Security logging and SIEM in industrial control systems and industrial internet of things (IIoT)
Security logging and SIEM (Security Information and Event Management) is an important security tool for real-time analysis of security alerts generated by applications and network hardware. This is not trivial to set up in a normal IT environment, and even less so in ICS and IIoT. ICSs are often large and diverse systems combining completely new and very old hardware and software. In ICS it is common to see multiple operating systems, embedded systems, insecure legacy systems and a large geographic spread, all of which complicate the matter. There are usually many endpoints not designed to send security logging information, and there are many specialised ICS protocols in use. The introduction of IoT into ICS, the so-called industrial internet of things (IIoT) or Industry 4.0, is another complication.
The task of this thesis is to analyse the current use of security logging and SIEM in ICS and IIoT, evaluate efficient and practical solutions, and propose guidelines for implementing these solutions.