
Energy Sector Solution

SIGA Process Oriented OT Cybersecurity


Energy infrastructure relies on critical assets that form the backbone of power generation and distribution.

Traditional network-based tools cannot confirm how the physical process is actually behaving.

SIGA provides an uncompromised source of truth and step-by-step playbooks to verify process integrity and accelerate incident response.

Legacy Challenge

60% legacy systems: ICS designed decades ago, not built for cybersecurity resilience.
40 years old: average age of U.S. electrical infrastructure; 25% is 50+ years old.

Attack Scenarios

SIGA monitors raw electrical signals at Level 0 to provide an unfiltered view of the physical process.

By analyzing data directly from the source, it identifies malicious manipulation of PLC logic or sensor values – including false data injections – even when the HMI is spoofed.

CIRCUIT BREAKER INTERFERENCE

01 | Attack Vector: Targeting the circuit breakers' protection devices.
02 | Consequence: Circuit breakers are tripped, causing supply lines to be disconnected.
03 | Impact: Power outage in the grid, resulting in a large-scale blackout.

GENERATOR EXCITATION INTERFERENCE

01 | Attack Vector: Deliberate interference with the generator excitation system.
02 | Consequence: Disorders in reactive power, causing the system to shut down.
03 | Impact: Power outage; no power is supplied to the grid.

The solution suite provides the earliest alerts during the expression phase of an evolving OT cyber-attack.

It supports the entire Incident Response process by offering process attack simulation for team preparation, real-time threat detection and classification, and critical decision support for containment and recovery.

CUSTOMER EVIDENCE

Validated in high-voltage substation testing

New York Power Authority: Proving Level 0 Monitoring in a 345 kV Substation Environment

Attack Detection Speed: < 1 s
4/4 Attacks Detected
2 Weeks Baseline Learning
Detected Attacks Masked From PLC/SCADA
Forensic Level 0 Data Recorded

The Challenge

High-voltage substations can be vulnerable to cyber-physical manipulation where attackers alter field-level behavior while reporting normal values to PLCs, RTUs, HMIs, or SCADA systems.

NYPA needed a way to detect changes in the physical process that would not appear in controller or network data.

The Solution

SigaGuard was deployed in a simulated high-voltage substation to monitor Level 0 electrical signals independently of the control system.

Engineers ran targeted cyber-physical attack scenarios to test SigaGuard’s ability to detect hidden changes in process behavior.

The Results

SigaGuard detected all simulated attacks in under one second, including manipulations that did not appear in PLC, RTU, HMI, or SCADA values.

Parallel Reference Monitoring triggered multiple detection models for each event, and Level 0 signal logs enabled detailed forensic reconstruction.

“The results showed promise in helping seal our infrastructures from any cyber threat, at Level 0 of any machinery, equipment or process”
Kenneth (KC) Carnes, VP Critical Secure Services and CISO at New York Power Authority

Our comprehensive, multi-level OT cybersecurity suite comprises three standalone cybersecurity solutions:

Level 0 Detection Incident Response

The physical foundation. An out-of-band hardware sensor that captures raw electrical signals to establish uncompromised "Physical Truth".

Levels 1-4 Detection Incident Response

The analytical engine. Advanced software that correlates Level 0-4 data to identify False Data Injection and stealth attacks in real-time.

Simulation

A simulator that safely injects software-based anomalies to train teams on real attack patterns without risking live equipment.

SigaGuard - Level 0
SigaGuardX - Levels 1-4
SigaPAS - Training

Key Benefits

Early Threat Detection

Detects physical impact during the exploitation phase, before processes are compromised.

High-Certainty Insights

Distinguishes genuine cyber incidents from operational faults using physical validation.

Regulatory Compliance

Provides the forensic evidence needed for NERC, NIS2, and CIRCIA reporting.

Zero Operational Risk

Fully non-intrusive, out-of-band architecture with no impact on live equipment.

Physical Process Validation for Regulatory Compliance

Energy infrastructure faces an evolving regulatory landscape where maintaining the integrity and continuity of services is now a legal requirement. SigaML² provides the verifiable, process-level evidence that supports compliance with the following global standards:

NERC CIP

Supports Internal Network Security Monitoring (INSM) objectives by providing continuous, out-of-band verification of the physical state of Bulk Electric System (BES) assets.

EU NIS2 Directive

Assists in implementing appropriate and proportionate technical measures for incident detection and the protection of essential service continuity.

U.S. CIRCIA / TSA

Provides high-resolution, forensics-ready records of physical equipment behavior, facilitating the accurate verification required for strict incident reporting timelines.


    Frequently Asked Questions

    Most energy grids rely on legacy assets designed decades ago without native security controls. Because these systems cannot be patched or updated to validate commands, attackers can spoof data or modify logic without detection by traditional network tools.

    SIGA addresses this by shifting observation to Level 0 of the Purdue Model. By monitoring raw electrical signals (I/O) directly from the physical equipment, SIGA creates an out-of-band "source of truth." This data remains trustworthy and unfiltered, even if the upper network layers are compromised.

    How does SIGA distinguish between a cyberattack and a routine electrical fault?

    SIGA identifies discrepancies by comparing what the digital control system claims is happening against the raw physical reality at Level 0.

    While a routine electrical fault follows known physical patterns, a cyberattack often involves unauthorized changes to process logic or the "masking" of malicious activity.

    By capturing high-resolution data at the moment an event manifests, SIGA allows operators to see the gap between reported values and actual equipment behavior, exposing threats that traditional cybersecurity tools miss.
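
The comparison described in this answer, sketched as an added illustration (this is not SIGA's code or algorithm): an out-of-band field measurement is checked against a learned baseline and against the value the control system reports. The feeder-current samples, the thresholds and the label names are all constructed assumptions.

```python
from statistics import mean, stdev

# Constructed samples (amps) for one feeder: (level0_measured, scada_reported).
BASELINE = [(400.2, 400.0), (399.6, 399.8), (401.1, 401.0), (400.5, 400.4),
            (399.1, 399.3), (400.8, 400.9), (399.9, 400.1), (400.4, 400.2)]
LIVE = [
    (400.3, 400.1),  # steady state
    (12.0, 11.5),    # current collapses and the control system shows it
    (11.8, 400.2),   # current collapses, reported value still looks normal
    (400.6, 0.0),    # field is normal, reported value is not
]

def learn_baseline(samples, k=4.0, floor=1.0):
    """Learn the normal Level 0 band and the allowed measured/reported gap."""
    field = [f for f, _ in samples]
    gaps = [abs(f - r) for f, r in samples]
    spread = max(k * stdev(field), floor)       # floor avoids a zero-width band
    tolerance = max(mean(gaps) + k * stdev(gaps), floor)
    mu = mean(field)
    return (mu - spread, mu + spread), tolerance

def classify(field, reported, band, tolerance):
    """Label one sample by where the field value sits and whether reports agree."""
    in_band = band[0] <= field <= band[1]
    agree = abs(field - reported) <= tolerance
    if agree:
        # Both views match: either nothing happened, or the event is visible
        # to the control system and can be triaged as an operational event.
        return "NORMAL" if in_band else "PROCESS_EVENT"
    # Views diverge: the reported value cannot be trusted on its own.
    return "REPORT_MISMATCH" if in_band else "MASKED_CHANGE"

def run(baseline=BASELINE, live=LIVE):
    band, tolerance = learn_baseline(baseline)
    return [classify(f, r, band, tolerance) for f, r in live]

if __name__ == "__main__":
    for sample, verdict in zip(LIVE, run()):
        print(sample, verdict)
```

A `PROCESS_EVENT` label only means both views agree; it does not by itself establish that the cause was benign.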

    SigaML² strengthens the "burden of proof" by providing a forensics-ready telemetry record that is independent of the primary control network.

    The new CIP-015-1 standard requires Internal Network Security Monitoring (INSM) to detect and retain data on anomalous activity. SigaML² complements INSM by allowing operators to correlate network anomalies with independent process signals. This improves incident reconstruction and ensures audit evidence remains defensible, even if control-layer logs are incomplete or have been tampered with.

    Is it necessary to monitor every single I/O point across a power plant or substation?

    No. To achieve comprehensive process visibility, you only need to monitor a strategic subset of critical signals, typically just 3–10% of total I/O.