Forescout Reports on The Riskiest Connected Devices in Enterprise Networks at GITEX 2022

  • Network-attached storage devices are most at risk in the region
  • Manufacturing sector has the highest number of affected devices

Ihab Moawad, Vice President, Forescout Middle East

Dubai, United Arab Emirates

Forescout Technologies, the global leader in automated cybersecurity, released its findings about the riskiest devices in enterprise networks in 2022 at GITEX.

In this region, network-attached storage devices are the riskiest. They often have both easy-to-exploit vulnerabilities and internet connectivity, so they are constantly targeted by threat actors for ransomware, botnets, crypto mining, or simply data destruction.

“At Forescout, we are keen to raise awareness and let government entities and businesses know exactly where the vulnerabilities lie with their network. Our research team has done a fantastic job identifying which industry verticals are being targeted relentlessly and which connected devices are most at risk, globally and here across the region,” commented Ihab Moawad, Vice President, Forescout, Middle East, Turkey, and Africa.

Manufacturing has the highest percentage of devices with high risk (11%), while government and financial have the top combinations of medium and high risk (43% for government and 37% for financial). Healthcare and retail have the lowest risk overall, with 20% of devices having medium or high risk in healthcare and 18% in retail.

The ranking of riskiest devices does not change considerably per industry, which shows that almost every organization nowadays relies on a combination of IT, IoT, and OT (as well as IoMT for healthcare) to deliver their business. It also means that almost every organization is affected by a growing attack surface. The riskiest IT and OT devices remain nearly constant across different regions, while the riskiest IoT devices change slightly and the riskiest IoMT devices change considerably.

“GITEX gives us this global platform to showcase our Automated Cybersecurity Solutions that protect any digital terrain. Forescout is here to help companies understand and mitigate risks that come with digital transformation, the rapid growth of IoT devices across organizations, and the convergence of IT and OT networks that is encouraging the rise of ransomware-as-a-service gangs,” added Moawad.

At GITEX 2022, organizations and government entities can learn how to better protect themselves against a new type of ransomware attack that can leverage any IoT device, even security cameras, to deploy ransomware.

Forescout has further identified the five riskiest devices in four device categories: IT, IoT, OT, and IoMT – as shown in Table 1.

Table 1 – Riskiest connected devices per category

| Rank | IT | IoT | OT | IoMT |
|---|---|---|---|---|
| 1 | Router | IP camera | Programmable logic controller (PLC) | DICOM workstation |
| 2 | Computer | VoIP | Human machine interface (HMI) | Nuclear medicine system |
| 3 | Server | Video conferencing | Uninterruptible power supply (UPS) | Imaging |
| 4 | Wireless access point | ATM | Environment monitoring | Picture archiving and communication system (PACS) |
| 5 | Hypervisor | Printer | Building automation controller | Patient monitor |

IT devices are still the main target of malware, including ransomware, and the main initial access points for malicious actors. These actors exploit vulnerabilities on internet-exposed devices, such as servers running unpatched operating systems and business applications, or use social engineering and phishing techniques to dupe employees into running malicious code on their computers.

Routers and wireless access points, as well as other network infrastructure devices, are becoming more common entry points for malware and advanced persistent threats. Routers are risky because they are often exposed online, sit at the interface between internal and external networks, expose dangerous open ports, and have many vulnerabilities that are often quickly exploited by malicious actors. Wireless access points are the typical border between internal and external networks in physical locations. They frequently host both guest and corporate networks and are used to connect guest devices, including computers and mobile devices.

Hypervisors, or specialized servers hosting virtual machines (VMs), have become a favorite target for ransomware gangs in 2022 since they allow attackers to encrypt several VMs at once and because ransomware developers are moving towards languages such as Go and Rust that allow for easier cross-compilation and can target both Linux and Windows.

A growing number of IoT devices on enterprise networks are being actively exploited because they are harder to patch and manage than IT devices. IoT devices are compromised due to weak credentials or unpatched vulnerabilities primarily to become part of distributed denial-of-service (DDoS) botnets. Beyond DDoS, several threat actors have been using IoT devices for other phases of attacks.

