The study from Forescout Technologies, a company specializing in the visibility and control of network-connected devices, finds that physical access control systems and medical equipment are highly vulnerable.
Certain connected equipment exposes corporate networks. Entitled “The Enterprise of Things Security Report”, the Forescout study defines the risks inherent in each type of equipment and specific to each sector.
The riskiest trio includes, in descending order of risk, physical access control systems, HVAC (heating, ventilation, air conditioning) systems and surveillance cameras.
To conduct this study, Forescout collected data from 8 million connected devices worldwide, deployed in five main sectors: finance, public institutions, health, industry and commerce.
It applied a methodology that scores the risk of IoT devices on 6 criteria, including known vulnerabilities, observed security events and potential impact.
According to this survey, the groups of equipment most at risk are those relating to Smart Buildings. Next come health care equipment, network equipment and VoIP phones.
Critical ports open
These Smart Building connected objects – among them HVAC systems, physical access control solutions, IP cameras, emergency communication systems and lighting – are present in all the sectors studied and represent a risk for modern organizations.
The recent discovery of the Ripple20 vulnerabilities reminds us that many devices can put organizations at risk. Either the device itself is compromised, with direct consequences for the service it provides, or attackers use it as a gateway into the corporate network.
Outside the healthcare sector, devices from the Smart Building group always occupy one of the top two places among the riskiest equipment types. In the institutional and trade sectors they even make up the entire podium!
In detail, the device types presenting the highest level of risk are physical access control systems, in particular because of numerous open critical ports, too much connectivity with other risky devices and the presence of known vulnerabilities.
HVAC systems (heating, ventilation, air conditioning) and surveillance cameras complete the podium.
Medical equipment is also among the riskiest connected objects, as is network equipment. If compromised, this equipment could have significant consequences, especially in the case of medical devices. Again, these devices too often have open critical ports that expose dangerous services on the network.
More worryingly, just over 30% of equipment managed under Windows in the industrial sector uses software versions which Microsoft no longer supports! This figure exceeds 35% in health.
Hundreds of forgotten IoT devices
In the finance industry, almost 30% of Windows-managed equipment runs operating systems that have not been updated to address threats such as BlueKeep.
On the other hand, the percentage of devices running Microsoft software versions (Windows 7, Vista, XP) that the vendor no longer supports remains below 1% in all the sectors studied.
The main network protocols are present across the vertical sectors studied. The study shows that almost 10% of devices in the institutional sector have Telnet port 23 open by default, and almost 12% have FTP ports 20 or 21 open by default.
In the financial services, health and institutional sectors, almost 20% of devices have SMB port 445 open by default, and 12% have RDP port 3389 open.
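The two risk signals the article keeps returning to, critical ports exposed on the network and Windows versions the vendor no longer supports, are easy to check against an asset inventory. The script below is an added example, not Forescout's methodology or code; the inventory, the device names and the `device_findings`, `sector_exposure` and `rank_devices` helpers are all constructed here to illustrate how a defender would flag such devices and compute per-sector exposure percentages of the kind the study reports.

```python
"""Audit a device inventory for exposed critical ports and unsupported
Windows versions.  Added example with a constructed inventory; it is not
Forescout's data or scoring method."""
from collections import defaultdict

# Ports the article names as exposing dangerous services on the network.
CRITICAL_PORTS = {20: "FTP-data", 21: "FTP", 23: "Telnet", 445: "SMB", 3389: "RDP"}

# Windows versions the article names as no longer supported by Microsoft.
UNSUPPORTED_OS = {"Windows XP", "Windows Vista", "Windows 7"}

# Constructed sample inventory (hypothetical device ids, sectors and ports).
INVENTORY = [
    {"id": "badge-ctrl-01", "sector": "institutional", "type": "access control",
     "os": "Linux", "open_ports": [23, 80]},
    {"id": "cam-lobby-02", "sector": "institutional", "type": "IP camera",
     "os": "Embedded", "open_ports": [80, 554]},
    {"id": "hvac-roof-03", "sector": "institutional", "type": "HVAC",
     "os": "Windows 7", "open_ports": [445, 3389]},
    {"id": "print-floor2-04", "sector": "institutional", "type": "printer",
     "os": "Embedded", "open_ports": [21, 9100]},
    {"id": "infusion-pump-05", "sector": "health", "type": "medical",
     "os": "Windows XP", "open_ports": [445]},
    {"id": "mri-console-06", "sector": "health", "type": "medical",
     "os": "Windows 10", "open_ports": [3389]},
    {"id": "voip-07", "sector": "health", "type": "VoIP phone",
     "os": "Embedded", "open_ports": [5060]},
]


def device_findings(device):
    """Return a list of human-readable findings for one device."""
    findings = []
    for port in sorted(device["open_ports"]):
        if port in CRITICAL_PORTS:
            findings.append(f"critical port {port}/{CRITICAL_PORTS[port]} open")
    if device["os"] in UNSUPPORTED_OS:
        findings.append(f"unsupported OS {device['os']}")
    return findings


def sector_exposure(inventory, port):
    """Percentage of devices per sector with `port` open, rounded to 0.1."""
    totals = defaultdict(int)
    hits = defaultdict(int)
    for device in inventory:
        totals[device["sector"]] += 1
        if port in device["open_ports"]:
            hits[device["sector"]] += 1
    return {s: round(100.0 * hits[s] / totals[s], 1) for s in totals}


def rank_devices(inventory):
    """Ids of devices with at least one finding, most findings first,
    ties broken alphabetically so the order is deterministic."""
    scored = [(len(device_findings(d)), d["id"]) for d in inventory]
    ranked = sorted(scored, key=lambda t: (-t[0], t[1]))
    return [dev_id for count, dev_id in ranked if count > 0]


if __name__ == "__main__":
    for dev_id in rank_devices(INVENTORY):
        device = next(d for d in INVENTORY if d["id"] == dev_id)
        print(dev_id, device["type"], "->", "; ".join(device_findings(device)))
    for port in (23, 445, 3389):
        print(f"port {port} exposure by sector:", sector_exposure(INVENTORY, port))
```

Running it ranks the Windows 7 HVAC controller first (two critical ports plus an unsupported OS) and the XP infusion pump second, and prints SMB exposure of 25% for the institutional sample and 33.3% for the health sample; in practice the inventory would come from a discovery tool's export rather than a hard-coded list.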
“When we talk about connected equipment, most companies think first of all of phones and laptops, and forget about the hundreds of other devices that are also connected on their networks,” explains Julien Tarnowski, regional director for France and Luxembourg of Forescout.
Securing so many, and such different, devices represents a major challenge for IT managers. But solutions exist to automatically identify, manage and secure the equipment that connects to the network, as part of broader security policies.