Continuous Monitoring

The Continuous Monitoring feature of WinCC OA provides an interface for external tools to read and validate log and error messages of Security Events that were generated by the WinCC OA.

What is a Security Event?

  • Security Events are specific WinCC OA events that can be monitored by external SIEM (Security Information and Event Management) systems.

  • The Security Events defined by WinCC OA are an extension to the existing logging mechanism​.

What is a SIEM Tool?

Overview of SIEM Tools

A Security Information and Event Management (SIEM) tool is a comprehensive cybersecurity solution designed for the real-time analysis of security alerts generated by hardware and software network components. SIEM tools centralize data collection from various sources such as servers, network devices, and applications, enabling detailed monitoring and analysis. Key features of SIEM tools include log management, event correlation, real-time monitoring, and automated response capabilities. These tools are crucial for maintaining an organization's security posture, ensuring compliance with regulatory requirements, and protecting sensitive data from cyber threats.

Examples of SIEM Tools

There are several well-known SIEM tools available, each offering distinct features and capabilities:

  • IBM QRadar: Offers robust threat detection and incident response features, leveraging advanced analytics and machine learning.
  • Splunk: Known for its powerful search and analysis capabilities, Splunk handles large volumes of data efficiently.
  • ArcSight by Micro Focus: Provides comprehensive security monitoring and compliance management with strong event correlation and reporting functionalities.
  • LogRhythm: Emphasizes rapid threat detection and response to mitigate security risks effectively.
  • AlienVault USM: Integrates SIEM capabilities with additional security tools such as asset discovery and vulnerability assessment.

These tools enhance an organization's security operations and mitigate potential risks effectively.

Why use a SIEM Tool?

A SIEM Tool (e.g., QRadar from IBM) may be helpful to collect and evaluate information. Although WinCC OA does not directly connect to a SIEM tool, it is possible to establish an interface via available tools in WinCC OA. Here are examples of how relevant information could be forwarded to a SIEM Tool:

  • WinCC OA writes logging information into plain text files, and a SIEM Tool could evaluate those files. Furthermore, it is possible to write Security Events to the System Log for further evaluation from a central position.
  • An API extension called ExternErrHdl-Plug-in can be designed to prepare and send the required logging information to a SIEM tool.
  • A SIEM tool may detect an ongoing attack and forward the required information via a specific interface like an SNMP-trap. WinCC OA can receive this trap and activate an alarm to inform the on-site operator.

Therefore, a SIEM tool is essential for actively alerting operators to suspicious activities, such as a high number of failed login attempts. Crucially, it involves setting thresholds for such activities and configuring alerts when these thresholds are crossed, aiding in the proactive identification and mitigation of security threats. Key indicators that can trigger SIEM alarms include:

  • Unusual Out-of-Hours Access: An alarm is generated for logins outside normal business hours, even if successful.
  • Multiple User Account Creations: An alarm is triggered when an unusually high number of user accounts are created in a short time frame.
  • Excessive Configuration Changes: A significant number of alterations in user configurations or audit settings may be indicative of suspicious activity, prompting an alarm for further investigation.