The latest Nozomi Networks Labs OT & IoT Security Report: Unpacking the Threat Landscape with Unique Telemetry Data, malware activity and alerts on unwanted applications increased dramatically in OT and IoT environments as nation-states, criminal groups and hacktivists continue to target healthcare, energy and manufacturing.
Real World Telemetry
Unique telemetry from Nozomi Networks Labs – collected from OT and IoT environments covering a variety of use cases and industries worldwide – found malware-related security threats spiked 10x over the last six months. In the broad category of malware and potentially unwanted applications, activity increased 96 percent. Threat activity related to access controls more than doubled. Poor authentication and password hygiene topped the list of critical alerts for a second consecutive reporting period – though activity in that category declined 22 percent over the previous reporting period.
“There’s good news and bad news in this latest report,” said Chris Grove, Nozomi Networks Director of Cybersecurity Strategy. “A significant decrease in activity per customer in categories such as authentication and password issues and suspicious or unexpected network behavior suggests that efforts to secure systems in these areas may be paying off. On the other hand, malware activity increased dramatically, reflecting an escalating threat landscape. It’s time to ‘put the pedal to the metal’ in shoring up our defenses.”
Below is the list of top critical threat activity in real world environments over the last six months:
- Authentication and Password Issue – down 22%
- Network Anomalies and Attacks – up 15%
- Operational Technology (OT) Specific Threats – down 20%
- Suspicious or Unexpected Network Behavior – down 45%
- Access Control and Authorization – up 128%
- Malware and Potentially Unwanted Applications – up 96%
Specific to malware, denial-of-service (DOS) activity remains one of the most prevalent attacks against OT systems. This is followed by the remote access trojan (RAT) category commonly used by attackers to establish control over compromised machines. Distributed denial of service (DDoS) threats are the top threat In IoT network domains.
Data from IoT Honeypots
Malicious IoT botnets remain active this year. Nozomi Networks Labs uncovered growing security concerns as botnets continue to use default credentials in attempts to access IoT devices.
From January through June 2023, Nozomi Networks honeypots found:
- An average of 813 unique attacks daily – the highest attack day hit 1,342 on May 1st
- Top attacker IP addresses were associated with China, the United States, South Korea, Taiwan and India
- Brute-force attempts remain a popular technique to gain system access – default credentials are one of the main ways threat actors gain access to IoT
ICS Vulnerabilities
On the vulnerability front, Manufacturing and Energy and Water/Wastewater remain the most vulnerable industries. Food & Agriculture and Chemicals move into the top five replacing Transportation and Healthcare which were among the top 5 most vulnerable sectors in our previous six-month reporting period. In the first half of 2023:
- CISA released 641 Common Vulnerabilities and Exposures (CVEs)
- 62 vendors were impacted
- Out-of-Bounds Read and Out-of-Bounds Write vulnerabilities remained in the top CWEs – both are susceptible to several different attacks including buffer overflow attacks
Nozomi Networks Labs ‘OT & IoT Security Report: Unpacking the Threat Landscape with Unique Telemetry Data’ provides security professionals with the latest insights needed to re-evaluate risk models and security initiatives, along with actionable recommendations for securing critical infrastructure.