Last week, we kicked off our first jointly hosted #SecChat with technology partner, Xerox. Co-hosting the chat were industry experts Larry Kovnat (@lkovnat) and Doug Tallinger (@dtallinger), both key members of the Xerox security team. We wanted to know what you, the security community, had to say about embedded device security. Are embedded devices a legitimate threat to the enterprise? And if so, how much? What strategies have you used to mitigate this risk, and how are different embedded devices treated when it comes to policy decisions?
To begin the conversation, we asked how much of a threat our participants believed embedded devices posed to enterprise environments. Responses were varied, but all carried a similar theme that I think @JGamblin summed up nicely: “A Lot.”
@LabNuke seconded this thought, adding that the threat could potentially be very significant, since embedded devices likely have no patching or monitoring. @HectorDi4z noted that one reason why this threat is so pernicious is that too many people are still running on the false belief that embedded devices are a low-risk platform.
One question @lkovnat sourced to our audience was which devices should be placed in the embedded device category when it comes to security concerns. @JGamblin believed that organizations should consider any machine with a network card as an embedded device, noting that even his last washer and dryer had a network jack. @BrianContos and @HectorDi4z added ATMs, multi-function printers, cars, healthcare systems, and industrial control systems to the growing list. The general consensus was that if a device has the potential to connect to an organization’s network, that machine should be considered a potential threat.
Another topic brought up was security policy in regards to embedded devices. @dtallinger voiced concerns that organizations don’t include embedded devices in vulnerability assessments and compliance checks, while @Spotini and @sm_bv mentioned the low frequency of patching and updates. Still, @jtyrus noted that her organization already has policies set in place regarding how devices are added to the network, and what those machines can access.
Near the end of our discussion, @Coverity brought to light two key trends being talked about by our audience: the challenges of holding suppliers to a security benchmark, and using the right tools to ensure security. In terms of holding suppliers to a standard, @LabNuke mentioned that many suppliers do not yet fully understand what constitutes an embedded device, not to mention the security issues that come along with them. And as @chort0 and @CaffSec brought up, the real challenge is getting every vendor to realize that their products will reside on hostile networks – and to plan accordingly.
Of course, creating a security standard and enforcing it is easier said than done. According to @CaffSec, it means convincing management and vendors of the benefits of proactive security – a problem that exists industry-wide. Another issue that @0xjudd pointed out is that even if you do include embedded devices in compliance regulations, if a vulnerability is found, many organizations would rather rely on compliance than patch. There are issues both in defining a standard and a method of enforcement – and since embedded security is still a fairly new space, neither has yet been decided upon.
We wrapped up our May chat with few insightful thoughts from our participants. Moving forward, every actor involved in the development and deployment of these devices will need to make security a priority. But it will take time and effort on the part of security professionals to make these needed changes in policy and perception.
Thanks to everyone who joined this month’s discussion – in particular Larry Kovnat and Doug Tallinger for their help in driving the conversation. As always, I’m continually impressed by the quality and variety of information and perspectives shared.
Stay tuned for our June announcement here in the blog and on Twitter at @IntelSec_Biz – hope to see some of you in the stream!