SEGRID Security Operations Model
Capability model for developing security operations for Operational Technology (OT) systems
Risk-based use cases for OT security monitoring
A catalogue of monitoring use cases for OT systems linked to threats.
This document proposes a risk-based approach to OT security monitoring. Use cases are presented to detect the different stages of an attack:
- Vulnerability management use cases find and fix vulnerabilities before attackers can exploit them.
- Misuse detection use cases look for signs of exploitation.
- Access monitoring use cases look for unauthorized activity by attackers who have obtained valid access.
- Access log review use cases look for unauthorized steps taken by attackers once they are inside a system.
Each of the use cases is linked to the threats it can detect. In this way, grid operators can select the most effective use cases based on a risk assessment. Use cases can be chosen to mitigate the highest risks and complement preventive measures.
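The selection step described above (use cases linked to threats, chosen to cover the highest risks within the monitoring effort an operator can afford) can be expressed as a small model. The code below is an added illustration, not material from the SEGRID catalogue or from ENCS; the threats, the likelihood and impact scores, the use case names and the effort units are all constructed for the example, and the greedy selection is one reasonable heuristic rather than a method the document prescribes.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int   # 1 (rare) .. 5 (frequent); constructed scale
    impact: int       # 1 (negligible) .. 5 (loss of grid control); constructed scale

    @property
    def risk(self) -> int:
        # Simple likelihood x impact product, as a generic risk assessment would score it.
        return self.likelihood * self.impact


@dataclass(frozen=True)
class UseCase:
    name: str
    stage: str               # attack stage the use case targets
    detects: FrozenSet[str]  # names of the threats this use case can detect
    effort: int              # relative operating effort, constructed units


# Constructed sample threats for a fictional grid operator (illustrative scores only).
THREATS: Dict[str, Threat] = {t.name: t for t in [
    Threat("unpatched-rtu-exploited-from-it", likelihood=3, impact=5),   # risk 15
    Threat("stolen-vpn-credentials-used", likelihood=4, impact=4),       # risk 16
    Threat("rogue-plc-logic-from-ews", likelihood=2, impact=5),          # risk 10
    Threat("contractor-access-not-revoked", likelihood=3, impact=2),     # risk 6
]}

# Constructed sample use cases, one or more per stage, each linked to the threats it detects.
USE_CASES: List[UseCase] = [
    UseCase("vuln-scan-ot-network", "vulnerability management",
            frozenset({"unpatched-rtu-exploited-from-it"}), effort=2),
    UseCase("ids-alerts-it-ot-boundary", "misuse detection",
            frozenset({"unpatched-rtu-exploited-from-it", "rogue-plc-logic-from-ews"}), effort=3),
    UseCase("vpn-login-anomalies", "access monitoring",
            frozenset({"stolen-vpn-credentials-used"}), effort=2),
    UseCase("weekly-access-log-review", "access log review",
            frozenset({"stolen-vpn-credentials-used", "contractor-access-not-revoked"}), effort=1),
    UseCase("plc-download-vs-change-ticket", "misuse detection",
            frozenset({"rogue-plc-logic-from-ews"}), effort=3),
]


def residual_risk(threats: Dict[str, Threat], selected: List[UseCase]) -> int:
    """Sum of risk scores of threats that no selected use case can detect."""
    covered = set().union(*(uc.detects for uc in selected))
    return sum(t.risk for t in threats.values() if t.name not in covered)


def select_use_cases(threats: Dict[str, Threat], use_cases: List[UseCase],
                     budget: int) -> Tuple[List[UseCase], int]:
    """Greedy risk-based selection: repeatedly add the affordable use case with the
    largest risk reduction per unit of effort, stopping when no affordable use case
    still reduces residual risk. Returns the chosen use cases and the residual risk."""
    selected: List[UseCase] = []
    remaining = list(use_cases)
    spent = 0
    while True:
        current = residual_risk(threats, selected)
        best, best_gain = None, 0.0
        for uc in remaining:
            if spent + uc.effort > budget:
                continue
            gain = (current - residual_risk(threats, selected + [uc])) / uc.effort
            if gain > best_gain:
                best, best_gain = uc, gain
        if best is None:
            return selected, residual_risk(threats, selected)
        selected.append(best)
        remaining.remove(best)
        spent += best.effort


if __name__ == "__main__":
    chosen, left = select_use_cases(THREATS, USE_CASES, budget=3)
    for uc in chosen:
        print(f"{uc.stage:24s} {uc.name}")
    print("residual risk:", left)
```

With an effort budget of 3 the greedy pass first takes the cheap access log review (it covers two threats at effort 1), then the vulnerability scan, and leaves the rogue PLC logic threat uncovered; raising the budget to 6 lets it add the boundary IDS use case instead and drives the residual risk to zero. The point for an operator is that the selection changes with both the risk scores and the effort available, so the linkage between use cases and threats has to be maintained as the risk assessment is updated.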
Organizing OT Security Operations Best Practices
Best practices for organizing a security operations team for Operational Technology (OT) systems
This document gathers best practices on organizing a security operations team from different ENCS members. The security operations team is the team responsible for:
- vulnerability management,
- intrusion detection and security monitoring,
- and incident analysis and response.
The document gives advice on the mission and capabilities of the team, its place in the organization, and the possibilities for outsourcing.