OT systems, which control real-world critical processes, present a significant target for cyberattacks. These systems are prevalent across various industries, from building heating, ventilation, and air conditioning (HVAC) systems, to water supply and power plants, providing control over vital parameters such as speed and temperature in industrial processes. A cyberattack on an OT system could transfer control over these critical parameters to attackers and enable malicious alteration that could result in malfunctions or even complete system outages, either programmatically via the programmable logic controller (PLC) or using the graphical controls of the human machine interface (HMI).

Adding to the potential damage of attacks on OT systems are their often-lacking security measures, which make OT attacks not only attractive for attackers but also relatively easy to execute. Many OT devices, notwithstanding common security guidelines, are directly connected to the internet, making them discoverable by attackers through internet scanning tools. Once discovered by attackers, poor security configurations, such as weak sign-in passwords or outdated software with known vulnerabilities, could be further exploited to obtain access to the devices.

The attractiveness of OT systems and attackers’ capabilities against systems with weak configurations were demonstrated in the Israel-Hamas war, which was accompanied by a spike in cyberattacks, including from OT-focused actors. Shortly after October 7, the Telegram channels of several such actors broadcasted their attacks against OT systems associated with Israeli companies. These publications were often accompanied by images of purportedly compromised systems, which the threat actors presented as alleged evidence for the attacks.

Microsoft’s analysis of multiple attacks by these actors revealed a common attack methodology: focusing on internet-exposed, poorly secured OT devices. This report will illustrate this attack methodology using the high-profile case of the November 2023 attack against Aliquippa water plant, for which CISA released an advisory in December 2023. CISA attributed the attack to the Islamic Revolutionary Guard Corps (IRGC)-affiliated actor “CyberAv3ngers”, tracked by Microsoft as Storm-0784. Microsoft assesses that the same methodology has been utilized by other OT-focused threat actors in multiple other attacks as well.

The attacks conducted by OT-focused actors were not limited to public sector facilities but also affected private companies in various countries. While the public sector has been implored to implement proper risk management and protection of OT systems, the diversity of target profiles illustrates that ensuring OT security in the private sector is equally crucial. Recommendations for organizations to protect against similar attacks and improve the security posture of their OT systems can be found at the end of this report.

Spike in activity of OT threat actors

Shortly after the outbreak of the Israel-Hamas war, Microsoft has seen a rise in reports of attacker activity against OT systems with Israeli affiliation. This included activity by existing groups such as the IRGC-affiliated “CyberAv3ngers”, and the emergence of new groups such as the “CyberAv3ngers”-associated “Soldiers of Solomon”, and “Abnaa Al-Saada”, a cyber persona presenting itself as Yemeni. Microsoft tracks both “CyberAv3ngers” and its associated group “Soldiers of Solomon” as Storm-0784.

The systems targeted by these groups included both OT equipment deployed across different sectors in Israel, including PLCs and HMIs manufactured by large international vendors, as well as Israeli-sourced OT equipment deployed in other countries. The attacks were made public by the actors using their Telegram channels, on which they also posted images of the target systems to enhance purported credibility and present evidence for the attack.

Researching the threat actors in question, Microsoft has identified a typical target profile that attackers appeared to focus on: internet-exposed OT systems with poor security posture, potentially accompanied by weak passwords and known vulnerabilities.

The Aliquippa case: A high-profile OT attack

In late November 2023, the Aliquippa water plant was affected by a cyberattack that resulted in the outage of a pressure regulation pump on the municipal water supply line in Aliquippa, Pennsylvania. In addition to impairing functionality, the attack, which targeted a PLC-HMI system by Israeli manufacturer Unitronics, also defaced the device to display a red screen with the name and logo of the “CyberAv3ngers” actor. The US Department of Treasury sanctioned officials in the Iranian Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC) in relation to the attack.

Around the same time, multiple other attack cases on Unitronics systems were reported across the industry in other parts of the world, with targeted equipment displaying the same message: “Every equipment ‘made in Israel’ is a Cyber Av3ngers legal target“.

Microsoft analyzed the publicly available data on the Aliquippa incident to find the victim system and assess how it was compromised. Leveraging researchers’ intimate OT knowledge to interpret the limited details known to the public has enabled the identification of a specific machine that Microsoft believes to be the victim.

According to publicly accessible sources, the targeted system was exposed to the internet, and it suffered both defacement and the shutdown of the pump it controlled. Designated engines that map internet-connected devices and their associated services allowed Microsoft researchers to compile a list of internet-exposed Unitronics devices of the relevant model, which also had a dedicated control port open. This configuration could potentially allow to reprogram the device reprogramming, leading to the observed defacement and shutdown.

The analysis of contextual data narrowed the device profile list, identifying a specific system that could be the victim. This system was geographically situated near the Aliquippa station, with its PLC Name field set to “Raccoon Primary PLC”, consistent with the Aliquippa water station serving Potter and Raccoon townships, and also aligning with a photograph disseminated by the media, depicting a sign that reads “PRIMARY PLC” on the targeted system.

The data gathered throughout the research of the Aliquippa attack case highlights a trend: a common target profile of internet-exposed OT systems with a weak security posture that mirrors other attack cases.

Attacks representing a broader concerning trend

The CISA advisory that was released following the attacks in November 2023 described the profile of the targeted OT systems as being internet-exposed and having weak sign-in configurations. In May 2024, CISA released another advisory following the more recent attacks against the water sector, which showed that the victims had a similar profile. Again, OT systems that were left internet-exposed and had weak passwords were targeted by nation-state attackers, this time by pro-Russia activists.

While attacks on high-profile targets, especially in the public sector, often receive significant media attention, it’s important to recognize that the private sector and individual users may also be impacted. Notably, the Aliquippa water plant was just one victim in a series of attacks on Unitronics by “CyberAv3ngers”, which also expanded to the private sector. Screenshots of affected systems with the same red screen and message have been posted by users on the Unitronics forum claiming their equipment was attacked, with similar reports also showing on social media platform X. Following the incidents, a vulnerability was assigned for the Unitronics default password configuration (CVE-2023-6448), and a patch was issued by Unitronics to require users to fix the issue.  

The common target profile for the attack cases analyzed reflects what attackers do to pick an easily accessible and appealing target in the first place. Attackers can, and do, obtain visibility on OT devices that are open to the internet using search engines, identify vulnerable models and open communication ports, and then use the contextual metadata to identify devices that are of special interest, such as ICS systems in water plants or other critical facilities. At that point, a weak password or an outdated system with an exploitable vulnerability is all that stands between them and remote access to the system.

The growing attention from attackers towards OT systems, observed across various sectors, is particularly concerning due to inadequate security practices on these systems. The Microsoft Digital Defense Report 2023 highlights that 78% of industrial network devices on customer networks monitored by Microsoft Defender for IoT have known vulnerabilities. Among these, 46% utilize deprecated firmware, for which patches are no longer available, while the remaining 32% operate outdated systems with unpatched vulnerabilities. For devices that are patched, many still use default passwords or have no passwords at all. Microsoft collects statistics on the prevalence of username and password pairs seen used in Microsoft’s sensor network, as was shared in the Microsoft Digital Defense Report 2022. Such outdated and vulnerable systems present attractive targets for future attacks, particularly when coupled with internet connectivity and default passwords. In the next sections, we share recommendations for improving the security posture of OT systems to help prevent attacks.

Mitigation and protection guidance

The analysis of the attack claims in question reveals diverse target profiles. It is therefore vital for organizations of all different sectors to ensure security hygiene for their OT systems to prevent similar threats.

• Adopt a comprehensive IoT and OT security solution such as Microsoft Defender for IoT to allow visibility and monitoring of all IoT and OT devices, threat detection and response, and integration with SIEM/SOAR and XDR platforms such as Microsoft Sentinel and Microsoft Defender XDR.
• Enable vulnerability assessments to identify unpatched devices in the organizational network and set workflows for initiating appropriate patch processes through  Microsoft Defender Vulnerability Management and Microsoft Defender for Endpoint with the Microsoft Defender for IoT add-on.
• Reduce the attack surface by eliminating unnecessary internet connections to IoT devices and OT control systems. Verify that no OT system is directly connected to the internet, for example, through IoT routers or Cellular bridged (LTE or 3G). Close unnecessary open ports and services on their equipment, eliminating remote access entirely when possible, and restricting access behind a firewall or VPN when full elimination cannot be achieved.
• Implement Zero Trust practices by applying network segmentation to prevent an attacker from moving laterally and compromising assets after intrusion. OT devices and networks should be isolated from IT with firewalls. Extend vulnerability and exposure control beyond the firewall with Microsoft Defender External Attack Surface Management. Turn on attack surface reduction rules in Microsoft Defender for Endpoint to prevent common attack techniques such as those used by ransomware groups.

