What is OT/ICS SIEM?  

Traditional IT SIEM tools combine Security Event Monitoring (SEM) with Security Information Management (SIM) to integrate insight into alerts and events for analysis and incident response from a typical IT cyber security perspective. 

However, OT environments have different types of devices, usage scenarios and skill sets, so an OT/ICS-specific SIEM needs to provide additional operational data insights relevant to those knowledgeable in control systems.  In other words, an effective SIEM is invaluable to OT security teams and engineers.

OT/ICS SIEM platforms integrate the same security functions as their IT brethren, but with operational data to provide a unique risk perspective that traditional IT SIEM cannot do natively. Key additions include:

  • OT/ICS specific threat detection
  • Device performance data
  • Accurate identification of OT assets
  • Alarm management data from process sensors and indicators

While most of the industry is focused on passive network analysis to detect network borne threats, the Verve OT/ICS SIEM aggregates key real-time data directly from connected endpoints, rather than just from network traffic. This includes host logs, syslog, performance information, configuration changes, and network dataflows such as Netflow, but also can be an absolute game changer when detecting threats in OT environments.

This direct endpoint data enables visibility without the need for additional hardware taps or span ports throughout the network, which has a number of advantages including a reduction of implementation costs, but can also be enhanced with complementary data sources provided by passive network detection solutions. 

Why use an OT/ICS SIEM? 

Some clients ask if we can forward our SIEM information to their corporate/IT instance, and, of course, we can. But there is value in maintaining a separate (or isolated) OT/ICS SIEM for several reasons:

  • Unique OT/ICS threat detection and incident response
  • Enable OT personnel to conduct root cause analysis on data
  • Reduce potential security false positives that would be alarming in IT environments, but are business as usual in OT
  • Aggregate operational alarms, device reliability and security data enhances security and reliability
  • Reduce cost by only sending critical log/alert data to corporate log management solutions
  • Accelerate and improve network segmentation and design efforts by monitoring flows and logs
  • Identify potential system failures (or impending issues) that often arise with failing hardware, legacy technology, or over saturated resources

The Verve OT/ICS SIEM also allows for rapid response actions using the Verve remediation platform. As alerts are identified, OT personnel close ports, remove users, patch systems, etc. in a way that is controlled by the OT engineering team to ensure rapid, but reliable event response.

SIEM in the Verve Security Center

Detect Anomalies

Detect anomalous patterns in behavior that indicate potential threats in environment

DCS Alarm Management

Integrated operational alarms simplify tasks of operator and improve event and incident response

OT/ICS Signals & Alerts

OT/ICS specific signals create alerts which can be sent to critical parties for vulnerability management, risk and compliance

Request a Demo

Speak with one of our ICS experts to learn how Verve’s SIEM solution makes investigation easier with centralized reporting

Request a Demo