The L-ADS inspects and analyses metadata of network packets, and for the most popular OT protocols, such as Modbus-TCP and DNP3, and in the power grid sector IEC 60870-5-104 and IEC 61850 GOOSE & SV, it provides a deep packet inspection. L-ADS derives a large number of behavioural characteristics from ICS/SCADA components’ communications, such as function codes utilisation, which empower the detection of anomalies and attacks. The anomalies represent any deviation from legitimate traffic. L-ADS provides explainability of why the anomalies are detected, with useful information on critical behavioral characteristics, their value difference and direction of intrusion.

L-ADS also adopts a new type of characteristics called conformity features that, in addition to the behavioral ones, indicate how much network traffic conforms (or does not) to the different legitimate dimensions indexed during training. These features reinforce L-ADS’s visibility on intrusions on border areas (between legit and anomalous) where advanced or stealthy attacks mostly evade detection. The L-ADS conformity monitoring ranges from monitoring whitelist IP (v4/v6) and MAC addresses to finer-grained monitoring of traffic conformity between legitimate entities in ICS/SCADA environments per protocol, per protocol and day of week, and even per hour a day. All conformity info is automatically indexed and configured during training.

The L-ADS offers custom deep leaning models and extended OT protocol monitoring for the most popular OT protocols as indicated above. It alerts on anomalies even when new, “zero-day” attacks take place. Whether an attacker performs a network reconnaissance or a lateral movement, the L-ADS will detect and alert such traffic.

It has been validated in several pilot OT environments (e.g., a substation of distribution power, and PV plant) under OT specific attacks, but also on several intrusion detection datasets¹. A summary of LADS’s detection capability is listed below.

1. Promising high detection rate results achieved for all attacks in datasets IEC104,DNP3,Modbus,IEC61850.

In contrast with classic rule-based intrusion detection tools, the L-ADS does not require creation of customized rules, load specific rulesets or complex configurations for getting it started. Its setup process is much simpler and automatic than most classic IDSs.

The L-ADS is provided as a Docker container with a Compose file to ease its deployment and configuration. The L-ADS can be scaled to more complex infrastructures with segmented networks by deploying multiple instances at critical (e.g., gateway) points such as those of field or telecontrol LANs. The following diagram shows the typical deployment view of the L-ADS in an OT environment, but other deployments are well available across Edge-to-Cloud continuum.