Microsoft has identified a huge number of IoT security issues, finding unpatched, high-severity vulnerabilities in 75% of the most common industrial controllers in customer operational technology (OT) networks.
The tech giant's research also found that 72% of the software exploits utilized by what Microsoft terms “Incontroller” are now available online.
"Incontroller" is what the Cybersecurity and Infrastructure Security Agency (CISA) describes as a "novel set of state-sponsored, industrial control system (ICS) oriented cyberattack tools".
What is true scale of the issue?
Microsoft cited recent IDC figures that estimate there will be 41.6 billion connected IoT devices by 2025, a growth rate much higher than that of traditional IT equipment.
However, it claims that the development of IoT and OT device security has not kept pace with that of other IT systems, and threat actors are exploiting these devices.
Microsoft pointed towards Russia’s cyberattacks against Ukraine, as well as other nation-state-sponsored cybercriminal activity, saying these demonstrate that "some nation-states view cyberattacks against critical infrastructure as desirable for achieving military and economic objectives".
You certainly do not have to look far to see examples of these types of industrial IoT attacks wreaking havoc on all involved.
In May 2021, the Colonial Pipeline ransomware attack disrupted the supply of natural gas in much of the Southern US, causing widespread price rises.
To mitigate these types of risks, Microsoft recommends customers work with stakeholders to map business-critical assets, in IT and OT environments, as well as work to identify what IoT and OT devices are critical assets by themselves, and which are associated with other critical assets.
Microsoft also recommends that organizations perform a risk analysis on critical assets, focusing on the business impact of different attack scenarios.
- Interested in keeping your organization safe from cyber threats? Check out our guide to the best firewalls
