Microsoft has unveiled its latest Cyber Signals report, “The Convergence of IT and Operational Technology”. The report demonstrates the risk to critical infrastructure and the increased focus displayed by threat actors in going after that which matters most to the present communities. With this new report, Microsoft hopes to bring the issue of vulnerable critical infrastructure into the mainstream and make it the regional governance and policy focus of 2023.
The pervasiveness, vulnerability, and cloud-connectivity of Internet-of-Things (IoT) and Operational Technology (OT) devices represents a rapidly expanding, often unchecked risk surface that has come to affect a wider array of industries and organizations. With OT becoming more cloud-connected and the IT-OT gap closing, access to less secure OT is opening the door to damaging infrastructure attacks.
The report addresses this issue. In the research, Microsoft uncovered unpatched, high-severity vulnerabilities in 75% of the most common industrial controllers used in our customers’ OT networks. Between 2020 and 2022, we saw a 78% increase in disclosures of high-severity vulnerabilities in industrial control equipment produced by the most popular vendors.
They also discovered that there are more than 1 million connected devices publicly visible on the Internet that are running Boa, an out-of-support, open-source Web server for embedded applications that is still widely used in IoT devices and software development kits (SDKs). The inroads for attackers are becoming more plentiful. The IDC estimates there will be 41.6 billion connected IoT devices by 2025. That shows a growth rate higher than that of traditional IT equipment. Microsoft has found evidence of threat actors targeting vulnerable home and small-office routers to use them as footholds for attacks against more vital assets.
The threat is neither theoretical nor speculative. Survey after survey of the IT world tells us that almost everyone is a target. As attackers scale up their campaigns on OT infrastructure, we need to be ready for them. We are all cybersecurity defenders. We all have a role to play in our own protection.
