SIEM Use Cases For OT Operational Technology 1741650822

The document outlines various use cases for Security Information and Event Management (SIEM) in Operational Technology (OT), detailing scenarios such as unauthorized access, network security breaches, malware detection, and insider threats. Each use case includes a scenario example, log analysis, investigation steps, risk assessment, and recommended mitigation actions. The comprehensive list serves as a guide for enhancing cybersecurity measures in industrial environments.

SIEM USE CASES FOR OT (OPERATIONAL TECHNOLOGY) WITH SCENARIO EXAMPLE AND SIMULATION

BY IZZMIER IZZUDDIN
LIST OF OT-SIEM USE CASES

1. ACCESS CONTROL & AUTHENTICATION IN OT

1. Unauthorised Access to SCADA, PLC or DCS
2. Multiple Failed Login Attempts on OT Systems
3. Login from an Unusual Location or Device in OT Network
4. Privileged User Logging into OT Devices Outside Working Hours
5. Unexpected Remote Access to Industrial Systems (VPN, RDP, SSH, TeamViewer)
6. Simultaneous Logins from Different Locations (Impossible Travel in OT)
7. Attempted Use of Default or Hardcoded Credentials in OT Devices

2. NETWORK SECURITY & ANOMALY DETECTION IN OT

8. Unusual Traffic from IT to OT Network (IT-OT Convergence Breach)
9. Unauthorised Device Connecting to the OT Network
10. Lateral Movement in OT Environment (Attacker Moving Across OT Systems)
11. Unusual Increase in Network Traffic to SCADA/ICS Controllers
12. Communication with External IPs from OT Devices (Potential Malware Activity)
13. Unusual Use of Non-Standard Ports in OT Network
14. Unexpected Protocol Usage in OT (Example: HTTP on ICS/SCADA Systems)
15. Communication with Known Malicious IPs or Threat Intelligence Indicators
16. Detection of Port Scanning and Reconnaissance on OT Assets
17. New or Unauthorised Services Running on OT Devices

3. MALWARE & THREAT DETECTION IN OT SYSTEMS

18. Malware Infection Detected on an Industrial Workstation (HMI, SCADA Server)
19. Indicators of Ransomware on OT Networks (Mass File Encryption)
20. Execution of Known Malicious Scripts (PowerShell, Python, EXE)
21. Multiple Antivirus Alerts on Critical OT Devices
22. Unauthorised Changes to Firmware on PLCs, RTUs or ICS Devices
23. Suspicious File Transfers to or from an OT System
24. Unusual Increase in Failed Process Execution on OT Systems
25. Detection of Fileless Malware in an OT Environment
26. Execution of Unauthorised Software on an OT Workstation

4. INSIDER THREAT & DATA LOSS PREVENTION (DLP) IN OT

27. Unauthorised Access to Critical Industrial Control Systems
28. Unusual Data Transfer from OT Network to External Storage
29. Massive File Downloads from Industrial Servers
30. Attempted Modification of Critical OT Configurations
31. Suspicious User Behavior in an Industrial Environment
32. Abnormal Privilege Escalation on OT Accounts
33. OT System Configuration Changes Outside Maintenance Window
34. Detection of New or Unapproved USB Device on an OT System

5. INDUSTRIAL PROTOCOL MONITORING & INTEGRITY CHECKS

35. Unauthorised Modbus, DNP3 or OPC Communication Attempts
36. Unexpected PLC/RTU Commands (Start/Stop/Change Setpoints)
37. Unauthorised Firmware Upload to Industrial Controllers
38. Unusual HMI Configuration Changes
39. Repeated Failed Attempts to Read/Write Industrial Control Registers
40. Unexpected Changes in Process Values from Sensor Data
41. Data Tampering on Industrial Control System Logs
42. Unauthorised Software or Patch Installation on SCADA Systems

6. COMPLIANCE & REGULATORY MONITORING FOR OT (NIST, IEC 62443, NERC CIP, ETC.)

43. Violation of Change Management Policy in OT Environment
44. Unapproved Configuration Changes on Critical ICS Systems
45. Detection of Unauthorised User Activity on OT Components
46. Failure to Apply Critical Security Patches in OT Environment
47. Log Deletion or Tampering Detected in OT SIEM Logs
48. Access to Industrial Control Data Without Authorisation
49. Unauthorised Access to OT Logs and Historical Data
50. Excessive Failed Authentication Attempts on Critical OT Devices

7. INCIDENT RESPONSE & FORENSICS FOR OT CYBERSECURITY

51. Detection of Multiple Security Alerts Originating from the Same OT Host
52. Automatic Isolation of Compromised OT Devices Based on SIEM Alerting
53. Tracking of Suspicious Activities Across IT and OT Networks
54. Forensic Analysis of Logs to Identify Root Cause of Industrial Incidents
55. Unusual Restart or Shutdown of Critical OT Systems
56. Unauthorised Modification or Deletion of Historical Process Data
57. Correlating Multiple Anomalous Events for Threat Hunting in OT
58. Detection of OT System Restart Following Suspicious Changes
59. Unusual Backup or Restore Activity on OT Infrastructure
60. Tracking Malicious Indicators in Historical OT Logs

8. OPERATIONAL SECURITY & AVAILABILITY IN OT NETWORKS

61. High CPU/Memory Usage on SCADA, PLC or HMI Devices
62. Unexpected System Downtime or Service Disruption
63. Loss of Connectivity Between Critical OT Systems
64. Sudden Increase in Bandwidth Consumption on Industrial Network
65. Detection of Repeated OT Device Failures
66. Loss of Telemetry Data from Remote Industrial Sites
67. Unauthorised Changes in Redundant OT Systems or Failover Configurations
68. Monitoring for Unusual Equipment Failures Linked to Cyber Events
69. Unusual Load Changes or Power Consumption in OT Environment
70. Detection of Unauthorised Changes to Industrial Safety Systems

9. INTEGRATION OF THREAT INTELLIGENCE & THREAT HUNTING IN OT

71. Detection of Known Bad IPs or Indicators of Compromise (IoCs) in OT Traffic
72. Unusual Communication Patterns from OT Systems to External Networks
73. Detection of Advanced Persistent Threats (APTs) Targeting OT Environments
74. Monitoring of Newly Discovered Vulnerabilities in OT Devices
75. Tracking Anomalous Event Chains That Indicate Early-Stage Cyber Attacks

10. ZERO TRUST & NETWORK SEGMENTATION IN OT

76. Detection of Unauthorised Lateral Movement Between OT Zones
77. Blocking Unapproved IT-to-OT Communications
78. Unauthorised VLAN Hopping in OT Networks
79. Misconfigured Firewall or Network Access Control (NAC) in OT Environment
80. Unauthorised Wireless Access Point in an OT Facility

SCENARIO EXAMPLE AND SIMULATION
USE CASE 1: UNAUTHORISED REMOTE ACCESS TO SCADA SYSTEM

Scenario: A threat actor attempts to gain access to the SCADA system via RDP (Remote
Desktop Protocol) from an external IP.

Analysis of the Simulated OT Cybersecurity Alert

1. Alert Summary

• Use Case: Unauthorised Remote Access to SCADA System
• Threat Detected: An external IP attempted multiple failed logins to a SCADA server via RDP. After six attempts, the login was successful. Shortly after, a PLC configuration change was detected within the SCADA network.
• Impact: Potential unauthorised access leading to industrial process manipulation.

2. Log Analysis

| Timestamp | Source IP | Destination IP | Protocol | Event | Device | Location |
|---|---|---|---|---|---|---|
| 2025-03-04 08:56:12 | 203.0.113.45 | 192.168.1.10 | RDP | Failed Login Attempt (5x) | SCADA Server | External Network |
| 2025-03-04 08:56:12 | 203.0.113.45 | 192.168.1.10 | RDP | Successful Login (6th attempt) | SCADA Server | External Network |
| 2025-03-04 08:56:12 | 192.168.1.10 | 10.0.0.5 | Modbus | PLC Configuration Change | Industrial PLC | SCADA Network |

3. Investigation Steps

Step 1: Validate the Source IP (203.0.113.45)

• This IP belongs to an external network and should not have access to the SCADA
environment.
• Check whether this IP has been seen in previous attack attempts.

Step 2: Identify Login Behavior

• The username “operator_admin” was used in multiple failed attempts before succeeding.
• Possible brute-force attack or compromised credentials.

Step 3: Review Privileged Actions After Login

• Shortly after the login, an unauthorised PLC configuration change was detected.
• The Modbus protocol is used for controlling industrial equipment, suggesting possible sabotage.

4. Risk Assessment

• Threat Level: High
• Impact: Unauthorised access to critical industrial systems could lead to physical damage or operational disruption.

5. Recommended Mitigation Actions

• Immediate Actions:
o Disconnect and isolate the affected SCADA server.
o Revoke the compromised user credentials.
o Analyse the PLC for unauthorised changes and roll back configurations if
needed.
• Long-Term Actions:
o Implement network segmentation to block unauthorised external access.
o Enforce multi-factor authentication (MFA) for SCADA logins.
o Monitor and alert for brute-force login attempts in SIEM.
o Conduct a forensic investigation to determine how credentials were
compromised.
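The chain the investigation reconstructs (a burst of RDP failures, a success from the same external address, then a Modbus configuration change issued by the freshly logged-in host) is exactly what a multi-stage SIEM correlation rule should encode, rather than three independent alerts. The following is an added example, not code from the original document or its author; the log lines, field layout, event names and the internal address ranges are constructed for the example and would need to be mapped to a real SIEM's schema.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample events modelled on the use-case table above; not output from a real SIEM.
# Field order: timestamp | source_ip | destination_ip | protocol | event | user
SAMPLE_LOGS = """\
2025-03-04 08:50:01 | 203.0.113.45 | 192.168.1.10 | RDP | LOGIN_FAILED | operator_admin
2025-03-04 08:50:09 | 203.0.113.45 | 192.168.1.10 | RDP | LOGIN_FAILED | operator_admin
2025-03-04 08:50:17 | 203.0.113.45 | 192.168.1.10 | RDP | LOGIN_FAILED | operator_admin
2025-03-04 08:50:25 | 203.0.113.45 | 192.168.1.10 | RDP | LOGIN_FAILED | operator_admin
2025-03-04 08:50:33 | 203.0.113.45 | 192.168.1.10 | RDP | LOGIN_FAILED | operator_admin
2025-03-04 08:50:41 | 203.0.113.45 | 192.168.1.10 | RDP | LOGIN_SUCCESS | operator_admin
2025-03-04 08:56:12 | 192.168.1.10 | 10.0.0.5 | Modbus | PLC_CONFIG_CHANGE | operator_admin
2025-03-04 08:58:00 | 192.168.1.20 | 192.168.1.10 | RDP | LOGIN_SUCCESS | maint_user
"""

# Assumed site address plan: anything outside these ranges is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Event names (constructed) that represent control actions against OT equipment.
OT_CONTROL_EVENTS = {"PLC_CONFIG_CHANGE", "PLC_STOP_COMMAND", "SETPOINT_WRITE"}


def parse_logs(text):
    """Turn the pipe-delimited sample lines into dicts with real timestamps, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, src, dst, proto, event, user = [f.strip() for f in line.split("|")]
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "src": src, "dst": dst, "proto": proto, "event": event, "user": user})
    return sorted(events, key=lambda e: e["ts"])


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def correlate(events, fail_threshold=5, fail_window=timedelta(minutes=10),
              followup_window=timedelta(minutes=15)):
    """Three-stage rule: repeated failures -> success -> control action from the logged-in host."""
    alerts = []
    for i, ev in enumerate(events):
        if ev["event"] != "LOGIN_SUCCESS":
            continue
        # Stage 1: failures for the same source, target and account shortly before the success
        fails = [e for e in events[:i]
                 if e["event"] == "LOGIN_FAILED"
                 and (e["src"], e["dst"], e["user"]) == (ev["src"], ev["dst"], ev["user"])
                 and ev["ts"] - e["ts"] <= fail_window]
        if len(fails) < fail_threshold:
            continue
        # Stage 2: a success after a burst of failures is worse when it comes from outside the plant
        severity = "high" if is_external(ev["src"]) else "medium"
        # Stage 3: the host that was just logged into then issues a control action towards a PLC
        followups = [e for e in events[i + 1:]
                     if e["src"] == ev["dst"] and e["event"] in OT_CONTROL_EVENTS
                     and e["ts"] - ev["ts"] <= followup_window]
        if followups:
            severity = "critical"
        alerts.append({"severity": severity, "source_ip": ev["src"], "target": ev["dst"],
                       "user": ev["user"], "failed_attempts": len(fails),
                       "login_time": ev["ts"], "control_actions": [f["event"] for f in followups]})
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_logs(SAMPLE_LOGS)):
        print(alert)
```

On the sample data the rule raises a single critical alert for 203.0.113.45 (five failures, then success, then `PLC_CONFIG_CHANGE` from the SCADA server within the follow-up window) and stays silent for the maintenance login that had no failures before it. The explicit `INTERNAL_NETS` list is deliberate: Python's `ipaddress` classifies the 203.0.113.0/24 documentation range as non-global, so relying on `is_global` or `is_private` would mislabel the scenario's attacker address.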
USE CASE 2: UNUSUAL DATA EXFILTRATION FROM ICS NETWORK

Scenario: A potential insider threat or malware is exfiltrating a large amount of data from
an Industrial Control System (ICS) network to an unknown external server.

Analysis of the Simulated OT Cybersecurity Alert

1. Alert Summary

• Use Case: Unusual Data Exfiltration from ICS Network
• Threat Detected: A SCADA workstation transferred a large file (5GB) to an external IP via HTTPS.
• Impact: Potential data leakage of sensitive industrial control data or proprietary information.

2. Log Analysis

| Timestamp | Source IP | Destination IP | Protocol | Event | File Size | Device | Location |
|---|---|---|---|---|---|---|---|
| 2025-03-04 08:57:15 | 10.0.0.10 | 192.168.1.100 | SMB | Large File Transfer Detected (Internal) | 5GB | SCADA Workstation | ICS Network |
| 2025-03-04 08:57:15 | 192.168.1.100 | 203.0.113.100 | HTTPS | Unusual Data Transfer to External IP | 5GB | SCADA Workstation | ICS Network to External |
| 2025-03-04 08:57:15 | 203.0.113.100 | Unknown | N/A | Data Exfiltration Confirmed | 5GB | External Server | Unknown |

3. Investigation Steps

Step 1: Validate the Source of Data Transfer

• The SCADA workstation (192.168.1.100) sent a large file over SMB (port 445) internally.
• Shortly after, the same file was transmitted over HTTPS (port 443) to an unknown external IP (203.0.113.100).

Step 2: Identify the User Responsible

• The transfer was performed by engineer01.
• Check logs for any unauthorised login activity or privilege escalation on this account.

Step 3: Review External IP Destination

• The external IP (203.0.113.100) does not belong to a known business partner.
• Conduct an OSINT lookup to determine if this IP is associated with threat actors, C2 servers or cloud storage services.

4. Risk Assessment

• Threat Level: Critical
• Impact:
o Potential intellectual property theft.
o Possible compromise of industrial control system (ICS) configurations.
o Could indicate insider threat or malware infection (data-stealing Trojan).

5. Recommended Mitigation Actions

• Immediate Actions:
o Block the external IP (203.0.113.100) at the firewall.
o Disable the user account (engineer01) and initiate an access review.
o Investigate the SCADA workstation (192.168.1.100) for malware or
unauthorised software.
o Notify incident response teams to prevent further data loss.
• Long-Term Actions:
o Implement DLP (Data Loss Prevention) controls to detect and block large file
transfers from ICS.
o Enforce network segmentation to prevent unauthorised internet access from
SCADA systems.
o Audit privileged accounts and enforce least privilege access.
o Deploy anomaly detection in SIEM to flag unusual data movements.
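The investigation steps above amount to two checks a SIEM can run automatically: a volume threshold on outbound traffic to destinations that are neither internal nor on the partner allowlist, and a "staging" check that looks for a comparable internal transfer (SMB here) onto the same host shortly before the data left. The block below is an added example, not code from the original document; the flow records, the 1 GiB threshold, the one-hour window and the partner address are constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow summaries modelled on the use-case table; not real traffic records.
# Field order: timestamp | src_ip | dst_ip | protocol | bytes | user
SAMPLE_FLOWS = """\
2025-03-04 08:40:15 | 10.0.0.10 | 192.168.1.100 | SMB | 5368709120 | engineer01
2025-03-04 08:57:15 | 192.168.1.100 | 203.0.113.100 | HTTPS | 5368709120 | engineer01
2025-03-04 08:58:00 | 192.168.1.100 | 198.51.100.7 | HTTPS | 20480 | engineer01
2025-03-04 09:05:00 | 192.168.1.101 | 198.51.100.7 | HTTPS | 734003200 | engineer02
"""

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APPROVED_EXTERNAL = {"198.51.100.7"}          # assumed business-partner endpoint
STAGING_PROTOCOLS = {"SMB", "FTP", "SFTP"}    # internal transfers that can stage data on a host
BYTES_THRESHOLD = 1 * 1024 ** 3               # 1 GiB per source/destination pair; site-specific tuning
WINDOW = timedelta(hours=1)


def parse_flows(text):
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, proto, nbytes, user = [f.strip() for f in line.split("|")]
        flows.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "src": src, "dst": dst,
                      "proto": proto, "bytes": int(nbytes), "user": user})
    return sorted(flows, key=lambda f: f["ts"])


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect_exfiltration(flows, threshold=BYTES_THRESHOLD, window=WINDOW):
    """Flag large outbound volume to unapproved external hosts and note whether it was staged internally."""
    alerts = []
    outbound = defaultdict(list)   # (src, dst) -> flows to an unapproved external destination
    for f in flows:
        if is_external(f["dst"]) and f["dst"] not in APPROVED_EXTERNAL:
            outbound[(f["src"], f["dst"])].append(f)
    for (src, dst), rows in outbound.items():
        # Sliding window over the pair's flows: sum the bytes inside the window ending at each flow
        for i, last in enumerate(rows):
            in_window = [r for r in rows[:i + 1] if last["ts"] - r["ts"] <= window]
            total = sum(r["bytes"] for r in in_window)
            if total < threshold:
                continue
            # Staging check: did a comparable internal transfer land on src just before the data left?
            staged = any(s["dst"] == src and s["proto"] in STAGING_PROTOCOLS
                         and 0 <= (last["ts"] - s["ts"]).total_seconds() <= window.total_seconds()
                         and s["bytes"] >= 0.8 * total
                         for s in flows)
            alerts.append({"severity": "critical" if staged else "high", "src": src, "dst": dst,
                           "bytes": total, "staged": staged,
                           "users": sorted({r["user"] for r in in_window})})
            break   # one alert per pair; later flows in the same burst would only repeat it
    return alerts


if __name__ == "__main__":
    for alert in detect_exfiltration(parse_flows(SAMPLE_FLOWS)):
        print(alert)
```

With the sample flows only the 5 GB HTTPS transfer from 192.168.1.100 to 203.0.113.100 fires, and it is marked critical because the SMB copy onto that workstation 17 minutes earlier matches the staging pattern; the two transfers to the partner address are ignored even though one of them is large, which is the point of maintaining an explicit allowlist rather than alerting on every external destination.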
USE CASE 3: UNAUTHORISED PLC CONFIGURATION CHANGE

Scenario: A malicious actor or an insider makes unauthorised changes to a Programmable Logic Controller (PLC) configuration, which could disrupt industrial operations.

Analysis of the Simulated OT Cybersecurity Alert

1. Alert Summary

• Use Case: Unauthorised PLC Configuration Change
• Threat Detected: An unauthorised user altered critical setpoints and issued a STOP command to an industrial PLC.
• Impact: This could cause equipment failure, production downtime or safety hazards.

2. Log Analysis

| Timestamp | Source IP | Destination IP | Protocol | Event | Device | Change Details |
|---|---|---|---|---|---|---|
| 2025-03-04 08:58:10 | 192.168.10.50 | 192.168.10.100 | Modbus | Unauthorised PLC Configuration Change | PLC-01 | Setpoint altered from 200°C to 500°C |
| 2025-03-04 08:58:10 | 192.168.10.50 | 192.168.10.100 | Modbus | Unauthorised PLC Stop Command Issued | PLC-01 | PLC switched from RUN to STOP mode |
| 2025-03-04 08:58:10 | 192.168.10.50 | 192.168.10.1 | SSH | Suspicious SSH Access Attempt | SCADA Server | Failed SSH login attempts detected |

3. Investigation Steps

Step 1: Verify the Source of the Attack

• The source IP 192.168.10.50 made unauthorised changes to the PLC.
• The same IP attempted an SSH login on the SCADA server (192.168.10.1), indicating possible lateral movement.

Step 2: Identify the Account Used

• The changes were made using operator_admin, suggesting stolen credentials or insider threat.
• Verify recent login activity and check for unauthorised access.

Step 3: Assess the Impact of Configuration Changes

• The temperature setpoint was changed from 200°C to 500°C, which could lead to
overheating and system damage.
• The PLC was stopped, disrupting industrial operations.

4. Risk Assessment

• Threat Level: Critical
• Impact:
o Safety risk: Uncontrolled temperature increase could lead to equipment failure or fire hazards.
o Production loss: Stopping a PLC could halt manufacturing processes.
o Potential malware or ransomware activity targeting OT systems.

5. Recommended Mitigation Actions

Immediate Actions:

• Block access from source IP (192.168.10.50) at the firewall.
• Disable user account (operator_admin) and force password reset.
• Roll back PLC configurations to a safe state.
• Investigate SCADA server (192.168.10.1) for signs of compromise.

Long-Term Actions:

• Implement network segmentation between IT and OT networks.
• Enable multi-factor authentication (MFA) for PLC and SCADA system access.
• Monitor Modbus traffic with SIEM for unusual commands.
• Deploy anomaly detection to flag unauthorised setpoint changes.
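"Monitor Modbus traffic with SIEM for unusual commands" needs a decoder that understands the protocol, because Modbus carries no authentication of its own: the only way to tell a legitimate setpoint write from the 200°C to 500°C change in this scenario is to decode the write function codes and compare the register, value and sender against a site policy. The following is an added example, not code from the original document; the Modbus/TCP framing follows the public Modbus Application Protocol specification, while the register number, the RUN/STOP coil, the safe temperature band and the authorised engineering station address are hypothetical values chosen for the example.

```python
import struct

# Modbus function codes handled here (from the Modbus Application Protocol specification).
FC_WRITE_SINGLE_COIL = 0x05
FC_WRITE_SINGLE_REGISTER = 0x06
FC_WRITE_MULTIPLE_REGISTERS = 0x10

# Assumed site policy (constructed for this example): register/coil meanings and safe bands.
REGISTER_POLICY = {40: {"name": "furnace_setpoint_c", "min": 0, "max": 250}}  # hypothetical register
RUN_STOP_COIL = 7                                     # hypothetical coil: 1 = RUN, 0 = STOP
AUTHORISED_ENGINEERING_STATIONS = {"192.168.10.20"}   # only hosts allowed to write to PLC-01


def parse_modbus_tcp(frame: bytes) -> dict:
    """Decode the MBAP header and the PDU of the write function codes above."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, pid, length, uid, fc = struct.unpack(">HHHBB", frame[:8])
    if pid != 0:
        raise ValueError("protocol id must be 0 for Modbus/TCP")
    if length != len(frame) - 6:          # the length field counts unit id + PDU bytes
        raise ValueError("MBAP length field does not match frame size")
    data = frame[8:]
    msg = {"transaction_id": tid, "unit_id": uid, "function_code": fc, "writes": {}, "coil": False}
    if fc in (FC_WRITE_SINGLE_COIL, FC_WRITE_SINGLE_REGISTER):
        if len(data) < 4:
            raise ValueError("truncated single-write PDU")
        addr, value = struct.unpack(">HH", data[:4])
        if fc == FC_WRITE_SINGLE_COIL:
            msg["coil"] = True
            value = 1 if value == 0xFF00 else 0   # Modbus encodes coil ON as 0xFF00, OFF as 0x0000
        msg["writes"][addr] = value
    elif fc == FC_WRITE_MULTIPLE_REGISTERS:
        if len(data) < 5:
            raise ValueError("truncated multi-write PDU")
        start, qty, byte_count = struct.unpack(">HHB", data[:5])
        if byte_count != 2 * qty or len(data) < 5 + byte_count:
            raise ValueError("byte count does not match register quantity")
        for i in range(qty):
            msg["writes"][start + i] = struct.unpack(">H", data[5 + 2 * i:7 + 2 * i])[0]
    return msg


def evaluate_write(src_ip: str, frame: bytes) -> dict:
    """Apply the site policy to one decoded write and return the findings a SIEM rule would raise."""
    msg = parse_modbus_tcp(frame)
    findings = []
    if msg["writes"] and src_ip not in AUTHORISED_ENGINEERING_STATIONS:
        findings.append(f"write from unauthorised source {src_ip}")
    for addr, value in msg["writes"].items():
        if msg["coil"] and addr == RUN_STOP_COIL and value == 0:
            findings.append(f"STOP command issued via coil {addr}")
        policy = REGISTER_POLICY.get(addr)
        if policy and not policy["min"] <= value <= policy["max"]:
            findings.append(f"{policy['name']} set to {value}, outside safe band "
                            f"{policy['min']}-{policy['max']}")
    return {"function_code": msg["function_code"], "writes": msg["writes"], "findings": findings}


def build_frame(tid: int, unit_id: int, fc: int, payload: bytes) -> bytes:
    """Assemble a Modbus/TCP frame; used only to construct the sample traffic below."""
    pdu = bytes([fc]) + payload
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit_id) + pdu


# Constructed sample writes (source ip, frame) mirroring the scenario's setpoint change and STOP.
SAMPLE_WRITES = [
    ("192.168.10.50", build_frame(1, 1, FC_WRITE_SINGLE_REGISTER, struct.pack(">HH", 40, 500))),
    ("192.168.10.50", build_frame(2, 1, FC_WRITE_SINGLE_COIL, struct.pack(">HH", 7, 0x0000))),
    ("192.168.10.50", build_frame(3, 1, FC_WRITE_MULTIPLE_REGISTERS,
                                  struct.pack(">HHB", 40, 2, 4) + struct.pack(">HH", 500, 30))),
    ("192.168.10.20", build_frame(4, 1, FC_WRITE_SINGLE_REGISTER, struct.pack(">HH", 40, 200))),
]

if __name__ == "__main__":
    for src, frame in SAMPLE_WRITES:
        print(src, evaluate_write(src, frame))
```

The first three sample frames come from 192.168.10.50 and each produce an "unauthorised source" finding; the register writes add an out-of-band finding for 500 against a 0-250 band, and the coil write adds the STOP finding. The last frame, a 200 write from the authorised engineering station, produces no findings, which is the baseline a tuned rule must stay quiet on. In production the same policy table would be fed from the PLC's tag database rather than hand-written.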
USE CASE 4: BRUTE FORCE ATTACK ON HMI (HUMAN-MACHINE
INTERFACE)

Scenario: A threat actor attempts multiple failed login attempts on an HMI, indicating a
possible brute-force attack.

Analysis of the Simulated OT Cybersecurity Alert

1. Alert Summary

• Use Case: Brute Force Attack on HMI
• Threat Detected: Multiple failed login attempts targeting an HMI (Human-Machine Interface) suggest a brute-force attack.
• Impact: If successful, an attacker could gain control over industrial operations, leading to system manipulation or downtime.

2. Log Analysis

| Timestamp | Source IP | Destination IP | Protocol | Event | Device | Details |
|---|---|---|---|---|---|---|
| 2025-03-04 08:59:07 | 192.168.20.55 | 192.168.20.100 | HTTPS | Failed Login Attempt | HMI-01 | 5 failed login attempts detected |
| 2025-03-04 08:59:07 | 192.168.20.55 | 192.168.20.100 | HTTPS | Brute Force Detected | HMI-01 | 50 failed login attempts detected |
| 2025-03-04 08:59:07 | 192.168.20.55 | 192.168.20.100 | HTTPS | Account Locked | HMI-01 | Account locked due to excessive failures |

3. Investigation Steps

Step 1: Verify the Source of the Attack

• The attack originated from 192.168.20.55, targeting the HMI-01.
• Identify if this is an internal user, compromised system or external threat.

Step 2: Identify the Attack Pattern

• The number of failed login attempts increased from 5 to 50, indicating brute-force automation.
• The admin account was locked, preventing further logins.

Step 3: Check for Other Compromise Indicators

• Examine other login attempts in the network for similar patterns.
• Look for malware or unauthorised access on the source machine (192.168.20.55).

4. Risk Assessment

• Threat Level: High
• Impact:
o Potential unauthorised access to the HMI, leading to industrial process manipulation.
o Possible ransomware or system takeover if the attacker gains access.
o Operational downtime if the HMI remains locked.

5. Recommended Mitigation Actions

Immediate Actions:

• Block access from source IP (192.168.20.55) in the firewall.
• Reset the admin account credentials and enable MFA.
• Scan the source system (192.168.20.55) for malware or unauthorised tools.

Long-Term Actions:

• Enforce account lockout policies after multiple failed attempts.
• Deploy anomaly detection in SIEM to flag brute-force attempts.
• Restrict access to the HMI to specific whitelisted IPs.
• Conduct security awareness training to prevent credential-based attacks.
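The log table shows the escalation the SIEM rule should reproduce: a first alert at 5 failures, a brute-force alert at 50, each raised once rather than on every subsequent attempt. A sliding window keyed on (source IP, account) does this cheaply and also keeps an operator's occasional mistyped password from tripping the rule. The block below is an added example, not code from the original document; the thresholds, the five-minute window and the generated login outcomes are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
# Tiers evaluated per (source ip, account); each fires once per burst. Thresholds are assumed
# tuning values chosen to match the scenario, not figures from a product or standard.
TIERS = ((5, "suspicious"), (50, "brute_force"))


def detect_brute_force(events, window=WINDOW, tiers=TIERS):
    """events: iterable of (timestamp, src_ip, account, outcome) in time order."""
    recent = defaultdict(deque)    # (src, account) -> timestamps of failures still inside the window
    fired = defaultdict(set)       # tiers already raised for that key during the current burst
    alerts = []
    for ts, src, account, outcome in events:
        key = (src, account)
        if outcome == "SUCCESS":
            # A successful login ends the burst; the next burst may raise the tiers again
            recent[key].clear()
            fired[key].clear()
            continue
        if outcome != "FAILED":
            continue
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:    # drop failures that have aged out of the window
            q.popleft()
        for threshold, tier in tiers:
            if len(q) >= threshold and tier not in fired[key]:
                fired[key].add(tier)
                alerts.append({"tier": tier, "src": src, "account": account,
                               "count": len(q), "first": q[0], "last": ts})
    return alerts


def sample_events():
    """Constructed login outcomes: one automated burst against 'admin' on HMI-01 plus benign typos."""
    base = datetime(2025, 3, 4, 8, 57, 0)
    events = [(base + timedelta(seconds=2 * i), "192.168.20.55", "admin", "FAILED")
              for i in range(52)]
    events += [(base + timedelta(minutes=20 * i), "192.168.20.12", "operator_01", "FAILED")
               for i in range(3)]
    events.append((base + timedelta(minutes=41), "192.168.20.12", "operator_01", "SUCCESS"))
    return sorted(events)


if __name__ == "__main__":
    for alert in detect_brute_force(sample_events()):
        print(alert)
```

Running it yields exactly two alerts for 192.168.20.55 against `admin`, one at the 5th and one at the 50th failure, while operator_01's three failures spread over forty minutes never accumulate inside a single window. The lockout action itself belongs to the HMI or directory, not the SIEM; the rule's job is to make the escalation visible early enough that an analyst sees the "suspicious" tier before the account is locked.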
USE CASE 5: UNAUTHORISED USB DEVICE DETECTED IN OT NETWORK

Scenario: A removable USB storage device is plugged into an ICS Engineering Workstation,
which is against security policies in the OT environment.

Analysis of the Simulated OT Cybersecurity Alert

1. Alert Summary

• Use Case: Unauthorised USB Device Detected
• Threat Detected: A USB device was inserted into an ICS Engineering Workstation, violating security policies.
• Impact: The USB contained malware (Trojan.IndustrialSpy) and was used to attempt file exfiltration of critical PLC configuration backups.

2. Log Analysis

| Timestamp | Source IP | Device | Event | USB Serial | User | Status |
|---|---|---|---|---|---|---|
| 2025-03-04 09:00:06 | 192.168.30.10 | ICS-Workstation-01 | Unauthorised USB Inserted | USB-XYZ-1234 | operator_01 | Blocked |
| 2025-03-04 09:00:06 | 192.168.30.10 | ICS-Workstation-01 | Malware Detected on USB | USB-XYZ-1234 | N/A | Quarantined |
| 2025-03-04 09:00:06 | 192.168.30.10 | ICS-Workstation-01 | User Attempted to Copy Files | USB-XYZ-1234 | operator_01 | Blocked |

3. Investigation Steps

Step 1: Verify the Unauthorised Device

• A USB device (USB-XYZ-1234) was inserted into ICS-Workstation-01.
• The user operator_01 attempted to access it.

Step 2: Malware Detection

• Trojan.IndustrialSpy was found on the USB, designed to steal industrial control system data.
• The malware was quarantined before execution.

Step 3: Prevent Data Exfiltration

• The user attempted to copy PLC configuration files to the USB device.
• The action was blocked, preventing potential sabotage or unauthorised access.

4. Risk Assessment

• Threat Level: High
• Impact:
o Possible industrial espionage or sabotage if data was successfully exfiltrated.
o Potential widespread malware infection if the USB was executed on other OT systems.
o Operational disruption if PLC configurations were modified or deleted.

5. Recommended Mitigation Actions

Immediate Actions:

• Isolate ICS-Workstation-01 and perform a full malware scan.
• Investigate operator_01 to determine intent (negligence vs. insider threat).
• Retrieve USB for forensic analysis to understand its origin and malware payload.

Long-Term Actions:

• Enforce USB restrictions on all ICS and OT devices.
• Deploy endpoint protection to automatically quarantine threats.
• Implement Data Loss Prevention (DLP) to prevent unauthorised file transfers.
• Conduct employee security awareness training on USB threats.
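The three log rows above arrive as separate endpoint events (insertion, antivirus verdict, blocked copy) but describe one incident on one workstation with one device. A SIEM rule that groups them by host and USB serial, suppresses site-issued drives, and scores the group by the worst thing that happened gives the analyst the single ticket with the actions listed above instead of three alerts. The following is an added example, not code from the original document; the event layout, the allowlisted serial and the 30-minute grouping window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed events modelled on the use-case table; field order:
# timestamp | source_ip | host | event | usb_serial | user
SAMPLE_USB_EVENTS = """\
2025-03-04 09:00:06 | 192.168.30.10 | ICS-Workstation-01 | USB_INSERTED | USB-XYZ-1234 | operator_01
2025-03-04 09:00:06 | 192.168.30.10 | ICS-Workstation-01 | MALWARE_DETECTED | USB-XYZ-1234 | N/A
2025-03-04 09:00:06 | 192.168.30.10 | ICS-Workstation-01 | FILE_COPY_BLOCKED | USB-XYZ-1234 | operator_01
2025-03-04 10:15:00 | 192.168.30.11 | ICS-Workstation-02 | USB_INSERTED | USB-ENG-0001 | engineer02
2025-03-04 11:30:00 | 192.168.30.12 | ICS-Workstation-03 | USB_INSERTED | USB-ABC-9999 | operator_03
"""

APPROVED_USB_SERIALS = {"USB-ENG-0001"}   # assumed allowlist of site-issued, encrypted drives
GROUPING_WINDOW = timedelta(minutes=30)   # events for one device on one host within this gap form one incident


def parse_usb_events(text):
    events = []
    for line in text.strip().splitlines():
        ts, ip, host, event, serial, user = [f.strip() for f in line.split("|")]
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "ip": ip, "host": host,
                       "event": event, "serial": serial, "user": user})
    return sorted(events, key=lambda e: e["ts"])


def correlate_usb_incidents(events, window=GROUPING_WINDOW):
    """Group USB events per (host, serial) and score each group the way the analyst above did."""
    groups = []
    for ev in events:
        key = (ev["host"], ev["serial"])
        for g in groups:
            if g["key"] == key and ev["ts"] - g["events"][-1]["ts"] <= window:
                g["events"].append(ev)
                break
        else:
            groups.append({"key": key, "events": [ev]})

    incidents = []
    for g in groups:
        host, serial = g["key"]
        if serial in APPROVED_USB_SERIALS:
            continue   # allowlisted device: keep the log line, raise nothing
        kinds = {e["event"] for e in g["events"]}
        users = sorted({e["user"] for e in g["events"] if e["user"] != "N/A"})
        severity = "medium"
        actions = ["confirm device ownership with " + ", ".join(users or ["unknown user"])]
        if kinds & {"FILE_COPY_BLOCKED", "FILE_COPY_ALLOWED"}:
            severity = "high"
            actions.append("review which files were targeted and whether any copy succeeded")
        if "MALWARE_DETECTED" in kinds:
            severity = "critical"
            actions += [f"isolate {host} and run a full scan", "retain the device for forensics"]
        incidents.append({"host": host, "serial": serial, "severity": severity,
                          "first_seen": g["events"][0]["ts"], "events": sorted(kinds),
                          "users": users, "actions": actions})
    return incidents


if __name__ == "__main__":
    for incident in correlate_usb_incidents(parse_usb_events(SAMPLE_USB_EVENTS)):
        print(incident)
```

On the sample data the rule produces two incidents: a critical one for ICS-Workstation-01 carrying the isolate, review and retain actions, and a medium one for the unknown drive on ICS-Workstation-03; the site-issued drive on ICS-Workstation-02 is logged but raises nothing. Scoring by the worst event in the group rather than by count is deliberate: one malware verdict outweighs any number of blocked copies.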
USE CASE 6: UNUSUAL NETWORK TRAFFIC FROM SCADA SYSTEM

Scenario: A SCADA system is unexpectedly communicating with an unknown external IP address, indicating possible malware activity or unauthorised remote access.

Analysis of the Simulated SCADA Cybersecurity Alert

1. Alert Summary

• Use Case: Unusual Network Traffic from SCADA System
• Threat Detected: SCADA-Controller-01 is communicating with an external unknown IP (203.0.113.50), suggesting potential data exfiltration and C2 (Command & Control) activity.
• Impact: Possible APT (Advanced Persistent Threat) malware infection designed to steal industrial control system data or execute remote commands.

2. Log Analysis

| Timestamp | Source IP | Destination IP | Protocol | Event | Device | Status |
|---|---|---|---|---|---|---|
| 2025-03-04 09:00:41 | 192.168.40.100 | 203.0.113.50 | TCP | Unusual Outbound Connection | SCADA-Controller-01 | Active |
| 2025-03-04 09:00:41 | 192.168.40.100 | 203.0.113.50 | HTTPS | Data Transfer Detected | SCADA-Controller-01 | Ongoing |
| 2025-03-04 09:00:41 | 192.168.40.100 | 203.0.113.50 | HTTPS | Command & Control Traffic | SCADA-Controller-01 | Detected |

3. Investigation Steps

Step 1: Identify the Unusual Traffic

• 500MB of data was sent from SCADA-Controller-01 to 203.0.113.50, which is not an approved IP in the network.

Step 2: Confirm Data Exfiltration

• The data file "sensor_readings.log" was being transferred externally.
• This could indicate data theft or espionage targeting critical ICS telemetry.

Step 3: Detect Potential Malware

• The activity is linked to IndustroSpy.APT, a malware associated with industrial espionage.
• Malware uses HTTPS for covert communication with a C2 server, possibly waiting for further commands.

4. Risk Assessment

• Threat Level: Critical
• Impact:
o Compromise of sensitive industrial data (sensor readings, control logs).
o Remote takeover risk, allowing attackers to manipulate SCADA functions.
o Potential operational shutdown if attackers execute malicious commands.

5. Recommended Mitigation Actions

Immediate Actions:

• Isolate SCADA-Controller-01 to contain the malware.
• Block outbound traffic to 203.0.113.50 via firewall and SIEM rules.
• Perform a full malware scan and forensic analysis to determine infection vector.
• Investigate network logs for other compromised devices.

Long-Term Actions:

• Deploy anomaly detection to flag unusual SCADA network behavior.
• Restrict outbound internet access for all OT/ICS devices.
• Implement Zero Trust architecture to prevent unauthorised external communications.
• Harden SCADA endpoints by applying the latest security patches.
• Conduct ICS security training for OT engineers to recognise threats.
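Because HTTPS hides the payload, the C2 traffic in this scenario has to be recognised from metadata: the destination is external and unapproved, it matches a threat-intelligence indicator, the connections recur at a near-constant interval (beaconing) and the volume eventually jumps. The block below is an added example, not code from the original document, and it goes slightly beyond the scenario by combining all four signals with a severity rule; the connection records, the IoC entry for 203.0.113.50, the approved vendor address and the beacon-regularity threshold are constructed assumptions.

```python
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APPROVED_EXTERNAL = {"198.51.100.20"}     # assumed vendor update server reachable through the DMZ
THREAT_INTEL_IPS = {"203.0.113.50"}       # constructed IoC entry mirroring the scenario, not a real indicator


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def sample_connections():
    """Constructed connection records (timestamp, src, dst, protocol, bytes_out); not real flows."""
    base = datetime(2025, 3, 4, 8, 50, 0)
    jitter = [0, 1, -1, 2, 0, -2, 1, 0, -1, 2]
    # SCADA-Controller-01: a tight 60-second beacon, then a 500 MB upload in the next slot
    rows = [(base + timedelta(seconds=60 * i + jitter[i]), "192.168.40.100", "203.0.113.50", "HTTPS", 1200)
            for i in range(10)]
    rows.append((base + timedelta(seconds=600), "192.168.40.100", "203.0.113.50", "HTTPS", 500 * 1024 ** 2))
    # Another controller reaching an unapproved address, but irregularly and in small amounts
    rows += [(base + timedelta(seconds=s), "192.168.40.103", "192.0.2.77", "HTTPS", 2000)
             for s in (0, 300, 1700, 2000, 9000, 9100)]
    # Approved vendor traffic and plain internal Modbus polling, both of which must stay quiet
    rows.append((base + timedelta(minutes=3), "192.168.40.101", "198.51.100.20", "HTTPS", 8_000_000))
    rows.append((base, "192.168.40.102", "192.168.40.1", "Modbus", 500))
    return sorted(rows)


def detect_outbound_anomalies(conns, min_beacons=6, max_cv=0.2, bulk_bytes=100 * 1024 ** 2):
    """Score every (OT host, unapproved external destination) pair seen in the connection records."""
    by_pair = defaultdict(list)
    for ts, src, dst, proto, nbytes in sorted(conns):
        if not is_external(dst) or dst in APPROVED_EXTERNAL:
            continue
        by_pair[(src, dst)].append((ts, nbytes))
    alerts = []
    for (src, dst), rows in by_pair.items():
        reasons = ["unapproved_external"]       # OT devices should not reach the internet at all
        if dst in THREAT_INTEL_IPS:
            reasons.append("threat_intel_match")
        times = [t for t, _ in rows]
        if len(times) >= min_beacons:
            intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            mean = statistics.mean(intervals)
            # A low coefficient of variation means a near-constant check-in period, typical of C2 beaconing
            if mean > 0 and statistics.pstdev(intervals) / mean < max_cv:
                reasons.append("beaconing")
        total = sum(n for _, n in rows)
        if total >= bulk_bytes:
            reasons.append("bulk_transfer")
        if "threat_intel_match" in reasons or {"beaconing", "bulk_transfer"} <= set(reasons):
            severity = "critical"
        elif len(reasons) > 1:
            severity = "high"
        else:
            severity = "medium"
        alerts.append({"src": src, "dst": dst, "severity": severity, "reasons": reasons,
                       "connections": len(rows), "bytes": total})
    return alerts


if __name__ == "__main__":
    for alert in detect_outbound_anomalies(sample_connections()):
        print(alert)
```

The sample yields a critical alert for 192.168.40.100 to 203.0.113.50 with all four reasons, and a medium alert for 192.168.40.103, whose connections are external and unapproved but irregular and small; the vendor traffic and the internal Modbus polling produce nothing. The "unapproved_external" reason alone is worth keeping as a medium alert in an OT network, since the long-term action above is to remove such paths altogether, and the SIEM is the place to find the ones that still exist.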
