The volume of attacks on IoT and OT devices is increasing and in many cases these systems were specifically targeted by threat actors, according to a new study commissioned by Microsoft.
Forty-four percent of the more than 600 respondents who took part in a survey said their organization experienced a cyber incident that involved an IoT or OT device in the past two years. Thirty-nine percent said such a device was the target of the attack and 35% said the device was leveraged to conduct a broader attack — this includes lateral movement, detection evasion and persistence.
IoT and OT devices may be specifically targeted by attackers with the intent to cause disruption. One example provided by Microsoft involves human-operated ransomware attacks that disrupt production in an organization.
Half of respondents said the volume of attacks against IoT/OT devices in their organization “increased” or “significantly increased” in the past 12 to 24 months. Moreover, only less than 20% of respondents believe the volume of attacks will decrease in the upcoming period.
Many organizations are still not confident in their ability to protect their systems. Only less than one-third of the respondents who contributed to the Microsoft study said their organization has a complete inventory of devices, and 42% don’t have the ability to detect vulnerabilities affecting IoT and OT devices.
Moreover, 61% have low or average confidence when it comes to identifying compromised systems, and nearly half still mainly rely on manual processes to identify and correlate impacted devices.
Microsoft’s study also confirms that industrial systems are in many cases not isolated from the internet or the IT network. Roughly half of respondents said their OT network is connected to the corporate IT network, and 56% admitted that their OT network is directly connected to the internet.
While 55% of respondents believe IoT and OT products are not secure by design, 47% are relying on the manufacturer to secure these devices.
The report released by Microsoft is based on a survey of 615 IT, IT security, and OT security practitioners across the United States, conducted by the Ponemon Institute.
A survey conducted recently by Ponemon for industrial cybersecurity firm Dragos showed that some companies reported that the total cost of an ICS/OT incident exceeded $100 million.