This document presents a strategy for monitoring the security of substations. The strategy makes it difficult for advanced threats to execute controlled attacks. Advanced threats may be able to penetrate substations, but this only has value for them if they can stay there and control or disrupt the grid at a moment that is expedient for them. To do so, they need to establish a permanent foothold in the substation and establish communication with it. The strategy tries to detect such a foothold.