
Efficient OT system visibility and detection start with the right log sources

Broad monitoring coverage means little if the signals that matter are buried or never collected in the first place. Threat modeling, grounded in real attack data, is the discipline that makes the difference.

You cannot monitor everything at once, and in OT (operational technology) environments, complete visibility is often simply not achievable. Legacy systems may lack logging capabilities altogether. Vendor restrictions or operational constraints may prohibit installing agents or forwarding logs from certain systems such as controllers or HMIs. This is the reality of many industrial networks, and it must be accounted for. And in some cases, the logs from certain assets are unlikely to be useful at all, even during an incident.

The answer is smart prioritization of what you collect. Focus on the systems attackers must pass through or compromise, and on the assets they ultimately want to reach.

Start with real attack data

Threat modeling should be anchored in observed reality, not hypothetical scenarios. Begin by studying what attackers actually do—specifically against systems and networks similar to yours. Collect enough documented cases to identify the techniques that appear consistently across incidents. These are the ones that demand your attention first.

The techniques that appear in nearly every real-world attack are the ones your detection capability must cover first.

The open-source knowledge base MITRE ATT&CK already holds a large collection of documented attacks mapped to a common language, which makes incidents directly comparable—and this is a good starting point.

From this analysis, you can determine which log sources are necessary to observe those techniques, on the devices most likely to be targeted. This produces something valuable: a clear priority order for your logging and detection investments.

This should be continuous work: keep collecting new cases that are relevant to your threat model. Systems are continuously updated, and new technologies such as AI introduce attack surfaces that didn’t exist just a few years ago.

Expand your detection surface

Log coverage alone is not enough. Complementary OT-focused security controls such as well-segmented networks with no internet exposure, enforced multi-factor authentication, and timely patching of remotely accessible systems serve a dual purpose. They raise the difficulty for attackers and, in doing so, make attackers louder. When an attacker is forced to attempt more techniques to succeed, they generate more signals. That creates more opportunities to detect the intrusion earlier and more time to contain it before it spreads.

What comes next

AI models capable of autonomously finding and exploiting vulnerabilities are no longer a distant concern. AI-driven attacks are likely to compress the timeline between initial access and impact dramatically. As these capabilities mature, foundational security hygiene becomes more important. The right visibility and detection make it possible to understand what is happening inside critical infrastructure, and to respond in time.

Author: Joakim Elgh, Detection Engineer at Sectra