Listen to this Post

Introduction:
Operational Technology (OT) Security Information and Event Management (SIEM) is often perceived as an insurmountable challenge due to the complexity of bridging IT security protocols with industrial control systems. The key to demystifying this field lies in moving beyond theoretical slides to practical, hands-on experience with real-world data, allowing professionals to understand how to collect, parse, and analyze logs from critical infrastructure.
Learning Objectives:
- Build and configure a functional OT/DMZ/IT lab environment that generates realistic traffic and logs.
- Deploy and set up Splunk to ingest OT-specific data sources and differentiate critical events from noise.
- Develop and implement six Programmable Logic Controller (PLC) use cases to cover approximately 80% of common OT SIEM detection scenarios.
You Should Know:
1. Building the OT/DMZ/IT Lab Environment
The foundation of any OT security strategy is understanding the network architecture that separates the operational floor from the corporate enterprise. In this masterclass, participants construct a simulated environment that includes a PLC (Programmable Logic Controller) generating live traffic, a DMZ (Demilitarized Zone) for data historians and jump boxes, and an IT network where the SIEM resides.
To replicate this locally, you can use virtualization tools like VMware or VirtualBox. The goal is to create a network where OT devices (simulated via tools like `pylogix` or Snap7) communicate using protocols like Modbus/TCP or S7comm, while the SIEM collector sits on the DMZ network to ensure a secure, one-way data flow where possible.
Step-by-step guide to generating OT traffic:
If you are using a Linux-based machine to simulate PLC traffic, you can use `nmap` to scan for industrial services or use Python scripts to generate logs.
Example: Simulating Modbus traffic using Python on Linux
pip install pymodbus
python -c "from pymodbus.client import ModbusTcpClient; client = ModbusTcpClient('192.168.1.10'); client.connect(); client.write_coil(1, True); client.close()"
On Windows, you can use tools like `Modbus Poll` to simulate a master device. For network traffic capture, use `Wireshark` with filters `modbus` or `s7comm` to validate that data is flowing from your simulated PLC to the network segment where your forwarder resides.
2. Configuring the Data Collection Flow
Once the environment generates traffic, the next step is configuring the log collection. In OT, you cannot simply install an agent on a PLC. Instead, you must rely on syslog relays, network taps, or port mirroring. For this exercise, we configure a universal forwarder on a Linux host in the DMZ that ingests syslog data from network switches and PLC logs from a simulation tool.
Step-by-step guide to setting up a Splunk Universal Forwarder:
1. Installation: Download the Splunk Universal Forwarder from the official site.
2. On Linux (Debian/Ubuntu):
wget -O splunkforwarder.deb 'https://www.splunk.com/en_us/download/universal-forwarder.html' sudo dpkg -i splunkforwarder.deb sudo /opt/splunkforwarder/bin/splunk start --accept-license
3. On Windows: Run the MSI installer with administrative privileges.
4. Configure Inputs: Navigate to `/opt/splunkforwarder/etc/system/local/inputs.conf` on Linux or `C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf` on Windows.
[monitor:///var/log/syslog] index = ot_network sourcetype = syslog disabled = false
5. Configure Outputs: In outputs.conf, specify your Splunk Indexer or Heavy Forwarder IP.
[bash] defaultGroup = primary [tcpout:primary] server = 10.0.0.50:9997
6. Restart the forwarder: `sudo /opt/splunkforwarder/bin/splunk restart`
3. Deploying and Setting Up Splunk
With data flowing, the core of the exercise is the Splunk deployment. This involves setting up an indexer, configuring parsing rules, and creating knowledge objects specific to OT. The masterclass emphasizes indexing strategies to manage high-volume OT data (like process variables) separately from security events.
