Every networking device and computer generates logs of the activities performed on it. A SIEM extracts the logs from each device and presents the entire data set in a graphical format such as dashboards, so that analysts can quickly identify anomalies or unusual behaviour.
A monitoring solution is to be developed to gather logs from each component and forward them to a centralized database, where they are correlated with the existing rules or known system behaviours so that any anomalies can be extracted.
SIEM solutions should be implemented by highly skilled professionals, who design which logs are to be captured and use those logs to detect cyber-attacks before they reach the ICS systems.
If a system is nevertheless compromised by a zero-day attack, the same logs can be used to understand the pattern of the attack and to enforce security measures that ensure such attacks are detected in the future.
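The correlation step described above, as an added example that is not part of the original text: a minimal rule that joins authentication logs from an engineering workstation with write events from a PLC gateway and raises an alert when a PLC write follows a burst of failed logins from the same source. The log lines, host names (`ews01`, `plcgw01`) and addresses are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a syslog-like layout; not from any real site.
SAMPLE_LOGS = """\
2024-05-01T08:00:01 ews01 auth: FAIL user=eng src=10.0.5.20
2024-05-01T08:00:12 ews01 auth: FAIL user=eng src=10.0.5.20
2024-05-01T08:00:20 ews01 auth: FAIL user=eng src=10.0.5.20
2024-05-01T08:00:31 ews01 auth: OK user=eng src=10.0.5.20
2024-05-01T08:02:10 plcgw01 plc: WRITE tag=PumpSetpoint src=10.0.5.20
2024-05-01T09:15:00 ews01 auth: OK user=ops src=10.0.5.11
2024-05-01T09:16:00 plcgw01 plc: WRITE tag=PumpSetpoint src=10.0.5.11
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) (?P<host>\S+) (?P<app>\w+): (?P<event>\w+) (?P<kv>.*)")

def parse(lines):
    """Normalize raw lines into event dicts (the 'collect and forward' stage)."""
    events = []
    for line in lines.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped rather than guessed at
        kv = dict(pair.split("=", 1) for pair in m["kv"].split())
        events.append({"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
                       "app": m["app"], "event": m["event"], **kv})
    return events

def correlate(events, window=timedelta(minutes=5), threshold=3):
    """Correlation rule: flag a PLC write from a source that produced at least
    `threshold` auth failures and then a success within `window` of the write."""
    fails = defaultdict(list)   # src -> timestamps of failed logins
    success = {}                # src -> timestamp of most recent successful login
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        src = e.get("src")
        if e["app"] == "auth" and e["event"] == "FAIL":
            fails[src].append(e["ts"])
        elif e["app"] == "auth" and e["event"] == "OK":
            success[src] = e["ts"]
        elif e["app"] == "plc" and e["event"] == "WRITE":
            recent = [t for t in fails[src] if e["ts"] - t <= window]
            if len(recent) >= threshold and src in success \
                    and e["ts"] - success[src] <= window:
                alerts.append((e["ts"].isoformat(), src, e["tag"]))
    return alerts

if __name__ == "__main__":
    for alert in correlate(parse(SAMPLE_LOGS)):
        print("ALERT: PLC write after login failures", alert)
```

The second write (from `10.0.5.11`) is not flagged because its source has no preceding failures, which is what distinguishes a correlation rule from a simple per-event match.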