TTechclick ⚡ XP 0% All lessons
Microsoft · Defender for IoT · Vulnerability ManagementInteractive · L1 / L2 / L3

Microsoft Defender for IoT — Vulnerability Management & Risk Assessment

OT devices carry CVEs just like servers — but you can almost never patch a PLC mid-production. Microsoft Defender for IoT matches your passive device inventory to known CVEs, scores every device by real-world risk, simulates the attack paths an adversary would walk, and lets your team record compensating controls so risk is managed even when a firmware patch is months away.

📅 2026-06-18 · ⏱ 16 min · 5 infographics · live path demo · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

How Microsoft Defender for IoT matches OT device inventory to CVEs, generates risk assessment reports, simulates attack paths, and lets OT teams prioritise with compensating controls where patching is impractical. (2026)

🎯 By the end you will be able to

Read as:

Pick where you want to start

1

Why OT is different

CVEs without patches — the OT vulnerability dilemma.

 2

CVE matching

Passive inventory meets the OT CVE database.

 3

Attack-path sim

Chain hops from IT exposure to Level 0 OT.

 4

Risk scores & controls

Prioritise by score; close with compensating controls.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. Why can't OT teams just patch CVEs the way IT teams patch servers?

Answered in Why OT is different.

2. How does Defender for IoT discover firmware versions on a PLC without installing anything on it?

Answered in CVE matching.

3. What is a compensating control in OT vulnerability management?

Answered in Risk scores & controls.

Most engineers think…

Most people assume OT vulnerability management works like IT: find a CVE, push a patch, close the ticket. That model breaks almost immediately in a substation or factory floor.

Microsoft Defender for IoT takes a different path. It builds a passive device inventory entirely from DPI of network traffic — no agents, no active scans, zero impact on fragile PLCs or RTUs — then matches that inventory to a Microsoft OT CVE database maintained by the Section 52 research team. The result is not just a list of CVEs but a risk score per device that factors in CVSS severity, network exposure, Purdue level criticality, and alert history. An attack-path simulation then shows which devices sit on the adversary's most likely route from IT exposure to a critical process. And because patching is rarely an option, the workflow ends not with 'apply patch' but with recording compensating controls — segmentation, protocol whitelisting, enhanced monitoring — that reduce effective risk without touching the device.

① Why OT vulnerability management is a different problem

A Siemens S7-300 PLC running firmware from 2017 may carry a known CVE with a CVSS score of 9.8. On a Windows server you would patch it tonight. On a PLC controlling a water treatment plant, the vendor's firmware certification process takes months, the maintenance window is a single Sunday morning per year, and an unexpected restart triggers a safety interlock. The patch may simply never happen.

This is the core tension in OT security: CVEs accumulate, patches do not arrive. Microsoft Defender for IoT is built for this reality. Because it is fully agentless — the OT network sensor watches a SPAN/mirror port or TAP and uses deep packet inspection (DPI) to read firmware versions and protocols from traffic headers — it can build an accurate device inventory and CVE match list without touching a single PLC, RTU, or HMI. No software install, no active scan, zero operational impact on fragile OT devices.

The goal of OT vulnerability management is therefore not a zero-CVE state. It is risk reduction through visibility, prioritisation, and compensating controls — knowing exactly which devices carry which CVEs, which of those sit on a dangerous attack path, and what network-based mitigations are already in place.

Legenddiagram canvasloop step boxstep titlestep detail textflow arrows & heading
Figure 1 — OT vulnerability management — the passive-first loop
Defender for IoT runs this loop continuously without touching any OT device.OT vulnerability management — the passive-first loopPassive DPIread firmware fromtrafficCVE Matchvs. Section 52 DBRisk ScoreCVSS + exposure +levelAttack Pathmap lateral hopsRemediatepatch or comp. control
Defender for IoT runs this loop continuously without touching any OT device.
Quick check · Q1 of 10 · Understand

Why is OT vulnerability management fundamentally different from patching IT servers?

Correct: b. OT devices like PLCs and RTUs control physical processes 24/7. A restart triggers safety interlocks and halts production. Vendor firmware certification adds months of delay, so CVEs accumulate without patches — compensating controls become the primary risk response.
👉 So far: OT vulnerability management = visibility without touching devices. Passive DPI discovers firmware versions and CVEs with zero operational impact on PLCs, RTUs, or HMIs.