Microsoft Defender for IoT detections

Microsoft Defender for IoT provides detections for suspicious behaviors of OT and IoT devices. Alerts related to internet access and modification of PLC behavior will detect activity of this type, such as:

• External address within the network communicated with Internet
• Internet Access Detected
• Unauthorized Internet Connectivity Detected
• Unauthorized PLC Program Upload
• Unauthorized PLC Programming

References

• IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities | CISA
• Municipal Water Authority of Aliquippa hacked by Iranian-backed cyber group – CBS Pittsburgh (cbsnews.com)
• Aliquippa Water Authority – Municipal Water Authority of Aliquippa
• Cyber group backed by Iran is taking credit for Pennsylvania water system cyberattack
• PLC Hacking – More Commonplace Than You Might Think – Best Programming Practices – Unitronics Support Forum: Programmable Controllers (PLC + HMI All-in-One)
• Full Pint Beer on X: “Ugh – the brewery control system received a CYBER ATTACK over the weekend!!! We are working to restore things to working order, kudos to the crew at @Brewmation for working with us over the Thanksgiving weekend! Thank goodness for backups! #cyberattack #automation #ransomware https://t.co/SNdXY9ne4h” / X
• NVD – CVE-2023-6448 (nist.gov)
• Unitronics-Cybersecurity-Advisory-2023-001-CVE-2023-6448.pdf (unitronicsplc.com)
• Iranian cyber attack targets Israeli tech used by several US bodies | The Times of Israel

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Exposed and vulnerable: Recent attacks highlight critical need to protect internet-exposed OT devices appeared first on Microsoft Security Blog.

To overcome this challenge, Microsoft released ICSpector, an open-source framework that facilitates the examination of the information and configurations of industrial programmable logic controllers (PLCs). This framework simplifies the process of locating PLCs and detecting any anomalous indicators that are compromised or manipulated. This can assist you in safeguarding the PLCs from adversaries who intend to harm or disrupt their operations. 

Many operational technology (OT) security tools based on network layer monitoring, such as Microsoft Defender for IoT, provide network protection for OT/IoT environments, allowing analysts to discover their devices and respond to alerts on vulnerabilities and anomalous behavior. However, one of the biggest challenges is retrieving the code running on the PLC and scanning it as part of an incident response to understand if it was tampered with. This act requires caution, because the PLCs are actively operating vital industrial process. This is where ICSpector can help individuals or facilities perform this task with best practices.

Industrial control systems in brief 

Industrial Control Systems (ICS) and Operational Technology (OT) are critical to modern society, powering everything from power grids and water treatment plants to manufacturing facilities and transportation systems. These systems typically rely on a combination of hardware and software components to perform their functions. Programmable logic controllers (PLCs) are used to manage and control the various processes within an industrial environment. As these systems become increasingly digitized and interconnected, they are also becoming more vulnerable to cyberattacks.  

Due to their critical role in ensuring the smooth operation of industrial processes, and the physical danger or extreme financial losses that could result if attacked, ICS devices are prime targets of cyberattacks, making ICS security an increasingly critical issue in today’s digital landscape. 

Figure 1: Known ICS-targeted cyberattacks that occurred between 2010 and 2022. (Image from Cyber Signals: Risks to critical infrastructure on the rise)

With ICS cyberattacks on the rise, facilities require a holistic solution to address the unique nature of critical infrastructure environments. A common threat involves ICS malware attempting to modify the controller program logic to disrupt operations and cause physical harm. 

Extracting data from a controller can be challenging, as it requires specialized expertise in communicating with the device and understanding the specific, and at many times proprietary, protocols used to transmit and store data. This expertise is critical for conducting forensic operations because investigators must be able to extract specific data from a controller to identify security risks and determine the root cause of issues. The challenges around securing OT and the potentially large impact from even one controller being infected in a critical environment, highlight the need for effective security measures and forensic tools to investigate and remediate incidents. 

Challenges in ICS forensics 

ICS forensics differs from standard IT forensics, because ICS environments possess distinctive features that distinguish them.  

Cybersecurity forensics in IT environments involves the collection, analysis, and preservation of digital evidence to identify the cause and extent of a security breach or cyberattack. This includes analyzing network traffic, logs, and system data to identify the source of the attack and to patch vulnerabilities. In contrast, forensics in OT environments involves analyzing ICS data, including data from sensors and controllers used in manufacturing and industrial settings. 

While OT communication protocols and execution methods are based on general principles, each vendor can implement its own protocol for data exchange and management. As a result, there is no universal protocol that applies to all controllers, and researchers must investigate each device separately, from its communication patterns to its internal data structure. 

Another challenge has to do with talent and tools. Because OT and IT environments were historically isolated and had distinct security operations center teams with different tools, most incident response specialists lack the expertise to analyze OT. And while the IT domain has a variety of forensics tools, such as Autopsy, The Sleuth Kit and FTK, the OT forensics domain is still emerging, lacks a common methodology, and requires OT experts to develop their own solutions. 

Specialized tools and techniques have started to emerge to address the unique challenges of conducting investigations in ICS environments. These include the Top 20 Secure PLC Coding Practices, specific OT protocols implementations available on GitHub, and paid tools for an overview of controller programs for a specific set of protocols. Notably missing from these options has been an open-source solution that provides a comprehensive implementation of OT protocols and gives forensics investigators the ability to analyze extracted data and drill down into informative and suspicious areas within the controller loaded project.  

ICSpector for industrial engineers and cybersecurity analysts 
Microsoft aspired to fill the gap in the market by creating the ICSpector framework. Written in Python and available on GitHub, ICSpector is a framework with tools that enable investigators to: 

• Scan their network for programmable logic controllers. 
• Extract project configuration and code from controllers. 
• Detect any anomalous components within ICS environments.  

Security experts can use these forensic artifacts to identify compromised devices as part of manual verification, automated monitoring of tasks, or during incident response. The framework’s modular, flexible design makes it convenient for investigators to customize it to their specific needs. 

The framework is composed of several components that can be developed and executed separately. The overall architecture is as follows:  

Figure 2: The main modules of the ICSpector framework architecture (left to right) are: input handling, network scanner, protocol plugin, data analyzer, and output.

The network scanner identifies devices that communicate in the supported OT protocol and ensures they are responsive, based on a provided IP subnet. Alternatively, a user can provide a specific IP list that was exported from OT security products such as MDIoT, and the network scanner will only verify these devices are connected before beginning data extraction. After feeding the plugin the list of available devices, it extracts the PLC project metadata and logic. Then, the analyzer converts the raw data into a human-readable form and extracts different logic to highlight areas of the project artifacts that usually indicate malicious activity. The framework lets each component run independently with the required input. You can easily modify each component, adapting the operation to current needs, such as introducing protocol changes and analysis methods or altering the output. With the framework, users gain an inventory of assets based on the protocol scanning ability. In the data extraction phase, you can create snapshots of the controller projects and then compare changes over time. 

Note: while the framework is not designed to disrupt the production process, due to the sensitive nature of ICS environments, we advise executing the data extracting component in a monitored environment. 

Figure 3: Anomalous artifacts that can be extracted by ICSpector include timestamps outliers, author information, tasks usage, network capabilities, and online vs. offline project compare.

The forensic analysis component of ICSpector allows to dive deep into malicious modifications of controller code. With the ICSpector framework, you can extract timestamp outliers indicating that someone changed the controller code at an unexpected time. Author information is provided as well to help detect suspicious code writers. You can extract network capabilities to surface unexpected communication ports and network libraries. Tasks are the code components responsible for the entire code execution, and the framework gives you an overview of the execution flow Tasks are data structures that trigger the execution of the PLC project, and the framework gives you an overview of existing tasks and their configuration. Additionally, the entire call graph is exported to obtain a clear view of the execution flow. Stuxnet, a sophisticated computer worm that was responsible for causing significant damage to Iran’s nuclear program in 2010, altered a cyclic task to monitor its malicious activities and added malicious logic to the main block of the program. Since the code running on the controller may differ from an engineer’s hard copy, the framework lets you compare the differences between the online and the offline code to catch malicious changes. All of these analysis capabilities could have helped detect the presence of Stuxnet in the network. 

Get started with ICSpector 
ICSpector is a novel solution that enables OT experts and cybersecurity analysts to enhance their reactive and proactive incident response capabilities in ICS environments. The OT cybersecurity community can participate in and benefit from security efforts in OT forensics, advancing our vision of better security practices in the OT field. 

ICSpector can be used in conjunction with Microsoft Defender for IoT, Microsoft Security’s solution for defending IoT and ICS/OT devices that maps out your OT network and alerts you of malicious activity. Defender for IoT, or any other OT security solution, can help with both proactive and reactive OT incident response. Try ICSpector to see how it could benefit your organization. Our how-to guide will walk you through the installation of the framework and explain the components and how to use them in your environment.  

Currently, the system supports three OT protocols: Siemens S7Comm, which is compatible with the S7-300/400 series, Rockwell RSLogix, using the Common Industrial Protocol, and Codesys V3, which is a widely used SDK for industrial control devices and is implemented by different vendors.   

We encourage you to contribute to the tool by adding new OT protocols and forensic logic. 

 
Learning about ICS basics, PLC programming and investigation methodologies can be done through the webinar, hosted by Microsoft Defender for IoT Research team. 

To get started with OT security, watch the “Introduction to ICS/OT Security” webinar series, hosted by Microsoft Security Community. 

The post ​​Investigating industrial control systems using Microsoft’s ICSpector open-source framework appeared first on Microsoft Security Blog.

