@whereisthespai @hacks4pancakes yeah I'm thinking I should probably just tackle it from the perspective of having any view at all beyond the most basic AV/EDR, since the orgs I generally work with don't have the security maturity to be spinning up and operating a full custom SIEM with all the trimmings. I do tend to recommend pushing middleware alerts to off-site syslog so they've got some backup in case of ransomware or wipers.
@gsuberland @whereisthespai @hacks4pancakes I have seen quite sensible requirements from shipyards handed to contractors/Tier 1+ manufacturers. But most of this falls with the essential non-existence of physical security while a ship is in harbour.
With land-based OT, these do a lot of good research: https://www.tha.de/en/Computer-Science/HSA-innos.html
@wamserma @whereisthespai @hacks4pancakes the IMO also created new regs as of January 2023 to try to ensure remote monitoring has sufficient isolation and security assurance.