Internet of Things (IoT) and operational technology (OT) devices represent a rapidly expanding, often unchecked, risk surface that is largely driven by the technology's pervasiveness, vulnerability, and cloud connectivity. This has left a wider array of industries and organizations vulnerable and opened the door for damaging infrastructure attacks.
Microsoft recently identified unpatched, high-severity vulnerabilities in 75% of the most common industrial controllers in customer OT networks. Keep reading to learn more about these cyber-risks to critical infrastructure and what you can do to mitigate them.
IoT's Growth Has Outstripped Device Security
Over the past year, Microsoft has observed threats exploiting devices in almost every monitored and visible part of an organization. This includes traditional IT equipment, OT controllers, and IoT devices such as sensors and cameras. Many organizations have adopted a converged, interconnected model of OT and IoT in recent years, and attacker presence in these environments and networks has grown exponentially as a result.
IDC estimates there will be 41.6 billion connected IoT devices by 2025, a growth rate higher than that of traditional IT equipment. And although the security of IT equipment has strengthened in recent years, IoT and OT device security has not kept pace. Threat actors are exploiting this gap by compromising newly networked devices to gain access to sensitive critical infrastructure networks.
Take the recent Boa Web server vulnerabilities, for example. Microsoft discovered these vulnerabilities during an investigation of continued attacks on Indian power grid assets by Chinese state-sponsored groups. Despite being discontinued in 2005, the Boa Web server is still used by different vendors across a variety of IoT devices and popular software development kits. Data from the Microsoft Defender Threat Intelligence platform identified more than 1 million Internet-exposed Boa server components around the world over the span of a week. Because no developers maintain the Boa Web server, its known vulnerabilities remain unpatched and give attackers an opening to silently gain access to networks by collecting information from files.
Nation-States Targeting Critical Infrastructure
It is important to remember that attackers can have varied motives. Russia's cyberattacks against Ukraine, as well as other state-sponsored cybercriminal activity, demonstrate that some nation-states will target critical infrastructure in order to achieve military and economic objectives.
Threat actors have more varied ways of mounting large-scale attacks as the cybercriminal economy expands and malicious software targeting OT systems becomes more prevalent and easier to use.
Ransomware attacks, previously perceived as an IT-focused attack vector, are today affecting OT environments. This can be seen in instances like the Colonial Pipeline attack, where OT systems and pipeline operations were temporarily shut down while incident responders worked to identify and contain the spread of ransomware on the company's IT network. Adversaries realize that the financial impact and extortion leverage of shutting down energy and other critical infrastructure is far greater than in other industries.
Microsoft has observed Chinese-linked threat actors compromising vulnerable home and small-office routers to use as footholds. These devices provide address space that is less associated with the actors' previous campaigns, giving them a new base from which to launch future attacks.
Secure Your OT and IoT
While the prevalence of IoT and OT vulnerabilities presents a challenge for all organizations, critical infrastructure is at increased risk. Disabling critical services, without necessarily destroying them, is a powerful lever for attackers.
Organizations that want to secure their IoT and OT systems should put the following recommendations in place.
- Identify your vulnerabilities: It's important to map out business-critical assets in IT and OT environments so you can fully understand your landscape and its innate weaknesses.
- Evaluate device visibility: Next, you should identify which IoT and OT devices are critical assets by themselves and which are associated with other critical assets.
- Perform a risk analysis on critical assets: Focus on the business impact of different attack scenarios, as suggested by MITRE. Its publicly available knowledge base outlines common tactics, techniques, and procedures deployed by cybercriminals, and offers specific guidance for a variety of control systems.
- Define a strategy: Finally, define your protection strategy by addressing the risks that you previously identified. Rank risk by business impact priority.
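The four steps above, and the Boa Web server example earlier in the article, can be worked through on a small inventory. The following is an added illustration, not Microsoft's tooling or any product's logic: the inventory, the impact weights, the dependency rule (a device that a critical asset relies on inherits that asset's impact level) and the scoring formula are all assumptions chosen for the example. The only page-derived detail is the detection of a Boa server from an HTTP `Server:` header, which is one observable that an asset-visibility scan can record.

```python
"""Added example: inventory -> visibility -> risk analysis -> ranked strategy.

All data, weights and the scoring formula are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# A Boa device identifies itself in the HTTP Server header, e.g. "Server: Boa/0.94.14rc21".
BOA_RE = re.compile(r"^Server:\s*Boa(?:/|\s|$)", re.IGNORECASE | re.MULTILINE)

# Assumed business-impact weights (step 1 / step 3 input).
IMPACT_WEIGHT: Dict[str, int] = {"critical": 10, "high": 6, "medium": 3, "low": 1}


@dataclass
class Asset:
    id: str
    kind: str                       # "IT", "OT" or "IoT"
    impact: str                     # business impact level from the asset map
    internet_exposed: bool = False
    unpatched_high: int = 0         # count of known, unpatched high-severity issues
    http_banner: str = ""           # raw HTTP response headers seen by the visibility scan
    depends_on: List[str] = field(default_factory=list)  # ids this asset relies on


def is_boa_banner(headers: str) -> bool:
    """Return True if the captured HTTP headers advertise the discontinued Boa server."""
    return bool(BOA_RE.search(headers))


def inherit_criticality(assets: List[Asset]) -> List[Asset]:
    """Step 2: a device that a more critical asset depends on inherits that impact level.

    Iterates to a fixed point so that chains (HMI -> PLC -> switch) propagate fully.
    """
    by_id = {a.id: a for a in assets}
    changed = True
    while changed:
        changed = False
        for a in assets:
            for dep_id in a.depends_on:
                dep = by_id[dep_id]
                if IMPACT_WEIGHT[dep.impact] < IMPACT_WEIGHT[a.impact]:
                    dep.impact = a.impact
                    changed = True
    return assets


def assess(a: Asset) -> Tuple[int, List[str]]:
    """Step 3: score = business impact x likelihood, with the findings that drove it.

    The likelihood increments are assumed values, not a published formula.
    """
    likelihood = 1
    findings: List[str] = []
    if a.unpatched_high:
        likelihood += 2 * a.unpatched_high
        findings.append(f"{a.unpatched_high} unpatched high-severity issue(s)")
    if is_boa_banner(a.http_banner):
        likelihood += 3
        findings.append("runs discontinued Boa web server (unmaintained since 2005)")
    if a.internet_exposed:
        likelihood += 3
        findings.append("reachable from the Internet")
    return IMPACT_WEIGHT[a.impact] * likelihood, findings


def rank_assets(assets: List[Asset]) -> List[Tuple[str, int, List[str]]]:
    """Step 4: apply the dependency rule, score every asset, rank by business impact priority."""
    inherit_criticality(assets)
    scored = [(a.id, *assess(a)) for a in assets]
    return sorted(scored, key=lambda row: row[1], reverse=True)


def sample_inventory() -> List[Asset]:
    """Constructed inventory; the ids, banners and counts are invented for the example."""
    return [
        Asset("plc-01", "OT", "critical", unpatched_high=1, depends_on=["switch-01"]),
        Asset("switch-01", "IT", "medium"),
        Asset("hmi-02", "OT", "high", depends_on=["plc-01"]),
        Asset("cam-07", "IoT", "low", internet_exposed=True,
              http_banner="HTTP/1.1 200 OK\r\nServer: Boa/0.94.14rc21\r\nContent-Type: text/html\r\n"),
        Asset("ws-15", "IT", "medium", unpatched_high=2,
              http_banner="HTTP/1.1 200 OK\r\nServer: Apache/2.4.54\r\n"),
    ]


if __name__ == "__main__":
    for asset_id, score, findings in rank_assets(sample_inventory()):
        print(f"{score:3d}  {asset_id:10s}  {'; '.join(findings) or 'no findings'}")
```

Two things the output makes visible that the prose alone does not: the plain network switch rises to the top tier purely because a critical controller depends on it, and the Internet-exposed Boa camera still ranks below the patched-but-critical controller because the ranking is by business impact, not by how loud the finding is. Whether a foothold device with low direct impact deserves a higher weight is a policy decision the scoring table should make explicit.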