② CVE matching & risk assessment reports — know what you're sitting on

The OT network sensor's passive inventory captures, per device: vendor, model, firmware version, OS, IP/MAC address, open protocols, and Purdue level. That identity tuple is continuously matched against the Microsoft OT CVE database — a curated feed maintained and updated by Microsoft's Section 52 OT/ICS threat research team (part of MSTIC). Section 52 focuses specifically on industrial control system vulnerabilities that general IT scanners may never carry.

The risk assessment report

From that match, Defender for IoT generates a risk assessment report listing all discovered devices with their CVE count, individual CVSS severity scores, network exposure (how many other devices can reach them), Purdue level, and any open alerts. For cloud-connected sensors the report is available in the Azure / Defender portal; for air-gapped deployments it is accessible from the OT sensor's local interface. Reports export to PDF or CSV for OT team reviews, management briefings, and compliance evidence. The key insight: a Level 1 PLC with a moderate CVE but wide network exposure may be far more dangerous than a Level 3 server with a high CVSS but tightly segmented.

Figure 2 — Risk score inputs — four layers, one number
Defender for IoT combines these four inputs into a per-device risk score for prioritisation.Risk score inputs — four layers, one numberCVE SeverityCVSS score of open vulnerabilitiesNetwork Exposurereachability from IT and peer devicesPurdue CriticalityLevel 0/1 devices weighted highestAlert Historyprior anomaly or policy alerts on this device
Defender for IoT combines these four inputs into a per-device risk score for prioritisation.
🔍
Section 52 / MSTIC
tap to flip

Microsoft's OT/ICS-focused threat research team that discovers industrial CVEs and pushes threat intelligence packages to Defender for IoT sensors — cloud auto-update or USB for air-gapped.

📊
Risk Assessment Report
tap to flip

A per-site Defender for IoT report listing all devices with CVE counts, CVSS scores, network exposure, Purdue level, and alert history — available from the Azure portal or the sensor's local interface.

🗺️
Attack-Path Simulation
tap to flip

Maps the chain of lateral-movement hops from an IT-exposed entry point to critical Level 0/1 OT devices based on observed traffic — path position matters as much as CVSS score.

🛡️
Compensating Control
tap to flip

A recorded network-based mitigation — segmentation, protocol whitelisting, port disablement, enhanced monitoring — that reduces a device's unmitigated risk score when a firmware patch is not feasible.

Report available air-gapped

For air-gapped OT sensors that cannot reach the Azure portal, the full risk assessment report — CVEs, risk scores, exposure — is available directly from the OT sensor's local management interface. You do not need cloud connectivity to run OT vulnerability management.

Quick check · Q2 of 10 · Remember

Which Microsoft team maintains the OT CVE database and pushes threat intelligence packages to Defender for IoT sensors?

Correct: c. Section 52 is Microsoft's OT/ICS-focused threat research team within MSTIC. They discover industrial CVEs and package findings into threat intelligence updates for Defender for IoT — cloud-pushed to connected sensors or available as offline packages for air-gapped deployments.
👉 So far: The passive inventory feeds a Section 52 CVE match. The risk assessment report combines CVSS, network exposure, Purdue level, and alert history — available from the sensor's local interface even air-gapped.

③ Attack-vector & attack-path simulation — where does the adversary go next?

A raw CVE list tells you what is vulnerable. Attack-path simulation tells you whether it matters. Defender for IoT uses the observed protocol traffic map — every connection the sensor has seen — to simulate the lateral-movement chain an adversary could walk from a compromised entry point to a critical OT device.

Attack-vector simulation starts at a chosen entry point (e.g. an HMI exposed to the enterprise network) and enumerates which devices are directly reachable and over which protocols. Attack-path analysis chains those hops: enterprise network → Level 3 historian via RDP → Level 2 SCADA via OPC-DA → Level 1 RTU via IEC 60870-5-104. A Level 1 RTU at the end of that chain is a critical finding even if its individual CVE score is only moderate, because it is reachable from the internet-facing enterprise network in three hops.

This reframes prioritisation: path position matters as much as CVSS score. An isolated Level 0 device with a CVSS 9 CVE but no network neighbours is lower priority than a CVSS 6 device that sits as hop 2 on a path to ten Level 1 PLCs. Attack-path simulation is how OT teams make that call without guesswork.

