OMICRON Magazine

solution works with the operator to evaluate the resulting communication and decide whether or not the alarms occurred as part of a routine operation. If they did, the alarm is “acknowledged” and will be disregarded. The benefit of this approach is that it functions independently of signatures. Still, there is a risk that it may classify the activities of malicious software that was already in the OT network before the learning phase started as normal behavior. The lengthy learning process is time-, resource-, and cost-intensive.

Specification-Based Approach

There are usually adequately documented specifications for systems (IEC 61850 SCL files, signal lists, IP address lists). These specifications describe the system and its communication comprehensively. The information about the system is transmitted to the IDS, making it immediately operational. It analyzes all data traffic immediately and assesses whether this communication is allowed in the system model, enabling the efficient and prompt detection of potential attacks and functional defects. There is no need for a time-consuming learning phase or for ensuring that signatures are up to date.

When these approaches are compared directly, the allow-list-based solutions are preferable for OT networks in the energy sector because minimal implementation effort is required. An in-depth understanding of familiar processes (protection testing, maintenance work, etc.) makes day-to-day operation much easier for IT and OT employees and helps conserve personnel resources.

IT Cybersecurity ≠ OT Cybersecurity

However, all three intrusion detection options have one thing in common at a network level: They have to be integrated into operators’ process networks in a passive and nonreactive manner. This reveals a key difference between these security systems and the cybersecurity systems in classic (office) IT. In OT control networks, it’s essential that switch commands
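To make the difference between the two approaches concrete, the following Python example contrasts a learned baseline with a specification-based allow list over a handful of constructed flow records. It is an illustration added here, not code from OMICRON or from any IDS product. The host names, IP addresses, and port assignments are assumptions; the "specification" is a simplified stand-in for the kind of information an operator could derive from IP address lists and IEC 61850 SCL or signal lists, and the traffic is constructed. The scenario reproduces the risk described above: a flow that was already present during the learning phase is absorbed into the baseline and never raised again, whereas the system model flags it immediately.

```python
"""Learned-baseline vs specification-based (allow-list) detection on OT flows.

Added example: the hosts, addresses, ports and traffic below are constructed
assumptions for illustration, not data from any real network or product.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Flow:
    """One observed client-to-server communication relation."""
    src: str
    dst: str
    dport: int
    proto: str  # "tcp" or "udp"


# Constructed specification (assumption): known hosts, as an IP address list
# would provide them, and the communication relations the system model allows.
SPEC_HOSTS = {
    "10.0.1.10": "scada-gateway",
    "10.0.1.21": "ied-protection-1",
    "10.0.1.22": "ied-protection-2",
    "10.0.1.50": "engineering-ws",
}
SPEC_FLOWS = {
    Flow("10.0.1.10", "10.0.1.21", 102, "tcp"),  # MMS (IEC 61850) to IED 1
    Flow("10.0.1.10", "10.0.1.22", 102, "tcp"),  # MMS (IEC 61850) to IED 2
    Flow("10.0.1.50", "10.0.1.21", 102, "tcp"),  # engineering access
    Flow("10.0.1.50", "10.0.1.22", 102, "tcp"),
}

# Constructed traffic. The learning window already contains a flow to an IED
# on a port no specification allows, standing in for software that was active
# in the network before the learning phase started.
PRE_EXISTING_UNEXPECTED = Flow("10.0.1.50", "10.0.1.21", 5000, "tcp")
LEARNING_TRAFFIC = list(SPEC_FLOWS) + [PRE_EXISTING_UNEXPECTED]

# Later operational traffic: the same flows plus one from a device that
# appears in no address list.
NEW_HOST_FLOW = Flow("10.0.1.99", "10.0.1.22", 102, "tcp")
OPERATIONAL_TRAFFIC = list(SPEC_FLOWS) + [PRE_EXISTING_UNEXPECTED, NEW_HOST_FLOW]


def learn_baseline(training: Iterable[Flow]) -> set[Flow]:
    """Learning-phase approach: everything seen during the (assumed clean)
    learning window becomes part of the baseline."""
    return set(training)


def acknowledge(model: set[Flow], flow: Flow) -> set[Flow]:
    """Operator acknowledges an alarm as routine; the flow joins the model."""
    return model | {flow}


def detect_with_baseline(baseline: set[Flow], flows: Iterable[Flow]) -> list[Flow]:
    """Raise every flow that was not part of the learned baseline."""
    return [f for f in flows if f not in baseline]


def detect_with_spec(spec_flows: set[Flow], spec_hosts: dict[str, str],
                     flows: Iterable[Flow]) -> list[tuple[Flow, str]]:
    """Specification-based approach: a flow is allowed only if both endpoints
    are known hosts and the relation itself is in the system model."""
    alerts = []
    for f in flows:
        if f.src not in spec_hosts or f.dst not in spec_hosts:
            alerts.append((f, "unknown host"))
        elif f not in spec_flows:
            alerts.append((f, "relation not in system model"))
    return alerts


def compare() -> dict[str, list]:
    """Run both detectors on the constructed operational traffic."""
    baseline = learn_baseline(LEARNING_TRAFFIC)
    return {
        "baseline_alerts": detect_with_baseline(baseline, OPERATIONAL_TRAFFIC),
        "spec_alerts": detect_with_spec(SPEC_FLOWS, SPEC_HOSTS, OPERATIONAL_TRAFFIC),
    }


if __name__ == "__main__":
    for name, alerts in compare().items():
        print(f"{name}:")
        for a in alerts:
            print("   ", a)
```

The learned baseline reports only the unknown device; the pre-existing flow on port 5000 was part of the learning window and is silently accepted. The specification-based check reports both, with a reason that tells the operator which part of the system model (host list or communication relation) the traffic violates. The `acknowledge` helper models the operator loop from the text: a flow confirmed as routine is added to the model and not raised again.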
