By ProServeIT on April 21, 2022

How to Protect Your Operational Technology (OT): All You Need to Know

Would you know if someone introduced a new USB stick or a new Wi-Fi connection into your environment? With a comprehensive security solution, every time a new device is deployed you would see an alert, and action could be taken immediately to determine whether there is a new threat. Explore how you can leverage existing workflows and tools to centralize cybersecurity efforts, demonstrate to auditors that you have a safe and secure environment, utilize true security monitoring, and know that all your devices are talking safely to each other.


Discovery is the First Step to Protect your OT

The first step to protecting your operational technology (OT) and all the devices used within your business is to perform a discovery. You can’t protect your operational environment if you don’t have a good idea of what is in it and whether those devices are authorized. Often, after performing an asset discovery, our customers find many devices in use that carry risks and vulnerabilities. Many factory systems, for example, were built in the 1980s or even earlier and may keep running for decades more. Some devices simply cannot be upgraded to modern standards in which the operating system receives regular updates and protection against cyber threats.

Microsoft Defender for IoT lets us cover all our bases and secure these devices.

IoT devices are vulnerable because they are usually not built with security in mind, and there is rarely an automated means to patch them and protect them from vulnerabilities. Network traffic between these devices is also rarely encrypted.

What is an IoT device?

IoT devices are very common. They include greenfield, purpose-built IoT devices such as embedded temperature, height, or geolocation sensors. In industrial settings, IoT devices include operational technology such as Programmable Logic Controllers (PLCs), industrial computers used in automation environments to control electromechanical processes or physical equipment.

General-purpose industrial IoT devices include cameras, thermostats, HVAC systems, and the like. In enterprise networks there may be corporate IoT devices such as IP cameras, printers, smart TVs, and VoIP phones. Network devices such as routers and switches are also considered IoT devices, as are the traditional endpoints (e.g., tablets or mobile phones) that we use every day. As you can see, IoT devices can be found in almost any environment.

What are the Cyber Risks with Operational Technology?

The risks in an Operational Technology environment differ from those in an IT environment in several ways. The first difference is safety. An OT system failure could directly cause physical harm or death to employees working on or next to heavy machinery, to customers using or consuming a product, or to residents living or working near a physical facility. Also, some of these systems are located far from the nearest technician who could access or reboot them in case of failure. Another difference is that OT hardware and software have much longer operating life cycles than a typical IT system; it’s not unusual to find equipment that is 50 or 100 years old, or equipment that was last modernized to electronic control systems 30 or 50 years ago.

OT security hygiene is also different: these systems were rarely built with modern security controls in mind, whereas IT security best practice includes regular software patching and upgrades. Basic security hygiene for OT starts with network isolation, threat monitoring and careful management of vendor access risk.

The Purdue Model

The Purdue Model has been around since the 1990s and is the standard for organizing enterprise and industrial control system safety measures and network functions. It is a safety system designed to save lives and prevent catastrophic events such as explosions. Its safety levels for OT run from Level 0 to Level 3.

Purdue Model Safety Levels for OT Environments:

Level 0 – Process ⚙️: Physical devices doing physical activities (e.g., actuators, pumps, mechanical arms)

Level 1 – Basic Control 🎛️: Physical devices that move in the real world and have basic controls (e.g., control system gives instructions for the device to turn left or right, maximum pressure allowed, etc.)

Level 2 – Supervisory Control 🖲️: Devices with Programmable Logic Controllers (PLCs) (e.g., conveyor belts)

Level 3 – Site Operations 👨🏻‍💻: Computers (e.g., running Linux or Windows operating systems) that provide feedback to operators and let them interact with the devices

Purdue Model Safety Levels for IT Environments:

Levels 4 & 5 – Zero Trust 🚫: Modern IT operations, internet connections, phishing campaigns, multi-factor authentication protocols

Levels 0 to 3 pertain to OT environments where appropriate responses to safety threats include isolation, threat monitoring and managing vendor access risk. There is a divide at Levels 4 and 5, the Zero Trust levels, which pertain to our modern connected IT world where a physical hardwired connection no longer exists. At Levels 4 and 5, network, identity and other controls are aligned to business workloads and business risk. End users are dynamically granted access on explicit validation of current end user and device risk levels.

The gap between the hardwired world and the modern IT world is actually called Level 3.5. This involves the area between your company’s infrastructure and the internet – the so-called DMZ or demilitarized zone. This is where the operational network ends before reaching the outside world. An external network can only access what is exposed in the DMZ while the rest of your organization’s network is protected behind firewalls.

Applying Zero Trust Protection to the Industrial Environment

With a product like Microsoft Defender for IoT, we can now apply zero trust principles to securing industrial IoT environments. We do this by deploying sensors in the DMZ at the Purdue Model’s Level 3.5, the gap between your operational environment and the outside world.

The sensor is a Linux-based machine, either on physical hardware or as a virtual machine running on an existing server in your network. The process is simple, and a sensor can be deployed quickly to capture network information and understand the risks. This can even be used in industries where an offline, air-gapped network is required. The sensor is connected to a SPAN (port-mirroring) port on your network switch, which lets us listen to the network without impacting the devices.

It’s also possible to use multiple sensors to monitor different networks at different sites. Defender for IoT lets us see threats across multiple systems and multiple sensors from a single location. If the deployment needs to stay offline, it can be connected to a local SIM (security information management) solution.

The sensor listens to the network and writes a .pcap file, a capture format that is opened with packet-analysis applications such as Wireshark. The contents of the .pcap file can be replayed inside the Defender for IoT sensor, and we can discover which devices are talking to each other without any connection to the outside world.
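As an added illustration (not part of the original article, and not Defender for IoT’s own code), the Python below performs the passive discovery step on a capture: it builds a small constructed libpcap file, inventories devices by MAC and IP, records who talks to whom, and flags any device missing from an authorized baseline. The MAC addresses, IPs and baseline are all constructed for the example.

```python
import struct
from collections import defaultdict
# Constructed baseline: MACs the site authorized after its asset discovery.
AUTHORIZED = {"00:1d:9c:aa:bb:01": "PLC, line 1", "00:1d:9c:aa:bb:02": "HMI workstation"}

def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def eth_ipv4_frame(src_mac, dst_mac, src_ip, dst_ip, proto=6):
    """Minimal Ethernet II + IPv4 header; discovery only needs the addresses."""
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip

def build_pcap(frames):
    """Write a libpcap capture (little-endian, link type 1 = Ethernet) from raw frames."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for ts, frame in enumerate(frames):
        out.append(struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame)
    return b"".join(out)

def discover(pcap):
    """Passively inventory a capture: MAC -> {IPs seen} and the set of (src MAC, dst MAC) pairs."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if order is None:
        raise ValueError("not a microsecond-resolution libpcap file")
    inventory, conversations, off = defaultdict(set), set(), 24
    while off + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack(order + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # only Ethernet/IPv4 frames are inventoried in this example
        src_mac, dst_mac = _mac(frame[6:12]), _mac(frame[0:6])
        inventory[src_mac].add(".".join(map(str, frame[26:30])))
        if not frame[0] & 1:  # broadcast/multicast destinations are not assets
            inventory[dst_mac].add(".".join(map(str, frame[30:34])))
            conversations.add((src_mac, dst_mac))
    return inventory, conversations

def unauthorized(inventory):
    """Assets seen on the wire but missing from the baseline; each one is an alert to triage."""
    return sorted(mac for mac in inventory if mac not in AUTHORIZED)

# Constructed traffic: PLC and HMI talking as expected, plus an unknown laptop reaching the PLC.
SAMPLE_PCAP = build_pcap([
    eth_ipv4_frame("00:1d:9c:aa:bb:01", "00:1d:9c:aa:bb:02", "10.10.1.10", "10.10.1.20"),
    eth_ipv4_frame("00:1d:9c:aa:bb:02", "00:1d:9c:aa:bb:01", "10.10.1.20", "10.10.1.10"),
    eth_ipv4_frame("3c:52:82:de:ad:01", "00:1d:9c:aa:bb:01", "10.10.1.99", "10.10.1.10"),
])
```

Running `discover(SAMPLE_PCAP)` and then `unauthorized(...)` on the inventory yields the laptop’s MAC as the single new-device alert, while the PLC–HMI conversation is recognized as authorized traffic.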

In this way, you can take alerts and signals from your OT world into your IT world to analyze and manage them. If you have an older environment running Windows NT 4.0 or Windows XP, you may be able to stop an attack earlier in the attack chain, before it reaches Level 3, 2, 1 or 0.

If the OT environment has been modernized to run Windows 7, Windows 10, Windows 11 or Linux, we can integrate Microsoft Defender for Endpoint as well. Defender for Endpoint can then be integrated with a SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response) solution such as Microsoft Sentinel to automate responses to attacks coming from the IT world.

A Holistic View of Your IoT and IT World

Integrating Defender for IoT and Defender for Endpoint with Microsoft Sentinel helps us understand an attack holistically. With this solution you can not only passively monitor for threats but also define automated responses. Microsoft Sentinel provides a unified dashboard to see everything that is happening in your environment’s traffic, along with alerts and logs that can be investigated.

In Microsoft Sentinel, you can even view your environment according to the Purdue model. You can look specifically at the DMZ layer on your dashboard to see whether there is any unauthorized activity. Going further down to the lower Purdue levels, you can see activity on devices such as fire suppression systems or mechanical arms as well. Red marks around a specific device let you know there is an alert involved. If a device that is connected to the internet shows an alert, that presents a risk should it be compromised. By clicking on a device, you can see its IP address, how it is connected to the network and other attributes.

Microsoft’s threat intelligence platform is based on a tremendous amount of research behind the scenes by an expert team of security analysts. Alerts can be viewed by severity and filters can be applied so that you can determine the best action to take.

To identify specific risks, you can run simulations with a specified number of attack vectors. This can be accomplished in a few seconds to a few minutes depending on the size of your network. With older devices, you may decide to decommission some of them if they are presenting a vulnerability and if they are not strictly necessary to your operation.

A risk assessment report can give you a security score and identify the number of vulnerable devices that may need remediation. The report will show an overview of different vendor types with the number of devices and some attack vectors that have been commonly used. The best strategy is to start with the devices that are at higher risk and review the recommended actions.

With an integrated security solution, you can view everything in your environment, with data captured from firewalls, servers, and every connected device and endpoint. You can predefine a playbook with step-by-step instructions that responds to specific activity, such as excessive repeated login attempts, by, for example, segregating the device from your environment until you can perform an investigation. You can also use Microsoft’s analytic rules and deploy the workbooks Microsoft provides. These are all included with Microsoft Sentinel.
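To make the playbook idea concrete, here is an added example (not from the original article, and not Sentinel’s own playbook format) of the detection logic behind “excessive repeated login attempts”: a sliding-window count of failed logins per source, run over constructed log lines, producing one response action per offending source. The log format, IP addresses and Purdue-level register are constructed for the example; the extra twist is that a source at Purdue levels 0–3 is escalated to an operator rather than isolated automatically, since cutting off a control device can itself become a safety incident.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed asset register from discovery: Purdue level per device (PLC, HMI, corporate laptop).
PURDUE_LEVEL = {"10.10.1.10": 1, "10.10.1.20": 3, "10.10.1.99": 4}
LINE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) user=(\S+) result=(SUCCESS|FAILURE)$")

def parse(line):
    """One constructed auth-log line -> (timestamp, src, dst, user, result), or None if malformed."""
    m = LINE.match(line)
    if not m:
        return None
    ts, src, dst, user, result = m.groups()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, user, result

def run_playbook(lines, threshold=3, window=timedelta(minutes=2)):
    """Count failed logins per source in a sliding time window (lines must be in time order)
    and emit one playbook action per offender: isolate IT-side or unknown sources pending
    investigation, but escalate sources at Purdue levels 0-3 to an operator instead."""
    recent, handled, actions = defaultdict(deque), set(), []
    for ts, src, dst, user, result in filter(None, map(parse, lines)):
        if result != "FAILURE" or src in handled:
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            handled.add(src)  # one action per device; the SOC takes it from here
            level = PURDUE_LEVEL.get(src)
            actions.append({"device": src, "target": dst, "failures": len(q), "level": level,
                            "action": "isolate_pending_investigation" if level is None or level >= 4
                            else "escalate_to_operator"})
    return actions

# Constructed log lines: a corporate laptop with repeated failed logins to the HMI, the HMI failing
# against the PLC with a stale service credential, one success, and one malformed line.
SAMPLE_LOG = """\
2022-04-21T08:00:00Z src=10.10.1.99 dst=10.10.1.20 user=admin result=FAILURE
2022-04-21T08:00:05Z src=10.10.1.99 dst=10.10.1.20 user=admin result=FAILURE
2022-04-21T08:00:09Z src=10.10.1.99 dst=10.10.1.20 user=operator result=FAILURE
2022-04-21T08:00:30Z src=10.10.1.20 dst=10.10.1.10 user=plc_svc result=FAILURE
2022-04-21T08:00:31Z src=10.10.1.20 dst=10.10.1.10 user=plc_svc result=FAILURE
2022-04-21T08:00:32Z src=10.10.1.20 dst=10.10.1.10 user=plc_svc result=FAILURE
2022-04-21T08:01:00Z src=10.10.1.50 dst=10.10.1.20 user=operator result=SUCCESS
not a log line
""".splitlines()
```

`run_playbook(SAMPLE_LOG)` returns two actions: the laptop (level 4) is isolated pending investigation, while the HMI (level 3) is escalated to an operator.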


Protect Your OT with Microsoft Defender for IoT

If you want to get started, all you have to do is register for a Microsoft Azure subscription with Defender for IoT. Take advantage of Microsoft’s free 30-day trial and onboard 100 sensors or more with the free trial. Then start capturing network traffic packets for analysis.

If you would prefer to leverage expert advice from ProServeIT, access our marketplace offer for a Defender for IoT Risk Assessment. We can perform a risk assessment and provide a detailed report within four weeks.

We also have a service solution called Alarm Guardian, which has Microsoft Sentinel as its underlying technology. This service is supported by ProServeIT’s Security Operations Center’s security analysts and security engineers on a 24 x 7 x 365 basis. It enables real-time analysis of and response to security events generated by your servers, IoT devices, firewalls and network device users. Each of our service packages comes with a customized security roadmap for your organization. Get more information on our service packages here, or contact us at


Content from: Cybersecurity Framework Webinar Series by George Abou-Samra

Edited by: Betty Quon

Published by ProServeIT April 21, 2022