Forescout reports 2023 riskiest connected devices across IT, IoT, OT, IoMT environments


Forescout Research – Vedere Labs has published updated findings on the riskiest devices in enterprise networks in 2023, continuing a series it has tracked on organizations’ networks since 2020. The analysis covers IT, IoT, OT (operational technology), and IoMT (internet of medical things), with data collected directly from connected devices. The team noted that many device types appear on these lists year after year, such as IP cameras, VoIP equipment, and programmable logic controllers (PLCs), either because of their inherent criticality or because security teams persistently overlook them, while other devices’ current risk level reflects developments in the threat landscape.

“The riskiest OT devices include the critical and insecure-by-design PLCs, the UPSs present in many data centers with default credentials, and the ubiquitous but often invisible building automation controllers that were present last year, while also for the first time engineering workstations and RTUs,” Daniel dos Santos wrote in Forescout’s latest report, titled ‘The Riskiest Connected Devices in 2023’. “Engineering workstations typically run a traditional operating system such as Windows and allow engineers to manage PLCs, RTUs, and other OT equipment on the network.”

According to SANS, 35 percent of attacks into OT/ICS in 2022 used engineering workstations as initial access vectors, doubling what they reported in 2021, dos Santos revealed. “RTUs are used to connect field devices to a distributed control system or SCADA by exchanging data and commands. Vulnerabilities in RTUs are common and some were found in Project Memoria and OT:ICEFALL. In early 2023, the GhostSec hacktivist group claimed to encrypt an RTU as part of their politically-motivated attack campaign,” he added. 

Moving to the riskiest IoMT devices, dos Santos revealed that they were healthcare workstations, “which include the DICOM workstations we discussed last year but also specialized workstations for radiology, for instance. Imaging devices, including nuclear imaging, and patient monitors were also on last year’s list. Those are all among the most vulnerable and at the same time most connected IoMT devices in hospitals.” 

“The new device type on the list is blood glucose monitors. Blood glucose monitors are often used together with insulin pumps, and there is a history of vulnerabilities affecting these devices and their communication protocols, which may allow attackers to capture, replay, inject, or modify traffic between devices,” wrote dos Santos. “More recent versions of these devices are often paired with patients’ personal mobile devices, which means that they may be connected first to an insecure home network and later to a supposedly more secure clinical network used by much more critical medical devices.”

Addressing the riskiest IoT devices, the report included the most persistent suspects – IP cameras, printers, and VoIP – which are exposed on the internet and which have been historically targeted by APTs (advanced persistent threats), as well as two new entries – network attached storage (NAS) and out-of-band management (OOBM). 

“NAS devices have been a growing target for ransomware actors, with several ransomware families designed specifically to run on them, due to the valuable data they store and their numerous vulnerabilities,” the report said. “Out-of-band management allows for remote management of equipment via alternative interfaces. The first variety of OOBM is plagued with critical vulnerabilities, some of which have had public exploits for years and have been exploited by sophisticated malware, others which have been found as recently as late 2022. Devices of the second variety are often found online and sometimes misconfigured, allowing attackers to ultimately access the devices being remotely managed.”

The Vedere Labs report said that healthcare is the riskiest industry in 2023, followed by retail and manufacturing, while the largest risk reduction it observed from 2022 to 2023 was in government. The data revealed that over 4,000 vulnerabilities affect the devices in the dataset; of those, 78 percent affect IT devices, 14 percent affect IoT, 6 percent affect OT, and 2 percent affect IoMT. Although most vulnerabilities affect IT devices, almost 80 percent of those are only of high severity. On the other hand, IoMT devices have fewer vulnerabilities, but 80 percent of them are critical, which typically allows for the complete takeover of a device. Similarly, more than half of the vulnerabilities affecting OT and IoT devices are critical.

In all industries, at least 10 percent of devices that have endpoint protection installed have it disabled, the report added, with this figure being the highest in government, financial services (both with almost 24 percent), and healthcare (21 percent).

The research also identified that not every vulnerability is exploited or even exploitable. CISA maintains a constantly updated list of vulnerabilities known to be exploited by threat actors. “As of May 2023, the list contains 925 vulnerabilities. Six IT software vendors – Microsoft, Adobe, Apple, Google, Oracle, and Apache – are responsible for 477 (52%) of these vulnerabilities, which may affect a variety of devices running their software. However, several vulnerabilities affect specific types of devices, including IoT and OT. All those device types being targeted by threat actors appear in the 2023 riskiest devices list, except for conferencing systems and hypervisors, which were present in the 2022 list,” it added.

Vulnerabilities are among the riskiest factors for a device, but open ports are what leave devices open to attacks, both because of known vulnerabilities and unknowns such as zero days, dos Santos disclosed. “We selected four common ports to analyze out of the ones we observed as most exploited in 2022. Server Message Block Protocol (SMB) is used by Windows machines for file sharing, printer sharing, and access to remote services. Remote Desktop Protocol (RDP) provides remote management for devices using a graphical interface.” 

He added that Secure Shell (SSH) provides remote management using a command-line interface, especially to Linux/UNIX servers and IoT devices, while Telnet provides remote management mainly for legacy specialized devices.

The Forescout report explored the current risk associated with the expanded attack surface that now encompasses IT, IoT, and OT in almost every organization, with the addition of IoMT in healthcare. 

The findings point to specific actions that organizations can take to reduce immediate risk. First, the prevalence of legacy Windows and critical vulnerabilities in OT and IoMT means that organizations need immediate action plans to upgrade, replace, or isolate these devices as much as possible. Second, the often-disabled endpoint protection on IT devices means that organizations must adopt automated device compliance verification and enforcement, so that non-compliant devices cannot connect to the network. Third, the commonly found exposed devices, such as IP cameras, and dangerous open ports, such as Telnet, mean that organizations must improve network security efforts, including segmentation.
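The three action classes above, together with the endpoint-protection figures and the four ports singled out earlier (SMB, RDP, SSH, Telnet), map naturally onto an inventory triage. The following is an added example, not code from Forescout or the report: it runs the report's recommended checks over a small constructed device inventory and sorts devices into isolate/upgrade, block-as-non-compliant, and segment lists, and it computes the share of agent-equipped devices with protection disabled per industry. The port-to-protocol mapping uses the standard port numbers, the legacy-Windows set and CVSS threshold are illustrative assumptions, and all device records are constructed.

```python
"""Inventory triage against the three action classes the report recommends.
Added example; device records, the legacy-OS set and the CVSS cut-off are
constructed assumptions, not data from the report."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field

# Standard port numbers for the four protocols the report analyzed (assumption).
RISKY_PORTS = {445: "SMB", 3389: "RDP", 22: "SSH", 23: "Telnet"}
# Illustrative set of end-of-life Windows versions (assumption).
LEGACY_WINDOWS = {"Windows XP", "Windows 7", "Windows Server 2008"}
CRITICAL_CVSS = 9.0  # CVSS v3 "critical" starts at 9.0


@dataclass
class Device:
    name: str
    category: str                     # "IT", "IoT", "OT" or "IoMT"
    industry: str
    os: str = ""
    open_ports: set[int] = field(default_factory=set)
    max_cvss: float = 0.0             # highest base score among known vulns
    endpoint_protection: str = "n/a"  # "enabled", "disabled", or "n/a" (no agent)


def triage(devices: list[Device]) -> dict:
    """Sort devices into the report's three remediation buckets."""
    actions = {"isolate_or_upgrade": [], "block_noncompliant": [], "segment": []}
    for d in devices:
        # Legacy Windows or a critical vuln on OT/IoMT: upgrade, replace or isolate.
        if d.category in ("OT", "IoMT") and (
            d.os in LEGACY_WINDOWS or d.max_cvss >= CRITICAL_CVSS
        ):
            actions["isolate_or_upgrade"].append(d.name)
        # Agent installed but switched off: fail compliance, deny network access.
        if d.endpoint_protection == "disabled":
            actions["block_noncompliant"].append(d.name)
        # Any of the four risky services exposed: candidate for segmentation.
        exposed = sorted(RISKY_PORTS[p] for p in d.open_ports if p in RISKY_PORTS)
        if exposed:
            actions["segment"].append((d.name, exposed))
    return actions


def disabled_protection_share(devices: list[Device]) -> dict[str, float]:
    """Percent of devices with an agent installed whose agent is disabled, by industry."""
    installed, disabled = Counter(), Counter()
    for d in devices:
        if d.endpoint_protection in ("enabled", "disabled"):
            installed[d.industry] += 1
            if d.endpoint_protection == "disabled":
                disabled[d.industry] += 1
    return {ind: round(100 * disabled[ind] / installed[ind], 1) for ind in installed}


# Constructed sample inventory (not real hosts).
SAMPLE = [
    Device("eng-ws-01", "OT", "manufacturing", "Windows 7", {445, 3389}, 7.5, "disabled"),
    Device("plc-line-3", "OT", "manufacturing", "VxWorks", {502}, 9.8),
    Device("glucose-mon-7", "IoMT", "healthcare", "embedded", set(), 9.1),
    Device("radiology-ws", "IoMT", "healthcare", "Windows 10", {445}, 8.8, "enabled"),
    Device("ipcam-lobby", "IoT", "healthcare", "Linux", {23, 80}, 7.2),
    Device("nas-finance", "IoT", "financial services", "Linux", {22, 445}, 9.8),
    Device("laptop-42", "IT", "financial services", "Windows 11", {3389}, 7.0, "disabled"),
    Device("server-db", "IT", "financial services", "Windows Server 2019", {445}, 8.1, "enabled"),
]

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE).items():
        print(f"{bucket}: {items}")
    print("disabled endpoint protection by industry:", disabled_protection_share(SAMPLE))
```

The buckets are deliberately independent: the engineering workstation lands in all three (legacy OS on an OT device, disabled agent, SMB and RDP exposed), which is exactly the kind of device the report describes as a common initial access vector. The per-industry share counts only devices that actually have an agent, matching how the report frames its "installed but disabled" figure.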

“Beyond these specific recommendations, the increased risk profiles of devices as diverse as security appliances, VPN gateways, NAS, out-of-band management, and blood glucose monitors means that organizations need to embrace the fact that this attack surface requires new, superior security approaches to identify and reduce risk,” according to dos Santos. “To bypass traditional endpoint security approaches, threat actors are consistently moving to devices that offer easier initial access. Modern risk and exposure management must encompass devices in every category to reduce risk across the whole organization.” 

He added that solutions that work only for specific devices cannot effectively reduce risk because they are blind to other parts of the network being leveraged for an attack. “For instance, OT or IoMT-only solutions cannot assess risk for IT devices, while IT-only solutions will miss the nuances of the specialized devices. Beyond risk assessment, risk mitigation should use automated controls that do not rely only on security agents. Likewise, they must apply to the whole enterprise instead of silos like the IT network, the OT network, or specific types of IoT devices.”

Earlier this week, the Healthcare and Public Health Sector Coordinating Council (HSCC) Cybersecurity Working Group (CWG) published a template document called ‘Health Industry Cybersecurity Coordinated Healthcare Incident Response (HIC-CHIRP),’ with material for the technical response process to a cybersecurity incident.
