Virtual DCS Security Operator for Incident Detection and Response

What is claimed is: 1 . A method for security incident detection in a cloud-native distributed control system (DCS) in industrial process automation, the method comprising: monitoring information technology (IT)-related data and operation technology (OT)-related data at a production process and at a containerized DCS associated with the production process; joint analyzing of first data indicative of first monitoring data from the monitoring of the IT-related data and of second data indicative of second monitoring data from the monitoring of the OT-related data, the joint analyzing based on correlating at least part of the first data with at least part of the second data and/or based on correlating at least part of the second data with at least part of the first data; based on the joint analyzing, detecting a security incident under consideration of predetermined security incident detection rules; and based on a result of the detecting, responding on a detected security incident for handling of the detected security incident under consideration of predetermined security incident response rules. 2 . The method according to claim 1 , further comprising performing the monitoring, the joint analyzing, the detecting and the responding by a virtual DCS security operator, wherein the virtual DCS security operator is a software agent running in a container orchestration cluster associated with the DCS; and/or wherein the virtual DCS security operator is an autonomously running security operator. 3 . The method according to claim 1 , wherein the first monitoring data represents the monitored IT-related data comprising monitored system diagnostics data, and wherein the second monitoring data represents the monitored OT-related data comprising monitored process data; and/or wherein the correlating comprises correlating at least part of the first monitoring data with at least part of the second monitoring data and/or correlating at least part of the second monitoring data with at least part of the first monitoring data. 4 . The method according to claim 1 , wherein the monitoring of the IT-related data and of the OT-related data comprises monitoring the IT-related data and the OT-related under consideration of predetermined security incident monitoring rules; and/or wherein the monitoring of the IT-related data and of the OT-related data comprises monitoring data coming from a Kubernetes Application Programming Interface, API, server and from an Open Platform Communications Unified Architecture, OPC UA, server; and/or wherein the method further comprises accessing the Kubernetes API server; and performing the responding based on adjusting parameters available in the Kubernetes API server. 5 . The method according to claim 1 , wherein the joint analyzing comprises detecting a security incident in one of the first data and the second data; and analyzing the other one of the first data and the second data for an event associated with the detected security incident. 6 . The method according to claim 1 , wherein the production process and the containerized DCS correspond to a certain domain, and wherein the predetermined security incident detection rules and the predetermined security incident response rules are specific for the certain domain. 7 . The method according to claim 1 , wherein the method further comprises using virtual DCS security custom resources that comprise at least part of the predetermined security incident detection rules, of the predetermined security incident response rules, and of the predetermined security incident monitoring rules. 8 . The method according to claim 7 , further comprising modifying the virtual DCS security custom resources for at least one of the predetermined security incident detection rules, the predetermined security incident response rules, and the predetermined security incident monitoring rules, wherein the modifying is performed manually by a user, automatically by a reasoning system associated with the DCS and without involving the user, or semi-automatically where the user provides guidance to the reasoning system. 9 . The method according to claim 1 , wherein the responding comprises at least one of: notifying a user about the detected security incident; applying a command received by a user regarding the detected security incident; autonomously applying of a predetermined security incident response rule from the predetermined security incident response rules regarding the detected security incident; and simulating a response on the detected security incident before performing the response, and performing the responding further based on a result of the simulating. 10 . The method according to claim 1 , wherein the method further comprises exchanging third data with a security information and event management (SIEM) system; and performing at least one of the monitoring, the joint analyzing, the detecting, and the responding further based on the third data; wherein the third data is indicative of at least one of: recorded events occurred at the production process and/or the containerized DCS, performed responses, additional, removed and/or updated security incident monitoring rules, additional, removed and/or updated security incident detection rules, and additional, removed and/or updated security incident response rules. 11 . A data processing apparatus for security incident detection in a cloud-native distributed control system (DCS) in industrial process automation, the data processing apparatus comprising a processor configured to carry out a method for security incident detection in a cloud-native distributed control system (DCS) in industrial process automation, the method comprising: monitoring information technology (IT)-related data and operation technology (OT)-related data at a production process and at a containerized DCS associated with the production process; joint analyzing of first data indicative of first monitoring data from the monitoring of the IT-related data and of second data indicative of second monitoring data from the monitoring of the OT-related data, the joint analyzing based on correlating at least part of the first data with at least part of the second data and/or based on correlating at least part of the second data with at least part of the first data; based on the joint analyzing, detecting a security incident under consideration of predetermined security incident detection rules; and based on a result of the detecting, responding on a detected security incident for handling of the detected security incident under consideration of predetermined security incident response rules. 12 . The data processing apparatus according to claim 11 , comprising a Kubernetes client, an OPC UA client, an incident detector, an incident responder and an user interface, wherein the Kubernetes client is communicatively connected with the incident detector and the incident responder, the OPC UA client is communicatively connected with the incident detector and the incident responder, the incident detector is communicatively connected with the user interface and the incident responder, and the incident responder is communicatively connected with the user interface and the incident detector, wherein the Kubernetes client and the OPC UA client are configured to monitor information technology (IT)-related data and operation technology (OT)-related data at a production process and at a containerized DCS associated with the production process; wherein the incident detector is configured to joint analyze first data indicative of first monitoring data from the monitoring of the IT-related data and