Operational technology (OT) — the hardware and software that monitors and controls physical processes — is present throughout military infrastructure in ways that are not always visible to IT security teams. Base utilities (power generation and distribution, water treatment, HVAC systems) run on industrial control systems (ICS) and SCADA (Supervisory Control and Data Acquisition) platforms that were designed for availability and physical reliability, not cybersecurity. Weapon systems, vehicle platforms, and communications equipment contain embedded controllers that communicate using industrial protocols. These systems are high-value targets for adversaries: disrupting base power or water, or compromising the command-and-control systems of weapon platforms, creates operational effects that kinetic attacks might fail to achieve.

Traditional IT security tools — endpoint agents, IT network scanners, cloud-based EDR platforms — cannot protect OT systems and should not be applied to them. Applying an IT security agent to an OT device can crash it; running an active network scanner against an OT network can disrupt the control communications that keep physical processes stable. OT security requires a different approach, different tools, and a different threat model.

OT vs IT Security: Different Threat Models

The CIA triad (Confidentiality, Integrity, Availability) applies to both IT and OT security, but the priorities are reversed. In IT security, confidentiality is typically the primary concern. In OT security, availability is paramount — a power distribution system that goes offline affects physical operations immediately, and the consequences of downtime are measured in operational capability, not data breach notifications.

The no-patch-window constraint is the most fundamental difference between IT and OT security management. IT systems can typically be patched during maintenance windows that are measured in hours. OT systems controlling continuous industrial processes often cannot be taken offline at all — the process they control must run 24/7. A base power generation system with a known vulnerability may remain unpatched for months or years because the patch procedure requires a full system restart and a controlled power outage to the base, which requires extensive coordination across multiple commands and creates a significant operational planning burden.

Real-time requirements in OT create additional constraints: an ICS receiving commands from its SCADA system must process those commands within milliseconds for tight control loops. A security tool that adds latency to OT communications — even 10–50 ms — can destabilize control loops in some process environments. This rules out any inline security tool (such as a Next-Generation Firewall performing deep packet inspection) for time-sensitive OT communications.

Military OT Scope: What Is Actually at Risk

Base infrastructure SCADA systems control the physical utilities that support military bases and installations: electrical generation and distribution (including backup generator management), water treatment and distribution, fuel storage and distribution, HVAC systems for climate-sensitive facilities (data centers, armories, medical facilities), and perimeter security systems (cameras, access control). These systems are typically managed by base operations and engineering commands, not by the IT/cyber units — creating a visibility and responsibility gap that adversaries actively exploit.

Weapon system controllers include fire control computers, targeting systems, radar and sensor controllers, and communications equipment embedded in vehicle and aircraft platforms. These systems use proprietary protocols and embedded operating systems (often real-time operating systems such as VxWorks or LynxOS) that are not accessible to standard IT security tools. Their cybersecurity posture is typically assessed during acquisition and certification, then remains largely static for the life of the platform — potentially 20–40 years.

Communications infrastructure — particularly the relay equipment, multiplexers, and signal management systems that route military communications — uses OT-like hardware with embedded controllers and often communicates using protocols that are not visible to standard IT network monitoring.

Passive Network Monitoring: The Core OT Security Technique

Passive network monitoring is the foundational security technique for OT environments: instead of actively scanning or probing OT devices, the security system observes the communications traffic without interacting with it. This is implemented via SPAN ports (Switch Port Analyzer — the network switch sends a copy of all traffic on monitored ports to the monitoring tool's network interface) or via network taps (physical devices inserted inline in the network cable that forward a copy of traffic to the monitoring tool without interrupting the flow).

Passive monitoring allows the security tool to build a baseline model of normal OT communications: which devices communicate with which other devices, which protocols they use, what commands are normally sent, at what frequency, and within what parameter ranges. Any deviation from this baseline is an anomaly worth investigating: a new device appearing on the network, a known device using an unexpected protocol, a command sent to a physical controller that falls outside normal operating parameters.

The baseline-and-anomaly approach is particularly powerful in OT environments because OT traffic is highly deterministic. Unlike IT networks, where traffic patterns vary enormously based on user activity, OT traffic follows predictable patterns driven by the physical process being controlled. A SCADA polling cycle for a power distribution system sends the same set of status queries to the same PLCs at the same intervals, day after day. Any deviation — a new query, a modified command, an unexpected response — is anomalous and likely security-relevant.

Protocol-Aware IDS: Deep Packet Inspection for OT Protocols

Generic IT network IDS tools inspect traffic at the IP and TCP/UDP level but cannot interpret the application-layer content of OT protocols. An IDS rule that says "alert on any Modbus traffic on non-standard ports" is marginally useful. An IDS rule that says "alert on any Modbus write command to a PLC register that controls the output current to a transformer above 115% of rated capacity" requires protocol-aware deep packet inspection — the ability to decode the Modbus protocol, identify the specific register being written, and evaluate the written value against physical parameter limits.

Modbus is the most widely deployed OT protocol, used in everything from simple sensor interfaces to complex SCADA systems. Its simplicity (no authentication, no encryption, no session management) makes it trivially vulnerable: any device on the same network can send arbitrary read or write commands to any Modbus device. Protocol-aware IDS for Modbus must detect unauthorized write commands (writes from unexpected source IPs, writes to registers that should be read-only under normal operating conditions) and parameter violations (values outside engineering safety limits).
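The baseline-and-anomaly idea described earlier and the Modbus write rule just described, as an added Python example that is not from the original article or from any of the vendor products it names: it decodes Modbus/TCP requests (MBAP header plus PDU), then flags writes from hosts outside a constructed baseline and written values outside constructed engineering limits. The SCADA master address 10.0.1.5, holding register 40 and its 0.1 % scaling are assumptions made for this example.

```python
import struct
from collections import namedtuple

# Standard Modbus function codes handled below.
FC_READ_HOLDING, FC_WRITE_SINGLE, FC_WRITE_MULTIPLE = 0x03, 0x06, 0x10
ModbusRequest = namedtuple("ModbusRequest", "unit_id function address values")

def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Decode one Modbus/TCP request: 7-byte MBAP header followed by the PDU."""
    if len(frame) < 8:
        raise ValueError("truncated frame")
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:  # MBAP length covers unit id + PDU
        raise ValueError("malformed MBAP header")
    fc, data = frame[7], frame[8:]
    if fc in (FC_READ_HOLDING, FC_WRITE_SINGLE):
        addr, word = struct.unpack(">HH", data[:4])  # read: quantity, write: value
        return ModbusRequest(unit, fc, addr, [word] if fc == FC_WRITE_SINGLE else [])
    if fc == FC_WRITE_MULTIPLE:
        addr, qty, nbytes = struct.unpack(">HHB", data[:5])
        return ModbusRequest(unit, fc, addr, list(struct.unpack(f">{qty}H", data[5:5 + nbytes])))
    return ModbusRequest(unit, fc, -1, [])  # other function codes: not decoded further

# Constructed baseline (hypothetical values): only the SCADA master writes, and holding
# register 40 is the transformer output-current setpoint in 0.1 % of rated, so the
# 115 % engineering limit from the text is 1150.
BASELINE_WRITERS = {"10.0.1.5"}
REGISTER_LIMITS = {40: (0, 1150)}

def inspect(src_ip: str, frame: bytes) -> list:
    """Return protocol-aware alerts for one request; an empty list means within baseline."""
    req = parse_modbus_tcp(frame)
    alerts = []
    if req.function not in (FC_READ_HOLDING, FC_WRITE_SINGLE, FC_WRITE_MULTIPLE):
        alerts.append(f"unexpected function 0x{req.function:02x} from {src_ip}")
    if req.function in (FC_WRITE_SINGLE, FC_WRITE_MULTIPLE):
        if src_ip not in BASELINE_WRITERS:
            alerts.append(f"unauthorized write from {src_ip} to register {req.address}")
        for offset, value in enumerate(req.values):
            lo, hi = REGISTER_LIMITS.get(req.address + offset, (0, 0xFFFF))
            if not lo <= value <= hi:
                alerts.append(f"register {req.address + offset} value {value} outside [{lo}, {hi}]")
    return alerts

# Constructed sample frames: a routine poll, a normal setpoint write, and a write from
# an unexpected host whose value also exceeds the engineering limit.
FRAME_POLL = struct.pack(">HHHBBHH", 1, 0, 6, 1, FC_READ_HOLDING, 40, 2)
FRAME_SETPOINT_OK = struct.pack(">HHHBBHH", 2, 0, 6, 1, FC_WRITE_SINGLE, 40, 1000)
FRAME_ROGUE = struct.pack(">HHHBBHH", 3, 0, 6, 1, FC_WRITE_SINGLE, 40, 1200)
```

In a real deployment the inspector would be fed frames from the SPAN port or tap described above, and the baseline sets would be learned from observed traffic rather than hard-coded.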

DNP3 (Distributed Network Protocol 3) is widely used in electric utilities and water treatment, including on military bases. DNP3 Secure Authentication (SAv5) adds authentication to the protocol but is not universally deployed. IDS for DNP3 must detect authentication bypass attempts, unexpected unsolicited response traffic, and time-synchronization attacks (manipulating the DNP3 time synchronization mechanism to falsify timestamped event records).

IEC 61850 is the standard for digital substation automation and protection systems in electrical infrastructure. It carries protective relay functions — the systems that isolate failed equipment from the grid to prevent cascading failures. An attacker who can manipulate IEC 61850 traffic can potentially cause protection systems to either fail to operate (leaving failing equipment connected to the grid) or misoperate (unnecessarily disconnecting healthy equipment). Protocol-aware IDS for IEC 61850 must detect unauthorized GOOSE (Generic Object Oriented Substation Event) messages and unauthorized changes to protection relay settings via the MMS (Manufacturing Message Specification) application layer.

Purpose-Built OT Security Tools in Classified Environments

Three commercial platforms dominate the purpose-built OT security market: Claroty, Dragos, and Nozomi Networks. All three use passive monitoring as their foundational technique, all three provide protocol-aware deep packet inspection for the major OT protocols, and all three can operate in air-gapped deployments.

Claroty provides asset discovery, continuous threat detection, and secure remote access for OT networks. Its Continuous Threat Detection (CTD) platform is deployed passively via SPAN ports and builds an asset inventory and behavioral baseline automatically. Claroty has FedRAMP-compliant cloud offerings and supports air-gapped on-premises deployments for classified environments.

Dragos focuses specifically on industrial cybersecurity with a strong emphasis on threat intelligence relevant to ICS environments. Its WorldView threat intelligence service tracks OT-targeting threat groups (including groups specifically targeting defense-industrial and critical infrastructure targets) and provides detection rules aligned to those groups' known TTPs. Dragos supports air-gapped deployments and has worked with DoD programs.

Nozomi Networks combines asset visibility, anomaly detection, and threat intelligence in a single platform. Its Vantage IQ product supports both cloud-connected and air-gapped deployments and provides a central management console for large, distributed OT environments — relevant for military organizations managing multiple bases or installations from a single security operations team.

Key insight: The most dangerous assumption in military OT security is that physical separation from IT networks provides adequate protection. Defense-in-depth for military OT requires assuming that the IT-OT boundary has been or will be breached — either through network segmentation failures, through legitimate but exploitable IT-OT data transfer pathways (like the historian server that aggregates OT data for IT consumption), or through supply chain compromise of OT device firmware.