Monzy Merza of Splunk had a S4x14 defensive session. Working with an actual, deployed Building Management System (BMS), Monzy wrote python scripts to export the data from the BMS to Splunk for analysis. He focused solely on what could be detected from info logged by the BMS.
The BMS was known vulnerable in the general sense that BACnet is an insecure protocol and specific sense in that Rios/McCorkle had found vulnerabilities in the Tridium Niagara AX.
Once the data was in Splunk, Monzy showed examples of how anomalies that could be cyber attacks could be detected in the data. The examples are specific to a BMS and should provide hints to anyone looking for attack detection in an ICS.