Protect industrial and healthcare networks from IoT and M2M risks - IoT global network

Blogs

Protect industrial and healthcare networks from IoT and M2M risks

May 26, 2016

Posted by: George Malim

Myles Bray, ForeScout Technologies

When it comes to technological trends, the Internet of Things (IoT) is a very big thing indeed. Approximately 3.9 billion connected things were in use in 2014. Gartner expects this figure to rise to at least 25 billion by 2020. Connected devices are certainly changing the way our global economy and societies function, and they are dramatically changing the rules for IT security, writes Myles Bray, the vice president of EMEA sales at ForeScout Technologies.

Sooner or later, security departments must devise plans to deal with the IoT. However, sooner is better, as IoT devices are already connected to many corporate networks—in many cases unbeknown to IT managers. In fact, a recent survey conducted by IDG has shown that more than 60% of organisations have no way of seeing the devices that are connected to their networks. Not only are those connected devices unknown, they are often outside of the control of network administrators. As a result, totally unmonitored, cybercriminals can take their time and extract information or spread malware without risk of getting caught.

Security through visibility and automation in industrial facilities
The IoT is gaining ground in industrial facilities. However, unlike conventional office settings, where connected devices are most often PCs, laptops, tablets and smartphones, endpoints in production facilities may be all of those things as well as proprietary, small-footprint devices that are interconnected and use machine-to-machine (M2M) communication. SCADA systems, for example, tend to use proprietary operating systems and cannot be patched or have antivirus clients (agents) or other security tools installed because their functionality, integration and performance would be impaired. Putting agents on these systems isn’t possible or desirable in a fast-paced production environment.

Industrial control systems are generally programmed and developed as offline systems, and are built to manage isolated production environments. The challenge is to integrate agentless, IP-connected IoT devices into these time-critical environments while providing IT staff with visibility and continuous monitoring capabilities from one central position. Devices that are out of compliance must be able to be automatically remediated before access is granted. In many cases, internal networks must be reserved for company-owned devices, and guest devices need to be isolated to guest networks.

Providing flexibility and tight security in healthcare
The healthcare industry is a ripe target for cybercriminals, and recent ransomware attacks represent just a small fraction of the problem. Patient records contain a wealth of personal details that can be used in spear-phishing attacks. And, since there are so many people handling healthcare data in any institution, the attack surface is huge.

In interviews conducted by IDG of more than 1,500 IT directors from various industries in the U.K., DACH region (Austria, Germany, Switzerland) and the U.S., the healthcare industry stands out when it comes to data leakage concerns. 60% of respondents from this sector see monitoring of data losses as the most important security problem. In addition, those working in the healthcare industry report more security issues than other industries due to unsanctioned use of devices and applications.

IoT devices are pervasive in the healthcare sector. Remote medical applications and wearable patient-monitoring devices, as well as interconnected hospital equipment, are all accessing networks. Most of these devices have a small footprint and are incapable of supporting agents due to resource requirement and the potential impact on performance.

The healthcare industry poses unique challenges for IT technologists. Physicians must be able to work in their accustomed environment. Patient data must be protected. Devices sharing clinical information must not be blocked from the network because they are out of compliance due to a minor issue. Whitelisting is far too broad a solution. A fine-grained approach to security is called for in which granular policies are established for different groups of devices and users.

To that end, next-generation Network Access Control (NAC) solutions can serve as a cornerstone technology. A next-generation NAC, such as ForeScout CounterACT, automatically checks if a device is compliant as soon as it attempts to access the network. Unlike other next-generation NAC offerings, CounterACT performs these actions without requiring software agents or certificates. It then continues to monitor the device’s behaviour while it is connected. Devices that are deemed out of compliance or suspicious are limited to a segmented VLAN or blocked altogether.

This level of selectivity ensures that life-critical heart monitors can log on and maintain network connectivity without difficulties. It also minimises the risks associated with malware infecting a hospital or clinic through an employee’s or contractor’s privately owned device.

The IoT is ramping up. We can be certain that the types and quantities of devices accessing networks will grow extensively—even exponentially—in the years ahead. Companies need to take this into consideration and adapt their security strategies accordingly.

A next-generation NAC can see IoT devices as they access the network and control them automatically. At the same time, a next-generation NAC can provide orchestration of security tasks. Security solutions already installed and in use by organisations, such as firewalls, vulnerability assessment, enterprise mobility management (EMM), advanced threat detection (ATD), endpoint protection platforms (EPP) and SIEM solutions, can receive information from NAC. By automating response and network segmentation, next-generation NACs deployed in production facilities, clinical settings and in industries of all kinds can go a long way toward helping to maintain appropriate levels of asset protection and data privacy while maintaining compliance and reducing IT department stress.