URL: https://www.microsoft.com/security/blog/2022/03/03/secure-your-ot-and-iot-devices-with-microsoft-defender-for-iot-and-quza...

March 3, 2022 • 7 min read


SECURE YOUR OT AND IOT DEVICES WITH MICROSOFT DEFENDER FOR IOT AND QUZARA
CYBERTORCH™

 * Daniel Beaver Cyber Operations and Security Manager, Quzara


This blog post is part of the Microsoft Intelligent Security Association guest
blog series. Learn more about MISA.

In recent years, malicious actors have begun attacking industrial control
systems and key sectors of nations’ critical infrastructure to inflict damage
that reaches beyond the cyber world and traditional IT assets. The risk to public
safety cannot be overstated: these cyberattacks have the real-world potential to
harm people. The “industrial control systems” that run the many facets of our
nation’s critical infrastructure are more commonly known as operational
technology (OT) devices, and the same concerns apply to IoT devices and
industrial internet of things (IIoT) devices. IoT is the network of physical
objects that contain embedded technology to communicate with, sense, or interact
with the internal or external state of their environment. The public and private
sectors operate many OT and IoT devices in industries such as defense, power
generation, robotics, chemical and pharmaceutical production, oil production,
transportation, and mining, to name a few. OT devices are the hardware and
software that monitor or control physical equipment, assets, and processes, and
they are being compromised at an increasing rate.[1]

Alarmingly, in 2021 there were two incidents in which local water treatment
plants in the US were targeted by cyberattacks. One occurred in the San
Francisco Bay Area in January 2021[2] and another in February 2021 in Oldsmar,
Florida.[3] In the Oldsmar cyberattack, the malicious actors attempted to raise
the amount of sodium hydroxide in the water supply to potentially dangerous
levels. Thankfully, the attack was thwarted by a plant supervisor who caught the
change in real time and reverted it. These cyberattacks hit OT devices used for
critical infrastructure at the local level, but similar cyberattacks are playing
out at the national level as well.

On May 7, 2021, Colonial Pipeline, an American oil pipeline system responsible
for 45 percent of all fuel consumed on the US East Coast, suffered a ransomware
cyberattack that crippled all pipeline operations for about six days.[4] The
aftermath of this attack caused fuel shortages in six US states as well as the
US capital, Washington D.C.

These cyberattacks on OT devices may not be new, but they underscore how
dangerous the threat is to our critical infrastructure, as well as how great the
risk is to our overall public safety.

The US government has taken notice of the increased threat against OT systems
and has responded accordingly. The President’s Executive Order on Improving the
Nation’s Cybersecurity, issued on May 12, 2021, states: “The Federal Government
must bring to bear the full scope of its authorities and resources to protect
and secure its computer systems, whether they are cloud-based, on-premises, or
hybrid. The scope of protection and security must include systems that process
data (information technology (IT)) and those that run the vital machinery that
ensures our safety (operational technology (OT)).”[5] The Quzara Cybertorch™
solution, in conjunction with Microsoft Defender for IoT and Microsoft Sentinel,
helps agencies meet various requirements of this executive order, including, but
not limited to, giving agencies a means to monitor IT and OT operations and
alerts, respond to attempted and actual cyber incidents, and handle logging, log
retention, and log management.

With the threat of cyberattacks on OT and IoT devices on the rise, it is more
important than ever for national, state, and local governments, and their
private sector partners, to be vigilant in securing the OT and IoT devices that
operate or support critical infrastructure.


THE CURRENT STATE OF CYBERSECURITY IN OT AND IOT ENVIRONMENTS

While it is encouraging that the US government is placing greater emphasis on
securing OT and IoT infrastructure, government agencies and private corporations
with OT and IoT devices face an uphill battle, because many OT and IoT
environments run outdated (and therefore insecure) operating systems and
software. A comprehensive report from CyberX (acquired by Microsoft) in June
2020, titled Global IoT and ICS Risk Report, was compiled from data gathered
from 1,821 production OT and IoT networks using passive, agentless monitoring
with patented deep packet inspection (DPI) and network traffic analysis (NTA)
algorithms. These production networks spanned diverse IoT and ICS systems,
including robotics, refrigeration, chemical and pharmaceutical production, power
generation, oil production, transportation, mining, and building management
systems (heating, ventilation, and air conditioning (HVAC), closed-circuit
television (CCTV), and more). The report’s findings were:

 * 71 percent had outdated or unsupported operating systems.
 * 64 percent had unencrypted passwords.
 * 54 percent were remotely accessible.
 * 22 percent had indicators of threats.
 * 27 percent had direct internet connections.
 * 66 percent had no automatic updates.

Figure 1. CyberX report high-level findings.


SECURING AND MONITORING OT AND IOT DEVICES

It is critical for national, state, and local governments, and their private
sector partners, to secure their OT and IoT environments from cyberattacks, but
first, security must be made easier to adopt. To that end, Quzara Cybertorch™, a
managed security service provider (MSSP), partnered with Microsoft to leverage
Microsoft Defender for IoT. With Microsoft Defender for IoT, Quzara Cybertorch™
can discover all OT and IoT devices in an environment, identify the
vulnerabilities present on those devices, and provide continuous security
monitoring of them.


AUTOMATED ASSET INVENTORY

Microsoft Defender for IoT is an agentless solution that connects to a mirroring
port on a network switch and passively listens to real-time OT and IoT traffic
on the industrial network. Quzara Cybertorch™ uses this tool to quickly create
an “Asset Inventory Map” that shows all assets on the network, identifies which
machines are interacting with each other, and indicates at which layer of the
Purdue model each of them operates.[6]

Figure 2. Auto-generated Asset Inventory Map in Purdue model layout.

Mapping which assets communicate with each other in a Purdue model layout yields
valuable information, in particular which machines can communicate out to the
internet from the OT network. These internet-connected machines are the ones we
prioritize for lockdown and monitor more closely for suspicious traffic.
Identifying internet-connected assets is just one example of what the Asset
Inventory Map can show. It also reveals any shadow devices on the OT and IoT
network: by exposing every asset on the OT network, the Asset Inventory Map
identifies IT, OT, and IoT devices that the IT department may not officially
know about. Furthermore, the Asset Inventory Map helps IT security teams
identify “single points of failure” in their environment based on the network
topology and architecture. Quzara Cybertorch™ encourages hardening these
single-point-of-failure assets and building in redundancy so that operations
are not disrupted if one of them ever goes down unexpectedly.


VULNERABILITY MANAGEMENT OF OT AND IOT DEVICES

Quzara Cybertorch™ identifies known vulnerabilities on OT and IoT devices by
leveraging Microsoft Defender for IoT, which proactively identifies weaknesses
such as unpatched devices, unauthorized internet connections, and subnet
connections. Beyond identifying vulnerabilities, Microsoft Defender for IoT also
detects changes to device configurations, programmable logic controller (PLC)
code, and firmware. Quzara Cybertorch™ consolidates all of this information and
generates executive summary reports listing the vulnerabilities of every OT and
IoT device on a network, together with prioritized remediation steps.
Prioritization may be based on risk scoring (for example, Common Vulnerability
Scoring System (CVSS) scores and other factors) and automated threat modeling.
These reports contain an overall security score for the OT and IoT devices on
the network, so as remediation proceeds, continuous improvement can be measured
by subsequent reports showing that score rising.

Figure 3. Vulnerabilities present on an OT workstation.
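The asset-inventory and prioritization steps described in the two sections above, as an added example (this is not Quzara's or Microsoft Defender for IoT's code). It turns flow summaries of the kind a passive sensor on a mirror port would produce into an inventory, flags internet-connected devices, shadow devices unknown to IT, and single-point-of-failure candidates, then ranks vulnerability findings by CVSS weighted for exposure. Everything in it is constructed: the flows, the subnet-to-Purdue-level mapping, the list of hosts IT knows about, the findings, the single-point-of-failure heuristic (several lower-level devices depending on one asset) and the weighting formula.

```python
"""Asset inventory and finding prioritization from passively observed OT flows.
Added example: the flows, subnets, known-host list, findings and weights are constructed."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# Assumption: the site assigns Purdue levels by subnet; anything outside 10/8 is "internet".
PURDUE_LEVELS = {
    ipaddress.ip_network("10.10.1.0/24"): 1,  # basic control: PLCs, RTUs
    ipaddress.ip_network("10.10.2.0/24"): 2,  # supervisory: HMIs, SCADA servers
    ipaddress.ip_network("10.10.3.0/24"): 3,  # site operations: historians, engineering
    ipaddress.ip_network("10.20.0.0/16"): 4,  # enterprise IT
}
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed: hosts the IT department officially tracks.
KNOWN_ASSETS = {"10.10.1.10", "10.10.1.11", "10.10.2.20", "10.10.3.30", "10.20.5.50"}

# Constructed flow summaries from a mirror-port sensor: (src, dst, dst port, protocol).
FLOWS = [
    ("10.10.2.20", "10.10.1.10", 502, "modbus"),
    ("10.10.2.20", "10.10.1.11", 502, "modbus"),
    ("10.10.3.30", "10.10.2.20", 443, "https"),
    ("10.10.3.30", "203.0.113.7", 443, "https"),  # OT workstation reaching the internet
    ("10.10.1.10", "198.51.100.9", 123, "ntp"),   # PLC syncing time with an external host
    ("10.10.2.99", "10.10.1.10", 502, "modbus"),  # not in KNOWN_ASSETS: a shadow device
    ("10.20.5.50", "10.10.3.30", 3389, "rdp"),
]

# Constructed findings: (ip, description, CVSS base score).
FINDINGS = [
    ("10.10.3.30", "outdated or unsupported operating system", 7.5),
    ("10.10.1.10", "firmware change detected", 6.5),
    ("10.10.2.99", "unencrypted password observed", 8.2),
    ("10.20.5.50", "no automatic updates", 7.5),
]

@dataclass
class Asset:
    ip: str
    purdue_level: int | None
    shadow: bool                      # seen on the wire but unknown to IT
    internet_connected: bool = False
    peers: set[str] = field(default_factory=set)

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)

def purdue_level(ip: str) -> int | None:
    addr = ipaddress.ip_address(ip)
    return next((lvl for net, lvl in PURDUE_LEVELS.items() if addr in net), None)

def build_inventory(flows, known_assets) -> dict[str, Asset]:
    """Every internal endpoint seen on the wire becomes an inventory entry."""
    inventory: dict[str, Asset] = {}
    for src, dst, _port, _proto in flows:
        for ip in (src, dst):
            if is_internal(ip) and ip not in inventory:
                inventory[ip] = Asset(ip, purdue_level(ip), shadow=ip not in known_assets)
        for local, remote in ((src, dst), (dst, src)):
            if is_internal(local):
                inventory[local].peers.add(remote)
                if not is_internal(remote):
                    inventory[local].internet_connected = True
    return inventory

def internet_connected(inventory) -> list[str]:
    return sorted(a.ip for a in inventory.values() if a.internet_connected)

def shadow_devices(inventory) -> list[str]:
    return sorted(a.ip for a in inventory.values() if a.shadow)

def single_points_of_failure(inventory, min_dependents: int = 2) -> list[str]:
    """Heuristic (assumed): an asset that several lower-level devices depend on.
    Unknown levels are ignored; this site uses levels 1-4 only."""
    spof = []
    for a in inventory.values():
        lower = [p for p in a.peers
                 if p in inventory and (inventory[p].purdue_level or 99) < (a.purdue_level or 0)]
        if len(lower) >= min_dependents:
            spof.append(a.ip)
    return sorted(spof)

def prioritize(findings, inventory) -> list[tuple[float, str, str]]:
    """Assumed weighting: CVSS raised for internet exposure, for sitting at or below
    Purdue level 1 (closest to the physical process) and for being a shadow device."""
    ranked = []
    for ip, description, cvss in findings:
        a = inventory[ip]
        weight = 1.0 + 0.5 * a.internet_connected + 0.2 * a.shadow
        if a.purdue_level is not None and a.purdue_level <= 1:
            weight += 0.3
        ranked.append((cvss * weight, ip, description))
    return sorted(ranked, reverse=True)

if __name__ == "__main__":
    inv = build_inventory(FLOWS, KNOWN_ASSETS)
    print("internet-connected:", internet_connected(inv), "shadow:", shadow_devices(inv))
    print("single points of failure:", single_points_of_failure(inv))
    print(*prioritize(FINDINGS, inv), sep="\n")
```

On the constructed data the PLC with an external NTP peer outranks the workstation with the higher CVSS finding, which is the point of weighting by exposure rather than sorting on CVSS alone; the supervisory HMI that both PLCs talk through comes out as the single-point-of-failure candidate.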


CONTINUOUS MONITORING FOR OT AND IOT DEVICES

Quzara Cybertorch™ is a security operations center as a service that leverages
Microsoft Sentinel to continuously monitor IT environments as well as OT and IoT
environments. Microsoft Sentinel is a cloud-native security information and
event management (SIEM) tool with security orchestration, automation, and
response (SOAR) capabilities, and it has native interoperability with Microsoft
Defender for IoT. Using Microsoft Sentinel, Quzara Cybertorch™ ingests logs from
IT, OT, and IoT devices, creating a unified bird’s-eye view across IT and OT
boundaries that lets our security operations center (SOC) analysts look for
signs of malicious activity.

With other products, a lot of work and expertise are typically required to
create rules that aggregate disparate alerts into consolidated incidents. Quzara
Cybertorch™ greatly reduces the work needed to create targeted rules for OT and
IoT incidents, because Microsoft Sentinel provides pre-built analytics rules for
OT and IoT devices when used in conjunction with Microsoft Defender for IoT.
Custom rules and playbooks can also be created from these OT and IoT alerts.
This functionality lets our SOC analysts detect and alert on issues and assist
personnel in mitigating vulnerabilities on OT and IoT devices.

Figure 4. Microsoft Defender for IoT analytics rules in Microsoft Sentinel.
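The aggregation step the paragraph above describes, consolidating disparate alerts into incidents, as an added example (not Microsoft Sentinel's analytics-rule logic and not Quzara's code). Alerts on the same device within a time window are folded into one incident that inherits the highest severity, and incidents on devices known to communicate with each other are linked when they overlap in time. The alert feed, the alert names, the device peer list and the 30-minute window are all constructed.

```python
"""Consolidate individual OT/IoT alerts into incidents and link related incidents.
Added example, not Microsoft Sentinel's rule logic: the alert feed, the alert
names, the device peer list and the 30-minute window are all constructed."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}

# Constructed alert feed, one alert per line: time|device|alert name|severity
RAW_ALERTS = [
    "2022-03-01T08:00:00|10.10.3.30|Unauthorized internet connectivity|medium",
    "2022-03-01T08:05:00|10.10.3.30|Remote access from enterprise network|low",
    "2022-03-01T08:12:00|10.10.1.10|PLC code change|high",
    "2022-03-01T08:20:00|10.10.3.30|Firmware change|high",
    "2022-03-01T08:30:00|10.10.1.11|Unauthorized internet connectivity|medium",
    "2022-03-01T14:00:00|10.10.3.30|Unauthorized internet connectivity|medium",
]

# Constructed: device pairs that talk to each other (taken from the asset inventory).
PEERS = {frozenset(("10.10.3.30", "10.10.1.10"))}


@dataclass
class Alert:
    time: datetime
    device: str
    name: str
    severity: str


@dataclass
class Incident:
    device: str
    alerts: list[Alert] = field(default_factory=list)

    @property
    def start(self) -> datetime:
        return self.alerts[0].time

    @property
    def end(self) -> datetime:
        return self.alerts[-1].time

    @property
    def severity(self) -> str:
        """An incident inherits the highest severity among its alerts."""
        return max((a.severity for a in self.alerts), key=SEVERITY_RANK.__getitem__)

    @property
    def stages(self) -> int:
        """Distinct alert names; two or more suggests a multi-stage intrusion."""
        return len({a.name for a in self.alerts})


def parse_alert(line: str) -> Alert:
    ts, device, name, severity = line.split("|")
    return Alert(datetime.fromisoformat(ts), device, name, severity)


def correlate(alerts, window: timedelta = timedelta(minutes=30)) -> list[Incident]:
    """Alerts on one device join its open incident if they arrive within `window`
    of that incident's last alert; otherwise they open a new incident."""
    incidents: list[Incident] = []
    open_incident: dict[str, Incident] = {}
    for alert in sorted(alerts, key=lambda a: a.time):
        current = open_incident.get(alert.device)
        if current is None or alert.time - current.end > window:
            current = Incident(alert.device)
            incidents.append(current)
            open_incident[alert.device] = current
        current.alerts.append(alert)
    return incidents


def related(incidents, peers, window: timedelta = timedelta(minutes=30)) -> list[tuple[int, int]]:
    """Index pairs of incidents on communicating devices whose time spans overlap (within `window`)."""
    pairs = []
    for i, a in enumerate(incidents):
        for j in range(i + 1, len(incidents)):
            b = incidents[j]
            if (frozenset((a.device, b.device)) in peers
                    and a.start - window <= b.end and b.start - window <= a.end):
                pairs.append((i, j))
    return pairs


if __name__ == "__main__":
    incidents = correlate(parse_alert(line) for line in RAW_ALERTS)
    for n, inc in enumerate(incidents):
        print(n, inc.device, inc.severity, f"{len(inc.alerts)} alerts, {inc.stages} stages")
    print("related incidents:", related(incidents, PEERS))
```

Six alerts collapse into four incidents here; the engineering workstation's three morning alerts become one high-severity, three-stage incident, and it is linked to the PLC code-change incident on the device it talks to, while the same workstation's afternoon alert stays separate because it falls outside the window.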

If your team, company, or clients have an OT or IoT environment and are
interested in an OT or IoT cybersecurity risk assessment, please reach out to
Quzara Cybertorch™ directly or by email.


ABOUT QUZARA CYBERTORCH™

Quzara Cybertorch™ is a security operations center as a service and managed
detection and response (MDR) offering purpose-built for the extended detection
and response (XDR), vulnerability management, OT and IoT monitoring, and
security monitoring needs of U.S. Civilian, Department of Defense (DoD), and
Defense Industrial Base (DIB) customers. Its security operations center as a
service, vulnerability management, and XDR capabilities are based on the
National Institute of Standards and Technology (NIST) 800-53 FedRAMP High
controls, and its entire technology stack runs on FedRAMP High Authorized
systems. Quzara Cybertorch™’s team of security analysts is based and operates
within the US, with an emphasis on security clearances and government support
experience. Explore Quzara Cybertorch™ and visit the Quzara Cybertorch™ listing
in the Microsoft commercial marketplace.


LEARN MORE

 * Explore Microsoft Defender for IoT.
 * Start using Microsoft Sentinel today.

To learn more about the Microsoft Intelligent Security Association (MISA), visit
our website, where you can learn about the MISA program and product integrations
and find MISA members. Visit the video playlist to learn about the strength of
member integrations with Microsoft products.

To learn more about Microsoft Security solutions, visit our website. Bookmark
the Security blog to keep up with our expert coverage on security matters. Also,
follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

--------------------------------------------------------------------------------

[1] Crimes of Opportunity: Increasing Frequency of Low Sophistication Operational
Technology Compromises, Mandiant, May 25, 2021.

[2] Hackers Tried to Poison California Water Supply in Major Cyber Attack,
Newsweek, June 18, 2021.

[3] The Florida water plant attack signals a new era of digital warfare—it’s time
to fight back, Darktrace, February 16, 2021.

[4] Ransomware Attack Shuts Down A Top U.S. Gasoline Pipeline, NPR, May 9, 2021.

[5] Executive Order on Improving the Nation’s Cybersecurity, The White House,
May 12, 2021.

[6] The “Purdue Model” is a structural model for industrial control system
security concerning physical processes, systems, and the IT machines that manage
or interact with them.


FILED UNDER:

 * Cybersecurity,
 * Microsoft Intelligent Security Association (MISA),
 * Microsoft Sentinel

