
OT Cybersecurity

Audit & Logging

Audit trails, log collection, and compliance evidence in OT.


Overview

Audit and logging build the evidentiary record of OT: who downloaded what to which controller, when forces were set, and whether time across systems can support reconstruction.

Engineering purpose

Prove compliance, enable forensics, and — equally — prove innocence when something breaks after a change window.

How it works

Controller and HMI events (downloads, forces, parameter changes, logons) flow to central collection; NTP discipline makes timestamps comparable; retention policy balances forensic depth against storage.

  • Controller and HMI events (downloads, forces, parameter changes) are the audit trail of record — collect them centrally.
  • Clock sync (NTP) across devices is a precondition: unsynchronized logs cannot reconstruct an incident.
  • Logs prove both compliance and innocence — retention must match regulatory and forensic needs.

Common faults

Logs scattered on local devices and lost with them; clock drift making sequence reconstruction impossible; retention too short for slow-burn incidents; nobody assigned to actually review anything.

Diagnostic checks

  1. Confirm program downloads and forces appear in the central log with correct timestamps.
  2. Check time synchronization across PLCs, HMIs, and servers.
  3. Perform a test download and force, then confirm both appear centrally with correct timestamps and attribution.
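
One way to automate check 3, added here as an illustration and not taken from the original article or any Hermes tooling: it scans central-collector records for each test event and reports whether the event is present, time-consistent, and attributed. The CSV record layout, device and user names, and the 5-second skew tolerance are assumptions made for the example.

```python
import csv
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample of central-collector records (hypothetical layout):
# collector receive time, device-stamped time, device, event, user
SAMPLE = """\
2024-05-14T09:00:02Z,2024-05-14T09:00:01Z,PLC-01,download,jsmith
2024-05-14T09:02:11Z,2024-05-14T08:57:40Z,PLC-01,force,jsmith
2024-05-14T09:03:30Z,2024-05-14T09:03:29Z,HMI-02,download,
"""

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def check_test_events(log_text, expected, start, end,
                      max_skew=timedelta(seconds=5)):
    """For each expected (device, event) performed in [start, end], return
    'ok', 'missing', 'clock_skew' or 'no_attribution'."""
    rows = [r for r in csv.reader(StringIO(log_text)) if r]
    results = {}
    for device, event in expected:
        status = "missing"  # never reached the central log
        for received, stamped, dev, ev, user in rows:
            if (dev, ev) != (device, event):
                continue
            rx = parse(received)
            # Match on collector time: the device clock may be the faulty one.
            if not (start <= rx <= end):
                continue
            if abs(rx - parse(stamped)) > max_skew:
                status = "clock_skew"      # device time disagrees with collector
            elif not user.strip():
                status = "no_attribution"  # event logged without a user
            else:
                status = "ok"
            break
        results[(device, event)] = status
    return results

if __name__ == "__main__":
    window = (parse("2024-05-14T08:55:00Z"), parse("2024-05-14T09:10:00Z"))
    tests = [("PLC-01", "download"), ("PLC-01", "force"),
             ("HMI-02", "download"), ("PLC-03", "force")]
    for key, status in check_test_events(SAMPLE, tests, *window).items():
        print(key, status)
```

Anything other than `ok` for a test event means the audit chain is not yet verified for that device.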

Safety notes

Audit trails around safety-system changes are themselves safety records — protect their integrity and retention accordingly.

Commissioning notes

Stand up NTP first, then central collection, then verify the event chain end-to-end before declaring the audit capability operational.

Related concepts

Central log collection, NTP discipline, change attribution, retention policy, review ownership.

audit · logging · compliance · syslog · review

When Hermes Brain uses this article

Cited for change-tracking requirements, post-incident reconstruction, compliance evidence, and logging architecture.