Atkins' Jason Kirk gets the privileged user monitoring process and policy spot on in this podcast. 

Having been in the SIEM and security monitoring space for over eight years I can say with certainty that marrying process, policy and associated contextual risk to technology features is the key to success. 

Starting with the five layers from Atkins provides a good foundation for organisations to review criticality, asset, scope, ability and technology for certain departments. 

Having focused specifically on CNI over the last six months within LogRhythm, we've found this and similar approaches are incredibly effective for monitoring OT environments. Particularly where we engage all the relevant departments in as many discussions as possible. 

Too much communication during the design process, rather than too little, lets the SOC understand not only the context but also the processes that OT teams live and breath by. This is important considering the risk associated to the day-to-day operation of the OT environment.

With the NIS Directive providing more granular controls, CNI operators have a good framework to build on. Understanding the context, assets, risk, scope and ability of OT environments and users is critical for effective security monitoring. 

Once the above has been mapped into a SIEM solution, both the legacy capabilities of basic correlation (A+B+C) and the advanced algorithms used in next-gen SIEMs, allow a rich, contextually aware monitoring capability increasing the accuracy of anomaly detection and time to response.