
MID-085: Export Logs Over the Network Off of Device

Mitigation Level: Foundational

Description

Exporting logs over the network to a network-accessible server reduces a threat actor's ability to harm the device owner or defender through log manipulation. For example, a threat actor who can manipulate logs on the device after they have been written to an on-device database will not necessarily be able to manipulate the copies sent over the network, as long as each entry is transmitted before it can be edited in the local database. Threat actors trying to hide their tracks or confuse defenders reviewing these logs therefore cannot completely blind defenders to what happened on the device. Storing logs on a separate server also lets device owners cross-reference on-device logs with server-stored logs during routine or automated device audits; a discrepancy between the two copies is a strong indicator of either device failure or malicious behavior.
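The audit cross-check described above, as an added example that is not part of this mitigation page or of any project's code. It assumes (hypothetically) that the device stamps each event with a monotonically increasing sequence number and forwards one JSON record per event to the logging server; both log copies below are constructed sample data, with the on-device copy tampered with after forwarding.

```python
"""Cross-reference an on-device log against the copy held by the remote
logging server. The server copy is treated as the reference, because each
record was forwarded before a local attacker could edit the device store."""
import json

# Constructed sample logs: the server copy is complete, while the on-device
# copy has seq 3 deleted and seq 4's message rewritten after forwarding.
REMOTE_LOG = [
    '{"seq": 1, "ts": "2025-03-11T10:00:00Z", "msg": "boot ok"}',
    '{"seq": 2, "ts": "2025-03-11T10:00:05Z", "msg": "auth ok user=admin"}',
    '{"seq": 3, "ts": "2025-03-11T10:01:00Z", "msg": "auth fail user=root"}',
    '{"seq": 4, "ts": "2025-03-11T10:01:02Z", "msg": "config changed"}',
    '{"seq": 5, "ts": "2025-03-11T10:02:00Z", "msg": "firmware check ok"}',
]
DEVICE_LOG = [
    '{"seq": 1, "ts": "2025-03-11T10:00:00Z", "msg": "boot ok"}',
    '{"seq": 2, "ts": "2025-03-11T10:00:05Z", "msg": "auth ok user=admin"}',
    '{"seq": 4, "ts": "2025-03-11T10:01:02Z", "msg": "config unchanged"}',
    '{"seq": 5, "ts": "2025-03-11T10:02:00Z", "msg": "firmware check ok"}',
]


def parse(lines):
    """Index records by sequence number; a repeated seq is itself suspicious."""
    records, dupes = {}, []
    for line in lines:
        rec = json.loads(line)
        if rec["seq"] in records:
            dupes.append(rec["seq"])
        records[rec["seq"]] = rec
    return records, dupes


def audit(device_lines, remote_lines):
    """Return the discrepancies between the device copy and the server copy.

    The device keeps only a bounded window of recent events, so server records
    older than the oldest record still on the device are not counted as missing."""
    dev, dev_dupes = parse(device_lines)
    rem, rem_dupes = parse(remote_lines)
    window_start = min(dev) if dev else 0
    in_window = {s for s in rem if s >= window_start}
    return {
        "missing_on_device": sorted(in_window - set(dev)),   # deleted locally
        "missing_on_server": sorted(set(dev) - set(rem)),    # never forwarded or injected locally
        "altered": sorted(s for s in set(dev) & set(rem) if dev[s] != rem[s]),
        "duplicate_seq": sorted(set(dev_dupes) | set(rem_dupes)),
    }


if __name__ == "__main__":
    print(audit(DEVICE_LOG, REMOTE_LOG))
```

Any non-empty list in the result should raise an alert for manual review; a clean device whose oldest entries were merely pruned produces all-empty lists.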

Consideration: Sending data over the network to be logged comes with non-security engineering tradeoffs. One benefit is that devices logging over the network do not have to worry about on-device storage limitations: the device can retain a limited number of relevant logs (say, the past 200 events) while the rest of the historical data is viewed on the logging server. Remote logging also has downsides, including the need to account for network bandwidth, available processing power, and battery life. Some IoT platforms-as-a-service, however, offer features that simplify logging and log storage.

Note: Exporting logs over the network will mean that the device has property PID-41: Device exposes remote network services, and therefore the device should take into account threats related to PID-41 and its applicable sub-properties.

IEC 62443 4-2 Mappings

  • CR 6.1 – Audit log accessibility

  • CR 3.9 – Protection of audit information
