By: Andrea Carcano, Michael Dugent

As global digitalization continues in virtually all aspects of society, seemingly millions of new devices are connected to corporate networks and the internet on a daily basis, creating a much larger attack surface for nefarious actors to take advantage of. Cybersecurity researchers note that numerous attacks nowadays are driven by a desire for control and destruction, placing critical infrastructure environments squarely in the crosshairs of hackers. Critical infrastructure systems –– the assets and networks, be they physical or virtual, underpinning the functioning of an economy and society –– determine the security, prosperity, well-being, and resilience of an entire nation.

A recent report focused on Operational Technology (OT) and Internet of Things (IoT) security, revealed that threat actors are not only escalating their attack frequency but also honing their tactics and identifying new entry points. In 2023, cyberattacks fueled by nation-state actors affected 120 countries, with over 40 percent targeting critical infrastructure.

Nowadays, cyberattacks on critical infrastructure represent a global risk, demanding heightened attention and deeper understanding of activities that pose a potential threat. Attacks on critical infrastructure environments often include targeting IoT environments first, as these devices are often easier to compromise and monitoring of these environments is still limited. In this regard, IoT is an important concept embedded within a larger spectrum of networked products and digital sensors that has caused an explosion of applications, marking a fundamental shift in the way human beings interact with the Internet, amplifying both opportunities and challenges surrounding critical infrastructure across the globe. The question arises: why do threat actors target IoT environments?

IoT in Industrial and Critical Infrastructure

In October 2016, the most significant DDoS attack in history left a large portion of the East Coast of the United States without internet. The following year, hackers accessed sensitive personal and financial data from a North American casino. In March 2021, a security camera company was attacked, exposing live feeds from 150,000 surveillance cameras in hospitals, manufacturing facilities, prisons, and schools. The common thread among these three attacks was that the perpetrators targeted the IoT environments of these companies to gain access to their internal systems.

The Internet of Things, known as IoT, is a system of interconnected computing devices. The definition of what constitutes an IoT device varies widely and includes everything from biomedical implants to sensors on manufacturing and electrical equipment. An industrial ecosystem can encompass many different smart devices that collect, send, and act on data from their environments. Sometimes, these devices even communicate with each other and act on the information they get from one another.

Over the last 10 years, industrial and critical infrastructure operators have rapidly deployed billions of devices to optimize their automation processes using the data provided by these “things.” Unfortunately, this trend has created new cybersecurity risks, as these devices are open to networks, both public and private. These endpoints have become low-hanging fruit for attackers who want to compromise operational processes and maximize the economic benefits of a cyberattack.

As digital transformation leads to an increase in unmanaged devices across industrial environments, the importance of a robust IoT security program to safeguard critical infrastructure from cyberattacks cannot be overstated. But what makes IoT security such a challenge for companies?

Keep in Mind: IoT Security Challenges

First of all, IoT devices are often unmanaged and inherently insecure. Once deployed, the software on these devices is seldom updated, especially firmware where many vulnerabilities exist. As a result, these devices remain susceptible to attacks that could easily be prevented on other managed devices. Secondly, the use of default passwords and weak authentication procedures makes these devices easier to