Operational technology (OT) systems like doors, elevators and fire control systems, not to mention factory systems and power plants, connected to the internet of things are the new route in for hackers.
Critical infrastructure that runs building management systems and power plants, right down to doors and elevators, is now the hacker’s preferred route into business networks, a new study by Microsoft reveals.
Microsoft has identified unpatched, high-severity vulnerabilities in 75% of the most common industrial controllers in customer OT networks, illustrating how challenging it is for even well-resourced organisations to patch control systems in demanding environments sensitive to downtime.
This is according to the third edition of Cyber Signals – a report spotlighting security trends and insights gathered from Microsoft’s 43 trillion daily security signals and 8,500 security experts. The report provides new insights on wider risks that converging IT, Internet of Things (IoT), and operational technology (OT) systems pose to critical infrastructure.
Anything that is connected can be attacked
OT is a combination of hardware and software across programmable systems or devices that interact with the physical environment (or manage devices that interact with the physical environment). Examples of OT can include building management systems, fire control systems, and physical access control mechanisms, like doors and elevators.
As OT systems underpinning energy, transportation, and other infrastructures become increasingly connected to IT systems, the risk of disruption and damage grows as boundaries blur between these formerly separated worlds.
Additionally, with more than 41bn IoT devices across enterprise and consumer environments expected by 2025, according to International Data Corporation (IDC) research, devices such as cameras, smart speakers, or locks and commercial appliances can become entry points for attackers.
“For businesses and infrastructure operators across industries, the defensive imperatives are gaining total visibility over connected systems and weighing evolving risks and dependencies,” said Vasu Jakkal, Microsoft’s Corporate Vice President, Security, Compliance, Identity, and Management.
“Unlike the IT landscape of common operating systems, business applications, and platforms, OT and IoT landscapes are more fragmented, featuring proprietary protocols and devices that may not have cybersecurity standards. Other realities affecting things like patching and vulnerability management are also factors.
“While connected OT and IoT-enabled devices offer significant value to organisations looking to modernize workspaces, become more data-driven, and ease demands on staff through shifts like remote management and automation in critical infrastructure networks, if not properly secured, they increase the risk of unauthorized access to operational assets and networks.”