Specifically, in its December 2022 ‘Cyber Signals’ report, Microsoft noted the following:

• 78% increase in Over 1 million connected disclosures of high-severity devices publicly visible on vulnerabilities from 2020 to 2022 in industrial control equipment produced by software still widely used by popular vendors.
• Unpatched, high-severity vulnerabilities in 75% of the most common industrial controllers in customer OT networks.
• Over 1 million connected devices publicly visible on the Internet running Boa, an outdated and unsupported software still widely used in IoT devices and software development kits (SDKs).

So, why are the vulnerabilities so rampant? Jokes Bryson Bort of ICS Village at Def Con security conference, ““What is an industrial control system?” he asks. “Any computer that’s at least 20 years old.” They are so old that the software they run on is often outdated and not supported anymore by the vendor. Also, they were designed with availability and safety in mind, not security. Says Bryson, “The security of these things is now catching up…It’s sort of, ‘Oh, wait a second. We’ve got computers in these, they’re interconnected, that’s a problem and we have to do something about it.’”

Further compounding the problem, according to David Atch, head of IoT/OT security research at Microsoft Defender Threat Intelligence, is that ICS often run on platforms with lower power consumption and memory restrictions, thus making it challenging to run complicated software on them.

Some of the biggest challenges found within ICS are the following:

• Continued use of unsupported legacy software.
• Default configurations that have not been changed.
• Lack of encryption.
• Lack of network segmentation.
• Lack of well-written information security policies and procedures.
• Missing or poorly written incident response plans and contingency plans.

About Arlington

We are Arlington, a team of innovative, solution-oriented, highly agile, and well-versed professionals with decades of experience in working with America’s defense industry. From emerging cybersecurity regulations to helping our clients solve complex security & compliance solutions – and so much more – you can trust Arlington, the firm that’s Dedicated to Defense®.  Learn more at arlingtonintel.com.

About Arlington

We are Arlington, a team of innovative, solution-oriented, highly agile, and well-versed professionals with decades of experience in working with America’s defense industry. From emerging cybersecurity regulations to helping our clients solve complex security & compliance solutions – and so much more – you can trust Arlington, the firm that’s Dedicated to Defense®.  Learn more at arlingtonintel.com.