The FBI Publishes Statement – Unpatched and Outdated IoT Devices Increase Cyber Attack Opportunities

What Happened?

The FBI recently issued an industry notification about unpatched and outdated devices, warning the public that cyber criminals are increasingly targeting internet-connected devices for the purpose of exploiting their vulnerabilities.

The FBI discovered multiple vulnerabilities, specifically in medical devices, arising from devices that run outdated software and devices that lack sufficient security features.

According to FBI documentation, “these vulnerabilities negatively impact organization’s operational functions, overall safety, data confidentiality, and data integrity. In Medical, device vulnerabilities are inherent to the device itself, originating from device hardware design and device software management. Routine challenges include the use of standardized configurations, specialized configurations, including a substantial number of managed devices on the network, lack of device embedded security features, and the inability to upgrade those features.” [1]

Is There a Real Threat to Businesses?

The quick answer is “YES”. Every device that connects to the network through the Internet increases the cyber-attack surface. Protecting IoT devices against vulnerabilities (like those the FBI warns about) is not a simple task, for several reasons. Here are a few reasons why this technology poses a greater security risk:

  • IoT devices are not designed with security top of mind (they’re usually unattended and unmanaged).
  • Up to half of connected devices, like ultrasound and MRI machines, run on legacy operating systems that are no longer supported or maintained—meaning zero security support or patches are available.
  • There’s no certification and standardization for cyber security in medical devices – which is ironic considering that medical device safety is one of the strictest areas of regulation globally.
  • There is a hodgepodge of devices within the organization, making it almost impossible to manually identify and map every single device to try and monitor its communication destinations.
  • IoT devices lack standardized interfaces and controls, so it’s also very difficult to create a uniform security policy, upgrade software, or even implement strong passwords without a solution specifically designed for IoT security.

A cyber criminal exploiting these vulnerabilities can have a huge impact, both in financial loss and in the safety of employees, customers, patients, etc. According to a recent study by Ponemon, systems are paying $250,000 to $500,000 on average in any single ransomware attack [2]. This number does not include fees lost to exposing patient information.

How Can Check Point Help with the FBI Recommendations?

Managing the sheer number and variety of IoT devices can be overwhelming. And of course, your organization is probably using a wide range of those devices, from IP cameras and smart TVs to MRI machines and infusion pumps (if in healthcare).

The FBI released recommendations to consider while attempting to secure against these vulnerabilities. In this section, I will outline how Check Point is positioned to help mitigate these risks.

  • Endpoint Protection
    • FBI Recommendation:
      • If supported by the medical device, use antivirus software on an endpoint. If not supported, provide integrity verification whenever the device is disconnected for service and before it is reconnected to the IT network.
      • Encrypt medical device data while in transit and at rest.
      • Utilize endpoint detection and response (EDR) and extended detection and response (XDR) solutions, which provide visibility on medical devices and offer protection.
    • Check Point Solutions:
      • Horizon EDR/XDR: Horizon XDR/XPR enables rapid detection, investigation, and automated response across your entire IT infrastructure, including network, cloud, endpoint, mobile, and email security.
      • Check Point on-device security solutions:
        • Horizon Endpoint: a complete endpoint security solution built to protect user PCs and laptops from exploits, malware and ransomware.
        • Horizon Mobile: secures employee iOS and Android mobile devices across all attack vectors: apps, network and OS.
        • Quantum IoT Protect Embedded: secures IoT devices with on-device runtime protection.
  • Identity and Access Management
    • FBI Recommendation:
      • Ensure default passwords are changed to secure and complex passwords specific for each medical device. If supported by the medical device, limit the number of login attempts per user.
    • Check Point network security solutions:
  • Asset Management
    • FBI Recommendation:
      • Maintain an electronic inventory management system for all medical devices and associated software, including vendor-developed software components, operating systems, version and model numbers.
      • Use inventory results to identify critical medical devices, operational properties, and maintenance timeframes.
      • Consider replacement options for affected medical devices as part of the purchasing process; if replacing the medical device is not feasible, take other mitigation precautions, such as isolating the device from the network or auditing the device’s network activities.
    • Check Point solution:
      • Quantum IoT Protect: Medigate (learn more) and Armis (learn more) are considered the most advanced asset management solutions in the market. Connect Medigate or Armis to Check Point to ingest 100,000+ device profiles and automatically create least-privileged access policies based on device attributes.
  • Vulnerability Management
    • FBI Recommendation:
      • Work with manufacturers to help mitigate vulnerabilities on operational medical devices.
      • Monitor and review medical devices’ software vulnerability disclosures by vendors and conduct independent vulnerability assessments.
      • Implement a routine vulnerability scan before installing any new medical device onto the operating IT network.
    • Check Point

If you would like more information, head over to the hyperlinks included in the section above and/or reach out to us now.