By: Andrea Carcano, Michael Dugent
As global digitalization continues in virtually all aspects of society, seemingly millions of new devices are connected to corporate networks and the internet on a daily basis, creating a much
larger attack surface for nefarious actors to take advantage of. Cybersecurity researchers note that numerous attacks nowadays are driven by a desire for control and destruction, placing critical
infrastructure environments squarely in the crosshairs of hackers. Critical infrastructure systems –– the assets and networks, be they physical or virtual, underpinning the functioning of an
economy and society –– determine the security, prosperity, well-being, and resilience of an entire nation.
A recent report focused on Operational Technology (OT) and Internet of Things (IoT) security, revealed that
threat actors are not only escalating their attack frequency but also honing their tactics and identifying new entry points. In 2023, cyberattacks fueled by nation-state actors affected 120
countries, with over 40 percent targeting critical infrastructure.
Nowadays, cyberattacks on critical infrastructure represent a global risk, demanding heightened attention and deeper understanding of activities that pose a potential threat. Attacks on critical
infrastructure environments often include targeting IoT environments first, as these devices are often easier to compromise and monitoring of these environments is still limited. In this regard,
IoT is an important concept embedded within a larger spectrum of networked products and digital sensors that has caused an explosion of applications, marking a fundamental shift in the way human
beings interact with the Internet, amplifying both opportunities and challenges surrounding critical infrastructure across the globe. The question arises: why do threat actors target IoT
environments?
In October 2016, the most significant DDoS attack in history left a large portion of the East Coast of the United States without internet. The following year, hackers accessed sensitive personal and financial data from a
North American casino. In March 2021, a security
camera company was attacked, exposing live feeds from 150,000 surveillance
cameras in hospitals, manufacturing facilities, prisons, and schools. The common thread among these three attacks was that the perpetrators targeted the IoT environments of these companies to
gain access to their internal systems.
The Internet of Things, known as IoT, is a system of interconnected computing devices. The definition of what constitutes an IoT device varies widely and includes everything from biomedical
implants to sensors on manufacturing and electrical equipment. An industrial ecosystem can encompass many different smart devices that collect, send, and act on data from their environments.
Sometimes, these devices even communicate with each other and act on the information they get from one another.
Over the last 10 years, industrial and critical infrastructure operators have rapidly deployed billions of devices to optimize their automation processes using the data provided by these
“things.” Unfortunately, this trend has created new cybersecurity risks, as these devices are open to networks, both public and private. These endpoints have become low-hanging fruit for
attackers who want to compromise operational processes and maximize the economic benefits of a cyberattack.
As digital transformation leads to an increase in unmanaged devices across industrial environments, the importance of a robust IoT security program to safeguard critical infrastructure from
cyberattacks cannot be overstated. But what makes IoT security such a challenge for companies?
First of all, IoT devices are often unmanaged and inherently insecure. Once deployed, the software on these devices is seldom updated, especially firmware where many vulnerabilities exist. As a
result, these devices remain susceptible to attacks that could easily be prevented on other managed devices. Secondly, the use of default passwords and weak authentication procedures makes these
devices easier to
This post was originally published on the 3rd party site mentioned in the title of this this site