Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Register for CSA’s free Virtual Cloud Trust Summit to tackle enterprise challenges in cloud assurance.

The Convergence of IT and OT

Home
Industry Insights
The Convergence of IT and OT

Blog Article Published: 01/10/2023

Originally published by Microsoft on December 14, 2022.

The pervasiveness, vulnerability, and cloud connectivity of Internet-of-Things (IoT) and Operational Technology (OT) devices represent a rapidly expanding, often unchecked risk surface affecting a wider array of industries and organizations. Rapidly increasing IoT creates an expanded entry point and attack surface for attackers. With OT becoming more cloud-connected and the IT-OT gap closing, access to less secure OT is opening the door for damaging infrastructure attacks.

Threat Briefing

Adversaries compromise internet-connected devices to gain access to sensitive critical infrastructure networks

Over the past year, Microsoft has observed threats exploiting devices in almost every monitored and visible part of an organization. We have observed these threats across traditional IT equipment, OT controllers and IoT devices like routers and cameras. The spike in attackers’ presence in these environments and networks is fueled by the convergence and interconnectivity many organizations have adopted over the past few years.

The International Data Corporation (IDC) estimates there will be 41.6 billion connected IoT devices by 2025, a growth rate higher than traditional IT equipment. Although security of IT equipment has strengthened in recent years, IoT and OT device security has not kept pace, and threat actors are exploiting these devices.

It is important to remember attackers can have varied motives to compromise devices other than typical laptops and smartphones. Russia’s cyberattacks against Ukraine, as well as other nation-state sponsored cybercriminal activity, demonstrate that some nation-states view cyberattacks against critical infrastructure as desirable for achieving military and economic objectives.

Seventy two percent of the software exploits utilized by “Incontroller,” what Cybersecurity and Infrastructure Security Agency (CISA) describes as a novel set of state-sponsored, industrial control system (ICS) oriented cyberattack tools, are now available online. Such proliferation fosters wider attack activity by other actors, as expertise and other barriers to entry diminish.

As the cybercriminal economy expands and malicious software targeting OT systems become more prevalent and easier-to-use, threat actors have more varied ways of mounting large-scale attacks. Ransomware attacks, previously perceived as an IT-focused attack vector, are today affecting OT environments as seen in the Colonial Pipeline attack, where OT systems and pipeline operations were temporarily shut down while incident responders worked to identify and contain the spread of ransomware on the company’s IT network. Adversaries realize that the financial impact and extortion leverage of shutting down energy and other critical infrastructures is far greater than other industries.

chart of real iot/ot attacks

OT systems include almost everything supporting physical operations, spanning dozens of vertical industries. OT systems aren’t solely limited to industrial processes, they can be any special purpose or computerized equipment, such as HVAC controllers, elevators, and traffic lights. Various safety systems fall into the category of OT systems.

Microsoft has observed Chinese-linked threat actors targeting vulnerable home and small office routers in order to compromise these devices as footholds, giving them new address space less associated with their previous campaigns, from which to launch new attacks.

While the prevalence of IoT and OT vulnerabilities presents a challenge for all organizations, critical infrastructure is at increased risk. Disabling critical services, not even necessarily destroying them, is a powerful lever.

Recommendations:

  • Work with stakeholders: Map business-critical assets, in IT and OT environments.
  • Device visibility: Identify what IoT and OT devices are critical assets by themselves, and which are associated with other critical assets.
  • Perform a risk analysis on critical assets: Focus on the business impact of different attack scenarios as suggested by MITRE.
  • Define a strategy: Address the risks identified, driving priority from business impact.
Internet of ThingsThreat Intelligence

Share this content on your favorite social network today!

Latest from CSA
Join AT&T Cybersecurity in Chicago
The State of AI and Security Survey Report
CSA's STAR: The Key to Cloud Security & Compliance
Trending This Week
#1 The 5 SOC 2 Trust Services Criteria Explained
#2 What You Need to Know About the Daixin Team Ransomware Group
#3 Mitigating Security Risks in Retrieval Augmented Generation (RAG) LLM Applications
#4 Cybersecurity 101: 10 Types of Cyber Attacks to Know
#5 Detecting and Mitigating NTLM Relay Attacks Targeting Microsoft Domain Controllers
Level up with Cloud Infrastructure Security Training
Related Articles:
Breach Debrief: The Fake Slackbot

Published: 04/22/2024

Are You Ready for Microsoft Copilot?

Published: 04/19/2024

Implementing a Data-Centric Approach to Security

Published: 04/19/2024

Threats to Water: The Achilles’ Heel of Critical Infrastructure

Published: 04/08/2024