In an increasingly connected industrial world, MQTT (Message Queuing Telemetry Transport) has become one of the leading protocols for communication between IIoT devices. Designed to be lightweight, fast, and efficient, MQTT has gained ground over traditional protocols such as Modbus TCP or OPC UA in environments where data collection must be constant, asynchronous, and scalable.
However, this flexibility comes at a cost: most MQTT deployments ship without security mechanisms enabled by default, which can turn the protocol into an attack vector if an adequate cybersecurity strategy is not applied.
MQTT in Industrial Environments
MQTT follows a publish/subscribe architecture, where devices (clients) publish or subscribe to messages identified by a ‘topic’. A central MQTT broker manages the distribution of these messages among connected devices.
Advantages for OT networks:
- Efficient and stateless communication
- Low bandwidth consumption
- Configurable QoS (quality of service) support
- Ideal for distributed sensors, IIoT gateways, or controllers connected to wireless or mobile networks
Typical Architecture and Use Cases
Common scenario in industrial plants:
- Sensors publish values such as plant1/temperature/zone3
- A SCADA or dashboard subscribes to those topics
- An internal broker distributes messages, even among remote nodes or in the cloud
Common uses:
- Environmental monitoring (temperature, humidity, CO₂)
- Telemetry of mobile industrial assets
- Remote control of actuators through topics such as plant1/valve1/close
Risks and Attack Vectors
Although MQTT can coexist stably in OT networks, most industrial MQTT brokers and devices are installed with minimal security configuration. This implies serious risks:
- Unrestricted topics let an attacker observe all traffic passing through the broker; a single wildcard subscription is enough
- Missing or weak authentication allows anonymous access, or access with default credentials
- Unencrypted messages (no TLS) make interception of data easier
- Publishing unauthorized commands to control topics can trigger unwanted actions on actuators
- Retained messages and high QoS levels can give a malicious command persistence: the broker keeps delivering it to new subscribers, or retries it until acknowledged, which prolongs the attack
Simulation and Exploitation of MQTT
An attacker could subscribe to ‘#’, receive sensor data, and publish commands to critical topics, causing unauthorized shutdowns of equipment.
In controlled environments, it is possible to simulate real attacks against MQTT brokers with tools such as:
- MQTT Explorer
- mosquitto_sub/mosquitto_pub
- Metasploit
- Wireshark
OT Cybersecurity Best Practices with MQTT
To reduce the risks associated with MQTT in OT environments, we recommend the following measures:
- Broker isolation in a segmented network
- Strong client authentication
- Mandatory use of TLS
- Topic filtering via ACLs
- Continuous monitoring of MQTT traffic
- Deployment of MQTT honeypots for threat detection
- Event and access logging and auditing
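The wildcard subscription described in the exploitation section and the ACL recommendation above both come down to how MQTT topic filters match topic names. The following Python is an added example (not code from this article, InprOTech, or any MQTT broker) that implements the MQTT wildcard matching rules and a small topic ACL on top of them. The client ids, topic names and rules are constructed for illustration, and the decision to grant a subscription only when an ACL entry covers every topic the requested filter could match is this example's own design choice, stricter than the default behaviour of some brokers.

```python
"""MQTT topic-filter matching plus a small topic ACL.

Added example, not code from the article, InprOTech or any MQTT broker.
Client ids, topics and ACL rules are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional


def topic_matches(topic_filter: str, topic: str) -> bool:
    """Return True if a subscription filter matches a topic name.

    MQTT 3.1.1 / 5.0 wildcard rules: '+' matches exactly one level, '#'
    matches the remainder of the topic and must be the last level (a filter
    with '#' elsewhere is invalid and matches nothing), and a filter starting
    with a wildcard never matches '$'-prefixed topics such as $SYS/...
    """
    if topic.startswith("$") and topic_filter[:1] in ("+", "#"):
        return False
    f_levels = topic_filter.split("/")
    t_levels = topic.split("/")
    for i, f in enumerate(f_levels):
        if f == "#":
            return i == len(f_levels) - 1
        if i >= len(t_levels):
            return False
        if f != "+" and f != t_levels[i]:
            return False
    return len(f_levels) == len(t_levels)


def filter_covers(granted: str, requested: str) -> bool:
    """True if every topic the requested filter could match is also matched
    by the granted filter (used to authorise subscription requests)."""
    if requested.startswith("$") and granted[:1] in ("+", "#"):
        return False
    g_levels = granted.split("/")
    r_levels = requested.split("/")
    for i, g in enumerate(g_levels):
        if g == "#":
            return i == len(g_levels) - 1
        if i >= len(r_levels) or r_levels[i] == "#":
            return False
        if g == "+":
            continue  # a granted '+' covers any single level, wildcard or not
        if r_levels[i] == "+" or g != r_levels[i]:
            return False
    return len(g_levels) == len(r_levels)


@dataclass(frozen=True)
class AclRule:
    client_id: str      # "*" applies to every authenticated client
    topic_filter: str
    access: str         # "read", "write" or "readwrite"


# Constructed policy: SCADA reads plant data, the zone-3 sensor publishes its
# own value, and only one HMI may command the valve.
ACL: List[AclRule] = [
    AclRule("scada-01", "plant1/#", "read"),
    AclRule("sensor-zone3", "plant1/temperature/zone3", "write"),
    AclRule("hmi-01", "plant1/#", "read"),
    AclRule("hmi-01", "plant1/valve1/close", "write"),
]


def is_allowed(client_id: Optional[str], action: str, topic: str,
               acl: List[AclRule] = ACL) -> bool:
    """Decide whether a client may subscribe ('read') or publish ('write').

    Anonymous clients (client_id None) are always denied, as with a broker
    that disallows anonymous access. A subscription is granted only if one
    rule covers every topic the requested filter could match, so a request
    for '#' is refused unless a rule literally grants '#'.
    """
    if client_id is None:
        return False
    for rule in acl:
        if rule.client_id not in ("*", client_id):
            continue
        if rule.access not in (action, "readwrite"):
            continue
        if action == "write" and topic_matches(rule.topic_filter, topic):
            return True
        if action == "read" and filter_covers(rule.topic_filter, topic):
            return True
    return False


if __name__ == "__main__":
    print("'#' matches plant1/temperature/zone3:", topic_matches("#", "plant1/temperature/zone3"))
    print("anonymous subscribe '#':", is_allowed(None, "read", "#"))
    print("scada-01 subscribe '#':", is_allowed("scada-01", "read", "#"))
    print("scada-01 subscribe plant1/#:", is_allowed("scada-01", "read", "plant1/#"))
    print("scada-01 publish valve close:", is_allowed("scada-01", "write", "plant1/valve1/close"))
    print("hmi-01 publish valve close:", is_allowed("hmi-01", "write", "plant1/valve1/close"))
```

Running the block shows the two points the article makes: a bare '#' filter matches every non-'$' topic on the broker, and a per-client ACL turns that into a refused request while still letting the SCADA read plant1/# and the HMI command the valve.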
Conclusion
MQTT is a powerful tool for improving operational efficiency, but in OT environments its implementation must be done with special caution. Its simplicity and flexibility should not overshadow the risks involved if not accompanied by an adequate security strategy. Tools like InprOTech Guardian allow monitoring and identification of anomalous behaviors in industrial networks, enabling secure integration of protocols like MQTT within resilient and controlled OT architectures.
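To make the monitoring and logging recommendations concrete, the following Python is an added example (not this article's code and not InprOTech Guardian or any other product) that applies a few detection rules to broker log lines: anonymous connections, root-level wildcard subscriptions, publishes to a control topic by a client not authorised for it, and retained commands on a control topic. The log lines are constructed to resemble Eclipse Mosquitto's default log format, and the client ids, addresses, topics and the control-topic policy are invented; the field layout should be checked against the broker version actually deployed before reusing the regular expressions.

```python
"""Detection rules over MQTT broker log lines.

Added example, not the article's code or any product's. SAMPLE_LOG is
CONSTRUCTED to resemble Mosquitto's default log format; clients, addresses,
topics and the publisher policy are invented.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

SAMPLE_LOG = """\
1700000000: New connection from 10.10.1.20:50123 on port 1883.
1700000000: New client connected from 10.10.1.20:50123 as scada-01 (p2, c1, k60, u'scada').
1700000001: Received SUBSCRIBE from scada-01
1700000001: \tplant1/# (QoS 1)
1700000003: New client connected from 10.10.1.30:50200 as hmi-01 (p2, c1, k60, u'operator').
1700000005: New connection from 192.168.40.77:41000 on port 1883.
1700000005: New client connected from 192.168.40.77:41000 as mosq-xyz (p2, c1, k60).
1700000006: Received SUBSCRIBE from mosq-xyz
1700000006: \t# (QoS 0)
1700000010: Received PUBLISH from mosq-xyz (d0, q0, r1, m0, 'plant1/valve1/close', ... (1 bytes))
1700000012: Received PUBLISH from hmi-01 (d0, q1, r0, m12, 'plant1/valve1/close', ... (1 bytes))
"""

CONNECT_RE = re.compile(r"^(\d+): New client connected from (\S+) as (\S+) \((.*)\)\.$")
SUBSCRIBE_RE = re.compile(r"^(\d+): Received SUBSCRIBE from (\S+)$")
SUB_TOPIC_RE = re.compile(r"^(\d+): \t(\S+) \(QoS (\d)\)$")
PUBLISH_RE = re.compile(
    r"^(\d+): Received PUBLISH from (\S+) \(d\d, q\d, r(\d), m\d+, '([^']+)', .*\)$")

# Constructed policy: exact control-topic names and the clients allowed to publish to them.
CONTROL_TOPIC_PUBLISHERS: Dict[str, Set[str]] = {"plant1/valve1/close": {"hmi-01"}}


@dataclass(frozen=True)
class Finding:
    ts: int
    rule: str
    client: str
    detail: str


def is_root_wildcard(topic_filter: str) -> bool:
    """True for filters such as '#' or '+/#' that cover every topic on the broker."""
    levels = topic_filter.split("/")
    return levels[-1] == "#" and all(level in ("+", "#") for level in levels)


def detect(lines: Iterable[str]) -> List[Finding]:
    """Run the detection rules over log lines and return the findings in order."""
    findings: List[Finding] = []
    pending_subscriber = None  # client whose SUBSCRIBE topic lines follow
    for raw in lines:
        line = raw.rstrip("\n")
        if m := CONNECT_RE.match(line):
            ts, _addr, client, flags = m.groups()
            if "u'" not in flags:  # Mosquitto prints u'<name>' only when a username was sent
                findings.append(Finding(int(ts), "anonymous-connect", client, flags))
            pending_subscriber = None
        elif m := SUBSCRIBE_RE.match(line):
            pending_subscriber = m.group(2)
        elif (m := SUB_TOPIC_RE.match(line)) and pending_subscriber:
            ts, topic_filter, _qos = m.groups()
            if is_root_wildcard(topic_filter):
                findings.append(Finding(int(ts), "root-wildcard-subscribe", pending_subscriber, topic_filter))
        elif m := PUBLISH_RE.match(line):
            ts, client, retain, topic = m.groups()
            allowed = CONTROL_TOPIC_PUBLISHERS.get(topic)
            if allowed is not None:
                if client not in allowed:
                    findings.append(Finding(int(ts), "unauthorized-control-publish", client, topic))
                if retain == "1":  # a retained command is re-delivered to every new subscriber
                    findings.append(Finding(int(ts), "retained-control-command", client, topic))
            pending_subscriber = None
        else:
            pending_subscriber = None
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG.splitlines()):
        print(f"{f.ts} {f.rule:30} client={f.client} {f.detail}")
```

On the constructed log the rules flag only the unauthenticated client: its anonymous connection, its subscription to '#', its publish to the valve control topic, and the retain flag on that publish. The operator's HMI publishing the same command produces no finding because it is in the policy and does not set retain. In a real deployment the policy dictionary would be derived from the broker's ACL file rather than hard-coded.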