Forescout identifies PLCs, DCSs, industrial robots as top vulnerabilities in 2024 risk report

Forescout Technologies has found that the most vulnerable OT devices are PLCs (programmable logic controllers) and DCSs (distributed control systems), which are both highly critical and insecure by design, with industrial robots emerging as a new risk area. The finding comes from the fourth annual review by its research division, Vedere Labs, which analyzed data from nearly 19 million devices to identify vulnerabilities and threats to critical infrastructure. Forescout also noted that UPSs (uninterruptible power supplies) in many data centers still use default credentials, and that building automation systems, commonly overlooked, pose significant security risks.

In its report titled ‘The Riskiest Connected Devices in 2024,’ Forescout utilized its dataset and scoring methodology to identify the five riskiest device types across four categories: IT, IoT, OT (operational technology), and IoMT (internet of medical things). Out of these 20 device types, 11 were included in the 2023 report and remain on the list. 

Nine device types in Forescout's 2024 risk report were not on the 2023 list, among them wireless access points, hypervisors, NVRs (network video recorders), robotics, and every device type in the IoMT category. Of these nine, four had appeared on the 2022 list and have returned. The remaining five are entirely new entries: NVRs, robotics, medical information systems, electrocardiographs, and medication dispensing systems.

“The device has evolved from a pure asset to a reliable, sophisticated, intelligent platform for communications and services, driving a transformation in the relationship between devices, people, and networks,” Elisa Costante, vice president of threat research at Forescout, said in a Monday media statement. “We analyze millions of data points to publish the Riskiest Connected Devices report to integrate important threat context into how organizations use different devices and to redefine what it means to connect and interact securely.” 

She added that Forescout is committed to delivering device threat intelligence that helps organizations respond faster to potential threats and take advantage of opportunities to enhance security postures.

Forescout said it selected the 13 countries with an average device risk above 6.0. The three countries with the riskiest devices on average are all in Asia, followed by Canada and the U.S. The riskiest European countries are Denmark, the U.K., and Italy. 

The report noted that UPSs play a critical role in power monitoring and data center power management, and that CISA has warned of threat actors targeting UPSs that still use default credentials. Attacks on these devices can have physical effects, such as switching off the power in a critical location or tampering with voltage to damage sensitive equipment. 

PLCs and DCSs are risky because they are highly critical, giving full control over industrial processes, and because they are known to be insecure by design: many of them let an attacker interact with them, and even reconfigure them, without any authentication. 

Forescout noted that building management systems, also referred to as building automation systems, are vital for facilities management. There have been multiple instances where smart buildings were compromised by threat actors who rendered controllers inoperable, enlisted vulnerable physical access control devices into botnets, or used management workstations as points of initial access. These devices dangerously combine the insecure-by-design nature of OT with the internet connectivity of IoT and are often found exposed online, even in critical locations. 

The adoption of robotics is accelerating in industries such as electronics and automotive manufacturing as factories embrace smarter, more connected technologies. As of 2023, there were approximately 4 million industrial robots worldwide, about 80 percent of them concentrated in five countries: China, Japan, the U.S., South Korea, and Germany. Service robots are also deployed in other sectors, such as logistics and the military. Despite their widespread use, many robots share the security issues of other OT equipment, including outdated software, default credentials, and lax security postures. Attacks on robots range from production sabotage to physical damage and threats to human safety. 

The Forescout report identified that the riskiest IoMT devices have changed from last year, but they include a mix of IT equipment used for healthcare, such as medical information systems and workstations. “These systems often have dedicated embedded devices, such as electrocardiographs and automated medication dispensing. Medical information systems store and manage clinical data using standard formats such as HL7 to connect systems containing, for instance, electronic health records and billing information. These systems store very sensitive information which is valuable on the dark web and are often leaked by ransomware gangs. Despite the criticality of their data, thousands of these systems can still be found exposed online,” it added. 

Electrocardiographs are risky because of their fundamental role and large impact on acute patient care. A peer-reviewed study showed that data breach remediation efforts in hospitals led to a 2.7-minute delay in performing ECGs and a corresponding increase in patient mortality of 0.36 percentage points. 

“On our dataset, electrocardiographs were the third most vulnerable IoMT device, after medication dispensing systems and infusion pumps. DICOM workstations and PACS are used in medical imaging,” the Forescout report identified. “They often run legacy vulnerable IT operating systems, have extensive network connectivity to allow for sharing imaging files, and use the DICOM standard for sharing these files. DICOM defines the format for storing medical images and the communication protocol used to exchange them. The protocol supports message encryption, but its usage is configured by individual healthcare organizations. We observe unencrypted communications in many organizations, which could allow attackers to obtain or tamper with medical images, including to spread malware.” 
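The unencrypted DICOM traffic the report describes is easy to spot on the wire, because every DICOM association opens with an A-ASSOCIATE-RQ PDU whose layout is fixed by the standard (PS3.8): a one-byte PDU type of 0x01, a big-endian length, the protocol version, two 16-byte space-padded AE titles, 32 reserved bytes, and then a list of type/length/value items carrying the application context and the requested abstract syntaxes. The following parser is an added example written for this article, not code from Forescout or the report; it reads the first bytes of a captured TCP stream and classifies it as a cleartext DICOM association, a TLS handshake, or something else. The sample PDU is constructed inline by `build_associate_rq`, and the AE titles `PACS_ARCHIVE` and `CT_SCANNER_1` are made-up names.

```python
"""Detect cleartext DICOM associations from the first bytes of a TCP stream.

Added example for this article (not Forescout's or the report's code).
A DICOM association starts with an A-ASSOCIATE-RQ PDU. If that PDU is
readable in cleartext, the association is not wrapped in TLS, so AE titles
and the images that follow travel unencrypted.
"""
import struct

PDU_A_ASSOCIATE_RQ = 0x01
ITEM_APPLICATION_CONTEXT = 0x10
ITEM_PRESENTATION_CONTEXT_RQ = 0x20
ITEM_ABSTRACT_SYNTAX = 0x30
ITEM_TRANSFER_SYNTAX = 0x40
ITEM_USER_INFORMATION = 0x50
ITEM_MAX_PDU_LENGTH = 0x51
DICOM_APPLICATION_CONTEXT = "1.2.840.10008.3.1.1.1"
IMPLICIT_VR_LE = "1.2.840.10008.1.2"
TLS_HANDSHAKE_RECORD = 0x16


def _items(buf: bytes):
    """Walk DICOM variable items: type(1) reserved(1) length(2, big-endian) value."""
    off = 0
    while off + 4 <= len(buf):
        item_type = buf[off]
        length = struct.unpack(">H", buf[off + 2:off + 4])[0]
        payload = buf[off + 4:off + 4 + length]
        if len(payload) != length:
            break  # truncated item: stop rather than mis-parse
        yield item_type, payload
        off += 4 + length


def parse_associate_rq(data: bytes):
    """Return AE titles, application context and abstract syntaxes, or None."""
    if len(data) < 74 or data[0] != PDU_A_ASSOCIATE_RQ:
        return None
    pdu_len = struct.unpack(">I", data[2:6])[0]
    version = struct.unpack(">H", data[6:8])[0]
    if not version & 0x0001 or len(data) < 6 + pdu_len:
        return None
    result = {
        "called_ae": data[10:26].decode("ascii", "replace").strip(),
        "calling_ae": data[26:42].decode("ascii", "replace").strip(),
        "application_context": None,
        "abstract_syntaxes": [],
    }
    for item_type, payload in _items(data[74:6 + pdu_len]):
        if item_type == ITEM_APPLICATION_CONTEXT:
            result["application_context"] = payload.decode("ascii", "replace").rstrip("\x00")
        elif item_type == ITEM_PRESENTATION_CONTEXT_RQ:
            # 4 bytes: presentation context id + 3 reserved, then sub-items.
            for sub_type, sub_payload in _items(payload[4:]):
                if sub_type == ITEM_ABSTRACT_SYNTAX:
                    result["abstract_syntaxes"].append(sub_payload.decode("ascii", "replace").rstrip("\x00"))
    return result


def classify_stream(first_bytes: bytes) -> str:
    """'tls' for a TLS handshake record, 'cleartext-dicom' for a readable A-ASSOCIATE-RQ."""
    if first_bytes[:1] == bytes([TLS_HANDSHAKE_RECORD]):
        return "tls"
    if parse_associate_rq(first_bytes):
        return "cleartext-dicom"
    return "unknown"


def build_associate_rq(called: str, calling: str, abstract_syntaxes, transfer_syntax=IMPLICIT_VR_LE) -> bytes:
    """Construct a minimal, well-formed A-ASSOCIATE-RQ (used here as sample input)."""
    def item(t, payload):
        return bytes([t, 0]) + struct.pack(">H", len(payload)) + payload

    def uid(s):  # UIDs are padded with a trailing NUL to an even length
        b = s.encode("ascii")
        return b if len(b) % 2 == 0 else b + b"\x00"

    items = item(ITEM_APPLICATION_CONTEXT, uid(DICOM_APPLICATION_CONTEXT))
    for i, abstract in enumerate(abstract_syntaxes):
        pc = bytes([2 * i + 1, 0, 0, 0]) + item(ITEM_ABSTRACT_SYNTAX, uid(abstract)) + item(ITEM_TRANSFER_SYNTAX, uid(transfer_syntax))
        items += item(ITEM_PRESENTATION_CONTEXT_RQ, pc)
    items += item(ITEM_USER_INFORMATION, item(ITEM_MAX_PDU_LENGTH, struct.pack(">I", 16384)))
    body = (struct.pack(">H", 1) + b"\x00\x00" + called.ljust(16).encode("ascii")
            + calling.ljust(16).encode("ascii") + bytes(32) + items)
    return bytes([PDU_A_ASSOCIATE_RQ, 0]) + struct.pack(">I", len(body)) + body


if __name__ == "__main__":
    # Constructed sample: a CT scanner opening an unencrypted association to a PACS.
    sample = build_associate_rq("PACS_ARCHIVE", "CT_SCANNER_1", ["1.2.840.10008.5.1.4.1.1.2"])
    print(classify_stream(sample), parse_associate_rq(sample))
```

Run against the first segment of each new TCP flow to port 104 or 11112 (the conventional DICOM ports), a `cleartext-dicom` result with a recognisable abstract syntax such as CT Image Storage is direct evidence that images are crossing the network without TLS; a `tls` result means the organisation has enabled the encrypted transport the report says is rarely configured.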

It added that PACS is by far the most commonly exposed IoMT device in the Forescout dataset. “Medication dispensing systems have been known to be vulnerable for almost a decade since Billy Rios documented 1,418 vulnerabilities on seven third-party components of a popular device in this category. More than eight years after that study, we still see medication dispensing systems as the sixth most vulnerable device type overall, not just in the IoMT category.” 

There are documented cases of ransomware attacks affecting the availability of dispensing systems, which can delay patient treatment. Forescout also reported 183 of these systems exposed online in 2022; less than two years later, that number has grown to 225. Medication dispensing systems are the second most exposed IoMT device type in the Forescout dataset.

Forescout also identified that in 2024, technology has the riskiest devices on average, followed by education and manufacturing. “We changed the sorting methodology from last year when we counted the percentage of devices with critical or high risk, rather than average risk across devices. Healthcare has made notable strides and is no longer the riskiest industry. Last year, it had the largest percentage of high and medium-risk devices. Today, its average device risk is 7.25 — the lowest of the 10 industries. Similarly, retail was the second riskiest in 2023 and has also shown a big improvement this year,” the report added.

The report revealed that IT devices still account for most vulnerabilities at 58 percent, but that is down from 78 percent in 2023. IoT vulnerabilities increased from 14 percent last year to 33 percent now. Last year, there were more OT vulnerabilities than IoMT, but this year the ranking is reversed with IoMT in third position at five percent and OT in fourth place with four percent.

The report noted that vulnerabilities are a major risk factor for devices, but it is exposed services on open ports that give attackers a way in. Forescout selected four common ports to analyze from among those it observed as most exploited in 2023. Server Message Block (SMB) is used by Windows machines for file sharing, printer sharing, and access to remote services. Remote Desktop Protocol (RDP) provides remote management of devices through a graphical interface. Secure Shell (SSH) provides remote management through a command-line interface, especially for Linux/UNIX servers and IoT devices, while Telnet provides the same for legacy specialized devices, without encryption. 
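An exposure count like the one in the report starts with telling these four services apart, and an open port alone does not do that: SSH and Telnet announce themselves (an `SSH-` version string, or a Telnet IAC byte 0xFF starting option negotiation), whereas RDP and SMB say nothing until the client speaks. The checker below is an added example written for this article, not Forescout's code. It grabs an unsolicited banner first, then probes a silent port with an X.224 Connection Request (what an RDP client sends) and, on a fresh connection, an SMB1 NEGOTIATE that also lists SMB2 dialects so SMB2-only servers answer too. `fake_service` is a constructed local stand-in for a real device so the example runs offline; the port numbers it returns are ephemeral and the banner `OpenSSH_9.6` is made up.

```python
"""Identify which of SSH, Telnet, RDP and SMB is listening on an open port.

Added example for this article (not Forescout's code). Passive banner
grab first, active probes only for ports that stay silent.
"""
import socket
import struct
import threading

# TPKT header + X.224 Connection Request carrying an RDP_NEG_REQ (MS-RDPBCGR 2.2.1.1).
RDP_X224_CR = (b"\x03\x00\x00\x13" + b"\x0e\xe0\x00\x00\x00\x00\x00"
               + b"\x01\x00\x08\x00" + struct.pack("<I", 1))
# X.224 Connection Confirm as a real server would answer (TPKT, then code 0xD0 at offset 5).
RDP_X224_CC = b"\x03\x00\x00\x0b\x06\xd0\x00\x00\x12\x34\x00"
SMB_NEGOTIATE_RESPONSE = b"\x00\x00\x00\x04\xfeSMB"  # NetBIOS header + SMB2 magic


def smb1_negotiate() -> bytes:
    """Classic SMB1 NEGOTIATE request; the SMB2 dialect strings make SMB2-only servers reply."""
    dialects = b"".join(b"\x02" + d + b"\x00" for d in (b"NT LM 0.12", b"SMB 2.002", b"SMB 2.???"))
    header = (b"\xffSMB" + b"\x72" + b"\x00\x00\x00\x00" + b"\x18" + b"\x53\xc8"
              + b"\x00\x00" + bytes(8) + b"\x00\x00" + b"\x00\x00" + b"\xff\xfe" + b"\x00\x00" + b"\x00\x00")
    msg = header + b"\x00" + struct.pack("<H", len(dialects)) + dialects
    return b"\x00" + len(msg).to_bytes(3, "big") + msg


def _recv(sock, n=1024) -> bytes:
    try:
        return sock.recv(n)
    except OSError:  # timeout or reset: treat as "nothing said"
        return b""


def classify_banner(banner: bytes) -> str:
    if banner.startswith(b"SSH-"):
        return "ssh"
    if banner[:1] == b"\xff":  # Telnet IAC: server opens with option negotiation
        return "telnet"
    return "silent" if not banner else "unknown-banner"


def identify_service(host: str, port: int, timeout: float = 2.0) -> str:
    with socket.create_connection((host, port), timeout) as s:
        verdict = classify_banner(_recv(s))
        if verdict != "silent":
            return verdict
        s.sendall(RDP_X224_CR)
        resp = _recv(s)
        if len(resp) >= 6 and resp[0] == 0x03 and resp[5] == 0xD0:
            return "rdp"
    # A silent, non-RDP port: use a fresh connection so the RDP bytes do not poison the SMB probe.
    with socket.create_connection((host, port), timeout) as s:
        s.sendall(smb1_negotiate())
        resp = _recv(s)
        if len(resp) >= 8 and resp[4:8] in (b"\xffSMB", b"\xfeSMB"):
            return "smb"
    return "silent"


def fake_service(kind: str) -> int:
    """Constructed local stand-in for a device of the given kind; returns its port."""
    responses = {"ssh": b"SSH-2.0-OpenSSH_9.6\r\n", "telnet": b"\xff\xfd\x18",
                 "rdp": RDP_X224_CC, "smb": SMB_NEGOTIATE_RESPONSE}
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.settimeout(10)
                try:
                    if kind in ("rdp", "smb"):
                        conn.recv(1024)  # these protocols wait for the client to speak
                    conn.sendall(responses[kind])
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    for kind in ("ssh", "telnet", "rdp", "smb"):
        print(kind, "->", identify_service("127.0.0.1", fake_service(kind), timeout=1.0))
```

The same function, pointed at a real inventory of hosts and ports 22, 23, 3389 and 445, produces the per-service counts the report tabulates; a Telnet hit on a hospital or factory network is the one to chase first, since it is both unencrypted and, as the report notes, the service organisations are already migrating away from.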

It found that SMB and SSH are the most commonly exposed of the four, followed by RDP and Telnet. Telnet exposure is highest in healthcare (4 percent of devices), technology (3 percent), and manufacturing (3 percent). SSH exposure is highest in entertainment (52 percent), technology (39 percent), and oil and gas (33 percent). RDP exposure is highest in services (14 percent), oil and gas (12 percent), and manufacturing (12 percent). SMB exposure is highest in technology (37 percent), financial (32 percent), and services (30 percent). 

Compared to 2023, Forescout said “We see that every industry we tracked last year reduced its Telnet exposure, except for manufacturing where it remained stable at 3%. The highest Telnet decrease was in healthcare which moved from 10% to 4%. On the other hand, SSH increased in every industry. This may be an indication that organizations are replacing remote management of devices via Telnet with SSH which is a good sign. RDP also decreased in every industry, except for manufacturing,” it added. 

For RDP, the largest decrease was again in healthcare, from 16 percent to 6 percent. SMB showed a mixed result: government, healthcare, and retail reduced their exposure, while financial and manufacturing increased slightly.

“Computers, mobile, and servers represent nearly 90% of the exposed devices. The most exposed unmanaged device types include VoIP equipment (5%), networking equipment (3%) and printers (1%),” Forescout reported. “The ‘other IoT’ group includes more than 30 other types of commonly exposed IoT devices. The majority are IP cameras, smart TVs, and NAS. ‘Other IoMT’ includes over 40 types of IoMT devices, including PACS systems, blood glucose meters, and healthcare workstations. Finally, ‘other OT’ includes 20 types of devices, such as UPS, PLC, and building automation systems.”

In its conclusion, Forescout identified that the attack surface now encompasses IT, IoT, and OT in almost every organization — with IoMT in healthcare. It is not enough to focus defenses on risky devices in a single category since attackers can leverage devices of different categories to carry out attacks. 

“We have demonstrated this with a proof-of-concept attack (R4IoT) that starts with an IP camera (IoT), moves to a workstation (IT), and disables PLCs (OT). To defend this expanded attack surface, organizations need new security approaches to identify and reduce risk,” the report added. “As the threat landscape continues to evolve and more organizations adopt cybersecurity only for traditional endpoints, threat actors are consistently moving to devices that offer easier initial access.” 

It added that modern risk and exposure management must cover devices in every category to identify, prioritize, and reduce risk across the whole organization. Solutions that work only for specific device types cannot effectively reduce risk because they are blind to the other parts of the network that an attack may traverse. For example, IoMT-only solutions will not effectively assess risk for IT devices, and IT-only solutions will miss the nuances of specialized devices.

Beyond risk assessment, risk mitigation should rely on automated controls that do not depend solely on security agents and that apply across the whole enterprise rather than to individual silos.

In April, researchers from Forescout Vedere Labs revealed that U.S. networks have experienced a significant 40 percent year-on-year increase in Chinese-made devices, despite official bans. Critical infrastructure organizations are among those that use the highest numbers of such devices and some of these industries more than doubled the number of Chinese-manufactured devices in their networks in one year.
