Grid operators need to continuously develop their security monitoring capabilities to keep up with new threats and keep vulnerabilities under control. One of the challenges in developing these capabilities is defining the use cases needed for effective security monitoring.
This paper presents a risk-based approach that grid operator SOCs can use to determine the use cases for their specific context.