The proliferation of Internet-connected devices has begun to change the way we live and work. Within our homes and our workplaces, more of the devices we use are “smart,” gathering data and communicating with each other and with our networks.

While this scenario gives us an incredible wealth of new data, insights, conveniences, and efficiencies, it also causes a corresponding expansion of our threat landscape.

These devices include networked manufacturing equipment that helps companies manage efficient production lines, connected healthcare devices that allow doctors to monitor patients’ critical health information in real time, and even Wi-Fi-enabled light bulbs and other household appliances.

Our world is growing increasingly connected, and each of those connections represents a potential weakness for attackers to exploit. Too often, those weaknesses are overlooked, or even unknown, as smart devices are seldom managed as carefully as their traditional IT counterparts. It’s our job to ensure those devices and the connections between them are as secure as possible.

Internet of Things (IoT) Explained

Simply stated, the Internet of Things (IoT) is a system of interconnected devices and sensors that can collect and exchange data. IoT devices can range from simple sensors to more complex devices such as smart thermostats or cars. The data they collect can be used to monitor and control the devices, and that data can itself be tracked and managed.

IoT devices connect to the Internet through a variety of networks, such as Wi-Fi, cellular, Bluetooth, and Zigbee. But these devices can also connect to the Internet using gateways such as the Amazon Echo and the Google Home.

Devices in the IoT category can be used to monitor and control a variety of systems. Countless IoT devices are aimed at consumer convenience and improving efficiency at home. Think of smart home appliances, light bulbs, thermostats, and other devices. Most modern cars have sensors and some degree of internet connectivity, monitoring driving behavior and mechanical system performance and even providing infotainment.

Beyond the consumer world, the evolution of medical equipment has been greatly influenced by this trend. Wearables and networked medical equipment allow medical professionals to monitor patient condition in real time, whether the doctor is down the hall or around the world. Governments and municipalities rely on smart devices to monitor energy use, and water and air quality. The agricultural sector has rapidly adopted IoT devices that monitor crop conditions—light levels, humidity, soil moisture, crop health, and more—and then automate irrigation and other processes accordingly.

How Operational Technology (OT) Fits In

A more business-focused category of IoT, operational technology (OT) refers to the hardware and software used to identify, monitor, and control physical devices, processes, and events in an organization. Also referred to as IIoT (industrial internet of things), OT helps manage facilities, infrastructure, and assets. Just as IoT devices deliver convenience and efficiency to our homes and offices, OT devices improve the operations of industrial and manufacturing systems.

Common examples of OT include industrial control systems, supervisory control and data acquisition (SCADA) systems, and security systems, but the range of OT applications is stunning. Oil and gas companies use connected sensors to monitor tank levels and pressure. Agriculture operations use sensors connected with machine learning algorithms to monitor and predict when maintenance is needed – before the machines break down. Solar farms use weather stations connected to the positioning motors in their solar arrays, and automatically move their panels to safety positions when wind speeds reach potentially damaging levels. Today, organizations are exploring OT opportunities to improve efficiency, reliability, or safety in a wide range of industrial applications.

OT is often distinguished from information technology (IT), which refers to the hardware and software used to store, process, and communicate information. However, the line between OT and IT is blurring, as organizations increasingly adopt digital technologies to manage both physical and digital processes.

Common Security Issues for IoT and OT

Compromised IoT devices can lead to data breaches, cyberattacks, and privacy issues. Depending on the nature of the devices’ connection and the network architecture, hackers can move laterally within networks after they breach a vulnerable IoT device.

In one memorable (if now somewhat antiquated) example, hackers in 2017 were able to exfiltrate a significant amount of data from a casino after finding a vulnerability in the smart sensors monitoring temperature and water quality of an aquarium sitting in the lobby [1].

More recently, IoT devices have fallen victim to command-and-control (C2) attacks. Microsoft’s Defender for IoT research team recently discovered that Trickbot, malware that historically targeted computers and IT systems, has moved into IoT devices. Trickbot has compromised IoT devices, then used those devices to try to move laterally and gain access to target networks with more critical data [2].

Medical IoT devices pose uniquely worrisome risks. A HIPAA Journal study of over 300 hospitals found that among the medical IoT devices they evaluated, over half had a known and unpatched vulnerability [3]. Sure, these devices can store personally identifiable information (PII), and privacy is a very real concern. But even more critically, they may also control life-saving equipment. For example, an attack that disrupts the smart system monitoring and controlling hospital respirators could have devastating consequences for patients.

This sort of attack is sometimes referred to as “cyber kinetic,” meaning that it attacks a system by digital means but causes indirect or direct physical harm. OT environments – where physical devices and systems are monitored and controlled – are by their very nature particularly vulnerable to this sort of attack. After gaining unauthorized access to either the equipment or the control systems, attackers can sabotage or tamper with the system, potentially wreaking havoc.

IoT and OT are changing the way we live and work, for the better. Smart devices simplify our day-to-day tasks and streamline our critical operations, saving us time and, in some cases, making us money. But with these benefits comes increased risk. And part of that risk is that the risks these devices introduce aren’t fully understood. Join us as we explore the world of OT and IoT, and how to secure it.

This is the first in a series of blogs planned on the topics of IoT and OT. Future topics will include operational constraints, where to start with security, and what Microsoft is doing in IoT/OT security.

References:

[1] https://www.washingtonpost.com/news/innovations/wp/2017/07/21/how-a-fish-tank-helped-hack-a-casino/

[2] https://www.microsoft.com/security/blog/2022/03/16/uncovering-trickbots-use-of-iot-devices-in-command-and-control-infrastructure/

[3] https://www.hipaajournal.com/more-than-half-of-all-healthcare-iot-devices-have-a-known-unpatched-critical-vulnerability/