ICS SECURITY INFORMATION & EVENT MANAGEMENT

ICS SECURITY INFORMATION & EVENT MANAGEMENT

Traditional IT SIEM tools combine Security Event Monitoring (SEM) and Security Information Management (SIM) to provide insight into alerts and events for analysis and incident response in the context of typical IT cyber security.

However, because OT environments have different types of devices, usage scenarios, and skill sets, an OT/ICS-specific SIEM must provide additional operational data insights relevant to control system experts. In other words, an effective SIEM is priceless to operational security teams and engineers.

OT/ICS SIEM platforms combine the same security functions as their IT counterparts, but with operational data to provide a unique risk perspective that traditional IT SIEM cannot. The following are significant additions:

  • Detection of OT/ICS-specific threats
  • Device performance data
  • Accurate OT asset identification¬†
  • Alarm management data from process sensors and indicators

While the majority of the industry focuses on passive network analysis to detect network-borne threats, the Verve OT/ICS SIEM aggregates key real-time data directly from connected endpoints rather than just network traffic. This includes host logs, syslog, performance data, configuration changes, and network dataflows such as Netflow, but it can also be a game changer when detecting threats in OT environments.

This direct endpoint data enables visibility without the need for additional hardware taps or span ports throughout the network, which has a number of advantages including lower implementation costs, but it can also be supplemented with complementary data sources provided by passive network detection solutions.

Why should you use an OT/ICS SIEM?

Some clients ask if we can send SIEM data to their corporate/IT instance, and we can, of course. However, there are several advantages to keeping a separate (or isolated) OT/ICS SIEM:

  • Exceptional OT/ICS threat detection and response
  • Allow OT personnel to perform root cause analysis on data.
  • Reduce potential security false positives that would be alarming in IT environments but are routine in OT.
  • The collection of operational alarms, device reliability, and security data improves security and reliability.
  • Save money by sending only critical log/alert data to corporate log management solutions.
  • Monitor flows and logs to accelerate and improve network segmentation and design efforts.
  • Recognize potential system failures (or impending issues) caused by failing hardware, legacy technology, or overburdened resources.

As alerts are identified, OT personnel close ports, remove users, patch systems, and so on in a manner controlled by the OT engineering team to ensure a timely but reliable event response.

Contact us