Summary

The increasing complexity and interconnectivity of electric power systems significantly expand the cyberattack surface of Operational Technology (OT) networks, making centralized security monitoring and incident detection essential for electric utilities. For the National Electricity Administration (ANDE) of Paraguay, which is responsible for critical transmission and distribution infrastructure as well as part of the electricity generation system, this situation represents a substantial cybersecurity challenge. This paper presents the integration and customization of a Security Information and Event Management (SIEM) system within ANDE’s OT network, moving beyond initial deployment to emphasize its practical use for improving security visibility and supporting incident management.

The primary objective of this work is to provide a technically grounded case study on the configuration and tailoring of a SIEM platform to meet the specific requirements of a live electrical OT environment. The adopted methodology follows an applied and descriptive approach, based on an incremental implementation in a real-world production context. It involves the progressive integration of relevant assets, iterative system customization aligned with operational needs, and continuous refinement of monitoring, visualization, and alerting capabilities as the deployment evolves.

Within this approach, the SIEM system was progressively expanded to incorporate key assets, including firewalls, Supervisory Control and Data Acquisition (SCADA) servers, network devices, and Wide Area Monitoring, Protection, and Control (WAMPAC)-related infrastructure, using secure protocols such as Simple Network Management Protocol version 3 (SNMPv3) and syslog, complemented by vendor-provided agents where required. System customization focused on enabling effective operational use through the development of role-specific dashboards, structured event queries and filters, and integration with Active Directory (AD) to support centralized authentication and access control. Additional configurations were implemented to optimize data quality and platform performance, including log filtering policies, configurable data retention, and automated alerting mechanisms. To support efficient analysis and monitoring, asset information from integrated devices is centrally organized and contextualized within the platform, providing a consistent view of monitored systems and their relationships.

The integration of the SIEM system into ANDE’s OT network represents a significant step toward strengthening cybersecurity governance. The implemented solution enabled centralized supervision of security-relevant events, improved identification of anomalous behavior, and more efficient incident analysis, establishing a consistent framework for monitoring and assessment. Based on the current deployment scope and level of process formalization achieved, the system aligns with an intermediate cybersecurity maturity level (Tier 2 – Risk Informed) according to the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).

Additional information

Publication type: Session Materials
Reference: D2_11957_2026
Publication year:
Publisher: CIGRE
Country: Paraguay
Study committees:
File size: 682 KB
Price for non member: 30 €
Price for member: 30 €

Authors

LOREIRO Ricardo - ANDE; RUIZ DIAZ Chrystian - ANDE

Keywords

Cybersecurity, Incident detection, Resilience, SIEM, OT, SCADA, WAMPAC

Operational Integration and Customization of a SIEM System in ANDE's OT Network