CRITICISM: OT and IoT network anomalies are ubiquitous 

CRITICISM: OT and IoT network anomalies are omnipresent - Image by Gerd Altmann on Pixabay

Share post

A new report shows that network anomalies and attacks are the most common threats to OT and IoT environments, especially in the area of ​​critical infrastructure. Vulnerabilities in critical production areas have increased by 230 percent.

Nozomi Networks has released its latest Networks Labs OT & IoT Security Report. The experts' analysis shows that network anomalies and attacks represent the greatest threat to OT and IoT environments. Another reason for concern: vulnerabilities in critical production areas have increased by 230 percent. Therefore, cybercriminals have many more opportunities to access networks and cause these anomalies.

Collected telemetry data from 25 countries

Nozomi Networks Labs collects unique telemetry data in OT and IoT environments in 25 countries, covering a variety of use cases and industries. Analysis of this data revealed that network anomalies and attacks accounted for the largest share (38 percent) of threats in the second half of 2023. Network anomalies, which are a major concern, increased by 19 percent compared to the previous reporting period. This in turn is an indication that there are criminals at work here who have a lot of know-how.

Network scanning topped the list of alerts for network anomalies and attacks, closely followed by TCP flood attacks. Large amounts of data are sent to systems in order to paralyze them or make them inaccessible. Accordingly, TCP flood and anomalous packet alerts have increased significantly over the past six months, both in terms of total alerts and average values ​​per customer, which have more than doubled and sixfold, respectively.

123 percent increase in alerts

The number of access control and authorization threat alerts increased by 123 percent compared to the previous reporting period. In this category, alerts for multiple failed logins grew by 71 percent and brute force attacks grew by 14 percent. This trend highlights the ongoing challenges posed by unauthorized access attempts and shows that identity and access management in OT, as well as other challenges related to user passwords, continue.

Over the past six months, Nozomi experts have observed these five critical threat activities most frequently in real-world environments:

  • Network anomalies and attacks – 38 percent of all alerts
  • Authentication and password issues – 19 percent of all alerts
  • Access control and authorization issues – 10 percent of all alerts
  • Specific operational technology (OT) threats – 7 percent of all alerts
  • Suspicious or unexpected network behavior – 6 percent of all alerts

ICS vulnerabilities

Given this cluster of network anomalies, Nozomi Networks Labs identified the industries that should be on high alert based on an analysis of all ICS security alerts issued by CISA over the past six months. The manufacturing industry tops the list. Here the number of CVEs (Common Vulnerabilities and Exposures) has increased to 621, a dramatic increase of 230 percent compared to the previous reporting period.

Manufacturing, energy and water/wastewater continued to be the most vulnerable sectors for the third consecutive reporting period. However, the total number of reported vulnerabilities fell by 46 percent in the energy segment and by 16 percent in water supply/wastewater. Commercial real estate and communications moved into the top five, replacing food and agriculture and chemicals (both of which fell out of the top 5). Notably, healthcare, public administration, transportation and emergency services are all represented in the top 10. In the second half of last year:

  • CISA published 196 new ICS advisories on 885 common vulnerabilities and exposures (CVEs) - an increase of 38 percent compared to the previous half of the year.
  • 74 providers were affected – an increase of 19 percent.
  • The Out-of-Bounds-Read and Out-of-Bounds-Write vulnerabilities remained among the top CVE for the second year in a row - both are vulnerable to various attacks, including buffer overflow attacks.

Data from IoT honeypots

Nozomi Networks Labs also analyzed a large amount of data on malicious activity against IoT devices and identified some notable trends that the mentioned industries should consider. The results show that malicious IoT botnets remain active this year and that criminals continue to use these botnets to access IoT devices using standard credentials.

From July to December 2023, Nozomi Networks was able to determine a whole series of interesting numbers through the use of honeypots:

  • An average of 712 unique attacks per day (a 12 percent decrease from the daily average in the previous reporting period) - the day with the highest number of attacks was October 6th with 1.860 attacks.
  • The IP addresses of the attackers with high activity come from China, the USA, South Korea, India and Taiwan.
  • Brute force attempts remain a popular technique for gaining access to systems - standard credentials remain one of the main ways attackers gain access to the IoT. Remote Code Execution (RCE) also remains a popular technique, often used for targeted attacks and the distribution of various types of malware.

Nozomi Networks Labs' OT & IoT Security Report provides security professionals with the latest insights they need to re-evaluate risk models and security initiatives, as well as easy-to-implement recommendations for securing critical infrastructure.

More at


About Nozomi Networks

Nozomi Networks accelerates digital transformation by protecting critical infrastructure, industrial and government organizations from cyber threats. Nozomi Networks' solution provides exceptional network and asset visibility, threat detection and insights for OT and IoT environments. Customers rely on it to minimize risk and complexity while maximizing operational resilience.


Matching articles on the topic

CRITICISM: OT and IoT network anomalies are ubiquitous 

A new report shows that network anomalies and attacks are the most common threats to OT and IoT environments, especially in the area of ​​critical infrastructure. ➡ Read more

Report: More Email Server Attacks and Evasive Malware

WatchGuard Internet Security Report documents a dramatic increase in so-called “evasive malware,” contributing to a significant increase in overall malware volume. ➡ Read more

Dangerous misconception: “We have no IT vulnerabilities”

“We have taken good precautions and I believe that we are well protected.” This often-uttered sentence creates a false sense of security ➡ Read more

Phishing: Dangerous invoices from law firms

The Threat Fusion Center (TFC), a division of BlueVoyant, has uncovered the "NaurLegal" phishing campaign with fake invoices from law firms ➡ Read more

New danger: AI DarkGemini fulfills hackers' wishes

In addition to Google's AI Gemini, DarkGemini has now appeared and fulfills the wishes of cyber gangsters and malware writers. There are still first editions ➡ Read more

Protect dynamic attack surfaces in the cloud

More and more companies are moving digital assets to the cloud. As a result, the IT attack surface expands and becomes, ➡ Read more

Phishing: This is how employees avoid cyber criminals’ traps

In phishing attacks, even one wrong mouse click can cause millions in damage. To ensure that employees make the right decision if the worst comes to the worst, ➡ Read more

German companies: 4th place among global ransomware victims

Check Point's Threat Intelligence Research Division (CPR) has released its 2024 Annual Cyber ​​Security Report. This year's edition takes the ➡ Read more