How would you design a logging and monitoring strategy for OT networks that balances security needs with performance?


Multiple Choice


Explanation:
Focus on gaining visibility while preserving OT performance. Centralize logs where possible to enable correlation and faster detection, but route them over secure, segmented paths and use gateway collectors for devices that are isolated. Enable only essential telemetry to avoid log floods and added load, prioritizing security-relevant events, anomalies, and safety interlocks. Apply retention policies that balance regulatory needs against storage costs, keeping critical logs longer and pruning older data appropriately. Encrypt all log data in transit to protect its confidentiality and integrity, and implement alerting with rate limiting so that security teams are notified about meaningful issues without overwhelming operators or impacting control systems.

The other options fail on one of these points: disabling logs removes visibility and response capability; storing logs only locally and indefinitely hampers analysis and wastes storage; and sending everything to the cloud with no retention policy can create latency, reliability, and storage concerns in OT environments.

