What is Microsoft Doing in the World of IoT and OT Security?

To understand the world of IoT and OT, it’s important to know that new devices and technologies have changed the attack surface of the IT landscape. The Internet of Things (IoT) incorporates technologies such as machine learning to capture data and deliver convenience to users through cloud-based services.

The main difference between IoT and OT is that Operational Technology (OT) refers to the hardware and software used to change, monitor, or control physical devices, processes, and events, whereas IoT technologies are introduced to complement OT systems. The common use of shared technology platforms and cloud-based applications has made IoT and OT systems a primary target for attackers.

In 2020, Microsoft purchased a top IoT vendor called CyberX, which focused on predicting, detecting, and stopping breaches in IoT and OT networks. This capability has been rebranded as Microsoft Defender for IoT and is part of the Defender platform, integrated with the wider Microsoft security suite.

Defender for IoT (D4IoT) is a software-as-a-service (SaaS) solution from Microsoft. It requires an additional license beyond the Microsoft Security product portfolio.

At a high level, Defender for IoT:

  • Is an agentless solution that listens on a switch SPAN port to give visibility into your device landscape.
  • Delivers complete inventory and monitoring capabilities for IoT and OT devices without impacting device performance.
  • Can also use a micro agent, most likely deployed by the device vendor, which can additionally be deployed to “modern” devices (for example, those running Ubuntu).
  • Can use a hybrid network scan that relies on Defender for Endpoint (DFE) to extend your device inventory.
  • Has a direct connector and alert pipeline into Microsoft Sentinel.

Here at Ontinue, our customers don’t want to manage and optimize these tools themselves – that’s where our Microsoft expertise comes in. The Ontinue ION managed extended detection and response service empowers our customers’ teams to focus on security strategy and efficacy, instead of managing the tools.

Exploring the Azure control plane of IoT

Now, let’s get into the details. Say your organization is pretty excited about using Defender for IoT. What would the back-end infrastructure look like in Azure? What are the best practices you need to consider?

We’ll start with the high-level Azure recommendations around areas such as your subscriptions, Identity and Access Management (IAM), and general security settings. The latest version of Defender for IoT doesn’t use or require an IoT Hub to be deployed in Azure. A number of Azure artifacts are used (such as Event Hubs), but they are provisioned in the background.

With IoT there are two major concepts in Azure: management and security. Azure has a raft of tools to help you manage your devices, but securing them with Defender for IoT doesn’t require any of the management artifacts.

Azure Subscription Format

The hub-and-spoke model is generally accepted as the standard way to organize Azure. The hub typically holds the “admin” components, such as authentication, monitoring, routing, security artifacts, and so forth.

To deploy Defender for IoT and feed its alerts into Sentinel, you need a Sentinel instance, and for that you need a Log Analytics workspace.
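The prerequisites just described (a Log Analytics workspace in the hub, Sentinel enabled on it, and the Defender for IoT alert pipeline pointed at it) can be declared as one Bicep deployment. The block below is an added example, not code from the original post or from Microsoft’s documentation. The workspace name, retention, location and the Defender for IoT subscription GUID are placeholder assumptions; the `IOT` connector kind and its `subscriptionId`/`dataTypes.alerts` shape follow the Sentinel data connector API as the editor understands it, so verify the API version against the current reference before deploying.

```bicep
// Added example (not from the original post): Sentinel prerequisites for
// Defender for IoT alerts, deployed into a resource group in the hub subscription.
targetScope = 'resourceGroup'

@description('Log Analytics workspace that backs the Sentinel instance (placeholder name)')
param workspaceName string = 'law-hub-security'

@description('Azure region, assumed to match the hub resource group')
param location string = resourceGroup().location

@description('Subscription holding the Defender for IoT resources; placeholder GUID, replace before use')
param defenderForIotSubscriptionId string = '00000000-0000-0000-0000-000000000000'

// 1. Log Analytics workspace: Sentinel cannot exist without one.
resource workspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' = {
  name: workspaceName
  location: location
  properties: {
    sku: {
      name: 'PerGB2018'
    }
    retentionInDays: 90 // assumed retention; align with your log retention policy
  }
}

// 2. Sentinel onboarding: enabling Microsoft Sentinel on the workspace is
//    modelled as a single extension resource named 'default'.
resource sentinel 'Microsoft.SecurityInsights/onboardingStates@2023-02-01' = {
  name: 'default'
  scope: workspace
  properties: {
    customerManagedKey: false
  }
}

// 3. Defender for IoT alert connector. Assumption: the connector needs only the
//    source subscription and the alerts data type; it must follow onboarding.
resource iotConnector 'Microsoft.SecurityInsights/dataConnectors@2023-06-01-preview' = {
  name: guid(workspace.id, 'defender-for-iot')
  scope: workspace
  kind: 'IOT'
  properties: {
    subscriptionId: defenderForIotSubscriptionId
    dataTypes: {
      alerts: {
        state: 'Enabled'
      }
    }
  }
  dependsOn: [
    sentinel
  ]
}

output workspaceId string = workspace.id
```

Deploy it with `az deployment group create` against the hub resource group; the output workspace ID is what you hand to the Defender for IoT portal when wiring sensors and alerts to this Sentinel instance. Keeping the connector in the same template as the onboarding state means a fresh hub subscription gets the alert pipeline in one reviewable, repeatable step rather than a manual portal click.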

The most basic steps we should take to secure our subscriptions are:

  • Use MFA for access to your subscriptions
  • Use Conditional Access policies to control access to your subscriptions
  • Use Defender for Cloud Apps to protect subscription access

What’s Next?

Securing IoT and OT can feel like a daunting task, but there are plenty of resources to help you along. Microsoft has a fair amount of documentation, from introductory material to in-depth information on Defender for IoT, if you choose to go that route.

Ontinue has unique expertise and experience with the entire Microsoft security ecosystem. If you’re a Microsoft enterprise customer, or you’re thinking of becoming one, and have questions about how you can put Microsoft to work protecting your IoT and OT assets, contact us today.