Figure 3 — Attack-path simulation — IT exposure to Level 1 RTU
A three-hop path from enterprise network to an RTU is critical even if each individual CVE score is moderate.Attack-path simulation — IT exposure to Level 1 RTUEnterprise netIT-exposed entry pointL3 HistorianRDP hopL2 SCADAOPC-DA hopL1 RTUIEC 104 — critical OT
A three-hop path from enterprise network to an RTU is critical even if each individual CVE score is moderate.
Figure 4 — Compensating controls — five ways to reduce OT risk without patching
When patching is impossible, these network-based controls reduce a device's effective risk score in Defender for IoT.Compensating controls — five ways to reduce OT risk without patchingOT Deviceun-patchable CVENetwork segmentProtocol whitelistDisable unused portsEnhanced monitoringSentinel SOAR ticket
When patching is impossible, these network-based controls reduce a device's effective risk score in Defender for IoT.
CVSS score alone mis-ranks OT risk

Sorting purely by CVSS gives you a list that prioritises isolated, unreachable devices over exposed, reachable ones. Always layer attack-path simulation on top of CVSS: a CVSS 6 device at hop 2 on a path to ten Level 1 PLCs is far more urgent than a CVSS 9.8 device with no network neighbours.

▶ Watch a CVE finding drive a remediation ticket end-to-end

How Defender for IoT turns a passive CVE match into a closed finding. Press Play for the healthy path, then Break it to see the classic OT gap.

① Passive DPIThe OT sensor reads the Siemens S7 firmware version from Siemens S7 protocol headers in the traffic mirror — no active scan, no impact on the PLC.
② CVE MatchThe firmware tuple is matched against the Section 52 OT CVE database. A CVSS 8.1 vulnerability is found for this exact firmware revision.
③ Attack PathAttack-path simulation shows this PLC is reachable from the enterprise network in two hops via a historian — it jumps to the top of the risk-scored device list.
④ Comp. ControlOT team applies protocol whitelisting on the Level 3.5 firewall and records the compensating control in Defender for IoT — effective risk score drops; Sentinel auto-closes the ticket.
Press Play to step through the CVE-to-remediation path. Then press Break it.
Quick check · Q3 of 10 · Apply

An attack-path simulation shows a Level 1 RTU is reachable from the enterprise network in three hops via a historian and SCADA server. The RTU's individual CVE CVSS score is 6.2. How should you prioritise it?

Correct: a. Attack-path simulation reframes prioritisation: a device reachable from the IT network in a short hop chain is high priority regardless of its individual CVSS score. Path position reflects real attacker opportunity — a moderate CVE on a reachable Level 1 RTU is more dangerous than a critical CVE on an isolated device with no network neighbours.
👉 So far: Attack-path simulation chains lateral hops from IT exposure to Level 0/1 OT devices. Path position matters as much as CVSS — a reachable moderate-CVE device is higher priority than an isolated critical one.

④ Risk-based scoring & compensating controls — act without patching

Each device in Defender for IoT carries a risk score that combines four inputs: CVE severity (CVSS) of open vulnerabilities; network exposure (reachability from other devices — especially from IT-side networks); Purdue level criticality (Level 0/1 field devices are weighted higher because they directly control physical processes); and alert history (devices that have generated behavioural or policy anomaly alerts). The portal sorts devices by this score, giving OT teams a ranked work list for the next maintenance window.

Compensating controls — close the finding without a patch

Because patching is often months or years away, Defender for IoT lets analysts record a compensating control against a CVE: network segmentation applied, protocol whitelisting configured on the Level 3.5 firewall, unused ports disabled on the adjacent switch, or enhanced monitoring active. Once recorded, the control is reflected in the risk score — the finding is not deleted, but its contribution to the unmitigated risk count drops. Integration with Microsoft Sentinel SOAR playbooks can auto-create ServiceNow or JIRA tickets for each high-risk CVE, routing the right finding to the right team (OT ops for network controls, IT for firewall rules) without manual triage.

Figure 5 — OT vulnerability management vs IT vulnerability management
The same CVE database, but a completely different response path in OT environments.OT vulnerability management vs IT vulnerability managementIT vulnerability managementScan actively — agents or networkPatch within SLA (days to weeks)Reboot acceptable — servicesRisk closed by patch deploymentOT (Defender for IoT)Passive DPI only — zero impact onPatch may take months or neverReboot = production or safetyRisk closed by compensating
The same CVE database, but a completely different response path in OT environments.