CODESYS is compatible with approximately 1,000 different device types from over 500 manufacturers and several million devices that use the solution to implement the international industrial standard IEC (International Electrotechnical Commission) 611131-3. A DoS attack against a device using a vulnerable version of CODESYS could enable threat actors to shut down a power plant, while remote code execution could create a backdoor for devices and let attackers tamper with operations, cause a PLC to run in an unusual way, or steal critical information. Exploiting the discovered vulnerabilities, however, requires user authentication, as well as deep knowledge of the proprietary protocol of CODESYS V3 and the structure of the different services that the protocol uses.

Microsoft researchers reported the discovery to CODESYS in September 2022 and worked closely with CODESYS to ensure that the vulnerabilities are patched. Information on the patch released by CODESYS to address these vulnerabilities can be found here: Security update for CODESYS Control V3. We strongly urge CODESYS users to apply these security updates as soon as possible. We also thank CODESYS for their collaboration and recognizing the urgency in addressing these vulnerabilities. 

Below is a list of the discovered vulnerabilities discussed in this blog: 

In this blog, we provide an overview of the CODESYS V3 protocol structure, highlighting several key components, and describe the main issue that led to our discovery of the vulnerabilities. The full research and the results can be found in our report on Github. We also provide an open-source forensics tool to help users identify impacted devices, security recommendations for those affected, and detection information for potentially related threats.

CODESYS: A widely used PLC solution

CODESYS is a software development environment that provides automation specialists with tools for developing automated solutions. CODESYS is a platform-independent solution that helps device manufacturers implement the international industrial standard IEC 611131-3. The SDK also has management software that runs on Windows machines and a simulator for testing environments, allowing users to test their PLC systems before deployment. The proprietary protocols used by CODESYS use either UDP or TCP for communication between the management software and PLC.

CODESYS is widely used and can be found in several industries, including factory automation, energy automation, and process automation, among others. 

Discovering the CODESYS vulnerabilities

The vulnerabilities were uncovered by Microsoft researchers while examining the security of the CODESYS V3 proprietary protocol as part of our goal to improve the security standards and create forensic tools for OT devices. During this research, we examined the structure and security of the protocol that is used by many types and vendors of PLCs.  We examined the following two PLCs that use CODESYS V3 from different vendors: Schneider Electric Modicon TM251 and WAGO PFC200.

CODESYS V3 protocol

The CODESYS network protocol works over either TCP or UDP:

• Ports 11740-11743 for TCP
• Ports 1740-1743 for UDP

The CODESYS network protocol consists of four layers:

1. Block driver layer: The layer that creates the capability to communicate over a physical or software interface, over TCP or UDP.
2. Datagram layer: The layer that enables communication between components and endpoints through physical or virtual interfaces. 
3. Channel layer: The layer that is responsible for creating, managing, and closing communications channels.
4. Services layer: Represents a combination of several layers of the ISO/OSI model session layer, presentation layer, and application layer. It consists of components, each of which is responsible for a portion of functionality of the PLC and has services that it supports. Other tasks of the Services layer include encoding/decoding and encrypting/decrypting the data transmitted on that layer. Additionally, the Services layer is also responsible for tracking the client-server session. Each component is identified by a unique ID, such as:

These components use the Tags layer for data transmission and encoding, which is transmitted over the Services layer.

There are two types of tags: parent and data. Both tags have identical structure but different sizes and purposes. The following table provides the basic structure of tags:

Tags can represent any type of data, and it is extracted by the component. The difference between a parent tag and a data tag is that a parent tag is used for linking several tags into one logical element.

Tags contain several important structures, including BTagReader and BTagWriter, which include the following fields:

• Data
• Current position in data
• Size of data

These structures are allocated for each request and exist only in the context of the request. Each request handler creates BTagWriter and BTagReader tags and uses them to parse and handle requests. Tag IDs are not unique across services, meaning each service may have its own definition for a tag ID. Tag IDs are handled in the context of each service.

The following figure provides an example of a Tag layer and relevant fields.

This example contains the following tags:

• Tag1 – )TAG ID 0x01( 10 00 00 00
• Tag2 – (TAG ID 0x23) Authentication method type
• Tag3 – (TAG ID 0x81) Parent tag that contains two sub tags
• Tag4 – (TAG ID 0x10) Username tag
• Tag5 – (TAG ID 0x11) Hash of a password tag

CODESYS components

CODESYS consists of components and each component is responsible for a portion of functionality of the PLC. The following is a list of example components:

• CmpAlarmManger – Manages alarm events, registers clients that receive events, etc.
• CmpApp – Manages running applications and application event usage.
• CmpAppBp – Manages breakpoints in IEC tasks.
• CmpCodeMeter – Manages the CodeMeter License containers.
• CmpCoreDump – Manages creating, reading, and printing to file coredumps.
• CMPTraceMgr – Enables tracing of information inside the IEC tasks.

Each component includes a number of services that the client can ask to use. For example, CMPTraceMgrincludes the following:

• TraceMgrPacketCreate – Creates a new trace packet
• TraceMgrPacketDelete – Deletes a trace manager packet
• TraceMgrPacketStart – Starts tracing, which is triggered by the TraceTrigger
• TraceMgrRecordUpdate – Records the current value of the TraceVariable together with the current timestamp
• TraceMgrRecordAdd – Creates a new TraceRecordConfiguration and adds it to a specific trace packet for a specific IEC task/application

Each service is identified by a unique number for the specific component.

Tags layer vulnerability

A security issue was discovered inside the tag decoding mechanism that led to multiple vulnerabilities that could put devices at risk of attacks such as RCE and DoS.  

In order to understand the security issue, let’s analyze the service TraceMgrRecordAdd of the component CMPTraceMgr by examining the code that activates the relevant service.

The TraceMgrRecordAddByTag appears to correspond to TraceMgrRecordAdd.

As displayed in Figure 5, the following code initializes structure from tags that are sent to the service.  

The following figure looks at the code for the TraceMgrAddNewRecordPartByTag method, which copies data from different tags into an output buffer.

The whole tag is copied into the buffer without validating the size, causing buffer overflow.

Fifteen places in CODESYS V3 SDK were found with the same issue in different components that could lead to remote attackers gaining full control over the device.

Exploitation approach

We were able to apply 12 of the buffer overflow vulnerabilities to gain RCE of PLCs. Exploiting the vulnerabilities requires user authentication as well as bypassing the Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) used by both the PLCs. To overcome the user authentication, we used a known vulnerability, CVE-2019-9013, which allows us to perform a replay attack against the PLC using the unsecured username and password’s hash that were sent during the sign-in process, allowing us to bypass the user authentication process.

IEC tasks

IEC tasks are the execution unit of CODESYS runtime. It is the equivalent to thread in operating systems. A single component can have more than one task and will have at least one IEC task. The tasks are managed by CODESYS runtime. 

Each IEC task has a memory segment with read, write, and execute permissions. If a threat actor writes code there, it could be run without the data execution prevention mitigation being applied.

The IEC task segment is also where the stack is defined, meaning we don’t need to handle DEP.

Since the IEC tasks are part of the CODESYS code, they are present on all PLCs of all vendors that utilize CODESYS.

Full exploit

By looking for gadgets, we can bypass the ASLR. In the examples below, we can see part of the gadgets that we used in our exploit.

The complete exploit steps:

1. Steal credentials with CVE-2019-9013.
2. Create a new channel for the attack.
3. Sign-in to the device with the stolen credentials.
4. Exploit the vulnerabilities with a malicious packet that triggers buffer overflow.
5. Gain full control of the device.

We were able to exploit the two PLCs that we researched.

Demo video:

Critical importance of ICS security 

With CODESYS being used by many vendors, one vulnerability may affect many sectors, device types, and verticals, let alone multiple vulnerabilities. All the vulnerabilities can lead to DoS and 1 RCE. While exploiting the discovered vulnerabilities requires deep knowledge of the proprietary protocol of CODESYS V3 as well as user authentication (and additional permissions are required for an account to have control of the PLC), a successful attack has the potential to inflict great damage on targets. Threat actors could launch a DoS attack against a device using a vulnerable version of CODESYS to shut down industrial operations or exploit the RCE vulnerabilities to deploy a backdoor to steal sensitive data, tamper with operations, or force a PLC to operate in a dangerous way.

Mitigation and protection guidance

CODESYS V3 versions prior to 3.5.19.0 are vulnerable to the discovered vulnerabilities. It is recommended to first identify the devices using CODESYS in your network and check with device manufacturers to determine which version of the CODESYS SDK is used and whether a patch is available. It is also recommended to update the device firmware to version to 3.5.19.0 or above. 

General recommendations: 

• Apply patches to affected devices in your network. Check with the device manufacturers for available patches and update the device firmware to version to 3.5.19.0 or above. 
• Make sure all critical devices, such as PLCs, routers, PCs, etc., are disconnected from the internet and segmented, regardless of whether they run CODESYS.  
• Limit access to CODESYS devices to authorized components only. 
• Due to the nature of the CVEs, which still require a username and password, if prioritizing patching is difficult, reduce risk by ensuring proper segmentation, requiring unique usernames and passwords, and reducing users that have writing authentication.   

To assist with identifying impacted devices, the cyberphysical systems research team has released an open-source software tool on GitHub that allows users to communicate with devices in their environment that run CODESYS and extract the version of CODESYS on their devices in a safe manner to confirm if their devices are vulnerable. In addition, the cyberphysical system research team also released a tool for performing a forensics investigation on CODESYS V3 devices as part of its arsenal of open-source tools available on GitHub.

