The traditional threat landscape comprised of conventional IT assets is difficult enough to protect, detect and respond to, but the landscape seems to be quickly expanding beyond traditional IT. Those new domains are operational technology (OT), the internet of things (IoT) and the internet of medical things (IoMT).

Devices from non-traditional IT environments are finding their way onto corporate intranets, which can create a shadow IT environment. These devices are unmanaged and some managers don’t have a full understanding of the risks associated with these devices. More visibility into these devices could help a chief information security officer (CISO) to understand whether they are acting appropriately. As the number of connected devices within an enterprise grows, so too does the attack surface if these connected and shadow devices do not have security built into them. This wave of digital transformation provides new attack vectors that could come with significant and far-reaching risk and liability.

Converging IT and OT Environments Bring New Security Risks

Industrial organizations are adding many connected technologies into the manufacturing process, such as industrial control systems (ICS), supervisory control and data acquisition systems (SCADA), distributed control systems (DCS), programmable logical controllers (PLC) and smart sensors. Manufacturing environments have devices on the assembly line and robots, oil pipelines have pressure sensors, and food facilities have temperature sensors. With the addition of these numerous connected devices can come mounting security risks to critical infrastructure.

A yearly research study conducted by IBM shows that in 2019 there was a 2,000 percent increase in OT cybersecurity attacks. Yes, you read that correctly — 2,000 percent. As operational organizations and industries experience innovation and connectivity, bad actors can take notice and execute security attacks. To help mitigate these risks, organizations can adopt an operational technology security strategy.

As businesses modernize their operational equipment and traditional IT systems rely on operational data to optimize and improve organizational metrics, the two environments are converging. Traditional IT infrastructure can control physical assets in the operational technology domain, and this overlap allows an IT breach to target OT devices. In 2019, IBM X-Force Incident Response and Intelligence Services (IRIS) responded to a breach where ransomware infected an IT system and moved laterally into OT infrastructure. The attack brought plant operations to a halt and caused a ripple effect in global markets. Research also shows that threats to industrial control systems and operational technology will likely continue to grow.

An Agentless Approach to IoT Security

The combination of digital transformation and the “Internet of Everything” can reshape the modern landscape of goods and services. Additionally, the new dawn of 5G could bring blazing connection speeds and have significant impacts on the number of connected devices. If we look across offices, factories, hospitals and transportation networks, we see numerous devices throughout the organization:

  • Badge access systems
  • Telephony systems
  • Laptops and desktops
  • Wireless keyboards, mice, printers and Bluetooth devices
  • Smart TVs, smart security cameras and smart boards
  • Smart lighting, HVAC and building management systems

All of these devices are designed to connect and transmit information to other devices and systems. However, IoT devices can present a rapidly growing enterprise security risk. Why is that? IoT devices generally do not have security agents installed. Security agents are pieces of software that allow the collection of device data and enable protection of the device. However, there are connected and unmanaged smart devices that do not have this capability. These issues can make IoT devices easier for attackers to access remotely. IBM’s Threat Intelligence Index reports widespread use of command injection (CMDi) attacks containing instructions to download malicious payloads targeting various types of IoT devices. Because many IoT devices do not have security agents to monitor these attacks, we need to take an agentless approach to help gain visibility into devices and their activity on a network.

How do you implement an agentless approach? Machine learning (ML) and artificial intelligence (AI) are a big part of it. Security providers first create an enterprise-scale knowledge base of an organization’s devices and combine that with a device behavior crowdsourcing engine. This crowdsourcing engine uses ML and AI to determine when a device exhibits abnormal behavior. For example, an IP camera that is behaving differently than hundreds of others across a client’s environment can be flagged as a possible threat.

IoMT Devices Could Affect Healthcare Services

Additionally, the internet of things is bringing its connectivity to all markets, including the medical industry. The internet of medical things generally refers to a group of medical devices, software applications and infrastructure all connected to the internet. These devices can include heart pumps, patient trackers, blood infusion pumps and more. Patient data captured from these connected devices helps to inform decisions by healthcare providers. Therefore, a cybersecurity threat to these devices could interfere with care and potentially cause physical harm to patients. IBM’s Threat Intelligence Index reports that healthcare was the 10th most targeted industry for cybersecurity attacks in 2019.

In short, many organizations are on a journey of digital transformation that is increasing the number of devices and ultimately the variety of threat vectors as potential security targets. The security domain touches on every area of an organization including OT, IoT and IoMT areas.

So how do we provide threat management for all of these connected and unmanaged devices?

