A new study analyzed 19 million real-world enterprise devices for risk factors such as known vulnerabilities, open ports, legacy operating systems, endpoint protection and internet exposure, broken down by industry and by device category: IT, IoT, operational technology (OT) or industrial IoT, and medical devices (IoMT).
According to security firm Forescout, which ran the study on anonymized telemetry data from its enterprise customers, seven device types are new to this year's list of the top 20 riskiest devices compared with the list from a year ago, owing to vulnerabilities and exploits disclosed since then: VPN gateways, security appliances, network-attached storage (NAS) boxes, out-of-band management (OOBM) platforms, engineering workstations, remote terminal units (RTUs) and blood glucose monitors.
Thirteen devices remained the same as in the previous list and include some expected entries: computers, servers and routers in the IT category, printers, IP cameras and VoIP systems in IoT, uninterruptible power supplies (UPSes), programmable logic controllers (PLCs) and building automation systems in industrial IoT, healthcare workstations, imaging devices, nuclear medicine systems, and patient monitors in IoMT.
Forescout established the risk score of a device by looking at three categories of factors:
- Configuration — the number and severity of vulnerabilities and open ports present on the device
- Function — the potential impact to an organization based on what the device is used for
- Behavior — internet exposure and the reputation of the IP addresses that connect to the device or to which the device connects
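To make the three-factor model concrete, here is an added example (not Forescout's scoring formula, and not code from the article) that ranks a small constructed inventory by combining a configuration score, a function-impact score and a behavior score. The weights, caps, thresholds and the `FUNCTION_IMPACT` table are assumptions chosen for illustration; the point is that a device with no known vulnerabilities at all can still outrank a device carrying a critical CVE once internet exposure and connections to badly reputed IPs are counted.

```python
"""Illustrative device risk ranking using the three factor categories
(configuration, function, behavior) named in the Forescout study.

Added example: weights, caps, thresholds and the sample devices are
assumptions for demonstration, not Forescout's formula or data.
"""
from dataclasses import dataclass

# Assumed impact of a device's role ("Function" factor). Illustrative values.
FUNCTION_IMPACT = {
    "workstation": 0.4,
    "server": 0.7,
    "router": 0.8,
    "plc": 0.9,
    "patient_monitor": 1.0,
}


@dataclass
class Device:
    name: str
    function: str
    cvss_scores: list          # CVSS base score of each known vulnerability
    open_ports: int
    internet_exposed: bool
    bad_reputation_peers: int  # count of poorly reputed IPs it talks to


def configuration_score(d: Device) -> float:
    """Vulnerabilities weighted by severity, plus open ports, capped at 1.0."""
    critical = sum(1 for s in d.cvss_scores if s >= 9.0)
    high = sum(1 for s in d.cvss_scores if 7.0 <= s < 9.0)
    other = len(d.cvss_scores) - critical - high
    vuln = 0.5 * critical + 0.2 * high + 0.05 * other
    ports = 0.05 * d.open_ports
    return min(1.0, vuln + ports)


def behavior_score(d: Device) -> float:
    """Internet exposure dominates; bad-reputation peers add up to 0.4."""
    score = 0.6 if d.internet_exposed else 0.0
    score += 0.2 * min(d.bad_reputation_peers, 2)
    return min(1.0, score)


def risk_score(d: Device) -> float:
    """Equal-weight average of the three categories (assumed weighting)."""
    cfg = configuration_score(d)
    fn = FUNCTION_IMPACT.get(d.function, 0.5)  # unknown role: middle impact
    beh = behavior_score(d)
    return round((cfg + fn + beh) / 3, 3)


def risk_level(score: float) -> str:
    if score >= 0.6:
        return "high"
    if score >= 0.4:
        return "medium"
    return "low"


def rank(devices):
    """Highest-risk device first."""
    return sorted(devices, key=risk_score, reverse=True)


def sample_inventory():
    """Constructed sample devices (not real telemetry)."""
    return [
        Device("ws-01", "workstation", [5.3, 7.5], 3, False, 0),
        # Critical CVE, but isolated on the network.
        Device("monitor-07", "patient_monitor", [9.8], 2, False, 0),
        # No known CVEs, yet internet-facing and talking to bad IPs.
        Device("edge-rtr", "router", [], 4, True, 3),
    ]


if __name__ == "__main__":
    for d in rank(sample_inventory()):
        s = risk_score(d)
        print(f"{d.name:12} {s:.3f} {risk_level(s)}")
```

Real scoring would also need to feed in severity data the page mentions as harder to act on, such as end-of-life operating systems, which here would simply be another configuration term.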
More than 4,000 device vulnerabilities tracked
Forescout tracked over 4,000 vulnerabilities present in the 19 million devices for which it had data. As expected, the majority of these (78%) affected IT devices, the category that includes the most common devices on enterprise networks, such as computers and servers. IoT devices accounted for 16% of vulnerabilities, industrial devices for 6% and medical devices for 2%.
However, not all vulnerabilities are equal, and not all are easy to patch. For IT devices only 20% of the vulnerabilities were rated critical, whereas for OT and IoT devices half were critical, and for medical devices 80% were critical. Critical vulnerabilities usually allow complete device takeover. Moreover, specialized embedded devices such as those used in OT and in medicine are more likely to run purpose-built firmware than a general-purpose OS like Windows or Linux, which makes them harder to patch than a Windows computer: updates depend on the vendor shipping new firmware, and applying them often means taking the device out of service.
It's not surprising, then, that healthcare was the industry with the largest number of high- and medium-risk devices and the only industry where the number of such devices increased compared with Forescout's previous analysis in 2022. It was followed by retail, manufacturing, finance and government. The government sector had the biggest reduction in the share of medium- and high-risk devices since last year, from 40% to 10%.
The fact that the US Cybersecurity and Infrastructure Security Agency (CISA) maintains a constantly updated catalog of vulnerabilities known to be exploited in the wild (the Known Exploited Vulnerabilities catalog, currently over 900 entries), which US federal civilian agencies are required to remediate by set deadlines under Binding Operational Directive 22-01, might have played a role in reducing the number of risky devices on government networks. Organizations outside that mandate can still use the catalog's entries and due dates as a prioritization signal for their own patching.
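The KEV catalog is published as a JSON feed, so matching a device's known CVEs against it is a few lines of work. The following is an added example, not code from the article or from Forescout or CISA. The `SAMPLE_KEV_JSON` document is a constructed stand-in that mirrors the field names of the real feed (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json); its CVE IDs and dates are placeholders, not real catalog entries. Running the same logic against the live feed only requires replacing the constant with the downloaded file's contents.

```python
"""Match a device's known CVEs against the CISA KEV catalog and report
remediation deadlines.

Added example. SAMPLE_KEV_JSON is constructed: it uses the real feed's field
names (cveID, dueDate, knownRansomwareCampaignUse, ...) but placeholder
CVE IDs and dates, not actual KEV entries.
"""
import json
from datetime import date

SAMPLE_KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
  "catalogVersion": "0000.00.00",
  "count": 3,
  "vulnerabilities": [
    {"cveID": "CVE-0000-1001", "vendorProject": "ExampleVendor",
     "product": "ExampleVPN", "vulnerabilityName": "placeholder",
     "dateAdded": "2023-12-10", "shortDescription": "placeholder",
     "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2023-12-31", "knownRansomwareCampaignUse": "Known",
     "notes": ""},
    {"cveID": "CVE-0000-1002", "vendorProject": "ExampleVendor",
     "product": "ExampleNAS", "vulnerabilityName": "placeholder",
     "dateAdded": "2024-01-11", "shortDescription": "placeholder",
     "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2024-02-01", "knownRansomwareCampaignUse": "Unknown",
     "notes": ""},
    {"cveID": "CVE-0000-1003", "vendorProject": "ExampleVendor",
     "product": "ExampleCamera", "vulnerabilityName": "placeholder",
     "dateAdded": "2024-01-13", "shortDescription": "placeholder",
     "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2024-01-20", "knownRansomwareCampaignUse": "Unknown",
     "notes": ""}
  ]
}
"""


def load_kev(raw: str) -> dict:
    """Index catalog entries by CVE ID for O(1) lookup."""
    data = json.loads(raw)
    return {v["cveID"]: v for v in data["vulnerabilities"]}


def kev_exposure(device_cves, kev: dict, today: date) -> list:
    """Return the device's CVEs that appear in KEV, most overdue first.

    overdue_days is positive once the catalog due date has passed and
    negative while the deadline is still in the future.
    """
    hits = []
    for cve in device_cves:
        entry = kev.get(cve)
        if entry is None:
            continue  # known CVE, but no evidence of in-the-wild exploitation
        due = date.fromisoformat(entry["dueDate"])
        hits.append({
            "cve": cve,
            "product": entry["product"],
            "due": entry["dueDate"],
            "overdue_days": (today - due).days,
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
        })
    return sorted(hits, key=lambda h: h["overdue_days"], reverse=True)


def overdue_count(device_cves, kev: dict, today: date) -> int:
    """Number of KEV entries on the device whose due date has passed."""
    return sum(1 for h in kev_exposure(device_cves, kev, today)
               if h["overdue_days"] > 0)


if __name__ == "__main__":
    catalog = load_kev(SAMPLE_KEV_JSON)
    # Constructed CVE list for one device; the last ID is not in the catalog.
    device = ["CVE-0000-1001", "CVE-0000-1002", "CVE-0000-9999"]
    for h in kev_exposure(device, catalog, date(2024, 1, 15)):
        flag = " (ransomware)" if h["ransomware"] else ""
        print(f"{h['cve']} due {h['due']} overdue_days={h['overdue_days']}{flag}")
```

The due date is binding only for the agencies covered by BOD 22-01, but treating "in KEV and past due" as the first bucket to patch is a sensible triage rule for any inventory, including the embedded devices the study singles out.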
Challenges of patching enterprise devices
Since embedded devices running special-purpose operating systems and firmware are generally harder to patch, it's no surprise that healthcare and retail, the sectors with the highest share of such devices, are also the sectors with the highest number of medium- and high-risk devices.