Microsoft 365 Defender detections 

Microsoft 365 Defender is becoming Microsoft Defender XDR. Learn more.

Microsoft Defender for IoT 

Microsoft Defender for IoT with all versions of the sensor and TI package after April 2023 provides the following protections against these vulnerabilities and associated exploits and other malicious behavior:  

• Defender for IoT detects and classifies devices that use CODESYS.  
• Defender for IoT raises alerts on unauthorized access to devices using CODESYS, and abnormal behavior in these devices.  
• Defender for IoT raises alerts if a threat actor attempts to exploit these vulnerabilities. Alert type: “Suspicion of Malicious Activity”

Microsoft Defender Threat Intelligence 

Microsoft Defender Threat Intelligence shows devices running CODESYS that are exposed to the internet by searching for “CODESYS” components on IPs.  

Vladimir Tokarev

Microsoft Threat Intelligence Community

References 

• https://www.codesys.com/the-system/codesys-inside.html
• https://store.codesys.com/engineering/codesys.html
• https://github.com/microsoft/CoDe16/tree/main
• https://store.codesys.com/en/alarm-manager.html
• https://content.helpme-codesys.com/en/libs/CmpApp/Current/index.html
• https://content.helpme-codesys.com/en/libs/CmpAppBP/Current/index.html
• https://content.helpme-codesys.com/en/libs/CmpCodeMeter/Current/index.html
• https://content.helpme-codesys.com/en/libs/CmpTraceMgr/Current/index.html
• https://content.helpme-codesys.com/en/libs/CmpApp/Current/AppStartApplication.html
• https://help.codesys.com/webapp/TraceMgrPacketCreate;product=CmpTraceMgr;version=3.5.16.0
• https://help.codesys.com/webapp/TraceMgrPacketDelete;product=CmpTraceMgr;version=3.5.16.0
• https://help.codesys.com/webapp/TraceMgrPacketStart;product=CmpTraceMgr;version=3.5.16.0
• https://help.codesys.com/webapp/TraceMgrRecordUpdate;product=CmpTraceMgr;version=3.5.16.0
• https://help.codesys.com/webapp/TraceMgrRecordAdd;product=CmpTraceMgr;version=3.5.17.0
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9013
• https://customers.codesys.com/index.php?eID=dumpFile&t=f&f=12943&token=d097958a67ba382de688916f77e3013c0802fade&download=
• https://www.codesys.com/download
• https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-192-04&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2023-192-04.pdf&_ga=2.25212925.1579834642.1689503846-267712980.1687697317
• https://cert.vde.com/de/advisories/VDE-2023-026/
• https://ics-cert.kaspersky.com/publications/reports/2019/09/18/security-research-codesys-runtime-a-plc-control-framework-part-1/
• https://ics-cert.kaspersky.com/publications/reports/2019/09/18/security-research-codesys-runtime-a-plc-control-framework-part-2/
• https://ics-cert.kaspersky.com/publications/reports/2019/09/18/security-research-codesys-runtime-a-plc-control-framework-part-3/

Further reading

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on Twitter at https://twitter.com/MsftSecIntel.

The post Multiple high severity vulnerabilities in CODESYS V3 SDK could lead to RCE or DoS  appeared first on Microsoft Security Blog.

Microsoft’s IoT security commitments 

While customers are familiar with our approach to Windows PC and server security, many are unaware that Microsoft has taken similar steps to strengthen the security of business-critical systems and the networks that enclose them, including vulnerable and unmanaged IoT and OT endpoints. Microsoft often detects a wide range of threats targeting IoT devices, including sophisticated malware that enables attackers to target compromised devices using botnets³ or compromised routers,⁴ and a malicious form of cryptomining called cryptojacking.⁵ This blog post details Microsoft’s efforts to help partners create IoT solutions with strong security, thereby supporting initiatives outlined in the new National Cybersecurity Strategy and other US Cybersecurity and Infrastructure Security Agency (CISA) initiatives.

Developing and deploying software products that are secure by design and default is both a challenging and costly endeavor. According to recent guidance from the CISA, Secure-by-Design requires significant resources to incorporate security functions at each layer of the product development process.⁶ To maximize effectiveness, this approach needs to be integrated into a product’s design from the onset and cannot always be “bolted on” later.

Security by design and default is an enduring priority at Microsoft. In 2021, we committed to investing USD100 billion to advance our security solutions over five years (approximately USD20 billion per year) and today we employ more than 8,000 security professionals.⁷ One result of these investments is Windows 11, our most secure version of Windows yet. At Microsoft, we have a great deal of experience around security by design and default and have strived to implement best practices into our products and programs to assist partners who combine hardware, innovative functionality, online services, and operating systems (OS) to produce and maintain IoT solutions with robust security.

Applying Zero Trust to IoT

Instead of believing everything behind the corporate firewall is safe, the Zero Trust model assumes breach and verifies each request as though it originated from an uncontrolled network. Regardless of where the request originates or what resource it accesses, the Zero Trust model teaches us to “never trust, always verify.” A Zero Trust approach should extend throughout the entire digital estate and serve as an integrated security philosophy and end-to-end strategy.

Microsoft advocates for a Zero Trust approach to IoT security, based on the principle of verifying everything and trusting nothing (see Seven Properties of Highly Secure Devices). Zero Trust is also aligned with the new directives in the US National Cybersecurity Strategy and the requirements of the new US cybersecurity labeling program.

A traditional network security model often doesn’t meet the security or user experience needs of modern organizations, including those that have embraced IoT in their digital transformation strategy. User and device interactions with corporate resources and services now often bypass on-premises, perimeter-based defenses. Organizations need a comprehensive security model that more effectively adapts to the complexity of the modern environment, embraces the mobile workforce, and protects their people, devices, applications, and data wherever they are.

To optimize security and minimize risk for IoT devices, a Zero Trust approach requires:

1. Secure identity with Zero Trust: Identities—whether they represent people, services, or IoT devices—define the Zero Trust control plane. When an identity attempts to access a resource, verify that identity with strong authentication, and ensure access is compliant and typical for that identity. Follow least privilege access principles.
2. Secure endpoints with Zero Trust: Once an identity has been granted access to a resource, data can flow to a variety of different endpoints—from IoT devices to smartphones, bring-your-own-device (BYOD) to partner-managed devices, and on-premises workloads to cloud-hosted servers. This diversity creates a massive attack surface area. Monitor and enforce device health and compliance for secure access.
3. Secure applications with Zero Trust: Applications and APIs provide the interface by which data is consumed. They may be legacy on-premises, lifted and shifted to cloud workloads, or modern software as a service (SaaS) applications. Apply controls and technologies to discover shadow IT, ensure appropriate in-app permissions, gate access based on real-time analytics, monitor for abnormal behavior, control user actions, and validate secure configuration options.
4. Secure data with Zero Trust: Ultimately, security teams are protecting data. Where possible, data should remain safe even if it leaves the devices, apps, infrastructure, and networks the organization controls. Classify, label, and encrypt data, and restrict access based on those attributes.
5. Secure infrastructure with Zero Trust: Infrastructure—whether on-premises servers, cloud-based virtual machines, containers, or micro-services—represents a critical threat vector. Assess for version, configuration, and just-in-time access to harden defense. Use telemetry to detect attacks and anomalies, automatically block and flag risky behavior, and take protective actions.
6. Secure networks with Zero Trust: All data is ultimately accessed over network infrastructure. Networking controls can provide critical controls to enhance visibility and help prevent attackers from moving laterally across the network. Segment networks (and do deeper in-network micro-segmentation) and deploy real-time threat protection, end-to-end encryption, monitoring, and analytics.
7. Visibility, automation, and orchestration with Zero Trust: In our Zero Trust guides, we define the approach to implement an end-to-end Zero Trust methodology across identities, endpoints and devices, data, apps, infrastructure, and networks. These activities increase your visibility, which gives you better data for making trust decisions. With each of these individual areas generating their own relevant alerts, we need an integrated capability to manage the resulting influx of data to better defend against threats and validate trust in a transaction.

Microsoft’s Edge Secured-Core program

At Microsoft, we understand Secure-by-Design and Secure-by-Default are difficult to build and even more challenging to get right. To simplify this process, we created Edge Secured-Core, a Microsoft device certification program that codifies and operationalizes the security tenets such as secure by default and Zero Trust into a clear set of requirements. Edge Secured-Core also provides tooling and assistance to our device ecosystem partners to help them build devices that meet these security requirements. We have further customized those requirements for various platforms that manufacturers use to build devices, including Microsoft-provided operating systems Windows IoT and Microsoft Azure Sphere, and ecosystem-provided operating systems based on Linux. Edge Secured-Core devices from partners including Intel, AAEON, Lenovo, and Asus can be found in the Azure Certified Device Catalog today. 

Windows IoT

Windows IoT is a platform that leverages our long history and investment in Windows security to enable more secure and reliable IoT solutions. Whether you are building devices for industrial usage, healthcare or retail sectors, or other scenarios, Windows IoT provides key capabilities to protect your devices and data from the many prevalent threats in today’s digital landscape. 

