The claim that "SCADA is very different" is widely exaggerated: an OT network still runs on Ethernet, Windows, and TCP/IP, the same IT technologies that attackers already know how to turn against it.
From that perspective, solid OT protection requires a defense-in-depth strategy with all of its well-known layers: network, software, and hardware security.
You will often hear, from a security perspective, what you supposedly "can't" do with OT:
Because of these constraints, passive network monitoring became the first-choice security technology for OT, marketed as fast to deploy and safe for the industrial environment.
The problem is that network monitoring tools (NTA/NDR) on their own yield an inherently limited set of actionable insights: they see only what crosses the wire, not what happens on the hosts.
That is one of the reasons technology parameter monitoring was added to industrial NTA offerings, in an attempt to increase product value.
As we now know, it was the wrong direction.
NIST SP 800-82, the NIST guide to industrial control systems security, lists a number of important log events that should be continuously tracked in an industrial environment, such as:
Multiple failed login attempts
Unauthorized creation of new accounts
Unexpected remote logins (e.g., logons of individuals that are on vacation, remote login when the individual is expected to be local, remote logon for maintenance support when no support was requested)
Cleared event logs
Unexpectedly full event logs
Disabled antivirus or other disabled security controls
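As an added example (not code from the original post), the Python script below runs a detection pass for the event classes in the list above over a handful of constructed Windows Security and Defender event records, the kind of records a SIEM would receive from OT hosts. The event IDs used (4625 failed logon, 4720 account created, 4624 logon with type 3 or 10 for network/RDP, 1102 audit log cleared, 1104 security log full, Defender 5001 real-time protection disabled) are standard Windows ones; the approved-admin list, the on-leave list, the hostnames, the timestamps and the threshold values are assumptions chosen for the illustration.

```python
"""Detection rules for the NIST SP 800-82 log events discussed above.
Added example; the event records are constructed, not captured from a plant."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions for the example: who may create accounts, who is on leave,
# and what counts as a failed-logon burst.
APPROVED_ACCOUNT_ADMINS = {"svc_adprov"}
USERS_ON_LEAVE = {"j.doe"}
REMOTE_LOGON_TYPES = {3, 10}          # 3 = network, 10 = RemoteInteractive (RDP)
FAILED_LOGON_THRESHOLD = 5
FAILED_LOGON_WINDOW = timedelta(minutes=10)

# Constructed sample events (Windows Security log and Defender Operational log).
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T08:00:05", "host": "HMI-01", "event_id": 4625, "user": "operator", "src_ip": "10.10.1.50"},
    {"ts": "2024-03-01T08:00:20", "host": "HMI-01", "event_id": 4625, "user": "operator", "src_ip": "10.10.1.50"},
    {"ts": "2024-03-01T08:00:41", "host": "HMI-01", "event_id": 4625, "user": "operator", "src_ip": "10.10.1.50"},
    {"ts": "2024-03-01T08:01:03", "host": "HMI-01", "event_id": 4625, "user": "operator", "src_ip": "10.10.1.50"},
    {"ts": "2024-03-01T08:01:30", "host": "HMI-01", "event_id": 4625, "user": "operator", "src_ip": "10.10.1.50"},
    # Two isolated failures on another host: below threshold, no alert expected.
    {"ts": "2024-03-01T08:02:00", "host": "HMI-02", "event_id": 4625, "user": "operator", "src_ip": "10.10.1.51"},
    {"ts": "2024-03-01T08:30:00", "host": "HMI-02", "event_id": 4625, "user": "operator", "src_ip": "10.10.1.51"},
    # Account created by the provisioning service (approved) and by a contractor (not approved).
    {"ts": "2024-03-01T08:05:00", "host": "ENG-WS-02", "event_id": 4720, "subject": "svc_adprov", "user": "op_new"},
    {"ts": "2024-03-01T08:10:00", "host": "ENG-WS-02", "event_id": 4720, "subject": "contractor1", "user": "newadmin"},
    # RDP logon by a user who is on leave.
    {"ts": "2024-03-01T08:12:00", "host": "ENG-WS-02", "event_id": 4624, "user": "j.doe", "logon_type": 10, "src_ip": "10.10.9.77"},
    {"ts": "2024-03-01T08:15:00", "host": "HMI-01", "event_id": 1102, "user": "contractor1"},
    {"ts": "2024-03-01T08:16:00", "host": "HIST-01", "event_id": 1104},
    {"ts": "2024-03-01T08:17:00", "host": "ENG-WS-02", "event_id": 5001,
     "channel": "Microsoft-Windows-Windows Defender/Operational"},
    # Local console logon by an operator: benign.
    {"ts": "2024-03-01T09:00:00", "host": "HMI-02", "event_id": 4624, "user": "operator", "logon_type": 2},
]


def detect_failed_logon_bursts(events):
    """Rule 1: THRESHOLD or more 4625 events for one host/user inside the window."""
    alerts = []
    by_key = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625:
            by_key[(e["host"], e["user"])].append(datetime.fromisoformat(e["ts"]))
    for (host, user), times in by_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it spans at most FAILED_LOGON_WINDOW.
            while times[end] - times[start] > FAILED_LOGON_WINDOW:
                start += 1
            if end - start + 1 >= FAILED_LOGON_THRESHOLD:
                alerts.append(("failed_logon_burst", host, user))
                break
    return alerts


def detect_simple_rules(events):
    """Rules 2-6: single-event indicators from the NIST SP 800-82 list."""
    alerts = []
    for e in events:
        eid, host = e["event_id"], e["host"]
        if eid == 4720 and e.get("subject") not in APPROVED_ACCOUNT_ADMINS:
            alerts.append(("unauthorized_account_creation", host, e.get("subject")))
        elif eid == 4624 and e.get("logon_type") in REMOTE_LOGON_TYPES and e.get("user") in USERS_ON_LEAVE:
            alerts.append(("unexpected_remote_logon", host, e["user"]))
        elif eid == 1102:
            alerts.append(("event_log_cleared", host, e.get("user")))
        elif eid == 1104:
            alerts.append(("event_log_full", host, None))
        elif eid == 5001 and "Windows Defender" in e.get("channel", ""):
            alerts.append(("security_control_disabled", host, None))
    return alerts


def run_detections(events):
    """Return all alerts as (rule, host, user) tuples."""
    return detect_failed_logon_bursts(events) + detect_simple_rules(events)


if __name__ == "__main__":
    for rule, host, user in run_detections(SAMPLE_EVENTS):
        print(f"{rule:32s} host={host} user={user}")
```

Every rule here keys on host-side telemetry that never appears on a network tap: a cleared log, a full log or a disabled agent is only visible to whatever collects the endpoint's events, which is the gap a SIEM fills next to NTA/NDR.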
Passive network monitoring is only one leg of the SOC Visibility Triad (SIEM/log management, endpoint detection, network detection), so it cannot cover these events on its own; it has to be complemented with a SIEM for the security team to get enriched, actionable insights across the whole kill chain.
There are, however, a couple of issues that hold back SIEM adoption in OT:
Simply put, when planning to extend a SIEM into OT you must carefully design the log collection layer (what is collected, by which agents or forwarders, and what load that puts on control-system hosts and networks) and, where the plant requires it, take it through a Factory Acceptance Test (FAT).
Compared with OT-specific network monitoring as the first-choice tool for securing an OT network (firewalls and antivirus remain the number one controls), a SIEM has one clear advantage: security engineers already know how to use it and can start working with it immediately.
As part of an OT security program that includes log collection and analysis, a SIEM can improve your security posture dramatically, leaving fewer blind spots for a real attacker to hide in.
Establishing industrial security event management together with at least generic, NTA-like network monitoring gives you a mechanism to detect an attacker before they start tampering with technology parameters.
Is this what we aim for?