Healthcare is ripe for innovation when it comes to medical device security. Automated visibility across the rapidly growing number of connected devices remains a crucial component of any security strategy. Two areas that are often overlooked are Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems, which typically have weaker security controls in place. These connected devices control things like building entry and environmental automation. Typically, ICS/SCADA devices run on archaic operating systems full of easily exploitable vulnerabilities, and their security relies on “proprietary” communication methods, which leaves a lot to be desired.
Heating and air conditioning (HVAC) systems were among the earliest places where industrial control systems were installed. Most large buildings, not just hospitals, use industrial control systems to maintain temperature and humidity efficiently. Like most industrial-focused systems, they are designed to last far longer than laptops or servers, often with lifecycles measured in decades rather than years. It is not uncommon for an organization to go through four or five generations of computers while a single HVAC control system is in use. Now imagine that an organization kept its servers and laptops for 10 or more years. It would struggle to secure its network, let alone manage it well.
These systems, regardless of their age, are endpoints. They have connected systems that process information, execute commands, and directly affect real-world conditions. During the decades an HVAC system is used, the organization will spend time, money, and resources to test, remediate, and replace outdated systems and software throughout their network. At the same time, they will pay little to no attention to these “non-standard” devices, leaving a goldmine for attackers to gain a foothold into an organization’s intranet.
While HVAC environmental controls are the most ubiquitous ICS deployment, there are many other weak spots to consider. Most larger organizations have some sort of entry control system that runs on an overlooked or unmanaged industrial control system. These entry control systems monitor and control physical access to the building, so a compromise could mean a myriad of terrible things for the victim.
All of these systems have the potential to cause real-world catastrophes, with both financial and physical consequences. Attackers use a compromised, unmonitored system as their entry point into a corporate network. When their presence is noticed on a monitored system, they can re-establish their connection from the unmonitored systems they still control. Once inside, they can compromise customer data, steal financial information, hold sensitive information hostage, or cause some other malicious result.
The most important step any organization can take to get a handle on these often-overlooked issues is to view industrial control systems as part of the network as a whole. If a device can connect to your network, it should be managed. And that starts with knowing what’s on your network. All devices must be carefully tested, monitored, and updated to ensure network security. Once inventoried, you can take further steps, such as identifying vulnerable ports, services, and default passwords.
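As an added illustration of the inventory-driven triage described above (example code, not part of the original post), the script below reads a device inventory export and flags the overlooked endpoints the post warns about: exposed building-automation protocols, unsupported operating systems, devices in service for a decade or more, unchanged default credentials, and gaps in monitoring. The column layout and all device records are constructed sample data, and the unsupported-OS list is an assumption for the example.

```python
# Added example, not from the original post: triage a device inventory export
# for the overlooked ICS/SCADA endpoints the post describes. Column names and
# all device records are constructed sample data, not real hosts.
import csv
import io
from datetime import date

# Well-known building-automation / ICS service ports used to classify devices.
ICS_PORTS = {502: "Modbus/TCP", 47808: "BACnet/IP"}
# OS families no longer receiving vendor patches (assumed list for the example).
UNSUPPORTED_OS = {"Windows XP", "Windows 7", "Windows Server 2003"}
MAX_AGE_YEARS = 10  # flag devices in service longer than this

# Constructed sample inventory; 'default_creds' comes from a credential audit.
SAMPLE_INVENTORY = """\
hostname,ip,os,install_year,open_ports,default_creds,monitored
hvac-ctl-01,10.20.1.5,Windows XP,2009,"47808,80",yes,no
door-ctl-03,10.20.1.9,Embedded Linux,2014,"502,23",yes,no
file-srv-02,10.10.0.4,Windows Server 2019,2021,"445,3389",no,yes
imaging-ws-7,10.30.2.2,Windows 10,2019,"135,445",no,yes
"""

def triage(csv_text, today=date(2024, 1, 1)):
    """Return [(hostname, [findings])] for devices that need attention.

    `today` is fixed so the sample output is reproducible.
    """
    results = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings = []
        ports = {int(p) for p in row["open_ports"].split(",") if p}
        ics = [ICS_PORTS[p] for p in sorted(ports) if p in ICS_PORTS]
        if ics:
            findings.append("ICS protocol exposed: " + ", ".join(ics))
        if 23 in ports:
            findings.append("telnet service open")
        if row["os"] in UNSUPPORTED_OS:
            findings.append("unsupported OS: " + row["os"])
        if today.year - int(row["install_year"]) >= MAX_AGE_YEARS:
            findings.append("in service %d+ years" % MAX_AGE_YEARS)
        if row["default_creds"] == "yes":
            findings.append("default credentials still set")
        if row["monitored"] == "no":
            findings.append("not covered by monitoring")
        if findings:
            results.append((row["hostname"], findings))
    return results

if __name__ == "__main__":
    for host, findings in triage(SAMPLE_INVENTORY):
        print(host, "->", "; ".join(findings))
```

Run against a real export, the same checks turn "know what's on your network" into a prioritized list of the unmanaged controllers to test, monitor, and update first.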
Technical Product Manager