WP-051-2021: Requirements for OT security sensors [DRAFT]

This document presents security requirements that grid operators can use in their procurement documents for new security monitoring solutions, either for their SCADA systems or for their substations.

Our members have shown an increasing interest in deploying OT security sensors, which provide intrusion detection capabilities specialised for OT systems. The sensors observe network communications in real time and check them for deviations from a known baseline or for matches against attack signatures. The sensors can then forward this information to the security operations center (SOC), where it helps to find vulnerabilities and to detect incidents.
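To make the two detection approaches named above concrete, the following is an added example written for this page; it is not code from the draft or from any vendor's sensor. It learns a baseline of IEC 104 conversations (which hosts talk, and which ASDU type identifiers each side sends) from a constructed learning set, then reports baseline deviations and one illustrative signature match on a constructed set of live records. The `Record` layout, host addresses and the single signature are assumptions made for the example; the type identifiers and TCP port 2404 are the real IEC 60870-5-104 values.

```python
"""Baseline-deviation plus signature detection over IEC 104 flow records (added example)."""
from collections import defaultdict
from dataclasses import dataclass

IEC104_PORT = 2404  # standard TCP server port for IEC 60870-5-104

# A few real IEC 60870-5-104 ASDU type identifiers, for readable alerts.
TYPE_NAMES = {
    1: "M_SP_NA_1 (single-point information)",
    13: "M_ME_NC_1 (measured value, short float)",
    45: "C_SC_NA_1 (single command)",
    100: "C_IC_NA_1 (interrogation command)",
    105: "C_RP_NA_1 (reset process command)",
}


@dataclass(frozen=True)
class Record:
    """One APDU as a sensor would log it (assumed layout for this example)."""
    src: str          # host that sent the APDU
    dst: str          # host that received it
    service_port: int # TCP server port of the connection, whichever side sent
    type_id: int      # ASDU type identifier, 0 if the APDU carries no ASDU


# Static signatures: match regardless of what the baseline contains.
# Illustrative rule: a reset process command is rare and disruptive, so flag it.
SIGNATURES = [
    ("iec104-reset-process",
     lambda r: r.service_port == IEC104_PORT and r.type_id == 105),
]


class Baseline:
    """Learned set of conversations and per-direction ASDU types."""

    def __init__(self):
        self.conversations = set()          # frozenset({host_a, host_b})
        self.types = defaultdict(set)       # (src, dst) -> type ids seen

    def learn(self, records):
        for r in records:
            self.conversations.add(frozenset((r.src, r.dst)))
            if r.type_id:
                self.types[(r.src, r.dst)].add(r.type_id)

    def detect(self, records):
        """Return (kind, name, record) alerts for signature hits and deviations."""
        alerts = []
        for r in records:
            for name, match in SIGNATURES:
                if match(r):
                    alerts.append(("signature", name, r))
            if frozenset((r.src, r.dst)) not in self.conversations:
                alerts.append(("baseline", "new-conversation", r))
            elif r.type_id and r.type_id not in self.types[(r.src, r.dst)]:
                # Known pair, but this side never sent this ASDU type before,
                # so a command coming from the RTU side is caught here too.
                alerts.append(("baseline", "new-asdu-type", r))
        return alerts


# Constructed traffic: one SCADA master (10.0.0.1) polling one RTU (10.0.1.5).
MASTER, RTU, INTRUDER = "10.0.0.1", "10.0.1.5", "10.0.0.99"
LEARNING_RECORDS = [
    Record(MASTER, RTU, IEC104_PORT, 100),  # interrogation from master
    Record(RTU, MASTER, IEC104_PORT, 1),    # single-point data back
    Record(RTU, MASTER, IEC104_PORT, 13),   # measured values back
    Record(MASTER, RTU, IEC104_PORT, 45),   # routine single command
]
LIVE_RECORDS = [
    Record(RTU, MASTER, IEC104_PORT, 1),     # normal, no alert
    Record(MASTER, RTU, IEC104_PORT, 105),   # signature hit + new type for master
    Record(RTU, MASTER, IEC104_PORT, 45),    # RTU side issuing a command: new type
    Record(INTRUDER, RTU, IEC104_PORT, 45),  # unknown host: new conversation
]


def run_demo():
    """Learn from LEARNING_RECORDS, then detect on LIVE_RECORDS."""
    baseline = Baseline()
    baseline.learn(LEARNING_RECORDS)
    return baseline.detect(LIVE_RECORDS)


if __name__ == "__main__":
    for kind, name, rec in run_demo():
        label = TYPE_NAMES.get(rec.type_id, f"type {rec.type_id}")
        print(f"{kind:9} {name:22} {rec.src} -> {rec.dst} {label}")
```

A real sensor adds protocol parsing and a learning period long enough to see rare but legitimate traffic (periodic interrogations, clock synchronisation), otherwise the baseline approach produces alerts on normal operation; the signature list is where vendor-specific attack knowledge lives.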

We first assessed these solutions in 2017, when they were quite new. They were also too expensive to deploy in every high-voltage substation, which would have required installing tens to hundreds of sensors. Therefore, most operators deployed them in their central systems, such as their SCADA system. Our assessment hence focused on the detection capabilities for the protocols used between substations and central systems, such as IEC 104.

Over the last few years, the price of OT security monitoring solutions has dropped, making them more suitable for deployment in substations. Because of this, we revisited these solutions, and the requirements that could be placed on them, in 2020 through a market survey and lab tests, this time focusing on the detection capabilities for the protocols used between IEDs and substation gateways, such as IEC 61850.

