A catalogue of security monitoring and detection activities for OT systems, each linked to the threats it helps detect.
This document proposes a risk-based approach to OT security monitoring. The detection activities are grouped by the stage of an attack they are meant to catch:
- Vulnerability management activities find and fix vulnerabilities before an attacker can exploit them.
- Misuse detection activities look for signs that a vulnerability is being exploited.
- Access monitoring activities look for unauthorized access by attackers who have obtained valid credentials or access rights.
- Access log review activities look for unauthorized actions taken by attackers after they have gained access to a system.
Each detection activity is linked to the threats it can detect. This lets grid operators select the most effective activities on the basis of a risk assessment: detection activities are chosen to cover the highest risks and to complement the preventive measures already in place.
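The selection step described above can be made concrete as a small script. This is an added example, not code from the catalogue or its publisher: the threats, their likelihood and impact scores, the four activities, their threat links and their relative costs are all constructed for illustration, and the greedy "most uncovered risk per unit of effort" rule is one reasonable way to pick activities under a budget, not a method the document prescribes.

```python
"""Risk-based selection of OT detection activities (added example).

All threats, scores, activities and costs below are constructed for
illustration; they are not taken from the catalogue.
"""
from dataclasses import dataclass

# The four attack stages the catalogue's activity types correspond to.
STAGES = ("vulnerability", "exploit", "access", "post-access")


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int  # assumed 1 (rare) .. 5 (almost certain)
    impact: int      # assumed 1 (negligible) .. 5 (loss of control)

    @property
    def risk(self) -> int:
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Activity:
    name: str
    stage: str           # one of STAGES
    threats: frozenset   # names of the threats this activity can detect
    cost: int            # assumed relative effort, 1 (low) .. 5 (high)


# Constructed sample risk assessment for a small substation network.
THREATS = [
    Threat("Exploitation of unpatched HMI web interface", 4, 4),   # risk 16
    Threat("Malware on engineering workstation", 3, 5),             # risk 15
    Threat("Stolen remote-maintenance credentials", 3, 4),          # risk 12
    Threat("Insider misuse of operator account", 2, 3),             # risk 6
]

# Constructed sample catalogue entries, one per attack stage.
ACTIVITIES = [
    Activity("Vulnerability scan of HMI and SCADA servers", "vulnerability",
             frozenset({"Exploitation of unpatched HMI web interface"}), 2),
    Activity("IDS signatures for known ICS exploits", "exploit",
             frozenset({"Exploitation of unpatched HMI web interface",
                        "Malware on engineering workstation"}), 3),
    Activity("Remote-access session monitoring", "access",
             frozenset({"Stolen remote-maintenance credentials"}), 2),
    Activity("Weekly review of HMI access logs", "post-access",
             frozenset({"Stolen remote-maintenance credentials",
                        "Insider misuse of operator account"}), 1),
]


def rank_threats(threats):
    """Highest risk first; ties broken by name so the order is deterministic."""
    return sorted(threats, key=lambda t: (-t.risk, t.name))


def select_activities(threats, activities, budget):
    """Greedy selection: repeatedly take the affordable activity that covers
    the most not-yet-covered risk per unit of cost, until the budget is
    exhausted or no remaining activity adds coverage.
    Returns (names of selected activities, residual uncovered risk)."""
    risk_by_name = {t.name: t.risk for t in threats}
    uncovered = set(risk_by_name)
    selected, remaining = [], budget
    while True:
        best, best_gain = None, 0.0
        for a in activities:
            if a.name in selected or a.cost > remaining:
                continue
            gain = sum(risk_by_name[n] for n in a.threats & uncovered) / a.cost
            if gain > best_gain:
                best, best_gain = a, gain
        if best is None:
            break
        selected.append(best.name)
        uncovered -= best.threats
        remaining -= best.cost
    residual = sum(risk_by_name[n] for n in uncovered)
    return selected, residual


def stages_covered(selected, activities):
    """Which attack stages the chosen activities cover; gaps here show where
    preventive measures must carry the load on their own."""
    by_name = {a.name: a for a in activities}
    return {by_name[n].stage for n in selected}


if __name__ == "__main__":
    for t in rank_threats(THREATS):
        print(f"{t.risk:3d}  {t.name}")
    for budget in (3, 6):
        chosen, residual = select_activities(THREATS, ACTIVITIES, budget)
        print(f"budget {budget}: {chosen}, residual risk {residual}, "
              f"stages {sorted(stages_covered(chosen, ACTIVITIES))}")
```

With an effort budget of 3 the script picks the cheap log review first and then the vulnerability scan, leaving the engineering-workstation malware threat uncovered; raising the budget to 6 lets it add the IDS signatures instead and brings the residual risk to zero. The point of running it with several budgets is to see which threats stay unmonitored and therefore rely entirely on preventive controls.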