The pervasiveness, vulnerability, and cloud-connectivity of Internet-of-Things (IoT) and Operational Technology (OT) devices represents a rapidly expanding, often unchecked risk surface that has come to affect a wider array of industries and organisations. With OT becoming more cloud-connected and the IT-OT gap closing, access to less secure OT is opening the door to damaging infrastructure attacks.
To address this issue, Microsoft has unveiled its latest Cyber Signals report, “The Convergence of IT and Operational Technology” in which we demonstrate the risk to critical infrastructure and the increased focus displayed by threat actors in going after that which matters most to our communities. In our research, we uncovered unpatched, high-severity vulnerabilities in 75% of the most common industrial controllers used in our customers’ OT networks. Between 2020 and 2022, we saw a 78% increase in disclosures of high-severity vulnerabilities in industrial control equipment produced by the most popular vendors.
We also discovered that there are more than 1 million connected devices publicly visible on the Internet that are running Boa, an out-of-support, open-source Web server for embedded applications that is still widely used in IoT devices and software development kits (SDKs). The inroads for attackers are becoming more plentiful. The International Data Corporation (IDC) estimates there will be 41.6 billion connected IoT devices by 2025. That shows a growth rate higher than that of traditional IT equipment. Microsoft has found evidence of threat actors targeting vulnerable home and small-office routers to use them as footholds for attacks against more vital assets.
The threat is neither theoretical not speculative. Survey after survey of the IT world tells us that almost everyone is a target. As attackers scale up their campaigns on OT infrastructure, we need to be ready for them. We are all cybersecurity defenders. We all have a role to play in our own protection. With our new report, Microsoft hopes to bring the issue of vulnerable critical infrastructure into the mainstream and make it the regional governance and policy focus of 2023.
See below additional links for further details:
30-minute digital video briefing: Frame.io
Microsoft blog by Vasu Jakkal – Read more