This study aims to investigate the impact of Security Operations Center (SOC) onboarding in Operational Technology (OT) systems. The research seeks new insights into tailored OT SOC monitoring, contributing to a deeper understanding of integrating a SOC platform in industrial environments.
This paper presents findings from a longitudinal qualitative study examining the onboarding process between a SOC-as-a-Service (SOCaaS) provider and a Norwegian petroleum company. Data were collected at the petroleum company through observations and interviews and analyzed using Empirically Closed (EC) coding.
The study examines how industrial legacy systems, safety-critical operations, and cross-organizational collaboration shape SOC onboarding practices. It identifies key enablers, such as dedicated ticket triage, collaborative meetings and domain-specific knowledge sharing, as well as barriers, including limited trust between the SOCaaS provider and OT personnel and the need for standardized log-collection practices.
The paper proposes a revised onboarding framework tailored to ICS environments. This framework emphasizes system hardening, alert fine-tuning and stakeholder alignment to enhance SOC effectiveness and help SOCaaS providers better understand industrial customers’ needs. The findings offer practical guidance for both SOCaaS providers and industrial customers, addressing human and organizational challenges in cybersecurity practices, particularly in safety-critical sectors where operational continuity and trust are essential.
