Industrial Control Systems:
Ghosts in the Healthcare Machine

Healthcare is ripe for innovation when it comes to medical device security. Of course, automated visibility across the rapidly growing number of connected devices remains a crucial component of any security strategy. Two areas that are often overlooked are Industrial Control Systems (ICS) and/or Supervisory Control and Data Acquisition (SCADA), which typically have worse security controls in place. These connected devices control things like entry control and environmental automation. Typically, these ICS / SCADA devices are based on archaic operating systems full of easily exploitable vulnerabilities, and their security relies on using “proprietary” communications methods – leaving a lot to be desired.

Security by Obscurity Not Effective

ICS / SCADA often run on “non-IP” networks. Because of this, they use proprietary communication protocols to communicate within the industrial control network, which may include each device such as the Primary Logic Controller and various valve controllers and sensors. Each component has an IP bridge with an ethernet and/or wireless-capable network interface card (NIC). Overall, the system and each piece of that system are likely to be communicating on the standard IP network. How many of those devices go unnoticed?

These industrial control systems devices are connected to the primary network (hopefully in a segmented subnet) to communicate with performance monitoring systems. While this is reasonable for this functionality, it creates the potential for numerous unmanaged and vulnerable devices to be connected and communicating on the intranet and even possibly sending log data out to the internet. Malicious actors looking to gain access to sensitive information can use these weak and unknown systems to gain a foothold within the network from which they can disseminate malware, exfiltrate data, or many other things.

ICS Systems Aging … Gracefully?

Heating and air conditioning (HVAC) systems were the earliest places where industrial control systems were installed. Most large buildings, not just hospitals, use industrial control systems to maintain temperature and humidity efficiently. Like most industrial-focused systems, these systems are designed to last far longer than laptops or servers, often with lifecycles measured in decades rather than years. It is not uncommon for an organization to go through four or five generations of computers when an HVAC ICS system is in use. Now imagine that an organization kept its servers and laptops for 10 or more years. They would be far from able to secure their network, let alone manage it well.

These systems, regardless of their age, are endpoints. They have connected systems that process information, execute commands, and directly affect real-world conditions. During the decades an HVAC system is used, the organization will spend time, money, and resources to test, remediate, and replace outdated systems and software throughout their network. At the same time, they will pay little to no attention to these “non-standard” devices, leaving a goldmine for attackers to gain a foothold into an organization’s intranet.

ICS Security Threats Not Limited to Environmental Controls

While HVAC environmental controls are the universal ICS systems, there are many other weak spots to consider. Most larger organizations have some sort of entry control system that runs on an overlooked or unmanaged industrial control system. These entry control systems monitor and control access to the building, which could mean a myriad of terrible things for the victim.

These systems, regardless of their age, are endpoints. They have connected systems that process information, execute commands, and directly affect real-world conditions. During the decades an HVAC system is used, the organization will spend time, money, and resources to test, remediate, and replace outdated systems and software throughout their network. At the same time, they will pay little to no attention to these “non-standard” devices, leaving a goldmine for attackers to gain a foothold into an organization’s intranet.

Compromised Industrial Control Systems and Real-World Implications

All of these systems have the potential to cause real-world catastrophes, including financial and physical consequences. Attackers will use weak systems as their entry into a corporate network using a compromised and unmonitored system. When their presence is noticed on a monitored system, they can re-establish their connection from the compromised systems. Once inside, they can compromise customer data, steal financial information, hold sensitive information hostage, or some other malicious result.

Successful Security Strategies Treat All Endpoints as Endpoints

The most important step any organization can take to get a handle on these often-overlooked issues is to view industrial control systems as part of the network as a whole. If a device can connect to your network, it should be managed. And that starts with knowing what’s on your network. All devices must be carefully tested, monitored, and updated to ensure network security. Once logged, you can take further steps, such as identifying vulnerable ports, services, and default passwords.

How Securolytics Can Help

Fortunately, the Securolytics Security Appliance and the FREE IoT Mini make it easy to manage your industrial control system security with less time and overhead. Simply plug in the Securolytics appliance into any network port. Within a day, it will identify IoT and other connected devices on your network, categorize them, identify vulnerabilities and, where possible, block vulnerable services or patch them if patches exist. And, Securolytics can do this with little to no interaction or strain on corporate IT.

Ready to give your ICS security plan an upgrade? We’ll ship the Security IoT Mini to you for free.