Cybellum header

We are surrounded by billions of connected devices that contribute round-the-clock to practically every aspect of our lives – from transportation, to entertainment, to health and well-being. Since connected devices increasingly rely on software for their many capabilities and features, their exposure to cyber threats grows exponentially.

The combination of outdated software, 24×7 operation, and access to information make connected devices treasured targets for hackers. Embedded, proprietary, and open source device software offer an especially attractive attack surface.

As the cyberthreat landscape continues to evolve, developers and security teams, tasked with ensuring that their customers and users can enjoy safe and secure use of their connected devices, have their work cut out for them. If finding and fixing flaws throughout the entire product lifecycle – from design to post-production – wasn’t a big enough challenge, doing it while maintaining increasingly aggressive production timelines has become a tall order.

Here are the top three reasons why connected-device cybersecurity is more fragile than ever.

1. Connected Devices are Becoming the Hacker’s Preferred Endpoint

Hackers are quickly recognizing that connected devices can be an easily compromised endpoint. Because they are often part of a larger system – automotive, medical, industrial, or other – devices can act as unwitting gateways. That’s why they are increasingly attracting hacker attention, exploited for intrusions and lateral movements throughout large networks, for exfiltration of the company’s data, or other malicious activity.

Connected medical devices are a case in (end)point. For example, a cyberattack that allows a hacker to gain control of an operating MRI machine can put patients at personal risk. The threat goes further. An MRI typically is connected to workstations that enable technicians to work with the images. Along with the MRI itself, any of the connected workstations – and even other integrated systems, e.g., Picture Archiving and Communication Systems (PACS) – may be next in line for attack. Personal Health Information and more could be an easy target.

When you consider that more than 50% of connected devices used in typical oncology and pharmacology departments and hospital labs run on legacy medical devices, it’s easy to understand how full of opportunity connected medical devices are for hackers. Some leading cybersecurity experts even go as far as saying weaponized connected devices are a real threat, and in the wrong hands, can lead to mass casualty events.

While we’ve been seeing more headlines about breaches in the medical device industry, there have most probably been others that we haven’t read about. Many medical device and healthcare attacks stay behind closed doors, and the actual number of attacks could be far greater than what we get from media reports.

To keep their devices secure, safe, and operational, product security teams need to proactively manage cyber risk and compliance across their entire portfolio, from the earliest stages of design and development, through operational use, and all the way to end-of-life.

2. Break in the Chain

The supply chain is attracting a lot of attention by suppliers, governments, and hackers – for good reason..

For complex connected devices, like today’s vehicles – veritable computer networks on wheels – layers of external suppliers provide much of the firmware and software embedded in safety, drivetrain, infotainment, and other systems. The OEM, the assembler of components into a finished product, relies on, but has limited control and visibility, of what’s in the numerous third-party components, generating a new level of risk for the final product, its manufacturer, and its many consumers.

The SolarWinds hack affected more than 18,000 SolarWinds customers who installed malicious updates (known as Sunburst) via their third-party Orion software. Even US government departments, normally highly scrutinized and protected, such as Homeland Security, State, Commerce, and even the Treasury(!) were affected.

While that notorious hack happened over a year ago, reports of the many supply chain attacks since then prove SolarWinds was not a singular occurrence. Attacks like these are expected to become even more common as software takes up an increasingly bigger part in device and product manufacturer’s supply chain.

Manufacturers who use third-party firmware and software are now required to vet their suppliers carefully to avoid SolarWinds-type attacks. But getting comfortable with a reliable supplier is not enough. Suppliers come and go during the life of a product – especially considering the many supply chain shortages manufacturers have been facing lately. Perhaps a new player has come up with a better firmware solution or a trusted supplier is unable to supply needed software components in time and must be replaced.

Supply chain issues

Onboarding each supplier is a tedious and demanding process. One slip-up by a new supplier – a bug in the code that isn’t noticed until thousands of versions are already in the field – could destroy the brand of a global giant. It could expose the steering of an automobile or the functioning of a life-saving medical machine to cyberattack that results in heavy financial damage or even human casualties.

Don’t forget that third-party vendors might use other third-party software in their own products. In fact, there can be a very long supply chain of third parties who use other third parties before you get the bundle – all of these require serious vetting before being used. 

3. Open Source Components Come with a New Set of Risks

Open source libraries are employed just about everywhere. Every time you view a web page, check email, chat, stream music, or play video games, your laptop, mobile phone, or gaming console employs open source software.

Device manufacturers are no different. Open source components help device and product developers create innovative software faster, by using trusted tools ready-made by the open source community. However, while open source usage helps device manufacturers keep up with tight development timelines, there is a catch.

Who owns open source? Nobody. And also anyone that uses it.

If there is a vulnerability in the code, whose problem is it? Yours!

One of the biggest advantages of popular open source libraries is that they have a huge community of users, allowing you to trust that they are solid and continuously maintained. However, it’s up to users to track versioning and security updates. To be certain of its safety and security, you must track security updates and respond quickly once you’ve added open source components to your product. 

Or else, what could happen?

Hugely popular open source library log4j, generated more than 1.8 million attacks in the first few days after it became public. Why is it so attractive to hackers? Because so many Java applications use log4j directly or indirectly – providing millions of attack vectors. 

Device developers are faced with more challenges than ever before. Product development ecosystems are becoming more layered and complex, as the threat landscape is rapidly expanding and evolving. It seems like an impossible task, too complicated to undertake manually. But there is a very helpful solution.

The only way to stay ahead of connected device cybersecurity threats is to automate – to continuously monitor the software bill of materials (SBOM) of every device to keep track of its entire inventory in real time. Automation can also enable product security teams to manage vulnerabilities from the earliest stages of development, all the way to post-production. When integrated into the development process, an advanced product security platform can help teams detect vulnerabilities, see them in context so they can easily eliminate false positives and prioritize the issues that really matter, and mitigate them – without delaying time-to-market.

Learn how Cybellum enables device manufacturers to keep the products they build secure and compliant for life, from design to post-production and beyond. 

Sponsored by Cybellum

Source: www.bleepingcomputer.com