Abstract: Cyber threat indicators (CTIs) are the information needed to describe or identify cybersecurity threats in cyberspace. Effective CTIs that represent and depict attack behaviors are the foundation of cybersecurity assurance. The intensity and capability level of the attacks that substation monitoring and control systems must withstand differ significantly from those faced by general information systems. Organized attacks carried out by individuals with professional knowledge can infiltrate production control areas through supply chain attacks, bypass identity and access management restrictions, and may not trigger any security alert. CTIs designed for general information systems are therefore inadequate for accurately detecting highly concealed cyber attacks aimed specifically at substation monitoring and control systems. To address this, the traditional CTIs of general information systems are first summarized, and the existing CTIs designed around the characteristics of substation monitoring and control systems are then analyzed. On this basis, and in response to the challenge of detecting highly concealed security threats, the design and extraction of compliance-oriented, substation-specific CTIs are anticipated, considering that the various business systems within the substation monitoring and control system execute their tasks according to established process rules, and that primary system status is strongly coupled with the communication and alerting of the secondary system. This approach is expected to accurately characterize highly concealed security threats that trigger no alerts but violate business rules, laying the groundwork for further enhancing security protection capabilities.
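As an added illustration of the compliance-oriented CTIs the abstract proposes (example code, not the paper's own), the following checks a constructed substation event log against two indicator families: a hypothetical process rule (an operate command must follow a select for the same object) and the primary/secondary coupling rule (a primary-side status change must be explained by a secondary-side protection alarm or control command). The equipment ids, time windows, and log entries are all constructed assumptions.

```python
# Added illustration, not the paper's code: compliance-based CTI checks over a
# constructed substation event log. Rule 1 (hypothetical process rule): an operate
# must follow a select for the same object within SELECT_WINDOW s. Rule 2 (coupling):
# a primary-side status change must have a secondary-side cause within COUPLING_WINDOW s.
from dataclasses import dataclass


@dataclass
class Event:
    t: float        # seconds since log start
    src: str        # "hmi", "protection" or "primary"
    kind: str       # "select", "operate", "alarm" or "status"
    obj: str        # equipment id, e.g. "CB101" (constructed)
    value: str = ""


SELECT_WINDOW = 30.0    # hypothetical select-before-operate timeout
COUPLING_WINDOW = 2.0   # hypothetical max delay between cause and status change


def check_process_rules(events):
    # Flag operate commands with no valid preceding select (rule 1).
    findings, pending = [], {}
    for e in sorted(events, key=lambda ev: ev.t):
        if e.kind == "select":
            pending[(e.src, e.obj)] = e.t
        elif e.kind == "operate":
            t_sel = pending.pop((e.src, e.obj), None)
            if t_sel is None or e.t - t_sel > SELECT_WINDOW:
                findings.append(("operate_without_select", e.obj, e.t))
    return findings


def check_primary_secondary_coupling(events, window=COUPLING_WINDOW):
    # Flag primary status changes with no secondary-side cause (rule 2).
    causes = [c for c in events if c.kind in ("alarm", "operate")]
    findings = []
    for e in events:
        if e.src == "primary" and e.kind == "status":
            if not any(c.obj == e.obj and 0 <= e.t - c.t <= window for c in causes):
                findings.append(("unexplained_status_change", e.obj, e.t))
    return findings


SAMPLE_EVENTS = [  # constructed log; none of these would raise a normal alert
    Event(0.0, "hmi", "select", "CB101"),
    Event(1.5, "hmi", "operate", "CB101", "open"),
    Event(2.0, "primary", "status", "CB101", "open"),         # compliant
    Event(60.0, "protection", "alarm", "CB102", "overcurrent"),
    Event(60.3, "primary", "status", "CB102", "open"),        # compliant trip
    Event(120.0, "hmi", "operate", "CB103", "open"),          # select skipped
    Event(120.4, "primary", "status", "CB103", "open"),
    Event(200.0, "primary", "status", "CB104", "open"),       # no cause at all
]
```

Running both checks over `SAMPLE_EVENTS` yields one process-rule finding (CB103 operated without a select) and one coupling finding (CB104 changed state with no secondary-side cause), neither of which a conventional alert-based indicator would surface.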