The troubling new threat in IT Security - the....ummm....Air Conditioners? (Part 1)

by spettit 24. July 2009 05:41

For the past five years Great Bay Software has been carefully stating our belief that there are real IT security threats associated with the non-Windows computing devices on the enterprise network.  We've been saying this carefully because the message has largely been met with eye rolling and snickers; the most common feedback being "our concern is with the Windows-based user devices; our printers, SCADA systems, UPSes, HVAC controllers, IP phones, IP cameras, etc. do not pose a threat".  

As evidenced by two recent items in the press, the light is beginning to shine on these devices and their role in the IT security threat landscape.  The first one is about an enterprising young man who hacked into the HVAC systems (among other things) at a hospital:

The article is here:

http://www.darkreading.com/insiderthreat/security/attacks/showArticle.jhtml?articleID=218300006

and there’s loads more information here:

http://www.mcgrewsecurity.com/2009/06/30/ghostexodus-the-eta-and-a-control-systems-incident-at-carrell-clinic-part-1/ 

Note - be sure to check out the videos of our brave little superhero installing a botnet on an XP machine and later showing off his myriad of toys; you'll laugh, you'll cry, you'll run home and make your kids work harder in school.  My favorites are 1) when he logs into the PC he's about to attack bare-handed and then puts on latex gloves so he doesn't leave any fingerprints and 2) when he conceals his face during the "tools" video only to show a close-up of his fake FBI ID with his real picture on it. 

Although some folks have been quick to point out that changing the temperature in a room isn't immediately life threatening, it certainly isn't funny either, especially for patients who are in surgery or seriously ill.  Further, health care facilities have a myriad of patient care systems on the network, and if this person had targeted those there could have been a real threat to the health of patients.  I've seen a number of posts that defend his actions by stating that he technically never changed anything, but really, simply messing around with these systems should be considered highly illegal.  Patient care systems in particular are frequently older Windows OS devices that cannot be patched or updated because regulations governing medical devices restrict who may change what on them and when.  In the wide range of systems attaching to the enterprise network today, I would think securing unpatched, outdated patient care systems would be a much higher priority than securing the managed, patched, updated back office machines.  Yes, I know the back office machines have PHI on them, but preserving lives should take priority over preserving data.   Many IT professionals in health care are aware of this and continue to fight the good fight in trying to get it prioritized, but their pleas continue to be met with that same eye rolling and snickers. 

About the author

Steve Pettit is the President of Great Bay Software and can be reached at spettit@greatbaysoftware.com