Skip to main content
Microsoft Security

Leverage cloud-powered security with Microsoft Defender for IoT

Traditionally, operational technology (OT) and IT have occupied separate sides of enterprise security. But with digital transformation and the advent of Industry 4.0, the old, siloed approach is showing its age.1 The rise of manufacturing execution systems has enabled more “smart factories” to deliver improved manageability and data collection. While increased OT connectivity in energy production, utilities, transportation, and other critical industries help drive greater efficiency, it also creates new vulnerabilities. Roughly 41.6 billion devices are projected to be internet-facing by 2025, creating an enormous attack surface.2 And unlike IT environments, a breach in OT can have potentially life-threatening consequences, as evidenced by the 2021 cyberattack against a Florida city’s water supply.3

It is with great pleasure that we announce the general availability (GA) of the Microsoft Defender for IoT cloud-managed platform, which lets businesses interconnect their OT environment without compromising security. Powered by Microsoft’s scalable, cost-effective cloud technology, Defender for IoT helps you manage assets, track emerging threats, and control risks across enterprise and mission-critical networks—both in connected and air-gapped environments. In this blog, we’ll look at today’s connected OT environment, including the advantages of cloud-managed security and how a converged security operations center (SOC) can offer advantages over the traditional siloed approach.

Why choose a cloud-powered solution for IoT and OT security?

The proliferation of connected devices—everything from manufacturing systems, heating, ventilation, and air conditioning (HVAC), and building management systems (BMS) to heavy machinery for mining, drilling, and transportation—means that OT security solutions require speed, accuracy, and context on a massive scale. In the December 2022 issue of our Cyber Signals threat brief, Microsoft identified unpatched, high-severity vulnerabilities in 75 percent of the most common industrial controllers used in our customers’ OT networks. Even using ordinary Internet of Things (IoT) devices like printers and routers, attackers can breach and move laterally through an IT system, installing malware and stealing sensitive intellectual property. Cloud-powered IoT and OT security solutions offer several advantages over traditional solutions:

With any type of OT security, mean time to recovery (MTTR) provides a critical metric. A target MTTR for IT is typically between 30 minutes and two hours. However, because IoT and OT security often involves cyber physical systems used in utilities, healthcare, or energy production, every minute counts. Cloud-based OT security can make a difference by enabling real-time response rates across multiple locations. But what if you could take your security a step further by enabling a faster MTTR through a unified SOC for both IT and OT?

Unifying security efforts with a converged IT, IoT, and OT SOC

Empowering OT and IT security teams to work together helps create a unified front against evolving threats, maximizing your resources while gaining a comprehensive view of vulnerabilities. This way, a converged SOC taps into the strengths of both teams, creating a streamlined, cost-effective approach to enterprise security. By establishing common goals and key performance indicators, IT and OT security teams can work together on tabletop exercises to build cohesion. To learn more about how to empower OT and IT security teams to work together, watch our webinar, OT/IoT Enabled SOC with Microsoft Sentinel and Microsoft Defender for IoT.

The key benefits of a converged SOC include:

Screenshot of Microsoft Defender for IoT’s graphical user interface displaying the inventory of devices in the environment.

Figure 1. Defender for IoT—Device inventory view.

Microsoft Defender for IoT is a unified solution for today’s converged SOC

Given the 75 percent vulnerability rate in industrial controllers, nearly every organization using OT will need to reevaluate the security posture of both its legacy equipment (brownfield; lacking security) and its newer devices (greenfield; with some built-in security).2 Older network monitoring systems are not familiar with IoT and OT protocols, making them unreliable. A purpose-built solution is needed for today’s converged SOC.

With Microsoft Defender for IoT, you can achieve faster time-to-value, improve agility and scalability, increase visibility, and strengthen the resiliency of your network and infrastructure without making significant changes. The Defender for IoT cloud is designed to augment your on-premises processing power while providing a source of centralized management for global security teams—raising the bar for OT defense. Let’s walk through how a typical scenario might play out.

How Defender for IoT works—scenario:

  1. A new common vulnerability and exposure (CVE) is published with information that may affect your organization’s OT devices. Even more concerning, you discover that hackers have been sharing this vulnerability widely online.
  2. With Microsoft Threat Intelligence, the new CVE is ingested automatically and shared across our cloud-based security services, including Defender for IoT.
  3. Using the Microsoft Azure Portal, your SOC can begin monitoring for the new vulnerability across all devices and sites.
  4. Result: Securing your IoT and OT environment becomes faster and more comprehensive.

Additional scenarios where your SOC could see immediate benefit with Defender for IoT include:

See and protect everything with Device inventory

With the GA of Defender for IoT, Device inventory now allows your SOC to confidently manage OT devices from a single pane of glass through the Microsoft Azure Portal. By supporting unlimited data sources (such as manufacturer, type, serial number, firmware, and more), Device inventory helps your security team gain a complete picture of your IoT and OT assets and proactively addresses any vulnerabilities using Microsoft’s scalable, cloud-managed platform.

Screenshot of Microsoft Defender for IoT’s graphical user interface displaying specific device details for a selected device in the environment, including type, subtype, vendor, model and firmware version.

Figure 2. Defender for IoT—Comprehensive view of an asset with backplane modules.

Simplified integration for end-to-end protection

To enable comprehensive protection across your enterprise, Defender for IoT easily integrates with Microsoft Sentinel. Together, Defender for IoT and Microsoft Sentinel provide security information and event management (SIEM) for both OT and IT environments. Defender for IoT also shares threat data with Microsoft 365 Defender, Microsoft Defender for Cloud, and non-Microsoft products like Splunk, IBM QRadar, and ServiceNow. This extensive and integrated ecosystem allows your converged SOC to tune alerts automatically across IoT and IT, creating baselines and custom alerts that help reduce alert fatigue.

Creating security for all—you’re invited

To learn more about how Microsoft Defender for IoT can help create a unified security solution for your converged SOC, remember to mark your calendars for the RSA Conference, April 24 to 27, 2023, and visit us at Microsoft booth 604. Register now for the special RSA Microsoft pre-day event.

Want to be among the first to see the AI-powered future of cybersecurity and the latest advances in cloud defense? Join us at Microsoft’s new digital security-only event, Microsoft Secure, on March 28, 2023.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.


1Industry 4.0 technologies assessment: A sustainability perspective, Chunguang Bai, Patrick Dallasega, Guido Orzes, and Joseph Sarkis. November 2020.

2The convergence of IT and OT: Cyber risks to critical infrastructure on the rise, Microsoft. December 2022.

3Someone tried to poison a Florida city by hacking into the water treatment system, sheriff says, Amir Vera, Jamiel Lynch, and Christina Carrega. February 8, 2021.