OT Identity Bleed: Why Your Industrial Network Has a Blind Spot and How to Fix It + Video


Introduction

The convergence of Information Technology (IT) and Operational Technology (OT) has created a dangerous visibility gap. While security teams monitor network traffic and endpoint alerts, the human element remains fragmented across digital and physical domains. In most industrial environments, a single operator maintains three separate identities: an Active Directory account for IT access, a local login for an engineering workstation, and a badge ID for physical entry. This fragmentation prevents security systems from answering the most critical question during an incident: Was this specific person authorized to perform this specific action at this specific time? Bridging this gap requires converging identity management across IT, OT, and physical access control systems (PACS) to create a unified, auditable timeline of human activity.

Learning Objectives

  • Understand the security gaps created by fragmented identity management in converged IT/OT environments.
  • Learn how to map Active Directory accounts to local workstation logins and physical badge access data.
  • Implement a basic correlation framework using open-source tools to link human identity with control system events.

You Should Know:

1. Auditing the IT-OT Identity Gap

Before you can converge identity, you must understand the current state of fragmentation. In most organizations, an engineer’s IT network login (AD) is completely separate from their Engineering Workstation (EWS) local account. An attacker who compromises an EWS can operate anonymously if local logs don’t tie back to the central identity.

Step‑by‑step guide: Auditing Local Account Usage against AD

  1. On a Windows Engineering Workstation (Run as Administrator): Use `wmic` to list local users and compare them to domain accounts that have recently logged on.
    wmic useraccount get name,sid
    # On builds where wmic has been removed, Get-LocalUser gives the same list:
    Get-LocalUser | Select-Object Name, SID
    
  2. Check for recent interactive logons and map them to domain accounts using PowerShell. This script pulls logon events (Event ID 4624) and extracts the domain and username.
    # Pull the last 50 logon events and keep only interactive (2) and RDP (10) logon types
    Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624} -MaxEvents 50 | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = $xml.Event.EventData.Data
        $username  = $data | Where-Object {$_.Name -eq 'TargetUserName'}  | Select-Object -ExpandProperty '#text'
        $domain    = $data | Where-Object {$_.Name -eq 'TargetDomainName'} | Select-Object -ExpandProperty '#text'
        $logonType = $data | Where-Object {$_.Name -eq 'LogonType'}       | Select-Object -ExpandProperty '#text'
        if ($logonType -eq 2 -or $logonType -eq 10) {
            Write-Output "User: $domain\$username logged on interactively."
        }
    }
    
  3. Cross-reference this output with the physical access logs exported from your badge system. If you see a user logged into a workstation (Event ID 4624) but no badge-in event at the facility door within a reasonable timeframe, you have a potential identity gap or security incident.

2. Extracting Badge Access Data for Correlation

Physical Access Control Systems (PACS) are often the missing link. To correlate badge swipes with network activity, you need to export access logs in a machine-readable format.

Step‑by‑step guide: Parsing Badge Access Logs (Linux Environment)

Assume your PACS system exports a CSV log (access_log.csv) with fields: BadgeID, Name, Door, Timestamp.

1. View the raw data:

head -n 10 access_log.csv

2. Filter for entries from a specific engineer to see when they entered the facility or control room.

grep "John.Doe" access_log.csv | awk -F, '{print $4 " - " $3}'

3. Use `awk` to create a simplified timeline of a person’s physical presence. This can later be fed into a SIEM.

awk -F, '/John.Doe/ {print $4 "," $1 "," $3}' access_log.csv > john_doe_physical_timeline.csv

3. Mapping PLC Logic Changes to User Context

The ultimate goal is to know who changed a PLC’s logic. This requires extracting the SESSION context from the engineering software logs and merging it with the Windows Security Logs.

Step‑by‑step guide: Correlating a Siemens TIA Portal Project Change

1. Locate the Engineering Software Logs: TIA Portal logs actions locally. While proprietary, you can often find audit trails in Windows Event Logs under Applications and Services Logs.

2. Extract Process ID (PID) of the Engineering Session: Use PowerShell to find the process ID of the engineering software (e.g., Siemens.Automation).

# -Name matches the whole process name, so wildcards are needed for a substring match
Get-Process -Name "*TIA*","*Siemens*" -ErrorAction SilentlyContinue | Select-Object Name, Id, StartTime

3. Find the User Associated with that PID: Use the PID to trace back to the logon session. This requires parsing Security Logs for Logon/Logoff events and mapping them to process creation events (Event ID 4688).

# Find the process creation event for the specific PID.
# Requires "Audit Process Creation" to be enabled. In a 4688 event, Properties[4] is
# NewProcessId, stored as a hex string (e.g. 0x1a4c), so convert the decimal PID first.
$targetPid = YOUR_PID_HERE   # the Id column from the Get-Process output above
$pidHex = '0x{0:x}' -f [int]$targetPid
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688} |
    Where-Object { $_.Properties[4].Value -eq $pidHex } |
    Format-List TimeCreated, Message

This command reveals the user account that launched the engineering tool, linking the OT action to an IT identity.

4. Building a Unified “Person” Timeline with SQLite

To combine AD, OT, and PACS data, you can use a lightweight database like SQLite to create a single source of truth for a specific user.

Step‑by‑step guide: Creating a Correlation Database

1. Install SQLite (Linux/Windows) and create a database:

sqlite3 identity_correlation.db

2. Create tables for each data source:

CREATE TABLE ad_logons (timestamp TEXT, username TEXT, workstation TEXT);
CREATE TABLE badge_access (timestamp TEXT, badge_id TEXT, door TEXT);
CREATE TABLE plc_changes (timestamp TEXT, asset TEXT, file_name TEXT);

3. Import your CSV data:

.mode csv
.import --skip 1 ad_logons.csv ad_logons
.import --skip 1 badge_access.csv badge_access
.import --skip 1 plc_changes.csv plc_changes

4. Query to build a converged timeline for a user (e.g., ‘jsmith’): This joins badge access with AD logons based on time proximity.

SELECT
    ad.timestamp   AS Logon_Time,
    ad.workstation AS Workstation,
    badge.door     AS Door_Accessed,
    plc.asset      AS PLC_Modified
FROM ad_logons ad
LEFT JOIN badge_access badge ON ad.username = badge.badge_id
    AND ABS(strftime('%s', ad.timestamp) - strftime('%s', badge.timestamp)) < 300
LEFT JOIN plc_changes plc ON ad.username = plc.asset  -- Simplified join logic
    AND ABS(strftime('%s', ad.timestamp) - strftime('%s', plc.timestamp)) < 3600
WHERE ad.username = 'jsmith';

This query attempts to find badge swipes within 5 minutes of a logon, and PLC changes within an hour, linking them to the same person.

5. Configuring Sysmon for Enhanced Process-to-User Mapping

Sysmon (System Monitor) provides detailed process creation logs that include the hash and process GUID, which can be used to track user actions across reboots and sessions more reliably than standard Windows logs.

Step‑by‑step guide: Deploying Sysmon for OT Workstations

1. Download Sysmon from Microsoft Sysinternals.

2. Create a basic configuration file (sysmon_config.xml) to log process creation and network connections:

<Sysmon schemaversion="4.22">
  <EventFiltering>
    <ProcessCreate onmatch="exclude"/>
    <NetworkConnect onmatch="exclude"/>
  </EventFiltering>
</Sysmon>

Note: For OT, you typically want to log everything and filter later. An exclude rule with no conditions will log all events.

3. Install Sysmon with the config:

sysmon64 -accepteula -i sysmon_config.xml

4. Query Sysmon events (Event ID 1 for Process Creation) to link a user to a specific engineering tool launch:

# -like needs wildcards; without them only an exact match of the whole message would pass
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=1} -MaxEvents 20 | Where-Object {$_.Message -like "*TIA*" -or $_.Message -like "*Studio 5000*"} | Format-List TimeCreated, Message

This provides a forensic-grade record of exactly when a user executed an engineering application.

6. Implementing a Basic SIEM Correlation Rule (Sigma Logic)

To automate the detection of “identity gaps,” you can write a Sigma rule (a generic signature format for SIEMs) that triggers when a PLC change occurs without a preceding physical access event.

Conceptual Sigma Rule for Unauthorized OT Changes:

title: OT Logic Change Without Physical Presence
id: 12345678-90ab-cdef-1234-567890abcdef
status: experimental
description: Detects a PLC program change where the associated user did not badge into the facility within the last hour.
logsource:
    product: windows
    service: security
detection:
    selection_plc_change:
        EventID: 4688  # Process Creation
        NewProcessName|endswith:
            - 's7epgtw.exe'  # Siemens TIA Portal Gateway
            - 'rslogix.exe'  # Rockwell Software
    # badge_event is deliberately left undefined: it comes from the PACS data source,
    # which a single Windows logsource cannot express (see the note below the rule)
    timeframe: 1h
    condition: selection_plc_change and not badge_event
fields:
    - SubjectUserName
    - Computer
    - NewProcessName
falsepositives:
    - Remote desktop connections
    - Users who badged in before the 1-hour lookback window
level: high

This rule logic would need to be adapted to your specific SIEM (Splunk, QRadar, Elastic) to query the PACS data source concurrently with the Windows Event Logs.
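A runnable version of the correlation database from section 4 together with the "change without presence" logic behind the Sigma rule above, as an added Python example (not part of the original post). It assumes an extra badge_map table linking badge IDs to AD usernames and a username column in plc_changes, both absent from the original schema, and all rows are constructed sample data.

```python
import sqlite3

# Constructed sample exports (not real PACS/AD data); timestamps are ISO-8601 in one timezone.
BADGE_MAP = [("B-1001", "jsmith"), ("B-1002", "adoe")]  # assumed badge_id -> AD username map
AD_LOGONS = [("2024-03-04T08:02:00", "jsmith", "EWS-01"),
             ("2024-03-04T22:15:00", "adoe", "EWS-02")]  # no badge-in precedes this logon
BADGE_ACCESS = [("2024-03-04T07:58:00", "B-1001", "ControlRoom")]
PLC_CHANGES = [("2024-03-04T08:40:00", "PLC-7", "jsmith", "line1_v12.ap17"),
               ("2024-03-04T22:20:00", "PLC-3", "adoe", "mixer_v3.ap17")]


def build_db():
    """In-memory SQLite: one table per source plus the assumed badge-to-username map."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE badge_map   (badge_id TEXT, username TEXT);
        CREATE TABLE ad_logons   (timestamp TEXT, username TEXT, workstation TEXT);
        CREATE TABLE badge_access(timestamp TEXT, badge_id TEXT, door TEXT);
        CREATE TABLE plc_changes (timestamp TEXT, asset TEXT, username TEXT, file_name TEXT);""")
    db.executemany("INSERT INTO badge_map VALUES (?,?)", BADGE_MAP)
    db.executemany("INSERT INTO ad_logons VALUES (?,?,?)", AD_LOGONS)
    db.executemany("INSERT INTO badge_access VALUES (?,?,?)", BADGE_ACCESS)
    db.executemany("INSERT INTO plc_changes VALUES (?,?,?,?)", PLC_CHANGES)
    return db


def converged_timeline(db, username, badge_window_s=300, plc_window_s=3600):
    """Each logon of `username`, joined via badge_map to a badge-in within +/-badge_window_s
    and to PLC changes within plc_window_s after the logon (strftime('%s') = epoch seconds)."""
    return db.execute("""
        SELECT a.timestamp, a.workstation, b.door, p.asset
        FROM ad_logons a
        LEFT JOIN badge_map m ON m.username = a.username
        LEFT JOIN badge_access b ON b.badge_id = m.badge_id
             AND ABS(strftime('%s', a.timestamp) - strftime('%s', b.timestamp)) <= ?
        LEFT JOIN plc_changes p ON p.username = a.username
             AND strftime('%s', p.timestamp) - strftime('%s', a.timestamp) BETWEEN 0 AND ?
        WHERE a.username = ? ORDER BY a.timestamp""",
        (badge_window_s, plc_window_s, username)).fetchall()


def plc_changes_without_presence(db, lookback_s=3600):
    """The Sigma rule as a query: PLC changes whose user has no badge-in at any door in the
    preceding lookback_s seconds (the 'selection_plc_change and not badge_event' case)."""
    return db.execute("""
        SELECT p.timestamp, p.asset, p.username FROM plc_changes p
        WHERE NOT EXISTS (
            SELECT 1 FROM badge_access b JOIN badge_map m ON m.badge_id = b.badge_id
            WHERE m.username = p.username
              AND strftime('%s', p.timestamp) - strftime('%s', b.timestamp) BETWEEN 0 AND ?)
        ORDER BY p.timestamp""", (lookback_s,)).fetchall()
```

Normalise all three exports to one timezone before import; a PACS controller on local time beside a domain controller on UTC shifts every window by hours and produces false gaps.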

What Undercode Say:

  • Identity is the New Perimeter: In OT, you cannot secure what you cannot see. Fragmented identity is the root cause of most insider threats and account takeovers. Converging IT, OT, and physical identities transforms anonymous alerts into actionable security incidents.
  • Correlation Requires Context: Simply collecting logs is not enough. You must build a unified data model where a badge swipe is treated as a first-class security event, equal to a Windows logon. The technical lift to correlate these is minimal compared to the investigative power it unlocks.

This approach moves OT security from reactive asset monitoring to proactive human-centric auditing. By treating the person as the single point of correlation, you close the blind spot created by disparate systems and finally hold the human accountable for the machine’s actions.

Prediction:

Within the next three years, regulatory bodies in critical infrastructure sectors (energy, water, transport) will mandate “Identity Convergence” as a standard compliance control. We will see the rise of “Identity Fabric” solutions specifically designed for OT, natively integrating badge access with SCADA user roles. Organizations that fail to adopt this converged model will be unable to defend against sophisticated supply chain attacks where a compromised IT credential is used to cause physical consequences, leading to catastrophic failures that cannot be accurately attributed or investigated.

Reported By: Zakharb Primion – Hackers Feeds