The convergence of the Internet of Things (IoT) — roughly 40 billion devices are projected to be internet facing by 2025 — and operational controls technology (OT) create a boon for nation state and domestic cyber criminals, Microsoft said in a new report.
A Closer Look at the Report
Here are the key takeaways from the Microsoft report:
- Some 75% of industrial controllers used in OT networks that impact multiple critical industries, such as water, transportation and energy, have highly severe and unpatched vulnerabilities, the vendor found in a close examination of its customers’ OT networks.
- OT attacks often serve as gateways into the critical infrastructure facility’s IT network and to a multitude of vertical markets. Examples in the U.S. alone include recent attacks on a Florida water treatment plant and the high-profile, disabling ransomware assault on the Colonial Pipeline.
- Over 1 million connected devices publicly visible on the internet are running Boa, an industrial control outdated and unsupported software still widely used by popular vendors in IoT devices and software development kits.
What has come with the potential explosion in attacks on critical infrastructure, fortunately, is a nearly 80% spike in disclosures of high severity vulnerabilities in the last two years in industrial control equipment produced by popular vendors, Microsoft said.
In its report entitled The Convergence of IT and Operational Technology: Cyber Risks to Critical Infrastructure on the Rise, Microsoft writes:
“The pervasiveness, vulnerability, and cloud connectivity of Internet-of-Things (IoT) and Operational Technology (OT) devices represent a rapidly expanding, often unchecked risk surface affecting a wider array of industries and organizations. Rapidly increasing IoT creates an expanded entry point and attack surface for attackers. With OT becoming more cloud-connected and the IT-OT gap closing, access to less secure OT is opening the door for damaging infrastructure attacks.”
Exploits Observed Everywhere
It’s not only big installations that Microsoft is talking about. In the past year, the vendor has observed exploits in nearly every visible corner and alleyway in an organization.
As Microsoft explained:
“We have observed these threats across traditional IT equipment, OT controllers and IoT devices like routers and cameras. The spike in attackers’ presence in these environments and networks is fueled by the convergence and interconnectivity many organizations have adopted over the past few years.”
Other cybersecurity guardians have reported similar observations and come to conclusions along the same lines. For example, a recent study by Fortinet found industrial control environments continue to be a target for cyber criminals, with 93% of OT organizations experiencing a breach in the past 12 months.
That’s not all for Fortinet's research:
- 97% of global organizations consider OT a moderate or significant factor in their overall security risk.
- OT security intrusions significantly impact organizations’ productivity and their bottom line.
- Nearly 50% of organizations suffered an operation outage that affected productivity with 90% of intrusions requiring hours or longer to restore service.
- Ownership of OT security is not consistent across organizations.
- A vast majority of organizations use between two and eight different vendors for their industrial devices and have between 100 and 10,000 devices in operation.
Another report by San Jose, California based Skybox found that OT vulnerabilities had nearly doubled year-over-year.
Microsoft has a number of recommendations to follow for critical infrastructure owners and operators and organizations with OT technology.
On threat briefing:
- Work with stakeholders: Map business-critical assets, in IT and OT environments.
- Device visibility: Identify what IoT and OT devices are critical assets by themselves, and which are associated with other critical assets.
- Perform a risk analysis on critical assets: Focus on the business impact of different attack scenarios as suggested by MITRE.
- Define a strategy: Address the risks identified, driving priority from business impact.
On defending against attacks:
- Implement new and improved policies: Policies stemming from the Zero Trust methodology and best practices provide a holistic approach for enabling seamless security and governance across all your devices.
- Adopt a comprehensive and dedicated security solution: Enable visibility, continuous monitoring, attack surface assessment, threat detection, and response.
- Educate and train: Security teams require training specific to threats originating from or targeting IoT/OT systems.
- Examine means of augmenting existing security operations: Address IoT and OT security concerns to achieve a unified IT and OT/IoT SOC across all environments.
Microsoft concludes its report, saying:
“Adversaries realize that the financial impact and extortion leverage of shutting down energy and other critical infrastructures is far greater, compared to other industries. OT systems include almost everything supporting physical operations, spanning dozens of vertical industries. OT systems aren’t solely limited to industrial processes, they can be any special purpose or computerized equipment, such as HVAC controllers, elevators, and traffic lights.”