Presenter:
This session argues that OT security teams are sitting on valuable detection data—they’re just not using it. Critical signals already exist across industrial environments, but they’re overlooked, uncollected, or not operationalized.
Key takeaways
- The data is already there
  - Logs from PLCs, HMIs, historians, network gear
  - Engineering workstations and control systems generate signals
  - Most of it is ignored or never centralized
- Visibility gaps are self-inflicted
  - Teams focus on adding new tools instead of using existing telemetry
  - Logging isn’t enabled, retained, or analyzed properly
  - Blind spots persist even in “monitored” environments
- OT logging is different—and misunderstood
  - Not as standardized as IT logs
  - Requires context about industrial processes
  - Without that context, signals look like noise
- Detection requires context, not just data
  - You need to understand what “normal” looks like on the plant floor
  - Process-aware monitoring is critical
  - Otherwise, meaningful anomalies get missed
- Integration is where things break down
  - OT data isn’t flowing into SIEM/SOC workflows effectively
  - Security teams and engineers don’t share visibility
  - Insights stay siloed and unused
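The "context, not just data" and "what normal looks like" points above are easier to see in code. The following is an added example, not material from the session or the presenter: a small screening pass over constructed OT log lines, where an engineer-supplied context (expected setpoint range, which hosts are allowed to write a tag, which workstations may push PLC programs and during which hours) turns otherwise meaningless events into findings. The log format, host names, tag names and all values are assumptions made up for the example.

```python
import re
from datetime import datetime

# Constructed sample lines (not real plant data). The format is a hypothetical
# syslog-style export: "<iso-ts> <source> <event> tag=<tag> value=<n> [user=<u>]"
SAMPLE_LOGS = [
    "2024-03-04T08:00:05 hmi-01 TAG_WRITE tag=PumpA.Setpoint value=55.0 user=operator",
    "2024-03-04T08:05:10 hist-01 TAG_VALUE tag=PumpA.Flow value=54.2",
    "2024-03-04T09:12:00 ews-02 PLC_DOWNLOAD tag=PLC-LINE1 value=1 user=vendor",
    "2024-03-04T02:40:33 hmi-01 TAG_WRITE tag=PumpA.Setpoint value=140.0 user=operator",
    "2024-03-04T10:00:00 hmi-01 TAG_WRITE tag=PumpA.Setpoint value=57.5 user=operator",
    "2024-03-04T22:15:00 ews-01 PLC_DOWNLOAD tag=PLC-LINE1 value=1 user=engineer",
    "2024-03-04T11:30:00 ews-02 TAG_WRITE tag=PumpA.Setpoint value=60.0 user=vendor",
    "2024-03-04T11:31:00 hmi-01 TAG_WRITE tag=Valve7.Cmd value=1 user=operator",
]

# Process context a control engineer would supply. These are assumed values
# for the example; without them every write below is just "a write".
TAG_CONTEXT = {
    "PumpA.Setpoint": {"range": (40.0, 80.0), "writers": {"hmi-01"}},
}
DOWNLOAD_SOURCES = {"ews-01"}      # workstations expected to push PLC programs
MAINTENANCE_HOURS = range(6, 18)   # local hours in which downloads are normal

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<source>\S+) (?P<event>\S+) "
    r"tag=(?P<tag>\S+) value=(?P<value>\S+)(?: user=(?P<user>\S+))?$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["value"] = float(ev["value"])
    return ev


def _finding(ev, reason):
    return {"ts": ev["ts"].isoformat(), "source": ev["source"],
            "tag": ev["tag"], "reason": reason}


def screen(lines, tag_context=TAG_CONTEXT, download_sources=DOWNLOAD_SOURCES,
           maintenance_hours=MAINTENANCE_HOURS):
    """Apply process context to raw events.

    Returns findings (events that contradict the supplied context) and the
    writes for which no context exists, which is the "noise" the session
    describes: real signals that nobody can interpret yet.
    """
    findings, uncontextualized = [], []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["event"] == "TAG_WRITE":
            ctx = tag_context.get(ev["tag"])
            if ctx is None:
                uncontextualized.append(ev)
                continue
            lo, hi = ctx["range"]
            if not lo <= ev["value"] <= hi:
                findings.append(_finding(ev, "setpoint_out_of_process_range"))
            if ev["source"] not in ctx["writers"]:
                findings.append(_finding(ev, "write_from_unexpected_source"))
        elif ev["event"] == "PLC_DOWNLOAD":
            if ev["source"] not in download_sources:
                findings.append(_finding(ev, "download_from_unexpected_source"))
            elif ev["ts"].hour not in maintenance_hours:
                findings.append(_finding(ev, "download_outside_maintenance_window"))
        # TAG_VALUE and other events are kept for baselining; no rule here.
    return {"findings": findings, "uncontextualized": uncontextualized}


if __name__ == "__main__":
    result = screen(SAMPLE_LOGS)
    for f in result["findings"]:
        print(f"{f['ts']} {f['source']} {f['tag']}: {f['reason']}")
    print(f"{len(result['uncontextualized'])} write(s) had no process context")
```

The point of the example is the ratio: the same eight lines yield four findings once context exists, while the write to `Valve7.Cmd`, which nobody has described, stays uninterpretable. Centralizing the logs into a SIEM is necessary but not sufficient; the `TAG_CONTEXT` table is what engineers and security teams have to build together.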