In a landscape full of high-profile data breaches, such as Yahoo and Tesco Bank, we’re seeing more and more organisations looking to bolster their defences in order to protect their business-critical assets. However, are organisations overlooking the smaller, intermediate devices in their network that could provide an access point for the craftier cybercriminal?
One example would be that of water pumps in flood defences, which might seem a non-obvious point of entry. However, industrial processes and individual water pumps are increasingly becoming internet-enabled so they can be controlled from one central point in the network. One compromised pump on its own may not change the world. However, if a series of these could be controlled, this could prove disastrous to the community the plant serves. Moreover, if the infrastructure is not protected at every level, this small, intermediate pump could become a gateway, granting access all the way up to sensitive data and mission controls.
To prioritise defending non-obvious assets, businesses need to ask themselves – if someone were to gain access to this device, where would the network take them? Exploring this further, we look at a selection of intermediate devices that organisations often overlook.
If Oracle’s breach last year is anything to go by, Point of Sale (POS) systems are one of the most critical intermediate devices to secure in your network, especially in retail. In the case of the Oracle incident, the company announced that malicious code had been found in the payments system and it was unknown if the cybercriminals were able to decrypt the card data or use it to steal money.
Thankfully, Oracle’s corporate network and its other cloud service offerings were not affected. Much like the water pump example, this shows the potential route a simple payments platform could have into your wider network if left unprotected.
Small IoT devices
According to recent research, 73% of IT professionals are concerned that they will fall foul of a sensitive breach occurring in the next 12 months via a connected device. This is a concern as each connected device has an administrative back door into a network that poses a risk, and many are left unsecured. Half of the IT professionals admitted that they don’t have a process for changing default passwords on these IoT devices, which could potentially give hackers easy access to the entire corporate network.
Last year’s Dyn DDoS attack was a huge wake-up call for the dangers of unsecured connected devices. Thousands of internet-connected CCTV cameras were infected with Mirai malware, making them into a botnet, most likely the largest of its kind, which flooded sites with traffic, taking down most of America’s internet connections. The threat of IoT is two-fold: not only can unsecured devices give a cybercriminal access to your network, but they could potentially take out websites across the globe.
Additionally, companies that are caught up in the rush of digital transformation are potentially putting themselves at risk. Organisations that connect legacy devices to the internet to take advantage of the huge benefits available can cause a wider security issue, as these systems run on older software versions that aren’t always supported and are difficult to patch. It is a growing trend that in the rush to make everything “internet-enabled”, security can sometimes be overlooked. Businesses must ensure they aren’t creating or opening a backdoor into the network accidentally.
It comes as no surprise that healthcare and NHS institutions need a large cybersecurity overhaul. One recent incident found misconfigured email servers, outdated software, and security certificates, along with NHS trusts’ emails and passwords, through public web searches. It was also discovered through the same incident that NHS trusts are suffering an increase in data breaches, from 3,133 in 2014 to 4,177 last year. Combine that with the devastating effects of WannaCry earlier this year, and cyber incidents, rather than just human error, are now accounting for more breaches, rising from eight in 2014 to 60 last year.
Additionally, the increased adoption of connected devices into medical services and processes is creating even more endpoints in hospitals that need to be tracked and secured, widening the surface area for attacks, with even small devices like insulin pumps being shown to be breachable. Although the introduction of these devices is streamlining and improving the way care is provided, it has the potential to make healthcare institutions easy targets. Hospitals and other health practices are a source of valuable data, with information on almost every single citizen in the country hosted between them. This, combined with cybersecurity not being a high priority and the fact that these institutions have the money to pay a ransom, makes them a top target for the enterprising cybercriminal.
Healthcare institutions must prioritise the management of user access if they want to ensure adequate security levels around these endlessly growing numbers of endpoints. The variety of job roles that need to access a vast array of files from a connected network will also require different levels of access. For example, a doctor on call will need access to all previous medical history and prescription requirements, whereas an on-call care worker may only need medical history, and is not qualified to distribute or access prescriptive files. It’s paramount in this case that healthcare institutions evaluate who needs access to which devices and what data, to prevent access falling into the wrong hands. This is especially pertinent as the GDPR legislation looms, which will force NHS departments to fully analyse their digital functions, including processes for the storage, security and identification of patient data.
Industrial Control Systems
Industrial plants, and their control systems (ICS), are often overlooked. These controls are managed through remote stations, both automated and operator driven, distributing commands to manage supervision, control, and production.
However, as industrial controls manage everything from your production line to power, transport, water, gas and other critical infrastructure, the potential disruption and resulting downtime from any issues can have a significant impact on your business and national infrastructure, and possibly impact people’s lives.
This was brought to everyone’s attention during the Ukraine power station hack that took place in late 2015. Phishing emails containing malware were sent to the power companies; the malware permitted the exfiltration of information and credentials to control systems, cutting off power to nearly 250,000 homes and businesses in western Ukraine. Even more recently, Ukrainian infrastructure has been paralysed by the Petya ransomware, which then spread across Europe, halting the operation of government departments, its central bank, and aircraft manufacturers.
Once again, the rise of internet-enabled control devices and systems is putting organisations at risk. These systems demand forms of remote access for repairs and instant communication with the operations teams, as well as the support technicians themselves. Today, machinery can be monitored and accessed through mobile phone apps, and often service centres receive automated alerts from the machinery itself as a warning in the case of a fault. These technological advances are transforming processes. Much like in healthcare, productivity and progress shouldn’t overshadow the need to make sure the network is secured at every endpoint.
While modernisation has clear advantages, it also exposes new risks. Today, it’s imperative that IT professionals have a clear view of every device in their networks, and that no element of the environment is overlooked. When something as small as an insulin pump or a single water pump has the potential to allow a cybercriminal into your network, it’s time to get visibility of every device and make sure the correct security protocols are in place.