Glossary

SIEM

SIEM is a security platform that collects, correlates, and analyzes logs and events from IT and OT systems to detect and investigate threats.

SIEM (Security Information and Event Management) is a class of security platforms that collect, normalize, store, and analyze log and event data from multiple systems to support threat detection, incident response, and security monitoring.

Core meaning

The term SIEM commonly refers to software or a managed service that:

  • Ingests logs and events from many sources, such as firewalls, servers, endpoints, databases, applications, and OT devices
  • Normalizes and correlates events to identify patterns that may indicate security incidents
  • Raises alerts based on rules, correlation logic, and sometimes behavioral analytics
  • Provides dashboards and reports for security operations and compliance monitoring
  • Archives log data for forensic analysis and audit support

In manufacturing and other industrial environments, a SIEM often collects data from both IT and OT, including MES, historians, SCADA, PLC gateways, identity systems, and network infrastructure.
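As an added illustration (not code from this glossary's author or from any SIEM product), the Python sketch below shows the normalize-and-correlate step described above on two constructed event formats: SSH authentication lines from an engineering workstation and a JSON feed from a PLC gateway are mapped onto one schema, and a single correlation rule flags a burst of failed logins followed by a successful login and a configuration change on the gateway. Hostnames, user names, timestamps and both log formats are made up for the example.

```python
import json
import re
from datetime import datetime, timedelta
# Constructed sample events (not real logs): syslog-style SSH auth lines from an
# engineering workstation and a JSON feed from a PLC gateway, two different formats.
RAW_EVENTS = [
    "2024-05-01T08:00:05Z eng-ws01 sshd: Failed password for svc_mes from 10.1.5.20",
    "2024-05-01T08:00:09Z eng-ws01 sshd: Failed password for svc_mes from 10.1.5.20",
    "2024-05-01T08:00:14Z eng-ws01 sshd: Failed password for svc_mes from 10.1.5.20",
    "2024-05-01T08:00:20Z eng-ws01 sshd: Accepted password for svc_mes from 10.1.5.20",
    '{"ts": "2024-05-01T08:03:02Z", "host": "plc-gw03", "event": "config_change", "user": "svc_mes"}',
    '{"ts": "2024-05-01T09:30:00Z", "host": "plc-gw03", "event": "config_change", "user": "eng_anna"}',
]
SYSLOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<outcome>Failed|Accepted) "
                       r"password for (?P<user>\S+) from (?P<src>\S+)$")

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def normalize(raw):
    """Map one raw line from either source onto a common schema; None if unparsed."""
    if raw.startswith("{"):                      # JSON feed from the OT gateway
        d = json.loads(raw)
        return {"ts": parse_ts(d["ts"]), "host": d["host"], "action": d["event"], "user": d["user"]}
    m = SYSLOG_RE.match(raw)                     # syslog-style auth line
    if not m:
        return None
    action = "auth_fail" if m["outcome"] == "Failed" else "auth_ok"
    return {"ts": parse_ts(m["ts"]), "host": m["host"], "action": action, "user": m["user"]}

def correlate(events, fails=3, window=timedelta(minutes=10)):
    """Rule: >= `fails` failed logins, then a successful login, then an OT config change, same user, within `window`."""
    alerts, by_user = [], {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user.setdefault(e["user"], []).append(e)
    for user, evs in by_user.items():
        for i, cfg in enumerate(evs):
            if cfg["action"] != "config_change":
                continue
            prior = [x for x in evs[:i] if cfg["ts"] - x["ts"] <= window]   # events in the window
            oks = [j for j, x in enumerate(prior) if x["action"] == "auth_ok"]
            # count failures that precede the last successful login; no login -> no match
            n_fail = sum(1 for x in prior[:oks[-1]] if x["action"] == "auth_fail") if oks else 0
            if n_fail >= fails:
                alerts.append({"rule": "bruteforce_then_ot_config_change", "user": user,
                               "host": cfg["host"], "ts": cfg["ts"], "failed_logins": n_fail})
    return alerts

def run(raw_lines=RAW_EVENTS):
    return correlate([e for e in map(normalize, raw_lines) if e])
```

Running `run()` on the sample yields one alert for `svc_mes` on `plc-gw03`; the later change by `eng_anna` has no preceding failed logins and is not flagged.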

Operational use in industrial environments

Within plants and regulated manufacturing operations, a SIEM typically:

  • Centralizes security-relevant events from production networks, corporate networks, and cloud services
  • Monitors access to critical systems like MES, batch servers, quality systems, and engineering workstations
  • Helps detect unauthorized changes to OT configurations, user accounts, or critical applications
  • Provides evidence of monitoring, logging, and incident handling to support frameworks such as ISO 27001 or similar security management standards
  • Supports investigations when there are suspected breaches involving shop-floor systems or production data

What SIEM is not

SIEM is not:

  • A replacement for endpoint protection, firewalls, or identity management tools
  • A control system or MES; it observes and analyzes events rather than executing production workflows
  • Guaranteed proof of compliance; it can provide supporting evidence but does not itself constitute certification

Common confusion

  • SIEM vs. log management: Log management focuses on collecting and storing logs. SIEM includes log management but adds correlation, alerting, and security-focused analytics.
  • SIEM vs. SOAR: SOAR (Security Orchestration, Automation, and Response) tools automate workflows and responses to alerts. SIEM is primarily focused on detection and analysis, though some products combine both capabilities.

Relation to ISO 27001 in manufacturing

In the context of ISO 27001 and similar security standards, a SIEM is often used to:

  • Provide centralized logging for critical IT and OT assets
  • Demonstrate that security events are monitored and investigated
  • Support incident recording, metrics, and evidence for audits involving production and shop-floor systems

Use of a SIEM does not by itself fulfill any specific control, but it can support multiple controls related to monitoring, incident management, and logging.
