Security logs are essential in incident response and in post-incident investigations. Do you know:
- What OT security related logs you have?
- Where they are?
- Where they're archived?
- Who is responsible for each log?
- Whether the log would still be available after a cyber incident?
This week will position you to say yes to these questions.
You have a head start on this task. You identified possible OT detection information sources in the last two weeks, and these should include security related logs. Last week you determined which security logs / OT detection information sources you will actively monitor, analyze, and act on: the sources you will use to proactively detect attacks.
The security related logs that are not monitored to detect attacks, those below the line, are still very helpful in post-incident investigation for response and recovery. They are helpful, that is, if you can access them and they are intact.
Take the list of OT detection information sources and add to it any additional logs that could help with incident response or recovery. One way to do this is to go through each OS, application, and device and consider each log that is available. In most cases it’s better to err on the side of including rather than excluding logs if you are uncertain. Storage is cheap.
Once you have the security log list, fill in the detail of where each log is stored and who is responsible for the log storage / archive.
The final step is to determine if a cyber attack could jeopardize the log availability or integrity, and adjust your log strategy if necessary. Cyber attacks can include a clean-up step to delete or modify logs to hide attack details. To prevent this, logs can be written to write once memory, stored off network, or otherwise protected.
It may be determined to be impractical to protect all security logs given the cost and process requirements. This is acceptable. You are making risk management decisions. The key is to make and implement a decision and know what security logs will be available for incident response and recovery.
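One way to make an archived log tamper-evident, as an added example that is not from the original article: hash-chain each record to its predecessor so that modifying or deleting an earlier entry breaks every later hash, and keep the final chain hash off network (or on write-once storage) so that truncation of the tail is detected too. The log lines are constructed samples, not real OT data.

```python
import hashlib

# Constructed sample syslog lines from a hypothetical OT workstation and PLC gateway.
SAMPLE_LINES = [
    "2024-03-01T10:00:01Z hmi01 sshd[1203]: Accepted password for operator from 10.0.5.7",
    "2024-03-01T10:04:33Z hmi01 sudo: operator : COMMAND=/usr/bin/systemctl stop historian",
    "2024-03-01T10:05:10Z plc-gw sshd[88]: Failed password for root from 10.0.5.90",
]

GENESIS = "0" * 64  # fixed starting hash for the first record


def chain_entry(prev_hash: str, line: str) -> dict:
    """Build one record whose hash covers the previous record's hash and this line."""
    digest = hashlib.sha256((prev_hash + "\n" + line).encode("utf-8")).hexdigest()
    return {"prev": prev_hash, "line": line, "hash": digest}


def build_chain(lines):
    """Hash-chain log lines in order; returns the list of chained records."""
    chain, prev = [], GENESIS
    for line in lines:
        entry = chain_entry(prev, line)
        chain.append(entry)
        prev = entry["hash"]
    return chain


def verify_chain(chain, expected_head=None):
    """Recompute every hash from its predecessor.

    Returns (True, None) if the chain is intact, otherwise (False, index) where
    index is the first record that does not fit. If expected_head (the final hash,
    stored off network) is given, a chain whose tail was deleted is also rejected,
    with index equal to the length of the truncated chain.
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        expected = chain_entry(prev, entry["line"])["hash"]
        if entry["prev"] != prev or entry["hash"] != expected:
            return False, i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(chain)
    return True, None
```

Without the stored head hash, silently dropping the newest records is not detectable, which is why the final hash belongs on the protected storage the text describes.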
| Security Log | Location | Administrator | Protected? |
|---|---|---|---|