Given the current cyber threat landscape, it’s no surprise that organizations are advancing their cybersecurity protections to defend their operational technology (OT) environments. Organizations know they need to increase visibility within their OT environments, but struggle to maximize the efficacy of logs produced by equipment running in an OT environment. To effect real change and improve OT cybersecurity visibility organizations must identify log sources within their OT environments and centralize those log sources with IT security, application, network, and event logging.
Here’s how to get started:
- Don’t overlook common log sources. You can’t detect malicious activity if you don’t know what normal activity looks like in your environment. Consider forwarding the following log data to an aggregator or SIEM:
- Application and Operating System (OS) Logs from supporting IT infrastructure
- Network Infrastructure and firewalls
- HMI’s / Operator Workstations
- Time Servers
- Process Data
- Telecommunication Data
- Syslog or other data from Field Devices / Components
- Centralize whenever you have the opportunity. Centrally aggregated logs between IT and OT environments will correlate seemingly unrelated events and introduce a new level of cybersecurity intelligence to your organization. When IT and OT centralized logging is monitored inside a Security Operations Center (SOC) environment, the alerting, monitoring, and response capabilities of your cybersecurity defenders are significantly increased. With both IT and OT data sources at their fingertips, skilled analysts can quickly investigate data sources, which enables them to enumerate the tactics, techniques, and procedures (TTP) used, and possibly prevent an adversary from completing their malicious intentions.
- Address the noise. The introduction of additional log sources can be overwhelming for a SOC, especially when staffed with analysts who lack experience working within an OT environment. To help with the transition to monitoring an OT environment, SOC management should engage OT business units to better understand the data being ingested. This knowledge transfer is best performed through workshop exercises, where OT Operators and Administrators provide overviews of their responsibilities, the type of equipment managed and its purpose, and normal device communication baselines.
Cybersecurity issues affecting OT infrastructure have moved from the realm of speculation to the realm of reality, with more breaches being disclosed in the news and multiple categories of threat actors showing increased interest in OT environments. When SOCs lack visibility into their OT environments, they reduce their likelihood of identifying malicious code or actors targeting operational environments. Enterprise security must include OT network defense as a critical component of a mature cybersecurity posture. Consider your logs a first step toward maturing your OT cybersecurity monitoring.