Windows IoT capabilities include:

• BitLocker, which encrypts the data stored on the device to prevent unauthorized access.
• Secure Boot, which verifies the integrity of the boot process and prevents malicious code from running.
• Code integrity, which verifies the integrity of operating system files when loaded and enforces device manufacturer policies that dictate the drivers and applications that can be loaded on the device.
• Exploit mitigations, which automatically applies several exploit mitigation techniques to operating system processes and apps (examples include kernel pool protection, data execution protection, and address space layout randomization).
• Device attestation, which proves the identity and health of the device to cloud services.

Windows IoT also offers end-to-end management and updates using the trusted Windows infrastructure, ensuring consistent and timely delivery of security patches and feature enhancements. Some versions of Windows IoT support a 10-year servicing term, allowing partners to receive updates and maintain application compatibility, reducing the risk of obsolescence and vulnerability. 

Another benefit of Windows IoT is the flexibility to run containerized workflows, including Linux, on the same device. This allows partners to use existing skills and tools, thereby optimizing performance and resource utilization. Containers provide isolation and portability, enhancing the security and reliability of applications.

Defending against threats with Microsoft Azure Sphere

Microsoft Azure Sphere is a fully managed, integrated hardware, operating system, and cloud platform solution for medium- and low-power IoT devices. It offers a comprehensive approach to secure IoT devices from chip to cloud. 

Azure Sphere devices combine a low-power Arm Cortex-A processor running a custom Linux-based operating system serviced by Microsoft with Arm Cortex-M processors for real-time processing and control. Device manufacturers can develop, deploy, and update their applications, while Microsoft independently provides operating system security updates and device monitoring. Additionally, Azure Sphere devices embed the Microsoft Pluton security architecture, providing a hardware-based root of trust and cryptographic engine. Pluton protects the device identity, keys, and firmware from physical and software attacks and enables secure boot and remote attestation. 

Azure Sphere provides deep defense by employing multiple layers of protection to mitigate the impact of potential vulnerabilities, such as secure boot, kernel hardening, and a per-application network firewall. Azure Sphere devices communicate with a dedicated cloud service, the Azure Sphere Security Service, which attests the device is running expected and up-to-date software, performs both operating system and application updates, provides error reporting, and retrieves a Microsoft signed certificate that is renewed daily.

Similar to Windows IoT, Azure Sphere also offers a 10-year term for security fixes and operating system updates for all devices, as well as an application compatibility promise that ensures existing applications will continue to run on future operating system versions. Also, supporting CISA’s secure-by-design recommendations, Azure Sphere has started enabling embedded development using Rust, a coding language designed to improve memory safety and reduce mistakes during development.⁸

Enhancing security on Linux devices

While Microsoft directly provides operating system updates for Windows IoT and Azure Sphere, Edge Secured-core provides a way of ensuring the same security tenets of secure-by-design and default principles are applicable for devices that use ecosystem-provided distributions of the Linux OS. We collaborate with Linux partner companies to ensure their distributions meet security requirements such as committing to security updates for at least five years, building in support for Secure boot, etc. Microsoft incorporates security checks to onboard operating system partners and ongoing monitoring using Microsoft security agents on these devices, thus providing confidence to customers.

Secure your IoT devices with Microsoft Defender for IoT

Next to consumers, organizations are investing in automation and smart technology to streamline operations, cyber-physical systems, once completely isolated from the network, are now converging with mainstream IT infrastructure. Microsoft Defender for IoT is a security solution that enables organizations to implement Zero Trust principles across enterprise IoT and OT devices to minimize risk and protect these mission-critical systems from threats, as their attack surface expands.⁹

Defender for IoT empowers analysts to discover, manage, and secure enterprise IoT and OT devices in their environment. With network layer monitoring, analysts get a full view of their IoT and OT device estate as well as valuable insights into device-specific details and behaviors. These insights in tandem with generated alerts help analysts protect their environment by easily identifying and prioritizing risks like unpatched systems, vulnerabilities, and anomalous behavior all from a centralized user experience.

Support for the broader IoT ecosystem

Beyond these core platforms, Microsoft provides additional programs and services to enable partners to create more secure IoT devices. For example, due to the wide range of possible configurations and hardware platforms, operating systems such as Azure RTOS place the responsibility of security more heavily on the device manufacturer. SDKs and services like Device Update for Microsoft Azure IoT Hub allow partners to add support for over-the-air software updates to their products.

Microsoft Security supports the US National Cybersecurity Strategy

Microsoft remains committed to supporting the US National Cybersecurity Strategy and helping partners effectively deliver and maintain more secure IoT solutions using powerful technology, tools, and programs designed to improve security outcomes. It is vitally important that partners focus on IoT security by prioritizing security through smart design and development practices and carefully selecting platforms and security defaults that are secure as possible to lower the cost of maintaining the security of products.

Learn more

Learn more about Microsoft Defender for IoT.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹United States National Cybersecurity Strategy, The White House. March 2023.

²Biden-⁠Harris Administration Announces Cybersecurity Labeling Program for Smart Devices to Protect American Consumers, The White House. July 13, 2023.

³Microsoft research uncovers new Zerobot capabilities, Microsoft Threat Intelligence. December 21, 2022.

⁴Uncovering Trickbot’s use of IoT devices in command-and-control infrastructure, Microsoft Threat Intelligence. March 16, 2022.

⁵IoT devices and Linux-based systems targeted by OpenSSH trojan campaign, Microsoft Threat Intelligence. June 23, 2023.

⁶Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default, CISA. April 13, 2023.

⁷Satya Nadella on Twitter. August 25, 2021.

⁸Modernizing embedded development on Azure Sphere with Rust, Akshatha Udayashankar. January 11, 2023.

⁹Learn how Microsoft strengthens IoT and OT security with Zero Trust, Michal Braverman-Blumenstyk. November 8, 2021.

The post Adopting guidance from the US National Cybersecurity Strategy to secure the Internet of Things appeared first on Microsoft Security Blog.

With industry-leading AI, Microsoft synthesizes 65 trillion signals a day across many types of devices, apps, platforms, and endpoints—allowing for an unparalleled view of the evolving threat landscape.¹

We recently announced the Microsoft Supply Chain Platform, an open, flexible, and collaborative platform designed to address the needs of supply chain leaders. This is done by enabling end-to-end visibility and control of processes and data across new or existing supply chain management and enterprise resource planning solutions.

Microsoft Security solutions are a key part of this platform. A cybersecurity breach can lead to operational disruptions, reputational damage, financial losses for companies involved in the supply chain, and even lead to loss of life in the case of critical industries like manufacturing, healthcare, energy, and transportation. That’s why it’s essential for organizations to invest in advanced security solutions to protect their supply chains.

According to Gartner, “By 2025, 60 percent of organizations will use cybersecurity risk as a significant determinant in conducting third-party transactions and business engagements.”²

Find out more about Microsoft Defender for IoT, Microsoft Entra and the rest of our Microsoft Security solutions that play a critical role in securing your supply chains at Hannover Messe, from April 17 to 21, 2023, at the Microsoft Stand, Hall 17. Explore how to interact with us while there and register for Microsoft’s “Supply Chain Reimagined at Hannover Messe” session on April 19, 2023, during the event. We hope to see you there! 

Cloud-powered security with Microsoft Defender for IoT

IoT and OT devices proliferate throughout supply chains, hence why IoT and OT security solutions are an essential component of supply chain security. These solutions protect connected devices and systems, which can be vulnerable to attacks that seek to disrupt operations or, often, move laterally into IT environments to steal data or intellectual property.

IoT and OT environments have unique security challenges. Many legacy devices are unmanaged and older network monitoring systems are not familiar with IoT and OT protocols, making them unreliable. Microsoft provides a range of IoT and OT solutions, including Azure Sphere, Azure IoT Edge, and Azure Digital Twins, which enable organizations to securely connect, manage, and analyze their IoT and OT devices and systems.

Microsoft Defender IoT secures these environments, offering asset discovery, threat detection, incident response, compliance reporting, and more. Defender for IoT can be deployed on-premises or in the cloud and it integrates with Microsoft Defender, Microsoft Threat Intelligence, and Microsoft Sentinel to enable security operations center teams to collaborate more effectively and efficiently. Learn more about Defender for IoT and how a cloud-powered OT security solution delivers the best value.

“By combining Defender for IoT and Device Update for Azure IoT Hub, we’ll have the efficiency and flexibility to cover multiple use cases on more powerful hardware yet be able to protect multiple operating systems and applications on a single device.”

—Claus von Reibnitz, Managing Director for Leibherr

Secure access for suppliers and partners

IAM solutions are another critical component of supply chain security. By their very nature, supply chains include multiple organizations—such as suppliers, distributors, and retailers—whose employees and partners need to access information. Every organization must ensure that only the right users (such as employees, partners, vendors, contractors, and guests) have appropriate access at the right time.

Microsoft Entra is a cloud-based solution that offers complete identity and access management services for organizations. The granular authorization policies of Microsoft Entra ensure that only approved users and devices can access sensitive data and systems. This includes support for multifactor authentication with phishing-resistant systems and passwordless technologies. Microsoft Entra also integrates with other Microsoft services, such as Microsoft 365 and Microsoft Dynamics 365, for a seamless and secure experience for users accessing these services.

