SANS ICS 5 Critical Controls
The SANS ICS 5 Critical Controls provide a proven framework for protecting industrial control systems from cyber threats. ICS Watch Dog Sysmon configurations are designed to directly support these controls by providing host-level visibility that complements network monitoring tools.
Only 1 in 8 organizations (12.6%) report full visibility across the ICS Cyber Kill Chain. Sysmon on endpoints directly addresses this gap by providing the host-side telemetry that network monitoring alone cannot deliver. (SANS State of OT Security 2025)
Control #1: ICS Incident Response
Goal: Develop a comprehensive incident response plan specifically designed for ICS environments with clear roles, communication protocols, and containment procedures.
How Sysmon Helps
Without host-level telemetry, incident responders are blind to what happened on compromised systems. Sysmon provides the forensic evidence needed for effective ICS incident response:
- Process creation chains (Event ID 1) - Reconstruct exactly what ran, when, and what launched it, using the ParentProcessId and ParentImage fields
- Network connections (Event ID 3) - Identify which processes communicated with which systems and on which ports
- File changes - Determine what files were created (Event ID 11), deleted (Event IDs 23 and 26), or had their creation timestamp altered (Event ID 2) during an incident. Sysmon has no file-modification event, so writes to an existing file are not recorded and must come from other sources
- Registry modifications (Event IDs 12-14) - Detect persistence mechanisms and configuration changes
- Timeline reconstruction - Every event carries a UtcTime field, so records from different hosts can be correlated without time-zone arithmetic
Supported By
All ICS Watch Dog configurations support this control. Even the IT Baseline provides the foundational forensic telemetry needed for incident response.
Control #2: Defensible Architecture
Goal: Construct a network architecture that effectively segments and isolates critical systems with DMZs, strict access controls, and minimized attack surface.
How Sysmon Helps
Sysmon validates that architectural controls are holding by detecting when they are violated:
- Boundary crossing detection - Network connection logging (Event ID 3) reveals processes reaching across network segments
- Unauthorized services - Driver loading (Event ID 6) and service registration (registry monitoring of HKLM\System\CurrentControlSet\Services, Event IDs 12-14) detect unauthorized software installation
- Jump host monitoring - The Jump Host config provides comprehensive monitoring of the primary architectural chokepoint into OT networks
- AppLocker enforcement - Registry monitoring of the AppLocker policy key (HKLM\SOFTWARE\Policies\Microsoft\Windows\SrpV2) detects changes to application whitelisting policies
Supported By
OT Baseline, Jump Host, OT Enhanced, and OT Advanced configurations.
Control #3: ICS Network Visibility and Monitoring
Goal: Achieve continuous monitoring of ICS networks to promptly detect anomalies and potential threats using specialized monitoring tools.
How Sysmon Helps
Network monitoring tools see traffic but cannot tell you which process generated it. Sysmon provides the host-side complement to network monitoring:
- Process-to-connection correlation - Every network connection (Event ID 3) is tied to a specific process, providing context that network tools alone cannot
- Anomaly detection - Unexpected processes making network connections (e.g., cmd.exe connecting to port 502) are immediately suspicious
- DNS query logging (Event ID 22) - Records which names each process resolves; an OT host should resolve almost nothing, so new or external lookups are a direct lead for C2 beaconing
- Industrial port awareness - OT configs can monitor connections to known industrial protocol ports (Modbus/502, EtherNet-IP/44818, OPC-UA/4840)
Important: Sysmon monitors process-to-port connections, not protocol payloads. It cannot inspect Modbus commands or OPC-UA operations, and it only sees connections initiated or accepted by processes on the Windows host it runs on; traffic between PLCs, RTUs, and other non-Windows devices never appears. For protocol-level and network-wide monitoring, deploy dedicated ICS network monitoring tools alongside Sysmon.
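The configuration below is an added example written for this page, not one of the ICS Watch Dog configs. It shows the Event ID 3 and Event ID 22 rules behind the Control #3 bullets above and behind the boundary-crossing bullet of Control #2: every connection to the three industrial ports is logged with its owning process, any connection leaving an assumed OT subnet of 192.168.100.0/24 is tagged, and all DNS queries are recorded. The subnet, the rule names, and the schemaversion (Sysmon 15; `sysmon64.exe -s` prints the one your binary expects) are assumptions.

```xml
<Sysmon schemaversion="4.90">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <!-- Event ID 3: one record per TCP/UDP connection, carrying Image, User,
           SourceIp/Port and DestinationIp/Port. Exclude rules win over include rules. -->
      <NetworkConnect onmatch="include">
        <!-- Control #3: industrial protocol ports. The name attribute lands in the
             event's RuleName field, so the SIEM can key on it without a port lookup. -->
        <DestinationPort name="ics_modbus_tcp" condition="is">502</DestinationPort>
        <DestinationPort name="ics_ethernet_ip" condition="is">44818</DestinationPort>
        <DestinationPort name="ics_opc_ua" condition="is">4840</DestinationPort>
        <!-- Control #2: boundary crossing. 192.168.100.0/24 is an ASSUMED OT subnet;
             anything this host talks to outside it is a segmentation question. -->
        <DestinationIp name="leaves_ot_subnet" condition="not begin with">192.168.100.</DestinationIp>
      </NetworkConnect>
      <NetworkConnect onmatch="exclude">
        <!-- Loopback, link-local and multicast would otherwise match leaves_ot_subnet
             constantly. An exclude drops the event even when an include also matched. -->
        <DestinationIp condition="is">127.0.0.1</DestinationIp>
        <DestinationIp condition="is">::1</DestinationIp>
        <DestinationIp condition="begin with">fe80:</DestinationIp>
        <DestinationIp condition="begin with">224.</DestinationIp>
        <DestinationIp condition="begin with">239.</DestinationIp>
        <DestinationIp condition="is">255.255.255.255</DestinationIp>
      </NetworkConnect>
      <!-- Event ID 22: an empty exclude means "log every DNS query". An OT host that
           starts resolving external names is a beaconing lead. -->
      <DnsQuery onmatch="exclude"/>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

Install with `sysmon64.exe -accepteula -i config.xml`, update a running instance with `sysmon64.exe -c config.xml`, and confirm what is active with `sysmon64.exe -c` (no file). Events land in the Microsoft-Windows-Sysmon/Operational channel. The "cmd.exe to port 502" case from the bullets above then shows up as an Event ID 3 with RuleName=ics_modbus_tcp and an Image that is not the HMI runtime; the alert itself belongs in the SIEM, where the list of processes approved to speak Modbus lives.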
Supported By
OT Baseline (basic network logging), OT Enhanced (industrial port awareness), Jump Host (all connections logged).
Control #4: Secure Remote Access
Goal: Implement secure, controlled remote access solutions with multi-factor authentication, encrypted communications, and strict access controls.
How Sysmon Helps
Remote access is one of the most exploited attack vectors in ICS/OT environments. CISA, NSA, and MS-ISAC have issued joint advisories specifically about the malicious use of legitimate remote access tools. Sysmon detects:
- Remote access tool execution - All ICS Watch Dog configs detect known RMM tools including TeamViewer, AnyDesk, ScreenConnect, VNC variants, LogMeIn, Bomgar, Splashtop, RustDesk, MeshAgent, Ammyy Admin, and others
- RDP session activity - Sysmon records the client side (mstsc.exe process creation and Event ID 3 connections to port 3389) and every process started inside an RDP session. The logon itself is not a Sysmon event; correlate with Windows Security event 4624 (logon type 10) or the Microsoft-Windows-TerminalServices-LocalSessionManager/Operational log
- Clipboard transfers - The Jump Host config enables Sysmon's CaptureClipboard option and logs clipboard changes (Event ID 24), detecting data transfer between networks via the RDP clipboard. Captured contents are written to Sysmon's protected archive directory, so plan disk space and access control for it
- Portable/renamed tools - File creation monitoring detects portable RMM executables being dropped in unexpected locations
All configs include remote access tool detection enabled by default. Administrators must tune these rules for their organization's approved remote access solution.
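The configuration below is an added example for this page, not one of the ICS Watch Dog configs. It shows the rule types behind the four bullets above and the tuning the last paragraph asks for: RMM detection on PE metadata so a renamed copy still matches, an exclude for an approved tool that only applies when it runs from its installed path, a compound FileCreate rule for portable RMM binaries dropped in user-writable locations, outbound RDP tagging, and Event ID 24 on a jump host. The tool-name strings, the assumed approved tool (ScreenConnect installed as a service), and the schemaversion are assumptions to replace with your own.

```xml
<Sysmon schemaversion="4.90">
  <HashAlgorithms>sha256,md5</HashAlgorithms>
  <!-- Required for Event ID 24. Clipboard contents are written to Sysmon's protected
       archive directory, so enable this on jump hosts, not fleet-wide. -->
  <CaptureClipboard/>
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <!-- Event ID 1: match on PE metadata, not the on-disk file name, so a renamed
           portable copy still hits. ASSUMED starter list; matching is case-insensitive. -->
      <ProcessCreate onmatch="include">
        <OriginalFileName name="rmm_tool_exec" condition="contains any">TeamViewer;AnyDesk;ScreenConnect;vnc;LogMeIn;Bomgar;Splashtop;RustDesk;MeshAgent</OriginalFileName>
        <Description name="rmm_tool_exec" condition="contains any">TeamViewer;AnyDesk;ScreenConnect;VNC;LogMeIn;Bomgar;BeyondTrust;Splashtop;RustDesk;Mesh Agent;Ammyy</Description>
        <!-- Outbound RDP from the jump host; pair with the port 3389 rule below -->
        <Image name="rdp_client_launch" condition="end with">\mstsc.exe</Image>
      </ProcessCreate>
      <ProcessCreate onmatch="exclude">
        <!-- Tuning: the organization's approved tool. ASSUMED here to be ScreenConnect
             installed as a service under Program Files (x86). The same binary launched
             from a user profile or Downloads does not match this rule and is still logged. -->
        <Rule groupRelation="and">
          <Image condition="begin with">C:\Program Files (x86)\ScreenConnect Client</Image>
          <IntegrityLevel condition="is">System</IntegrityLevel>
        </Rule>
      </ProcessCreate>
      <!-- Event ID 11: portable RMM binary dropped somewhere a user can write -->
      <FileCreate onmatch="include">
        <Rule groupRelation="and" name="rmm_portable_dropped">
          <TargetFilename condition="contains any">\Downloads\;\AppData\Local\Temp\;\Users\Public\;\Desktop\</TargetFilename>
          <TargetFilename condition="contains any">teamviewer;anydesk;screenconnect;vnc;logmein;bomgar;splashtop;rustdesk;meshagent;ammyy</TargetFilename>
        </Rule>
      </FileCreate>
      <!-- Event ID 3: RDP reaching into the OT network from this host -->
      <NetworkConnect onmatch="include">
        <DestinationPort name="rdp_outbound" condition="is">3389</DestinationPort>
      </NetworkConnect>
      <!-- Event ID 24: log every clipboard change. Image=rdpclip.exe means the content
           arrived from the remote client side of an RDP session; content copied inside
           the session is attributed to the application that copied it. -->
      <ClipboardChange onmatch="exclude"/>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

Two points of the design are worth keeping when you adapt it. First, the approved-tool exclude is deliberately narrow: a path prefix plus System integrity, which only a service-installed instance satisfies, so a copy of the same vendor's binary run by a user is not silently whitelisted. Second, ProcessCreate and FileCreate use different match strings on purpose; the FileCreate rule sees only a file name, while ProcessCreate sees the PE's OriginalFileName and Description, which is what survives a rename.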
Supported By
All configurations (IT Baseline through OT Advanced). The Jump Host config provides the most comprehensive remote access monitoring.
Control #5: Risk-Based Vulnerability Management
Goal: Conduct systematic vulnerability assessments and prioritize remediation based on potential impact on critical systems.
How Sysmon Helps
Effective vulnerability management requires knowing what software is running in your environment. Sysmon supports this by logging:
- Software execution - Process creation logs with full command lines reveal what applications are actively running
- Driver loading - Identifies drivers in use, supporting vulnerability scanning and patch management
- Service changes - Registry monitoring detects new services being installed or existing services being modified
- File hashes and version metadata - SHA256 and MD5 hashes of every executed image, together with the FileVersion, Product, and Company fields in Event ID 1, give a software inventory that can be matched against vendor advisories and known-vulnerable versions; the hashes also match threat-intelligence feeds of known-bad binaries
- Change detection - File and registry monitoring provides a baseline for detecting unauthorized changes
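The configuration below is an added example for this page, not one of the ICS Watch Dog configs. It covers the inventory and change-detection bullets above (Control #5) and the service-registration and AppLocker-policy bullets of Control #2 in one config: hashes and version metadata on every process start, every driver load, registry writes under the Services hive and the AppLocker policy key, and file creation in install locations. The registry noise exclusions and the schemaversion are assumptions; build the real exclusion list from a baseline capture on one of your own hosts.

```xml
<Sysmon schemaversion="4.90">
  <!-- Hashes are attached to every ProcessCreate, DriverLoad and ImageLoad record -->
  <HashAlgorithms>sha256,md5</HashAlgorithms>
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <!-- Event ID 1: log every process start. Besides CommandLine and Hashes the record
           carries FileVersion, Product and Company, which is the software inventory. -->
      <ProcessCreate onmatch="exclude"/>
      <!-- Event ID 6: every driver load. On an OT host the set is static, so a new
           ImageLoaded path or a Signed=false entry is itself the finding. -->
      <DriverLoad onmatch="exclude"/>
      <!-- Event IDs 12/13/14: service registration and AppLocker policy (Control #2) -->
      <RegistryEvent onmatch="include">
        <TargetObject name="service_key_change" condition="begin with">HKLM\System\CurrentControlSet\Services\</TargetObject>
        <TargetObject name="applocker_policy_change" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\SrpV2</TargetObject>
      </RegistryEvent>
      <RegistryEvent onmatch="exclude">
        <!-- Volatile subkeys rewritten at boot and on DHCP renewals. ASSUMED starter
             list; extend it from your own baseline, never by excluding ImagePath. -->
        <TargetObject condition="contains">\Enum\</TargetObject>
        <TargetObject condition="contains">\Services\Tcpip\Parameters\Interfaces\</TargetObject>
      </RegistryEvent>
      <!-- Event ID 11: a new file in an install location is a software change on a host
           that should only change inside a maintenance window -->
      <FileCreate onmatch="include">
        <TargetFilename name="install_location_write" condition="begin with">C:\Program Files</TargetFilename>
        <TargetFilename name="driver_store_write" condition="begin with">C:\Windows\System32\drivers\</TargetFilename>
      </FileCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

With this loaded, grouping Event ID 1 records by Product and FileVersion enumerates what actually runs on the host, which is a better input to vulnerability prioritization than an installed-programs list because it excludes software that is present but never executed. A RegistryEvent whose TargetObject ends in \ImagePath under the Services hive is the record to alert on for new or modified service binaries; the Enum exclusion keeps Plug and Play churn out without touching it.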
Supported By
All ICS Watch Dog configurations support this control through process and service logging.
Config-to-Control Mapping
| Configuration | #1 IR | #2 Architecture | #3 Visibility | #4 Remote Access | #5 Vuln Mgmt |
|---|---|---|---|---|---|
| IT Baseline | Yes | - | - | Yes | Yes |
| OT Baseline | Yes | Yes | Yes | Yes | Yes |
| Jump Host | Yes | Yes | Yes | Primary | Yes |
| OT Enhanced | Yes | Yes | Enhanced | Yes | Yes |
| OT Advanced | Yes | Yes | Yes | Yes | Yes |