A widespread ransomware campaign was first reported on May 12, 2017, with tens of thousands of infections across 99 countries. This was an unprecedented cyber-attack, which encrypted users’ data and demanded a payment to unlock it. Security researchers initially believed that the healthcare industry may have been specifically targeted, as a majority of the early victims were hospital systems. A deeper look at the attack trends, however, suggested that healthcare was simply the first victim: an easy target because of its lax security posture.
The National Health Service (NHS) in England was one of the first victims, reporting that about 45 hospitals were affected across England and Scotland. Patient safety was put at risk when doctors and hospitals were unable to access patients’ medical records and history. Of note is the data from a recent study that polled 42 NHS Trusts, which revealed that 90% of NHS Trusts’ devices were still running the unsupported Windows XP operating system. Many of these devices are single-purpose systems (medical devices) that are often ignored and rarely receive the patches and updates they need. With the convenience of wireless connectivity, devices that were never designed to be network-connected are joining the network at a rapid pace. The device vendors, however, do not provide frequent firmware updates, leaving these systems highly vulnerable to cyber threats. We now have confirmed reports of MedRad (Bayer), Siemens, and other unnamed medical devices being infected. Most medical devices use commercial off-the-shelf (COTS) operating systems, so is it really a surprise that the healthcare sector was the first to be affected?
A few days into the ransomware attack, other sectors were affected as well. A disproportionate number of special purpose systems, such as medical devices and industrial controllers, have become victims of this attack. The major toll was taken by operational services at Telefonica, NHS, FedEx, Renault, Deutsche Bahn AG, and many others.
Such purpose-built systems:
- Are hard to patch: Most devices are not easily upgraded. Once deployed, they generally run the factory default software with no provisions to update it.
- Have long lifecycles: IoT devices have a much longer lifecycle than IT devices. Many IoT devices have no security but are, nevertheless, deployed with a life expectancy of 15-20 years.
- Often remain unmanaged: The lack of endpoint agents results in blind spots within the IoT infrastructure. With no logs from IoT devices, current security solutions, like SIEM, also remain blind to IoT threats.
What can we do?
For the past two decades, the entire security investment has gone towards protecting the IT assets, which make up only about half of the overall network infrastructure. The other half, made up of Special Purpose Systems (SPS, or IoT), has pretty much been neglected. Ignoring this issue is no longer an option without severe consequences. We now know that traditional security controls are far less effective at securing IoT infrastructure. Traditional security tools lean heavily on perimeter defense, signature-based threat detection, and security event correlation, and these do not protect SPS the way they do IT environments. This is mostly due to the inherent characteristics of IoT devices, which make them hard to discover, manage, patch, and upgrade, unlike IT assets.

One characteristic that can save the IoT infrastructure from being victimized is its consistent network behavioral pattern. Such purpose-built systems are designed to perform only a few tasks on a repetitive basis, and so exhibit extremely predictable behavior on the network. Employing advanced machine learning algorithms allows for discovering devices, baselining their behaviors, and detecting deviations to uncover hidden threats. Understanding the personality of a device enables an intelligent solution to detect when it’s misbehaving.
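As an added illustration of the baselining idea above (example code written for this page, not code from the original post or from any vendor's product), the following learns, per device, the set of peers a purpose-built system normally talks to from constructed flow records, then flags traffic to never-seen (host, port) pairs and a fan-out to many new hosts. The device name, addresses and the port 9999 are hypothetical; ports 104 (DICOM) and 123 (NTP) are only used as plausible peers for an imaging device.

```python
from collections import defaultdict

# Constructed sample flow records: (device, dst_ip, dst_port, bytes).
# During the learning window the imaging device talks only to its DICOM
# peer and an NTP server, the kind of repetitive behavior the text describes.
BASELINE_FLOWS = [
    ("imaging-01", "10.1.0.5", 104, 48000),   # DICOM peer (hypothetical)
    ("imaging-01", "10.1.0.5", 104, 52000),
    ("imaging-01", "10.1.0.9", 123, 76),      # NTP server (hypothetical)
    ("imaging-01", "10.1.0.5", 104, 51000),
    ("imaging-01", "10.1.0.9", 123, 76),
]

# Later traffic: the usual peers, plus contacts to twelve never-seen hosts on a
# port the device has never used, a deviation a self-propagating infection would
# show. Addresses and the port are constructed placeholders.
LIVE_FLOWS = [
    ("imaging-01", "10.1.0.5", 104, 49000),
    ("imaging-01", "10.1.0.9", 123, 76),
] + [("imaging-01", f"10.1.0.{n}", 9999, 200) for n in range(20, 32)]


def build_baseline(flows):
    """Learn, per device, the set of (dst_ip, dst_port) pairs seen in the window."""
    peers = defaultdict(set)
    for device, dst, port, _ in flows:
        peers[device].add((dst, port))
    return dict(peers)


def detect_deviations(baseline, flows, fanout_threshold=5):
    """Return alerts as tuples. A 'new_peer' alert is raised for every flow to an
    unseen (dst, port) pair; a single 'fanout' alert is raised per device when it
    contacts more previously unknown hosts than fanout_threshold."""
    alerts = []
    new_hosts = defaultdict(set)
    for device, dst, port, _ in flows:
        known = baseline.get(device, set())
        if (dst, port) not in known:
            alerts.append(("new_peer", device, dst, port))
            if dst not in {host for host, _ in known}:
                new_hosts[device].add(dst)
    for device, hosts in new_hosts.items():
        if len(hosts) > fanout_threshold:
            alerts.append(("fanout", device, len(hosts), None))
    return alerts


if __name__ == "__main__":
    for alert in detect_deviations(build_baseline(BASELINE_FLOWS), LIVE_FLOWS):
        print(alert)
```

A real deployment would learn the baseline over days rather than five records and would also key on timing and byte volume, but the shape of the check is the same: known behavior is small and stable, so anything outside it is worth a look.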