An increasing number of grid operators are looking for ways to monitor the security of their substations from inside the substations' internal LANs. They see passive monitoring as the best approach, since the monitored devices are critical and often legacy. Many vendors sell OT security solutions that work passively and offer functions specialized for OT environments.
Deploying such solutions requires setting up communication to sensors in the substation to collect alerts, analyze the network traffic, change the configuration, upload new detection rules, and update the software. These solutions therefore typically connect the sensors to a central management server.
Such connections create new security risks. The baseline to mitigate these risks is secure communications and a secure development lifecycle. This paper adds a set of security architecture building blocks to the baseline. They ensure that:
- sensors can only read traffic from the substation LAN, so that they cannot function as a backdoor into the substation
- communication between the sensors and the central management servers is segregated, so that it cannot disrupt normal communication to the substation
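A configuration check that verifies those two properties on a Linux sensor host, added here as an illustration and not taken from the paper or any vendor's product; the `ip -j addr` JSON shape, the interface names, the addresses and the substation subnet are all assumptions:

```python
import ipaddress
import json

# Constructed sample in the shape of `ip -j addr show` on a Linux sensor host
# (assumed output format; the paper does not prescribe a host platform).
SAMPLE_IP_ADDR = json.dumps([
    {"ifname": "lo", "flags": ["LOOPBACK", "UP"],
     "addr_info": [{"family": "inet", "local": "127.0.0.1", "prefixlen": 8}]},
    # eth0: SPAN/TAP capture port, promiscuous, no Layer-3 address at all
    {"ifname": "eth0", "flags": ["BROADCAST", "PROMISC", "UP"], "addr_info": []},
    # eth1: management port on a network separate from the substation LAN
    {"ifname": "eth1", "flags": ["BROADCAST", "UP"],
     "addr_info": [{"family": "inet", "local": "10.20.30.5", "prefixlen": 24}]},
])
SUBSTATION_LAN = ipaddress.ip_network("192.168.100.0/24")  # constructed value


def audit_sensor(ip_addr_json, capture_ifaces, mgmt_iface, substation_lan, ip_forward):
    """Return a list of findings; an empty list means both properties hold."""
    findings = []
    ifaces = {i["ifname"]: i for i in json.loads(ip_addr_json)}
    # Property 1: capture interfaces only read traffic. Without any address the
    # sensor has no Layer-3 identity it could use to send into the substation LAN.
    for name in capture_ifaces:
        iface = ifaces.get(name)
        if iface is None:
            findings.append(f"{name}: capture interface not found")
            continue
        if iface["addr_info"]:
            findings.append(f"{name}: capture interface has an address, sensor could talk back into the substation LAN")
        if "PROMISC" not in iface["flags"]:
            findings.append(f"{name}: not promiscuous, sensor will miss mirrored traffic")
    # Property 2: management traffic is segregated from the substation LAN.
    mgmt = ifaces.get(mgmt_iface)
    if mgmt is None:
        findings.append(f"{mgmt_iface}: management interface not found")
    else:
        for addr in mgmt["addr_info"]:
            if ipaddress.ip_address(addr["local"]) in substation_lan:
                findings.append(f"{mgmt_iface}: management address {addr['local']} lies inside the substation LAN")
    # Forwarding on the host would let management traffic cross into the capture side.
    if ip_forward:
        findings.append("net.ipv4.ip_forward=1: host could route management traffic into the capture side")
    return findings
```

On a real host the JSON would come from running `ip -j addr show` and the forwarding flag from `/proc/sys/net/ipv4/ip_forward`.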