Piles of Unpatched IoT, OT Devices Attract ICS Cyberattacks

Industrial devices are less likely to be patched due to expensive downtime, and threat actors have taken notice.

IoT farming drones hovering over a field
Source: Scharfsinn via Alamy Stock Photo

Despite efforts across both the public and private sectors to shore up industrial control system (ICS) cybersecurity, threat actors continue to find increasing opportunity against unpatched Internet of Things (IoT) and operational technology (OT) devices.

New research from Nozomi Networks looked at public IoT/OT cyber incidents over the past six months and found that various threat actors, including ransomware and DDoS cyber attackers, have unleashed a barrage of cyberattacks against ICS systems. The report notes manufacturing, water treatment, food and agriculture, and the chemical sectors were most frequently targeted in early 2023.

Nozomi added it measured an average of 813 unique cyberattacks daily on its honeypots the first six months of this year, hitting a peak of 1,342 on May 1.

Another bit of research, from SynSaber and downloaded by Dark Reading, sheds further light on what's causing the frenzy of nefarious activity against ICS networks. Even though the overall number of ICS CVEs reported in the first half of the year is down 1.6% from 2022, 34% of ICS CVEs reported in the first half of 2023 have no patch or remediation available, a 13% spike over the same period last year.

Why ICS Patching Takes So Long

There are plenty of good reasons why patches for supervisory control and data acquisition (SCADA) and ICS systems get held up for months, or even years, according to Melissa Bischoping, endpoint security researcher with Tanium.

"Stability and uptime of these systems is often a priority for operations, and many patches require restarts," which may trigger a cascade of restarts to the production process, Bischoping tells Dark Reading. "Given the cost and risk of those downtimes, operators may choose to delay the patches."

The cost of upgrading ICS systems can also be a deterrent to upgrades, she explains.

"In some cases, interoperability and compatibility with other systems may prevent upgrades until costly retrofitting or modernization of shared components can occur," Bischoping adds. "Upgrades can carry a price tag of millions of dollars, but choosing to delay upgrades may mean accepting as much or more in risk that the system may fail or be exploited."

Bright Spot in ICS Cybersecurity Data

The choices for ICS systems operators are tough, but John Gallagher, vice president with Viakoo Labs, says research and data points like these show that cybersecurity efforts to protect these systems are indeed working.

"Until recently IoT/OT devices and their related vulnerabilities were not a focus for the line-of-business organizations that typically run them — think manufacturing, facilities, physical security — and not a lot of data was available," Gallagher tells Dark Reading. "The growth of asset discovery, threat assessment, and vulnerability remediation solutions that directly address IoT/OT systems is helping to change that, along with more government and board-level focus on the threats from such systems."

About the Author

Becky Bracken, Senior Editor, Dark Reading

Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights