In 2017, ENCS ran a member project on monitoring the security of operational technology (OT) systems. The project delivered:

  • Best practices in organizing a security operations team
  • Use cases based on risks
  • A market survey of new security monitoring sensors
  • A training for security operations analysts

Key documents:

  • Organizing OT Security Operations – Best Practices
  • A Risk-Based Approach to OT Security Monitoring
  • Five Use cases to Get Started with OT Security Monitoring
  • OT Security Sensors – Market Survey
  • OT Security Monitoring Requirements

Organizing OT security operations teams

The project gathered best practices in organizing security operations from ENCS members. It collected experiences from all monitoring deployments and pilots at members. A whitepaper was written covering:

  • the business case for OT security operations
  • the capabilities a security operations team needs
  • staffing of the security operations team
  • collaboration between IT and OT departments
  • possibilities for outsourcing

Use cases based on risks

The project defined a set of risk-based monitoring use cases. Each use case defines all the steps needed to implement it:

  • which data should be gathered
  • how the data should be analysed
  • how analysts can respond to incidents

Each use case is also explicitly linked to the threats it mitigates. This allows grid operators to select use cases based on a risk assessment, so that analysts are not flooded by alerts.

Five use cases were selected as a starting point for setting up monitoring. They mitigate common major risks to SCADA systems and can be implemented by small teams with moderate resources.

Market survey of OT security sensors

The project performed a market survey and evaluation of new security sensors for OT. Several vendors have developed network-based sensors that can detect vulnerabilities and intrusions in OT systems. A survey was held to compare the capabilities of these sensors.

Three of the sensors were also tested in the ENCS lab:

  • Cyberbit
  • Nozomi
  • Security Matters

Based on the market survey, requirements were developed for procuring the sensors.