MSEM | OT Security Initiative
From global tensions at nation-state level to cybercriminals and script kiddies, cybersecurity for OT (Operational Technology) is becoming more and more important.
OT infrastructure is often the crown jewel of a company, from nuclear power plants to consumer product manufacturing. This blog describes the new MSEM (Microsoft Security Exposure Management) | OT Security Initiative. Prerequisites:
- XDR | Device discovery & inventory
- XDR | Site security
- XDR | Microsoft Defender Vulnerability Management
XDR | Device discovery & inventory
Device discovery and inventory is mandatory for security because you cannot protect what you don't know. Microsoft offers different technology solutions for OT infrastructures, where the ultimate vision is IT/OT convergence.
Why? 99% of all OT attacks start from IT, even against air-gapped infrastructures; Stuxnet is the best example of that.
Detecting OT (& IT for OT) devices in the OT network(s) for Device discovery and inventory can be achieved with the following products:
- Defender for Endpoint in Basic (Passive) or Standard (Active) discovery mode. The number of detected OT devices is visible in the All devices and OT/IoT devices categories of the Asset inventory; the Discovery source (right) is Defender for Endpoint.
- Defender for IoT Network sensor (Passive) connected to the SPAN port or a TAP device. The detected devices are visible in the Defender for IoT local sensor and/or Azure portal, section Device inventory.
Merging of devices (deduplication) from the OT sensor and the onboarded MDE device, visible in the Defender XDR portal, will be a future release (my personal vision).
Defender for IoT in learning mode (the default) creates a baseline of the devices in the environment; after learning mode is disabled, each new device results in an alert.
XDR | Site security
A new feature in Defender XDR is Operational Technology | Site security.
The feature is only visible when a Defender for IoT — Site license is available.
OT devices have a physical location (unlike computers and mobile devices), and Site security binds the discovered OT devices, and other devices in the same network, to a physical Site location.
Defender XDR | Operational Technology | Site security requirements:
- Defender for IoT — Site license
- At least one detected and categorized OT device; use the Device category filter OT to see all OT devices.
To create a site, the following Site details are required.
On the second page, one (or more) detected and categorized OT device(s) can be associated with the Site.
When the Site is created, it is propagated (this takes a few minutes) to the other devices within the same network (subnet): OT, IoT, network and onboarded MDE devices that communicate with that network, which are tagged with the Site name.
Available Site information is:
- # of devices in the Site
- Top vendors
- Critical (crown jewels) devices
- Highly exposed (vulnerable) devices
- High risk (exploited) devices
Examples are Internet-connected devices or devices with a CVE score of 10 and/or vulnerabilities with public exploits.
XDR | Microsoft Defender Vulnerability Management
Microsoft Defender Vulnerability Management (MDVM) provides an overview of all discovered and categorized devices including vulnerabilities.
- Agent-based, via the Defender for Endpoint (MDE) agent, at OS/application level
- Authenticated scan (via a dedicated agent-based MDE device) leveraging SNMP for network devices (the Windows authenticated scan will be deprecated by the end of November 2025)
- Agentless (via agent-based MDE devices) for non-MDE-onboarded or unsupported devices such as OT/IoT devices, at protocol level
MDVM provides Security baselines (benchmark) and prevention measures to lower the risk of compromise.
Security recommendations provide guidelines to comply with the baseline and/or optimize the security posture.
MSEM | OT Security Initiative
Microsoft Security Exposure Management (MSEM) has a feature called Initiatives which provides protection levels (posture management) scoped to security domains.
The OT Security Initiative is scoped to device vulnerabilities (leveraging Microsoft Defender Vulnerability Management) in the OT site (leveraging Site security).
The OT Security Initiative requires:
- Defender for Endpoint (licensed via MDE P2 or M365 E5)
- Defender XDR | Site security (see above for Site requirements and setup)
The OT Security Initiative consists of 4 Metrics and 6 Security Recommendations (at the time of writing).
OT Security initiative | Metrics
Metrics represent a measurable value (a percentage of the total number of devices) of device-related security (e.g. risk and exposure level) in the OT Site security of the Defender XDR portal.
- Highly vulnerable site-linked devices is the number of devices with critical vulnerabilities (e.g. CVE 10 and Public Exploit) linked to a site.
- Site-linked devices using insecure protocols is the number of devices using insecure protocols (e.g. SNMP V1 & V2, Telnet, etc.) linked to a site.
- Unprotected OT devices is the number of OT devices without a security value. This information is also available in the Devices section of Defender XDR.
- Site-linked devices without authentication is the number of vulnerable devices without authentication (e.g. anonymous Telnet) linked to a site.
OT Security initiative | Security recommendations
Security recommendations are security settings to make the environment more secure and lower the risk of compromise.
Security recommendations, like insecure protocols, leverage the MDVM (Microsoft Defender Vulnerability Management) functionality of the M365 E5 license.
- Remove insecure administration protocols SNMP V1 and SNMP V2: Devices using SNMP V1 or V2 are vulnerable because SNMP V1 and V2 are not encrypted or secure communication protocols. Use a secure protocol such as SNMP V3 to administer devices.
- Disable insecure administration protocol — Telnet: Devices using Telnet are exposed to malicious threats because Telnet is not a secure and encrypted communication protocol. Use secure protocols such as SSH to administer devices.
- Onboard Microsoft Defender for IoT to protect OT devices: Protect OT devices in your estate by getting started with Microsoft Defender for IoT and setting up your sites.
- Secure your devices with critical vulnerabilities linked to a site: Devices linked to a site with this recommendation have one or more vulnerabilities with a critical severity.
- Require authentication for VNC management interface: VNC as a management interface allows admins to remotely manage devices. Without an authentication requirement, any user who has network access to these devices may compromise them. Update the device configuration to require authentication.
- Require authentication for Telnet management interface: Telnet as a management interface allows admins to remotely manage devices. Without an authentication requirement, any user who has network access to these devices may compromise them. Update the device configuration to require authentication.
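The four metrics and six recommendations above can be expressed as a small posture calculator over a device inventory. This is an added example, not Microsoft's implementation or the page's own code: the Device fields, the protocol vocabulary, the "critical = CVSS 9.0 or higher, or a public exploit" threshold and the sample inventory are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

INSECURE_PROTOCOLS = {"snmpv1", "snmpv2", "telnet"}  # constructed protocol vocabulary

@dataclass
class Device:
    name: str
    site: Optional[str]         # None: not linked to a Site
    is_ot: bool
    protected: bool             # covered by a security control, e.g. Defender for IoT
    max_cvss: float = 0.0       # highest CVSS score among its known vulnerabilities
    public_exploit: bool = False
    protocols: set = field(default_factory=set)
    unauthenticated: set = field(default_factory=set)  # protocols accepting anonymous access

def highly_vulnerable(d):  # assumption: "critical" = CVSS >= 9.0 or a public exploit
    return d.site is not None and (d.max_cvss >= 9.0 or d.public_exploit)
def insecure_protocols(d):
    return d.site is not None and bool(d.protocols & INSECURE_PROTOCOLS)
def unprotected_ot(d):
    return d.is_ot and not d.protected
def without_authentication(d):
    return d.site is not None and bool(d.unauthenticated)

def metrics(devices):  # each metric as a percentage of the total device count (the page's denominator)
    checks = {"Highly vulnerable site-linked devices": highly_vulnerable,
              "Site-linked devices using insecure protocols": insecure_protocols,
              "Unprotected OT devices": unprotected_ot,
              "Site-linked devices without authentication": without_authentication}
    return {k: round(100.0 * sum(map(f, devices)) / (len(devices) or 1), 1) for k, f in checks.items()}

def recommendations(d):  # map one device's findings to the initiative's recommendation titles
    rules = [
        (bool({"snmpv1", "snmpv2"} & d.protocols), "Remove insecure administration protocols SNMP V1 and SNMP V2"),
        ("telnet" in d.protocols, "Disable insecure administration protocol: Telnet"),
        (unprotected_ot(d), "Onboard Microsoft Defender for IoT to protect OT devices"),
        (highly_vulnerable(d), "Secure your devices with critical vulnerabilities linked to a site"),
        ("vnc" in d.unauthenticated, "Require authentication for VNC management interface"),
        ("telnet" in d.unauthenticated, "Require authentication for Telnet management interface"),
    ]
    return [title for hit, title in rules if hit]

INVENTORY = [  # constructed sample inventory, not real data
    Device("plc-01", "Plant-A", True, False, 10.0, True, {"modbus", "telnet"}, {"telnet"}),
    Device("hmi-02", "Plant-A", True, True, 5.3, False, {"vnc"}, {"vnc"}),
    Device("switch-03", "Plant-A", False, True, 0.0, False, {"snmpv2", "ssh"}),
    Device("plc-05", None, True, False, 9.8, False, {"telnet"}, {"telnet"}),
]
```

Note that plc-05 carries a critical CVSS score but is not linked to a Site, so it counts for the Unprotected OT devices metric only; this mirrors why Site security is a prerequisite for the site-scoped metrics.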
I hope this blog gives more insight into the new OT Security Initiative to get more visibility of the OT infrastructure.