Ordr specializes in providing solutions for managing and securing Internet of Things (IoT) devices in enterprise environments. The company's primary focus is on securing connected devices, such as medical devices, industrial control systems, and smart building technologies, to ensure network integrity and protect against cyber threats. The company was also recently named Best AI/Machine Learning/Autonomous Solution by The Tech Ascension Awards.
We spoke with Jim Hyman, CEO of Ordr, to discuss the latest challenges of securing connected devices and the impact of government regulations on IoT cybersecurity.
Cybercriminals have stepped up their efforts over the course of the year, for sure. As you talk to customers and folks in the industry, have you seen any trends among the attacks?
Jim: It does seem like there’s been an increase in the frequency of attacks - and, I’d say, the boldness of the organizations targeted. We’re seeing more and more attacks be directed at critical infrastructure and organizations - manufacturing, healthcare facilities, utilities, and so on. One of the commonalities between these organizations is that they all rely heavily on connected devices - and connected devices typically have varying degrees of security readiness.
What would you say is the biggest challenge of securing connected devices in these organizations? What makes connected device security so difficult to do correctly?
Jim: Good question. Well, the biggest problem is that connected devices - unless purchased and rolled out by the IT team - can be difficult to discover and secure. Facilities teams may roll out video surveillance cameras and badge readers, while operational teams may be responsible for devices that power the business. Many of these devices, particularly IoT and OT, are not designed with security in mind. Visibility into what devices are present and connecting to your network is critical, so teams can know what they need to protect - and what might have access to their systems. This visibility needs to be real-time and accurate; a historical list of devices is useless when there are new ones entering the facility each day.
Once you acquire that visibility into devices and what’s connecting to what, is there anything additional that stands in the way of securing your environment?
Jim: There sure is. Understanding the network environment and getting a list of devices on it is only the starting point. The next step is looking at what each device’s baseline operations are. Do they connect to the internet? Are they connecting to critical data center servers? Are the devices outdated? All devices need to be assessed in order to determine their risk factor. As this is uncovered, steps can be taken to secure them. Some devices need to be isolated, some segmented, and some blocked, while others just require software patches to be up to date.
Could you share an example of what you mean by an outdated device? What is the security risk of an older device?
Jim: In many healthcare facilities, everything from the surgery devices to the hospital beds themselves could be connected to the internet. But these devices have dramatically different life cycles, and are often not manufactured with long-term security in mind. Many medical devices, for example, are expected to last for 15 years or more, which often means they are outliving the software that they run on, making proper security updates and patches impossible. To be truly secure, teams need to have this knowledge, so they can isolate that bed from other devices and critical systems within the facility. This is also true for manufacturing facilities, where the connected devices that are critical to running the business often have long lifecycles, and can operate with outdated operating systems.
Why is this visibility so important?
Jim: You can’t secure what you can’t see. Security teams need to know that they have an accurate view of their organization and what’s connected to their network, so they understand their attack surface. This includes identifying devices with exploits, vulnerabilities, outdated operating systems, or just running a weak password to reduce the attack surface. During an incident, they need to identify compromised devices, stop lateral movement and quickly mitigate any issues. Unknown or unexpected devices make this incredibly difficult.
Additionally, when we say “visibility”, what we really mean is granular context about every device, ranging from make, model, serial number, operating system to its communications flows (what other systems it is talking to inside the network and on the Internet). All this context is foundational to understanding the risks a device brings.
We keep hearing that the government is planning to step in and require device manufacturers to design medical (and other critical infrastructure) devices with security in mind. Plans have ranged from providing a full software bill of materials, to integrating strong security functionality within the devices themselves. Will this help the situation?
Jim: Of course it will help. In fact, the FDA recently issued a cybersecurity mandate to medical device manufacturers to build some key cybersecurity capabilities into their devices before they can get approved. But the problem is that critical infrastructure facilities such as healthcare and manufacturing cannot wait for the government to secure their devices; it is a shared responsibility model. These facilities are being attacked now - and organizations need to act now to secure their devices today. Even if regulations or requirements were approved tomorrow, it would be years before the “more secure devices” hit the markets. That doesn’t help a hospital, a manufacturer, or a financial services institution prevent a cybersecurity attack right now.
So, looking into your crystal ball for a moment, do you believe that cyberattacks will decrease now that regulations such as the National Cybersecurity Strategy, the IoT Cybersecurity Improvement Act, and the new FDA mandate to secure medical devices have passed?
Jim: Cybersecurity requires more than government actions. Cyberattacks aren’t stopping any time soon. Cybercriminals follow the money - and holding healthcare organizations hostage due to cyberattacks has unfortunately proven to be profitable. At the same time, every organization in every vertical is under siege. It's so important for every organization to take measures to protect themselves, starting with their expanded attack surface from connected devices.