What is Monitoring?
Monitoring is the continuous collection, observation and analysis of data from systems and networks to keep track of their status, performance and security. In OT environments, monitoring covers both operational processes and cybersecurity threats.
Monitoring is the eyes and ears of the OT network — without monitoring, detection, fault analysis and incident response are impossible.
🧠 How does Monitoring work?
- Data collection from various sources:
- Network traffic (e.g. via SPAN or TAP)
- System logs (Syslog, Windows Event Logs)
- Devices such as PLCs, SCADA, HMIs
- Security tools (Firewall, EDR, IDS, SIEM)
- The data is analysed for:
- Performance (uptime, latency, CPU usage)
- Anomalies (anomaly detection)
- Incidents (intrusion attempts, ransomware, privilege misuse)
- Visualised via dashboards, alerts and reports
- Automated actions are possible via SOAR or alarm flows
Monitoring can be used both proactively (early detection) and reactively (incident analysis).
🏭 Application of Monitoring in industrial networks
- Watching communication between PLC and HMI to detect anomalies
- Detection of unusual logins on the Engineering Station or SCADA
- Visibility of network load and performance via OT monitoring platforms
- Alerts on firmware changes or unexpected data spikes
- Historical analysis of process data for root-cause analysis
Monitoring is essential when implementing Defense in Depth and Zero Trust in OT.
🔍 Types of Monitoring
| Type | Application |
|---|---|
| Operational | Process status, line performance, OEE |
| Network | Traffic, connections, ports |
| Security (Security Monitoring) | Detection of cyber threats and attacks |
| User activity | Logins, sessions, changes |
| System performance | CPU usage, memory pressure, uptime |
🔐 Security considerations
- Combine with SIEM for correlation, alerting and forensic logging
- Integrate with anomaly detection and Threat Intelligence
- Ensure time-synchronised logging (NTP) for forensic reliability
- Implement read-only monitoring on critical OT nodes to limit risk
- Requires network access via SPAN, TAP or inline sensors
In OT environments, monitoring must be non-invasive so as not to disrupt operational continuity.
📌 In summary
Monitoring is the foundation for visibility, detection and control in industrial networks. Continuous monitoring of both processes and systems creates a resilient OT landscape with insight into performance and threats alike.