Michael Hoffman is currently the global Principal ICS Security SME for Shell Downstream and has over 19 years of combined experience in ICS Security, Controls and Automation, and Instrumentation. Past roles have included Instrumentation & Analyzer Specialist in Downstream, Controls & Automation Specialist in Upstream, and ICS Security Engineer in Downstream.
Michael desires to continuously learn and give back to the ICS community by training the next generation of ICS security experts. He is currently pursuing a Master of Science in Information Security Engineering from the SANS Technology Institute and holds the following certifications: CISSP, GSTRT, GICSP, GCIP, GCIH, GCIA, GPYC, GSEC, CCNA, and MCSA.
Although there are many techniques and tools available to gather event logs and provide visibility to SOC analysts in the IT realm, there are limited resources available that discuss this topic specifically within the context of the ICS industry. As many in the ICS community struggle with gaining logging visibility in their environments and with understanding collection methodologies, logging implementation guidance is needed to address this concern. Logging methods used in ICS, such as WMI, Syslog, and Windows Event Forwarding (WEF), are common to the IT industry. This paper examines WEF in the context of Windows ICS environments to determine whether WEF is better suited to ICS environments than WMI pulling with regard to bandwidth, security, and deployment considerations. The comparison between the two logging methods is made in an ICS lab representing automation equipment commonly found in energy facilities.