Many grid operators are using specialized security sensors to monitor their central OT networks. The sensors can automatically learn what normal network communication looks like, and then alert on deviations from that baseline to detect security incidents. ENCS evaluated such sensors in the 2017 member project on security monitoring. Since then, these sensors have become an important tool for most SOC and CSIRT teams working on OT systems.
Vendors of these sensors also offer industrial PCs or embedded sensors that can be placed in field locations. The prices of such sensors have dropped considerably since 2017, so it is becoming feasible to deploy them in the internal networks of high-voltage substations. ENCS has therefore started a project to evaluate the sensors for monitoring inside substations.
A market survey based on vendor questionnaires was conducted to determine the sensors' capabilities. Unfortunately, it turns out the sensors are hard to evaluate on paper: according to the questionnaires, every sensor detects every vulnerability and every incident. The market survey found no real differences between the sensors.
This raises the question of how good the sensors are in practice. Can they detect all the vulnerabilities and incidents that vendors claim they do? And can they present these in a meaningful way to analysts?
To answer these questions, ENCS tested five sensors in our lab. The sensors were trained on substation traffic collected from members. Different test cases were then injected into the traffic to see whether the sensors detected them.
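The two ideas above, a sensor that learns a baseline of normal substation traffic and a lab method that injects test cases into that traffic to see what gets detected, can be shown together in a small model. The following is an added illustration, not code from ENCS or from any of the tested sensor vendors: the sensor logic is a deliberately simple "known hosts and known conversations" baseline, and all flow records (IEC 61850 MMS on TCP/102, GOOSE multicast, NTP, an engineering-workstation SSH session) are constructed sample data, not member traffic.

```python
# Added example: a minimal learn-normal-then-alert sensor, plus a harness that
# injects test cases into otherwise-normal traffic and reports which ones alert.
# All traffic below is constructed for illustration; it is not real substation data.

# Flow record: (src, dst, proto, dst_port). GOOSE is Layer 2 multicast, so its
# "dst" is a multicast MAC and it has no port.
NORMAL = [
    ("10.10.1.10", "10.10.1.100", "tcp", 102),            # HMI -> IED, MMS
    ("10.10.1.10", "10.10.1.101", "tcp", 102),            # HMI -> IED, MMS
    ("10.10.1.100", "01:0c:cd:01:00:01", "goose", None),  # IED GOOSE publish
    ("10.10.1.101", "01:0c:cd:01:00:01", "goose", None),  # IED GOOSE publish
    ("10.10.1.100", "10.10.1.1", "udp", 123),             # IED -> NTP
    ("10.10.1.101", "10.10.1.1", "udp", 123),             # IED -> NTP
    ("10.10.1.20", "10.10.1.100", "tcp", 22),             # engineering ws -> IED, SSH
]


class BaselineSensor:
    """Learns the set of hosts and directed conversations seen during training,
    then flags any flow that falls outside that set."""

    def __init__(self):
        self.hosts = set()
        self.conversations = set()  # (src, dst, proto, port), direction matters

    def learn(self, flows):
        for src, dst, proto, port in flows:
            self.hosts.update((src, dst))
            self.conversations.add((src, dst, proto, port))

    def inspect(self, flow):
        """Return an alert string for a deviating flow, or None if it is baseline."""
        src, dst, proto, port = flow
        if src not in self.hosts:
            return f"new_host:{src}"
        if dst not in self.hosts:
            return f"new_host:{dst}"
        if flow not in self.conversations:
            return f"new_conversation:{src}->{dst}/{proto}/{port}"
        return None


# Constructed test cases, each a list of flows to inject into normal traffic.
TEST_CASES = {
    "normal_only": [],
    # An unknown device probing two IEDs on the MMS port.
    "unknown_scanner": [
        ("10.10.1.200", "10.10.1.100", "tcp", 102),
        ("10.10.1.200", "10.10.1.101", "tcp", 102),
    ],
    # A known HMI starts speaking Modbus/TCP to a known IED.
    "hmi_modbus_to_ied": [("10.10.1.10", "10.10.1.100", "tcp", 502)],
    # The engineering workstation, normally SSH-only, opens an MMS session.
    "eng_ws_mms": [("10.10.1.20", "10.10.1.100", "tcp", 102)],
    # An IED initiates MMS toward the HMI, reversing the learned direction.
    "ied_reverse_to_hmi": [("10.10.1.100", "10.10.1.10", "tcp", 102)],
}


def run_test_cases(sensor, normal_flows, cases):
    """Mirror the lab method: splice each case into the normal traffic and
    collect every alert the sensor raises on the mixed stream."""
    results = {}
    for name, injected in cases.items():
        mixed = normal_flows[:3] + injected + normal_flows[3:]
        alerts = []
        for flow in mixed:
            alert = sensor.inspect(flow)
            if alert is not None:
                alerts.append(alert)
        results[name] = alerts
    return results


def detection_summary(results):
    """Map each case name to whether at least one alert was raised."""
    return {name: bool(alerts) for name, alerts in results.items()}


def run_demo():
    sensor = BaselineSensor()
    sensor.learn(NORMAL)
    return run_test_cases(sensor, NORMAL, TEST_CASES)


if __name__ == "__main__":
    for name, alerts in run_demo().items():
        print(f"{name:22s} -> {alerts or 'no alert'}")
```

Two things this toy makes visible that a questionnaire does not. First, a baseline sensor is only as good as its training window: any conversation that happened to occur during learning, including an attacker already present or a misconfigured device, becomes "normal". Second, the injected cases that alert here are all ones that create a new host or a new conversation tuple; a malicious MMS write carried inside the existing HMI-to-IED session would pass this check entirely, which is exactly the kind of gap that only shows up when cases are injected into real traffic rather than compared on paper.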