
How Network Segmentation can help improve your Cyber Posture

“Government organisations are routinely and relentlessly targeted [by cyber security attacks]: of the 777 incidents managed by the National Cyber Security Centre between September 2020 and August 2021, around 40% were aimed at the public sector. This upward trend shows no signs of abating.” Government Cyber Security Strategy – Ministerial Foreword

An Attractive Target for Threat Actors

Why is the public sector such an attractive target for threat actors? It’s partly due to the vulnerability caused by outdated and legacy systems, but more than that, it’s the lure of public sector data. Cyber criminals are looking to exploit a treasure trove of personally identifiable information (PII) for identity theft, financial fraud, account takeovers, or to create spear phishing emails and social engineering attacks that lead to ransomware.

This data also has value. If threat actors were to steal thousands of credit card details by hacking into a private organisation such as a bank or online retailer, they’d get a certain price per record when auctioned on the dark web. Now consider if they were to attack an NHS Trust and steal medical information: their profit would most certainly be significantly higher. And that’s not taking into account the amount they could extort from the targeted Trusts themselves.

The explosion of IoT and Connected Devices

Another trend in health and care that is making life more difficult for cyber teams is digital transformation, and in particular the security challenges created by the growing adoption of IoT and connected devices. NHS Trusts use anywhere from around 3,000 connected devices in the smallest trusts to more than 50,000 in the largest, with numbers continuing to grow exponentially. These are being deployed in an increasing range of use cases, from drug infusion pumps to chemotherapy delivery and MRI scanners. They’re also making their way into non-clinical areas such as smart lighting and HVAC systems for hospitals. It’s no surprise therefore that Enterprise IoT is the latest category of service to be added to DSPT for cyber assurance. E-IoT covers Connected Medical Devices, OT and IoT devices.

In an average NHS Trust, these devices comprise a wide mix of well-managed IT assets (such as domain workstations and mobile assets) and hundreds of different types of devices with a correspondingly large number of asset owners across IT, estates, clinical departments and third parties. At least 30% to 40% of these devices are OT, IoT, Medical IoT, or medical devices with very limited endpoint management capabilities.

Research shows that more than 50% of these Operational and Clinical IoT assets ship with known vulnerabilities, and in many cases are not (or cannot be) routinely patched. With IoT asset lifespans typically being significantly longer than traditional IT lifecycles, it’s not uncommon for assets on end-of-support operating systems, with critical vulnerabilities and insecure configurations, to exist within an estate, with limited ability for IT and Cyber teams to detect and mitigate the risk.

It’s quite common for these devices to co-exist amongst all the other devices that live on the network, with little to no segmentation between them, and, worryingly, with unrestricted network access permissions. This all combines to create significant risk to infrastructure, applications and that critical, and valuable, data that threat actors are so eager to get their hands on.

The Campus Challenge

The campus in particular presents a key security challenge, as it is typically the least controlled region of the network and has the widest variety of asset use cases. Common problems include a lack of control when connecting endpoints, and the subsequent lack of visibility into the endpoints that are attached to the network. Technologies such as Network Access Control (NAC) solve part of the problem by controlling what can be attached to the network; however, even legitimate devices can still pose significant risk.

The compromise of just a single device in the campus can provide a threat actor with a starting point from which to conduct lateral movement: the techniques that cyber threat actors use to gain control of remote systems and thereafter consolidate their position on the network. Learn more about Lateral Movement in this guidance from the National Cyber Security Centre (NCSC). Network segmentation is an extremely powerful tool to help mitigate these types of activities by hardening the data plane of the network and limiting the opportunities for threat propagation.

NHS Digital Guidance on Network Segmentation

In 2022, NHS Digital released specific guidance on Network Segmentation which has been circulated to NHS organisations to highlight the importance of segmentation in today’s health and care environments. The guidance covers key use cases, the forms of segmentation that exist, recommendations, guiding principles, and deployment challenges. This guidance is extremely useful, but it’s not easy for network managers to choose the best options for their organisations, or to implement in a live environment. Here are some of the main challenges that we see our clients facing today:

  1. The number and types of connected devices are incredibly difficult to recognise with traditional asset management tools. The inability to tell whether a device is a Windows machine or a ‘headless’ clinical device running on Windows means that around 20 – 30% of the estate cannot be definitively identified without being physically located. This activity is rarely performed in practice as it’s incredibly labour intensive, resulting in a substantial number of poorly understood ‘anomalous’ devices.
  2. Teams often don’t have visibility into how devices connected to the network communicate with other devices or, critically, with backend systems. What ports do they use, and what are all the addresses they communicate with?
  3. Many IoT assets that would most benefit from strict segmentation have either static or reserved IPs, which can be disruptive and, if managed by third parties, costly to change, often making re-addressing devices a non-starter. This challenge in itself suggests a rigid IP-based approach to segmentation is inappropriate.
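One way to get the visibility that challenge 2 asks for, and to group devices by role rather than by IP address as challenge 3 suggests, is to profile flow records against an asset inventory and derive candidate allow-list rules from them. This is an added illustration, not Block’s or NHS Digital’s code; the flow lines, IP addresses, asset roles and port numbers are all constructed.

```python
from collections import defaultdict

# Constructed NetFlow-style records: "src,dst,dst_port,proto" (not real traffic).
SAMPLE_FLOWS = """\
10.20.1.15,10.50.0.10,443,tcp
10.20.1.15,10.50.0.10,443,tcp
10.20.1.15,10.20.1.99,445,tcp
10.20.1.16,10.50.0.10,443,tcp
10.20.1.16,10.20.1.15,3389,tcp
10.20.2.40,10.60.0.5,104,tcp
10.20.2.40,10.60.0.5,11112,tcp
"""

# Constructed inventory mapping IP -> asset role. Rules are expressed in terms of
# role, so a device can be re-addressed without the policy having to change.
INVENTORY = {
    "10.20.1.15": "infusion-pump",
    "10.20.1.16": "infusion-pump",
    "10.20.2.40": "ct-scanner",
    "10.50.0.10": "pump-server",
    "10.60.0.5": "pacs",
}

def parse_flows(text):
    """Turn the CSV-like text into (src, dst, port, proto) tuples."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, port, proto = line.split(",")
        flows.append((src, dst, int(port), proto))
    return flows

def role_of(ip):
    # Anything missing from the inventory is exactly the 'anomalous' device class
    # challenge 1 describes, so it is surfaced as "unknown" rather than dropped.
    return INVENTORY.get(ip, "unknown")

def profile_by_role(flows):
    """Map (src_role, dst_role, 'port/proto') -> set of source IPs seen using it."""
    prof = defaultdict(set)
    for src, dst, port, proto in flows:
        prof[(role_of(src), role_of(dst), f"{port}/{proto}")].add(src)
    return prof

def propose_rules(prof):
    """Services used by every member of a role become candidate allow rules; peer-to-peer
    traffic within a role, or a service used by only some members, is flagged for review."""
    members = defaultdict(set)
    for (srole, _, _), srcs in prof.items():
        members[srole] |= srcs
    allow, review = [], []
    for (srole, drole, svc), srcs in sorted(prof.items()):
        rule = f"{srole} -> {drole} {svc}"
        (review if srole == drole or len(srcs) < len(members[srole]) else allow).append(rule)
    return allow, review
```

Run over the sample, the two infusion pumps talking HTTPS to their server and the CT scanner talking DICOM to PACS become allow candidates, while the lone SMB flow to an un-inventoried address and the pump-to-pump RDP land in the review list.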

Block’s approach to Network Segmentation

If you would like to learn more about network security, and in particular network segmentation, then please take a look at this video, in which Paul Yarwood, Senior Security Architect at Block, examines how NHS organisations can adopt an enhanced network security posture, and the tools and techniques that are used to secure traditional IT, medical devices and OT, whilst ensuring ease of management. Paul has spent the last 8 years helping the NHS overcome their network and security challenges and has led the adoption of network security in some of the UK’s largest NHS organisations/Trusts.

https://www.block.co.uk/securing-healthcare-network-write-up/

Paul Yarwood