IT, OT and IoT convergence highlight cyber threats rethink
The increasing adoption of digital technology has exposed businesses to new cyber threats.

The increasing adoption of digital technology has exposed businesses to new cyber threats.

Increased convergence creates bigger online risks. | Photograph courtesy of Microsoft
Over the past decade, cyberattacks have increased in frequency, incidence, complexity and sophistication. Amid a backdrop of a rapidly shifting landscape, mass adoption of nascent technology and constantly evolving threats, companies are maneuvering a hyper-competitive digital world rife with unpredictability.
The shift toward virtual customer engagement and remote work across various industries have fueled the acceleration of digitization, with the increasing connectivity across converging IT, OT and IoT, highlighting the need for organizations and individuals to rethink cyber risk impact and consequences, according to Microsoft's third edition of Cyber Signals.
Vasu Jakkal, Corporate Vice President for Security, Compliance, Identity, and Management at Microsoft, commented, "As OT systems underpinning energy, transportation and other infrastructures become increasingly connected to IT systems, the risk of disruption and damage grows as boundaries blur between these formerly separated worlds.
"For businesses and infrastructure operators across industries, the defensive imperatives are gaining total visibility over connected systems and weighing evolving risks and dependencies."
Microsoft's third edition of Cyber Signals is a regular cyber threat intelligence brief spotlighting security trends and insights gathered from Microsoft's 43 trillion daily security signals and 8,500 security experts.
The edition highlights new insights into the broader risks that converging IT, Internet-of-Things and Operational Technology systems pose to critical infrastructure and how enterprises can defend against these attacks.
OT is a combination of hardware and software across programmable systems or devices that interact with the physical environment (or manage devices that interact with the physical environment). Examples of OT include building management systems, fire control systems and physical access control mechanisms, like doors and elevators.
According to Microsoft, the increasing adoption of digital technology has exposed businesses to new cyber threats.
The study said that similar to how the loss of a laptop or modern vehicle containing a homeowner's cached WiFi credentials could grant a property thief unauthorized network access, compromising a manufacturing facility's remotely connected equipment or an intelligent building's security cameras introduces new vectors for threats like malware or industrial espionage.
To stay ahead of the curve, companies must revisit their cybersecurity risk management and rethink their security strategies.
Key insights shared in this edition of Cyber Signals include:
Microsoft identified unpatched, high-severity vulnerabilities in 75 percent of customer OT networks' most common industrial controllers. This illustrates how challenging it is for even well‑resourced organizations to patch control systems in demanding environments sensitive to downtime.
There has been a 78 percent increase in disclosures of high-severity vulnerabilities from 2020 to 2022 in industrial control equipment produced by popular vendors.
Over 1 million connected devices are publicly visible on the Internet running Boa, an outdated and unsupported software still widely used in IoT devices and software development kits.
For businesses and individuals, securing IoT solutions with a Zero Trust security model starts with non-IoT-specific requirements. This can be achieved by explicitly ensuring they have implemented the basics of confirming identities and devices and limiting their access. These requirements include explicitly verifying users, visibility into the network devices and real-time risk detections.
Methodology: For snapshot data, Microsoft platforms, including Microsoft Defender for IoT, Microsoft Threat Intelligence Center and Microsoft Defender Threat Intelligence, provided anonymized data on device vulnerabilities, such as configuration states and versions, and data on threat activity on components and devices. In addition, researchers used data from public sources, such as the National Vulnerability Database and Cybersecurity & Infrastructure Security Agency. The cover stat is based on Microsoft engagements in 2022. Control systems in critical environments include electronic or mechanical devices which utilize control loops for improved production, efficiency and safety.