What is an IDS (Intrusion Detection System)?
An IDS is an Intrusion Detection System – a system designed to detect and report unauthorised, suspicious or malicious activities on a network or system.
The aim of an IDS is to detect threats early so that action can be taken; unlike a firewall or IPS (Intrusion Prevention System), it does not itself intervene in the traffic.
🧠 How does an IDS work?
An IDS inspects network traffic or system logs and compares them with:
- Signatures of known attacks (such as viruses or exploits)
- Anomalies relative to normal behaviour (e.g. unusual data traffic or timing)
An IDS can detect and log either in real time or offline (after the event).
📦 Types of IDS
| Type | Description |
|---|---|
| NIDS | Network-based IDS: monitors network traffic |
| HIDS | Host-based IDS: monitors activity on individual devices |
| Passive IDS | Detects and reports, but does not intervene itself |
| Active IDS | Reports and automatically performs predefined actions (hybrid with IPS) |
🏭 IDS in industrial networks (OT)
In OT environments, IDS is used to monitor:
- Unexpected communication between PLCs or SCADA systems
- Changes to setpoints outside scheduled times
- Access to a Historian or MES from unusual IP addresses
- Traffic on fieldbuses and industrial protocols such as Modbus, PROFINET, DNP3, etc.
Industrial IDSs (such as Nozomi, Claroty or Dragos) are specifically designed for OT protocols.
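As an added example (not code from this article or from any of the products named), the Python sketch below applies the two detection methods from the "How does an IDS work?" section to the OT cases listed above: a signature rule for Modbus setpoint writes outside a maintenance window, an allowlist rule for historian access from unexpected addresses, and a learned baseline of which hosts normally talk to each other. The flow records, IP addresses, network ranges and maintenance window are all constructed for the example.

```python
"""Toy OT IDS: signature rules plus a learned behavioural baseline, run over
constructed connection records. Added illustration, not a product's code."""
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Record layout: (timestamp, source IP, destination IP, protocol, detail).
# Every address, host and timestamp below is constructed for this example.
BASELINE_FLOWS = [  # a "known good" period used to learn normal conversations
    ("2024-02-26T09:00:00", "10.0.1.10", "10.0.2.20", "modbus", "fc=3"),
    ("2024-02-26T09:01:00", "10.0.1.10", "10.0.3.30", "historian", "login"),
    ("2024-02-26T09:02:00", "10.0.1.55", "10.0.3.30", "historian", "login"),
]
LIVE_FLOWS = [  # the traffic we want to inspect
    ("2024-03-04T09:05:00", "10.0.1.10", "10.0.2.20", "modbus", "fc=3"),
    ("2024-03-04T23:40:00", "10.0.1.10", "10.0.2.20", "modbus", "fc=6 reg=40001"),
    ("2024-03-04T10:15:00", "198.51.100.7", "10.0.3.30", "historian", "login"),
    ("2024-03-04T10:16:00", "10.0.1.55", "10.0.3.30", "historian", "login"),
    ("2024-03-04T10:20:00", "10.0.1.10", "10.0.2.21", "modbus", "fc=3"),
    ("2024-03-04T10:21:00", "10.0.1.10", "10.0.2.21", "modbus", "fc=3"),
]

# Assumed site policy for the example (not from the article).
MAINTENANCE_WINDOW = (time(8, 0), time(17, 0))  # setpoint writes expected only here
ENGINEERING_NET = ip_network("10.0.1.0/24")     # hosts expected to reach the historian
MODBUS_WRITE_FCS = {5, 6, 15, 16}               # Modbus function codes that write


def parse_modbus_fc(detail):
    """Extract the Modbus function code from a 'fc=N ...' detail string."""
    for token in detail.split():
        if token.startswith("fc="):
            return int(token[3:])
    return None


def learn_baseline(flows):
    """Anomaly detection needs a model of 'normal': here, who talks to whom."""
    return {(src, dst) for _, src, dst, _, _ in flows}


def rule_setpoint_write_off_hours(flow, baseline):
    """Signature rule: a Modbus write to a PLC outside the maintenance window."""
    ts, src, dst, proto, detail = flow
    if proto != "modbus" or parse_modbus_fc(detail) not in MODBUS_WRITE_FCS:
        return None
    t = datetime.fromisoformat(ts).time()
    start, end = MAINTENANCE_WINDOW
    if start <= t <= end:
        return None
    return ("signature", f"Modbus write {detail} {src}->{dst} at {t} outside maintenance window")


def rule_historian_unknown_source(flow, baseline):
    """Allowlist rule: historian access from outside the engineering network."""
    ts, src, dst, proto, detail = flow
    if proto != "historian" or ip_address(src) in ENGINEERING_NET:
        return None
    return ("anomaly", f"historian {dst} accessed from unexpected address {src}")


def rule_unknown_conversation(flow, baseline):
    """Baseline rule: a source/destination pair never seen in the learning period."""
    ts, src, dst, proto, detail = flow
    if (src, dst) in baseline:
        return None
    return ("anomaly", f"new conversation {src}->{dst} ({proto}) not in learned baseline")


RULES = [rule_setpoint_write_off_hours, rule_historian_unknown_source, rule_unknown_conversation]


def run_ids(flows, baseline, rules=RULES):
    """Passive IDS loop: evaluate every rule on every record, report, never block.
    Returns a list of (timestamp, kind, message) tuples."""
    alerts = []
    for flow in flows:
        for rule in rules:
            hit = rule(flow, baseline)
            if hit:
                alerts.append((flow[0], hit[0], hit[1]))
    return alerts


if __name__ == "__main__":
    for ts, kind, msg in run_ids(LIVE_FLOWS, learn_baseline(BASELINE_FLOWS)):
        print(f"{ts} [{kind.upper()}] {msg}")
```

Running the block reports five alerts: one signature hit for the night-time `fc=6` write, two anomalies for the historian login from 198.51.100.7 (unexpected address and unseen conversation), and two anomalies for the engineering station talking to a PLC it never contacted during the baseline period. The baseline traffic itself produces no alerts, which is the check worth doing before trusting any learned-baseline rule in production.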
🔐 IDS and Defence in Depth
An IDS is an important component of a broader Defence in Depth strategy, alongside:
📌 In summary
An IDS is a security system that helps detect cyberattacks, unwanted access or anomalous behaviour in good time. In industrial environments, it forms a critical layer between detection and response, without directly disrupting processes.
Want examples of IDS alerts or a comparison between IDS and IPS? Let me know!