Priya Nair, OT security analyst at Bharat Power Grid Ltd. in Nagpur, faces this

A risk assessment report flags 40+ CVEs across the substation network including a high-severity Siemens S7 firmware vulnerability, but the OT ops team says patching is impossible — substations run 24/7.

Likely cause

Three RTUs at Level 1 are reachable from the IT network in three hops via a Level 3 historian that has an open RDP port, putting them on a critical attack path despite not having the highest individual CVE scores.

Diagnosis

Defender for IoT portal → Device inventory → sort by risk score → attack-path simulation shows: enterprise network → Level 3 historian (RDP) → Level 2 SCADA (OPC-DA) → Level 1 RTUs (IEC 60870-5-104). The historian's RDP exposure is the chain's weak link.

Defender portal ▸ Device inventory ▸ Risk score sort ▸ Attack-path simulation
Fix

1. Close or restrict RDP on the historian to break the attack chain (compensating control recorded). 2. Apply protocol whitelisting on the Level 3.5 firewall — allow only IEC 60870-5-104 between historian and RTUs. 3. Create a Sentinel SOAR playbook to auto-ticket any new high-risk CVE finding to the OT ops team.

Verify

Re-run attack-path simulation — the historian-to-RTU hop is no longer in the critical path. Risk assessment report shows compensating controls recorded against the S7 CVE; effective risk scores for the three RTUs drop below critical threshold.

Prove the control reduced the path

After recording a compensating control (e.g. a firewall segment), re-run attack-path simulation to confirm the hop is actually gone — not just assumed gone. The simulation uses observed traffic, so if the firewall rule was mis-configured and traffic still flows, the path will still appear. Simulation is your verification step.

Quick check · Q4 of 10 · Analyze

After recording a network-segmentation compensating control against a CVE in Defender for IoT, what changes in the risk assessment?

Correct: d. Compensating controls do not delete CVE findings — they record that a mitigation is in place, which reduces the device's unmitigated risk score. This gives OT teams an auditable record that risk is managed even without a patch, while keeping the CVE visible for future review.
👉 So far: Risk score = CVSS + exposure + Purdue criticality + alert history. Compensating controls (segmentation, protocol whitelist, monitoring) reduce the unmitigated risk score and produce an audit trail — even when patching is months away.

🤖 Ask the AI Tutor

Tap any question — instant, scoped to this lesson. No login, no waiting.

Pre-curated from vendor docs + community Q&A, scoped to this lesson. For a live prod issue, paste your export into chat.techclick.in.

📝 Wrap-up assessment — six more

You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete on your profile. Tap Submit all answers at the end.

Q5 · Remember

Which method does Defender for IoT use to discover OT device firmware versions for CVE matching?

Correct: b. Defender for IoT is fully agentless. The OT sensor monitors mirrored traffic via SPAN/TAP and reads firmware versions from OT protocol headers using DPI — no active scan, no agent, zero operational impact on devices.
Q6 · Understand

A Level 1 RTU has a CVSS 6.2 CVE. An isolated Level 3 historian has a CVSS 9.1 CVE but no network neighbours. Which device is higher priority in a risk-based OT model?

Correct: c. Defender for IoT's risk scoring combines CVSS with network exposure and path position. A reachable Level 1 RTU on a two-hop attack path from the enterprise network is higher priority than an isolated historian with a higher individual CVSS — the RTU represents real attacker opportunity.
Q7 · Apply

An air-gapped OT sensor has not received a threat intelligence update in six months. A new Section 52 CVE advisory was published last month. What happens?

Correct: d. Air-gapped sensors do not receive automatic threat intelligence updates. The CVE database stays at the last imported package version. New Section 52 advisories must be downloaded from the portal and imported via USB or file transfer — until that happens, the CVE match will not fire for the affected device.
Q8 · Analyze

After blocking RDP from the enterprise network to a Level 3 historian, an analyst records a compensating control in Defender for IoT. What is the correct next verification step?

Correct: b. Recording a compensating control is not the same as verifying it works. Re-running attack-path simulation uses the current observed-traffic map to confirm the hop no longer exists. If the firewall rule was mis-configured, the path will still appear — simulation is the verification step.
Q9 · Evaluate

An interviewer asks: 'Why does Defender for IoT use a risk score rather than just listing all CVEs sorted by CVSS?' Best answer?

