Detecting Attacks on SCADA Systems

When to Use

• When deploying intrusion detection capabilities in a SCADA environment for the first time
• When investigating suspected cyber attacks against industrial control systems
• When building detection rules for OT-specific attack patterns (Stuxnet, TRITON, Industroyer)
• When integrating OT network monitoring with an enterprise SOC for unified threat visibility
• When responding to alerts from OT security monitoring tools (Dragos, Nozomi, Claroty)

Do not use for detecting attacks on IT-only networks without SCADA/ICS components, for building generic network IDS rules (see building-detection-rules-with-sigma), or for incident response procedures after an attack is confirmed (see performing-ot-incident-response).

Prerequisites

• Passive network monitoring sensors deployed on SPAN/TAP ports at OT network boundaries
• OT intrusion detection system (Dragos Platform, Nozomi Guardian, Claroty xDome, or Suricata with OT rulesets)
• Understanding of industrial protocols in use (Modbus, DNP3, OPC UA, EtherNet/IP, S7comm)
• Baseline of normal SCADA communication patterns (polling intervals, function codes, register ranges)
• Access to process historian data for physical process anomaly correlation