This episode examines a serious conflict between Siemens’ Simatic PCS industrial control systems and Microsoft Defender Antivirus. The absence of an “alert only” mode in Defender has created a significant operational risk for plants running Siemens’ systems. Without this functionality, operators must choose between ignoring potential malware detections—remaining unaware of infections—or allowing Defender to quarantine or delete critical files, potentially destabilizing control processes or halting operations entirely.
Siemens is actively working with Microsoft to resolve the issue. Until a fix is available, Siemens advises customers to perform risk assessments and carefully configure Defender to minimize the risk of unplanned outages. The incident underscores broader challenges in applying IT security tools within OT environments, where uptime and system availability are paramount.
The episode explores key elements of industrial cybersecurity in this context, including:
- The role of system hardening and reducing attack surfaces
- Implementing role-based access and password policies
- Using network segmentation to limit the impact of intrusions
- Adapting malware protection strategies for OT systems
- Managing updates through controlled patching processes
- Building effective incident response capabilities
This ongoing conflict between antivirus behavior and operational reliability highlights the complex balancing act required to secure ICS/OT systems. The episode draws from Siemens’ recommendations, industry best practices, and current threat intelligence to provide clear, actionable insights for professionals responsible for securing critical infrastructure.
