Intrusion Detection in Electrical Substations acc. to the BSI

Klaus Hunsänger from the German Federal Agency for Information Security (BSI) explains how to implement an intrusion detection system in electrical substations in accordance with the BSI recommendation BSI-CS “Station automation”. Being a long-time practitioner, he sheds light on the background of the BSI document and where a network-based IDS (NIDS) is best placed within a substation OT.

Duration:

26 min

Guest in this episode:

Klaus Hunsänger

Speaker for Industrial Control and Automation Systems BSI

FAQ

Facts on the topic

What does the BSI-CS 153 guideline require for Substation Automation?

The BSI-CS 153 guideline specifies cybersecurity requirements for the periphery of power grids, specifically focusing on substation automation. Since traditional security strategies based solely on central control centers are no longer sufficient, BSI-CS 153 emphasizes the implementation of localized intrusion detection. The goal is to identify modern attack vectors within telecontrol technology and the station bus at an early stage to ensure grid resilience.

Why is a Network-based IDS (NIDS) so effective in substations?

In Operational Technology (OT) environments, many components like IEDs (Intelligent Electronic Devices) or RTUs cannot host traditional security software. A network-based intrusion detection system (NIDS) is the most efficient solution because:

Rapid Deployment: NIDS can often be integrated into existing architectures with minimal disruption.‍
Anomaly Detection: Since OT network communication is deterministic, a NIDS reliably identifies deviations (anomalies) without needing pre-defined signatures.‍
Visibility: It provides immediate transparency into all data traffic across the station bus.

What is the difference between host-based and network-based intrusion detection?

Network-based Detection (NIDS): Monitors the entire network traffic. It is ideal for substations because it operates passively and does not impact the real-time communication of field devices.‍
Host-based Detection: This involves analyzing log data directly from endpoints (workstations, modern IEDs).The recommendation is a hybrid approach: while NIDS provides the fastest results and broadest coverage, host-based logs should be used complementarily for deep-dive forensics on modern components.

How does the SCD file (IEC 61850) improve cybersecurity?

In IEC 61850 compliant facilities, the SCD (Substation Configuration Description) file is the "source of truth" for the entire system. For SEO-relevant intrusion detection, this file is invaluable because:

It serves as the definitive reference for legitimate network configuration.
It significantly accelerates the "training" phase of an AI-driven NIDS.
Without this file, rapid recovery or forensic analysis after a security incident is nearly impossible.

Why is signature-based detection insufficient for OT security?

Unlike classic IT environments where attacks are often caught using known patterns (signatures), OT threats frequently involve Advanced Persistent Threats (APT). These attacks are highly customized and unique. However, because substation communication is extremely stable and predictable, anomaly detection is far superior. it allows the system to identify "zero-day" attacks and supply chain compromises that no signature-based tool would ever catch.

Summary

‍

Keywords

Federal Agency for Information Security, BSI, network-based intrusion detection, host-based intrusion detection, substation automation, NIDS, IEC 61850

‍

Sound Bites

"The attack vectors have moved to the remote control network and even to the station bus."

"I think, the energy sector [in Germany] is pretty well prepared compared to other sectors, even to other critical sectors."

"In some cases, we still see utilities that too heavily rely on their service providers when it comes to documentation."

"Network-based intrusion detection is best in networks where I can’t simply add another security software on all the IEDs and RTUs."

"APTs are pretty individual in how they attack. Signature-based detection is lacks the agility."

"There is no point in having an [isolated NIDS] box in your substation, that screams and wails when you only check it every few days."

‍

Chapters

00:00 Introduction

01:28 Background to the BSI document BSI-CS 153 “Station automation”

04:19 How the technical baseline has changed in electrical substations

06:25 Steps to implement OT security in electrical substations

07:05 How to connect the security staff with the technicians

08:26 The relevance of documentation in cybersecurity

10:11 The relevance of the .scd file in IEC 61850 infrastructure for error detection, intrusion detection and visibility

12:20 Where to place a network-based intrusion detection system (NIDS) in your electrical substation

14:26 Where is a host-based IDS worthwhile?

15:34 Are IEDs good information sources for cybersecurity?

17:10 Passive vs active intrusion detection

19:00 How does a NIDS with anomaly detection detect a supply chain compromise?

22:10 The question of vendor agnosticism and isolated integration of NIDS

25:14 How to work together with service providers

‍

Intrusion Detection in Electrical Substations acc. to the BSI

The Digital Nervous System: Why Building Automation Is True OT

CE Marking for Digital Products: How the CRA Is Correcting OT Vulnerabilities

Driving a Ferrari without a license? The right steps for OT security for CEOs

OT risk analysis

OT security monitoring & NIDS

Building OT cybersecurity know-how

SIEM Integration

Security compliance

Asset detection & inventory

Condition monitoring

Mitre Att&ck for ICS integration