“We concluded that it would be much safer and more productive for us to understand and enjoy cloud services like Microsoft 365 and Microsoft Azure rather than taking the risks in maintaining our own systems.”

—Keita Nakano, Deputy Chief of Information Planning, Nissin Foods

One of the key advantages of Microsoft Security solutions in the Microsoft Supply Chain Platform is their ability to operate with other Microsoft products and services. For example, IAM solutions such as Microsoft Azure Active Directory (part of Microsoft Entra) can be integrated with other Microsoft Cloud services, such as Microsoft 365 and Dynamics 365. IoT and OT solutions can also be integrated with other Microsoft services, such as Azure AI and Azure Analytics, to enable organizations to gain insights into their IoT and OT data and use these insights to improve supply chain operations.

Another advantage of Microsoft Security solutions is their flexibility. These solutions can be deployed in a variety of environments, including on-premises, cloud, and hybrid environments. This allows organizations to choose the deployment model that best meets their specific security and compliance requirements. Microsoft Security solutions also offer advanced threat protection capabilities that use machine learning and AI to detect and respond to threats in real time, reducing the risk of data breaches and other cyberthreats.

In addition to IAM and IoT and OT solutions, data protection, compliance and governance, and security analytics help organizations protect their sensitive data, ensure compliance with regulations and standards, and gain insights into their security posture.

Cybersecurity breaches can significantly impact supply chains and contribute to the ongoing disruptions we face in meeting partner and customer needs. However, organizations can mitigate the risks by investing in advanced security solutions with Microsoft Security. With the ability to integrate with other Microsoft products and services, deploy in a variety of environments, and provide advanced threat protection capabilities, Microsoft Security solutions include a comprehensive set of tools and services for securing supply chains and ensuring the continuity of operations.

Learn more about cybersecurity and resiliency for supply chains

Get details on Microsoft Security solutions, including Microsoft Defender for IoT and our multicloud, identity and access capabilities with Microsoft Entra. And to dive deeper into Microsoft Security solutions, join us on April 13, 2023, for Microsoft Secure Technical Accelerator. Engage with our product and engineering teams through a live question and answer during each session, learn best practices, build community with your security peers, and get prescriptive technical guidance that will help you and your organization implement our comprehensive security solutions, Save the date and RSVP for event updates.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹Microsoft Security reaches another milestone—Comprehensive, customer-centric solutions drive results, Vasu Jakkal. January 25, 2023.

²Gartner Unveils the Top Eight Cybersecurity Predictions for 2022-23, Gartner. June 21, 2022.

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

The post Improve supply chain security and resiliency with Microsoft   appeared first on Microsoft Security Blog.

It is with great pleasure that we announce the general availability (GA) of the Microsoft Defender for IoT cloud-managed platform, which lets businesses interconnect their OT environment without compromising security. Powered by Microsoft’s scalable, cost-effective cloud technology, Defender for IoT helps you manage assets, track emerging threats, and control risks across enterprise and mission-critical networks—both in connected and air-gapped environments. In this blog, we’ll look at today’s connected OT environment, including the advantages of cloud-managed security and how a converged security operations center (SOC) can offer advantages over the traditional siloed approach.

Why choose a cloud-powered solution for IoT and OT security?

The proliferation of connected devices—everything from manufacturing systems, heating, ventilation, and air conditioning (HVAC), and building management systems (BMS) to heavy machinery for mining, drilling, and transportation—means that OT security solutions require speed, accuracy, and context on a massive scale. In the December 2022 issue of our Cyber Signals threat brief, Microsoft identified unpatched, high-severity vulnerabilities in 75 percent of the most common industrial controllers used in our customers’ OT networks. Even using ordinary Internet of Things (IoT) devices like printers and routers, attackers can breach and move laterally through an IT system, installing malware and stealing sensitive intellectual property. Cloud-powered IoT and OT security solutions offer several advantages over traditional solutions:

• Discovery of assets end-to-end: Asset profiling involves analyzing network signals to discover and categorize network assets, the information collected about those assets, and the types of assets they represent. Profiling in the cloud is driven by an extensive collection of classifiers, allowing for high-fidelity categorization into categories such as servers, workstations, mobile devices, and IoT devices. Monitoring and analyzing potential security risks can be done once the assets have been classified properly. This is critical for protecting an organization’s networks, as vulnerabilities or misconfigurations in any asset can create a potential entry point for attackers. By identifying and mitigating these risks, organizations can ensure that their infrastructure is secure and protects sensitive information.
• Detect and respond to threats as they occur in real-time: Reduce response times from days to minutes by detecting and responding to threats as they occur. Through collaboration between defenders from different industries, we can share best practices and information to better protect against emerging threats. By leveraging collective knowledge, defenders can stay ahead of malicious actors and respond to incidents as they occur. As a result, a cloud-powered OT solution can help prevent breaches and minimize their effects. For instance, by detecting malicious activity on a network or a suspicious login attempt, security analysts can respond immediately to prevent a breach or limit its extent.
• Defend against known and unknown threats: Microsoft AI and machine learning alerts provide real-time detection of threats, as well as automated responses to known or unknown attacks. These alerts are designed to help security teams quickly identify and investigate suspicious activity, then take the necessary steps to protect the organization. For instance, a security system that monitors network activity in real-time can detect suspicious activity within minutes of it occurring, alerting security administrators to take action before the attack has a chance to succeed. 
• Compliance reports tailored to your requirements: Organizations can easily create and manage tailored compliance reports that are up-to-date, secure, and compliant with industry standards. With customizable reporting tools available in Microsoft Azure, users can obtain data from multiple sources and build robust, customized reports. Along with providing automated reporting and scheduling capabilities, Azure Workbooks provide a collaborative experience across silos.
• Workflows and integrations that leverage the cloud: Cloud-to-cloud integrations help organizations streamline workflows and easily access data from multiple sources. By connecting multiple cloud services, organizations can gain better visibility into their operations, automate processes, and reduce manual labor. Additionally, cloud-to-cloud integrations help organizations scale quickly and eliminate the need to purchase additional hardware and software. As a result, organizations can reduce costs and increase efficiency.

With any type of OT security, mean time to recovery (MTTR) provides a critical metric. A target MTTR for IT is typically between 30 minutes and two hours. However, because IoT and OT security often involves cyber physical systems used in utilities, healthcare, or energy production, every minute counts. Cloud-based OT security can make a difference by enabling real-time response rates across multiple locations. But what if you could take your security a step further by enabling a faster MTTR through a unified SOC for both IT and OT?

Unifying security efforts with a converged IT, IoT, and OT SOC

Empowering OT and IT security teams to work together helps create a unified front against evolving threats, maximizing your resources while gaining a comprehensive view of vulnerabilities. This way, a converged SOC taps into the strengths of both teams, creating a streamlined, cost-effective approach to enterprise security. By establishing common goals and key performance indicators, IT and OT security teams can work together on tabletop exercises to build cohesion. To learn more about how to empower OT and IT security teams to work together, watch our webinar, OT/IoT Enabled SOC with Microsoft Sentinel and Microsoft Defender for IoT.

The key benefits of a converged SOC include:

• Improved collaboration: Increase your team’s effectiveness in identifying and responding to threats by utilizing both IT skills and OT knowledge, creating a better understanding of potential impacts on both IT and OT systems.
• Greater visibility: Gain a complete picture of vulnerabilities across both the business and industrial sides of your organization. Then take proactive measures to prevent a breach.
• Streamlined response: Eliminate the need to transfer incidents between IT and OT teams, reducing response times. Mitigate security incidents with swift, coordinated actions to reduce potential damage.
• Strengthened compliance: Share knowledge and expertise easily to ensure that all areas of the business comply with industry regulations and standards.

Figure 1. Defender for IoT—Device inventory view.

Microsoft Defender for IoT is a unified solution for today’s converged SOC

Given the 75 percent vulnerability rate in industrial controllers, nearly every organization using OT will need to reevaluate the security posture of both its legacy equipment (brownfield; lacking security) and its newer devices (greenfield; with some built-in security).² Older network monitoring systems are not familiar with IoT and OT protocols, making them unreliable. A purpose-built solution is needed for today’s converged SOC.

With Microsoft Defender for IoT, you can achieve faster time-to-value, improve agility and scalability, increase visibility, and strengthen the resiliency of your network and infrastructure without making significant changes. The Defender for IoT cloud is designed to augment your on-premises processing power while providing a source of centralized management for global security teams—raising the bar for OT defense. Let’s walk through how a typical scenario might play out.

How Defender for IoT works—scenario:

1. A new common vulnerability and exposure (CVE) is published with information that may affect your organization’s OT devices. Even more concerning, you discover that hackers have been sharing this vulnerability widely online.
2. With Microsoft Threat Intelligence, the new CVE is ingested automatically and shared across our cloud-based security services, including Defender for IoT.
3. Using the Microsoft Azure Portal, your SOC can begin monitoring for the new vulnerability across all devices and sites.
4. Result: Securing your IoT and OT environment becomes faster and more comprehensive.

Additional scenarios where your SOC could see immediate benefit with Defender for IoT include:

• OT security and compliance audits.
• Attack surface reduction consulting.
• Tabletop exercises.

