Security monitoring strategies for your OT infrastructure

Abstract

Cyber security threats are an ever-increasing risk to industrial control systems (ICS). Therefore, by considering the impact of cyberattacks as part of improvements in operational technology (OT) infrastructure resiliency serves the ultimate goal of minimising production downtime. In order to achieve this, organisations should consider flexible and innovative security monitoring strategies as well as a security operations centre (SOC). Having security monitoring mechanisms and a SOC function benefits the OT infrastructure in multiple ways, including incident response management, threat and vulnerability management, asset inventory and management, network flow monitoring, security logs monitoring and correlation, as well as the core function of defence against cyberattacks. This paper demonstrates the best practices for security monitoring and protection used by different industry sectors and explains security monitoring tools and their special features, as well as how these monitoring tools are integrated within the SOC. The paper then illustrates the baseline design for building a SOC for OT infrastructure and what needs to be considered when implementing an OT SOC, including data onboarding from OT infrastructure, SOC use cases development, and other SOC functionalities such as vulnerability and risk management, malware detection and other features. The paper aims to benefit the OT security community by providing a general guidance, future vision and required information to build a functional security strategy for critical national infrastructure (CNI) by considering the security life cycle starting from monitoring, through detection, to response and reporting.