Why OT attacks don't (usually) have signatures
Signature-based detection is simple and effective — against threats someone has already seen, named, and written a rule for. That covers a lot of commodity IT malware. It covers a lot less of what actually hurts an industrial network.
What signatures catch
Some OT attacks do have signatures. The most infamous ICS malware (TRITON/TRISIS, Industroyer, PIPEDREAM) has been analysed, and rules exist to spot the samples that were found. If your only worry were a replay of known malware, signatures would take you a long way.
What they miss
The trouble is that the attacks most likely to cause an outage rarely look like known malware:
- Novel and zero-day attacks — by definition, no signature exists yet.
- Insider misuse — an engineer, or a compromised workstation, doing something it’s technically allowed to do, at the wrong time or in the wrong place.
- Legitimate commands used maliciously — a perfectly valid Modbus write or S7 command, issued by a device that should never issue it. The frame parses cleanly and the function code is one the PLC is meant to accept, so there is nothing malformed to match; only the sender, the target, or the timing is wrong.
And even for known threats, no signature library keeps pace with thousands of bespoke control networks — each with its own equipment, vintages, and quirks.
A different question
Behavioural detection asks a different question. Instead of “have I seen this exact attack before?”, it asks “is this normal for this network?”, judged against a baseline learned from the network itself, and “is this what a healthy OT network should look like?”, judged against how well-run control networks are known to behave.
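To make both points concrete, here is an added example. It is not Maigadi's code, and it is a deliberate simplification: a Modbus/TCP parser that accepts every well-formed frame (the check a protocol-aware signature performs), plus a baseline that learns which client/server pairs use which function codes and flags a valid write issued by a host that has only ever polled. The hosts, addresses and frames are constructed for the demo.

```python
# Added example, not Maigadi's code: a minimal behavioural baseline for
# Modbus/TCP that flags well-formed, valid commands issued by the wrong device.
# Hosts, addresses and frames below are constructed for the demo.
import struct
from collections import defaultdict

MODBUS_FUNCTIONS = {
    0x01: "Read Coils", 0x02: "Read Discrete Inputs",
    0x03: "Read Holding Registers", 0x04: "Read Input Registers",
    0x05: "Write Single Coil", 0x06: "Write Single Register",
    0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers",
}


def parse_modbus_tcp(frame: bytes):
    """Validate the MBAP header and return (unit_id, function_code).

    Raises ValueError on anything malformed. A legitimate but malicious
    write passes this check, which is all a signature has to work with.
    """
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol identifier {proto} is not Modbus")
    if length != len(frame) - 6:            # length field counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    fc = frame[7]
    if fc not in MODBUS_FUNCTIONS:
        raise ValueError(f"unsupported function code {fc:#04x}")
    return unit, fc


def build_frame(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Assemble a Modbus/TCP request (used only to construct sample traffic)."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


class BehaviouralBaseline:
    """Learns which (client, server, unit) pairs use which function codes."""

    def __init__(self):
        self.allowed = defaultdict(set)

    def learn(self, src: str, dst: str, frame: bytes) -> None:
        unit, fc = parse_modbus_tcp(frame)
        self.allowed[(src, dst, unit)].add(fc)

    def check(self, src: str, dst: str, frame: bytes):
        """Return None for in-baseline traffic, else an alert string with evidence."""
        unit, fc = parse_modbus_tcp(frame)     # well-formed: nothing here to match
        key, name = (src, dst, unit), MODBUS_FUNCTIONS[fc]
        if key not in self.allowed:
            return f"{src} has never talked to {dst} unit {unit} before (first request: {name})"
        if fc not in self.allowed[key]:
            seen = ", ".join(MODBUS_FUNCTIONS[f] for f in sorted(self.allowed[key]))
            return f"{src} sent {name} to {dst} unit {unit}; its baseline there is only: {seen}"
        return None


# Constructed hosts: an HMI that only polls, an engineering workstation that
# occasionally writes, the PLC they talk to, and a host nobody has seen before.
HMI, EWS, PLC, ROGUE = "10.0.0.10", "10.0.0.30", "10.0.0.20", "10.0.0.99"
READ_10_REGS = struct.pack(">HH", 0x0000, 10)       # start address 0, quantity 10
WRITE_SETPOINT = struct.pack(">HH", 0x0010, 1500)   # register 16 := 1500


def learning_window():
    """Constructed 'known good' traffic used to build the baseline."""
    frames = [(HMI, PLC, build_frame(i, 1, 0x03, READ_10_REGS)) for i in range(1, 6)]
    frames.append((EWS, PLC, build_frame(6, 1, 0x06, WRITE_SETPOINT)))
    return frames


def detection_window():
    """Constructed traffic to evaluate; every frame here is valid Modbus."""
    return [
        (HMI, PLC, build_frame(7, 1, 0x03, READ_10_REGS)),      # routine poll
        (EWS, PLC, build_frame(8, 1, 0x06, WRITE_SETPOINT)),    # engineer's usual write
        (HMI, PLC, build_frame(9, 1, 0x06, WRITE_SETPOINT)),    # same write, wrong issuer
        (ROGUE, PLC, build_frame(10, 1, 0x03, READ_10_REGS)),   # read from unknown host
    ]


def run_demo():
    """Train on the learning window, then return alerts from the detection window."""
    baseline = BehaviouralBaseline()
    for src, dst, frame in learning_window():
        baseline.learn(src, dst, frame)
    return [a for a in (baseline.check(s, d, f) for s, d, f in detection_window()) if a]


if __name__ == "__main__":
    for line in run_demo():
        print("ALERT:", line)
```

Two of the four frames are flagged: the HMI's write, byte-for-byte identical to the engineer's accepted write, and the read from a host with no history. The two caveats a practitioner should carry away: the learning window has to be clean, because anything an attacker does while you are learning becomes “normal”, and a (source, destination, function code) tuple is the crudest possible model. A production baseline would also track register ranges, value envelopes and timing, and would apply expectations about how a well-run OT network behaves (for example, writes come from engineering stations, not from HMIs) as a prior rather than waiting to learn them.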
That’s the approach Maigadi takes: it learns your network’s normal, applies what a well-run OT network should look like, and flags what doesn’t fit — with the evidence to back every alert. No rule to write. No signature to wait for.