OT and IT: Two worlds, one security strategy
An exclusive article by Chris Rock, CISO of SIEMonster
SIEMonster is a flexible SIEM and SOC platform designed specifically for MSSPs and enterprises that require scalable and customizable cybersecurity solutions. Developed by industry experts, it provides automated threat detection, data enrichment and transparent reporting - with no hidden costs or vendor lock-in. Suitable for organizations of all sizes, SIEMonster delivers reliable, modern protection against cyber threats and supports continuous development to meet current security requirements.
OT or IT security
Why it makes no difference to RIEDEL Networks
It's been great to see that some of the recent conferences I've attended have covered both Operational Technology (OT) and Information Technology (IT) security together - something I've never experienced in my career to date. Events like Hou.Sec.Con in Houston (USA) and most recently IT-Sec Expo in Nuremberg (Germany) are finally treating OT and IT as equal topics in the cyber security discussion.
At IT-Sec Expo, I had the privilege of joining my good friends from RIEDEL Networks at their booth. There we spoke to visitors from both worlds - IT professionals who see OT as an often overlooked risk, and OT professionals who have similar security concerns but face very different challenges.
For those less familiar with the topic: The traditional distinction between OT and IT has always been clear. Operational Technology (OT) refers to the hardware and software that monitors, controls and manages physical processes and industrial equipment - for example in production facilities, energy supply companies or in the oil and gas industry. Information Technology (IT), on the other hand, comprises traditional computers, servers and cloud infrastructures.
For many companies, especially IT security teams, OT environments remain largely a mystery - they only occasionally overlap via the Internet of Things (IoT). But in industries such as utilities, oil & gas and manufacturing, the OT landscape is vast. The key difference is that cyber incidents in OT environments can have a physical impact in the real world. An attack on an IT system can disrupt business operations - but an attack on an OT system can endanger human lives. Think of blast furnaces at 1,800°C or robotic arms moving at high speed across the production floor - if these systems are compromised, the danger is immediate and serious.
At the stand, I noticed that many OT companies approached us cautiously at first - looking for SIEM solutions for their OT environments. A common misconception was that integrating OT protocols into a SIEM was difficult or even impossible. But our philosophy at SIEMonster has always been simple:
"If a device can generate an event, we can capture and process it."
We collect events from all levels - from field devices and PLCs to central SCADA systems and network traffic - without having to install agents where this is not technically possible.
Perhaps I take this capability for granted because SIEMonster has been doing this successfully for over a decade. Our first customer was a global steel manufacturer - a company with a huge IT infrastructure (over 10,000 employees in sales, marketing, finance and legal) and a complex OT environment with blast furnaces, robotic arms, paint shops and SCADA/PLC systems. In short: SIEMonster was forged in fire. For us, the integration of IT and OT logs has always been part of our daily business.
SCADA and SIEM
In SCADA (Supervisory Control and Data Acquisition) environments, data does not flow directly from each sensor to a central controller. These systems are multi-layered and each layer represents a potential SIEM entry point.
- Sensors and field devices form the basis - e.g. temperature sensors, flow meters or pressure sensors that generate analog or digital signals. These usually send their data to local controllers, not directly to the central system.
- PLCs and RTUs (Programmable Logic Controllers / Remote Terminal Units) collect data from these sensors, execute local control logic (e.g. opening a valve if the pressure is too high), and can log or summarize events before sending them to the central SCADA or HMI system.
- At the top level, the SCADA/HMI layer consolidates data from all PLCs and RTUs, stores it in a historian and provides operators with dashboards, alarms and trend analysis to ensure a complete overview of plant status.
SCADA implementations vary depending on the industry - from nuclear energy and water treatment to petrochemicals and robotics - and they offer no uniform standards or rules that would make our work as architects easier. One principle nevertheless remains universal: if a device generates an event, we can capture it. Whether from the network layer (taps), through automated queries or with the help of agents, SIEMonster can capture these events, feed them into the SIEM, and correlate and analyze them in real time.
Event classification
The classification of events plays a crucial role in these solutions. In many cases, OT environments are customized - developed according to very specific requirements. This results in unique log data that differs greatly in its significance.
An example:
A low flow in a nuclear power plant cooling system would have a much higher priority than a low flow warning in a wastewater system.
On the other hand, in a water treatment plant, an alarm indicating harmful chemicals after treatment would have a higher priority than a slight decrease in power consumption in the nuclear power plant. A SIEM system that processes such alerts must therefore be able to take these differences in importance and urgency into account and prioritize them accordingly.
Example: Logging in a nuclear environment
An example of a logged message from a nuclear SCADA environment could look like this:
<10>1 2025-10-23T10:30:05+00:00 SCADA-Server01 CitectSCADA - - - [Alarm] Tag: Pump01_Pressure Value: 120 PSI State: ACTIVE Area: Reactor_1_cooling
This example message contains several unique pieces of information that can be identified and prioritized. First, the data must be split into key-value pairs (KVPs) so that they can be processed consistently and reliably. In the SIEMonster environment, a so-called decoder based on regular expressions (regex) - either PCREGEX or OSREGEX - is created for this purpose.
The following logical fields can be extracted from the sample data:
- Event Type: Alarm
- Item_monitor: Pump01_Pressure
- Value: 120 (without "PSI", so that the value can be processed as a number)
- State: ACTIVE
- Area: Reactor_1_cooling
A simple decoder could automatically recognize these fields and convert them into structured data. The output would then be prepared accordingly for visualization and analysis in the SIEM system.
To extract these, a rudimentary decoder would look like this: (decoder shown as an image; not reproduced in the text)
The output would then look as follows: (output shown as an image; not reproduced in the text)
Visualization: (dashboard shown as an image; not reproduced in the text)
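To make the decoding and prioritization steps above concrete, here is an added example in Python that is not part of the original article and is not SIEMonster's own decoder code. It splits the page's sample message into the RFC 5424 syslog header and the CitectSCADA alarm body, extracts the logical fields listed above (with Value converted to a number and the unit kept separately), and then applies a small, hypothetical site-specific priority table that reproduces the reasoning from the "Event classification" section: the same kind of alarm is ranked differently depending on whether it comes from a nuclear cooling loop or a wastewater plant. The second sample line, the rule table and the field names are constructed for this example.

```python
import re
from typing import Optional

# Constructed sample events. The first is the page's example line; the second is a
# constructed wastewater alarm of the same shape so the two sites can be compared.
SAMPLE_NUCLEAR = (
    "<10>1 2025-10-23T10:30:05+00:00 SCADA-Server01 CitectSCADA - - - "
    "[Alarm] Tag: Pump01_Pressure Value: 120 PSI State: ACTIVE Area: Reactor_1_cooling"
)
SAMPLE_WASTEWATER = (
    "<13>1 2025-10-23T10:31:44+00:00 SCADA-WW02 CitectSCADA - - - "
    "[Alarm] Tag: Inlet_Flow Value: 3.5 m3/h State: ACTIVE Area: Screening_Channel"
)

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOST APP PROCID MSGID SD MSG.
# The sample uses "-" for the structured-data element; a real "[id k=v]" block
# would need a dedicated SD parser instead of the simple \S+ used here.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d) (?P<timestamp>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<sd>\S+) (?P<msg>.*)$"
)

# Alarm body: [EventType] Tag: X Value: N [UNIT] State: S Area: A
# The numeric value and its unit are captured separately so Value stays a number.
BODY_RE = re.compile(
    r"^\[(?P<event_type>\w+)\] Tag: (?P<item_monitor>\S+) "
    r"Value: (?P<value>-?\d+(?:\.\d+)?)(?: (?P<unit>[A-Za-z0-9/%°]+))? "
    r"State: (?P<state>\w+) Area: (?P<area>\S+)$"
)


def decode(line: str) -> Optional[dict]:
    """Turn one syslog line into key-value pairs; return None if it does not match."""
    header = HEADER_RE.match(line)
    if not header:
        return None
    fields = header.groupdict()
    body = BODY_RE.match(fields.pop("msg"))
    if not body:
        return None
    fields.update(body.groupdict())
    # PRI encodes facility*8 + severity; keep both as integers for later rules.
    pri = int(fields["pri"])
    fields["pri"] = pri
    fields["facility"] = pri // 8
    fields["severity"] = pri % 8
    # Value without the unit, parsed as int or float so thresholds can be compared.
    raw = fields["value"]
    fields["value"] = float(raw) if "." in raw else int(raw)
    return fields


# Hypothetical site-specific priority rules: (site_type, field, regex, priority).
# First match wins; an event matching no rule falls back to its syslog severity.
PRIORITY_RULES = [
    ("nuclear", "area", r"cooling", "critical"),          # any alarm in a cooling loop
    ("nuclear", "item_monitor", r"Power_Consumption", "low"),
    ("water", "item_monitor", r"Chem|Chlorine", "critical"),  # chemicals after treatment
    ("wastewater", "item_monitor", r"Flow", "medium"),     # low flow is routine here
]

# Syslog severity 0-7 mapped to a coarse priority when no site rule applies.
SEVERITY_FALLBACK = {0: "critical", 1: "critical", 2: "critical", 3: "high",
                     4: "medium", 5: "low", 6: "low", 7: "low"}


def prioritize(event: dict, site_type: str) -> str:
    """Rank a decoded event according to the site it came from."""
    for rule_site, field, pattern, priority in PRIORITY_RULES:
        if rule_site == site_type and re.search(pattern, str(event.get(field, ""))):
            return priority
    return SEVERITY_FALLBACK[event["severity"]]


if __name__ == "__main__":
    for line, site in ((SAMPLE_NUCLEAR, "nuclear"), (SAMPLE_WASTEWATER, "wastewater")):
        event = decode(line)
        print(site, prioritize(event, site), {k: event[k] for k in
              ("event_type", "item_monitor", "value", "unit", "state", "area")})
```

Running the module decodes both constructed lines and prints their fields with the priority assigned per site. The design point is that the decoder only normalizes; the judgement about urgency lives in a separate, per-site rule table, which is what lets the same CitectSCADA message format be reused across very different plants without rewriting the regex.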
Conclusion
For us, this integration is second nature. OT and IT have always been part of the same security ecosystem for us. Over the years, we have worked with Hewlett Packard (HP) on BIOS security and event logging projects and have supported numerous OT companies in North America and the Middle East - particularly in the power and critical infrastructure sectors.
Thanks to our partnership with RIEDEL Networks in Germany - a company with deep expertise and high credibility in the OT space - SIEMonster and RIEDEL jointly deliver a unified enterprise-grade SIEM solution that secures IT and OT infrastructures under a common, powerful interface.