The use of Intrusion Detection Systems (IDS) has become more prevalent today, as over 50% of critical-infrastructure organizations now use operational technology (OT)-specific IDS or behavioral monitoring. IDS capabilities have also evolved.  

While IDS vendors promote advanced capabilities such as Zero-Trust access monitoring, device-to-device communication modeling and AI-driven anomaly detection, these capabilities are not consistently implemented across OT environments.

At the same time, a structural limitation remains: IDS monitors network behavior, not the physical state of the process. Whether the trigger is malicious commands, compromised logic or process-level manipulation, IDS cannot independently confirm what actually changed at the equipment or production level, and is ineffective once the attack has reached the control level. 

This visibility gap is becoming increasingly significant as organizations transition to remote operations, reduce onsite staffing, and increase automation levels. These conditions make it more challenging to independently verify the physical state of equipment, particularly in scenarios where controller data does not accurately represent real process behavior, whether due to faults, configuration changes or malicious manipulation.

Addressing this gap requires a complementary layer of detection: process-level monitoring, the independent verification of raw sensor and actuator behavior at Level 0. By directly comparing physical signals with the reported state of the control system, process-level monitoring provides a source of truth that network-based tools cannot offer.

This article outlines how IDS and process-level monitoring, when combined, create a more comprehensive detection picture, how each addresses a distinct dimension of risk, and why both are becoming increasingly important for OT cyberattack detection, operational assurance and regulatory reporting.

What IDS covers and where its visibility ends

IDS tools provide visibility into network-layer behavior within Industrial Control Systems. They monitor controller communications, ICS protocol activity, authentication attempts, and traffic patterns associated with unauthorized access or lateral movement. Many platforms use machine learning to establish expected interaction patterns between PLCs, HMIs, servers and field devices. Deviations from these patterns can then be identified.

However, IDS visibility stops at the network boundary. IDS tools cannot determine:

  • whether the equipment responded to a command
  • whether pressure, flow, current, or mechanical state changed
  • whether an asset deviated from expected physical behavior
  • whether production or safety conditions were affected

And this is the core issue: an IDS may detect anomalous network activity, but it has no access to the physical process. Network-layer alerts, even the most accurate ones, cannot confirm physical impact. In environments where operational decisions depend on knowing what actually changed at the process level, this becomes a critical limitation.

What process-level monitoring adds to the detection stack

Consider two scenarios that expose cyber detection blind spots in OT environments.

In the first instance, an IDS detects suspicious behavior, such as unexpected network traffic or anomalous device communication. An alert is raised. What's not clear is whether anything has actually changed at the equipment level. Has a valve moved? Has production slowed? The alert may be valid, but without visibility into the physical process, operators are left guessing.

In the second scenario, the physical process changes, but there is no corresponding network signal. An attacker can manipulate controller logic, setpoints or device behavior in a way that produces no abnormal network traffic. Because the change occurs at the equipment or control layer, network-layer detection tools have no visibility into it and cannot identify that anything has changed.

Process-level monitoring addresses these scenarios directly. Rather than interpreting network behavior, it observes physical behavior: the actual signals from sensors, actuators, and Level 0 devices. This enables independent confirmation of what the process is doing, regardless of what the control system indicates or what the network traffic suggests.

When integrated alongside IDS, process-level monitoring offers two critical benefits:

  • It can confirm or rule out physical impact following a suspicious network event.
  • It can identify equipment-level anomalies that may have no network signature at all.

This layer of physical truth is essential for understanding what's real, what has been impacted and what needs to be done. It turns network-layer alerts into operational decisions - and fills a detection gap that remains open for most OT environments.

Understanding detection coverage through the Purdue Model

The diagram below is based on the Purdue Enterprise Reference Architecture (PERA), a widely used model for structuring OT networks across logical layers. It separates programmable layers (Levels 1-4) from physical process control (Level 0), helping to clarify where different cybersecurity tools operate.

The architecture below illustrates the split between programmable OT layers - where IDS tools operate - and the unprogrammable physical layer monitored by SIGA OT.

While Level 0 monitoring provides independent visibility into the raw physical process, SIGA's architecture also includes SigaGuardX, which connects physical signals to the programmable layers. SigaGuardX correlates Level 0 behavior with the logic and commands executed at Levels 1 and 2, making it possible to determine whether controller activity matches the real process. This correlation layer closes the gap between network-layer monitoring and physical-state verification, providing a complete picture of intent versus actual process behavior.

[Diagram: Purdue Model layers, showing IDS coverage across Levels 1-4 and process-level monitoring at Level 0]

  • IDS tools operate across Levels 1-4, monitoring network traffic, controller behavior, and communications.
  • Process-level monitoring operates at Level 0, directly observing raw signals from sensors and actuators.

This layered structure makes it clear why both forms of monitoring are needed: IDS detects intent and communication, while Level 0 monitoring verifies real-world physical outcomes.
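The comparison described above (raw Level 0 signals checked against the state the controller reports, then tied back to network-side alerts) can be sketched in a few dozen lines. The following Python is an added illustration, not SIGA OT or SigaGuardX code; the tag names, tolerances, sample values and IDS alerts are all constructed for the example. It flags sustained disagreement between reported and measured values, then separates those mismatches into ones that follow an IDS alert (confirmed physical impact), ones with no network signal at all, and alerts that no physical change followed.

```python
# Added example: correlating independently measured Level 0 signals with the
# state a controller reports. Illustrative only; not SIGA's implementation.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Sample:
    t: float         # seconds since start of capture
    tag: str         # process tag, e.g. "valve_101" (constructed name)
    reported: float  # value the controller/HMI reports (Level 1/2)
    measured: float  # raw Level 0 signal sampled independently of the controller


# Absolute tolerance per analog tag between reported and measured value.
# For a discrete actuator (0/1) any disagreement counts, so its tolerance is 0.
TOLERANCE: Dict[str, float] = {"pressure_201": 2.0, "valve_101": 0.0}


def find_mismatches(samples: List[Sample], tolerance: Dict[str, float],
                    min_consecutive: int = 3) -> List[Tuple[str, float, float]]:
    """Return (tag, start_t, end_t) spans where |reported - measured| exceeds the
    tag's tolerance for at least `min_consecutive` consecutive samples.
    Requiring a run suppresses single-sample sensor noise and the short window
    in which a real actuator is still travelling after a legitimate command."""
    by_tag: Dict[str, List[Sample]] = {}
    for s in samples:
        by_tag.setdefault(s.tag, []).append(s)
    spans: List[Tuple[str, float, float]] = []
    for tag, seq in by_tag.items():
        seq.sort(key=lambda s: s.t)
        tol = tolerance.get(tag, 0.0)
        run: List[Sample] = []
        for s in seq + [None]:  # None sentinel flushes the final run
            if s is not None and abs(s.reported - s.measured) > tol:
                run.append(s)
                continue
            if len(run) >= min_consecutive:
                spans.append((tag, run[0].t, run[-1].t))
            run = []
    return spans


def correlate_with_alerts(spans, alerts, window_s: float = 60.0):
    """Split physical mismatches by whether an IDS alert (t, tag) on the same tag
    preceded them within `window_s`. Returns (confirmed, silent, unconfirmed):
    confirmed   - alert followed by a physical change: impact verified
    silent      - physical change with no network-side signal at all
    unconfirmed - alert with no physical change observed in the window"""
    def follows(alert, span):
        a_t, a_tag = alert
        tag, start, _end = span
        return tag == a_tag and 0.0 <= start - a_t <= window_s

    confirmed = [sp for sp in spans if any(follows(a, sp) for a in alerts)]
    silent = [sp for sp in spans if not any(follows(a, sp) for a in alerts)]
    unconfirmed = [a for a in alerts if not any(follows(a, sp) for sp in spans)]
    return confirmed, silent, unconfirmed


def build_constructed_capture() -> Tuple[List[Sample], List[Tuple[float, str]]]:
    """Constructed data (not a real capture) covering both scenarios from the text."""
    samples: List[Sample] = []
    for t in range(12):
        # Scenario 1: the controller keeps reporting the valve closed (0), but
        # from t=5 the independently measured position shows it open (1).
        samples.append(Sample(float(t), "valve_101", 0.0, 1.0 if t >= 5 else 0.0))
        # Scenario 2: reported pressure stays flat at 50.0; the raw sensor shows
        # one noisy reading at t=3 (ignored) and a sustained shift from t=8.
        measured = 50.5
        if t == 3:
            measured = 53.0
        elif t >= 8:
            measured = 55.0
        samples.append(Sample(float(t), "pressure_201", 50.0, measured))
    # Constructed IDS alerts: one on the valve before it moved, one on a pump
    # tag for which no physical change is ever observed.
    alerts = [(2.0, "valve_101"), (1.0, "pump_401")]
    return samples, alerts


if __name__ == "__main__":
    samples, alerts = build_constructed_capture()
    spans = find_mismatches(samples, TOLERANCE)
    confirmed, silent, unconfirmed = correlate_with_alerts(spans, alerts)
    print("confirmed physical impact :", confirmed)
    print("no network signature      :", silent)
    print("alert, no physical change :", unconfirmed)
```

The run-length requirement and the per-tag tolerance are the two knobs that decide how much actuator settling time and sensor noise the check absorbs before it raises; a real deployment would derive both from the equipment's characterised response rather than the constants used here.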

Why both are needed for regulatory compliance and operational clarity

Across critical infrastructure sectors, cybersecurity regulations are converging on a shared expectation: organizations must clearly document the impact of an OT cyber incident.

For example, under EU NIS2 and the U.S. Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), operators are required to document and report the severity, affected systems, and operational impact of cyber incidents within tight timelines. NIS2 mandates that final reports include a detailed description of the incident, including the root cause, the physical impact and what mitigation steps were taken. Similarly, CIRCIA requires that operators provide indicators of compromise, attack vectors, and the functional consequences of an attack on operations.

In North America's energy sector, NERC CIP-008-6 obligates utilities to submit incident reports that explicitly identify which OT assets were compromised, how the incident affected operational control (e.g., generation, load balancing), and the level of intrusion achieved or attempted.

The goal is to determine whether the attack specifically targeted the network or actually changed something in the physical process.

Here's the challenge:

  • IDS tools can report unauthorized access or malicious commands, but they cannot verify the physical manifestation of the attack - whether production slowed, a pump was overridden or a safety threshold was breached.
  • Process-level monitoring, by contrast, offers that physical verification. By capturing raw signals from Level 0 devices, it confirms what actually happened, enabling faster triage and more defensible reporting, both to regulators and internally.

Conclusion: From detection to operational certainty

There is a fundamental gap in OT cybersecurity: most tools monitor digital behavior, but none can independently verify the physical state of the process. IDS tools detect intent and activity on the network, yet they cannot confirm what actually changed in the field.

As cyberattacks grow more sophisticated (fueled by AI, remote access, and increasingly targeted OT exploits), closing this cyber–physical gap has never been more important.

Integrating IDS with process-level monitoring creates end-to-end visibility: detecting threats, validating impact, and confirming whether safety, continuity or production were affected.

The ability to distinguish between a network anomaly and a confirmed physical event provides the insights necessary to prevent overreaction to false alarms, ensure timely intervention when real changes occur, and support post-incident reporting that meets both regulatory and operational demands.

Organizations that close this cyber–physical gap today are better positioned for what's next: AI-driven attacks, rising compliance burdens, and the growing need for provable, process-aware security.
