About StationGuard

StationGuard is an intrusion detection system tailor-made for the power grid. It monitors Ethernet networks in substations and control centers and identifies cyber threats, prohibited activity, and malfunctions. Regardless of whether your system is based on IEC 60870-5-104, DNP3, Modbus TCP or IEC 61850, StationGuard deeply inspects all communication to find cyber threats, prohibited activity and errors.

StationGuard does not use a time-consuming learning or baselining phase. Instead, it takes a new approach in which an allow list (whitelist) is created based on the expected function of each device in the network. Based on our 25+ years of experience in power utility automation systems, StationGuard truly understands the communication in substation automation and SCADA systems. With its unique system model approach, this knowledge is used to distinguish legitimate traffic from malicious activity. For IEC 61850 systems, the configuration process can be sped up by importing SCL / SCD engineering files. But even without these, the configuration is usually done within a few hours. After this, StationGuard is fully set up and ready to protect the power grid.

Due to the deep verification of all traffic, StationGuard will also detect failures and errors in the system. This includes configuration errors, interoperability issues, time synchronization problems, incorrect communication, and much more. Thus, StationGuard combines cybersecurity and functional monitoring. The substation or SCADA network can be monitored 24/7 so that issues can be analyzed later.

StationGuard automatically recognizes all devices in the network, creates an asset inventory, and visualizes communication. In addition, it generates detailed information for each asset by combining the actual network analysis with SCL engineering files.

Made for efficient collaboration between security officers and power engineers

Security officers and engineers who are responsible for power grid automation networks work in different departments and often seem to speak a different language. This becomes noticeable when devices in the network need to be identified and when the cause of intrusion detection system (IDS) alerts has to be analyzed. So-called learning-based or baseline-based IDS have the disadvantage that they raise a false alarm for every process value that differs from what was seen during the learning phase. With StationGuard, we provide the lowest number of false alerts because StationGuard knows the function of each device. When an alert is raised, StationGuard identifies the event behind the protocol activity and displays it in a graphical diagram. Both improve the collaboration between security officers and power engineers significantly.

Support for more than 300 additional OT and IT protocols

The unprecedented level of detail for inspecting IEC 61850 protocols has been extended to support Deep Packet Inspection (DPI) on over 300 additional IT and OT protocols. The DPI support ranges from protocols used in the power grid, such as IEC 60870-5-104, DNP3, Modbus TCP and Synchrophasor, to IT protocols, such as HTTP, FTP, RDP, NTP, SNMP, and many more. Using DPI, StationGuard not only detects encoding violations but also detects, for example, when the port of a remote connection is used by an unexpected application (port spoofing). This application detection even works for encrypted communication, such as HTTPS and TLS.

Not just the port numbers, but also the detected applications are now part of the StationGuard allow list. When you allow a connection in StationGuard 2.0, the detected application running on that connection will be added to the allow list. If the application using that connection changes, an alert will be raised. StationGuard can currently recognize over 1400 different applications.

Integrated support for maintenance and commissioning

StationGuard is the first IDS with built-in support for maintenance phases and commissioning situations. This avoids false alarms and increases the security level by allowing fine-grained control of when engineering activity is permitted.

Engineering protocols and IED web interfaces have many known vulnerabilities, and new ones are disclosed every month. However, these interfaces are needed in the commissioning phase and during routine maintenance. To protect your substation against attacks on these ports, you should generally prohibit engineering activity and only allow it when needed. For this purpose, you can turn on the “Maintenance Mode” in StationGuard. It greatly enhances safety by prohibiting engineering activities during normal operation, while producing a low number of false alarms during maintenance phases. For example, the engineering PC in the substation must not communicate at all most of the time, and may only use a specific vendor protocol or access the web interface of switches while Maintenance Mode is active in StationGuard. If the engineering PC shows potentially dangerous or suspicious activity, this will always trigger an alert. In contrast to baseline or learning-based IDS, StationGuard supports the different phases in the lifecycle of a substation with high selectivity in the alerts.
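The two mechanisms described above, an allow list that binds each permitted connection to the application detected on it, and a maintenance mode that gates engineering traffic, are sketched here as an added illustrative policy model. This is not StationGuard's code; the host names, ports, application labels and the sets of engineering and always-alert applications are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Connection:
    src: str   # device that opened the connection
    dst: str   # device it connected to
    port: int  # destination port
    app: str   # application identified by DPI on this connection

# Constructed allow list: (src, dst, port) -> application seen when the connection
# was allowed. The product derives such entries from each device's expected function.
ALLOW_LIST = {
    ("scada-gw", "ied-1", 102): "mms",
    ("scada-gw", "ied-2", 102): "mms",
    ("rtu-1", "cc-front-end", 2404): "iec104",
}
# Constructed policy sets: engineering hosts may only talk while maintenance mode is
# active, and only with engineering applications; always-alert apps are never tolerated.
ENGINEERING_HOSTS = {"engineering-pc"}
ENGINEERING_APPS = {"vendor-ied-tool", "http-switch-ui"}
ALWAYS_ALERT_APPS = {"telnet"}

def allow_connection(conn, allow_list):
    """Allow a connection: the application currently detected on it is recorded too."""
    allow_list[(conn.src, conn.dst, conn.port)] = conn.app

def evaluate(conn, maintenance_active, allow_list=ALLOW_LIST):
    """Return an alert string for one observed connection, or None if it is permitted."""
    key = (conn.src, conn.dst, conn.port)
    if conn.app in ALWAYS_ALERT_APPS:
        return f"suspicious application {conn.app} from {conn.src}"
    if conn.src in ENGINEERING_HOSTS:
        if not maintenance_active:
            return f"engineering activity from {conn.src} outside maintenance mode"
        if conn.app not in ENGINEERING_APPS:
            return f"unexpected application {conn.app} from {conn.src} during maintenance"
        return None
    expected = allow_list.get(key)
    if expected is None:
        return f"connection {key} not in allow list"
    if expected != conn.app:
        # Port is allowed, but a different application now uses it (port spoofing).
        return f"application on {key} changed from {expected} to {conn.app}"
    return None

def evaluate_all(conns, maintenance_active, allow_list=ALLOW_LIST):
    """Evaluate a batch of observed connections and collect the alerts."""
    return [a for a in (evaluate(c, maintenance_active, allow_list) for c in conns) if a]
```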