Setting up security monitoring for Operational Technology (OT) systems can be a daunting task. Sensors need to be placed in the OT systems to detect vulnerabilities and incidents. New types of sensors are often needed to see everything. But it is not always clear how effective the sensors are.
The sensor information then needs to be analyzed to decide whether it shows there was an incident. But many sensors just say they have seen something unusual, which gives analysts little to go on. Additional data needed for the analysis is often hard to get. Moreover, skilled analysts who can interpret the data are hard to find.
And, if the analysis shows something did happen, there needs to be a plan on how to respond. Critical parts of the SCADA system cannot be easily shut down or isolated. Responding to incidents in substations can only be done together with the engineers maintaining them.
Finally, if everything has been set up, how do you know you are monitoring the right thing? Luckily, security incidents are still rare in OT systems. Banks may get hundreds of attempted attacks per day, so they can track the effectiveness of their monitoring. As a grid operator, you do not get this kind of feedback. It is hard to tell whether you are reacting to the right alerts, or just doing busywork following up on whatever the sensors generate.
The best way to solve this is through a risk assessment. With few real attacks it is hard to know attacker methods and motivations. But most grid operators know pretty well where their OT systems are vulnerable. The monitoring activities should reduce these vulnerabilities.
The important thing to know, then, is what type of monitoring reduces which vulnerability. Luckily, a lot of experience is now available on this. Different ENCS members now have long-running deployments of different approaches, including:
• Monitoring logs with SIEM systems
• Specialized OT security sensors, such as Security Matters, Nozomi, or Cyberbit
• Host-based monitoring with anti-virus software, both centrally and at the substations
The document tries to gather these experiences in a compact form. It gives a set of five use cases to get started with OT security monitoring.