The pervasiveness, vulnerability, and cloud connectivity of Internet-of-Things (IoT) and Operational Technology (OT) devices represent a rapidly expanding, often unchecked risk surface affecting a wider array of industries and organizations. Rapidly increasing IoT creates an expanded entry point and attack surface for attackers. With OT becoming more cloud-connected and the IT-OT gap closing, access to less secure OT is opening the door for damaging infrastructure attacks.
Watch the Cyber Signals digital briefing where Vasu Jakkal, CVP of Microsoft Security interviews key threat intelligence experts on IoT and OT vulnerabilities and how to help stay protected.
Over the past year, Microsoft has observed threats exploiting devices in almost every monitored and visible part of an organization. We have observed these threats across traditional IT equipment, OT controllers and IoT devices like routers and cameras. The spike in attackers’ presence in these environments and networks is fueled by the convergence and interconnectivity many organizations have adopted over the past few years.
The International Data Corporation (IDC) estimates there will be 41.6 billion connected IoT devices by 2025, a growth rate higher than traditional IT equipment. Although security of IT equipment has strengthened in recent years, IoT and OT device security has not kept pace, and threat actors are exploiting these devices.
It is important to remember attackers can have varied motives to compromise devices other than typical laptops and smartphones. Russia’s cyberattacks against Ukraine, as well as other nation-state sponsored cybercriminal activity, demonstrate that some nation-states view cyberattacks against critical infrastructure as desirable for achieving military and economic objectives.
Seventy two percent of the software exploits utilized by “Incontroller,” what Cybersecurity and Infrastructure Security Agency (CISA) describes as a novel set of state-sponsored, industrial control system (ICS) oriented cyberattack tools, are now available online. Such proliferation fosters wider attack activity by other actors, as expertise and other barriers to entry diminish.
As the cybercriminal economy expands and malicious software targeting OT systems become more prevalent and easier-to-use, threat actors have more varied ways of mounting large-scale attacks. Ransomware attacks, previously perceived as an IT-focused attack vector, are today affecting OT environments as seen in the Colonial Pipeline attack, where OT systems and pipeline operations were temporarily shut down while incident responders worked to identify and contain the spread of ransomware on the company’s IT network. Adversaries realize that the financial impact and extortion leverage of shutting down energy and other critical infrastructures is far greater than other industries.
OT systems include almost everything supporting physical operations, spanning dozens of vertical industries. OT systems aren’t solely limited to industrial processes, they can be any special purpose or computerized equipment, such as HVAC controllers, elevators, and traffic lights. Various safety systems fall into the category of OT systems.
Microsoft has observed Chinese-linked threat actors targeting vulnerable home and small office routers in order to compromise these devices as footholds, giving them new address space less associated with their previous campaigns, from which to launch new attacks.
While the prevalence of IoT and OT vulnerabilities presents a challenge for all organizations, critical infrastructure is at increased risk. Disabling critical services, not even necessarily destroying them, is a powerful lever.