See and protect everything with Device inventory

With the GA of Defender for IoT, Device inventory now allows your SOC to confidently manage OT devices from a single pane of glass through the Microsoft Azure Portal. By supporting unlimited data sources (such as manufacturer, type, serial number, firmware, and more), Device inventory helps your security team gain a complete picture of your IoT and OT assets and proactively addresses any vulnerabilities using Microsoft’s scalable, cloud-managed platform.

Figure 2. Defender for IoT—Comprehensive view of an asset with backplane modules.

Simplified integration for end-to-end protection

To enable comprehensive protection across your enterprise, Defender for IoT easily integrates with Microsoft Sentinel. Together, Defender for IoT and Microsoft Sentinel provide security information and event management (SIEM) for both OT and IT environments. Defender for IoT also shares threat data with Microsoft 365 Defender, Microsoft Defender for Cloud, and non-Microsoft products like Splunk, IBM QRadar, and ServiceNow. This extensive and integrated ecosystem allows your converged SOC to tune alerts automatically across IoT and IT, creating baselines and custom alerts that help reduce alert fatigue.

Creating security for all—you’re invited

To learn more about how Microsoft Defender for IoT can help create a unified security solution for your converged SOC, remember to mark your calendars for the RSA Conference, April 24 to 27, 2023, and visit us at Microsoft booth 604. Register now for the special RSA Microsoft pre-day event.

Want to be among the first to see the AI-powered future of cybersecurity and the latest advances in cloud defense? Join us at Microsoft’s new digital security-only event, Microsoft Secure, on March 28, 2023.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹Industry 4.0 technologies assessment: A sustainability perspective, Chunguang Bai, Patrick Dallasega, Guido Orzes, and Joseph Sarkis. November 2020.

²The convergence of IT and OT: Cyber risks to critical infrastructure on the rise, Microsoft. December 2022.

³Someone tried to poison a Florida city by hacking into the water treatment system, sheriff says, Amir Vera, Jamiel Lynch, and Christina Carrega. February 8, 2021.

The post Leverage cloud-powered security with Microsoft Defender for IoT appeared first on Microsoft Security Blog.

OT is a combination of hardware and software across programmable systems or devices that interact with the physical environment (or manage devices that interact with the physical environment). Examples of OT can include building management systems, fire control systems, and physical access control mechanisms, like doors and elevators.

With increasing connectivity across converging IT, OT, and IoT increasing, organizations and individuals need to rethink cyber risk impact and consequences. Similar to how the loss of a laptop or modern vehicle containing a homeowner’s cached Wi-Fi credentials could grant a property thief unauthorized network access, compromising a manufacturing facility’s remotely connected equipment or a smart building’s security cameras introduces new vectors for threats like malware or industrial espionage.

With more than 41 billion IoT devices across enterprise and consumer environments expected by 2025—according to International Data Corporation (IDC) research¹—devices such as cameras, smart speakers, or locks and commercial appliances can become entry points for attackers.

As OT systems underpinning energy, transportation, and other infrastructures become increasingly connected to IT systems, the risk of disruption and damage grows as boundaries blur between these formerly separated worlds. Microsoft has identified unpatched, high-severity vulnerabilities in 75 percent of the most common industrial controllers in customer OT networks, illustrating how challenging it is for even well-resourced organizations to patch control systems in demanding environments sensitive to downtime.

For businesses and infrastructure operators across industries, the defensive imperatives are gaining total visibility over connected systems and weighing evolving risks and dependencies. Unlike the IT landscape of common operating systems, business applications, and platforms, OT and IoT landscapes are more fragmented, featuring proprietary protocols and devices that may not have cybersecurity standards. Other realities affecting things like patching and vulnerability management are also factors.

While connected OT and IoT-enabled devices offer significant value to organizations looking to modernize workspaces, become more data-driven, and ease demands on staff through shifts like remote management and automation in critical infrastructure networks, if not properly secured, they increase the risk of unauthorized access to operational assets and networks.

David Atch, Microsoft Threat Intelligence, Head IoT and OT Security Research, highlights in this edition’s profile that to address IT and OT threats to critical infrastructure, organizations must have full visibility into the number of IT, OT, and IoT devices in their enterprise, where or how they converge, and the vital data, resources, and utilities accessible across these devices. Without this, organizations face both mass information disclosure (such as leaked production data of a factory) and the potential elevation of privilege for command and control of cyber-physical systems (such as stopping a factory production line). He shares additional insights in the Cyber Signals digital briefing where we take a deeper dive into wider risks that converging IT, IoT, and OT systems pose.

Securing IoT solutions with a Zero Trust security model starts with non-IoT specific requirements—specifically ensuring you have implemented the basics to securing identities and their devices and limiting their access. These requirements include explicitly verifying users, having visibility into the devices on the network, and real-time risk detections. 

Learn more

Read the third edition of Cyber Signals today.

We hope these resources are helpful in understanding and managing this evolving risk. To learn more about IT, OT, and IoT threats and explore the latest cybersecurity insights and updates visit Security Insider.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

¹The Growth in Connected IoT Devices is Expected to Generate 79.4ZB of Data in 2025, According to a New IDC Forecast, Business Wire. June 18, 2019.

The post Cyber Signals: Risks to critical infrastructure on the rise appeared first on Microsoft Security Blog.

What is the S2C2F?

We built the S2C2F as a consumption-focused framework that uses a threat-based, risk-reduction approach to mitigate real-world threats. One of its primary strengths is how well it pairs with any producer-focused framework, such as SLSA.¹ The framework enumerates a list of real-world supply chain threats specific to OSS and explains how the framework’s requirements mitigate those threats. It also includes a high-level platform- and software-agnostic set of focuses that are divided into eight different areas of practice:

Each of the eight practices are comprised of requirements to address the threats and reduce risk. The requirements are organized into four levels of maturity. We have seen massive success with both internal and external projects who have adopted this framework. Using the S2C2F, teams and organizations can more efficiently prioritize their efforts in accordance with the maturity model. The ability to target a specific level of compliance within the framework means teams can make intentional and incremental progress toward reducing their supply chain risk.

Each maturity level has a theme represented in Levels (1 to 4). Level 1 represents the previous conventional wisdom of inventorying your OSS, scanning for known vulnerabilities, and then updating OSS dependencies, which is the minimum necessary for an OSS governance program. Level 2 builds upon Level 1 by leveraging technology that helps improve your mean time to remediate (MTTR) vulnerabilities in OSS with the goal of patching faster than the adversary can operate. Level 3 is focused on proactive security analysis combined with preventative controls that mitigate against accidental consumption of compromised or malicious OSS. Level 4 represents controls that mitigate against the most sophisticated attacks but are also the controls that are the most difficult to implement at scale—therefore, these should be considered aspirational and reserved for your dependencies in your most critical projects.

The S2C2F includes a guide to assess your organization’s maturity, and an implementation guide that recommends tools from across the industry to help meet the framework requirements. For example, both GitHub Advanced Security (GHAS) and GHAS on Azure DevOps (ADO) already provide a suite of security tools that will help teams and organizations achieve S2C2F Level 2 compliance.

The S2C2F is critical to the future of supply chain security

According to Sonatype’s 2022 State of the Software Supply Chain report,² supply chain attacks specifically targeting OSS have increased by 742 percent annually over the past three years. The S2C2F is designed from the ground up to protect developers from accidentally consuming malicious and compromised packages helping to mitigate supply chain attacks by decreasing consumption-based attack surfaces. As new threats emerge, the OpenSSF S2C2F SIG under the Supply Chain Integrity Working Group, led by a team from Microsoft, is committed to reviewing and maintaining the set of S2C2F requirements to address them.

Learn more

View the S2C2F requirements or download the guide now to see how you can improve the security of your OSS consumption practices in your team or organization. Come join the S2C2F community discussion within the OpenSSF Supply Chain Integrity Working Group.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

¹Supply chain Levels for Software Artifacts (SLSA).

²8^th Annual State of the Software Supply Chain Report, Sonatype.

The post Microsoft contributes S2C2F to OpenSSF to improve supply chain security appeared first on Microsoft Security Blog.

Subsequently, we did a survey to understand the top concerns around the security of IoT devices, and we shared the findings in a previous blog about best practices for managing IoT security concerns. The following list summarizes the top security concerns from companies that have adopted IoT solutions:

• Ensuring data privacy (46 percent).
• Ensuring network-level security (40 percent).
• Security endpoints for each IoT device (39 percent).
• Tracking and managing each IoT device (36 percent).
• Making sure all existing software is updated (35 percent).
• Updating firmware and other software on devices (34 percent).
• Performing hardware/software tests and device evaluation (34 percent).
• Updating encryption protocols (34 percent).
• Conducting comprehensive training programs for employees involved in IoT environment (33 percent).
• Securely provisioning devices (33 percent).
• Shifting from device-level to identity-level control (29 percent).
• Changing default passwords and credentials (29 percent).

To help address these concerns, Microsoft is thrilled to announce today the general availability of the extension of our Secured-core platform to IoT devices along with new Edge Secured-core certified devices from our partners Aaeon, Asus, Lenovo and Intel in the Azure certified device catalog. We have added this new device certification for our Edge Secured-core platform so customers can more easily select IoT devices that meet this advanced security designation.   

