Monitoring and Maintenance

The monitoring and maintenance of cybersecurity are important components of a defense-in-depth approach.

Monitoring

Through proactive monitoring, intrusion attempts can be detected and stopped before they can do any damage. There are several methods of monitoring a network for suspicious activity. They include, but are not limited to:

Select from the options below to display the details required:

  • Monitor device event logs for unusual activity.

  • Monitor MS Windows Event Viewer (Control Panel/Administrative tools/Event Viewer/Application Log) for unusual activity.

  • Monitor log files produced by devices, for example:

    • Programmable automation controller (PAC) log files.

    • Alarm log files from PACs and other devices.

    • Diagnostic log files such as those produced by managed Ethernet switches.

    • Syslog files such as those produced by industrial firewalls.

  • Enable Simple Network Management Protocol (SNMP) authentication traps on all devices that support SNMP to monitor for unauthorized log in attempts.

  • Use network diagnostic tools to monitor and immediately investigate unusual traffic load.

An Intrusion Detection System (IDS) serves as a digital surveillance layer, monitoring network activity to log and report traffic anomalies that may indicate a security threat. A typical IDS tracks patterns such as file access, port status changes, failed authentication attempts, and hardware malfunctions to maintain environment integrity.

Types of IDS include:

  • Network intrusion detection system (NIDS) - This system monitors and analyzes traffic across an entire network segment by inspecting individual data packets moving to and from all connected devices. To gain this visibility without disrupting the flow of data, a NIDS typically collects traffic through a TAP (Test Access Point), which provides a physical copy of the data stream, or via Port Mirroring (SPAN), which configures a switch to mirror traffic to the NIDS sensor. These are strategically positioned at network boundaries or within Demilitarized Zones (DMZs) to act as a perimeter watchtower.

  • Host intrusion detection system (HIDS) - Unlike network-wide tools, a HIDS is a software agent installed directly on an individual host or endpoint. It provides deep visibility into the internal workings of that specific device by analyzing system calls, application logs, and modifications to critical system files. By monitoring the host’s internal state and "behavioral" signatures, it can detect localized threats—such as unauthorized privilege escalation or file integrity changes—that a NIDS might miss.

A Security Information and Event Management (SIEM) system acts as a centralized intelligence hub that aggregates and analyzes security data from across the entire IT/OT infrastructure. It functions by embedding and normalizing data from diverse sources: it ingests Log files from operating systems and applications to track user activity, utilizes Simple Network Management Protocol (SNMP) traps to monitor the health and status of network devices, and integrates alerts from IDS sensors to provide context to potential threats. By correlating this data in real-time, a SIEM can identify complex attack patterns that individual tools might miss, providing a comprehensive "single pane of glass" for security orchestration and incident response.

Maintenance

Continual maintenance of a control system includes the scheduled routine updating of anti-virus software with the latest signatures and installing the latest patches for software and firmware used on devices in the network.

A regular assessment and test of the control system network for security risks should be performed. Check that device configurations are appropriate with security in mind using the latest security standards and practices and update as and when required.

See An Example of Network Security Architecture and Methods of Attack for details.

Last update - February 2026