
The Convergence of IT and OT

Published 01/10/2023


Originally published by Microsoft on December 14, 2022.

The pervasiveness, vulnerability, and cloud connectivity of Internet-of-Things (IoT) and Operational Technology (OT) devices represent a rapidly expanding, often unchecked risk surface affecting a wider array of industries and organizations. The rapid growth of IoT creates an expanded entry point and attack surface for attackers. With OT becoming more cloud-connected and the IT-OT gap closing, access to less secure OT is opening the door to damaging infrastructure attacks.

Threat Briefing

Adversaries compromise internet-connected devices to gain access to sensitive critical infrastructure networks

Over the past year, Microsoft has observed threats exploiting devices in almost every monitored and visible part of an organization. We have observed these threats across traditional IT equipment, OT controllers and IoT devices like routers and cameras. The spike in attackers’ presence in these environments and networks is fueled by the convergence and interconnectivity many organizations have adopted over the past few years.

The International Data Corporation (IDC) estimates there will be 41.6 billion connected IoT devices by 2025, a growth rate higher than that of traditional IT equipment. Although the security of IT equipment has strengthened in recent years, IoT and OT device security has not kept pace, and threat actors are exploiting these devices.

It is important to remember that attackers can have varied motives for compromising devices other than typical laptops and smartphones. Russia’s cyberattacks against Ukraine, as well as other nation-state sponsored cybercriminal activity, demonstrate that some nation-states view cyberattacks against critical infrastructure as desirable for achieving military and economic objectives.

Seventy-two percent of the software exploits utilized by “Incontroller,” which the Cybersecurity and Infrastructure Security Agency (CISA) describes as a novel set of state-sponsored, industrial control system (ICS) oriented cyberattack tools, are now available online. Such proliferation fosters wider attack activity by other actors, as expertise and other barriers to entry diminish.

As the cybercriminal economy expands and malicious software targeting OT systems becomes more prevalent and easier to use, threat actors have more varied ways of mounting large-scale attacks. Ransomware attacks, previously perceived as an IT-focused attack vector, are today affecting OT environments, as seen in the Colonial Pipeline attack, where OT systems and pipeline operations were temporarily shut down while incident responders worked to identify and contain the spread of ransomware on the company’s IT network. Adversaries realize that the financial impact and extortion leverage of shutting down energy and other critical infrastructure is far greater than in other industries.

Figure: chart of real IoT/OT attacks

OT systems include almost everything supporting physical operations, spanning dozens of vertical industries. OT systems aren’t limited solely to industrial processes; they can be any special-purpose or computerized equipment, such as HVAC controllers, elevators, and traffic lights. Various safety systems also fall into the category of OT systems.

Microsoft has observed Chinese-linked threat actors targeting vulnerable home and small office routers in order to use these devices as footholds, giving the actors new address space, less associated with their previous campaigns, from which to launch new attacks.

While the prevalence of IoT and OT vulnerabilities presents a challenge for all organizations, critical infrastructure is at increased risk. Merely disabling critical services, without necessarily destroying them, is a powerful lever.

Recommendations:

  • Work with stakeholders: Map business-critical assets in both IT and OT environments.
  • Device visibility: Identify which IoT and OT devices are critical assets in their own right, and which are associated with other critical assets.
  • Perform a risk analysis on critical assets: Focus on the business impact of different attack scenarios, as suggested by MITRE.
  • Define a strategy: Address the risks identified, prioritizing by business impact.
