← All Updates
EDUCATIONMay 25, 2026

How Six PLC Events Cover Most Incident Signals

Effective OT detection starts with controller state. A small set of high-value PLC events often provides more visibility than collecting millions of network records.

OT security without signal focus becomes noise collection.

Many security programs collect more data every year.

More packet captures.

More protocol decoders.

More dashboards.

More alerts.

Yet critical process-level changes remain invisible.

Today’s Reality

Most OT environments generate large volumes of telemetry.

The challenge is not the amount of data.

The challenge is identifying which signals actually indicate risk.

Many incident investigations eventually lead back to the same place:

The controller.

Not dashboards.

Not reports.

Not visualization layers.

Controller state.

In many environments, process-impacting changes are introduced by trusted users, engineering activities, maintenance operations, or configuration modifications.

Understanding what changed inside the controller is often more valuable than collecting another million packets.

The Core Idea

A surprisingly large portion of process-level incidents can be observed through six PLC event categories.

1. Login Success

Who accessed the controller?

2. Login Failed

Who attempted to access the controller?

3. Configuration Change

What settings were modified?

4. Program Change

Was logic altered?

5. Program Start / Stop

Was execution interrupted or resumed?

6. PLC Restart

Why did the controller reboot?

What These Signals Reveal

Together these events can expose:

  • Unauthorized control actions
  • Credential misuse
  • Engineering workstation activity
  • Logic modifications
  • Alarm suppression attempts
  • Process disruption
  • Configuration drift
  • Unexpected operational changes

Many industrial attack techniques eventually require one or more of these controller-level actions.

That makes them high-value signals for detection engineering.

What Breaks in Most Deployments

Many OT security projects begin with:

  • Packet capture
  • Protocol analysis
  • Network-wide monitoring
  • Traffic analytics

These capabilities are valuable.

But controller state is frequently overlooked.

As a result, organizations gain visibility into communication while losing visibility into operational changes.

The network becomes observable.

The controller does not.

A System Principle

More data does not automatically create more understanding.

Signal selection does.

The objective is not maximum collection.

The objective is meaningful visibility.

In many industrial environments, six controller signals can provide more actionable security context than thousands of low-value events.

Validation Matters

Detection logic should not be assumed to work.

It should be tested.

Labshock environments are used to replay process behavior, generate controller events, and validate detections against actual PLC state changes.

The goal is simple:

Move from assumptions.

To validation.

From documentation.

To execution.

OT security must be testable.

Not assumed.

How are PLC state changes currently tracked inside your SIEM?

LABSHOCK SECURITY — OT SECURITY MUST BE TESTABLE, NOT DOCUMENTED
← Older
Future OT Environments Will Be Continuously Testable
Newer →
Three Directions Are Changing OT Security
← Back to all updates