“High severity” vulnerabilities uncovered in three-quarters of operational technology systems


Three-quarters of industrial control devices used in operational technology (OT) networks remain unpatched and laden with severe vulnerabilities, according to new research from Microsoft.

Statistics from the tech giant’s latest Cyber Signals bulletin showed that threats against operational technology systems and internet of things (IoT) products are rising steeply and posing significant risks for businesses globally.

“The pervasiveness, vulnerability, and cloud connectivity of IoT and OT devices represent a rapidly expanding, often unchecked risk surface affecting a wider array of industries and organisations,” said David Atch, head of IoT and OT security research at Microsoft Threat Intelligence.

“Rapidly increasing IoT creates an expanded entry point and attack surface for attackers. With OT becoming more cloud-connected and the IT-OT gap closing, access to less-secure OT is opening the door for damaging infrastructure attacks.”

By 2025, more than 41 billion IoT devices are expected to be deployed across enterprise and consumer environments, according to research from IDC.

Connected devices such as smart speakers, cameras, or commercial appliances are frequently targeted as entry points for threat actors.

As such, Microsoft said the increasing convergence of IoT and OT with traditional IT systems means organisations will be forced to “rethink cyber risk impact and consequences”.

OT systems underpin a range of critical industries, including energy, transportation and other key infrastructure assets, meaning that successful cyber attacks would have a potentially crippling economic impact for nations worldwide.

“While the prevalence of IoT and OT vulnerabilities presents a challenge for all organisations, critical infrastructure is at increased risk. Disabling critical services, not even necessarily destroying them, is a powerful lever,” Atch said.

Evolving threat landscape

The use of OT systems in critical infrastructure means that state-sponsored threat actors are increasingly targeting organisations working in this space, Microsoft warned.

Since the onset of the war in Ukraine, Russian state-backed groups have placed a strong focus on targeting systems to cripple Ukrainian infrastructure and support military operations.

Similarly, risks for individual organisations and staff are escalating. Microsoft said it has observed Chinese-linked hackers targeting vulnerable home and office routers to gain a network foothold and launch wider attacks on IT infrastructure.

This trend is expected to continue, Microsoft said. The rise of malicious software used to target OT systems is becoming “more prevalent”, easier to use, and enabling threat actors to draw upon a wider range of options when mounting large-scale attacks.

“Ransomware attacks, previously perceived as an IT-focused attack vector, are today affecting OT environments as seen in the Colonial Pipeline attack,” Microsoft warned.

The Colonial Pipeline attack forced OT systems and pipeline operations to temporarily shut down, and caused significant financial losses for the organisation.

Research published by Mandiant this year highlighted the growing threat of ransomware for OT system operators, with one-in-seven extortion attacks leaking critical OT data.

The company identified 1,300 leaks released by ransomware groups involving companies that use OT systems. Data uncovered in the study included sensitive network and process documentation for two oil and gas companies.

Countering Threats

Looking forward, Microsoft said that improving the visibility of connected systems will be a “defensive imperative” for businesses and infrastructure operators across a range of industries.

The tech giant advised that organisations should also improve collaboration with key industry stakeholders to map business-critical assets.

Earlier this year, the National Cyber Security Centre (NCSC) called on startups to apply to collaborate with the centre to counter key cyber security threats currently facing the UK.

Under the plans outlined in July, the NCSC said it will work with startups to develop and pilot technologies that can help organisations mitigate growing threats.

A key focus of the initiative centres around bolstering protection for OT in a range of sectors, including the energy, agriculture and food manufacturing industries.

Ross Kelly
News and Analysis Editor