"Prevention is ideal, but detection is a must" – Dr. Eric Cole
Once the ICS network is adequately segmented, security controls can be distributed across the secure zones to reduce the risk of (sustained) compromise by adding monitoring capabilities to increase the visibility of the network and host activity. Depending on the controls, provisioning to traverse the IDMZ might have to be designed. For example, a log aggregation solution in the Industrial Zone needs a conduit to the Enterprise Zone to send back information or receive instructions:
The two main sources of network and security monitoring and logging information come from network packet captures and event logs.