# [Zettel Feedback] Monitoring physical variables in ICS for early attack detection

Monitoring physical variables in ICS for early attack detection
tags: #informationsecurity #ics #incidentmanagement #detection

While monitoring network and software data can be used to discover anomalies and detect early signs of attacks, expanding to monitor the status of physical variables, such as temperature and sound, can indicate unusual activity. Early detection of an attack in the ICS environment could minimize the potential impact of an attack as it could be used to pivot [[20210908145033 Simplified Attack Vector OT IT]] into other parts of the network (like the enterprise network) [[20220120110715 Incident Response in ICS - Detection]].
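The zettel above states the idea in prose only. As an added example (not part of the zettel or of anyone's post in this thread), the following Python script shows the two checks the note implies: comparing an independently measured physical variable against a learned normal profile, and comparing it against the value the controller reports over the network. All readings are constructed sample data, and the thresholds (`SIGMA_FLOOR`, `K_SIGMA`, `MAX_RATE`, `TOLERANCE`) are assumptions, not values from the note.

```python
# Added example, not part of the original zettel or thread: a minimal detector
# that applies the note's idea of watching a physical variable (here a tank
# temperature) independently of what the controller reports over the network.
# All readings below are constructed sample data; the thresholds are assumptions.
from statistics import mean, pstdev

# Constructed readings from a quiet commissioning period used to learn "normal".
BASELINE_READINGS = [60.0, 60.2, 59.8, 60.1, 59.9] * 4

# Constructed live data: an independent sensor sees the temperature climb while
# the value reported by the controller over the network stays flat.
LIVE_MEASURED = [60.0, 60.1, 59.9, 63.5, 64.0, 64.2]
LIVE_REPORTED = [60.0, 60.1, 59.9, 60.0, 60.1, 60.0]

SIGMA_FLOOR = 0.5  # assumed sensor noise floor; stops a flat baseline from being over-sensitive
K_SIGMA = 3.0      # assumed deviation threshold, in standard deviations
MAX_RATE = 2.0     # assumed largest physically plausible change per sample (deg C)
TOLERANCE = 1.0    # assumed allowed gap between reported and measured value


def learn_baseline(readings):
    """Return (mean, stddev) of the normal operating profile, with a noise floor."""
    return mean(readings), max(pstdev(readings), SIGMA_FLOOR)


def check_physical(live, baseline, k=K_SIGMA, max_rate=MAX_RATE):
    """Flag samples far from the learned profile or changing faster than physics allows."""
    mu, sigma = baseline
    alerts = []
    prev = None
    for i, value in enumerate(live):
        if abs(value - mu) > k * sigma:
            alerts.append((i, "deviation"))
        if prev is not None and abs(value - prev) > max_rate:
            alerts.append((i, "rate"))
        prev = value
    return alerts


def check_consistency(reported, measured, tolerance=TOLERANCE):
    """Return indices where the network-reported value disagrees with the independent sensor."""
    return [i for i, (r, m) in enumerate(zip(reported, measured)) if abs(r - m) > tolerance]


if __name__ == "__main__":
    baseline = learn_baseline(BASELINE_READINGS)
    print("baseline mean=%.2f sigma=%.2f" % baseline)
    for index, kind in check_physical(LIVE_MEASURED, baseline):
        print(f"sample {index}: {kind} alert, measured {LIVE_MEASURED[index]}")
    for index in check_consistency(LIVE_REPORTED, LIVE_MEASURED):
        print(f"sample {index}: reported {LIVE_REPORTED[index]} but measured {LIVE_MEASURED[index]}")
```

The profile is learned once from a quiet period rather than from a rolling window, so the threshold does not drift upward while an event is under way. The consistency check is the part that network-only monitoring cannot provide: when the controller's reported value and the independent sensor disagree, either the sensor path or the reported telemetry is wrong, and both cases deserve an operator's attention.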

• edited January 27

Would you mind explaining what your convention for link contexts is? I don't understand if you're treating them as superscripts or if they're the text inside [[]].

To clarify, superscripts are the numbers or letters placed high above the text. They appear at the end of a phrase or sentence. For example, side effects include:

• Nausea[^1]
• Panic[^2]
• Death[^3]

Imagine that [^a] is a footnote, where a is any number. I don't know how to make superscripts in Markdown.

• @Drante, you've got an illuminating zettel here that appears to fit into your overall ZK. Well-formed and atomic, focusing on a single idea. The title reveals the atomic idea you've captured.

I have a couple of nit-picky suggestions.
1. I'd include the UUID for this note under the title. When you view this note in your ZK app, it is easy to see the date of creation for this zettel. When this note is viewed out of your ZK's context, the creation date and its age are not visible to the reader.
2. The last sentence could be written in two sentences for a bit more clarity, hopefully clearing up any subject-verb confusion.

• [Links removed just for clarity]

"Early detection of an attack in the ICS environment could minimize the potential impact of an attack as it could be used to pivot into other parts of the network (like the enterprise network)."

Becoming

"Monitoring the ICS environment minimizes the impact of an attack. Early detection prevents attacks from pivoting into other parts of the network (like the enterprise network)."

I hope this provides the critique you were looking for.

Will Simpson
“Read Poetry, Listen to Good Music, and Get Exercise”
kestrelcreek.com

• edited January 27

The brevity makes feedback simple

I wonder if the title could be more actionable, depending on your use case, but my English language intuition might just not be enough to give proper feedback there. It's currently this:

Monitoring physical variables in ICS for early attack detection

Is this note intended as a description of a connection between monitoring and early detection, or do you intend to use this as advice? If the latter, one could consider an imperative phrasing which I find instructive for (programming) practice:

Monitor physical variables in ICS to detect early attacks

But, again, that depends on how this note is intended to be used.

Author at Zettelkasten.de • https://christiantietze.de/

• Much appreciated feedback both on my note and my method.

@ctietze Thank you so much for your feedback! In cybersecurity, attack detection is the term used for detecting attacks!

@Will thank you very much for your feedback! I appreciate your nit-picky suggestions and I agree the UUID could be very useful in the note itself.

@Annabella Yes, the links are used as superscripts. When I write something I have a "connection" in mind and that is just how I reference or link to my connection. Also, I believe it can be useful to redirect myself if I think "oh yeah, what was the attack vector for IT/OT?" Thank you for the question.

• edited January 28

Glad to see that you got the feedback you needed. It goes to show how useful the "Zettel Feedback" category is.

Also, my links work like superscripts too! High five!