MQTT in OT Environments: Efficient Communication and Emerging Threats

In an increasingly connected industrial world, MQTT (Message Queuing Telemetry Transport) has become one of the leading protocols for communication between IIoT devices. Designed to be lightweight, fast, and efficient, MQTT has gained ground over traditional protocols such as Modbus TCP or OPC UA in environments where data collection must be constant, asynchronous, and scalable.

However, this flexibility comes at a cost: most MQTT deployments ship with no security mechanisms enabled by default. Without an adequate cybersecurity strategy, the protocol itself becomes an attack vector.

MQTT in Industrial Environments

MQTT follows a publish/subscribe architecture, where devices (clients) publish or subscribe to messages identified by a ‘topic’. A central MQTT broker manages the distribution of these messages among connected devices.

Advantages for OT networks:

  • Efficient and stateless communication
  • Low bandwidth consumption
  • Configurable QoS (quality of service) support
  • Ideal for distributed sensors, IIoT gateways, or controllers connected to wireless or mobile networks

Typical Architecture and Use Cases

A common scenario in industrial plants:

  • Sensors publish values such as plant1/temperature/zone3
  • A SCADA or dashboard subscribes to those topics
  • An internal broker distributes messages, even among remote nodes or in the cloud

Common uses:

  • Environmental monitoring (temperature, humidity, CO₂)
  • Telemetry of mobile industrial assets
  • Remote control of actuators through topics such as plant1/valve1/close

Risks and Attack Vectors

Although MQTT can run stably alongside other protocols in OT networks, most industrial MQTT brokers and devices are installed with a minimal security configuration. This implies serious risks:

  • Unrestricted topics: a client that subscribes to a wildcard can read traffic from the entire network
  • Missing authentication: brokers accept anonymous connections, or devices keep their default passwords
  • Unencrypted messages (no TLS) can be intercepted and read on the wire
  • Command injection: anyone who can publish to a control topic can trigger unwanted actions
  • Malicious persistence: retained messages or high QoS levels can prolong the effects of an attack

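The monitoring side of these risks, as an added example that is not part of the original article or of any product: a minimal parser for MQTT 3.1.1 CONNECT, SUBSCRIBE and PUBLISH packets, run over a constructed byte stream, that flags anonymous connections, broad wildcard subscriptions and (retained) commands on control topics. The packet builders, the sample capture and the list of control verbs are constructed for this example; the topic names are the ones used in the article.

```python
"""Added example: audit a captured MQTT 3.1.1 byte stream for risky behaviour.

Not code from the article or from any product; the packet builders, the
sample traffic and the CONTROL_VERBS list are constructed for this example.
"""

# --- minimal MQTT 3.1.1 encoders, used only to build the sample traffic ---
def _enc_str(s: str) -> bytes:
    data = s.encode("utf-8")
    return len(data).to_bytes(2, "big") + data

def _enc_remaining(n: int) -> bytes:
    out = bytearray()
    while True:
        digit, n = n % 128, n // 128
        out.append(digit | 0x80 if n else digit)
        if not n:
            return bytes(out)

def _frame(first_byte: int, body: bytes) -> bytes:
    return bytes([first_byte]) + _enc_remaining(len(body)) + body

def connect(client_id, username=None, password=None) -> bytes:
    flags, payload = 0x02, _enc_str(client_id)          # 0x02 = clean session
    if username is not None:
        flags, payload = flags | 0x80, payload + _enc_str(username)
    if password is not None:
        flags, payload = flags | 0x40, payload + _enc_str(password)
    body = _enc_str("MQTT") + b"\x04" + bytes([flags]) + (60).to_bytes(2, "big") + payload
    return _frame(0x10, body)

def subscribe(packet_id, *filters) -> bytes:
    body = packet_id.to_bytes(2, "big") + b"".join(_enc_str(f) + b"\x00" for f in filters)
    return _frame(0x82, body)

def publish(topic, payload, qos=0, retain=False, packet_id=1) -> bytes:
    body = _enc_str(topic) + (packet_id.to_bytes(2, "big") if qos else b"") + payload
    return _frame(0x30 | (qos << 1) | int(retain), body)

# --- decoders ---
def _dec_remaining(buf, i):
    value, mult = 0, 1
    while True:
        byte, i = buf[i], i + 1
        value += (byte & 0x7F) * mult
        if not byte & 0x80:
            return value, i
        mult *= 128

def _read_str(buf, i):
    length = int.from_bytes(buf[i:i + 2], "big")
    return buf[i + 2:i + 2 + length].decode("utf-8"), i + 2 + length

def split_packets(stream: bytes):
    """Yield each control packet from a concatenated capture."""
    i = 0
    while i < len(stream):
        remaining, j = _dec_remaining(stream, i + 1)
        yield stream[i:j + remaining]
        i = j + remaining

def parse_packet(pkt: bytes) -> dict:
    ptype, flags = pkt[0] >> 4, pkt[0] & 0x0F
    _, i = _dec_remaining(pkt, 1)
    body = pkt[i:]
    if ptype == 1:  # CONNECT
        _, j = _read_str(body, 0)            # protocol name "MQTT"
        cflags = body[j + 1]                 # connect flags follow the level byte
        j += 4                               # level + flags + keep-alive
        client_id, j = _read_str(body, j)
        if cflags & 0x04:                    # will flag set: skip will topic/message
            _, j = _read_str(body, j)
            _, j = _read_str(body, j)
        username = None
        if cflags & 0x80:
            username, j = _read_str(body, j)
        return {"type": "CONNECT", "client_id": client_id, "username": username,
                "has_password": bool(cflags & 0x40)}
    if ptype == 3:  # PUBLISH
        qos, retain = (flags >> 1) & 0x03, bool(flags & 0x01)
        topic, j = _read_str(body, 0)
        if qos:
            j += 2                           # packet identifier present for QoS > 0
        return {"type": "PUBLISH", "topic": topic, "qos": qos, "retain": retain, "payload": body[j:]}
    if ptype == 8:  # SUBSCRIBE
        j, filters = 2, []                   # skip packet identifier
        while j < len(body):
            f, j = _read_str(body, j)
            filters.append((f, body[j] & 0x03))
            j += 1
        return {"type": "SUBSCRIBE", "filters": filters}
    return {"type": f"OTHER({ptype})"}

# Constructed: last topic levels that trigger a physical action in this plant.
CONTROL_VERBS = {"open", "close", "start", "stop", "reset"}

def audit(stream: bytes) -> list:
    """Return one finding per risky packet in the captured stream."""
    findings = []
    for pkt in map(parse_packet, split_packets(stream)):
        if pkt["type"] == "CONNECT" and pkt["username"] is None:
            findings.append(f"anonymous CONNECT from client_id={pkt['client_id']!r}")
        elif pkt["type"] == "SUBSCRIBE":
            for f, _qos in pkt["filters"]:
                if f.split("/")[0] in ("#", "+"):   # wildcard at the top level
                    findings.append(f"broad wildcard subscription {f!r}")
        elif pkt["type"] == "PUBLISH" and pkt["topic"].rsplit("/", 1)[-1] in CONTROL_VERBS:
            kind = "retained" if pkt["retain"] else "one-shot"
            findings.append(f"{kind} command published to control topic {pkt['topic']!r}")
    return findings

# Constructed sample capture: a legitimate sensor session, then an unauthenticated
# client that subscribes to everything and leaves a retained command behind.
SAMPLE_STREAM = b"".join([
    connect("sensor-zone3", "sensor-zone3", "s3cret"),
    publish("plant1/temperature/zone3", b"21.5"),
    connect("recon-client"),
    subscribe(1, "#"),
    publish("plant1/valve1/close", b"1", qos=1, retain=True, packet_id=2),
])

if __name__ == "__main__":
    for finding in audit(SAMPLE_STREAM):
        print("ALERT:", finding)
```

The parser only needs the fixed header and the first fields of each packet, which is all a passive sensor on a SPAN port sees when the broker listens on plain TCP; once TLS is enforced this visibility moves to the broker's own logs, which is why logging and monitoring appear together in the recommendations below.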
Simulation and Exploitation of MQTT

An attacker who reaches an unprotected broker could subscribe to ‘#’ (the multi-level wildcard), receive every sensor reading, and publish commands to critical topics, causing unauthorized equipment shutdowns.

In controlled environments, it is possible to simulate real attacks against MQTT brokers with tools such as:

  • MQTT Explorer
  • mosquitto_sub/mosquitto_pub
  • Metasploit
  • Wireshark

OT Cybersecurity Best Practices with MQTT

To reduce the risks of running MQTT in OT environments, we recommend the following measures:

  • Broker isolation in a segmented network
  • Strong client authentication
  • Mandatory use of TLS
  • Topic filtering via ACLs
  • Continuous monitoring of MQTT traffic
  • Deployment of MQTT honeypots for threat detection
  • Event and access logging and auditing
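One way to enforce the topic-filtering recommendation above, as an added example rather than code from the article or from any broker: MQTT 3.1.1 topic-filter matching (`+`, `#`, and the rule that wildcards never match `$`-prefixed topics such as `$SYS/...`) driving a default-deny ACL check. The rule set and client names are constructed; the topics are those used in the article, and the way a requested subscription filter is compared against an ACL pattern is a simplification of what real brokers do.

```python
"""Added example: MQTT 3.1.1 topic-filter matching and a default-deny ACL.

Not taken from the article or from any broker; the rules, client names and
the way filters are compared against ACL patterns are assumptions made here.
"""
from dataclasses import dataclass
from typing import Iterable


def topic_matches(topic_filter: str, topic: str) -> bool:
    """True if `topic` is covered by `topic_filter` (MQTT 3.1.1, section 4.7).

    '+' matches exactly one level, '#' matches every remaining level and must
    be the last level, and a filter that starts with a wildcard never matches a
    topic starting with '$' (so '#' does not expose $SYS/... broker internals).
    """
    if topic.startswith("$") and topic_filter.startswith(("+", "#")):
        return False
    f_levels = topic_filter.split("/")
    t_levels = topic.split("/")
    for i, level in enumerate(f_levels):
        if level == "#":
            # '#' is only valid as the final level; 'a/#/b' matches nothing.
            return i == len(f_levels) - 1
        if i >= len(t_levels):
            return False
        if level != "+" and level != t_levels[i]:
            return False
    return len(f_levels) == len(t_levels)


@dataclass(frozen=True)
class AclRule:
    client: str   # authenticated username, or "*" for every client
    access: str   # "read", "write" or "readwrite"
    pattern: str  # topic filter the rule grants


def is_allowed(rules: Iterable[AclRule], client: str, action: str, topic: str) -> bool:
    """Default deny: allow only if a rule for this client covers the topic.

    For a SUBSCRIBE, `topic` is the requested filter, so a client granted
    'plant1/#' may subscribe to 'plant1/#' or 'plant1/+/zone3' but not to '#'.
    """
    if action not in ("read", "write"):
        raise ValueError(f"unknown action {action!r}")
    if not client:  # anonymous sessions get nothing
        return False
    for rule in rules:
        if rule.client not in ("*", client):
            continue
        if rule.access not in (action, "readwrite"):
            continue
        if topic_matches(rule.pattern, topic):
            return True
    return False


# Constructed rule set: a sensor may only write its own topic; the SCADA reads
# the plant subtree and is the only client allowed to command valve1.
RULES = (
    AclRule("sensor-zone3", "write", "plant1/temperature/zone3"),
    AclRule("scada", "read", "plant1/#"),
    AclRule("scada", "write", "plant1/valve1/close"),
)


def evaluate_requests() -> dict:
    """Run a few representative requests through the ACL and return the decisions."""
    checks = {
        "sensor publishes own reading": ("sensor-zone3", "write", "plant1/temperature/zone3"),
        "sensor tries to close valve": ("sensor-zone3", "write", "plant1/valve1/close"),
        "scada subscribes to plant": ("scada", "read", "plant1/#"),
        "scada subscribes to everything": ("scada", "read", "#"),
        "scada closes valve": ("scada", "write", "plant1/valve1/close"),
        "anonymous reads sensor": ("", "read", "plant1/temperature/zone3"),
    }
    return {name: is_allowed(RULES, *args) for name, args in checks.items()}


if __name__ == "__main__":
    for name, allowed in evaluate_requests().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {name}")
```

The point of the rule set is that a compromised sensor cannot command the valve and no client, not even the SCADA, can subscribe to ‘#’: each identity is granted exactly the subtree it needs, and everything else is denied by default.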

Conclusion

MQTT is a powerful tool for improving operational efficiency, but in OT environments its implementation must be done with special caution. Its simplicity and flexibility should not overshadow the risks involved if not accompanied by an adequate security strategy. Tools like InprOTech Guardian allow monitoring and identification of anomalous behaviors in industrial networks, enabling secure integration of protocols like MQTT within resilient and controlled OT architectures.
