Critical Conflict: Microsoft Defender Antivirus Interferes with Siemens Industrial Control Systems
Siemens has encountered an unforeseen challenge: Microsoft’s antivirus solution is interfering with the operation of industrial facilities. The very software intended to safeguard corporate systems may inadvertently paralyze critical segments of production.
The source of this risk is the Microsoft Defender antivirus suite, which is used in conjunction with Siemens Simatic PCS platforms—systems that manage production lines and automate processes across sectors such as energy, raw material processing, and manufacturing.
According to Siemens’ documentation, the antivirus can, in theory, be configured to merely report the detection of suspicious files without interfering with operations. In practice, however, the reality is more complex: Defender lacks a true “monitor-only” mode in which threats are logged without triggering any action. If one selects the “ignore” setting, no alerts are displayed at all. Under any other configuration, the software may autonomously delete or quarantine files—including those essential to system functionality.
This places operators in a difficult position. They must either disable alerts along with protection—thus remaining unaware of potential threats—or enable standard settings, allowing Defender to unilaterally isolate files, which could disrupt the operation of automated systems.
Siemens warns that if the antivirus mistakenly removes critical components, portions of equipment may fail. For large-scale industrial operations, this poses significant risks: halted production lines, power delivery disruptions, and interruptions to complex technological workflows.
As Siemens and Microsoft engineers work toward a technical resolution, manufacturers are advised to assess their own risk tolerance. Companies must weigh the imperative of minimizing infection risks against the necessity of ensuring uninterrupted automated operations.
The interim recommendation is to tailor security configurations separately for distinct equipment groups. This approach aims to prevent widespread outages and reduce the chance of antivirus-related misjudgments, all without fully compromising security.
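One way to put the per-group recommendation into practice is to keep a small profile per equipment group and apply it with the Defender PowerShell cmdlets, while reporting what Defender is actually configured to do and what it has acted on. The script below is an added example and is not code from the article, from Siemens or from Microsoft; it assumes an elevated session on a Windows host that ships the Defender module (`Get-MpPreference`, `Add-MpPreference`, `Remove-MpPreference`, `Get-MpThreatDetection`), and the exclusion paths in it are placeholders, not vendor-published directories.

```powershell
# Added example, not from the article, Siemens or Microsoft.
# Assumptions: runs elevated on a Windows host with the Microsoft Defender
# PowerShell module. The exclusion paths below are PLACEHOLDERS; the real
# control-system install and project directories must come from the vendor.

# Numeric codes Get-MpPreference reports for the *ThreatDefaultAction settings.
$DefaultActionNames = @{
    0 = 'NotConfigured'; 2 = 'Clean'; 3 = 'Quarantine'; 4 = 'Allow'
    6 = 'Remove'; 8 = 'UserDefined'; 9 = 'NoAction'; 10 = 'Block'
}

# One profile per equipment group. Office hosts keep full automatic
# remediation and no exclusions; process-control hosts get exclusions only for
# the directories the automation stack cannot run without.
$GroupProfiles = @{
    'office' = @{ ExclusionPath = @() }
    'pcs'    = @{ ExclusionPath = @(
        'C:\PLACEHOLDER\ControlSystem',   # hypothetical install directory
        'D:\PLACEHOLDER\ProjectData'      # hypothetical project/runtime data
    ) }
}

function Get-DefenderPosture {
    # Snapshot of the settings that decide whether Defender acts on its own.
    $p = Get-MpPreference
    [pscustomobject]@{
        RealtimeMonitoringDisabled = $p.DisableRealtimeMonitoring
        ExclusionPaths             = @($p.ExclusionPath)
        LowThreatAction            = $DefaultActionNames[[int]$p.LowThreatDefaultAction]
        ModerateThreatAction       = $DefaultActionNames[[int]$p.ModerateThreatDefaultAction]
        HighThreatAction           = $DefaultActionNames[[int]$p.HighThreatDefaultAction]
        SevereThreatAction         = $DefaultActionNames[[int]$p.SevereThreatDefaultAction]
    }
}

function Set-EquipmentGroupProfile {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateSet('office', 'pcs')][string]$Group
    )
    $wanted  = @($GroupProfiles[$Group].ExclusionPath)
    $current = @((Get-MpPreference).ExclusionPath)

    # Add only the paths the group profile calls for that are not already set.
    $missing = $wanted | Where-Object { $current -notcontains $_ }
    if ($missing -and $PSCmdlet.ShouldProcess('Defender exclusions', "add $($missing -join ', ')")) {
        Add-MpPreference -ExclusionPath $missing
    }
    # The profile is the single source of truth: drop exclusions it does not
    # list, so a host moved from 'pcs' to 'office' does not keep blind spots.
    $stale = $current | Where-Object { $wanted -notcontains $_ }
    if ($stale -and $PSCmdlet.ShouldProcess('Defender exclusions', "remove $($stale -join ', ')")) {
        Remove-MpPreference -ExclusionPath $stale
    }
}

function Get-RecentDefenderActions {
    # What Defender actually did recently, so operators on control hosts can
    # see whether it quarantined or removed anything the system relies on.
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    Get-MpThreatDetection |
        Where-Object { $_.InitialDetectionTime -ge $since } |
        Select-Object InitialDetectionTime, ThreatID, ActionSuccess, Resources
}

# Usage: preview the change, apply it, then review posture and recent actions.
# Set-EquipmentGroupProfile -Group pcs -WhatIf
# Set-EquipmentGroupProfile -Group pcs
# Get-DefenderPosture
# Get-RecentDefenderActions -Days 30
```

Two points worth keeping in view when using something like this: every excluded path is a place Defender will not look, so the `pcs` list should stay as short as the vendor's guidance allows and its contents should be reviewed like any other privileged setting; and `Get-RecentDefenderActions` is what tells an operator after the fact whether the engine removed something a production system depended on, which is exactly the failure the article describes.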
This incident once again underscores the intricate challenge of integrating industrial platforms with conventional IT tools. As production processes grow increasingly dependent on digital infrastructure, the issues of SCADA system reliability and cybersecurity become ever more pressing.