It would be more than safe to say that the cost of hardware has fallen dramatically in most industries. Computers cost a fraction of what they did 5 years ago, let alone 20. Cars that cost £10k now have twice the features. More or less, this has held across most industries – but not all of them. Certain industries, unfortunately, require significant capital investment in high-cost, long-lifespan devices – healthcare and manufacturing come to mind. This creates a unique threat environment for those tasked with protecting and securing these valuable devices. Where most networking and IT hardware is easily patched, or can be ripped out and replaced at manageable cost when it reaches end-of-life, what is a hospital meant to do with an MRI scanner that costs the best part of £500k? Or an assembly line of network-controlled robotic arms in a manufacturing plant, costing the best part of $150k each when new?
Not every organisation can so easily implement the “patch, rip and replace” model with their hardware. Nor can every piece of hardware even be patched or upgraded. As time progresses, and operating systems move forward to new generations – what happens to these devices running operating systems that are no longer supported by their manufacturers? New vulnerabilities are found, and new exploits emerge by the week – what are you meant to do when you can’t mitigate ever-increasing systemic risk by the usual methods (patching and upgrading hardware)?
What do you do when even the company that created the operating system your expensive equipment runs on stops supporting it? This is the very real situation that has presented itself to a great many organisations across industries.
They are trapped between the proverbial rock and a hard place – too much capital invested and lifespan remaining to replace, and in some cases a total inability to upgrade an embedded operating system. Applications designed to interface with complex hardware may not run on management terminals once those terminals are upgraded to newer, more secure operating systems, and that is simply a risk some organisations aren't willing to take. According to Spiceworks, 79% of organisations still run at least one instance of Windows 7, and 32% of businesses still have Windows XP installed on at least one device on their network. This attack surface of devices and systems forcibly left behind by industry progress is very much a real thing. Devices that run assembly lines and help keep people safe and well are running software so out of date that beginner hackers practise on it.
The attack surface is real, and so are the threats taking advantage of it. Take the WannaCry attack of May 2017, which for a few days crippled healthcare IT systems around the world and caused damage estimated in the hundreds of millions of dollars. The vulnerability WannaCry exploited sits in version 1 of the Server Message Block protocol (SMBv1) that Windows uses for file and printer sharing. Specially crafted packets sent to a host with the SMB service exposed on TCP port 445 trigger a flaw the service cannot handle properly, and an attacker can use that condition to run code of their choosing on the system, with no credentials and no user interaction. Microsoft had published a fix (MS17-010) two months before the outbreak, so the hosts that fell were the ones that had not been patched, or were running versions so old that a fix was only released for them, out of band, once the outbreak was already under way. In WannaCry's case the payload was ransomware – malware that, once installed, sweeps the computer and any connected folders for files and encrypts them with a key the system owner has no access to – paired with a worm component that scanned for further SMB-exposed hosts and infected them without anyone clicking anything. The organisation then receives a demand for ransom in return for its data. In the meantime, the victim's IT estate is virtually unusable, crippling the organisation's ability to work.
WannaCry needed only seconds to encrypt a host's files, and only hours to spread across the globe.
This very attack hit an estimated 70,000 devices in the UK's National Health Service – including MRI scanners, blood storage refrigerators and operating theatre equipment. Later analyses found the affected machines were running unpatched or out-of-support versions of Windows: worldwide, most WannaCry victims were Windows 7 hosts that had not taken the MS17-010 update, with Windows XP (which could not take it at all until Microsoft's emergency patch) making up a smaller share. The lesson is the same either way: a device you cannot, or do not, patch is a device the worm will find. Starting to see a pattern here? Organisations like the NHS and other public sector entities like the city of Baltimore are saddled with a host of problems that make them prime targets for attackers – systemic underfunding, expensive and often proprietary hardware and capital investments, and a large user base to support, all of which make upgrades and patching difficult and expensive. They also cannot usually afford the salaries that attract the best cybersecurity talent. Private sector companies, especially those in large-scale manufacturing, have the same issues – lack of expertise and a huge difficulty or inability to change out or update their IT systems. Many organisations have their hands tied by this plethora of constraints, and this has not gone unnoticed by the world's cybercriminals.
But now we know the issue in front of us, and that the threat is real – let's move on to how an organisation can get to work on mitigating the situation and the systemic risk it entails. First up is getting a handle on asset management. I would not follow an officer into battle who didn't know how many men he had at his disposal, and your IT security officer is no different. Any organisation intent on reducing its risk and attack surface first needs to address its asset management processes to identify and track the devices it owns and therefore supports – known as its IT estate. For each device that means recording, at minimum, the operating system and build, whether it can still be patched, what it talks to on the network and who owns it, because those are the facts that decide whether a host can be fixed, isolated or only watched. This is where Accelerate Technologies can help organisations to identify their critical assets and therefore accurately quantify, track and measure their associated risk to the organisation. Know your enemy, and you need not fear the result of a thousand security audits – that's how that saying went, right?
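To make the asset-management step concrete, here is an added example (not Accelerate Technologies' or Fortinet's code) that triages an inventory export for out-of-support Windows builds and for hosts that still have SMBv1 enabled, the protocol version WannaCry's exploit targeted. The CSV column names and the hosts in it are constructed for the illustration; the end-of-support dates are Microsoft's published extended-support end dates, and paid Extended Security Update programmes and embedded variants are deliberately not modelled.

```python
"""Triage an asset inventory for Windows builds that are out of support.

Added illustration, not Accelerate Technologies' or Fortinet's code. It
assumes the inventory is a CSV export with the columns used in
SAMPLE_INVENTORY below (column names and hosts are constructed). The dates
are Microsoft's published end-of-extended-support dates; ESU programmes and
embedded variants such as POSReady have their own dates and are not modelled.
"""
import csv
import io
from datetime import date

END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows Server 2003": date(2015, 7, 14),
    "Windows 7": date(2020, 1, 14),
    "Windows Server 2008": date(2020, 1, 14),
    "Windows Server 2008 R2": date(2020, 1, 14),
    "Windows 8.1": date(2023, 1, 10),
    "Windows Server 2012": date(2023, 10, 10),
    "Windows Server 2012 R2": date(2023, 10, 10),
    "Windows 10": date(2025, 10, 14),
}

# Constructed sample export: hostname, OS, build, whether SMBv1 is still
# enabled on the host, and the business role of the device.
SAMPLE_INVENTORY = """\
hostname,os,build,smb1_enabled,role
MRI-CONSOLE-01,Windows XP,5.1.2600,yes,clinical
BLOODFRIDGE-03,Windows 7,6.1.7601,yes,clinical
ROBOT-CELL-12,Windows 7,6.1.7601,no,manufacturing
FILESRV-02,Windows Server 2012 R2,6.3.9600,no,infrastructure
PLC-HMI-07,VxWorks,6.9,no,manufacturing
WS-RECEPTION-14,Windows 10,10.0.19045,no,office
"""

PRIORITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "review": 3, "low": 4}


def _as_date(value):
    """Accept either a date or an ISO 'YYYY-MM-DD' string."""
    return date.fromisoformat(value) if isinstance(value, str) else value


def classify(os_name, smb1_enabled, as_of):
    """Return (status, days_out_of_support, priority) for one host."""
    as_of = _as_date(as_of)
    eos = END_OF_SUPPORT.get(os_name)
    if eos is None:
        # Not a Windows build we track: needs a human look, not a verdict.
        return "unknown", 0, "review"
    days_out = (as_of - eos).days
    if days_out > 0:
        # Unsupported and still speaking SMBv1 is the WannaCry profile.
        return "unsupported", days_out, ("critical" if smb1_enabled else "high")
    return "supported", 0, ("medium" if smb1_enabled else "low")


def triage(csv_text, as_of):
    """Parse the export and return hosts ordered by how urgently they need
    isolating or monitoring: priority first, then longest out of support."""
    rows = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        smb1 = rec["smb1_enabled"].strip().lower() == "yes"
        status, days_out, priority = classify(rec["os"], smb1, as_of)
        rows.append({
            "hostname": rec["hostname"],
            "os": rec["os"],
            "role": rec["role"],
            "status": status,
            "days_out_of_support": days_out,
            "smb1_enabled": smb1,
            "priority": priority,
        })
    rows.sort(key=lambda r: (PRIORITY_ORDER[r["priority"]],
                             -r["days_out_of_support"], r["hostname"]))
    return rows


if __name__ == "__main__":
    for r in triage(SAMPLE_INVENTORY, date.today()):
        print(f'{r["priority"]:8} {r["hostname"]:16} {r["os"]:24} '
              f'{r["status"]:11} {r["days_out_of_support"]:5}d '
              f'smb1={"yes" if r["smb1_enabled"] else "no"}')
```

The ordering is the point: the list that comes out is the order in which the isolation and monitoring work described in the next sections should be scheduled, and anything that lands in "review" (an OS the table doesn't know) is a gap in the inventory itself, not a host that is fine.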
Next up – seeing as our usual weapons of patching and upgrading the hardware aren't available – is isolating the elements of our infrastructure that cannot be brought in line with the rest of the IT estate on baseline security standards. Network administrators can do this in a variety of ways: placing devices that can't be secured like the rest of the estate on their own network segment (a dedicated VLAN behind a firewall), allowing only the management terminals and back-end systems that genuinely need to reach them to do so, and only on the ports they need, and dropping everything else in both directions. WannaCry is the cautionary tale here: a legacy device that no general workstation can reach on port 445 cannot be hit by an SMB worm spreading across the office LAN, and a legacy device that cannot reach out cannot spread it onward. At the very least this protects the remainder of the organisation's infrastructure. Sometimes this isn't realistic or even possible, though – but there is another solution that can come to the rescue!
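Segmentation only helps if the policy actually denies what you think it denies, so here is an added example (not Accelerate Technologies' or Fortinet's code, and not a FortiGate configuration format) that models an ordered firewall policy and audits whether any sample user-LAN client can still reach a legacy host on the ports a worm would use. The address plan, the host list and the rule model (first match wins, default deny) are all constructed for the illustration.

```python
"""Check that a legacy-device network segment is actually isolated.

Added example, not Accelerate Technologies' or Fortinet's code and not a
FortiGate configuration format. The policy model (ordered allow/deny rules,
first match wins, default deny), the address ranges and the host lists are
constructed for the illustration.
"""
import ipaddress

# Constructed address plan.
LEGACY_VLAN = "10.50.0.0/24"      # MRI consoles, robot-cell controllers
USER_LAN = "10.10.0.0/16"         # general office workstations
MGMT_JUMP_HOST = "10.20.0.5/32"   # the one terminal allowed to manage them

LEGACY_HOSTS = ["10.50.0.11", "10.50.0.12", "10.50.0.20"]
UNTRUSTED_SOURCES = ["10.10.3.44", "10.10.200.9"]   # sample user-LAN clients
SENSITIVE_PORTS = {445: "SMB", 135: "RPC", 139: "NetBIOS", 3389: "RDP"}


def rule(src, dst, action, port=None):
    """One policy line; port=None matches any destination port."""
    return {"src": ipaddress.ip_network(src), "dst": ipaddress.ip_network(dst),
            "port": port, "action": action}


# The weak policy: a flat network where anything talks to anything.
FLAT_POLICY = [rule("0.0.0.0/0", "0.0.0.0/0", "allow")]

# The corrected policy: only the management jump host reaches the legacy
# VLAN, and only on the ports it needs; the legacy VLAN is cut off in both
# directions before the permissive catch-all for the rest of the estate.
SEGMENTED_POLICY = [
    rule(MGMT_JUMP_HOST, LEGACY_VLAN, "allow", port=3389),
    rule(MGMT_JUMP_HOST, LEGACY_VLAN, "allow", port=445),
    rule("0.0.0.0/0", LEGACY_VLAN, "deny"),
    rule(LEGACY_VLAN, "0.0.0.0/0", "deny"),
    rule("0.0.0.0/0", "0.0.0.0/0", "allow"),
]


def is_reachable(policy, src_ip, dst_ip, port):
    """First-match evaluation; no matching rule means deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in policy:
        if src in r["src"] and dst in r["dst"] and r["port"] in (None, port):
            return r["action"] == "allow"
    return False


def audit(policy, legacy_hosts=LEGACY_HOSTS, sources=UNTRUSTED_SOURCES):
    """Return every (source, legacy host, port, service) the policy leaves open."""
    findings = []
    for src in sources:
        for dst in legacy_hosts:
            for port, name in SENSITIVE_PORTS.items():
                if is_reachable(policy, src, dst, port):
                    findings.append((src, dst, port, name))
    return findings


if __name__ == "__main__":
    for label, pol in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        hits = audit(pol)
        print(f"{label}: {len(hits)} exposed paths")
        for src, dst, port, name in hits[:3]:
            print(f"  {src} -> {dst}:{port} ({name})")
```

Run the same audit against your real policy export whenever a rule is added: the most common way isolation quietly fails is a later "temporary" allow rule inserted above the deny.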
If you can't patch or upgrade a valuable system or asset, you can monitor and protect it. This is where Endpoint Detection and Response (EDR) systems come into their own. EDR provides exceptional security visibility, in near real-time, on the assets it is deployed to. This is done by baselining the target system, monitoring and recording endpoint activity (processes, network connections, persistence points), detecting deviations from that baseline and other malicious behaviour, and responding to threats. A legacy device whose function never changes is actually the ideal case for baselining: an MRI console or robot controller should run the same handful of vendor processes and listen on the same handful of ports every day, so anything new on it is suspect by definition. Fortinet's FortiEDR solution does exactly this – providing critical monitoring and visibility for valuable assets and supporting several operating systems that are now end-of-life and out of manufacturer support. FortiEDR supports the vulnerable operating systems described in this article, from Windows XP through Windows 10; check Fortinet's current release notes for the exact versions and service-pack levels covered before planning a rollout. FortiEDR also integrates seamlessly with the rest of Fortinet's security solution suite and allows integration of the valuable hardware we've been discussing with your existing incident response and threat hunting capability.
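To show what "baselining" buys you on a frozen-function device, here is an added example (not FortiEDR's internals or Fortinet's code) that compares a later snapshot of a legacy imaging console against the snapshot taken at commissioning and ranks the differences. The two snapshots, the process names, paths and ports in them are all constructed for the illustration.

```python
"""Baseline-and-drift detection for a frozen-function legacy endpoint.

Added example, not FortiEDR's internals or Fortinet's code; it models the
baselining step in the simplest way that works. Snapshots are constructed
dicts of what an agent would collect on the host: running processes as
(name, image path), listening TCP ports, and autorun entries.
"""

# Constructed baseline taken from a legacy imaging console at commissioning.
BASELINE = {
    "processes": {
        ("svchost.exe", r"C:\WINDOWS\system32\svchost.exe"),
        ("lsass.exe", r"C:\WINDOWS\system32\lsass.exe"),
        ("ScannerUI.exe", r"C:\Program Files\Vendor\ScannerUI.exe"),
        ("AcqService.exe", r"C:\Program Files\Vendor\AcqService.exe"),
    },
    "listeners": {104, 3389},   # DICOM to the PACS, RDP from the jump host
    "autoruns": {r"C:\Program Files\Vendor\AcqService.exe"},
}

# Constructed later snapshot: a look-alike binary running from a user temp
# directory, a new binary outside the install dirs, two new listeners and a
# persistence entry the vendor never set.
CURRENT = {
    "processes": BASELINE["processes"] | {
        ("svchost.exe", r"C:\Documents and Settings\mri\Local Settings\Temp\svchost.exe"),
        ("maint.exe", r"C:\WINDOWS\maint.exe"),
    },
    "listeners": {104, 3389, 445, 4444},
    "autoruns": BASELINE["autoruns"] | {r"C:\WINDOWS\maint.exe"},
}

# Directories the vendor image legitimately runs code from (lower-cased).
EXPECTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")
SEVERITY = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def detect_drift(baseline, current):
    """Compare a snapshot to the baseline and return (severity, finding) pairs,
    most severe first. On a device whose job never changes, anything that was
    not present at commissioning has no legitimate reason to be there."""
    findings = []
    baseline_names = {name for name, _ in baseline["processes"]}

    for name, path in sorted(current["processes"] - baseline["processes"]):
        if name in baseline_names:
            # Known name, unknown image path: the classic masquerade.
            findings.append(("critical", f"masquerading process {name} at {path}"))
        elif not path.lower().startswith(EXPECTED_DIRS):
            findings.append(("high", f"new process {name} outside expected dirs: {path}"))
        else:
            findings.append(("medium", f"new process {name}: {path}"))

    for port in sorted(current["listeners"] - baseline["listeners"]):
        # A device that never served SMB suddenly listening on 445/139 is
        # exactly the profile of an SMB worm installing itself.
        sev = "critical" if port in (445, 139) else "high"
        findings.append((sev, f"new listener on tcp/{port}"))

    for entry in sorted(current["autoruns"] - baseline["autoruns"]):
        findings.append(("high", f"new autorun entry: {entry}"))

    for name, _ in sorted(baseline["processes"] - current["processes"]):
        # Vendor services disappearing is worth a look too (tampering or crash).
        findings.append(("low", f"baseline process missing: {name}"))

    findings.sort(key=lambda f: SEVERITY[f[0]])
    return findings


if __name__ == "__main__":
    for sev, text in detect_drift(BASELINE, CURRENT):
        print(f"{sev:8} {text}")
```

The comparison deliberately treats the baseline as an allow-list rather than searching for known-bad names: on a device you cannot patch, the thing you can know with confidence is what it looked like when it worked, and an EDR agent that keeps that picture current and alerts on drift is what turns an unpatchable host from a blind spot into a tripwire.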
This can become a force multiplier in securing your high-cost/long-lifespan IT and technical assets when a solid managed SOC (Security Operations Centre) function is overlaid on a good EDR solution. Think of it like hiring the best racing drivers you can find to better drive the expensive racing car you’ve built. You’re just going to get more out of it when you import the proper expertise. Get in touch to begin the process of better protecting your critical assets with Fortinet’s FortiEDR and Accelerate Technologies.
Critical endpoints running legacy Windows? Learn how to secure them with FortiEDR in our on-demand webinar. Watch here >