How can a hospital protect an MRI machine with an unchangeable password and still connect it to the network? How can an industrial recycler safely secure its $400,000 hard drive recertification rack with control software that only runs on Windows XP?
These are not uncommon risks. The devices themselves can’t be secured, but that doesn’t mean we can’t use basic IT techniques to reduce our security risks. We will examine three options that can help protect the vulnerable devices: network segmentation, a hard-wired partner, and virtual machines. However, before we dig into the technologies, let’s first examine why we need them.
The Scope of the Unfixable Device Problem
Many organizations find themselves with very expensive, very vulnerable devices that cannot be replaced. Yet these devices also have critical vulnerabilities and need to connect to the network to exchange data or for remote control.
Industries with very expensive operational technology (OT) and Internet of Things (IoT) devices, such as healthcare or industrial manufacturing, can be especially vulnerable. Many of these critical devices require obsolete operating systems, have hard-coded passwords, or other equally dangerous security weaknesses.
As recently as 2020, 83% of medical imaging devices ran on operating systems that no longer receive updates. A report from this year estimates that 53% of connected medical devices have an identified critical risk. This includes 73% of IV pumps and most laboratory devices.
Although the number of hospitals applying solutions such as network segmentation continues to grow, researchers estimated less than half of the hospitals in the United States had begun the process. The world-wide numbers will be even worse.
Of course healthcare providers have plenty of company in their vulnerable state. Researchers estimate that:
- 40% of industrial sites have at least one direct connection to the internet with at least one Industrial Control System (ICS) device exposed
- 84% of sites have at least one remotely accessible device
- 53% of industrial sites maintain obsolete Windows OS such as Windows XP
- 57% of ICS sites do not run automatically updating antivirus protection
Also read: Top IoT Security Solutions
3 Ways to Defend Unprotected Devices
Millions of devices and thousands of organizations, big and small, have unprotected vulnerabilities waiting for a hacker to find them. Fortunately, we don’t have to just wait for the problem to explode, we can apply traditional IT technology to isolate and protect many of these devices that cannot be made secure on their own. Here are three ways to make unfixable devices more secure.
Network segmentation originates from separately wired network segments back when our physical offices had different equipment on every floor and our switches had more limited capacity. Today, our network segmentation can also be created using programming and no longer has to rely upon wires and switches.
Researchers estimate that 90% of healthcare IoT critical risks can be addressed by network segmentation. Network engineers use network segmentation rules to restrict sections of the network to specific users, security controls, or devices.
Here are a few examples of network segmentation in use:
- finance computers could be restricted to a user group defined as accounting employees
- computers connected to hospital ultrasound devices could be restricted to ultrasound employees carrying specific security badges (two-factor authentication)
- a chemical plant can create a white-label list of specific PCs and connected devices (pumps, mixers, etc.) and block any other device from connecting to that segment
Networks can also be cloud-based virtual local area networks (VLAN) that can run in the cloud and encompass specific types of devices across a wide geographic area. When network segments are restricted to only a couple of devices, it can be called microsegmentation, a critical component of zero trust security.
When a combination of controls creates a network segment for a vulnerable device it secures the organization in two ways. First, the segmentation limits which devices and users can even see the vulnerable device on the network and constrain an attacker’s ability to attack the device. Second, it also protects the network from attackers that manage to gain access to the vulnerable equipment because the attackers will find themselves on a very limited segment with restricted access to devices on other network segments.
Also read: Top Microsegmentation Software
A hard-wired partner realizes a similar isolation, but uses different technology. Instead of using network segmentation to protect the system, we instead use a second computer. This second, fully secured device serves only to connect the vulnerable devices to the network or internet.
For example, we might have a machine that can only be controlled by a PC running Windows XP. That industrial system and the Windows XP device need to be remotely controlled, but we cannot secure either the device or Windows XP system.
We hardwire the Windows XP system to an older PC with enough power to run Windows 10. We further lock down the Windows XP system and deny communication with any PC other than that specific Windows 10 machine using restrictive firewall rules or through a completely separate and hard-wired network.
Of course, we still need to lock down the Windows 10 machine, but we know how to do that. This Windows 10 machine could be used to serve other functions, but the Windows XP device should be strictly limited to controlling the equipment.
This solution often will be overlooked because it lacks sophistication and uses extra resources. However, the cost of a second PC will usually offset potential costs of a breach by a wide margin. Additionally, this solution requires the least IT knowledge and does not require advanced IT skills to execute.
Virtual machines can act as a hard-wired pair, but instead use virtualization to host the vulnerable software within a secure device. For example, instead of a separate computer, the Windows XP software can be installed into a virtual machine hosted on a secured host.
We still block the Windows XP device from the internet or general network by implementing a firewall on the XP virtual device that blocks all ports except those specifically needed to connect with the equipment or to communicate with the host computer.
The advantage to the virtual machine is added flexibility. Virtual machines can run on servers, powerful laptops or PCs, and on the cloud. Instead of using the network to communicate, they can communicate directly with the host computer, which can create a secure bubble for the vulnerable operating system or software.
Using a virtual machine also allows for scalability and range. For example, picture an oil pipeline company with a series of expensive pumps located hundreds of miles apart that require an obsolete management software with known vulnerabilities that runs on Windows 7.
A cloud-based server could be set up with virtual Windows 7 machines that have a whitelist restricting communication strictly with the pumps and with the host server. The secure cloud server can still be remotely controlled, and it protects devices hundreds of miles apart in a secure virtual machine.
The Best Security Wins
Which method is best? It depends upon the situation and the resources. Different IT engineers have different specialties. Network engineers will prefer network segmentation, VM experts will favor virtual machines, and if we don’t understand networking or VMs that well, a hardwired second computer might make the most sense.
Geography, network resources, and costs will also play a role in determining the ideal solution. For high-value or high-risk targets, we may even want to implement more than one of these solutions or add additional security measures. White-listed IP addresses or port knocking can be used to further isolate and protect vulnerable machines.
In all cases, whatever is used to protect the unfixable device needs to be set up well. Internal penetration testing should be used to verify that the selected strategy hasn’t overlooked any potential security holes.
In an ideal world, our suppliers will be able to update our devices to plug security holes. Unfortunately, that ideal world isn’t our current reality, so we must take adequate measures on our own. Fortunately, we are not helpless, and solutions like these can isolate and contain our unfixable vulnerabilities.
Read next: Top Vulnerability Management Tools