This report presents the test results for the Nozomi Guardian security sensors for a laboratory tests on substations traffic.
Our members have shown an increasing interest in deploying OT security monitoring solutions, which provide specialized intrusion detection capabilities for OT systems. The solutions see real-time network communications and monitor for deviations from known baselines or matches to attack signatures.
We first assessed these solutions in 2017, when they were mostly new and unknown. They were also quite expensive to deploy sensors in each high-voltage substation, which would require installing tens to hundreds of sensors. Therefore, most operators deployed them in their central systems, such as their SCADA system. Because of this, our assessment focused on the detection capabilities for protocols used between substations and central systems, such as IEC 104.
Lately, the cost of OT security monitoring solutions has been decreasing, making them more suitable for deployments in substations. Due to this, we revisited these solutions in 2020, this time focusing on the detection capabilities for protocols used between IEDs and gateways, such as IEC 61850.
We divided the new assessment in two stages:
- A market survey based on questionnaires, which allowed us to assess new features in previously assessed solutions, solutions that we did not assess before and how they all support the IEC 61850 protocol. It turned out that all solutions are quite balanced on paper.
- A test of the solutions in a virtualized environment at ENCS’ laboratory and in our members’ substations. The results allowed us to validate the claims made by vendors in the first stage and to understand how the features work in practice.