The difference between IoT and OT from a Security perspective
PS: this is my personal view on the difference between OT and IoT with black-and-white glasses on; there are of course grey areas, but I don’t want to make it too complex.
Let’s first set the scene from the ‘better’ known IT (Information Technology) Security perspective.
A bad actor has two objectives:
- the 1st objective is the attack surface (such as an identity or device compromise) that gives access to the end goal
- the 2nd objective is the end goal, which in IT is data
The attack surface is discovered via reconnaissance before initial access is executed. The main attack surface in IT is an identity (credential compromise) and/or a device (e.g. malware); applications are an extra layer on the way to the end goal, which is data.
Data can be stolen (intellectual property, for financial gain), hijacked (ransomware, for financial gain) or destroyed (e.g. the NotPetya malware, pure destruction as in cyberwar).
IoT (Internet of Things)
Let’s start with IoT (Internet of Things), which is often part of the attack surface (initial access) and sometimes the end goal (e.g. access to an IP camera to ‘spy’, as the AIVD did when it hacked a Russian IP camera during its investigation of the Cozy Bear group).
In a home network the ratio of computers and mobiles to IoT devices is roughly 1:5 to 1:10.
IoT devices are stand-alone devices connected to the network (including outbound to the internet) to facilitate the business (or the home). Some IoT devices are also reachable inbound from the internet, to allow access from outside the home network, for example to an IP camera or baby monitor.
The main risks with IoT devices are default (admin) usernames and passwords (how often do you Google the default username and password to get into your access point or Wi-Fi repeater?) and outdated software (when did you last update your IP camera or television?), which can be exploited, for example with a public exploit from Exploit Database or a Metasploit module.
Home compromise example
Shodan is a search engine that continuously scans the internet for open ports and indexes the service banners it finds (masscan can be used to do your own scanning). Many IoT devices need specific ports (often in the range above 1,024) open to the internet for remote access, IP cameras for example. Shodan can be (ab)used to search for a specific device type (via its specific port or banner), and bad or merely curious people can then access those devices unauthenticated, or authenticated if the default username and password was never changed.
Business compromise example
In 2017 a casino’s high-roller database was hacked; initial access was obtained via an internet-connected thermometer in a fish tank, and from there the attackers moved into the internal network and reached the database with information on high rollers.
MIRAI botnet
Another example of IoT abuse is the Mirai botnet, which compromised a large number of internet-connected IoT devices (it logged in over telnet with a short list of factory-default usernames and passwords) and built one of the largest DDoS (Distributed Denial of Service) botnets in the world.
Remediation
Always change the default username and password of the admin account. Second, you cannot protect what you do not know, so asset discovery and inventory is key. Vulnerability management is the third important aspect of keeping IoT devices, and the network in general, safer.
Enterprise IoT (EIoT) is the term used to differentiate business IoT from home IoT.
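To make the Shodan/masscan point and the asset-inventory point above concrete, here is an added example (my own illustration, not code from the original post or from any vendor) that turns a masscan list-format scan of a home or office network into an inventory and ranks the exposed IoT services. The scan output, the port table (non-exhaustive) and the severities are constructed for this example; the `open`/`banner` line layout is masscan’s `-oL` format as I know it.

```python
"""Build an IoT exposure inventory from a masscan list-format scan.

Added example, not from the original post: the port table and the scan
output are constructed for illustration and are not exhaustive.
"""
from collections import defaultdict

# Ports commonly exposed by IoT gear (constructed, non-exhaustive).
# Telnet is rated critical because Mirai-style bots log in over it
# with factory-default credentials.
IOT_PORTS = {
    23: ("telnet", "critical"),
    2323: ("telnet-alt", "critical"),
    554: ("rtsp (IP camera stream)", "high"),
    37777: ("dahua-dvr", "high"),
    8000: ("hikvision", "high"),
    80: ("http admin UI", "medium"),
    8080: ("http admin UI (alt)", "medium"),
    1883: ("mqtt", "medium"),
}

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}

# Constructed sample in masscan's `-oL` list format:
#   open <proto> <port> <ip> <timestamp>
#   banner <proto> <port> <ip> <timestamp> <service> <banner text>
SAMPLE_SCAN = """\
#masscan
open tcp 23 192.168.1.20 1700000000
open tcp 554 192.168.1.20 1700000001
banner tcp 554 192.168.1.20 1700000001 rtsp RTSP/1.0 401 Unauthorized
open tcp 8080 192.168.1.1 1700000002
open tcp 1883 192.168.1.33 1700000003
open tcp 22 192.168.1.10 1700000004
# end
"""


def parse_masscan_list(text):
    """Return {ip: {port: banner or None}} from masscan -oL output."""
    hosts = defaultdict(dict)
    for line in text.splitlines():
        parts = line.split(maxsplit=5)
        if len(parts) < 5 or parts[0] not in ("open", "banner"):
            continue  # comments, blank lines, anything that is not a result
        state, _proto, port, ip, _ts = parts[:5]
        port = int(port)
        if state == "open":
            hosts[ip].setdefault(port, None)  # keep a banner seen earlier
        else:
            hosts[ip][port] = parts[5] if len(parts) > 5 else ""
    return dict(hosts)


def assess(hosts):
    """List (severity, ip, port, service, banner) per exposed IoT port, worst first."""
    findings = []
    for ip, ports in hosts.items():
        for port, banner in ports.items():
            if port in IOT_PORTS:
                service, severity = IOT_PORTS[port]
                findings.append((severity, ip, port, service, banner))
    findings.sort(key=lambda f: (SEVERITY_RANK[f[0]], f[1], f[2]))
    return findings


if __name__ == "__main__":
    for sev, ip, port, service, banner in assess(parse_masscan_list(SAMPLE_SCAN)):
        print(f"{sev:8} {ip}:{port} {service} {banner or ''}")
```

The host with telnet and RTSP open (a camera or DVR that still answers on telnet) comes out on top, which is exactly the Mirai profile; the SSH-only host is not in the table and is left to normal IT vulnerability management.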
Microsoft Defender for Endpoint and Enterprise IoT can help with:
- IoT Device Discovery
- Threat Protection (to and from IT devices)
- Vulnerability Management (of IoT devices)
OT (Operational Technology)
OT (Operational Technology, or ‘Old Technology’ :-)) is the hardware and software used in industrial environments (e.g. critical infrastructure), with terms like ICS (Industrial Control Systems) and SCADA (Supervisory Control and Data Acquisition). OT is always the end goal for bad actors (in 99% of cases a nation-state), just as data is the end goal in IT environments.
Stuxnet
The most famous example of an OT attack is Stuxnet. Before we dive into Stuxnet, let’s go back to 1981. Operation Opera was an Israeli air strike that destroyed the Osirak nuclear reactor in Iraq, which Israel saw as a threat. Many years later Iran was building a uranium enrichment plant at Natanz (feared to be for nuclear weapons), but this time the facility was about 30 m underground, so bombing was no option (and carried the risk of war).
Stuxnet was created in 2005 by Israel (Mossad) and the US (CIA/NSA) and, with the help of the Netherlands (AIVD), deployed in the air-gapped plant via a USB stick. Stuxnet was discovered in 2010 and was at the time the most complex malware ever created. Its goal was to stay undetected by the operators of the SCADA (Siemens S7/Step 7) systems, feeding them normal-looking values, while periodically spinning the centrifuges outside their safe speed limits to slowly destroy them and delay the go-to-production date by many years.
Triton
Another example of an OT attack is Triton (also called Trisis) in 2017, when a petrochemical plant in Saudi Arabia was attacked with the Triton malware. Triton targeted the SIS (Safety Instrumented System), in this case Schneider Electric Triconex controllers, the last line of defence that brings the process to a safe state to prevent gas release and explosions in an emergency.
Again, with 99% certainty this was a nation-state attack, but I foresee less complex attacks in the future, by competitors for example, or even script kiddies.
Remediation
Because OT systems can be very old (some vendors don’t even exist anymore), patch management is a different league compared to IT (bringing down a plant can cost a million dollars per day), or even not possible at all. So discovery of assets (you cannot protect what you do not know) and detection of anomalies (e.g. an OT device communicating outside its Purdue level, or even worse, to the internet) are very important for OT security.
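As an added example of the anomaly detection described above (my own illustration, not code from the original post or from any product), the script below checks flow records against a Purdue zone model: every endpoint is mapped to a level, an endpoint that is not in the inventory is an asset-discovery gap, an OT endpoint talking to a public address is critical, and a flow that jumps more than one level (for example enterprise IT straight to a PLC, or Level 3 to Level 4 around the DMZ) is flagged. The subnet-to-level map, the adjacency rule and the flow records are constructed; a real deployment would read flows from a Zeek conn log or a flow collector and use the site’s own zone map.

```python
"""Flag OT network flows that break the Purdue zone model.

Added example, not from the original post: the zone map, the adjacency
rule and the flow records are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Purdue levels in order; a flow may only cross between adjacent entries,
# so Level 3 -> Level 4 traffic has to pass through the 3.5 DMZ.
LEVEL_ORDER = [1, 2, 3, 3.5, 4]

# Hypothetical zone map for one site: subnet -> Purdue level.
ZONES = [
    (ipaddress.ip_network("10.10.1.0/24"), 1),     # Level 0/1: PLCs, RTUs, field I/O
    (ipaddress.ip_network("10.10.2.0/24"), 2),     # Level 2: HMIs, SCADA servers
    (ipaddress.ip_network("10.10.3.0/24"), 3),     # Level 3: site operations, historian
    (ipaddress.ip_network("10.10.35.0/24"), 3.5),  # Level 3.5: industrial DMZ
    (ipaddress.ip_network("10.20.0.0/16"), 4),     # Level 4/5: enterprise IT
]
# Plain RFC 1918 test instead of ip_address.is_global, so that documentation
# ranges such as 203.0.113.0/24 count as "internet" in this example.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

INTERNET = "internet"
UNKNOWN = "unknown"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def purdue_level(ip):
    """Purdue level of an address, INTERNET for public space, UNKNOWN if not inventoried."""
    addr = ipaddress.ip_address(ip)
    if not any(addr in net for net in RFC1918):
        return INTERNET
    for net, level in ZONES:
        if addr in net:
            return level
    return UNKNOWN


def check_flow(flow):
    """Return (severity, reason) when a flow violates the zone model, else None."""
    src, dst = purdue_level(flow.src), purdue_level(flow.dst)
    if UNKNOWN in (src, dst):
        # An endpoint we never inventoried: fix asset discovery first.
        return ("medium", "endpoint not in asset inventory")
    if INTERNET in (src, dst):
        ot_side = dst if src == INTERNET else src
        if ot_side != INTERNET and ot_side <= 3.5:
            return ("critical", f"OT asset at level {ot_side} talks to the internet")
        return None  # enterprise IT to the internet is out of scope here
    if abs(LEVEL_ORDER.index(src) - LEVEL_ORDER.index(dst)) > 1:
        return ("high", f"flow skips Purdue levels ({src} -> {dst})")
    return None


def audit(flows):
    """Run check_flow over a batch and return [(severity, reason, flow)]."""
    alerts = []
    for flow in flows:
        hit = check_flow(flow)
        if hit:
            alerts.append((hit[0], hit[1], flow))
    return alerts


# Constructed flow records (src, dst, dport), as you would export from a conn log.
SAMPLE_FLOWS = [
    Flow("10.10.2.15", "10.10.1.7", 502),      # HMI -> PLC Modbus: allowed
    Flow("10.10.3.5", "10.10.35.10", 1433),    # historian -> DMZ replica: allowed
    Flow("10.10.1.7", "203.0.113.9", 443),     # PLC -> internet: critical
    Flow("10.20.4.22", "10.10.1.7", 502),      # enterprise PC -> PLC: skips levels
    Flow("10.10.3.5", "10.20.1.1", 445),       # L3 -> L4 around the DMZ: skips levels
    Flow("10.10.2.15", "10.10.9.1", 44818),    # HMI -> uninventoried host: unknown asset
]

if __name__ == "__main__":
    for severity, reason, flow in audit(SAMPLE_FLOWS):
        print(f"{severity:8} {flow.src} -> {flow.dst}:{flow.dport}  {reason}")
```

The adjacency rule is deliberately strict: an "allowed" list of level pairs is easier to reason about than a "blocked" list, and since OT traffic patterns are very static, the false-positive rate of such a rule is low once the zone map is right.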
Microsoft Defender for IoT can help with:
- Asset Discovery
- Threat Protection
- Vulnerability Management
I hope this blog helps with the IoT and OT Security awareness.