- 78% increase in high-severity vulnerabilities from 2020 to 2022
- Identified vulnerabilities in 75% of the most common industrial controllers
Microsoft has released its third edition of Cyber Signals, a regular cyber threat intelligence brief spotlighting security trends and insights gathered from its 43 trillion daily security signals and 8,500 security experts.
In a statement, the tech firm said this edition highlights new insights on the wider risks that converging IT, Internet-of-Things (IoT), and Operational Technology (OT) systems pose to critical infrastructure.
It also includes how enterprises can defend against these attacks, it said.
Microsoft notes that OT is a combination of hardware and software across programmable systems or devices that interact with the physical environment (or manage devices that interact with the physical environment).
It said examples of OT include building management systems, fire control systems, and physical access control mechanisms, like doors and elevators.
The firm notes that with increasing connectivity across converging IT, OT, and IoT, organisations and individuals need to rethink cyber risk impact and consequences.
It said similar to how the loss of a laptop or modern vehicle containing a homeowner’s cached Wi-Fi credentials could grant a property thief unauthorised network access, compromising a manufacturing facility’s remotely connected equipment or a smart building’s security cameras can introduce new vectors for threats like malware or industrial espionage.
Vasu Jakkal, corporate vice president, security, compliance, identity, and management at Microsoft, said, as OT systems underpinning energy, transportation, and other infrastructures become increasingly connected to IT systems, the risk of disruption and damage grows as boundaries blur between these formerly separated worlds.
“For businesses and infrastructure operators across industries, the defensive imperatives are gaining total visibility over connected systems and weighing evolving risks and dependencies,” he added. 
Key insights shared in this edition of Cyber Signals include:
- Microsoft identified unpatched, high-severity vulnerabilities in 75% of the most common industrial controllers in customer OT networks. This illustrates how challenging it is for even well-resourced organizations to patch control systems in demanding environments sensitive to downtime.
- There has been a 78% increase in disclosures of high-severity vulnerabilities from 2020 to 2022 in industrial control equipment produced by popular vendors.
- Over 1 million connected devices are publicly visible on the Internet running Boa, an outdated and unsupported software still widely used in IoT devices and software development kits.
For businesses and individuals, securing IoT solutions with a Zero Trust security model starts with non-IoT specific requirements.
This can be achieved by specifically ensuring they have implemented the basics to securing identities and their devices and limiting their access, Microsoft said.
These requirements include explicitly verifying users, having visibility into the devices on the network, and real-time risk detections, it added.
Click here to learn more about IT, OT, and IoT threats, read the third edition of Cyber Signals today. To learn more about Microsoft Security solutions and keep up with expert coverage on security matters, click here.