Substation Asset Discovery that Meets NIS2


NIS2’s 2024/2690 implementing regulation turns “asset inventory” into an auditable control, not a spreadsheet ritual. For utilities, meeting it means safe discovery in OT, capturing IEC 61850 semantics, and feeding your SOC with explainable, evidence-ready telemetry. Do that, and audits become paperwork, not fire drills.

KEY TAKEAWAYS

• NIS2 turns OT asset inventory into an auditable, continuously updated control; design it for evidence, not effort.

• Blend passive discovery, safe active checks, and SCL parsing to reconcile “as-designed” with “as-is” safely.

• Capture IEC 61850 semantics and normalise MMS/GOOSE into SOC workflows for actionable, regulator-proof alerts.

Asset inventory obligations under NIS2

NIS2 (Implementing Regulation 2024/2690) requires relevant entities to develop and maintain a complete, accurate, up-to-date and consistent inventory of their assets, recording changes in a traceable manner. For substations, that scope spans IEDs, HMIs, gateways, firmware, datasets, and supporting services. ENISA’s 2025 guidance goes further with practical evidence: history of changes, ownership, location, last patch date, relationships, and logging requirements. The message is clear: your inventory must be provable and continuously maintained, not a quarterly clean-up.

  • Capture attributes: unique ID, model/firmware, zone, criticality, comms interfaces, and dependencies.
  • Keep lineage: who changed what, when, and why, backed by tooling.
  • Prefer automated discovery for coverage; fall back to manual only where necessary.

No spreadsheet archaeology. Build a living inventory that supports patching, incident response, and audit narratives, because audits now ask for evidence, not intent.

Discovery methods: passive, active-light, and SCL parsing

Start with passive discovery on SPAN/TAP: observe Layer-2/3, identify vendors, ports, and ICS protocols; profile MMS/GOOSE/SV talkers without touching endpoints. Add active-light probes only where safe (read-only queries, maintenance windows, vendor-approved scopes). Finally, leverage SCL parsing: ingest SCD/ICD/CID files to reconstruct the design-time view of IEDs, logical nodes, datasets and control blocks. Combine the three for a reconciled “as-designed vs as-observed” baseline.

  • Passive: fingerprint devices, map zones/links, detect rogue services.
  • Active-light: limited queries to confirm identity/firmware; no blind scans.
  • SCL: parse capabilities and topology from vendor files. Align with field reality.

Touch nothing that trips protection. The goal is continuous visibility with zero operational risk, following CISA’s systematic approach to creating and maintaining an OT asset inventory.

The relevant entities shall develop and maintain a complete, accurate, up-to-date and consistent inventory of their assets.

ENISA, Technical Implementation Guidance on Commission Implementing Regulation (EU) 2024/2690.

IEC 61850 semantics to capture: logical nodes and SCL

An inventory that ignores IEC 61850 semantics misses what auditors and engineers need. Capture logical nodes (LNs), data objects/attributes, datasets, and control blocks as first-class fields. Use SCL artefacts (ICD/SCD/CID) to pull the declared capabilities, naming, and report/GOOSE configurations. Record mappings between physical IEDs and their LNs (e.g., XCBR, PTOC, PTRC), plus which datasets feed reports or GOOSE. This turns “a relay” into an explainable function graph.

  • Index LNs and bind to IED serials, bays, and feeders.
  • Store SCL file hashes and version lineage for audits.
  • Note published/consumed GOOSE and report control blocks; capture SV presence where applicable.

Result: engineers can answer “what function failed, on which IED, with which dataset” in seconds, and the SOC can correlate events to functions, not just MAC addresses.
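The SCL parsing step from the discovery section and the IED-to-LN binding described above, sketched in Python. This is an added example, not code from the original article: the SCD fragment, IED name, vendor and the observed (MAC, APPID) pairs are constructed, and only GOOSE streams are reconciled against passive observations.

```python
import hashlib
import xml.etree.ElementTree as ET

SCL = "{http://www.iec.ch/61850/2003/SCL}"  # SCL namespace, Clark notation

# Constructed minimal SCD fragment (not from a real substation).
SAMPLE_SCD = b"""<SCL xmlns="http://www.iec.ch/61850/2003/SCL">
 <Communication><SubNetwork name="StationBus">
  <ConnectedAP iedName="BAY1_PROT" apName="AP1">
   <GSE ldInst="LD0" cbName="gcbTrip"><Address>
    <P type="MAC-Address">01-0C-CD-01-00-01</P><P type="APPID">0001</P>
   </Address></GSE>
  </ConnectedAP>
 </SubNetwork></Communication>
 <IED name="BAY1_PROT" manufacturer="ExampleVendor" type="RelayX">
  <AccessPoint name="AP1"><Server><LDevice inst="LD0">
   <LN0 lnClass="LLN0" inst="">
    <GSEControl name="gcbTrip" datSet="dsTrip" appID="BAY1_TRIP"/>
   </LN0>
   <LN lnClass="PTOC" inst="1"/><LN lnClass="XCBR" inst="1"/>
  </LDevice></Server></AccessPoint>
 </IED>
</SCL>"""

def parse_scd(raw: bytes) -> dict:
    """Design-time view: file hash, IEDs, logical nodes, GOOSE control blocks."""
    root = ET.fromstring(raw)  # use a hardened parser for files of unknown origin
    inv = {"scl_sha256": hashlib.sha256(raw).hexdigest(), "ieds": {}}
    for ied in root.findall(SCL + "IED"):
        lns = sorted(f'{ld.get("inst")}/{ln.get("lnClass")}{ln.get("inst")}'
                     for ld in ied.iter(SCL + "LDevice")
                     for ln in ld.findall(SCL + "LN"))
        inv["ieds"][ied.get("name")] = {"manufacturer": ied.get("manufacturer"),
                                        "type": ied.get("type"), "lns": lns, "goose": []}
    for cap in root.iter(SCL + "ConnectedAP"):
        entry = inv["ieds"].setdefault(cap.get("iedName"), {"lns": [], "goose": []})
        for gse in cap.findall(SCL + "GSE"):
            p = {e.get("type"): (e.text or "").strip() for e in gse.iter(SCL + "P")}
            entry["goose"].append({"cb": gse.get("cbName"), "appid": int(p["APPID"], 16),
                                   "mac": p["MAC-Address"].replace("-", ":").lower()})
    return inv

def reconcile(inv: dict, observed: set) -> dict:
    """Compare declared GOOSE streams with (dst_mac, appid) pairs seen on the TAP."""
    designed = {(g["mac"], g["appid"]): (name, g["cb"])
                for name, ied in inv["ieds"].items() for g in ied["goose"]}
    return {"missing": sorted(designed[k] for k in set(designed) - observed),
            "undeclared": sorted(observed - set(designed))}
```

`missing` lists control blocks the design declares but the network never showed; `undeclared` lists streams on the wire that no SCL file accounts for.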

Inventory first, then real insight

NIS2 demands auditable OT inventories; combine safe discovery with IEC 61850 semantics to deliver SOC-ready, regulator-proof evidence.

SOC integration: from MMS and GOOSE to actionable alerts

Make telemetry SOC-ready. Normalise MMS (associations, reads/writes, reports), GOOSE (publisher/subscriber, event rates, sequence numbers), and configuration changes into structured logs tied to your asset inventory. Alert on policy breaches (unauthorised MMS write), timing anomalies (GOOSE bursts/drops), and drift (SCL vs live config). Route enriched events to SIEM with asset IDs, LN context, zone/criticality, and last-patch data for triage.

  • Build parsers/use-cases: MMS association spikes; GOOSE publisher change; report control edits.
  • Attach “who/what changed” evidence for audit packs.
  • Keep SOC playbooks aligned to NIS2 evidence expectations and your asset-management chapter.

Alarms that can’t be assigned are noise. Tie every alert to an owner, an IED, and a next action, or retire it.
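One way to turn decoded GOOSE headers into inventory-enriched alerts, as an added example rather than code from the original article. The inventory record, asset IDs, MAC addresses, rule names and frames are constructed; the sketch assumes a passive sensor already decodes gocbRef, stNum and sqNum, and it does not handle counter rollover or publisher restarts.

```python
GOCB = "BAY1_PROTLD0/LLN0$GO$gcbTrip"

# Constructed inventory keyed by GOOSE control block reference (hypothetical IDs).
INVENTORY = {GOCB: {"asset_id": "IED-0001", "src_mac": "00:11:22:33:44:55",
                    "lns": ["PTOC1", "XCBR1"], "zone": "station-bus",
                    "owner": "protection-team"}}

FRAMES = [  # constructed: (ts, src_mac, gocbRef, stNum, sqNum)
    (10.000, "00:11:22:33:44:55", GOCB, 7, 41),
    (11.000, "00:11:22:33:44:55", GOCB, 7, 42),
    (12.000, "00:11:22:33:44:55", GOCB, 7, 45),   # sqNum 43-44 never seen
    (12.004, "00:11:22:33:44:99", GOCB, 8, 0),    # new state from a different sender
    (12.010, "00:11:22:33:44:55", GOCB, 7, 46),   # stNum lower than last seen
    (13.000, "00:11:22:33:44:77", "ROGUELD0/LLN0$GO$gcb1", 1, 0),  # not in inventory
]

def detect(frames, inventory):
    """Return alerts enriched with asset ID, LN context, zone and owner."""
    last, alerts = {}, []  # last: gocbRef -> (stNum, sqNum) of the highest state seen

    def alert(rule, ts, gocb, detail):
        a = inventory.get(gocb, {})
        alerts.append({"ts": ts, "rule": rule, "gocb": gocb, "detail": detail,
                       "asset_id": a.get("asset_id"), "lns": a.get("lns", []),
                       "zone": a.get("zone"), "owner": a.get("owner", "unassigned")})

    for ts, src, gocb, st, sq in frames:
        asset = inventory.get(gocb)
        if asset is None:
            alert("undeclared_goose_stream", ts, gocb, f"src={src}")
            continue
        if src != asset["src_mac"]:
            alert("publisher_change", ts, gocb, f"src={src} expected={asset['src_mac']}")
        pst, psq = last.get(gocb, (st, sq - 1))  # first frame sets the baseline
        if st < pst:
            alert("stnum_regression", ts, gocb, f"stNum {st} after {pst}")
            continue  # keep the highest state as the reference
        if st == pst and sq != psq + 1:
            alert("sqnum_gap", ts, gocb, f"sqNum {psq} -> {sq}")
        last[gocb] = (st, sq)
    return alerts
```

An alert whose `owner` comes back as `unassigned` is the case the paragraph above warns about: either the inventory is missing the stream or the rule needs retiring.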

FAQ

What does NIS2 expect for substation inventories?

A complete, accurate, up-to-date, consistent inventory with traceable change history and clear ownership/attributes.

How do we discover assets without risking trips?

Use passive capture first, add vendor-approved active-light checks, and parse SCL files to enrich the model.

Which IEC 61850 data should we store?

Logical nodes, datasets, report/GOOSE control blocks, SCL file lineage, and IED-to-function bindings.

What should reach the SOC?

Normalised MMS/GOOSE/SV events linked to inventory IDs, with policies to flag writes, config changes, and timing anomalies.


About the Author

Liam Rose

I founded this site to share concise, actionable guidance. While RFID is my speciality, I cover the wider Industry 4.0 landscape with the same care, from real-world tutorials to case studies and AI-driven use cases.