Microsoft has highlighted the urgent need to secure internet-exposed operational technology (OT) devices following a series of cyber attacks targeting these environments since late 2023. The Microsoft Threat Intelligence team emphasized that these repeated attacks underline the critical necessity to improve OT device security and prevent them from becoming easy targets for malicious actors. A cyber attack on an OT system can lead to tampering with crucial industrial process parameters, causing malfunctions and system outages.
OT systems often lack adequate security mechanisms, making them highly susceptible to exploitation. Directly connecting these devices to the internet exacerbates the risks, as it makes them easily discoverable and vulnerable to attacks via weak passwords or outdated software. Recently, Rockwell Automation advised disconnecting industrial control systems from the public internet due to increased geopolitical tensions and cyber activity. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also warned of pro-Russia hacktivists targeting industrial control systems in North America and Europe.
The onset of the Israel-Hamas war in October 2023 led to a spike in cyber attacks against Israeli OT assets, many conducted by groups affiliated with Iran. These attacks targeted OT equipment from both international vendors and Israeli manufacturers, exploiting poor security postures and known vulnerabilities. Microsoft recommends organizations enhance their OT security by reducing the attack surface and implementing zero trust practices to prevent lateral movement within compromised networks.
Additionally, the cybersecurity firm Claroty identified a destructive malware strain called Fuxnet, used by the Blackjack hacking group against a Russian company. This malware, described as “Stuxnet on steroids,” can destroy filesystems, block device access, and physically damage memory chips. Kaspersky reported that the primary sources of threats to OT infrastructure in early 2024 were the internet, email clients, and removable storage devices, with attackers using scripts for various malicious activities, including information collection and malware deployment.
