Microsoft Defender for IoT: Use Cases, Devices, and Setup

Microsoft Defender for IoT - Devices and Use Cases

It’s no secret that OT devices are ripe for exploitation by cybercriminals. From unencrypted connections to their inability to run security agents, these devices are prime targets.

This is why Microsoft created Defender for IoT (D4IoT). This solution offers passive, agentless monitoring that thoroughly protects these devices.

But what devices can D4IoT support?

How do you set it up?

We’ve got all the answers here.

Key takeaways:

  • D4IoT supports numerous types of OT devices, including SCADA systems, BMS, DCS, PLCs, and many more.
  • D4IoT supports countless proprietary industrial protocols, including Modbus, DNP3, BACnet, and others.
  • D4IoT can discover connected OT devices that you don’t even know about.
  • D4IoT can integrate with Microsoft Sentinel, giving you a converged and comprehensive view of OT and IT security.

What types of devices does Defender for IoT actually support?

Defender for IoT is a specialized security solution for OT (operational technology) and industrial systems. It excels at protecting devices that can’t run their own security agents due to limited computing power.

While this list isn’t exhaustive, here are the most common types of OT devices that companies choose to protect with D4IoT.

  • SCADA systems (Supervisory Control and Data Acquisition)
  • BMS (Building Management Systems)
  • DCS devices (Distributed Control Systems)
  • PLCs (Programmable Logic Controllers)
  • RTUs (Remote Terminal Units)
  • HMIs (Human-Machine Interfaces)
  • Industrial sensors and meters
  • ICS (industrial control systems)

Does D4IoT work for both managed and unmanaged devices?

Does D4IoT work for both managed (like Windows) and unmanaged devices (like a thermostat or IP camera)?

D4IoT is designed to protect OT (operational technology) devices that don’t have operating systems. As such, it isn’t the right choice to act as a security agent for laptops, desktops, and servers. Any device with an operating system should use the appropriate version of Microsoft Defender for Endpoint.

That said, note that Windows machines can help D4IoT find devices on the network that require protection by D4IoT. Windows machines can assist here even though D4IoT doesn’t act as their security agent.

Here’s a table with several common types of devices and the security tool that they should use.

Device Type | Recommended Security Solution | Why
Windows PC / Windows Server | Microsoft Defender for Endpoint | Windows endpoints are protected by MDE, not D4IoT. D4IoT alerts can be automatically correlated inside Microsoft Sentinel / Defender XDR incidents when monitored Windows computers are entities.
IP Cameras | Microsoft Defender for IoT | Agentless IoT/OT devices are secured via D4IoT network-layer monitoring.
Smart Thermostats / Building Automation | Microsoft Defender for IoT | Agentless IoT/OT devices are secured via D4IoT network-layer monitoring.
PLCs, RTUs (Industrial Controllers) | Microsoft Defender for IoT | Agentless IoT/OT devices are secured via D4IoT network-layer monitoring.
SCADA / HMI Systems | Microsoft Defender for IoT | Agentless IoT/OT devices are secured via D4IoT network-layer monitoring.
Network Devices (switches, routers that cannot run agents) | Microsoft Defender for IoT | As unmanaged OT/IoT devices, these are monitored via D4IoT’s agentless network visibility.
BYOD Mobile Phones (iOS/Android) | Microsoft Defender for Endpoint | These are managed/unmanaged IT endpoints, appropriate for MDE, not D4IoT.
Smart Sensors (temperature, vibration, environmental) | Microsoft Defender for IoT | Agentless IoT/OT devices are secured via D4IoT network-layer monitoring.

Does Defender for IoT support specific industry protocols like Modbus, DNP3, or BACnet?

Yes. One of D4IoT’s strengths is its support for the proprietary protocols found in OT devices. D4IoT supports Modbus, DNP3, BACnet, and many others. In fact, the solution is protocol-agnostic, supporting almost any industrial protocol. Here are the most common protocols that are explicitly supported.

  • MODBUS
  • DNP3
  • BACnet
  • Siemens S7
  • OPC
  • Profinet
  • IEC‑104

This broad protocol support is part of what enables D4IoT to provide deep visibility, anomaly detection, and threat monitoring across diverse industrial and operational technology networks.

How do I onboard industrial OT devices to Defender for IoT?

OT devices are not onboarded the same way as IT endpoints. With limited computational resources and locked-down and proprietary configurations, they can’t run a security agent in the same way that a laptop or server can. D4IoT provides passive monitoring of mirrored traffic, and this design dictates the onboarding process.

Here’s a quick overview of the D4IoT onboarding process for OT devices.

  1. Deploy an OT network sensor. D4IoT uses specifically designed OT sensors, which are physical or virtual machines connected to a SPAN port or network TAP. Choose between a VM appliance or a physical appliance, then connect the sensor to your chosen port, power it on, and access the local sensor UI.
  2. Onboard the sensor to D4IoT. You’ll register your sensor with your D4IoT environment through your Azure portal. Doing so will trigger asset discovery for connected devices, protocol analysis, alerts, and vulnerability insights.
  3. Verify proper device discovery. D4IoT is incredibly good at detecting OT devices on your network, but it’s a good idea to compare its list with your list of known devices (if you have one). Note: You don’t need to touch or configure the OT device itself. Discovery happens passively, which means your devices continue to function with no interruption.
  4. Configure sensor settings (optional). As needed, you can configure OT sensors from your Azure portal. You can define VLANs and subnets, specify bandwidth caps, integrate with Active Directory, and more. This is where you can implement standard settings across multiple OT sites that are monitored by the same D4IoT instance.
  5. Integrate with Sentinel or other SOC tools (optional). Microsoft makes it easy to integrate D4IoT with Sentinel/Defender XDR, its market-leading SIEM (security information and event management) and SOAR (security orchestration, automation, and response) solution. You can also integrate with third-party SOC tools. This type of integration gives you a converged canvas for monitoring and protecting both OT and IT networks.

Will D4IoT monitor legacy equipment running old OS?

Will Defender for IoT monitor my legacy OT equipment running an old operating system that can’t be patched?

Absolutely. D4IoT is a passive, agentless solution that monitors mirrored traffic to the device. This means D4IoT doesn’t actually run on the device. This design eliminates the need for OS compatibility.

In other words:

  • No software is installed on the device
  • No OS updates are required
  • Devices remain untouched and continue operating normally

As you can see, D4IoT offers a smart approach to protecting devices that can’t be updated.

Can D4IoT provide an inventory of all the OT devices on my network, including those I don’t even know I have?

Yes. D4IoT can find:

  • Devices no one documented
  • Devices that aren’t centrally managed
  • Devices that use obscure or proprietary OT protocols
  • Devices that can’t run agents or modern firmware

D4IoT automatically discovers device details and communication patterns directly from network traffic. This means it provides a full inventory of the OT devices on your network, whether they’ve been manually catalogued or not. In fact, this capability is one of the solution’s biggest strengths, as OT networks are notorious for having unknown devices connected to them.
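To make the passive, agentless model concrete, here is an added example (not Microsoft’s code and not how D4IoT is implemented) that does, in miniature, what an OT sensor does with mirrored SPAN/TAP traffic: it parses the Modbus/TCP frames it sees, builds a device inventory from them without ever contacting the device, and raises an alert when a host that is not a known engineering station sends a write command. The IP addresses, the allowlist and the sample frames are constructed for the demonstration; it covers the protocol-support section above as well as the discovery and inventory section.

```python
# Added example: passive Modbus/TCP inventory and write-command detection
# over mirrored traffic. Hypothetical hosts and constructed frames only.
import struct
from collections import defaultdict

# Modbus function codes that change controller state (coils/registers).
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

def parse_mbap(frame: bytes):
    """Return (transaction_id, unit_id, function_code) from a Modbus/TCP frame.
    MBAP header: tid(2) pid(2) length(2) unit(1), then the PDU's function code."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return tid, uid, frame[7]

def analyze(packets, allowed_writers):
    """packets: iterable of (src_ip, dst_ip, payload). Returns (inventory, alerts).
    inventory maps (dst_ip, unit_id) -> set of function codes observed on that device."""
    inventory = defaultdict(set)
    alerts = []
    for src, dst, payload in packets:
        try:
            tid, uid, fc = parse_mbap(payload)
        except ValueError as err:
            alerts.append(f"malformed Modbus from {src}: {err}")
            continue
        inventory[(dst, uid)].add(fc)  # learned passively; the device is never touched
        if fc in WRITE_FUNCTIONS and src not in allowed_writers:
            alerts.append(f"{src} -> {dst} unit {uid}: {WRITE_FUNCTIONS[fc]} "
                          f"(fc {fc}) from unexpected host")
    return dict(inventory), alerts

# Constructed sample traffic (not a real capture): an HMI reading, an unknown host writing.
SAMPLE = [
    ("10.0.1.10", "10.0.1.50", bytes.fromhex("0001000000060103000A0002")),  # read 2 registers
    ("10.0.1.10", "10.0.1.50", bytes.fromhex("00020000000601010000000A")),  # read 10 coils
    ("10.0.9.77", "10.0.1.50", bytes.fromhex("0003000000060106000100FF")),  # write register
    ("10.0.9.77", "10.0.1.51", bytes.fromhex("000400000003")),              # truncated frame
]

if __name__ == "__main__":
    inv, found = analyze(SAMPLE, allowed_writers={"10.0.1.20"})  # 10.0.1.20: engineering station
    print(inv)
    print("\n".join(found))
```

The allowlist stands in for the baseline a sensor learns during its learning period; anything that is not in the baseline becomes an alert for an analyst to triage rather than an automatic block, which matches the passive role of the OT sensor.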

How do I respond to an OT security incident using Defender for IoT?

Unlike IT incidents, OT incidents often involve industrial controllers, HMIs, PLCs, safety systems, and sensitive physical processes. Defender for IoT provides OT‑specific alerting, investigation tools, and integrations with Microsoft Sentinel to facilitate an appropriate response.

Here’s what the process looks like in detail.

  1. Review the OT alert. You can open the alert directly from the Alerts page in D4IoT or from a Sentinel incident if you’ve integrated D4IoT with Sentinel.
  2. Investigate the OT alert. Examine communication patterns and impacted devices. Establish the scope and timeline of the activity and determine whether it is malicious or operational. If you’ve integrated D4IoT with Sentinel, check Sentinel for any IT alerts that correlate with these signals to form a larger pattern.
  3. Contain the OT threat. Depending on the nature of the threat, you may need to block hostile IP addresses, isolate affected devices, and/or disable compromised accounts if the attack involves identity and access. OT sensors don’t actively block traffic, so you’ll need to use things like firewalls, network segmentation, and Sentinel automation playbooks to contain the threat.
  4. Eliminate the threat. Exact actions will depend on the type of threat and the nature of the affected device(s). Common actions include removing malicious configurations from devices and stopping rogue communications. Due to the limitations of OT devices, you may need to coordinate with plant floor operations to eliminate a threat completely.
  5. Document and close the incident. Gather and record as much information as possible so you can learn from it. Document what happened, which assets were affected, the root cause, response steps, and takeaways for preventing similar incidents in the future.
  6. Harden security measures. Use everything you learned from the incident to identify stronger security measures that may prevent similar incidents. Network segmentation (to include adopting the Purdue model of OT network stratification) and enhanced monitoring are common measures to implement or improve after an incident.

The takeaway: Don’t wait to protect your OT devices

The threats against OT devices are too significant to ignore. Microsoft Defender for IoT can solve these problems, but you need the resources to implement, integrate, and manage the tool. If you need assistance with OT security, Corsica Technologies can help. We’re a long-standing and proven Microsoft Solutions Partner for Security with specializations in Cloud Security, Identity and Access Management, and Threat Protection, and a member of the Microsoft Intelligent Security Association (MISA). We’ve helped 1,000+ clients achieve their goals with technology. Contact us today, and let’s take the next step in your OT journey.

John Joyner
John is Senior Director of Technology at Corsica Technologies. Awarded Microsoft MVP for 18 years (2007-2026), he is currently dual-awarded in Azure Management and Cloud Security. He is a certified Azure Solutions Architect Expert and Microsoft Cybersecurity Architect Expert. John co-authored the four books in the industry-standard reference series, System Center Operations Manager: Unleashed (Sams publishing). His most recent book ‘Azure Arc-Enabled Kubernetes and Servers’ was published by Apress. Specialties include Microsoft Sentinel/Defender XDR, Security Copilot, Defender for Cloud, Defender for IoT, Azure Monitor, and Azure Arc. He is a retired U.S. Navy Lt. Commander who served as Chief of Network Operations for NATO southern region and national Network Security Officer for the Navy Bureau of Personnel.