Correct: b. Pure CVSS sorting is misleading in OT: it prioritises isolated high-severity findings over exposed, path-critical ones. The risk score's additional factors — network exposure, Purdue level criticality, alert history — ensure that a reachable Level 1 device on an attack path ranks ahead of an isolated high-CVE server with no network neighbours.
Q10 · Evaluate

A power utility cannot patch any OT CVEs in the next 12 months due to certification timelines. What is the correct risk management approach in Defender for IoT?

Correct: c. When patching is unavailable, compensating controls — network segmentation, protocol whitelisting, enhanced monitoring — are the primary risk response. Recording them in Defender for IoT reduces the unmitigated risk score, creates an audit trail, and keeps CVE findings visible for when a maintenance window finally opens. This is the intended OT workflow.
Lesson complete — saved to your profile.
Almost! You need 70% (7 of 10) — re-read the path that tripped you up and tap "Try again".

🧠 In your own words

Type one line: why does Defender for IoT use a risk score instead of just listing CVEs by CVSS severity? Then compare with the expert version.

Expert version: Raw CVSS ranks isolated, unreachable devices above exposed, path-critical ones — a dangerous mis-prioritisation in OT. Defender for IoT's risk score adds network exposure (how many devices can reach it), Purdue level criticality (Level 0/1 field devices weighted highest because they control physical processes), and alert history to CVSS severity. Attack-path simulation then shows which devices sit on the adversary's most likely route. The result: a Level 1 RTU reachable from the enterprise network in two hops ranks higher than an isolated SCADA server with a higher CVSS — which is exactly what you want when you have limited maintenance windows and cannot patch anything.

🗣 Teach a friend

Best way to lock it in — explain it in one line to a teammate. Tap to generate a paste-ready summary.

📖 Glossary

CVE (Common Vulnerabilities and Exposures)
A standardised identifier for a known security flaw in a specific product or firmware version, with a CVSS severity score.
CVSS
Common Vulnerability Scoring System — a 0–10 numeric severity score for a CVE, used as one input (not the only input) in Defender for IoT's risk scoring.
Section 52 / MSTIC
Microsoft's OT/ICS-focused threat research team that discovers industrial CVEs and publishes threat intelligence packages for Defender for IoT sensors.
Risk assessment report
A per-site Defender for IoT report listing all devices with CVE counts, CVSS scores, network exposure, Purdue level, and alert history for prioritised remediation.
Attack-path simulation
Analysis that chains the lateral-movement hops from an IT-exposed entry point to critical Level 0/1 OT devices based on observed protocol traffic.
Compensating control
A recorded network-based mitigation — segmentation, protocol whitelisting, enhanced monitoring — that reduces a device's unmitigated risk score when a firmware patch is not feasible.
Purdue model
A reference architecture for OT/ICS networks (Levels 0–5 + Level 3.5 IT/OT DMZ) used by Defender for IoT to classify devices and weight risk — Level 0/1 field devices rated most critical.
DPI (Deep Packet Inspection)
Parsing the full payload of network packets to extract application-layer data, including OT firmware versions and protocol details without active scanning.

📚 Sources

  1. Microsoft — Defender for IoT vulnerability management overview. learn.microsoft.com/en-us/azure/defender-for-iot/
  2. Microsoft — Create a risk assessment report for OT networks (Defender for IoT). learn.microsoft.com/en-us/azure/defender-for-iot/
  3. Microsoft — Visualize vulnerabilities — attack vector simulation in Defender for IoT. learn.microsoft.com/en-us/azure/defender-for-iot/
  4. Microsoft — Update OT threat intelligence packages on the sensor. learn.microsoft.com/en-us/azure/defender-for-iot/
  5. Microsoft Security Blog — Section 52: researching OT/ICS threats and vulnerabilities. microsoft.com/security/blog
  6. Microsoft — Manage your OT device inventory from the Azure portal (Defender for IoT). learn.microsoft.com/en-us/azure/defender-for-iot/

What's next?

Got vulnerability management? Next, see how Defender for IoT feeds CVEs and alerts into Microsoft Sentinel — OT analytics rules, SOAR playbooks, and unified IT+OT incident correlation in one SOC.

Next · All interview lessons → Practice on exam.techclick.in →