Learn more about driving security into the fabric of your business

New Technology Domains Require Integrated Threat Management

The convergence of the device landscape presents a new challenge for organizational security. Attacks against the IoT, for example, need to be analyzed to determine the IT assets the attacker may be ultimately after. In many cases, the IoT or OT device is being utilized as an attack vector only, which ties the security of connected devices to that of traditional IT assets.

Securing these domains requires an integrated approach to threat management and an understanding that threat management is a journey. The NIST Cybersecurity Framework provides a programmatic approach that addresses the entire life cycle of threats. NIST outlines the following five core tasks:

  • Identify organizational systems, assets, data and devices
  • Protect assets with a mix of technology, policies and practices
  • Detect security events, anomalous activity and malicious behavior
  • Respond to detected events and suspected incidents
  • Recover by restoring affected systems and data

Using a standardized approach such as NIST’s can help organize the activities of a security or incident team by outlining a logical, practical approach to incident management. A standards-based approach provides a reliable, repeatable framework for managing multiple types of security incidents and encourages transparency, a shared vocabulary and predictable outcomes in responding to threats.

Potential benefits of using this approach include:

  • Visibility — Uncovering all connected devices and providing an open-book solution
  • Speed — Automation increases speed to action
  • Consistency — Prescriptive action increases consistency
  • Quality — Enriched investigation results in higher quality
  • Partnership — Joint development of security maturity road map and execution
  • Governance — Routine advisory service and continuous optimization

Threat management is the heart and soul of any security organization. Using a standardized approach can help organizations integrate threat and incident life cycle management. Performing NIST functions across the new hybrid landscape can help security organizations manage cybersecurity risks.

X-Force Threat Management for OT, IoT and IoMT

IBM’s X-Force Threat Management is an integrated program of services and technology designed to help your organization through the entire threat management journey. Our X-Force Threat Management solution helps implement the NIST framework for the OT, IoT and IoMT domains to bring visibility into unmanaged and connected devices. Our solution offers:

  • Threat insight using IBM X-Force Red offensive services and vulnerability management, X-Force Research and Threat Intelligence, and consulting services
  • Threat protection using global managed security services, SIEM management, mobile app access and virtual security operations centers (SOCs)
  • Threat detection using patented artificial intelligence, machine learning and automation via the X-Force Protection Platform, providing continuous monitoring and detection
  • Threat response using IBM Security SOAR, IBM IRIS Vision Retainer and response expertise for speed and repeatable response to threats
  • Threat recovery using IBM X-Force IRIS, analytics and business continuity plans to help organizations return to normal operations

We leverage technology that discovers potential threats in your environment — managed and unmanaged devices, both on and off your network as well as in your airspace. IBM’s X-Force Threat Management integrates the capabilities of offensive security services, managed security services, artificial intelligence, incident response and continuous improvement. IBM X-Force Threat Management offers integrated threat and incident life cycle management.

Learn more about X-Force Threat Management

More from Endpoint

Contain Breaches and Gain Visibility With Microsegmentation

Organizations must grapple with challenges from various market forces. Digital transformation, cloud adoption, hybrid work environments and geopolitical and economic challenges all have a part to play. These forces have especially manifested in more significant security threats to expanding IT attack surfaces. Breach containment is essential, and zero trust security principles can be applied to curtail attacks across IT environments, minimizing business disruption proactively. Microsegmentation has emerged as a viable solution through its continuous visualization of workload and device communications…

Self-Checkout This Discord C2

This post was made possible through the contributions of James Kainth, Joseph Lozowski, and Philip Pedersen. In November 2022, during an incident investigation involving a self-checkout point-of-sale (POS) system in Europe, IBM Security X-Force identified a novel technique employed by an attacker to introduce a command and control (C2) channel built upon Discord channel messages. Discord is a chat, voice, and video service enabling users to join and create communities associated with their interests. While Discord and its related software…

3 Reasons to Make EDR Part of Your Incident Response Plan

As threat actors grow in number, the frequency of attacks witnessed globally will continue to rise exponentially. The numerous cases headlining the news today demonstrate that no organization is immune from the risks of a breach. What is an Incident Response Plan? Incident response (IR) refers to an organization’s approach, processes and technologies to detect and respond to cyber breaches. An IR plan specifies how cyberattacks should be identified, contained and remediated. It enables organizations to act quickly and effectively…

Deploying Security Automation to Your Endpoints

Globally, data is growing at an exponential rate. Due to factors like information explosion and the rising interconnectivity of endpoints, data growth will only become a more pressing issue. This enormous influx of data will invariably affect security teams. Faced with an enormous amount of data to sift through, analysts are feeling the crunch. Subsequently, alert fatigue is already a problem for analysts overwhelmed with security tasks. With the continued shortage of qualified staff, organizations are looking for automation to…