Step-by-step guide for initial Splunk setup on a Linux server:
1. Download and Install Splunk Enterprise:
wget -O splunk-9.x.tgz 'https://www.splunk.com/en_us/download/splunk-enterprise.html' tar -xzf splunk-9.x.tgz cd splunk ./bin/splunk start --accept-license
2. Set Admin Password:
./bin/splunk edit admin -password <YourStrongPassword>
3. Configure an Index for OT Data: Using the Splunk Web UI (port 8000) or CLI:
./bin/splunk add index ot_security -datatype event -homePath /data/ot_security/db
4. Enable Receiving on port 9997: This allows forwarders to send data.
./bin/splunk enable listen 9997
4. Creating PLC Use Cases (Detection Logic)
The most valuable part of the hands-on session is transforming raw logs into actionable detections. Six PLC use cases typically cover unauthorized access attempts, firmware changes, logic uploads/downloads, state changes, and communication faults. Using Splunk’s Search Processing Language (SPL), participants learn to query for anomalies.
Step-by-step guide to writing a detection for unauthorized PLC access:
Assume we are ingesting logs from a PLC security event log or a network sensor.
1. Identify the Data: Ensure you have a sourcetype named `plc_events` or network_traffic.
2. Write the SPL Query: Search for specific error codes or source IPs.
index=ot_network sourcetype=plc_events "Access Denied" OR "Connection Refused" | where src_ip NOT IN (trusted_engineering_workstations) | table _time, src_ip, dest_plc, event_message | sort - _time
3. Create an Alert: In Splunk, save this search as an alert to trigger when the condition is met.
index=ot_security "Write Access" plc_program | stats count by user, src_ip, dest_plc | where count > 5 within 10 minutes
5. SIEM Architecture Hardening for OT
Unlike IT, OT environments cannot tolerate resource-heavy agents or active scanning. The masterclass discusses configuring Splunk to act as a passive collector. This involves tuning the `limits.conf` to manage concurrent searches, setting up a search head cluster for availability, and ensuring the DMZ forwarder has no inbound firewall rules to the OT network, only outbound.
Step-by-step guide to configuring a heavy forwarder as a syslog server:
To accept syslog from OT devices that cannot run a universal forwarder:
1. Install a Heavy Forwarder (similar to Universal Forwarder but with full Splunk processing).
2. Configure syslog input: Edit `inputs.conf`.
[udp://514] connection_host = ip sourcetype = syslog_ot index = ot_network
3. Firewall Configuration: Ensure the Linux OS allows UDP 514.
sudo ufw allow 514/udp
6. Detection Engineering and Mitigation
The final step involves taking the alerts and building a response strategy. For OT, this is often about isolation and manual intervention. Participants practice using Splunk’s dashboards to visualize the Purdue Model (Levels 0-4) and map alerts to specific layers.
Step-by-step guide to building a “PLC Last Known Good Configuration” baseline:
1. Ingest baseline data: Configure the SIEM to ingest checksums of PLC ladder logic daily.
2. SPL for Change Detection:
index=ot_assets sourcetype=plc_checksum | streamstats latest(checksum) as prev_checksum by plc_name | where checksum != prev_checksum | table _time, plc_name, user, prev_checksum, checksum
3. Response: When triggered, the analyst can immediately correlate this change with engineering workstation logs to verify if a legitimate change occurred or if unauthorized code was uploaded.
What Undercode Say:
- Practicality Over Theory: The most effective way to learn OT SIEM is by building the environment yourself. Simulating traffic and configuring Splunk from scratch provides a deeper understanding than passive watching.
- Data is the Differentiator: Success in OT security hinges on knowing which logs matter. Focusing on PLC use cases and the Purdue Model helps filter out noise and focus on high-impact detections.
- Tool Mastery is Essential: Proficiency with Splunk SPL and Linux command-line tools (like
tcpdump,nc, andsyslog-ng) is non-negotiable for security engineers aiming to secure industrial networks.
Prediction:
As the IT and OT convergence accelerates, the demand for professionals who can deploy and manage SIEM solutions in industrial environments will skyrocket. In the near future, hands-on, lab-based training like this will become the standard industry certification, replacing slide-based courses. The ability to not just analyze but generate and collect OT data will be a baseline skill for security operations centers (SOCs) protecting critical infrastructure.
▶️ Related Video (80% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Zakharb Ot – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


