Rhebo confirms new BSI recommendations for OT monitoring in substations

May 8, 2025

The German Federal Office for Information Security (BSI) has issued a recommendation for the security monitoring of station automation in energy networks entitled ‘Monitoring in station automation’. In the document published in March 2025, the BSI recommends installing a network-based attack detection system or Network Intrusion Detection System (NIDS) in decentralised energy supply systems such as substations.

  • The Federal Office for Information Security recommends dedicated security monitoring for station automation in the German energy supply system.
  • The recommendation focuses on industrial plants and systems.
  • German OT cybersecurity company Rhebo confirms the BSI’s warning that most substations are currently insecure.


The BSI justifies its latest recommendation with the digitalisation and networking of critical systems through exposed network components and the growing risk of supply chain compromise. In this type of cyberattack, attackers attempt to penetrate a network via both the component manufacturers and the service providers, who usually have extensive privileges for the systems. OT (operational technology, i.e. network control and remote control technology) is particularly vulnerable to external compromise and disruption due to its low level of cybersecurity.

“The BSI’s decision reflects our observations over the last ten years from vulnerability assessments and the ongoing operation of our attack detection system in OT networks,” comments René Krause, Team Lead Support at Rhebo. The Leipzig-based technology company has been offering a NIDS developed specifically for OT since 2015, which combines passive security monitoring with anomaly detection. The attack detection system already protects a large number of network control centres of German energy supply companies against multi-stage attacks, hidden security risks and technical faults. “The core threat to the OT of the German energy supply comes from outdated systems, weak authentication and comprehensive remote access privileges (see figure). However, these security gaps cannot be easily eliminated. A NIDS is therefore the best solution for managing this residual risk. ‘What I cannot secure directly, I must monitor continuously.’”

Minimise workload and ensure responsiveness

The aim of the BSI recommendation is to enable energy supply companies to detect security-relevant events (SREs) in their station automation systems as quickly as possible and respond to them. To this end, the BSI also recommends that the industrial attack detection system transmit the SREs to a central instance within the company – usually a SIEM – in order to integrate OT security into general IT security in a resource-efficient manner. Since 2019, Rhebo has enabled the transmission of security messages to SIEM systems, including those from Splunk and IBM QRadar.

To simplify training of the NIDS in IEC 61850 infrastructures, the BSI recommends using the existing .scd file, a method Rhebo has offered for several years to automate the baselining of anomaly detection.

“The recommendation for monitoring in station automation is an important step towards making the German energy supply resilient to existing and future cyber threats,” says René Krause. This is because, as the BSI notes in its recommendation, it is less likely that attacks will be carried out directly via the central control technology. Instead, attackers would “target systems that are only weakly secured and controlled. […] Monitoring in substations is therefore just as important for protecting critical services as protecting central network control technology.”
