Before you go out and spend a lot of resources to purchase, deploy, and run a sophisticated OT cyber detection system, ask yourself if you are taking advantage of existing, higher fidelity detection sources. 

This week’s task is to use interviews and brainstorming to identify all existing sources of information that could be used to detect OT cyber attacks. Common examples include:

  • Endpoint detection (anti-virus and other) alerts
  • Firewall logs (especially blocked packets where unauthorized traffic is not expected)
  • Log messages related to logic/program changes
  • Log messages indicating ICS protocol errors
  • New users being entered into an OS or application
  • Security-related operator call-outs

Once you have the list, order it by effectiveness (will it identify attacks?) and efficiency (how much time and money must be spent to achieve that effectiveness). These two factors are usually related and typically hinge on the number of false positives that must be evaluated and discarded. 

For example, most asset owners have deployed anti-virus or other endpoint detection on computers in OT. An endpoint detection alert is a high-fidelity signal that almost always indicates malware is trying to gain access to an OT cyber asset. It’s often at the top of the detection source list when prioritized by effectiveness and efficiency. 

Blocked packets in a firewall log could be a high or low efficiency signal based on the communication hitting the firewall and how well the firewall is tuned. A SCADA WAN firewall is likely to have few blocked packets unless the carrier has misconfigured the WAN or an attacker has gained access to a field site … high efficiency. A firewall in a power plant might have many blocked packets if the cyber assets in the plant have not been locked down to only necessary functions … low efficiency.
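The firewall case above, as an added example that is not part of the original post: it parses constructed deny records, measures blocked packets per day for each firewall, surfaces the noisiest source/port pair (the first tuning candidate on a noisy firewall) and maps the volume onto the high/medium/low efficiency rating. The key=value log layout, firewall names and thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines for this example (not from the original post);
# the key=value record layout and firewall names are assumptions.
SAMPLE_LOGS = """\
2024-03-01T08:00:01 fw=scada-wan action=deny src=10.50.1.7 dst=10.10.0.5 proto=tcp dport=502
2024-03-01T08:00:05 fw=plant-a action=deny src=192.168.20.14 dst=192.168.10.255 proto=udp dport=137
2024-03-01T08:00:06 fw=plant-a action=deny src=192.168.20.15 dst=192.168.10.255 proto=udp dport=137
2024-03-01T08:00:09 fw=plant-a action=allow src=192.168.20.15 dst=192.168.10.3 proto=tcp dport=502
2024-03-01T08:01:12 fw=plant-a action=deny src=192.168.20.14 dst=192.168.10.255 proto=udp dport=137
2024-03-01T08:01:40 fw=plant-a action=deny src=192.168.20.22 dst=192.168.10.3 proto=tcp dport=445
2024-03-01T08:02:03 fw=plant-a action=deny src=192.168.20.14 dst=192.168.10.255 proto=udp dport=137
2024-03-01T08:02:50 fw=plant-a action=deny src=192.168.20.22 dst=192.168.10.3 proto=tcp dport=445
2024-03-02T03:14:22 fw=scada-wan action=deny src=10.50.1.7 dst=10.10.0.5 proto=tcp dport=502
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")
REQUIRED = ("fw", "action", "src", "dport")

def parse_line(line):
    """Parse one record into a dict; return None for blank or malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(tok.split("=", 1) for tok in m.group("kv").split() if "=" in tok)
    fields["ts"] = m.group("ts")
    return fields if all(k in fields for k in REQUIRED) else None

def summarize_denies(log_text, window_days):
    """Per firewall: deny count, denies per day, and the noisiest (src, dport) pair.
    The top pair is the first tuning candidate when a firewall is too noisy."""
    counts, pairs = Counter(), defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "deny":
            counts[rec["fw"]] += 1
            pairs[rec["fw"]][(rec["src"], rec["dport"])] += 1
    return {fw: {"denies": n, "per_day": n / window_days,
                 "top_pair": pairs[fw].most_common(1)[0]} for fw, n in counts.items()}

def rate_efficiency(per_day, high_max=1.0, medium_max=2.0):
    """Map blocked-packet volume to the post's qualitative efficiency rating.
    Thresholds are assumptions for this example; tune them to your own alert budget."""
    if per_day <= high_max:
        return "high"
    if per_day <= medium_max:
        return "medium"
    return "low"
```

With the sample above, the SCADA WAN firewall rates high and the plant firewall rates low, with the plant's repeated NetBIOS (udp/137) denies from one host identified as the noise to tune or lock down first.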

False negatives are also important, as they are tied to effectiveness. Did the detection measure fail to detect the attack? False negatives are hard to determine until an incident has eventually been detected and can be reviewed as part of post-incident analysis. Threat hunting and purple team exercises are other ways to consider whether and how common attacks would be detected.

Write your prioritized OT detection information source list below. Rate the effectiveness (lack of false negatives) and efficiency (lack of false positives plus cost in time and money) on a qualitative high, medium, and low rating to help validate your prioritization.

Priority | Detection Information Source | Effectiveness | Efficiency

Once you have the prioritized list of existing OT detection sources, look at the new detection sources you are considering purchasing and deploying. Where would that new OT sensor fit on the list?