Securing OT/ICS: A Call to Action

By: Christina Hoefer

In the last year, U.S. critical infrastructure has been under constant attack and regularly in the headlines. These attacks include a breach on American Water, one of the largest water and wastewater companies in the U.S., which shut down customer portals and billing temporarily; the Change Healthcare data breach, which compromised protected health information of approximately 100 million individuals; and the recent China-linked hack of several U.S. telecommunication firms, which intercepted surveillance data destined for law enforcement.

While attacks on critical infrastructure make great headlines, most hackers infiltrate systems through IT and connected Internet of Things (IoT) devices before spreading laterally across networks. Devices are increasingly connected — from IT systems to IoT and operational technology (OT) cyber-physical systems — and can be used as entry points for cybercriminals.

Research shows that as of June 2024, the number of IoT devices with vulnerabilities had increased by 136 percent since 2023. The problem will only persist, with connected IoT devices expected to exceed 25 billion by 2030. As digital systems become more integrated, attack surfaces only grow, leading to new security challenges, vulnerabilities, and risks. These trends in OT and IoT vulnerabilities tell us one simple truth: Immediate action is crucial to secure all devices. No sector or device can afford to be left unprotected.

How to Take Action to Secure IoT, OT, and ICS

OT and ICS security is no longer just a concern for industrial sectors like energy and manufacturing but for all critical infrastructure sub-industries — healthcare, communications, waste, transportation, and more. Consider devices such as robots on assembly lines, IP cameras monitoring the physical security of nuclear power plants, wireless access points and routers in offices, medical devices in hospitals, and even equipment at remote sites such as wind turbines or ships. All these devices, when connected to enterprise networks without protections or directly to the internet, can open new backdoors and vulnerabilities into our most critical systems.

Despite increased awareness of the need to secure OT and ICS systems, many devices and systems remain exposed to the internet, which can lead to a range of cyber-attacks, including ransomware. There are four essential steps that these industries, including critical services providers and telecommunications organizations, can take to maintain operational efficiency and secure all devices and endpoints on their networks.

1. Conduct an Inventory Assessment to Uncover Hidden Devices and Unknown Risks

First, organizations must do an asset inventory to gain comprehensive visibility across all connected devices to understand the dependencies, compliance status and governance, locations, and vulnerabilities or security gaps that may lead to security and operational risks. Organizations can’t manage risk if it’s hidden and in the dark. Think about the types of devices connected to the network and the unique challenges they bring:

OT Devices and ICS: These are often legacy systems that were not designed to connect to the internet and may not receive or support the latest patches and software updates. However, OT systems are becoming increasingly connected, like IT systems, and smarter, with analytics functions that are valuable for business operations, but security practices have not kept pace with this evolution.

IoT Devices: These include modern equipment (e.g., voice-over-IP devices, IP cameras, badge scanners, and smart-building and datacenter equipment) that is often manufactured quickly and relatively inexpensively, without security in mind. Paired with default credentials and access configurations that are rarely changed, such devices can leave the network exposed.

Many organizations also have far more remote management services enabled today than before the pandemic, which increases internet exposure and can open the door to new security risks. Recent research finds that threat actors are heavily targeting VPNs and other perimeter devices, exploiting new vulnerabilities for initial access: 20 percent of newly exploited vulnerabilities between January 1 and July 31, 2024 targeted virtual private networks (VPNs) or network infrastructure appliances.
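As an added illustration (not part of the original article), the following Python script triages a constructed device inventory against the risk factors listed above: internet exposure, unchanged default credentials, legacy OT without patch support, and remote management services enabled beyond what the business process needs. The `Asset` fields, the weights, and all device records are assumptions made for the example.

```python
# Added example (not from the article): triage a device inventory against the
# risk factors the article names. All device records are constructed sample data.
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    kind: str                      # "OT", "IoT" or "IT"
    internet_exposed: bool
    default_credentials: bool
    patch_supported: bool          # vendor still ships security updates
    remote_services: frozenset     # management services currently enabled
    essential_services: frozenset  # those the business process actually needs

# Weights are an illustrative assumption; tune them to your own risk model.
WEIGHTS = {"internet_exposed": 5, "default_credentials": 4,
           "legacy_unpatchable": 3, "non_essential_remote_access": 2}

def assess(asset):
    """Return (score, findings) for one asset; a higher score means act sooner."""
    findings = []
    if asset.internet_exposed:
        findings.append("internet_exposed")
    if asset.default_credentials:
        findings.append("default_credentials")
    if asset.kind == "OT" and not asset.patch_supported:
        findings.append("legacy_unpatchable")
    if asset.remote_services - asset.essential_services:   # services to trim
        findings.append("non_essential_remote_access")
    return sum(WEIGHTS[f] for f in findings), findings

def triage(inventory):
    """Rank assets that have at least one finding, highest score first."""
    scored = [(a, *assess(a)) for a in inventory]
    return sorted((t for t in scored if t[2]), key=lambda t: t[1], reverse=True)

# Constructed sample inventory, not real devices.
SAMPLE_INVENTORY = [
    Asset("plc-line-3", "OT", False, False, False, frozenset({"modbus", "vnc"}), frozenset({"modbus"})),
    Asset("ipcam-gate-1", "IoT", True, True, True, frozenset({"http"}), frozenset({"http"})),
    Asset("vpn-edge-1", "IT", True, False, True, frozenset({"ssl-vpn", "ssh"}), frozenset({"ssl-vpn"})),
    Asset("badge-reader-2", "IoT", False, False, True, frozenset({"https"}), frozenset({"https"})),
]

if __name__ == "__main__":
    for asset, score, findings in triage(SAMPLE_INVENTORY):
        print(f"{score:2d}  {asset.name:14s} {', '.join(findings)}")
```

The output ranks the internet-facing camera with default credentials first, the VPN appliance with an unnecessary SSH service second, and the unpatchable PLC with an extra VNC service third; the badge reader has no findings and is omitted.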

2. Limit Connectivity to What is Essential for Business Processes and Implement a Robust Monitoring Infrastructure

For OT/ICS, connectivity offers operational and productivity advantages, but it also introduces significant risks. Opportunistic attackers are increasingly abusing this exposure, often driven by trends like current events, new hacking guides, or the discovery of vulnerabilities. To address these risks, organizations must limit connectivity to what is essential for business processes. Reducing risk across the network also requires implementing a robust monitoring infrastructure. This allows for the tracking of asset configurations and behavior, not only for security and compliance


