Analysis Summary
# Best Practices: Microsoft Defender Configuration for SIMATIC PCS 7 / PCS neo
## Overview
These practices address a critical limitation in Microsoft Defender Antivirus (MDAV) within Industrial Control Systems (ICS) environments. Specifically, MDAV lacks a native "Alert only" mode. Current GPO settings recommended in previous documentation either silently ignore threats (no alert, no action) or quarantine/delete files. In an OT environment, silent ignoring allows malware to persist, while quarantine can lead to system crashes and loss of plant control.
## Key Recommendations
### Immediate Actions
1. **Conduct a Risk Assessment:** Evaluate the trade-off between "Operational Availability" (ignoring threats) and "System Integrity" (blocking threats).
2. **Audit Current GPO Settings:** Check if the GPO "Specifying threat alert levels at which no default action should be taken" is set to "Ignore" (6).
3. **Identify Critical Assets:** Map out which SIMATIC PCS 7 or PCS neo nodes are most sensitive to file locking/quarantine (e.g., OS Servers, Batch Servers).
### Short-term Improvements (1-3 months)
1. **Device Clustering:** Segment devices into categories based on their function and risk profile. Apply different MDAV behaviors per cluster rather than a blanket policy.
2. **Compensating Controls:** If choosing the "Ignore" setting to prioritize availability, implement secondary security measures (e.g., network intrusion detection, strict USB lockdowns, or application allowlisting).
3. **Enhanced Monitoring:** If using the "Ignore" setting, ensure logs are being captured at the endpoint level via Windows Event Logs, as standard MDAV/SMMC alerts will not trigger.
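The GPO audit in "Immediate Actions" step 2 and the endpoint-level log capture recommended above can be combined in one script. The following PowerShell is an added example, not Siemens or Microsoft code; it assumes the GPO is stored under the registry policy key named in the script (value name = threat severity level, value data = action code, with `6` = Ignore as stated on this page) and that MDAV writes detections to its Operational event log even when the configured action is Ignore.

```powershell
# Added example (not from the Siemens documentation): report which threat
# severity levels this node silently ignores, then list recent Defender
# detection events so an "Ignore" node still yields a reviewable record.
# Assumption: the GPO "Specifying threat alert levels at which no default
# action should be taken" is persisted under this policy key.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction'
$SeverityName = @{ '1' = 'Low'; '2' = 'Medium'; '4' = 'High'; '5' = 'Severe' }   # assumed level codes
$ActionName   = @{ 2 = 'Quarantine'; 3 = 'Remove'; 6 = 'Ignore' }               # 6 = Ignore (per page)

function Get-MdavDefaultActionPolicy {
    if (-not (Test-Path $PolicyKey)) { return @() }   # policy Not Configured: MDAV defaults apply
    $item = Get-ItemProperty -Path $PolicyKey
    foreach ($p in $item.PSObject.Properties | Where-Object { $SeverityName.ContainsKey($_.Name) }) {
        $code = [int]$p.Value
        [pscustomobject]@{
            Severity     = $SeverityName[$p.Name]
            Action       = if ($ActionName.ContainsKey($code)) { $ActionName[$code] } else { "Code $code" }
            SilentIgnore = ($code -eq 6)   # no action AND no alert, as described above
        }
    }
}

# Defender Operational log: 1116 = threat detected, 1117 = action taken,
# 1118/1119 = action failed. Assumed to be written even under "Ignore".
function Get-MdavDetectionEvents {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1116, 1117, 1118, 1119
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; Summary = ($_.Message -split "`r?`n")[0] }
    }
}

$policy = Get-MdavDefaultActionPolicy
$policy | Format-Table -AutoSize
if ($policy | Where-Object SilentIgnore) {
    Write-Warning 'This node silently ignores at least one threat level; review the detection events below.'
}
Get-MdavDetectionEvents -Hours 24 | Format-Table -AutoSize
```

Run it elevated on each PCS 7 / PCS neo node (or from a scheduled task that forwards the output to the SIEM) so that detections on "Ignore" nodes are reviewed on a schedule rather than relying on SMMC notifications that will not arrive.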
### Long-term Strategy (3+ months)
1. **Solution Monitoring:** Follow Siemens ProductCERT for updates regarding the collaboration with Microsoft to implement a native "Alert only" functionality.
2. **Centralized Security Management:** Transition toward an integrated "Managing Endpoint Security Solutions" framework as described in the Siemens document of that name [3] (see Resources).
## Implementation Guidance
### For Small Organizations
- Focus on the risk assessment. If one person manages the plant, the risk of a "silent" infection is high. Default to higher visibility/alerting for non-critical engineering stations.
### For Medium Organizations
- Utilize the **SIMATIC Management Console (SMMC)** to monitor the health of PCS 7 systems. Note that if MDAV is set to "Ignore," SMMC will not receive malware notifications. Ensure manual log reviews are scheduled.
### For Large Enterprises
- Implement **Device Clustering**. Use different GPOs for:
  - **Control Level (High Availability):** Prioritize availability; use "Ignore" together with strict compensating network controls.
  - **Supervisory/Office Level:** Prioritize security; enable quarantine/blocking to prevent lateral movement.
- Integrate endpoint logs into a **SIEM** to detect "silent" threats that MDAV might be ignoring at the OS level.
## Configuration Examples
### Risky Configuration (Current Specification)
**GPO Path:** `Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Threats`
- **Setting:** `Specifying threat alert levels at which no default action should be taken`
- **Value:** `6` (Ignore)
- **Result:** No malware action taken AND no alert generated to SIEM/SMMC.
### Alternative Configuration (High Security)
- **Setting:** Default (Not Configured) or specific actions (Quarantine/Remove).
- **Risk:** High probability of "False Positives" breaking the ICS application and causing a plant shutdown.
## Compliance Alignment
- **IEC 62443-4-2:** Requirements for malware protection and system integrity.
- **NIST SP 800-82:** Guide to Industrial Control Systems (ICS) Security.
- **CIS Controls:** Control 10 (Malware Defenses).
## Common Pitfalls to Avoid
- **Assuming "Ignore" means "Alert Only":** In MDAV, "Ignore" suppresses the notification entirely.
- **Lack of Compensating Controls:** Running with "Ignore" without secondary monitoring is equivalent to having no antivirus.
- **Automatic Updates:** Avoid applying MDAV signature updates without verifying them in a test environment, as new signatures can trigger false positives on critical Siemens binaries.
## Resources
- **Siemens ProductCERT:** hxxps[://]www[.]siemens[.]com/productcert
- **SIMATIC PCS 7 Compendium Part F:** hxxps[://]support[.]industry[.]siemens[.]com/cs/document/109988160
- **Industrial Security in SIMATIC PCS neo:** hxxps[://]support[.]industry[.]siemens[.]com/cs/document/109988873
- **Managing Endpoint Security Solutions:** hxxps[://]support[.]industry[.]siemens[.]com/cs/document/109978378