The present embodiments relate to monitoring and analyzing programmable logic controllers (PLC) for security threats. By way of introduction, the present embodiments described below include apparatuses and methods for non-intrusive monitoring and forensic data collection for PLCs. Security monitoring and forensic applications are provided to perform secure collection, compression and export of PLC information. The security monitoring and forensic applications collect data indicative of low level PLC data and operations, and a forensic environment is provided to analyze the PLC data and operations and to perform forensic simulations.

In a method for determining a threat situation for an automation component of the controller or field level, wherein the automation component has at least one essentially cyclic program behavior, a number of required program behaviors is established in a learning phase in a processor, and the determined required program behaviors are stored and compared cyclically with actual program behaviors, that are established in operation of the automation component. The result of the comparison is logically linked with results of other security components for verification as to whether a threat situation exists.