OT Detection Use Cases for your OT SOC

When it comes to building an OT SOC, there’s a big misconception: many assume success is about collecting every log or integrating every system. In reality, the key is focusing on operationally meaningful visibility — the detections that actually help you understand what’s happening inside your control network.

In industrial environments, context defines everything. The same Modbus write command could mean two very different things: a maintenance engineer performing a scheduled update — or an attacker changing control logic. Without context, both look identical in your SIEM.

An OT SOC must speak the language of process, assets, and operations, not just alerts. It should tell you when something changes, who initiated it, and whether it threatens safety, reliability, or integrity.

Below are 10 detection use cases I always recommend as a starting point. They’re mapped to MITRE ATT&CK for ICS and NCA OTCC, but more importantly, they’re grounded in what actually happens inside real plants and industrial networks.

1. Unauthorized PLC Programming: Detect logic or configuration changes outside scheduled maintenance windows.
2. ICS Protocol in IT Zone: Flag Modbus, DNP3, or BACnet traffic on IT networks — strong evidence of segmentation drift or misconfiguration.
3. PLC Stop or Mode Change Command: Detect STOP or PROGRAM mode changes — an event that can halt production and indicate malicious control.
4. Remote Access to HMI from Unapproved Source: Identify RDP, VNC, or TeamViewer sessions from IT zones targeting OT HMIs — a common lateral movement path.
5. New Device in Control VLAN: Catch unauthorized or rogue devices joining deterministic control networks where new assets should rarely appear.
6. PLC Firmware Downgrade or Version Change: Detect unauthorized firmware rollbacks — a subtle but serious method of tampering or hiding malicious code.
7. OPC UA Anonymous Session: Identify untrusted or anonymous OPC UA sessions that bypass normal authentication or encryption.
8. Engineering Software on Non-Engineering Host: Detect the execution of TIA Portal, Control Builder, or similar tools on unauthorized systems — often a sign of credential misuse or insider activity.
9. PLC Configuration Upload: Monitor FTP/TFTP uploads to PLCs — an activity that could replace control logic or inject malicious configuration.
10. Abnormal HMI Behavior: Spot rapid screen changes, tag edits, or command spamming from operators — signs of misuse, automation, or compromise.

These aren’t just security detections — they’re process integrity safeguards. Each one gives the SOC visibility into the exact actions adversaries use during real OT incidents — often before physical impact occurs.

When combined with contextual data (authorized engineers, maintenance schedules, device baselines) and network telemetry, these detections evolve from simple alerts into actionable operational intelligence.

#OTSOC #OTsecurity #ICSsecurity
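As an added example (not code from the post or its author), here is one way the context-driven logic behind use cases 1 through 5 can be expressed as rules in Python. The event schema, the context tables (control VLAN, IT zone, HMI list, authorized engineering workstations, approved jump host, device baseline, maintenance window) and the sample telemetry are all constructed assumptions; a real SOC would populate them from its asset inventory and change-management system. What it makes concrete is the point about context: the same Modbus write is benign from an authorized workstation inside the maintenance window and an alert outside it.

```python
"""Context-aware rule logic for use cases UC1-UC5 of the post above.

Added example, not code from the original post. The event schema, the
context tables and the sample events are constructed for illustration;
a real SOC would feed these from its CMDB, change management system and
network sensors.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional, Tuple
import ipaddress

# --- Constructed operational context (assumption: maintained by the SOC) ---
CONTROL_VLANS = [ipaddress.ip_network("10.10.0.0/24")]      # deterministic control network
IT_ZONES = [ipaddress.ip_network("192.168.0.0/16")]          # enterprise IT address space
HMI_HOSTS = {"10.10.0.50"}                                   # operator HMIs
AUTHORIZED_ENGINEERING = {"10.10.0.200"}                     # approved engineering workstations
APPROVED_REMOTE_SOURCES = {"10.10.0.201"}                    # jump host allowed to reach HMIs
KNOWN_DEVICES = {"10.10.0.10", "10.10.0.50", "10.10.0.200", "10.10.0.201"}  # asset baseline
MAINTENANCE_WINDOWS = [(time(2, 0), time(4, 0))]             # 02:00-04:00 daily change window

ICS_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 47808: "BACnet/IP"}
REMOTE_ACCESS_PORTS = {3389: "RDP", 5900: "VNC"}
MODBUS_WRITE_FUNCS = {5, 6, 15, 16}  # write coil(s) / register(s): logic or config changes


@dataclass
class Event:
    """One normalised network/ICS telemetry record (hypothetical schema)."""
    ts: datetime
    src: str
    dst: str
    dport: int
    modbus_func: Optional[int] = None   # Modbus function code, if the sensor decoded it
    plc_command: Optional[str] = None   # e.g. "STOP", "RUN", "PROGRAM" from a protocol decoder


def in_any(ip: str, nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def in_maintenance_window(ts: datetime) -> bool:
    t = ts.time()
    return any(start <= t <= end for start, end in MAINTENANCE_WINDOWS)


def detect(events: List[Event]) -> List[Tuple[str, str, str]]:
    """Return (rule_id, timestamp, detail) alerts; the context decides what is suspicious."""
    known = set(KNOWN_DEVICES)  # copy so the baseline itself is not mutated
    alerts = []
    for e in events:
        # UC5: a device not in the baseline appears in the control VLAN (alert once per device)
        for ip in (e.src, e.dst):
            if in_any(ip, CONTROL_VLANS) and ip not in known:
                known.add(ip)
                alerts.append(("UC5", e.ts.isoformat(), f"new device {ip} in control VLAN"))
        # UC2: ICS protocol seen to or from the IT zone (segmentation drift)
        if e.dport in ICS_PORTS and (in_any(e.src, IT_ZONES) or in_any(e.dst, IT_ZONES)):
            alerts.append(("UC2", e.ts.isoformat(), f"{ICS_PORTS[e.dport]} {e.src}->{e.dst} crosses IT zone"))
        # UC1: Modbus write outside the change window or from a non-engineering host
        if e.dport == 502 and e.modbus_func in MODBUS_WRITE_FUNCS:
            if e.src not in AUTHORIZED_ENGINEERING or not in_maintenance_window(e.ts):
                alerts.append(("UC1", e.ts.isoformat(), f"Modbus func {e.modbus_func} write {e.src}->{e.dst}"))
        # UC3: STOP / PROGRAM mode change is always worth an alert
        if e.plc_command in {"STOP", "PROGRAM"}:
            alerts.append(("UC3", e.ts.isoformat(), f"PLC {e.plc_command} {e.src}->{e.dst}"))
        # UC4: remote desktop to an HMI from anything but the approved jump host
        if e.dst in HMI_HOSTS and e.dport in REMOTE_ACCESS_PORTS and e.src not in APPROVED_REMOTE_SOURCES:
            alerts.append(("UC4", e.ts.isoformat(), f"{REMOTE_ACCESS_PORTS[e.dport]} to HMI {e.dst} from {e.src}"))
    return alerts


# --- Constructed sample telemetry: one benign scheduled change and four suspicious events ---
SAMPLE_EVENTS = [
    Event(datetime(2024, 5, 1, 3, 0), "10.10.0.200", "10.10.0.10", 502, modbus_func=16),     # scheduled write: benign
    Event(datetime(2024, 5, 1, 14, 30), "10.10.0.200", "10.10.0.10", 502, modbus_func=16),   # same write, outside window
    Event(datetime(2024, 5, 1, 14, 31), "192.168.5.20", "10.10.0.10", 502, modbus_func=3),   # Modbus read from IT zone
    Event(datetime(2024, 5, 1, 14, 32), "192.168.5.20", "10.10.0.50", 3389),                 # RDP to HMI from IT zone
    Event(datetime(2024, 5, 1, 14, 33), "10.10.0.77", "10.10.0.10", 502, plc_command="STOP"),  # unknown host stops PLC
]

if __name__ == "__main__":
    for rule, ts, detail in detect(SAMPLE_EVENTS):
        print(rule, ts, detail)
```

Run as a script it prints five alerts for the last four sample events and nothing for the first, because the first write comes from the approved engineering workstation inside the change window. In a SIEM the same structure maps to correlation rules with the context tables held as lookup lists; the rule bodies stay simple because the hard part, knowing which hosts, windows and devices are legitimate, lives in the context rather than in the rule.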
Thanks
Thanks Mohamed for sharing. Would request if you can share the SIEM use case logic as well for these detections; that would be great.
Thanks for sharing
Finally some good OT Security content on LinkedIN. Thanks for sharing!
Thanks for sharing Mohamed Atta . Amazing cases!
Thanks Mohamed Atta 👍🏻
Thanks a lot Mohamed Atta and Zakhar Bernhardt OT SECURITY PROFESSIONALS (OTSecPro) please note
Good advice!
OT/ICS Security Passionate - CVO @ Soterics - Making a brighter future in OT/ICS Security - Entrepreneur
Finally some good advice, you hit the nail on the head. I've heard and seen already too much IT SOC providers making bold statements about their OT SOC capabilities, where in reality they don't have the knowledge and don't know how to react on alerts. "The definition of a Black Hole has changed for me": OT data in, nothing comes out. It's indeed not about having tons of logs; the first important thing is understanding the type of business and type of assets you have in front of you. Once you have a mature OT SOC, you can start focusing on proper responding, where we face the next challenge .... 😉