Cyber ​​attacks are multiplying and all organizations are concerned. To protect themselves, companies are increasingly using a SOC, completing a logic of prevention with a monitoring of their information system. The same reasoning must prevail in industry, adapting IT security measures to the specificity of industrial control systems.

control center room

As all studies show, the shadow of cyberattacks is increasing every year . In 2013, 70% of companies worldwide were affected and the looted economic value was € 190 billion . To protect themselves, most organizations have put in place measures to prevent computer threats. But that is not enough, or more, because in terms of cybersecurity, zero risk does not exist. Whatever steps are taken, companies will be attacked one day or another. It is therefore necessary that they know how to defend themselves and respond when the security of their information system is threatened. To achieve this, the implementation of a SOC (Security Operation Center) is imperative.


A SOC is an information system security management and administration system that, through event collection, detects, analyzes, and responds to security incidents. alert. Its ultimate goal is to provide 24/7 monitoring to restore the security of the information system as soon as possible when threatened.

Yet, too few organizations are equipped with such a device. The reasons for such a lack can be listed in 3 points:

  • Organizations do not always have the in-house skills to drive a SOC.
  • Setting up a SOC is expensive and companies do not necessarily have the financial means.
  • Some organizations do not have the tools or methods to drive a SOC.

And even when a company is equipped with a SOC, it can be inefficient. A survey conducted by HP in 2014 shows that 87% of the SOC studied do not have the recommended level of maturity to achieve their objectives.

Solutions exist, however, to implement an effective SOC. The SANS Institute delivers the 4 key steps.


1 – Cyber ​​Security Risk Mapping

To carry out the risk mapping, the organization must first identify what are its critical processes. It will then identify the vulnerabilities and threats, based on the probability and the financial impact, of which these critical processes may be subject. It will also ensure the relevance and updating of all information related to cybersecurity issues. It is further recommended to classify all risks.

In a second step, the organization will have to implement intrusion tests in order to provide precise information on the risks related to cybersecurity. These tests consist of simulating a computer attack by a malicious user or malware. They make it possible to analyze the potential risks due to a bad configuration of a system, a programming fault or a vulnerability related to the tested solution. Its main objective is to detect vulnerabilities that will make it possible to propose an action plan to improve the security of the information system.

2 – Identification and establishment of a dedicated team

The organization will have to set up a dedicated team and set its objectives. The purpose is to list the skills of each member of the team and compare them against the objectives set. This step makes it possible to set up a training plan for the team. Having teams informed of the latest news and endowed with adequate technical competence is indeed essential. Internal monitoring and regular training sessions are expected.

 3 – Implementation of information system event monitoring technology

The dedicated team will have to equip itself with a technology to supervise the events of the industrial information system, and be competent not to make mistakes of qualification or investigation. It is imperative that structures are able to monitor their information system and detect suspicious events, through alert generation. These alerts will be investigated to determine the reasons for such an event.

However, given the complexity and expertise required to manage such a tool, a number of companies decide to entrust the maintenance and operation of such a tool to a provider through an appliance. .

4 – Definition of an incident management process

This incident management process must consist of 3 main phases:

  • identification of the incident;
  • response according to the level of criticality;
  • restore the network to a normal level.

It should also be noted that the SOC must meet legal and regulatory requirements. They aim in particular to implement a device for detecting computer attacks and to notify security incidents to the competent authorities.


The Gartner firm notes in its blog that while 80% of cybersecurity problems encountered in industrial control systems are identical to those of information systems, 20% are totally different.
Among these differences, note that:

  • The nature of the risks is much greater, as they can have an extremely serious environmental impact and lead to physical death.
  • Industrial equipment, automated, must be available continuously. It is therefore very difficult, if not impossible, to interrupt them. However, since security updates for a system or service most often require them to be restarted, it is clear that industrial systems are rarely up-to-date and therefore vulnerable to security breaches.
  • While originally designed to operate in isolation, industrial control systems are increasingly interconnected with the rest of the company and its stakeholders, increasing risk.

To respond to this specificity, it is necessary to develop cybersecurity management solutions adapted to the world of operational technologies (OT) . In other words, these solutions must be specially designed to have no impact on the production tool. The establishment of probes to map the industrial network and analyze the behavior of automata is a solution.

In this case, the purpose of setting up a dedicated SOC will be to provide real-time monitoring of the data collected, generate alerts in the event of an incident and make
recommendations for the rehabilitation of the data collected. industrial control system.

The need for a SOC is dictated by the multiplicity and complexity of cyber threats that organizations face today, especially industry. Continuous and real-time monitoring of information systems and industrial control systems is imperative for their optimal protection.