By Elizabeth Snell

December 30, 2016 - With its high dependency on digital records, network connectivity, accessible information, and real-time communication, healthcare is one of the sectors at greatest risk for a DDoS attack, the Institute for Critical Infrastructure Technology (ICIT) explained in a recent publication.

The financial industry and energy sector are also at high risk for such attacks, ICIT said in “Rise of the Machines: The Dyn Attack Was Just a Practice Run.”

“Obstructions to even an email server could cause delays in treatment, while widespread attacks that holistically render a critical service unavailable, such as an IoT DDoS attack, would pose a serious risk to patient and staff safety,” wrote ICIT Senior Fellow James Scott and ICIT Researcher Drew Spaniel.

Citing research from a previous ICIT brief, the duo explained that healthcare is incorporating, and interacting with connected devices that are often designed without necessary security measures. Previously, this has led to instances such as MRI machines or pacemakers being infected with ransomware.

“While there is no indication that healthcare devices have been incorporated into DDoS botnets, it may be only a matter of time before an adversary adapt an IoT malware such as Mirai, to harness the computational resources of medical devices because many lack basic access controls such as multi-factor authentication (or any authentication whatsoever),” the authors maintained.

There is also the potential danger of an IoT malware or a worm that would “brick” or kill “infected medical devices in order to cause panic, extort a ransom, or as part of a multi-tiered attack.”

Overall, Scott and Spaniel stated that a “perfect storm” is brewing across the nation with regard to private critical infrastructures facing cybersecurity threats.

More organizations are utilizing the internet and IoT devices, but device manufacturers will sometimes “negligently avoid incorporating security-by-design into their systems.” This happens because the manufacturers have not been properly incentivized, and instead pass the potential risk onto the end-user.

“As the adversarial landscape of nation state and mercenary APTs, hacktivists, cyber-criminal gangs, script kiddies, cyber caliphate actors, and hail-mary threat actors continues to hyperevolve, America’s treasure troves of public and private data, IP, and critical infrastructure continues to be pilfered, annihilated, and disrupted, while an organizational culture of ‘Participation Trophy Winners” managed by tech neophyte executives continue to lose one battle after the next.”

A key area of concern is the Mirai malware, which “offers malicious cyber actors an asymmetric quantum leap in capability.”

Specifically, Mirai has a strong development platform “that can be optimized and customized according to the desired outcome of a layered attack by an unsophisticated adversary.”

While Mirai has forced different industries to review devices that lack security by design and other IoT device vulnerabilities, the authors noted that it “will not forever remain the favorite tool of unsophisticated malicious threat actors.”

DDoS attacks on the healthcare industry were addressed earlier this month in the Office for Civil Rights (OCR) latest newsletter.

OCR reiterated that healthcare often uses IoT in several ways, such as allowing healthcare facilities to monitor medical devices, patients, and personnel. This can open organizations up to certain cybersecurity threats.

“An attacker may be able to deter patients or healthcare personnel from accessing critical healthcare assets such as payroll systems, electronic health record databases, and software-based medical equipment (MRI, EKGs, infusion pumps, etc.),” OCR stated, citing data from US-CERT.

For preventing such attacks, OCR advised that organizations continuously monitor and scan for vulnerable and comprised IoT devices on their networks. Entities should also adhere to the necessary remediation actions.

“Password management policies and procedures for devices and their users should also be implemented and adhered to. All default passwords need to be switched to strong passwords,” OCR said, adding that default usernames and passwords for most devices can be found online.

Dig Deeper: