Alerting on safety-logic changes
Description
What this control does
This control establishes real-time monitoring and alerting mechanisms that trigger notifications whenever safety-critical logic—such as industrial control system (ICS) ladder logic, safety instrumented system (SIS) code, or operational technology (OT) firmware—is modified, uploaded, or deleted. Alerts are generated automatically based on change-detection mechanisms integrated with programmable logic controllers (PLCs), distributed control systems (DCS), or configuration management databases (CMDBs). The control ensures that unauthorized, accidental, or malicious alterations to systems responsible for physical safety are immediately detected and investigated before they can cause harm or process disruption.
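As an added example, not part of this control description and not any vendor's product, the following Python script shows the kind of detection logic the control calls for. It reads controller events in a constructed key=value format, matches each logic download against an approved change ticket and the image hash that ticket authorised, advances a known-good hash baseline only for approved downloads, and emits severity-rated alerts. A separate drift check compares a retrieved logic image against the baseline, which catches edits that produced no event at all. The event format, host names, user names, ticket ids and logic images are all constructed.

```python
"""Classify PLC/SIS logic-change events against approved changes and a hash baseline.

Added illustration; the event format, hosts, users and ticket ids are constructed.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed logic images: v2 raises a pressure trip setpoint, the kind of
# safety-relevant edit this control is meant to surface.
LOGIC_V1 = b"RUNG 1: IF PT-101 > 120 PSI THEN CLOSE XV-101\n"
LOGIC_V2 = b"RUNG 1: IF PT-101 > 150 PSI THEN CLOSE XV-101\n"
H1, H2 = sha256_hex(LOGIC_V1), sha256_hex(LOGIC_V2)

# Known-good image hash per controller, recorded after the last approved download.
BASELINE = {"sis-ctrl-01": H1, "plc-bms-07": H1}

# Approved change tickets (constructed): window, engineer, and the authorised image.
APPROVED = [
    {"ticket": "CHG-1001", "host": "sis-ctrl-01", "user": "eng.alice",
     "start": "2024-03-02T01:00:00Z", "end": "2024-03-02T03:00:00Z", "sha256": H2},
]

# Constructed events as an OT monitor might forward them to a SIEM.
SAMPLE_EVENTS = f"""\
2024-03-02T01:14:07Z host=sis-ctrl-01 event=PROGRAM_DOWNLOAD user=eng.alice sha256={H2}
2024-03-02T01:30:00Z host=sis-ctrl-01 event=PROGRAM_DOWNLOAD user=eng.alice sha256={sha256_hex(b"unapproved build")}
2024-03-02T02:40:11Z host=sis-ctrl-01 event=MODE_CHANGE user=eng.alice mode=RUN
2024-03-05T22:58:00Z host=plc-bms-07 event=MODE_CHANGE user=svc_backup mode=PROGRAM
2024-03-05T23:02:45Z host=plc-bms-07 event=PROGRAM_DOWNLOAD user=svc_backup sha256={H2}
2024-03-06T00:10:00Z host=plc-bms-07 event=PROGRAM_DELETE user=svc_backup
"""

WATCHED = {"PROGRAM_DOWNLOAD", "PROGRAM_DELETE", "MODE_CHANGE"}


@dataclass
class Alert:
    severity: str          # INFO / MEDIUM / HIGH / CRITICAL
    host: str
    reason: str
    ticket: Optional[str] = None


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_event(line: str) -> dict:
    """Split '<ts> k=v k=v ...' into a dict; the timestamp becomes an aware datetime."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = parse_ts(ts)
    return fields


def matching_ticket(ev: dict, approved=APPROVED) -> Optional[dict]:
    """Return the ticket that covers this host, user and timestamp, if any."""
    for t in approved:
        if (t["host"] == ev["host"] and t["user"] == ev["user"]
                and parse_ts(t["start"]) <= ev["ts"] <= parse_ts(t["end"])):
            return t
    return None


def evaluate(events_text: str, baseline=BASELINE, approved=APPROVED):
    """Return (alerts, updated_baseline). Only approved downloads advance the baseline,
    so an unauthorised download is also caught later by baseline_drift()."""
    alerts, baseline = [], dict(baseline)
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["event"] not in WATCHED:
            continue
        host, ticket = ev["host"], matching_ticket(ev, approved)
        tid = ticket["ticket"] if ticket else None
        if ev["event"] == "PROGRAM_DELETE":
            alerts.append(Alert("CRITICAL", host, "safety logic deleted from controller", tid))
        elif ev["event"] == "PROGRAM_DOWNLOAD":
            if ticket is None:
                alerts.append(Alert("HIGH", host, "logic download with no approved change window"))
            elif ev.get("sha256") != ticket["sha256"]:
                alerts.append(Alert("HIGH", host, "downloaded image differs from the approved image", tid))
            else:
                baseline[host] = ev["sha256"]
                alerts.append(Alert("INFO", host, "approved logic download recorded", tid))
        elif ev["event"] == "MODE_CHANGE" and ev.get("mode") != "RUN" and ticket is None:
            alerts.append(Alert("MEDIUM", host, f"controller left RUN mode ({ev.get('mode')}) outside a change window"))
    return alerts, baseline


def baseline_drift(host: str, image: bytes, baseline) -> Optional[Alert]:
    """Periodic integrity check: compare a retrieved logic image with the known-good hash."""
    if sha256_hex(image) == baseline.get(host):
        return None
    return Alert("HIGH", host, "running logic image does not match the known-good baseline")


if __name__ == "__main__":
    found, new_baseline = evaluate(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a.severity}] {a.host}: {a.reason}" + (f" (ticket {a.ticket})" if a.ticket else ""))
    print("drift on plc-bms-07:", baseline_drift("plc-bms-07", LOGIC_V2, new_baseline))
```

Two design choices matter for the auditor's checks above: an approved download advances the baseline so the periodic drift check does not raise a false alarm after legitimate work, while a download outside any window or with the wrong image leaves the baseline untouched, so the same change is surfaced twice, once by the event and again by the next integrity sweep.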
Control objective
What auditing this proves
Demonstrate that unauthorized or undocumented modifications to safety-critical logic are detected in real time and generate actionable alerts to designated personnel.
Associated risks
Risks this control addresses
- An attacker modifies safety interlock logic to disable emergency shutdown systems, enabling physical damage or loss of life during an incident
- Insider threat actor covertly alters process control parameters to cause equipment failure, production sabotage, or environmental release
- Accidental misconfiguration of safety logic during maintenance goes unnoticed, resulting in undetected unsafe operating conditions
- Malware such as TRITON/TRISIS modifies SIS controller logic to override safety functions without operator awareness
- Lack of change visibility delays incident response, allowing attackers to persist in OT environments and escalate privileges
- Regulatory non-compliance due to inability to demonstrate continuous monitoring of safety-critical systems as required by IEC 61511 or ISA/IEC 62443
Testing procedure
How an auditor verifies this control
- Obtain and review the organization's inventory of safety-critical systems, including PLCs, SIS controllers, DCS nodes, and associated logic repositories.
- Review alerting system configuration documentation to identify which systems are monitored for logic changes and which personnel or teams receive alerts.
- Examine SIEM, OT monitoring platform, or change-detection tool configurations to verify that safety-logic modification events are classified as high-priority and routed appropriately.
- Select a sample of at least three safety-critical controllers and review their audit logs or change histories for evidence of change-detection events over the past 90 days.
- Interview operational technology personnel to confirm receipt, review, and escalation procedures for safety-logic change alerts.
- Conduct a controlled test by simulating or witnessing a non-disruptive logic modification on a test or production controller to verify alert generation, content, and timeliness.
- Review incident response or change management tickets corresponding to at least two historical alerts to validate that notifications resulted in investigation and documentation.
- Confirm that alert thresholds, suppression rules, and escalation paths are documented, approved by operational and security leadership, and reviewed at least annually.
Where this control is tested