As outlined in Microsoft’s Zero Trust paper, a key investment, especially around new devices, is to choose devices with built-in security. Devices built with Azure Sphere benefit from industry-leading built-in security, with servicing by Microsoft.

Announcements for Edge Secured-core

Edge Secured-core is a certification in the Azure Certified Device program for IoT devices. Devices that have achieved this certification provide enterprises the confidence that the devices they’re purchasing deliver the following security benefits:

• Hardware-based device identity: In addition to the various security properties that a hardware-based device identity provides, this also enables the use of the hardware-backed identity when connecting to Azure IoT Hub and using the IoT Hub device provisioning service.  
• Capable of enforcing system integrity: Using a combination of processor, firmware, and OS support to facilitate measurement of system integrity to help ensure the device works well with Microsoft Azure Attestation.
• Stays up-to-date and is remotely manageable: Receives the necessary device updates for a period of at least 60 months from the date of submission.
• Provides data-at-rest encryption: The device provides built-in support for encrypting the data at rest using up-to-date protocols and algorithms.
• Provides data-in-transit encryption: IoT devices such as gateways, which are often used to connect downstream devices to the cloud, need inherent support for protecting data in transit. Edge Secured-core devices help support up-to-date protocols and algorithms that are used for data-in-transit encryption.
• Built-in security agent and hardening: Edge Secured-core devices are hardened to help reduce the attack surface and include a built-in security agent to help secure from threats.

In addition to addressing many of the top concerns that we’ve heard from customers around the security of their IoT devices, our data shows that Secured-core PCs are 60 percent more resilient to malware than PCs that don’t meet the Secured-core specifications. We’ve brought the learnings from Secured-core PCs to define the requirements for Edge secured-core devices.

Today, we’re excited to announce the availability of Windows IoT Edge Secured-core devices available in the Azure Certified Device catalog.

Additionally, Microsoft invests with semiconductor partners to build IoT-connected industry-certified MCU security platforms that align with Microsoft’s security standards.  

Get started with Microsoft Security

Email us to request a call for more information about Azure Sphere, Edge Secured-core devices, or industry-certified devices. Learn more about Azure IoT security.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Securing your IoT with Edge Secured-core devices appeared first on Microsoft Security Blog.

• Ensuring data privacy (46%).
• Ensuring network-level security (40%).
• Security endpoints for each IoT device (39%).
• Tracking and managing each IoT device (36%).
• Making sure all existing software is updated (35%).
• Updating firmware and other software on devices (34%).
• Performing hardware/software tests and device evaluation (34%).
• Updating encryption protocols (34%).
• Conducting comprehensive training programs for employees involved in IoT environment (33%).
• Securely provisioning devices (33%).
• Shifting from device-level to identity-level control (29%).
• Changing default passwords and credentials (29%).

Figure 1: Types of IoT security.

The importance of security for IoT

Rewinding back to 2016, a major Distributed Denial of Service (DDoS) attack took place on a major internet service provider, impacting multiple websites and their customers. Why? Thousands of users failed to change the default passwords on their connected devices, providing an opportunity for attackers to form a botnet attack. Consequences? Detrimental. Fast-forwarding to the more recent years, security in IoT is finally starting to gain attention due to the realization of the impact any attack has on organizations and users. As outlined in Microsoft’s Zero Trust paper, below are some of the many consequences of IoT breaches:

• Operation and revenue impact due to potential changes in production, quality, and core business.
• Customer impact due to changes in product and service experience and reputation.
• Regulation impact due to non-compliance with government and industry-wide regulations.

Design lifecycle and risk diligence

Microsoft provides numerous tools, services, and capabilities that address IoT Security concerns, while also providing effective solutions to mitigate top IoT Security issues.

When designing an IoT solution, it is important to understand the potential threats within the design. This will provide an opportunity to integrate security and risk diligence in each step of the design lifecycle, as well as harden and maintain your solution’s security protocols. First step is understanding how to secure your IoT environment. Second step is identifying and mitigating potential security issues within your design. Third step is maintaining a security maturity model that allows you to track and manage the maturity of your design’s information security management. Finally, fourth step is following Microsoft’s Zero Trust principles to mitigate top security concerns.

Top properties of a highly secured IoT environment (device security)

Building a secure IoT solution is not an easy task. However, following the most studied and recommended principles and practices will provide you with the necessary tools needed to achieve optimal security within the design. Refer to Figure 2 for the top seven properties utilized within all highly secured and connected devices: hardware-based root of trust, small trusted computing base, defense in depth, compartmentalization, certificate-based authentication, renewable security, and failure reporting.

Figure 2: Top properties of highly secure devices.

For a deep dive on each of the seven properties, please read the Seven Properties of Highly Secure Devices.

Threat modeling

When designing an IoT solution, one must understand the potential threats that accompany that solution and identify the best protocols to defend the solution from such threats. Starting the design of a solution with security as a top aspect will help with this process. This is why Microsoft offers the Threat Modeling Tool, which is a key aspect of Microsoft Security Development Lifecycle. The tool encompasses five major steps in the security lifecycle: define, diagram, identify, mitigate, and validate. Additionally, the tool enables users to share information about their systems’ security designs, analyze designs for security issues, and provide mitigation suggestions for the identified issues.

For more details on the Threat Modeling Tool, please visit Microsoft Security Development Lifecycle Threat Modeling.

For information on Microsoft Security Development Lifecycle, please visit Microsoft Security Development Lifecycle.

Security Maturity Model (SMM)

What is SMM and how does it help? Security maturity is the measure of the understanding of the current security level, its necessity, benefits, and cost of its support. It provides a degree of confidence in the effectiveness of security implementation in meeting organizational needs, with an understanding of necessity, benefits, and costs:

• Builds on existing maturity models, frameworks, and concepts.
• Provides a holistic solution addressing process, technology, and operations.
• Provides actionable guidance for specific IoT scenarios.
• Connects maturity with control frameworks, best practices, and other guidance.
• Enables IoT providers to invest appropriately in security mechanisms to meet their requirements.

To help prioritize IoT Zero Trust investments, you can use the Industry IoT Consortium’s (IIC) IoT Security Maturity Model to help assess the security risks for your business.

Zero Trust principles and best practices for end-to-end security

When designing an IoT solution, it is extremely important to identify and understand potential threats to that solution. To help with this process, Microsoft established five Zero Trust principles that encourage defense in depth procedures and provide clear guidelines on achieving optimal security within IoT solutions.

Our customers and partners have IoT security-related concerns, such as ensuring data privacy and maintaining a solid process for changing default passwords. To address these concerns, we apply the Zero Trust principles within our products and services. The following sections are linked to our Well-Architectured Framework for IoT security, which expands on many of the Microsoft products and services that provide highly secured protocols for IoT solutions.

Strong identity

The first pillar of Zero Trust principles is having a strong identity for IoT devices. Maintaining a strong identity within your IoT ecosystem can be achieved using a variety of processes and protocols. To name a few, having a hardware root of trust, strong authentication and authorization protocols, and renewable credentials are great steps towards mitigating the top identity concerns.

Least-privileged access

In addition to the strong identity provided by integrated devices and services, Zero Trust requires least-privileged access control to limit any potential blast radius from authenticated identities that may have been compromised or running unapproved workloads. From access control policies and protocols to strong authentication mechanisms, Microsoft has its customers covered with a strong list of services such as Microsoft Azure Sphere, which securely connects microcontroller unit (MCU)-powered devices from the silicon to the cloud, while implementing least-privilege access by default.

Additionally, Microsoft provides a wide variety of training programs and resources to anyone interested in or working in an IoT environment. From Cybersecurity 101 training to Cybersecurity Awareness Month, employees can benefit from Microsoft’s implementations for IoT and operational technology (OT) security. For a full list of Microsoft Security trainings and programs, please read #BeCyberSmart—When we learn together, we’re more secure together.

Device health

Maintaining a device’s health means regularly running scans that provide effective information such as potential threats, vulnerabilities, weakened passwords, and anomalous behaviors. A trusted device must be continuously verified for its health, and such scans will enable such verification and ensure that only trusted and verified devices can access the larger IoT ecosystem. Microsoft tools such as Microsoft Defender for IoT and Microsoft Sentinel will help your organization track and manage its IoT devices and perform the necessary tests and evaluations to understand where your devices’ health stands.

Continual updates

To maintain IoT device health, continuous software and firmware updates are critical. A healthy target state should be identified and met at all times through centralized configuration and compliance management. Azure Device Update for IoT Hub is a great service for deploying over-the-air (OTA) updates to your IoT devices.

Security monitoring and response

Coupled with continuous monitoring for trusted device health, security monitoring and response further hardens the security of IoT devices by quickly identifying threats and providing the best mitigation protocols. Microsoft follows a defense in depth approach and offers IoT services that follow the key Zero Trust capabilities. This includes monitoring and controlling access to public endpoints, running security agents for security monitoring and detection, and incorporating response systems in all IoT devices. Tools and services like the Microsoft Defender for IoT will bring your IoT solutions one step closer to strong security.

Learn More

To learn more about strengthening your IoT security, visit Azure IoT Security.

Explore the Microsoft Zero Trust approach to comprehensive security.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Microsoft best practices for managing IoT security concerns appeared first on Microsoft Security Blog.