OT SIEM Implementation by NIST - Part 2

In the previous article I described the first step toward implementing an OT SIEM in accordance with NIST SP 800-82. Please read it before this part!

Today we cover the most important part, "Detect: Anomalies and Events": a practical guide to collecting and managing events from ICS/OT systems.

Logs in OT/ICS environments record vital events across both traditional IT systems and industrial control systems, including PLCs, SCADA systems, network devices and other OT equipment. Effective log management in these settings means collecting, storing and analyzing log data to detect cybersecurity incidents, troubleshoot operational issues and demonstrate compliance.

This guide offers a practical approach based on NIST SP 800-92 Rev. 1 (Cybersecurity Log Management Planning Guide), applied to OT/ICS: cybersecurity logging planning that addresses the unique demands of OT systems. It provides flexible, actionable steps to help organizations prioritize their logging needs and build a safer, more resilient environment across critical infrastructure.

The guide has four sections, which together define the high-level process:


Current State  >  Target State  >  Gaps  >  Mitigation Plan        

INV - Update Logging Related Inventories

Take a close look at your organization's current cybersecurity logging by creating a few simple inventories. The goal here is to get a solid, up-to-date picture of the people, processes, and tools that play a role in your cybersecurity logging.

To assess the current state of logging, update the five inventories described below (INV-1 to INV-5).

There are interdependencies between these tasks, so changes to one inventory may necessitate changes to other inventories!

This is not an assessment, only information gathering!


INV-1 Update the Inventory of Log Source Types

Update your inventory of log sources across the organization. A log source is any system, such as an OS, a PLC or a SCADA server, that generates cybersecurity logs. The goal is a clear, up-to-date view of all the types of log data available.

Tasks to perform:

  1. Determine which log source type to record in inventory
  2. Update inventory to reflect standard configurations for logging
  3. Update inventory to reflect exceptions to standard configurations
  4. Update inventory to reflect all other types not included in #2 or #3


Examples of log source types:

  • Control Systems:

Supervisory Control and Data Acquisition - SCADA

Data Historians

  • Workstations / Interfaces:

Engineering Workstation - EWS

Operator Workstation - OWS

Human Machine Interface - HMI

  • Servers:

App, Data Gateway, Remote Control

Patch Management, AD

  • Control Devices:

Programmable Logic Controllers - PLC

Remote Terminal Units - RTU

Distributed Control Systems - DCS

  • Networking and Communication Devices:

Industrial Ethernet Switches and Routers

Firewalls, Network Traffic

Intrusion Detection System - IDS

  • Endpoint protection:

Antivirus / Endpoint Detection and Response - EDR

File Integrity Monitoring - FIM

  • Safety and Security Devices:

Safety Instrumented Systems - SIS

Physical Security Devices


INV-2 Update the Logging Infrastructure Inventory

Update your inventory of all components in your organization's cybersecurity logging infrastructure. This includes the hardware, software, systems, services and networks used for transmitting, storing, analyzing and disposing of log data. The goal is a clear, complete and current picture of all logging infrastructure components.

Tasks to perform:

  1. Update inventory to reflect current state of logging infrastructure
  2. Update characteristics recorded for each component
  3. Update logging infrastructure architecture diagrams and docs


Examples of logging infrastructure components:

  • Security Information and Event Management - SIEM
  • Relay for secure log transfer out of the ICS network
  • Cold data storage
  • Cyber threat intelligence feeds from third-party services
  • Data lakes that act as centrally accessible log storage
  • Managed services for log monitoring and analysis


INV-3 Update the Logging Use Case Inventory

Update your organization’s inventory of logging use cases along with the goals for each. This helps refine logging policies to ensure that logs are collected with clear purpose, not just for data’s sake. Additionally, consider each use case when defining the target state for cybersecurity log management.

Tasks to perform:

  1. Document the known logging use cases and the desired outcome of each
  2. Share the use cases with stakeholders and get feedback


Examples of possible use cases:

  • Integrate OT systems with SIEM for centralized log management
  • Monitor OT systems in real-time for abnormal activity
  • Detect early signs of malicious actions in ICS networks
  • Collect logs for compliance with standards and regulations
  • Track OT/ICS systems health for functional and security checks
  • Provide logs to support incident detection and remediation
  • Log security events for effective OT security management
  • Use logs for advanced threat detection and investigation
  • Enforce zero-trust security by logging and verifying access


INV-4 Update the Requirements Inventory

Update the inventory of existing requirements that are applicable to your organization’s cybersecurity logging. Requirements may come from applicable laws, regulations, standards, and internal policies. The desired outcome is a reasonably comprehensive set of current requirements for your organization’s cybersecurity logging.

Tasks to perform:

  1. Recheck existing requirements in inventory and remove outdated
  2. Identify all new requirements applicable to existing log source types
  3. Identify all requirements applicable to new log source types


Examples of requirements (the full list is in my previous article):

  • General laws and regulations
  • Sector-specific laws and regulations
  • Federal agency-specific requirements
  • Management Framework
  • Standards that the organization chooses to follow
  • The organization’s cybersecurity, privacy, and data retention policies
  • Requirements and policies of a parent organization/enterprise


INV-5 Update the Work Role Inventory

Review and update the list of cybersecurity logging roles handled by your team or by third parties. Each role includes tasks that need specific knowledge and skills, based on NIST SP 800-181. This helps make sure that all roles and tasks are covered and guides training and documentation planning for the organization.

Tasks to perform:

  • Confirm that all roles already in the inventory are still applicable
  • Identify any new roles, and add them to the inventory
  • Update which tasks are associated with each role
  • Update which knowledge and skill statements are associated with each task
  • Share the updated work role inventory with stakeholders
  • Disseminate the updated work role inventory information to affected parties


Examples:

  • OT Engineers / Network Administrators

configure logging and synchronize timestamps on systems and network devices

configure systems and devices to forward log data to the logging systems

perform regular maintenance of the logs and logging software

handle authorized requests from security administrators

  • OT Security Officers

manage, secure, and monitor log management infrastructures

identify the changes needed to system logging configurations

report on the results of log management activities

assist others with configuring logging and performing log analysis

  • Analysts

archive log data once it is no longer needed

monitor logging configurations and operational statuses for individual systems

initiate appropriate responses to events, including incidents and errors

  • Incident response teams

use log data when investigating and handling incidents

  • Application developers

whose applications perform logging

  • Auditors / Compliance officers

use log data when performing audits or verifying compliance


TS - Define Target State

Set a clear goal for your organization’s cybersecurity logging. This goal should include all required standards from laws, regulations, and internal policies, along with your organization’s own goals for balancing risk reduction and resilience in logging. The outcome is a prioritized list of logging requirements and objectives that you can update regularly, especially when new laws, technology, or threats arise.

To have a clear goal for cybersecurity logging, define the target state for each of the five areas below (TS-1 to TS-5).

There are interdependencies between these tasks!

For example, generating a higher volume of logs may necessitate increasing resources for log storage. Conversely, a firm limit on log storage resources may necessitate generating less log data, being more selective about which generated log data is stored, or reducing how long some log data is stored.


TS-1 Forecast Future Changes to Logging Inventories

Anticipate changes to your organization’s logging setup, such as new log sources, infrastructure, use cases, requirements, and roles. Think about how these changes might impact each other and your logging practices. The goal is to create a prioritized list of expected changes to guide your logging goals.

Tasks to perform:

  • Forecast future changes to log source types
  • Forecast future changes to the logging infrastructure
  • Forecast future changes to logging use cases
  • Forecast future changes to requirements
  • Forecast future changes to work roles

There are interdependencies between these tasks!


Examples of possible changes:

  • Adding a new PLC or SCADA system to the environment
  • Upgrading a DCS application to a version with enhanced logging
  • Shifting log storage for ICS data from on-site servers to a secure cloud environment
  • Implementing a new log analysis tool specifically designed for OT environments
  • Setting up a new use case to detect anomalous communications between devices
  • Adding passive monitoring for Modbus or other industrial protocol traffic
  • Meeting a new regulatory requirement to retain ICS logs for two years instead of one
  • Transferring some logging and monitoring tasks to a centralized SOC


TS-2 Define Target State for Log Generation

Set clear requirements and goals for log generation for each type of cybersecurity log source in your organization. The goal is to have a complete, prioritized list that guides your organization’s logging strategy.

For each log source, decide:

  • Its level of necessity: required, recommended, not recommended, or prohibited
  • What events should or shouldn’t be logged
  • What metadata should or shouldn’t be logged
  • If it might capture sensitive data
  • The frequency of event logging
  • How to handle log generation errors
  • When logs should include cleartext or encrypted data
  • Clock sync and timestamp format requirements
  • How to protect log generation
  • How to monitor and confirm that logging works correctly

Recording more log data is not necessarily better!
Generally, organizations should only require logging the necessary data and also have recommendations for which other types and sources of data should be logged if resources permit.        
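The items in this list can be checked automatically against what the collector actually receives. The Python script below is an added example, not code from the original article or from any NIST publication: it takes a constructed sample of events from a PLC, an HMI and a firewall (the lines, source names, target-state values and the RFC 3339 timestamp requirement are all assumptions for illustration) and reports the deviations from a TS-2 target state that a practitioner most often finds: a required source that has gone silent or never reported, timestamps without a UTC offset, a device clock that has drifted beyond tolerance, and a credential written to the log in cleartext.

```python
"""Added example (not from the original article): checking log generation
against a TS-2 target state, run over constructed sample events."""
import re
from datetime import datetime, timedelta, timezone

# Hypothetical target state per log source type (values are illustrative):
#   necessity - required / recommended (prohibited sources are simply absent)
#   max_gap   - longest tolerated silence before a source counts as "not logging"
#   max_skew  - tolerated offset between the event timestamp and the collector clock
TARGET = {
    "plc":       {"necessity": "required",    "max_gap": timedelta(minutes=5),  "max_skew": timedelta(seconds=30)},
    "hmi":       {"necessity": "required",    "max_gap": timedelta(minutes=15), "max_skew": timedelta(seconds=30)},
    "firewall":  {"necessity": "required",    "max_gap": timedelta(minutes=1),  "max_skew": timedelta(seconds=5)},
    "historian": {"necessity": "recommended", "max_gap": timedelta(hours=1),    "max_skew": timedelta(minutes=1)},
}

# Data the target state says must never be logged in cleartext.
SENSITIVE = re.compile(r"\b(password|passwd|pwd)\s*[=:]\s*\S+", re.IGNORECASE)

# Required timestamp format: RFC 3339 with an explicit UTC offset (or Z).
RFC3339 = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2})$")

# Current-state inventory (INV-1): every source that should be sending logs.
INVENTORY = [("plc", "plc-01"), ("plc", "plc-02"), ("plc", "plc-03"),
             ("hmi", "hmi-01"), ("firewall", "fw-ot-01"), ("historian", "hist-01")]

# Constructed sample: (time the collector received it, source type, source id, raw line).
NOW = datetime(2024, 11, 20, 10, 0, 0, tzinfo=timezone.utc)
SAMPLE = [
    (NOW - timedelta(minutes=2), "plc", "plc-01",
     "2024-11-20T09:58:00+00:00 plc-01 mode=RUN user=eng01 action=download_program"),
    (NOW - timedelta(minutes=20), "plc", "plc-02",
     "2024-11-20T09:40:00+00:00 plc-02 mode=RUN action=heartbeat"),
    (NOW - timedelta(minutes=1), "hmi", "hmi-01",
     "2024-11-20 09:59:00 hmi-01 login user=oper password=hunter2"),          # no offset, cleartext secret
    (NOW - timedelta(seconds=30), "firewall", "fw-ot-01",
     "2024-11-20T09:52:30+00:00 fw-ot-01 DENY 10.10.5.7->10.10.1.20 tcp/502"),  # device clock 7 min behind
]


def parse_timestamp(line):
    """Return the event time if the leading token is RFC 3339 with offset, else None."""
    token = line.split(" ", 1)[0]
    if not RFC3339.match(token):
        return None
    return datetime.fromisoformat(token.replace("Z", "+00:00"))


def check_log_generation(records, inventory, target, now):
    """Return (source_id, finding) pairs for every deviation from the target state."""
    findings = []
    last_seen = {}
    for received, src_type, src_id, line in records:
        policy = target[src_type]
        last_seen[src_id] = max(received, last_seen.get(src_id, received))
        ts = parse_timestamp(line)
        if ts is None:
            findings.append((src_id, "timestamp not RFC 3339 with offset"))
        else:
            skew = abs(received - ts)
            if skew > policy["max_skew"]:
                findings.append((src_id, "clock skew %ds exceeds %ds" % (
                    skew.total_seconds(), policy["max_skew"].total_seconds())))
        if SENSITIVE.search(line):
            findings.append((src_id, "sensitive data logged in cleartext"))
    # Silence is judged against the inventory, not only against sources that happened to report.
    for src_type, src_id in inventory:
        policy = target[src_type]
        if policy["necessity"] != "required":
            continue
        if src_id not in last_seen:
            findings.append((src_id, "required source in inventory but never seen"))
        elif now - last_seen[src_id] > policy["max_gap"]:
            findings.append((src_id, "required source silent for %d min (max %d min)" % (
                (now - last_seen[src_id]).total_seconds() // 60,
                policy["max_gap"].total_seconds() // 60)))
    return findings


if __name__ == "__main__":
    for src, finding in check_log_generation(SAMPLE, INVENTORY, TARGET, NOW):
        print(f"{src}: {finding}")
```

Run as-is it prints the five findings for the sample. In production the sample list would be replaced by a query against the collector or SIEM, and the silence check should run on a schedule so that a PLC that stops logging is noticed within its max_gap rather than at the next audit; the inventory-based check is what catches a device that was commissioned but never pointed at the collector.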

TS-3 Define Target State for Log Storage and Transfer

Set your organization’s requirements and goals for log storage and transfer, considering log source types, event types, system locations, and other relevant factors. The goal is to create a clear, prioritized list to guide cybersecurity log storage and transfer in line with your organization’s target state.

Tasks to perform:

  • Set retention periods for each log event at its source
  • Decide which events should be transferred and estimate needed bandwidth
  • Define event correlation across log sources
  • Specify log transfer methods, frequency, and out-of-band options
  • Ensure protection of log data during storage and transfer
  • Set required storage capacity at log sources and infrastructure
  • Plan for handling storage and transfer errors
  • Decide when to move log events to cold storage
  • Choose log formats and types
  • Monitor and validate log storage and transfer security

Completing these tasks effectively designs the high-level architecture of the log infrastructure, such as the logical and physical locations of centralized log data storage and various log analysis services.
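The interdependency noted at the start of this section (more log volume means more storage, a firm storage cap means being more selective) and the bandwidth and capacity tasks above can be worked through with a small sizing model. The script below is an added example and not part of the original article; every figure in it (device counts, event rates, event sizes, retention periods, the 3x peak factor and the 250 GB cap) is a hypothetical planning input to be replaced with values measured in your own environment.

```python
"""Added example (not from the original article): sizing relay bandwidth and
log storage for a TS-3 target state. All inputs are hypothetical planning values."""

# Per log source type: device count, events per second per device, average event size in
# bytes, whether events cross the relay to the SIEM, necessity level, and retention in hot
# (searchable) and cold storage. Retention at the source itself is separate and not sized here.
PROFILE = {
    "plc":       {"devices": 40, "eps": 0.2,   "bytes": 180, "transfer": True, "necessity": "required",    "hot_days": 90, "cold_days": 365},
    "hmi":       {"devices": 12, "eps": 1.0,   "bytes": 250, "transfer": True, "necessity": "required",    "hot_days": 90, "cold_days": 365},
    "firewall":  {"devices": 4,  "eps": 50.0,  "bytes": 300, "transfer": True, "necessity": "required",    "hot_days": 30, "cold_days": 365},
    "historian": {"devices": 2,  "eps": 20.0,  "bytes": 400, "transfer": True, "necessity": "recommended", "hot_days": 30, "cold_days": 180},
    "netflow":   {"devices": 6,  "eps": 200.0, "bytes": 120, "transfer": True, "necessity": "recommended", "hot_days": 14, "cold_days": 90},
}

GB = 1e9


def bytes_per_second(p):
    return p["devices"] * p["eps"] * p["bytes"]


def relay_bandwidth_kbps(profile, peak_factor=3.0):
    """Sustained and peak bandwidth (kbit/s) the relay link must carry.
    peak_factor covers bursts such as a firewall logging a port scan; take it from measured peaks."""
    bps = sum(bytes_per_second(p) * 8 for p in profile.values() if p["transfer"])
    return bps / 1000, bps * peak_factor / 1000


def storage_gb(profile):
    """Hot and cold storage needed in the logging infrastructure, in GB (raw, before compression)."""
    hot = cold = 0.0
    for p in profile.values():
        if not p["transfer"]:
            continue
        per_day = bytes_per_second(p) * 86400
        hot += per_day * p["hot_days"]
        cold += per_day * (p["cold_days"] - p["hot_days"])
    return hot / GB, cold / GB


def fit_hot_storage(profile, hot_cap_gb):
    """Apply the trade-off from the TS section: if hot storage exceeds a firm cap, stop transferring
    the highest-volume 'recommended' types first; 'required' types are never dropped.
    Returns (adjusted profile copy, list of dropped types); raises if required data alone exceeds the cap."""
    adjusted = {name: dict(p) for name, p in profile.items()}
    candidates = sorted(
        (n for n, p in adjusted.items() if p["transfer"] and p["necessity"] == "recommended"),
        key=lambda n: bytes_per_second(adjusted[n]) * adjusted[n]["hot_days"], reverse=True)
    dropped = []
    for name in candidates:
        if storage_gb(adjusted)[0] <= hot_cap_gb:
            break
        adjusted[name]["transfer"] = False
        dropped.append(name)
    if storage_gb(adjusted)[0] > hot_cap_gb:
        raise ValueError("required sources alone exceed the hot storage cap; raise the cap or shorten retention")
    return adjusted, dropped


if __name__ == "__main__":
    sustained, peak = relay_bandwidth_kbps(PROFILE)
    hot, cold = storage_gb(PROFILE)
    print(f"relay: {sustained:.0f} kbit/s sustained, {peak:.0f} kbit/s peak")
    print(f"storage: {hot:.0f} GB hot, {cold:.0f} GB cold")
    adjusted, dropped = fit_hot_storage(PROFILE, hot_cap_gb=250)
    print(f"hot cap 250 GB: drop {dropped}, now {storage_gb(adjusted)[0]:.0f} GB hot")
```

The figures are raw bytes, so they are an upper bound for storage; text logs usually compress several times over, but the ratio should be measured on your own data rather than assumed. fit_hot_storage encodes the policy stated in TS-2 and TS-3: required sources are never traded away for capacity, only recommended ones, starting with the largest, and when even the required set does not fit the answer is a bigger cap or shorter retention, not silently dropping required logs.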


TS-4 Define Target State for Log Access

Define what your organization needs when it comes to log access. Consider the needs of auditors, law enforcement, courts, and any relevant government agencies. The goal is to create a clear set of priorities and requirements for log access that help define your organization’s target state.

Tasks to perform:

  • Decide who needs local or remote access to log data, directly or indirectly
  • Decide how access should be logged and protected
  • Ensure compliance with legal requirements for log protection and integrity
  • Manage disclosure of sensitive data contained in logs
  • Define steps for handling accidental or unauthorized disclosures in logs
  • Monitor and validate access
  • Ensure only authorized parties have the appropriate access to logs
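One concrete way to meet the protection items in TS-3 and the integrity item in TS-4 is to make stored log batches tamper-evident, so that a deleted, altered or reordered record is detectable when the batch is verified. The script below is an added example, not code from the original article or from NIST: it chains an HMAC-SHA256 tag through each record; the key and the sample lines are placeholders constructed for the example (the key would be provisioned to the collector or SIEM out of band and never stored beside the logs).

```python
"""Added example (not from the original article or NIST): tamper-evident log batches.
Each record's tag is an HMAC-SHA256 over the previous tag, the record index and the line,
so modification, deletion or reordering breaks verification from that record onward.
Key and sample lines are placeholders constructed for the example."""
import hashlib
import hmac

KEY = b"placeholder-collector-key"   # assumption: provisioned out of band, never stored with the logs
GENESIS = b"\x00" * 32               # tag that the first record chains from

SAMPLE_LINES = [
    "2024-11-20T09:58:00+00:00 plc-01 user=eng01 action=download_program",
    "2024-11-20T09:58:05+00:00 fw-ot-01 DENY 10.10.5.7->10.10.1.20 tcp/502",
    "2024-11-20T09:58:09+00:00 hmi-01 login user=oper result=success",
    "2024-11-20T09:58:30+00:00 plc-01 mode=STOP user=eng01",
]


def _tag(key, prev, index, line):
    msg = prev + index.to_bytes(8, "big") + line.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).digest()


def seal(lines, key=KEY):
    """Return [(line, tag_hex)] with each tag chained to the one before it."""
    prev, sealed = GENESIS, []
    for i, line in enumerate(lines):
        tag = _tag(key, prev, i, line)
        sealed.append((line, tag.hex()))
        prev = tag
    return sealed


def verify(sealed, key=KEY, anchor=None):
    """Return None if the batch is intact, else the index of the first record that fails.
    anchor is the final tag kept separately (e.g. in the SIEM); when given, a batch that
    verifies but ends on a different tag fails at len(sealed): records were cut from the end."""
    prev = GENESIS
    for i, (line, tag_hex) in enumerate(sealed):
        expected = _tag(key, prev, i, line)
        if not hmac.compare_digest(expected, bytes.fromhex(tag_hex)):
            return i
        prev = expected
    if anchor is not None and not hmac.compare_digest(prev, bytes.fromhex(anchor)):
        return len(sealed)
    return None


if __name__ == "__main__":
    batch = seal(SAMPLE_LINES)
    anchor = batch[-1][1]                       # kept out of reach of the log store
    print("intact ->", verify(batch, anchor=anchor))
    edited = list(batch)
    edited[0] = (edited[0][0].replace("download_program", "read_status"), edited[0][1])
    print("record 0 edited ->", verify(edited, anchor=anchor))
    print("record 3 removed ->", verify(batch[:3], anchor=anchor))
```

Integrity tags protect against silent modification, not against disclosure, and say nothing about who read the logs; that is what the access-logging item above covers. The anchor check matters because a plain chain cannot tell that records were removed from its end: the last tag has to be stored somewhere the log store cannot reach, such as the SIEM, a write-once store, or a ticket raised when the batch is closed.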


TS-5 Define Target State for Log Disposal

Set your organization’s requirements and goals for securely disposing of log data. The goal is to establish a clear set of priorities for cybersecurity log disposal that help define your organization’s target state.

Tasks to perform:

  • Set rules for how and when to dispose of each type of log at the source.
  • Set rules for how and when to dispose of each type of log within the log infrastructure.
  • Define how to monitor, check, and test log disposal processes to prevent unauthorized log destruction.


GRC - Document Gaps and Their Root Causes

Document the gaps between the current and target states for cybersecurity logging, along with the root causes of each gap. The goal is to create a list of gaps, including an assessment of the risk level and the underlying reasons for each one.

To document gaps and their root causes, work through GRC-1 and GRC-2 below.

Root cause analysis should dig deeper than surface-level issues to find the true underlying factors. For instance, if one log source is generating less data than similar sources, and it’s traced to configuration errors, analysis should continue to uncover why this misconfiguration happened - whether due to weak enforcement of policies, an exception that needs review, human error, possible compromise, or storage limitations.


GRC-1 Scope and Plan the Assessment

Scope the gap analysis, and determine how the gap analysis will be performed. The desired outcome is an assessment plan.

Tasks to perform:

  • Define the scope of the gap analysis. This might include all critical systems, security configuration baselines, and a sample of non-baselined log sources that represent key logging use cases.
  • Plan the assessment approach, whether by using automation, conducting interviews, or manually reviewing specific components.


GRC-2 Conduct the Assessment and Document Findings

Execute the assessment plan for identifying gaps and their root causes. The desired outcome is a stakeholder-reviewed list of findings.

Tasks to perform:

  • Carry out the assessment: document each gap from the target state, assess the risk of each gap, identify root causes, and estimate the importance and cost of addressing each root cause
  • Summarize findings, gather feedback from stakeholders, and make revisions as needed
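The under-reporting example from the root-cause paragraph at the start of this section can be turned into an assessment check for GRC-2. The script below is an added example, not part of the original article: it compares each source's daily event count with the median of its peers of the same type, and uses current-state inventory attributes (standard configuration applied, documented exception, device log storage usage) to propose a first-pass root-cause category. All rows, counts, thresholds and category wordings are constructed assumptions for illustration; the categories mirror the causes that paragraph lists.

```python
"""Added example (not from the original article): GRC-2 check for log sources that
generate far less data than their peers, with a first-pass root-cause category.
All inventory rows, counts and thresholds are constructed for illustration."""
from statistics import median

# Current-state rows joining INV-1 attributes with 24 h event counts from the SIEM.
CURRENT = [
    {"id": "plc-01", "type": "plc", "standard_config": True,  "exception": False, "disk_pct": 40, "events_24h": 18000},
    {"id": "plc-02", "type": "plc", "standard_config": True,  "exception": False, "disk_pct": 99, "events_24h": 1200},
    {"id": "plc-03", "type": "plc", "standard_config": False, "exception": False, "disk_pct": 35, "events_24h": 900},
    {"id": "plc-04", "type": "plc", "standard_config": False, "exception": True,  "disk_pct": 30, "events_24h": 2000},
    {"id": "plc-05", "type": "plc", "standard_config": True,  "exception": False, "disk_pct": 38, "events_24h": 17500},
    {"id": "plc-06", "type": "plc", "standard_config": True,  "exception": False, "disk_pct": 42, "events_24h": 400},
    {"id": "plc-07", "type": "plc", "standard_config": True,  "exception": False, "disk_pct": 45, "events_24h": 19000},
    {"id": "plc-08", "type": "plc", "standard_config": True,  "exception": False, "disk_pct": 41, "events_24h": 16800},
    {"id": "hmi-01", "type": "hmi", "standard_config": True,  "exception": False, "disk_pct": 50, "events_24h": 86000},
    {"id": "hmi-02", "type": "hmi", "standard_config": True,  "exception": False, "disk_pct": 55, "events_24h": 90000},
]

LOW_RATIO = 0.25    # below 25 % of the peer baseline is a gap (assumption, tune per site)
HIGH_RATIO = 0.05   # below 5 % is rated high risk: the source is effectively not logging
MIN_PEERS = 3       # a median over fewer devices is not a meaningful baseline
DISK_FULL_PCT = 95


def root_cause(row):
    """Map inventory attributes to the candidate causes named in the root-cause paragraph."""
    if row["disk_pct"] >= DISK_FULL_PCT:
        return "storage limitation: device log store is full"
    if not row["standard_config"] and row["exception"]:
        return "approved exception: review whether it is still justified"
    if not row["standard_config"]:
        return "configuration drift: standard logging config not applied (weak policy enforcement)"
    return "unexplained: investigate for human error or compromise"


def find_underreporting(rows, low_ratio=LOW_RATIO, high_ratio=HIGH_RATIO, min_peers=MIN_PEERS):
    """Return one gap record per source whose volume is far below its type's baseline."""
    by_type = {}
    for row in rows:
        by_type.setdefault(row["type"], []).append(row)
    gaps = []
    for src_type, peers in by_type.items():
        # Baseline from peers on the standard configuration, so that several
        # misconfigured devices cannot drag the median down and hide each other.
        reference = [r for r in peers if r["standard_config"] and not r["exception"]]
        if len(reference) < min_peers:
            reference = peers
        if len(reference) < min_peers:
            continue                       # too few devices of this type to judge
        baseline = median(r["events_24h"] for r in reference)
        for row in peers:
            if row["events_24h"] < low_ratio * baseline:
                gaps.append({
                    "id": row["id"], "type": src_type,
                    "events_24h": row["events_24h"], "baseline": baseline,
                    "risk": "high" if row["events_24h"] < high_ratio * baseline else "medium",
                    "root_cause": root_cause(row),
                })
    return gaps


if __name__ == "__main__":
    for gap in find_underreporting(CURRENT):
        print(f"{gap['id']}: {gap['events_24h']} vs baseline {gap['baseline']:.0f} "
              f"[{gap['risk']}] -> {gap['root_cause']}")
```

The "unexplained" category is the one to escalate: the paragraph's last two causes, human error and compromise, cannot be told apart from inventory data alone and need the GRC-2 interview or a manual review of the device. The two HMIs in the sample are skipped because a median over two devices proves nothing; for small fleets compare against the standard configuration's expected volume instead.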


PMG - Develop a Plan to Mitigate the Gaps

Create a plan to address the root causes of the identified gaps to achieve the target state. The plan should prioritize gaps based on their importance, consider the resources required, and account for dependencies. The goal is a project plan that, once implemented, resolves root causes and closes the identified gaps.

To create a workable plan to mitigate the gaps, work through PMG-1 to PMG-3 below.



PMG-1 Draft the Plan

Draft the plan for addressing the root causes of identified gaps. The desired outcome is a project plan draft that is ready for stakeholder review and feedback.

Tasks to perform:

  • Identify changes to logging inventories (log sources, infrastructure, use cases, requirements, roles)
  • Estimate costs for addressing gaps in people, processes, and technology, including one-time and ongoing expenses (new tools, configurations, retraining)
  • Plan for action milestones and compensating controls until gaps are addressed
  • Account for other projects impacting logging
  • Set a schedule for regular plan reviews and updates, such as annual reviews or audits
  • Ensure all plan elements are aligned


PMG-2 Revise Affected Policies

Revise the organization’s policies to support the draft project plan. The desired outcome is a set of draft revised policies that are ready for stakeholder review and feedback.

Tasks to perform:

  • Identify policies that may be impacted by the draft project plan
  • Update the affected policies to align with the revised requirements
  • Ensure that all policy changes are consistent and aligned.

It may be appropriate to specify future effective dates for certain policy changes, depending on the timeframes for the corresponding items in the draft project plan.


PMG-3 Address Feedback on Draft Plan and Policies

Address stakeholder feedback on the draft plan and policies. The desired outcome is a final project plan and policy set.

Tasks to perform:

  • Identify key stakeholders for feedback
  • Share the draft plan and policies with stakeholders
  • Review and assess feedback, considering its impact on overall plan
  • Revise the plan and policies based on feedback
  • If major revisions are made, seek further feedback
  • Finalize and communicate the updates


Conclusion

In this article we walked through NIST SP 800-92 to get a complete view of the log management planning process, which is essential for building an effective OT SIEM. By following these steps, organizations can set up a solid logging foundation that supports security, compliance and incident response in OT environments.

This process ensures that logging is purposeful and aligned with the unique needs of OT/ICS systems. Having gone through the four sections, we can now update the inventories, define the target state, document the gaps and develop a plan to mitigate them, in line with the NIST standard.

In the next part I'll go into the next section of NIST SP 800-82: "Detect: Security Continuous Monitoring". We will learn how to check protective measures in OT/ICS systems.


Stay tuned and Try Harder!

Zakhar Bernhardt

ICS/OT Cybersecurity Expert | Labshock & Patented NVIDIA AI IDS & 1st OT SIEM Creator | 10k+ Followers | Pentesting & SOC

4 months

Mark, Shawn Belcourt thanks for sharing!

Thomas (Tom) Jackson

Cybersecurity Leader | Expert in OT, ICS, IoT & AI | Driving Innovative Security Strategies | Empowering Teams & Transforming Operations | Building Trusted Client Partnerships | CISSP Certified

4 months

Again...thank you for a great series on a commonly overlooked issue

Zakhar Bernhardt

4 months

Part 1 about Core principles:

Deonte Williamson

Motivated Navy Veteran looking for computer networking or cybersecurity opportunities.

4 months

Very informative
