Organizations are increasingly connecting their equipment, sensors and other physical systems (Internet of Things devices) to the enterprise network to create new revenue streams, improve productivity and enhance customer service. The FBI, however, has warned that these devices are being targeted by cybercriminals.
There are three possible scenarios:
Attackers exploit vulnerabilities of these IoT devices to hack into enterprise networks,
Connected devices become candidates for infection if they have vulnerabilities matching a malware family's target profile, even when they were not specifically targeted, and
IoT devices and networks are targeted for cyber terrorism and/or ransomware.
In any of these scenarios, malfunction of compromised connected devices leads to operational disruptions and safety concerns.
The following discoveries were made concerning the cybersecurity of connected equipment during ResiliAnt's customer engagements:
An Electronics Manufacturing Services (EMS) Company Case Study
The chairman and CEO of a small-cap publicly traded group had recently attended a week-long Executive Program for Presidents at Harvard. Using the Target breach as an example, the program discussed how cybersecurity has become one of the most concerning risks for corporations. He was surprised to learn how the attackers were able to break in by exploiting the HVAC system's network connectivity. He came back determined to make cybersecurity a top priority for his company.
The group serves many Fortune Global 500 companies across industries such as industrial equipment, defense, aerospace, medical and transportation through its Electronics Manufacturing Services (EMS) business unit. The CEO understood that operational disruptions could have ripple effects on these highly valued customers. He tasked the company's CFO and CIO with performing a cybersecurity audit and reporting the outcome to the board.
The audit uncovered a few areas to strengthen, such as endpoint security, intrusion detection and advanced protection against phishing. The review, however, did not consider that plant equipment and HVAC systems were also connected to the network. The CEO quickly asked whether the facility systems or any of the plant equipment were connected to the network and whether the perimeter controls were sufficient. The team needed to get those answers quickly.
ResiliAnt was engaged to inventory and profile all connected industrial systems and identify their vulnerabilities. The engagement revealed that 84% of the equipment had three or more vulnerabilities requiring operating-system, software or firmware patches.
The company decided to add a vulnerability management program to its operating mechanism to proactively manage cybersecurity risks. The CFO was chosen as the executive sponsor for this new program.
ResiliAnt's proprietary solution helps organizations manage cybersecurity risk related to their operational technology (OT/IoT). Please reach us at info@ResiliAnt.co to learn more.
A Machining Service Provider Case Study
A mid-sized machining service provider serving various industries has a fast-growing defense business. One of its customers serving the US DoD required the company to be compliant with NIST SP 800-171. The CFO and the business unit leader saw this as an opportunity to build an enterprise-wide cybersecurity program aligned with their enterprise risk management (ERM) efforts.
The company chose ResiliAnt to develop their cybersecurity risk management program in compliance with the NIST framework.
The engagement uncovered a few critical areas requiring leadership attention. First, the organization needed to manage the cybersecurity of its IT infrastructure differently from that of its Bring-Your-Own-Device (BYOD) endpoints and operational technology (OT) devices, while coordinating all cybersecurity activities under a single governance mechanism to realize functional synergies. The CFO's office emerged as the ideal group to manage these efforts because it was already administering the outsourced IT infrastructure management work.
Second, about 30% of all connected assets were found to be highly vulnerable. The OT devices, accounting for only 12% of all connected assets, were the most severely vulnerable, with an average of 372 unique critical vulnerabilities per OT device. The OT devices had not received the necessary attention from a cybersecurity standpoint, leaving the company's operations exposed to disruptive cyber-attacks.
Third, the cybersecurity program also needed to include employee awareness and training, and cross-functional engagement, to build a culture of security.
ResiliAnt is supporting the company in managing its new cybersecurity program.
A Packaging Solution Provider Case Study
A small packaging company serving the automotive, appliance, furniture and medical industries had suffered two ransomware incidents in the past year, each costing it business disruption and customer goodwill. The leadership became convinced of the need to institutionalize a robust cybersecurity program.
The company engaged ResiliAnt to develop their cybersecurity risk management program in compliance with the NIST framework.
First, the company used a flat network architecture: all devices were connected to a single network segment irrespective of their functional criticality to the organization, so any compromised device could reach every other. The company was also exposed to many human-centric risks, making it more susceptible to cyber-attacks. For example, the organization had weak password management practices and its employees were not adequately trained in cybersecurity awareness.
Second, about 65% of all connected assets were found to be vulnerable, with roughly 450 vulnerabilities each. While OT devices accounted for only 15% of all connected assets, they were the most vulnerable. Many of the OT devices were themselves fragile under scanning: they would reboot or shut down if active network scanning were performed against them. Such devices need to be inventoried passively, by observing their traffic, and any active scanning must be coordinated with operations during a maintenance window.
Third, while none of the Bring-Your-Own-Devices (BYOD) were found to be vulnerable, they were connected to the same network as the business-critical applications. BYOD devices are routinely exposed to untrusted environments when they connect outside the enterprise network, so they bring an elevated level of risk to the organization.
The company is using the ResiliAnt platform to remediate these risks and manage its new cybersecurity program.
A Dental Clinic Case Study
In the summer of 2019, a ransomware attack hit 400 dental offices across the US, denying them access to patient data and systems. This event convinced a dental office in Ohio that it needed to better understand its cybersecurity posture and put appropriate measures in place to protect its business and reputation.
The office chose ResiliEYE to uncover all vulnerabilities and manage its risk with an ROI mindset.
This dental office had mixed cyber-hygiene practices in place. On the positive side, its policies prevented employees and patients from connecting personal devices to the office network, and administrative privileges on the server were restricted so that only the dentist had access. Staff, however, needed to be careful about leaving systems unlocked around patients when stepping away from the room; a malicious patient could access the system and the information it contained.
This office used a flat network architecture, meaning that all devices were connected to a single network segment irrespective of their functional criticality. For example, an x-ray machine and a security camera were connected to the same network as the office computers. About 70% of the connected devices, including the main router, contained high to critical vulnerabilities. In this network architecture, a breach of one device would expose everything else on the network.
The office is benefiting from taking a holistic approach to managing cybersecurity that covers people, process and technology. An incident in an office like this would typically cost around $800,000 to resolve and could damage its reputation and ability to attract patients.
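As an added example (not code from ResiliAnt, ResiliEYE or any of the offices described on this page), the Python script below shows how the flat-network finding from this case and from the packaging provider case can be checked from an asset inventory: hosts are grouped by the IP network they sit in, which stands in for the L2 segment, and any segment that mixes asset classes that should be isolated from each other is flagged. A second function lists what a single compromised host can reach directly, which is the "a breach of one device would impact everything else" point. The inventory, host names, addresses, asset classes and the isolation policy are all constructed for the example.

```python
# Added example, not ResiliAnt's code: flag network segments that mix asset
# classes which should be isolated, and show the blast radius of one host.
from collections import defaultdict
from ipaddress import ip_interface
from itertools import combinations

# Constructed sample inventory; host names and addresses are hypothetical.
# The first segment mirrors the dental clinic case: x-ray machine, security
# camera, the main router and the office PCs all on one /24, plus a phone.
INVENTORY = [
    {"host": "main-router", "addr": "192.168.1.1/24",   "cls": "network"},
    {"host": "office-pc-1", "addr": "192.168.1.10/24",  "cls": "workstation"},
    {"host": "office-pc-2", "addr": "192.168.1.11/24",  "cls": "workstation"},
    {"host": "xray-ctrl",   "addr": "192.168.1.50/24",  "cls": "ot"},
    {"host": "cam-lobby",   "addr": "192.168.1.60/24",  "cls": "iot"},
    {"host": "guest-phone", "addr": "192.168.1.120/24", "cls": "byod"},
    # A separate, properly isolated OT segment for contrast.
    {"host": "plc-line-2",  "addr": "10.20.0.7/24",     "cls": "ot"},
    {"host": "hmi-line-2",  "addr": "10.20.0.8/24",     "cls": "ot"},
]

# Pairs of classes that must not share a broadcast domain. This policy is an
# assumption for the example: OT and IoT gear is kept away from user endpoints
# and personal devices, which are the usual initial foothold for ransomware.
INCOMPATIBLE = {
    frozenset({"ot", "workstation"}),
    frozenset({"ot", "byod"}),
    frozenset({"iot", "workstation"}),
    frozenset({"iot", "byod"}),
}


def segments(inventory):
    """Group inventory entries by the IP network they belong to."""
    by_net = defaultdict(list)
    for asset in inventory:
        # ip_interface (unlike ip_network) accepts a host address with a
        # prefix length and exposes the enclosing network.
        net = ip_interface(asset["addr"]).network
        by_net[net].append(asset)
    return by_net


def mixed_segments(inventory):
    """Return {network: sorted classes} for segments that violate INCOMPATIBLE."""
    findings = {}
    for net, assets in segments(inventory).items():
        classes = {a["cls"] for a in assets}
        pairs = {frozenset(p) for p in combinations(sorted(classes), 2)}
        if pairs & INCOMPATIBLE:
            findings[str(net)] = sorted(classes)
    return findings


def blast_radius(inventory, host):
    """Hosts that `host` can reach directly if it is compromised.

    On a flat segment that is every other host on the network; once the
    network is segmented, the list shrinks to the host's own segment.
    """
    for assets in segments(inventory).values():
        names = [a["host"] for a in assets]
        if host in names:
            return sorted(n for n in names if n != host)
    raise KeyError(host)


if __name__ == "__main__":
    for net, classes in mixed_segments(INVENTORY).items():
        print(f"{net}: mixes {', '.join(classes)}")
    print("compromised guest-phone reaches:",
          ", ".join(blast_radius(INVENTORY, "guest-phone")))
```

Running the script reports the 192.168.1.0/24 segment as mixing byod, iot, network, ot and workstation assets, while the 10.20.0.0/24 OT segment is clean, and shows that the guest phone can reach every other device in the clinic, including the x-ray controller and the router. Grouping by IP subnet is only a proxy for the true L2 segment; where VLANs or ACLs separate hosts that share a subnet, the inventory should carry the VLAN ID instead and the grouping key changed accordingly.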
To learn more about the ResiliEYE platform by ResiliAnt, please reach us at info@ResiliAnt.co.
A Quick Service Restaurant (QSR) Case Study
Restaurants are fast adopters of digital tools, and at the same time they are being breached frequently. More than 70% of consumers cite vendor security as one of their top selection criteria for a purchase. The owner of a franchise of a top-10 quick service restaurant (QSR) chain in North Carolina decided to minimize his business's cybersecurity risk and better protect his reputation with customers.
The owner chose ResiliEYE because of the platform's ease of use and its ability to comprehensively evaluate cybersecurity risks.
As a best practice, the franchisor had provided this restaurant with hardware and enterprise software with good security. However, 50% of the network-connected devices, including some of the IoT devices, had known security vulnerabilities. The POS terminals connected to the main server were running an operating system that Microsoft no longer supported, so they were no longer receiving security patches. A mobile food ordering company had provided terminals that also connected to the network and were vulnerable to cyber-attacks.
Further, the restaurant had not established a strong culture of security. Employees were able to connect their personal devices to the same network that connected the POS system and the main server, so a compromised personal device could put critical store assets and customer data at risk. Every employee also had admin access to the server. System passwords were openly shared, and employees stored them on their mobile devices and in personal email.
This restaurant was highly vulnerable to a cyber breach. An incident in a restaurant like this (annual revenue of $310,000) would cost around $350,000 to resolve, in addition to damaging its reputation. With ResiliEYE, the owner is now managing cybersecurity in his business proactively and comprehensively.
A Defense Electronics Company Case Study