The convergence of IT and OT and its impact on growing infrastructure risks

Internet-of-Things (IoT) and Operational Technology (OT) devices represent a rapidly expanding, often unchecked risk surface that is largely driven by the technology’s pervasiveness, vulnerability, and cloud connectivity. This has left a wider array of industries and organizations vulnerable and opened the door for damaging infrastructure attacks.

OT systems include almost everything supporting physical operations, spanning dozens of vertical industries. They aren’t solely limited to industrial processes. OT systems can cover any special purpose or computerized equipment, such as HVAC controllers, elevators, and traffic lights. Various safety systems also fall into the category of OT systems.

Microsoft recently identified unpatched, high-severity vulnerabilities in 75% of the most common industrial controllers in customer OT networks. This highlights a significant gap that enterprise businesses must address. Keep reading to learn more about these cyber risks to critical infrastructure and what you can do to mitigate them.

The growth of IoT has outstripped device security

Over the past year, Microsoft has observed threats exploiting devices in almost every monitored and visible part of an organization. This includes traditional IT equipment, OT controllers, and IoT devices like routers and cameras. Many organizations have adopted a converged, interconnected model of OT and IoT in recent years. This trend has caused attackers’ presences in these environments and networks to grow exponentially.

The International Data Corporation (IDC) estimates there will be 41.6 billion connected IoT devices by 2025, a growth rate higher than traditional IT equipment. And although the security of IT equipment has strengthened in recent years, IoT and OT device security has not kept pace. Threat actors are exploiting these devices accordingly by compromising internet-connected devices to gain access to sensitive critical infrastructure networks.

Take the recent Boa Web server vulnerabilities, for example. Microsoft discovered these vulnerabilities during an investigation of continued attacks on Indian power grid assets by Chinese state-sponsored groups. Despite being discontinued in 2005, the Boa web server is still used by different vendors across a variety of IoT devices and popular software development kits (SDKs). Data from the Microsoft Defender Threat Intelligence platform identified over 1 million internet-exposed Boa server components around the world over the span of a week. Without developers managing the Boa web server, its known vulnerabilities create an opening for attackers to silently gain access to networks by collecting information from files.

Nation-states are targeting critical infrastructure

It is important to remember attackers can have varied motives to compromise devices other than typical laptops and smartphones. Russia’s cyberattacks against Ukraine, as well as other nation-state-sponsored cybercriminal activity, demonstrate that some nation-states will target critical infrastructure in order to achieve military and economic objectives.

Seventy-two percent of the software exploits utilized by Incontroller are now available online. Cybersecurity and Infrastructure Security Agency (CISA) describes Incontroller as a novel set of state-sponsored, industrial control system (ICS)-oriented cyberattack tools. The widespread sharing of their software exploits has an exponential effect—fostering wider attack activity by other actors as expertise and other barriers to entry diminish.

Threat actors have more varied ways of mounting large-scale attacks as the cybercriminal economy expands and malicious software targeting OT systems becomes more prevalent and easier to use. Ransomware attacks, previously perceived as an IT-focused attack vector, are today affecting OT environments. This can be seen in instances like the Colonial Pipeline attack, where OT systems and pipeline operations were temporarily shut down while incident responders worked to identify and contain the spread of ransomware on the company’s IT network. Adversaries realize that the financial impact and extortion leverage of shutting down energy and other critical infrastructures is far greater than other industries.

Microsoft has observed Chinese-linked threat actors targeting vulnerable home and small office routers in order to compromise these devices as footholds. This provides new address space that is less associated with their previous campaigns—giving them a new foothold from which to launch future attacks.

Our recommendations

While the prevalence of IoT and OT vulnerabilities presents a challenge for all organizations, critical infrastructure is at increased risk. Disabling critical services, not even necessarily destroying them, is a powerful lever.

If organizations are to secure their IoT and OT systems, there are a number of recommendations that should be put in place:

• Identify your vulnerabilities: It’s important to map out business-critical assets in IT and OT environments so that you can fully understand your landscape and its innate weaknesses.
• Evaluate device visibility: Next, you should identify what IoT and OT devices are critical assets by themselves and which are associated with other critical assets.
• Perform a risk analysis on critical assets: Focus on the business impact of different attack scenarios as suggested by MITRE. This publicly-available knowledge base outlines common tactics, techniques, and procedures deployed by cyber criminals, and offers specific guidance for a variety of control systems.
• Define a strategy: Finally, define your protection strategy by addressing the risks that you previously identified. Rank risk by business impact priority.

Looking for more tips on how to secure your IoT and OT systems? Explore the full breadth of our cybersecurity research and recommendations with Microsoft’s Security Insider.