Practical SIEM tools for SCADA environment

Date
2018-01-01
Authors
Perez, Steven
Major Professor
Manimaran Govindarasu
Department
Electrical and Computer Engineering
Abstract

Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems (ICS) have come under increasing attack in recent years, and every year more secure architectures are developed in response. Security Information and Event Management (SIEM) systems are now widely used across many sectors of industry, but few are deployed for ICS/SCADA systems, and the Power Grid in particular lacks monitoring and alerting systems. Today, businesses in different sectors rely on common defenses such as firewalls, two-factor authentication, egress filtering and others to keep attackers out of the network. While these defenses provide some protection against known attacks, other kinds of attacks go undetected: anomalous behavior is difficult to detect, and the perimeter defenses above do not help once an attacker is already inside the network.

Typical SCADA systems lack monitoring in the OT network because it is not part of the IT network. This paper provides an easy way to set up a monitoring and alerting system for a substation in the OT network. Security Onion is free, open-source software that is deployed as a NIDS (Network Intrusion Detection System) on the OT network. The experiment was conducted in the Power Grid Lab at Iowa State using Siemens relays.

In this paper, we provide a SIEM solution built from well-known free open-source tools on the Security Onion Linux distribution for monitoring and logging. We first explain why a SIEM solution is a good choice for an ICS, covering its advantages and capabilities and other cases where SIEM solutions have proved to improve security. We then present a three-layer intrusion detection system for substations, based on anomaly and signature detection using Snort, together with its implementation, evaluation and results.

Copyright
Mon Jan 01 00:00:00 UTC 2018