulty for both, though, is understanding what those rule sets need to look like for each endpoint device. Typical rule sets would include the IP addresses of host and recipient, and the TCP ports and network protocols needed by a medical device to communicate with a RIS/PACS or the EMR/EPR, for example.
Essentially, healthcare providers adopt a Zero Trust approach to communication with at-risk medical devices, which are, in effect, then locked down. This minimises the attack surface, since all non-approved inbound and outbound network traffic is dropped at the switch port or firewall. The difficulty is in profiling each medical device accurately, so that legitimate traffic is permitted by the rules while everything else is blocked.
New AI tools built for purpose
This is where the latest generation of IoMT security solutions comes into play, by accurately identifying, profiling and risk-assessing medical devices connected to hospital networks and capturing their legitimate communication needs. In England it is now a requirement for all trusts to report DSPT vulnerabilities to NHS England. In the US it’s a requirement under HIPAA.
To be successful at this, however, these tools need high levels of fidelity, based upon real-time investigation, observation and in-depth understanding of each device type and model version. This is where machine learning comes into play, automating the entire process via a constantly running datatype analysis process using a risk emulation engine. This results not only in the identification of connected assets and the risks each presents to patients and the medical network, but also in the communication profile of each IoT device.
With this profile in hand, NAC technologies can then automatically micro-segment networks to protect vulnerable IoT devices and safely permit their continued use on patients until finances are available to eventually retire the device. This has saved NHS trusts millions of pounds in equipment replacement and helped to reduce the cyber threat surface for hospitals and clinics.
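The workflow described in the last two sections (observe a device's legitimate traffic, turn that profile into a default-deny rule set, and enforce it at the switch port or firewall) can be sketched in a few dozen lines. The following Python is an added example; it is not code from the article, from Cylera, or from any NAC vendor. Every address, port and flow count is constructed for illustration, the DICOM and HL7 port choices are assumptions, the ACL text is a vendor-neutral sketch rather than any product's exact syntax, and a simple observation-count threshold stands in for the machine-learning profiling the article describes.

```python
"""
Added example (not from the article or from Cylera): derive a communication
profile for a medical device from observed network flows, render it as a
default-deny allowlist of the kind a NAC or internal firewall enforces, and
check later traffic against it. All addresses, ports and counts below are
constructed; the ACL text is a vendor-neutral sketch.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str    # device address
    dst: str    # peer address
    proto: str  # "tcp" or "udp"
    dport: int  # destination port on the peer
    count: int  # times this flow was seen in the learning window


# Constructed learning-window observations for one imaging modality.
# Port choices follow common conventions (DICOM to PACS on TCP/104,
# HL7 over MLLP to the EMR on TCP/2575) but are assumptions for this example.
OBSERVED = [
    Flow("10.20.5.17", "10.20.1.10", "tcp", 104, 412),   # DICOM C-STORE to PACS
    Flow("10.20.5.17", "10.20.1.20", "tcp", 2575, 96),   # HL7 results to EMR
    Flow("10.20.5.17", "10.20.0.53", "udp", 53, 230),    # DNS
    Flow("10.20.5.17", "10.20.0.123", "udp", 123, 48),   # NTP
    Flow("10.20.5.17", "10.20.1.10", "tcp", 445, 1),     # single SMB attempt: noise
]

MIN_OBSERVATIONS = 3  # a (peer, proto, port) seen fewer times than this is not learned


def build_profile(flows, min_count=MIN_OBSERVATIONS):
    """Return {device: {(peer, proto, dport), ...}} containing only tuples
    observed at least min_count times. The threshold is a stand-in for the
    device-profiling step that the article attributes to ML-based tools."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f.src, f.dst, f.proto, f.dport)] += f.count
    profile = defaultdict(set)
    for (src, dst, proto, dport), n in totals.items():
        if n >= min_count:
            profile[src].add((dst, proto, dport))
    return dict(profile)


def to_acl(profile):
    """Render the profile as permit rules followed by explicit, logged denies
    in both directions. Return traffic for permitted sessions is left to the
    stateful inspection of the enforcing switch or firewall."""
    lines = []
    for dev in sorted(profile):
        for dst, proto, dport in sorted(profile[dev]):
            lines.append(f"permit {proto} host {dev} host {dst} eq {dport}")
        lines.append(f"deny ip host {dev} any log")   # device-initiated, unprofiled
        lines.append(f"deny ip any host {dev} log")   # inbound, unsolicited
    return lines


def is_permitted(profile, src, dst, proto, dport):
    """Zero Trust decision: allow only an exact (peer, proto, port) match."""
    return (dst, proto, dport) in profile.get(src, set())


def audit(profile, flows):
    """Classify flows against the profile; denied flows are alert candidates."""
    permitted, denied = [], []
    for f in flows:
        (permitted if is_permitted(profile, f.src, f.dst, f.proto, f.dport)
         else denied).append(f)
    return permitted, denied


if __name__ == "__main__":
    prof = build_profile(OBSERVED)
    print("\n".join(to_acl(prof)))
    # Constructed post-deployment traffic: one normal DICOM transfer and one
    # attempt to reach an unrelated workstation, which the profile blocks.
    later = [
        Flow("10.20.5.17", "10.20.1.10", "tcp", 104, 1),
        Flow("10.20.5.17", "10.20.7.42", "tcp", 3389, 1),
    ]
    ok, blocked = audit(prof, later)
    print(f"permitted={len(ok)} denied={len(blocked)}")
```

Two design points matter in practice. The learning window must be long enough to catch infrequent but legitimate flows (a monthly report upload, a vendor maintenance session), otherwise the rule set breaks the device the first time that traffic recurs; and the single SMB attempt that the threshold discards is exactly the kind of thing the logged deny lines should surface afterwards, since an unexpected flow from a medical device is a detection signal, not just noise to be dropped.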
With experts estimating that the cost of cybercrime to businesses will reach $10.5tn by 2025, which would make it the third-biggest economy after the US and China, knowing how to secure your IoT network is essential to business privacy and security. In healthcare and for the NHS, the concern is more than money: it’s about keeping patients safe and hospitals open.
Richard Staynings is Chief Security Strategist at Cylera, Global leaders in IoT, IoMT and medical device cybersecurity solutions.