@hacks4pancakes @gsuberland fwiw, I concur on this. Even industrial-specialized monitoring systems aren’t going to be all that great out of the box for a random environment and basic architecture along with asset inventories are far more crucial to start with.
Some systems basically need a customized SIEM that's kept tuned to the specific environment month to month to actually give any value on monitoring how it runs, just because not all systems even manage meaningful logs.
For perspective, there are actively used code bases where the lower levels don’t have the concept of a user. Fundamentally they have all the cybersecurity and access control of a manual valve you’ve got your hand on.
@whereisthespai @hacks4pancakes yeah I'm thinking I should probably just tackle it from the perspective of having any view at all beyond the most basic AV/EDR, since the orgs I generally work with don't have the security maturity to be spinning up and operating a full custom SIEM with all the trimmings. I do tend to recommend pushing middleware alerts to off-site syslog so they've got some backup in case of ransomware or wipers.
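One concrete shape for the off-site syslog forwarding recommended in the post above, added here as an illustration and not code from any of the posters: an rsyslog client config showing the weak form (plaintext UDP to a collector on the same network, so it is readable on the wire, silently dropped under load, and wiped along with everything else) beside a hardened form that forwards over TLS to an off-site collector with a disk-assisted queue so alerts buffered during a link outage still arrive. The hostnames, ports, certificate paths and the `middleware` program name are placeholders and assumptions, not values from the thread.

```conf
# --- Weak: plaintext UDP, fire-and-forget, no buffering, no peer authentication ---
# *.* @collector.ot.internal:514

# --- Hardened: mutual TLS over TCP to an off-site collector, with a persistent queue ---
# Certificate paths are placeholders; the CA should be one the collector also trusts.
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/rsyslog.d/tls/ca.pem"
  DefaultNetstreamDriverCertFile="/etc/rsyslog.d/tls/client-cert.pem"
  DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/tls/client-key.pem"
)

# Only forward the middleware's alert stream (program name is an assumption);
# everything else stays local so the off-site link is not flooded.
if $programname == "middleware" then {
  action(
    type="omfwd"
    target="syslog-offsite.example.net" port="6514" protocol="tcp"
    StreamDriver="gtls" StreamDriverMode="1"          # 1 = TLS only, never fall back to cleartext
    StreamDriverAuthMode="x509/name"                  # verify the collector's certificate CN/SAN
    StreamDriverPermittedPeers="syslog-offsite.example.net"
    queue.type="LinkedList" queue.filename="offsite_fwd"   # disk-assisted queue survives restarts
    queue.maxDiskSpace="1g" queue.saveOnShutdown="on"
    action.resumeRetryCount="-1"                       # retry forever instead of discarding
  )
}
```

The point of the queue and retry settings is the ransomware/wiper case: if the collector is unreachable for a while, the client keeps the alerts on local disk and delivers them when the link returns, and because the copy of record lives off-site it is not in reach of whatever is trashing the plant network.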
@gsuberland @whereisthespai @hacks4pancakes I have seen quite sensible requirements from shipyards handed to contractors/Tier 1+ manufacturers. But most of this falls with the essential non-existence of physical security while a ship is in harbour.
With land-based OT, these do a lot of good research: https://www.tha.de/en/Computer-Science/HSA-innos.html
@wamserma @whereisthespai @hacks4pancakes the IMO also created new regs as of January 2023 to try to ensure remote monitoring has sufficient isolation and security assurance.