PLCs and HMIs are the riskiest OT devices because they are very critical, allowing for full control of industrial processes, and are known to be insecure by design. Although PLCs are not often connected to the internet, many HMIs are, to enable remote operation or management. These devices are not only common in critical infrastructure sectors, such as manufacturing, but also in sectors such as retail, where they drive logistics and warehouse automation.

OT devices are typically associated with manufacturing and critical infrastructure. However, other observed risky OT devices are much more widespread than PLCs and HMIs. For instance, uninterruptible power supplies (UPSs) are present in many corporate and data center networks next to computers, servers, and IoT devices. UPSs play a critical role in power monitoring and data center power management. CISA has warned about threat actors targeting UPSs with default credentials. Attacks on these devices can have physical effects, such as switching off the power in a critical location or tampering with voltage to damage sensitive equipment.

Environment monitoring and building automation systems are critical for facilities management, which is a common need in most organizations. Smart buildings perfectly exemplify a cross-industry domain where IT, IoT and OT are converging on the same network. There are several examples of smart buildings exploited by threat actors to render controllers unusable, recruit vulnerable physical access control devices for botnets, or leverage engineering workstations for initial access. These devices dangerously mix the insecure-by-design nature of OT with the internet connectivity of IoT and are often found exposed online even in critical locations.

The riskiest IoMT devices change considerably across regions. Table 2 shows the riskiest IoMT devices in each region. DICOM workstations are the only devices that consistently make the list in every region.

Table 2 – Riskiest IoMT devices per region

| Rank | Americas | APJ | Europe | META |
|---|---|---|---|---|
| 1 | DICOM Workstation | Electrocardiograph | DICOM Workstation | DICOM Workstation |
| 2 | Nuclear Medicine System | CT Scanner | Electrocardiograph | PACS |
| 3 | PACS | DICOM Workstation | Ultrasound | Medication Dispensing System |
| 4 | Imaging | Imaging | Patient Monitor | CT Scanner |
| 5 | Medical Analyzer | Medication Dispensing System | Mammography System | Angiography System |

Two recurring themes in the recent research have been the growing attack surface due to more devices being connected to enterprise networks and how threat actors leverage these devices to achieve their goals.

The attack surface now encompasses IT, IoT and OT in almost every organization, with the addition of IoMT in healthcare. It is not enough to focus defenses on risky devices in one category since attackers can leverage devices of different categories to carry out attacks. Forescout has demonstrated this with R4IoT, an attack that starts with an IP camera (IoT), moves to a workstation (IT) and disables PLCs (OT).

You need proper risk assessment to understand how your attack surface is growing. However, assessing device risk is not easy. For instance, to determine whether a device is vulnerable or not, granular classification information is needed, such as device type, vendor, model and firmware version.

The security vendor is at GITEX 2022 to show how cybercriminals exploit vulnerabilities in IoT devices for initial access and lateral movement to IT and OT devices, with the objective of causing physical disruption of business operations for financial gain.

Visitors to the Forescout Stand H1-B40, in Hall 1, at the Dubai World Trade Center (DWTC) will be able to get first-hand information on the company’s security solutions, be part of interactive demos, and have all of their cybersecurity queries answered. The security vendor will also be showcasing its completed Project Memoria, the most extensive study of TCP/IP stacks that uncovered 97 new vulnerabilities impacting over 400 vendors.

GITEX 2022 is taking place from 10 to 14 October 2022, at DWTC. For more information on Forescout, please visit www.forescout.com.

***ENDS***

About Forescout

Forescout Technologies, Inc. delivers cybersecurity automation across the digital terrain, maintaining continuous alignment of customers’ security frameworks with their digital realities, including all asset types – IT, OT, IoT, IoMT. The Forescout Continuum Platform provides complete asset visibility, continuous compliance, network segmentation and a strong foundation for Zero Trust. For more than 20 years, Fortune 100 organizations and government agencies have trusted Forescout to provide automated cybersecurity at scale. Forescout arms customers with data-powered intelligence to accurately detect risks and quickly remediate cyberthreats without disruption of critical business assets. www.forescout.com    

Managing cyber risk, together.
