Microsoft has discovered a whole series of industrial and IoT cyber failures

Microsoft has identified a large number of IoT security issues and has found unpatched, high-severity vulnerabilities in 75% of the most common industrial controllers on customers' operational technology (OT) networks.

The tech giant's research also found that 72% of software exploits used by what Microsoft calls "Incontroller" are now available online.

"Incontroller" is what the Cybersecurity and Infrastructure Security Agency (CISA) describes as a "new set of cyberattack tools targeting the state-sponsored industrial control system (ICS)."

What is the real scale of the problem?

Microsoft cited recent figures from IDC estimating that there will be 41.6 billion connected IoT devices by 2025, a growth rate that far exceeds that of traditional computing equipment.

However, Microsoft claims that the security development of IoT and OT devices has not kept pace with other computing systems, and threat actors are exploiting these devices.

Microsoft pointed to Russia's cyberattacks in Ukraine, as well as other nation-state-sponsored cybercriminal activities, saying they demonstrate that "some nation-states view cyberattacks on critical infrastructure as desirable to achieve military and economic objectives."

You certainly don't have to look far to see examples of these kinds of industrial IoT attacks wreaking havoc on everyone involved.

In May 2021, the Colonial Pipeline ransomware attack disrupted natural gas supplies to much of the southern United States, causing prices to spike across the board.

To mitigate these types of risks, Microsoft recommends that customers work with stakeholders to map critical business assets across IT and OT environments, and to identify which IoT and OT devices are themselves critical assets and which are associated with other critical assets.

Microsoft also recommends that organizations perform risk analysis on critical assets, focusing on the business impact of different attack scenarios.