Most SIEM rule sets are written for IT environments and perform poorly in OT. A rule that flags logins outside a user's usual hours fires constantly in a control room where the same operators rotate through shifts. A rule that infers lateral movement from SMB traffic fires thousands of times a day inside an engineering network where file shares carry project files between workstations. Without tuning, an OT SIEM produces alert fatigue that makes real detection impossible.
Effective OT detection requires rules built on deep understanding of your specific environment—your normal shift patterns, your baseline traffic, your authorized tools, and your typical change windows. One facility's critical alert is another facility's routine maintenance.
Foundational Detection Strategies for OT
Begin with baselines. Profile normal network behavior for each shift, each facility area, and each device type: which hosts talk to which controllers, on which protocols, and at which hours. Once baselines are established, detect deviations: unusual packet sizes, off-shift activity, out-of-sequence commands, or traffic to unexpected destinations. Focus on behavior rather than signatures, because much OT intrusion activity consists of legitimate engineering tools and native protocol functions (a configuration download, a mode change) used by the wrong host or at the wrong time, which no signature will match.
Prioritize rules that detect early-stage intrusions before attackers reach control systems. Monitor for reconnaissance activity, credential harvesting, and lateral movement from IT networks toward OT networks. These indicators fire infrequently and with high specificity if tuned correctly.
High-Confidence Detection Rules for OT
- Cross-zone traffic: Alert on any data flow from IT to OT zones outside scheduled maintenance windows and approved change tickets. Allowlist the few flows that are expected to cross the boundary (historian replication, jump-host sessions, patch distribution) so the rule fires on the remainder rather than on everything.
- Engineering tool usage anomalies: Monitor for use of engineering software from unexpected workstations, at unusual times, or against unusual devices.
- Credential harvesting indicators: Detect bulk password attempts, dumped credential hashes, or interactive login failures from unusual sources.
- Supply chain artifact delivery: Alert when a firmware image, controller configuration, or patch crosses a network boundary and its hash is not on the approved list or its signature cannot be verified. The SIEM normally sees only the transfer, not the file, so the verification itself runs on the receiving host or file-transfer gateway and is forwarded to the SIEM as an event to correlate with the transfer.
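The following is an added example, not code from the article or from the Cascadia OT Security practice. It implements the baseline-then-deviation approach described above together with the first three rules in the list (cross-zone IT-to-OT flow outside an approved change window, engineering-protocol use from a host that is not an authorized engineering workstation, and a burst of authentication failures from one source) over constructed flow and auth log lines. Every address, zone prefix, shift hour, change ticket, port number and log record is made up for illustration; the protocol ports are assumptions about a particular site, not a standard.

```python
# Baseline-then-deviation detection over constructed OT flow and auth logs.
# Added example, not the article's code: all addresses, zones, hours, ports,
# change tickets and log lines are constructed for illustration.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed zone map keyed by address prefix (Purdue-style zones).
ZONES = {"10.1.": "IT", "10.2.": "DMZ", "10.3.": "OT", "10.4.": "OT"}
# Constructed: the only hosts permitted to speak controller-programming protocols.
ENGINEERING_WORKSTATIONS = {"10.3.0.10", "10.3.0.11"}
ENGINEERING_PORTS = {44818, 102}  # EtherNet/IP explicit messaging, S7comm (assumed)
DAY_SHIFT = range(6, 18)  # assumed control-room day-shift hours
# Constructed approved change window; the ticket ID is hypothetical.
CHANGE_WINDOWS = [("CHG-0001", datetime(2024, 3, 12, 22), datetime(2024, 3, 13, 2))]
AUTH_FAIL_THRESHOLD, AUTH_FAIL_WINDOW = 5, timedelta(minutes=10)

# Constructed learning-period flows: "<iso-ts> <src> <dst> <dport> <bytes>"
LEARNING_FLOWS = """\
2024-03-11T09:00:00 10.3.0.10 10.4.0.5 44818 1200
2024-03-11T10:00:00 10.2.0.20 10.4.0.5 502 300
2024-03-11T22:30:00 10.2.0.20 10.4.0.5 502 300
""".splitlines()
# Constructed flows from a later day, to run the rules against.
LIVE_FLOWS = """\
2024-03-13T01:00:00 10.1.0.50 10.3.0.10 3389 5000
2024-03-13T09:10:00 10.3.0.10 10.4.0.5 44818 1500
2024-03-13T09:20:00 10.1.0.50 10.4.0.5 44818 900
2024-03-13T10:00:00 10.2.0.20 10.4.0.5 502 300
2024-03-13T23:15:00 10.3.0.11 10.4.0.7 102 2200
""".splitlines()
# Constructed auth events: "<iso-ts> <src> <user> <OK|FAIL>"
AUTH_EVENTS = """\
2024-03-13T09:00:00 10.3.0.10 op_day OK
2024-03-13T09:12:00 10.1.0.50 admin FAIL
2024-03-13T09:12:10 10.1.0.50 engineer FAIL
2024-03-13T09:12:20 10.1.0.50 plc_svc FAIL
2024-03-13T09:12:30 10.1.0.50 root FAIL
2024-03-13T09:12:40 10.1.0.50 operator FAIL
2024-03-13T09:30:00 10.3.0.10 op_day FAIL
""".splitlines()

def zone_of(ip):
    return next((z for p, z in ZONES.items() if ip.startswith(p)), "UNKNOWN")

def shift_of(ts):
    return "day" if ts.hour in DAY_SHIFT else "night"

def change_ticket_for(ts):
    """Approved change ticket covering ts, or None."""
    return next((t for t, s, e in CHANGE_WINDOWS if s <= ts <= e), None)

def parse_flow(line):
    ts, src, dst, dport, nbytes = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "dport": int(dport), "bytes": int(nbytes)}

def build_baseline(lines):
    """Per-shift set of (src, dst, dport) tuples seen during the learning period."""
    baseline = defaultdict(set)
    for f in map(parse_flow, lines):
        baseline[shift_of(f["ts"])].add((f["src"], f["dst"], f["dport"]))
    return baseline

def detect_flows(lines, baseline):
    """Return (rule, src, dst) alerts. Specific rules outrank the generic baseline
    rule; an approved change window suppresses cross-zone and deviation alerts
    but not engineering-protocol use from an unauthorized host."""
    alerts = []
    for f in map(parse_flow, lines):
        fired = []
        approved = change_ticket_for(f["ts"]) is not None
        if zone_of(f["src"]) == "IT" and zone_of(f["dst"]) == "OT" and not approved:
            fired.append("cross_zone_it_to_ot")
        if f["dport"] in ENGINEERING_PORTS and f["src"] not in ENGINEERING_WORKSTATIONS:
            fired.append("eng_tool_unexpected_host")
        key = (f["src"], f["dst"], f["dport"])
        if not fired and not approved and key not in baseline.get(shift_of(f["ts"]), set()):
            fired.append("baseline_deviation")  # catches off-shift and new-device activity
        alerts.extend((rule, f["src"], f["dst"]) for rule in fired)
    return alerts

def detect_auth_bursts(lines):
    """Sliding-window failure count per source; at most one alert per source."""
    recent, alerted = defaultdict(deque), []
    for line in lines:
        stamp, src, _user, result = line.split()
        if result != "FAIL":
            continue
        ts, q = datetime.fromisoformat(stamp), recent[src]
        q.append(ts)
        while ts - q[0] > AUTH_FAIL_WINDOW:  # q is non-empty: ts was just appended
            q.popleft()
        if len(q) >= AUTH_FAIL_THRESHOLD and src not in alerted:
            alerted.append(src)
    return [("auth_failure_burst", src) for src in alerted]

if __name__ == "__main__":
    baseline = build_baseline(LEARNING_FLOWS)
    for alert in detect_flows(LIVE_FLOWS, baseline) + detect_auth_bursts(AUTH_EVENTS):
        print(alert)
```

Run as a script, the example reports the IT host's direct EtherNet/IP session to a controller twice (cross-zone and unauthorized engineering host), the night-shift S7comm session from an authorized workstation to a controller the baseline never saw it touch, and the password-guessing burst from the same IT host; the RDP session into the engineering workstation at 01:00 is silent because it falls inside the approved change window. The precedence in detect_flows is a design choice: a flow that already matched a high-confidence rule should not also raise a generic deviation alert, and the change window suppresses only the rules whose false positives a ticket legitimately explains.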
Tuning and Refinement
Build SIEM rules incrementally, starting with high-confidence detections and expanding as baselines mature. Accept initial false positives as the cost of learning your environment. Over time, baselining and tuning reduce noise and improve signal. If you'd like to discuss OT SIEM implementation, rule tuning, or detection strategy for your facility, reach out.
This article was written by the Cascadia OT Security practice, which advises Pacific Northwest data centers and manufacturers on industrial cybersecurity. For engagement inquiries, reach our practice team.