The Riskiest Connected Devices in Enterprise Networks
The growing number and diversity of connected devices in every industry presents new challenges for organizations to understand and manage the risks they are exposed to. Most organizations now host a combination of interconnected IT, OT and IoT devices in their networks, which has increased their attack surface.
According to a recent report by the Ponemon Institute, 65% of responding organizations say that IoT/OT devices are one of the least secured parts of their networks, while 50% say that attacks against these devices have increased. IT and IT security practitioners in 88% of those organizations report IoT devices connected to the internet, 56% report OT devices connected to the internet and 51% report the OT network connected to the IT network.
Threat actors are well aware of these trends. We recently reported on how ransomware groups have started targeting devices such as NAS, VoIP and hypervisors at scale. Not surprisingly, most of these devices were among the riskiest we identified in the 2020 Enterprise of Things Security Report.
In this blog post and in our full report, we update our findings from two years ago by analyzing millions of devices in Forescout’s Device Cloud using the Forescout Continuum Platform’s new multifactor risk scoring methodology, described below.
Many of the device types observed among the riskiest in 2020 remain in the list, such as networking equipment, VoIP, IP cameras and programmable logic controllers (PLCs). However, new entries such as hypervisors and human machine interfaces (HMIs) are representative of trends including critical vulnerabilities and increased OT connectivity.
Quantifying device cybersecurity risk
To get a dataset representative of the current device landscape in enterprise networks, we analyzed device data between January 1 and April 30 in Forescout’s Device Cloud, one of the world’s largest repositories of connected enterprise device data including IT, OT, IoT and IoMT. The anonymized data comes from Forescout customer deployments and contains information about almost 19 million devices, a number that grows daily.
To measure risk on that dataset, we rely on Forescout’s multifactor risk scoring methodology, where the risk of a device is calculated based on three factors: configuration, function and behavior.
- Configuration considers the number and severity of vulnerabilities on the device as well as the number and criticality of open ports.
- Function considers the potential impact to the organization if the device is compromised.
- Behavior considers the reputation of inbound connections to and outbound connections from the device, along with its internet exposure.
After measuring the risk of each individual device, we calculate averages per type of device to understand which types are the riskiest.
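The scoring pipeline described above, as an added example that is not Forescout's code: the factor scales, the weights and the sample inventory are assumptions chosen for illustration (the page does not publish the actual formula), but the structure is the one described, a per-device score built from configuration, function and behavior, then averaged per device type to rank the types.

```python
"""Multifactor device risk scoring and per-type ranking (illustrative).

Weights, scales and the sample inventory below are assumptions for this
example, not Forescout's published methodology.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean

# Factor weights: an assumption for this example.
W_CONFIG, W_FUNCTION, W_BEHAVIOR = 0.4, 0.3, 0.3


@dataclass
class Device:
    device_type: str
    cvss: list            # CVSS base score of each known vulnerability
    open_ports: dict      # port -> criticality in [0, 1]
    impact: float         # business impact if compromised, in [0, 1]
    bad_inbound: int      # inbound connections from low-reputation sources
    bad_outbound: int     # outbound connections to low-reputation destinations
    internet_exposed: bool


def configuration_score(d: Device) -> float:
    """Vulnerabilities (count and severity) plus open ports (count and criticality), 0..10."""
    worst = max(d.cvss, default=0.0)
    vuln = min(10.0, worst + 0.5 * max(0, len(d.cvss) - 1))  # each extra vuln adds 0.5
    ports = min(10.0, 2.0 * sum(d.open_ports.values()))
    return 0.7 * vuln + 0.3 * ports


def function_score(d: Device) -> float:
    """Potential impact to the organization if the device is compromised, 0..10."""
    return 10.0 * d.impact


def behavior_score(d: Device) -> float:
    """Reputation of inbound/outbound connections plus internet exposure, 0..10."""
    reputation = min(10.0, 2.0 * (d.bad_inbound + d.bad_outbound))
    exposure = 3.0 if d.internet_exposed else 0.0
    return min(10.0, reputation + exposure)


def device_risk(d: Device) -> float:
    """Weighted combination of the three factors for one device."""
    return (W_CONFIG * configuration_score(d)
            + W_FUNCTION * function_score(d)
            + W_BEHAVIOR * behavior_score(d))


def rank_device_types(devices):
    """Average per-device risk by device type; highest-risk type first."""
    by_type = defaultdict(list)
    for d in devices:
        by_type[d.device_type].append(device_risk(d))
    return sorted(((t, mean(s)) for t, s in by_type.items()),
                  key=lambda item: (-item[1], item[0]))


# Constructed sample inventory (not real customer data).
SAMPLE = [
    Device("Router", [9.8, 7.5], {22: 0.8, 443: 0.5, 80: 0.6}, 0.9, 1, 0, True),
    Device("Router", [], {443: 0.5}, 0.9, 0, 0, False),
    Device("Printer", [7.5], {9100: 0.7, 80: 0.6}, 0.3, 0, 0, False),
    Device("PLC", [8.6], {502: 0.9}, 1.0, 0, 0, False),
    Device("PLC", [], {502: 0.9, 80: 0.6}, 1.0, 0, 1, True),
]

if __name__ == "__main__":
    for device_type, score in rank_device_types(SAMPLE):
        print(f"{device_type:<10} {score:.2f}")
```

Note that a device with no known vulnerabilities (the second PLC) still ranks high because of its function and its exposed, low-reputation traffic; that is the point of scoring on more than the vulnerability count.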
Riskiest connected devices in 2022
Using the dataset and scoring methodology described above, we identified the five riskiest device types in each of four device categories: IT, IoT, OT and IoMT.

| Rank | IT | IoT | OT | IoMT |
|---|---|---|---|---|
| 1 | Router | IP camera | Programmable logic controller (PLC) | DICOM workstation |
| 2 | Computer | VoIP | Human machine interface (HMI) | Nuclear medicine system |
| 3 | Server | Video conferencing | Uninterruptible power supply (UPS) | Imaging |
| 4 | Wireless access point | ATM | Environment monitoring | Picture archiving and communication system (PACS) |
| 5 | Hypervisor | Printer | Building automation controller | Patient monitor |
For an analysis of what makes these devices so risky and their distribution by industry (financial, government, healthcare, manufacturing and retail) and geography (Americas; Asia-Pacific; Europe; and Middle East, Turkey and Africa), read the full report.
Takeaways and mitigation recommendations
Two recurring themes in the recent research of Vedere Labs have been the growing attack surface due to more devices being connected to enterprise networks and how threat actors leverage these devices to achieve their goals.
The attack surface now encompasses IT, IoT and OT in almost every organization, with the addition of IoMT in healthcare. It is not enough to focus defenses on risky devices in one category since attackers can leverage devices in different categories to carry out attacks. We have demonstrated this with R4IoT, an attack that starts with an IP camera (IoT), moves to a workstation (IT) and disables PLCs (OT).
You need proper risk assessment to understand how your attack surface is growing. However, assessing device risk is not easy. For instance, to determine whether a device is vulnerable or not, granular classification information is needed, such as device type, vendor, model and firmware version.
As an example, take some of the advisories issued by HP in response to the Ripple20 vulnerabilities. First, HP has multiple generations of their Integrated Lights Out (iLO) out-of-band controllers, at least one confirmed vulnerable (iLO 2) and one confirmed not vulnerable (iLO 5). Simply classifying a device as an "out-of-band controller" (function) or as an "HP iLO" (vendor and model) is not granular enough to determine if that device is vulnerable: we also need the product generation. Second, some HP printers are also vulnerable, but they receive automatic firmware updates, so determining if a printer is vulnerable depends on vendor, model and a firmware version that can change with an unscheduled update; the assessment is only as fresh as the last firmware observation. In both cases, a classification that is too coarse to apply the advisory should be reported as "unknown", not silently counted as "not vulnerable".
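The granularity problem above, as an added example that is not Forescout's or HP's code: a matcher that applies advisory rules to a device record and answers "vulnerable", "not vulnerable" or "unknown". The iLO rules mirror the page's description (iLO 2 affected, iLO 5 not affected); the printer model "PrinterModelX" and its fixed firmware version are hypothetical placeholders, not real advisory data.

```python
"""Apply advisory rules to device classification records (illustrative).

Added example. The iLO rules follow the page's description; "PrinterModelX"
and the firmware version "2.0.0" are hypothetical placeholders.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Device:
    function: str                    # e.g. "out-of-band controller", "printer"
    vendor: Optional[str] = None
    model: Optional[str] = None
    version: Optional[str] = None    # product generation, e.g. iLO "2" or "5"
    firmware: Optional[str] = None   # running firmware build, e.g. "2.0.1"


@dataclass
class Rule:
    vendor: str
    model: str
    version: Optional[str] = None          # None: rule covers every generation
    affected: bool = True
    fixed_firmware: Optional[str] = None   # firmware at or after which it is fixed


RULES = [
    Rule("HP", "iLO", version="2", affected=True),
    Rule("HP", "iLO", version="5", affected=False),
    Rule("HP", "PrinterModelX", fixed_firmware="2.0.0"),   # hypothetical printer rule
]


def _parse_version(ver: str):
    """'2.0.1' -> (2, 0, 1); raises ValueError on non-numeric parts."""
    return tuple(int(part) for part in ver.split("."))


def assess(dev: Device, rules: List[Rule]) -> str:
    """Return 'vulnerable', 'not vulnerable' or 'unknown'.

    'unknown' is returned whenever the record is not granular enough to apply
    a rule; it is never collapsed into 'not vulnerable'.
    """
    if dev.vendor is None or dev.model is None:
        return "unknown"                       # function alone cannot decide
    candidates = [r for r in rules
                  if r.vendor.lower() == dev.vendor.lower()
                  and r.model.lower() == dev.model.lower()]
    if not candidates:
        return "unknown"                       # advisory does not mention this product
    versioned = [r for r in candidates if r.version is not None]
    if versioned:
        if dev.version is None:
            return "unknown"                   # "HP iLO" without a generation
        candidates = [r for r in versioned if r.version == dev.version]
        if not candidates:
            return "unknown"                   # generation not covered by the advisory
    rule = candidates[0]
    if not rule.affected:
        return "not vulnerable"
    if rule.fixed_firmware is None:
        return "vulnerable"                    # affected, no firmware-level fix listed
    if dev.firmware is None:
        return "unknown"                       # fix exists; running build not observed
    try:
        patched = _parse_version(dev.firmware) >= _parse_version(rule.fixed_firmware)
    except ValueError:
        return "unknown"                       # unparsable firmware string
    return "not vulnerable" if patched else "vulnerable"


if __name__ == "__main__":
    for dev in [Device("out-of-band controller"),
                Device("out-of-band controller", "HP", "iLO"),
                Device("out-of-band controller", "HP", "iLO", version="2"),
                Device("printer", "HP", "PrinterModelX", firmware="1.9.3")]:
        print(dev, "->", assess(dev, RULES))
```

Because firmware can change between observations, the firmware field should carry a timestamp in a real inventory and the matcher should fall back to "unknown" once that observation is older than the vendor's update cadence.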
The Forescout Continuum Platform solves the risk assessment problem by continuously discovering, granularly classifying and assessing devices without agents or active techniques that could compromise business operations.
Once you understand your attack surface, you need to mitigate risk with automated controls that do not rely only on security agents and that apply to the whole enterprise, instead of silos like the IT network, the OT network or specific types of IoT devices.
Forescout Continuum enables these types of controls by accelerating the design and deployment of dynamic network segmentation across the digital terrain while also automating policy enforcement by enabling countermeasures to mitigate threats, incidents and compliance gaps.
Understand what makes the riskiest connected devices so risky. Then strive for full visibility into how many are connecting to your digital terrain so you can secure your attack surface.