Critical Infrastructure Attacks: Convergence of IoT and OT Gives Hackers a Huge Attack Surface

• Some 75% of industrial controllers used in OT networks that impact multiple critical industries, such as water, transportation and energy, have highly severe and unpatched vulnerabilities, the vendor found in a close examination of its customers’ OT networks.
• OT attacks often serve as gateways into the critical infrastructure facility’s IT network and to a multitude of vertical markets. Examples in the U.S. alone include recent attacks on a Florida water treatment plant and the high-profile, disabling ransomware assault on the Colonial Pipeline.
• Over 1 million connected devices publicly visible on the internet are running Boa, an industrial control outdated and unsupported software still widely used by popular vendors in IoT devices and software development kits.

“The pervasiveness, vulnerability, and cloud connectivity of Internet-of-Things (IoT) and Operational Technology (OT) devices represent a rapidly expanding, often unchecked risk surface affecting a wider array of industries and organizations. Rapidly increasing IoT creates an expanded entry point and attack surface for attackers. With OT becoming more cloud-connected and the IT-OT gap closing, access to less secure OT is opening the door for damaging infrastructure attacks.”

“We have observed these threats across traditional IT equipment, OT controllers and IoT devices like routers and cameras. The spike in attackers’ presence in these environments and networks is fueled by the convergence and interconnectivity many organizations have adopted over the past few years.”

• 97% of global organizations consider OT a moderate or significant factor in their overall security risk.
• OT security intrusions significantly impact organizations’ productivity and their bottom line.
• Nearly 50% of organizations suffered an operation outage that affected productivity with 90% of intrusions requiring hours or longer to restore service.
• Ownership of OT security is not consistent across organizations.
• A vast majority of organizations use between two and eight different vendors for their industrial devices and have between 100 and 10,000 devices in operation.

1. Work with stakeholders: Map business-critical assets, in IT and OT environments.
2. Device visibility: Identify what IoT and OT devices are critical assets by themselves, and which are associated with other critical assets.
3. Perform a risk analysis on critical assets: Focus on the business impact of different attack scenarios as suggested by MITRE.
4. Define a strategy: Address the risks identified, driving priority from business impact.

1. Implement new and improved policies: Policies stemming from the Zero Trust methodology and best practices provide a holistic approach for enabling seamless security and governance across all your devices.
2. Adopt a comprehensive and dedicated security solution: Enable visibility, continuous monitoring, attack surface assessment, threat detection, and response.
3. Educate and train: Security teams require training specific to threats originating from or targeting IoT/OT systems.
4. Examine means of augmenting existing security operations: Address IoT and OT security concerns to achieve a unified IT and OT/IoT SOC across all environments.

“Adversaries realize that the financial impact and extortion leverage of shutting down energy and other critical infrastructures is far greater, compared to other industries. OT systems include almost everything supporting physical operations, spanning dozens of vertical industries. OT systems aren’t solely limited to industrial processes, they can be any special purpose or computerized equipment, such as HVAC controllers, elevators, and traffic lights.”