In customer meetings, there is often uncertainty about what exactly an intrusion detection system in OT entails. A firewall? A SIEM? A network monitoring system? What exactly does it need to be capable of? In two blog posts, we compare the legal and technical requirements with possible solutions.
First of all: An intrusion detection system does not describe a specific product, but rather an objective. To get the most comprehensive idea possible, three sources are worth consulting:
- ENISA: “An Intrusion Detection System (IDS) is a software component (often integrated with a hardware device, especially in the case of commercial solutions) that monitors and analyses network traffic or operating system behaviour for unauthorised or malicious activities. An IDS system typically works in a passive mode: it detects a threat, logs information and triggers an alert.” 1
- Mitre: “An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations. Any intrusion activity or violation is typically reported either to an administrator or collected centrally using a security information and event management (SIEM) system. A SIEM system combines outputs from multiple sources and uses alarm filtering techniques to distinguish malicious activity from false alarms.” 2
- CISA; “Intrusion detection systems detect and report malicious activity. Intrusion prevention systems attempt to stop the activity.” 3
Thus, there is a clear distinction between an IDS and an IPS. Some solutions combine both capabilities. However, while IPS with automated reaction is easily embedded in IT environments, it is a different story in OT environments, where the only automated process shall be the industrial process – not a security processing potentially disrupting it (more on that later).
Basic requirements for a SzA
Four requirements can be derived from the above definitions, which should be taken into account in OT.
1. IDSs are located within the network
This requirement already distinguishes them from firewalls. While firewalls are located at the network boundaries and look outwards, an IDS operates within the boundaries of a network. Firewalls remain indispensable for cybersecurity. However, they are supplemented by a comprehensive internal view of the networks and systems used (Fig. 1). The reason for this second line of defense lies in the development of initial attack vectors over the last ten years. Malware and active hacking have declined as initial vectors. Attacks via exploitedvulnerabilities and stolen access data, which firewalls cannot detect, now account for over 50%. 4,5
IDSs can generally be integrated host-based (HIDS) and network-based (NIDS). Due to the limited CPU capacities of most OT components and often proprietary operating systems, a Network Intrusion Detection System (NIDS) is the simplest and most comprehensive solution for OT.
For example, the data collectors of the Rhebo Industrial Protector NIDS can be integrated via mirror port switches (hardware solution) or on existing gateways (software solution). Both variants enable a quick rollout without disrupting running industrial processes.
2. IDSs continuously analyze communication for suspicious or malicious activity.
Threats are no longer limited to known patterns or signatures (see point 1). It therefore makes sense to supplement classic signature-based intrusion detection (firewalls and virus scanners) with behavior-based intrusion detection (e.g. a NIDS with anomaly detection).
As explained in point 1, network intrusion detection systems (NIDS) are particularly useful and applicable in OT networks. A NIDS identifies threats that are already within the networks and follow novel, complex (multi-staged) attack patterns. Lateral movements, attacks via vulnerabilities, compromised user accounts, and living-off-the-land (LOTL) techniques are thus made visible and reported to those responsible at an early stage.
In addition, existing log entries from end devices can be used as a source, if available and relevant to security. It makes sense to consolidate all log entries and alarm messages in a higher-level Security Information & Event Management (SIEM) system in order to obtain an overall picture of the company's cybersecurity posture and risk landscape (IT and OT).
3. IDSs primarily function passively
This requirement is particularly crucial in OT networks, where active blocking of communication and active network scans are undesirable or can jeopardize operations. Passive operation is also useful in the context of anomaly detection. Not all detected anomalies automatically justify active, immediate blocking but need a contextual analysis before deciding on any actions.
4. (Bonus) IDSs go hand in hand with prevention and response
This said, the goal of cybersecurity is not only to detect threats, but also to block and remove them. Thus, an IDS forms the foundation for actively combating threats and incidents.
It detects threats and provides all relevant information to the incident response team so that they can quickly understand a security-related event and respond in a targeted manner. This information includes, among other things:
- involved systems and components (IP and MAC addresses),
- chronological sequence of events,
- associated processes,
- protocols used,
- contents of the incidents.
A NIDS such as Rhebo Industrial Protector therefore provides the packet capture (pcap) for each detected anomaly, in which all data and meta information relating to the incident is stored.
From a certain size of infrastructure onwards, a Security Operation Center (SOC) helps to bring all measures and functions of OT cybersecurity under one roof.
1 ENISA: Proactive Detection of Security Incidents, 2012
2 https://d3fend.mitre.org/dao/artifact/d3f%3AIntrusionDetectionSystem/
3 CISA: TIC Core Guidance Volume 3:Security Capabilities Catalog, 2021
4 Verizon: 2025 Data Breach Investigations Report
5 Cyentia: Information Risk Insights Study 2025
