OT Network Monitoring is the capability to understand what the equipment that enables the grid is actually doing. Historically, the fact that the grid was delivering electricity to customers was considered sufficient (a so-called “run-to-failure” management approach). Over the years, SCADA systems have been increasingly deployed to collect basic data about what is happening in the grid. More recently, software that collects information about what networks and some of the underlying equipment are actually doing has been deployed. Even with these systems, however, only a small fraction of the information that grid assets can generate about their status and operations is actually communicated to a monitoring system that can analyze it and make recommendations. Advances in monitoring software are happening quickly, and much more sophisticated monitoring is now available, driven by a proliferation of vendors addressing this space. There is a great deal of confusion and misunderstanding in the industry that a Best Practice analysis will directly address.

This Topic was initially presented in the February Best Practices Conference by Dale Peterson, Creator and Program Chair of S4 Events, a leader in ICS Security Research. As an initial indication, Dale identified real-time Passive and Active monitoring as a Best Practice and named the top vendors in this quickly evolving area. Deep real-time network and asset monitoring provides a utility with an immediate analysis of what its networks and underlying assets are actually doing. For example, a utility can see a Zero Day [1] attack because one or more devices are behaving differently from the normal baseline known to the utility. The vendor capabilities in this area are analogous to turning on a light in a room that was previously dark, and utilities that implement this approach take a giant leap forward on many cybersecurity dimensions.

Implementing OT monitoring is costly in both software and implementation. For any large utility, the cost would be in the low millions, and the time to implement is multi-year, but it can be done in a phased approach, network by network. The passive component of this approach only “listens” to network traffic in an unobtrusive way, and then interprets that traffic based on a very deep understanding of complicated assets. The active component queries (“pings”) assets directly in order to obtain a deeper understanding of what is happening in real time.
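To make the baseline idea behind passive monitoring concrete, here is an added illustration (not code from this page, Protect Our Power, or any vendor discussed at the conference): it learns which conversations and protocol functions a passive sensor has observed between hosts and then flags traffic that deviates from that baseline. The hosts, protocol names and flow records are constructed for the example.

```python
"""Passive OT baseline anomaly detection (constructed illustration)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str    # initiating host, e.g. an HMI or engineering workstation
    dst: str    # target asset, e.g. a PLC or RTU
    proto: str  # industrial protocol seen on the wire
    func: str   # protocol function, e.g. Modbus read_holding_registers


# Constructed traffic observed during the learning window (hypothetical addresses).
BASELINE_WINDOW = [
    Flow("10.0.1.10", "10.0.2.21", "modbus", "read_holding_registers"),
    Flow("10.0.1.10", "10.0.2.22", "modbus", "read_holding_registers"),
    Flow("10.0.1.11", "10.0.2.21", "dnp3", "read"),
]


def learn_baseline(flows):
    """Record, per (src, dst, proto) conversation, every function ever observed."""
    baseline = defaultdict(set)
    for f in flows:
        baseline[(f.src, f.dst, f.proto)].add(f.func)
    return baseline


def detect(baseline, flows):
    """Return (alert_kind, flow) for conversations never seen before, or for
    known peers that start using a function they never used in the baseline."""
    alerts = []
    for f in flows:
        key = (f.src, f.dst, f.proto)
        if key not in baseline:
            alerts.append(("new_conversation", f))
        elif f.func not in baseline[key]:
            alerts.append(("new_function", f))
    return alerts


# Constructed live traffic: a normal read, a write to a PLC that was only ever read,
# and a previously unseen host talking to an RTU.
LIVE_WINDOW = [
    Flow("10.0.1.10", "10.0.2.21", "modbus", "read_holding_registers"),
    Flow("10.0.1.10", "10.0.2.21", "modbus", "write_multiple_registers"),
    Flow("10.0.1.99", "10.0.2.21", "dnp3", "read"),
]

if __name__ == "__main__":
    for kind, flow in detect(learn_baseline(BASELINE_WINDOW), LIVE_WINDOW):
        print(kind, flow)
```

In a real deployment the baseline is learned over weeks of traffic and reviewed by engineers before alerting is enabled, since a “new function” alert is only meaningful if the learning window captured all legitimate operations.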

[1] A Zero Day attack exploits a vulnerability that is new-to-the-world and therefore defeats existing protection mechanisms such as antivirus programs and firewalls. Zero Day vulnerabilities are common; nation states collect Zero Days for future use, and they are also available for purchase on the dark web.

Educational Institution Connections:

Protect Our Power has partnered with Washington State University to develop vendor comparisons and guidance for this Topic. Contact Erick Ford at for more information.