The process of recording activities happening on an IT system, including OT systems operated via IT. Monitoring and logging typically takes place at the network level, where packets sent over TCP/IP are captured at the network edges, in the controlling devices (routers and gateways), or by an in-line device such as a firewall, IDS (intrusion detection system) or IPS (intrusion prevention system). A network capture typically records the origin and destination IP addresses, the application or service (identified by protocol and port), and the contents. Part of the traffic may be encrypted, in which case only the metadata, not the payload, is available for inspection.
Network traffic can also be captured through a monitoring (mirror or SPAN) port on a network device, which copies the traffic of selected ports to a sensor; what is actually recorded is then determined by the logging rules configured on that sensor. During the monitoring phase this near real-time data can be evaluated and analyzed. Patterns in the traffic can be detected that help to understand how malicious software (such as ransomware) arrives inside the organization, or how confidential data might leave it.
Logging also happens at device level, making it possible to identify the activities taking place on the device: the types of applications being used and the identities of the people accessing it. This allows a transaction to be tied to a specific user and improves the detection of data manipulation or data theft. With machine learning techniques some behavioral precursors on a network can be detected before the actual theft or abuse takes place. On the basis of patterns and pattern recognition, actions and events typically used by criminals can be detected and signal that an incident is taking place.
By using similar data from outside the organization, incidents happening in other locations, factories and companies can be recorded and the corresponding patterns (signatures, or indicators of compromise) shared amongst trusted partners. This allows for preventive rules inside intrusion prevention systems, which can then block the IP addresses, users and applications involved.
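The three preceding paragraphs describe pattern detection over captured traffic, device-level login logs, and indicators shared by partners. The following is an added example, not code from the original text: it parses constructed flow and authentication log lines (all hosts, addresses and timestamps are invented), flags a possible exfiltration (one internal host sending a large volume to one external address), flags a brute-force login (a run of failures followed by success), matches destinations against a constructed partner IOC list, and derives the destination list an IPS would block. The log formats, thresholds and the 10.0.0.0/8 internal range are assumptions for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample logs (invented hosts, addresses and times), one record per line.
FLOW_LOG = """\
2024-03-01T08:00:01 10.0.5.12 -> 10.0.5.20 tcp/445 bytes=120000
2024-03-01T08:00:07 10.0.5.12 -> 10.0.5.20 tcp/445 bytes=98000
2024-03-01T08:01:15 10.0.5.33 -> 198.51.100.7 tcp/443 bytes=1500
2024-03-01T08:02:40 10.0.5.12 -> 203.0.113.9 tcp/443 bytes=45000000
2024-03-01T08:03:02 10.0.5.12 -> 203.0.113.9 tcp/443 bytes=61000000
2024-03-01T08:03:10 10.0.5.50 -> 192.0.2.14 tcp/8443 bytes=800
"""

AUTH_LOG = """\
2024-03-01T07:58:01 host=plc-gw-01 user=operator result=FAIL src=10.0.5.12
2024-03-01T07:58:04 host=plc-gw-01 user=operator result=FAIL src=10.0.5.12
2024-03-01T07:58:06 host=plc-gw-01 user=operator result=FAIL src=10.0.5.12
2024-03-01T07:58:09 host=plc-gw-01 user=operator result=FAIL src=10.0.5.12
2024-03-01T07:58:12 host=plc-gw-01 user=operator result=FAIL src=10.0.5.12
2024-03-01T07:58:30 host=plc-gw-01 user=operator result=OK src=10.0.5.12
2024-03-01T08:10:00 host=mes-app-02 user=jsmith result=OK src=10.0.5.33
"""

# Indicators shared by trusted partners (constructed): destinations seen in incidents elsewhere.
SHARED_IOCS = {"192.0.2.14"}

# Assumed internal address space for the example.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

FLOW_RE = re.compile(r"^(\S+) (\S+) -> (\S+) (\w+)/(\d+) bytes=(\d+)$")
AUTH_RE = re.compile(r"^(\S+) host=(\S+) user=(\S+) result=(\w+) src=(\S+)$")


def parse_flows(text):
    """Parse flow records; lines that do not match the assumed format are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if m:
            ts, src, dst, proto, port, nbytes = m.groups()
            flows.append({"ts": ts, "src": src, "dst": dst, "proto": proto,
                          "port": int(port), "bytes": int(nbytes)})
    return flows


def parse_auth(text):
    """Parse device login records in the assumed key=value format."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts, host, user, result, src = m.groups()
            events.append({"ts": ts, "host": host, "user": user,
                           "result": result, "src": src})
    return events


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def detect_exfiltration(flows, threshold_bytes=50_000_000):
    """Flag (src, dst) pairs where an internal host sent more than threshold_bytes outside."""
    totals = defaultdict(int)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            totals[(f["src"], f["dst"])] += f["bytes"]
    return {pair: total for pair, total in totals.items() if total > threshold_bytes}


def detect_bruteforce(events, max_failures=4):
    """Flag (src, host, user, n) where n > max_failures consecutive FAILs preceded an OK."""
    streak = defaultdict(int)
    hits = []
    for e in events:
        key = (e["src"], e["host"], e["user"])
        if e["result"] == "FAIL":
            streak[key] += 1
        else:
            if streak[key] > max_failures:
                hits.append(key + (streak[key],))
            streak[key] = 0
    return hits


def match_iocs(flows, iocs):
    """Map each shared indicator that was contacted to the internal sources that contacted it."""
    hits = defaultdict(set)
    for f in flows:
        if f["dst"] in iocs:
            hits[f["dst"]].add(f["src"])
    return dict(hits)


def build_blocklist(flows, iocs, threshold_bytes=50_000_000):
    """Destinations an IPS rule should block: contacted IOCs plus exfiltration targets."""
    block = set(match_iocs(flows, iocs))
    block |= {dst for (_, dst) in detect_exfiltration(flows, threshold_bytes)}
    return sorted(block)


if __name__ == "__main__":
    flows, auth = parse_flows(FLOW_LOG), parse_auth(AUTH_LOG)
    print("exfiltration:", detect_exfiltration(flows))
    print("brute force:", detect_bruteforce(auth))
    print("ioc hits:", match_iocs(flows, SHARED_IOCS))
    print("block:", build_blocklist(flows, SHARED_IOCS))
```

The volume threshold and failure count are deliberately simple; in practice they are tuned per network segment, and an IPS rule derived this way should be reviewed before it blocks a partner or supplier address that merely appeared in a large transfer.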
Finally, monitoring and logging are important for forensics. Once an incident has happened, the recorded sessions make it possible to reconstruct what exactly happened, collect evidence and derive future preventive actions. This requires that logs are kept for a sufficient retention period, with synchronized timestamps, in a central store that an intruder on the compromised device cannot alter.
In Digital Manufacturing Platforms a logging facility should be enabled that records the manipulations and transactions that have happened inside the platform itself, together with the access and identity of the persons who have been controlling the platform. Such an audit trail should be append-only and protected against modification by the very users whose actions it records.
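As an added illustration of the audit trail the preceding paragraph calls for (example code, not from the original text or any particular platform): a minimal append-only audit log that records who did what to which object, with what outcome, and chains each record to the previous one with a SHA-256 hash so that a later alteration or deletion is detectable during forensic review. The hash chaining is an added practice, not something the text specifies; the record fields, users, recipe names and timestamps are constructed for the example.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value for the first record


def record_hash(prev_hash, record):
    # Canonical JSON (sorted keys, no whitespace) so the same record always hashes identically.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class AuditLog:
    def __init__(self):
        self.entries = []

    def append(self, ts, actor, action, target, outcome, **details):
        """Record one platform event; the stored hash covers the record and its predecessor."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        record = {"ts": ts, "actor": actor, "action": action,
                  "target": target, "outcome": outcome, "details": details}
        entry = {"record": record, "prev": prev, "hash": record_hash(prev, record)}
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Recompute the chain; return (True, None) or (False, index of the first bad entry)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or record_hash(prev, e["record"]) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, None


def build_sample_log():
    # Constructed events: a login, a recipe change, and a denied change by another user.
    log = AuditLog()
    log.append("2024-03-01T09:00:00Z", "jsmith", "login", "platform", "OK",
               src="10.0.5.33", mfa=True)
    log.append("2024-03-01T09:05:12Z", "jsmith", "update", "recipe/line3/batch-42", "OK",
               field="setpoint_temp", old=180, new=185)
    log.append("2024-03-01T09:06:30Z", "contractor7", "update", "recipe/line3/batch-42",
               "DENIED", reason="no write role")
    return log


def actions_by(log, actor):
    """The forensic question 'what did this identity do?' answered from the trail."""
    return [e["record"]["action"] for e in log.entries if e["record"]["actor"] == actor]


def tampered_copy(log):
    """Simulate an insider editing a stored record in place to hide the setpoint change."""
    bad = copy.deepcopy(log)
    bad.entries[1]["record"]["details"]["new"] = 180
    return bad


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", log.verify())
    print("tampered:", tampered_copy(log).verify())
    print("jsmith did:", actions_by(log, "jsmith"))
```

The chain only detects changes made after the fact; it does not stop a platform administrator from rewriting and re-hashing the whole log. For that, the tail hash (or the entries themselves) must be forwarded to a store the platform's own users cannot write to, which is the central-store point made under forensics above.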
Penetration Testing (Pentesting) is a term used by cybersecurity practitioners to describe the process of diligently assessing potential vulnerabilities in the information security infrastructure, including, in the case of manufacturing and industrial environments, the operational technology infrastructure. It typically uses a series of tools to automate the process, combined with the expert's experience of known tricks and vulnerabilities. The goal of the pentester is to find, demonstrate and report the weaknesses; vulnerabilities are exploited only as far as the agreed scope and rules of engagement allow, without damaging equipment, manipulating or stealing data, or leaving exploitable software behind. In that sense it is also referred to as ethical hacking. In OT environments even a simple port scan can disturb fragile controllers, so testing of production systems must be planned together with the plant operators.

Pentesting is the ultimate means to demonstrate the capabilities of the security infrastructure, as well as the way to identify its shortcomings up front. A pentesting report allows security managers to support their activities by indicating risks, threats and vulnerabilities, and the need for a risk management process. Companies with a higher level of maturity organize a systematic approach, with pentesting taking place periodically or following specific changes inside the infrastructure. This can also take the form of exercises in which a red team (the attackers) plays against the defenders (the blue team), both drawing on their pentesting experience.

With a Responsible Disclosure policy, organizations and individuals can call upon the community of ethical hackers (white hats) to help identify vulnerabilities; these are reported, sometimes in return for a reward (a bug bounty). Large hacking contests can be organized to test complete platforms. When vulnerabilities are found in technologies, including platforms that are sold commercially, they are published as CVE entries, usually after a coordinated disclosure period that gives the vendor time to provide a fix; disclosure policies commonly use 90 days, although the period varies.
For Digital Manufacturing Platforms, pentesting should also address the platform itself, both by testing the software and by testing the platform once deployed in its operational environment, since it uses web and internet technologies that make it susceptible to exploitation.
Cyber incident response capability refers to the means an organization has to cope with a cyber incident. It is usually organized in a dedicated CSIRT (Computer Security Incident Response Team) or CERT (Computer Emergency Response Team) that has developed procedures for dealing with incidents (leakages, break-ins, attacks, ...) detected in the organization and for taking the necessary measures to mitigate, prevent and respond. This dedicated team should be empowered to take control in order to prevent additional loss and to fight an attack as it happens. That means it needs a good understanding of the infrastructure and the necessary means to deflect attacks, increase security, limit access and collect forensic evidence during an incident. It should be in direct contact and interaction with the crisis management team. During normal operations it supports the organization's Security Operations Center (SOC) team, onsite or remotely, in coping with day-to-day alarms, investigating their threat levels and handling the investigation of minor incidents.