Operational Technology, used in factory automation, faces a growing number of cybersecurity threats. Microsoft’s Defender for IoT (MD4IoT) monitors these networks for malicious and unusual activity, provides alerts, and notifies users of vulnerabilities that require remediation.<\/p>\r\n\r\n
MD4IoT goes beyond monitoring computers on a network. It can scan, detect, and report on OT equipment such as PLCs, HMIs, VFDs, and more. This information is aggregated into a local dashboard on the MD4IoT appliance and in the Azure dashboard for the product. It is ingestible by SOC software like Service Now\u00a0(SNOW), Splunk, and LogRhythm.<\/p>\r\n\r\n
DMC\u2019s client reached out to get AD4IoT implemented at their various sites across the globe. We implemented the program in four phases: Discovery, Design, Deployment, and Operationalization.<\/p>\r\n\r\n
Discovery<\/strong><\/h3>\r\n\r\n
DMC began by collaborating with the client site and their third-party vendor to remotely gather information from the client\u2019s existing network. We developed a questionnaire, and the answers helped us to determine the type of network the client used, the types of devices used, and the number of devices on that network. Our discovery included switch diagnostic information, which allowed developing detailed network diagrams and device relationships.<\/p>\r\n\r\n
Design<\/strong><\/h3>\r\n\r\n
Using the information gathered during the discovery phase, DMC built a map that plotted the connections between switches at each site. Once we had a thorough understanding of how each switch was connected, we created switch configurations to route OT traffic via SPAN\/RSPAN to the central manager.<\/p>\r\n\r\n
RSPAN was used for the distribution switches and SPAN was used for traffic mirroring to the sensor. We then developed commands for the sensor that was to be installed. The sensor is a local AD4IoT instance that aggregates traffic and sends data to the global central manager instance of MD4IoT used for reporting.<\/p>\r\n\r\n
Deployment<\/strong><\/h3>\r\n\r\n
Next, DMC installed the MD4IoT operating system, which is Ubuntu based, on the client-provided Dell R350 PowerEdge Server at each site. There were three network ports to configure on the server:\u00a0one that was used for AD4IoT Management, one used for ingesting SPAN data, and one used for Dell server administration (iDRAC).<\/p>\r\n\r\n
We reconfigured their network by adding around 15 \u2013 20 configuration changes for each distribution and core switch. To minimize risk and issues that are likely to occur in OT Networks such as the high traffic caused by high-definition cameras, we performed thorough testing.<\/p>\r\n\r\n
Operationalization<\/strong><\/h3>\r\n\r\n
DMC then made improvements to the monitored targets and subnets that the SPAN brought in. We also applied alert filtering to reduce anomalies and false positives in reports. Any alert determined to be a false positive was cleared and filtered so that future alerts provided the most meaningful data.<\/p>\r\n\r\n
Each server was connected to a central manager, which allowed the client to access data from multiple sites via a single pane of glass.\u00a0DMC then conducted administrator training for IT and OT personnel so that they could operate the AD4IoT sensor appropriately.<\/p>\r\n\r\n<\/figure>\r\n\r\n<\/figure>\r\n\r\n<\/figure>\r\n\r\n
![\"\"](\"https:\/\/cdn.dmcinfo.com\/wp-content\/uploads\/2025\/05\/27165446\/microsoft-defender-1-edit-2_1.png\")
<\/figure>\r\n\r\n![\"\"](\"https:\/\/cdn.dmcinfo.com\/wp-content\/uploads\/2025\/05\/27165446\/Microsoft-defender-2-edit_1.png\")
<\/figure>\r\n\r\n![\"\"](\"https:\/\/cdn.dmcinfo.com\/wp-content\/uploads\/2025\/05\/27165445\/microsoft-defender-3-ed.png\")
<\/figure>\r\n\r\n