
GRID Domain 2: Detection in an ICS Environment - Complete Study Guide 2026

TL;DR
  • Domain 2 focuses on detection specific to ICS/OT environments, not generic IT network detection - know the difference cold.
  • The GRID exam is 75 questions in 2 hours with a 74% passing threshold; open hardcopy notes are allowed, internet is not.
  • Detection knowledge overlaps heavily with Domain 4 (Monitoring) and Domain 5 (Threat Hunting) - study them as a cluster.
  • ICS protocol behavior - Modbus, DNP3, EtherNet/IP - is a direct detection source; you must understand normal to find abnormal.

What Is Domain 2 and Why Detection Matters in ICS

Among the seven domains tested on the GIAC Response and Industrial Defense (GRID) certification, Domain 2 - Detection in an ICS Environment - sits at the operational heart of the exam. Detection is the discipline that bridges passive monitoring and active response: you cannot defend what you cannot see, and you cannot respond to what you never detected.

What makes this domain genuinely difficult is the same thing that makes ICS security a specialized field. Industrial control systems were designed for reliability and uptime, not detection-friendly logging or network visibility. Many ICS protocols lack authentication, produce minimal logging, and operate on proprietary communication patterns that generic SIEM rules will never flag. A GRID candidate who approaches Domain 2 from a pure IT security background will consistently miss the nuance the exam rewards.

GIAC does not publish domain weighting percentages, so it would be misleading to assign a specific score percentage to Domain 2. What the exam structure makes clear, however, is that detection capability is inseparable from the other tested disciplines. Detection informs incident response (Domain 3), feeds monitoring (Domain 4), enables threat hunting (Domain 5), and applies intelligence outputs (Domain 6). If your detection fundamentals are weak, you will feel that weakness ripple across every section of the 75-question exam.

Why ICS Detection Is Different: In traditional IT environments, detection often centers on endpoint telemetry and east-west traffic analysis. In ICS environments, detection centers on process behavior, protocol deviations, engineering workstation activity, and historian traffic - sources that require OT-specific tooling and context to interpret correctly.

If you want a broader map of how Domain 2 fits alongside all seven tested areas, the GRID Exam Domains 2026: Complete Guide to All 7 Content Areas provides that context before you drill into this domain's specifics.

Core Detection Concepts Every GRID Candidate Must Master

Signature-Based vs. Anomaly-Based Detection in OT

Both detection paradigms appear in GRID exam questions, and the exam rewards candidates who understand when each approach is appropriate in an ICS context - not just what the terms mean.

Signature-based detection in ICS typically involves writing Snort or Suricata rules tuned to specific ICS protocols, known exploit payloads (like those observed in campaigns against PLCs), or malformed function codes in Modbus or DNP3 traffic. The advantage is precision; the limitation is that it cannot catch novel behavior or legitimate-looking but malicious commands.

Anomaly-based detection requires an established baseline of normal process behavior. In ICS, this baseline is unusually stable - a legitimate PLC controlling a pump does not suddenly poll a new register at 3 AM. That stability is an advantage for anomaly detection, but building an accurate baseline requires deep knowledge of the specific process being monitored.

Domain 2: Key Detection Knowledge Areas

Candidates must demonstrate working knowledge of how to detect threats at multiple points within ICS architectures.

  • Identifying malicious traffic within ICS protocol communications
  • Recognizing unauthorized engineering workstation connections to field devices
  • Detecting lateral movement across the Purdue model zone boundaries
  • Identifying covert channel use within legitimate ICS protocol traffic
  • Recognizing indicators of reconnaissance and enumeration targeting PLCs and RTUs
  • Understanding the role of DMZ architectures in enabling detection points
  • Applying YARA rules and network signatures to OT-specific threats

Understanding Normal to Detect Abnormal

This principle sounds simple but is the single most frequently tested concept in detection-oriented GRID questions. You cannot write a meaningful detection rule for a Modbus read coil request without knowing what normal Modbus polling cycles look like, which master stations are authorized to query which slave devices, and what register ranges are in use for that specific process.

Study the function code structure of at least Modbus, DNP3, and EtherNet/IP. Know what a legitimate session looks like. Know, by comparison, what a scanning tool or an attacker probing PLC function code ranges looks like. The exam will present you with traffic descriptions or scenarios where this distinction determines the correct answer.
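To make the "know normal" principle from the two passages above concrete, here is an added example (not code from the study guide or from any vendor product) of a baseline-driven Modbus/TCP request checker: it parses the MBAP header and request PDU, then flags any request whose master/unit pair, function code or address range falls outside the baseline. The baseline, host addresses and frames are constructed for illustration.

```python
"""Baseline-driven Modbus/TCP request checker (added example; not from the
study guide).  The baseline, hosts and frames below are constructed."""
import struct

# Public function codes from the Modbus specification
FC_NAMES = {1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
            4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
            15: "Write Multiple Coils", 16: "Write Multiple Registers"}
WRITE_FCS = {5, 6, 15, 16}
COUNTED_FCS = {1, 2, 3, 4, 15, 16}   # requests whose second PDU field is a quantity

# Constructed baseline for one pump-station PLC: (master IP, unit id) ->
# permitted function codes and, per code, the permitted [start, end) address range.
BASELINE = {
    ("10.10.2.5", 1): {"fcs": {1, 3}, "ranges": {1: (0, 16), 3: (100, 120)}},
}

def parse_request(frame: bytes):
    """Return (unit, fc, start, count) from an MBAP header plus request PDU."""
    if len(frame) < 12:
        raise ValueError("frame too short")
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("malformed MBAP header")
    fc = frame[7]
    start, count = struct.unpack(">HH", frame[8:12])   # value, not count, for FC 5/6
    return unit, fc, start, count

def check_request(src: str, frame: bytes) -> list:
    """Return the reasons a request deviates from baseline; [] means normal."""
    unit, fc, start, count = parse_request(frame)
    allowed = BASELINE.get((src, unit))
    if allowed is None:
        return [f"unknown master/unit pair {src}/unit {unit}"]
    if fc not in allowed["fcs"]:
        kind = "write" if fc in WRITE_FCS else "read"
        return [f"unexpected {kind} function code {fc} ({FC_NAMES.get(fc, 'unknown')})"]
    lo, hi = allowed["ranges"][fc]
    span = count if fc in COUNTED_FCS else 1
    if start < lo or start + span > hi:
        return [f"address {start}+{span} outside baseline range {lo}-{hi}"]
    return []

# Constructed frames: a routine poll, a poll past the baseline range, and a
# Write Multiple Registers request that the baseline never permits
NORMAL = struct.pack(">HHHBBHH", 1, 0, 6, 1, 3, 100, 10)
OUT_OF_RANGE = struct.pack(">HHHBBHH", 2, 0, 6, 1, 3, 118, 10)
WRITE = struct.pack(">HHHBBHHB", 3, 0, 11, 1, 16, 100, 2, 4) + b"\x00\x01\x00\x02"

if __name__ == "__main__":
    for src, frame in [("10.10.2.5", NORMAL), ("10.10.2.5", OUT_OF_RANGE),
                       ("10.10.2.5", WRITE), ("10.10.3.77", NORMAL)]:
        print(src, check_request(src, frame) or "normal")
```

The same three checks (who talks to whom, with which function codes, over which addresses) are what a signature rule cannot express on its own and what an anomaly baseline must capture.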

ICS-Specific Detection Challenges and Protocol Awareness

Why Conventional SIEM Rules Fail in OT Environments

Enterprise SIEM platforms are built around log formats that ICS devices often cannot produce. Many PLCs and RTUs generate no event logs whatsoever, or generate logs in proprietary vendor formats that require middleware to translate. A GRID candidate must understand this structural gap and know the architectural workarounds: passive network monitoring taps, industrial-grade IDS platforms (like Dragos, Claroty, or Nozomi Networks - understand their detection methodology even if the exam does not test specific vendor UIs), and historians as indirect behavioral sources.

Protocol-Level Detection Knowledge

The GRID exam expects you to work at the protocol level. This is non-negotiable for Domain 2. The following table summarizes detection-relevant characteristics of the most commonly tested ICS protocols.

| Protocol | Authentication | Key Detection Indicator | Common Attacker Abuse |
|---|---|---|---|
| Modbus TCP | None | Unexpected function codes or register ranges | Unauthorized write commands to coils/registers |
| DNP3 | Optional (SAv5) | Unsolicited responses, unexpected data link addresses | Replay attacks, spoofed master station requests |
| EtherNet/IP | None (standard) | CIP service codes outside expected operational range | Implicit messaging abuse, logic download attempts |
| OPC (DA/UA) | UA has security profiles | Unauthorized browse or read of OPC namespace | Data exfiltration via legitimate historian polling |
| IEC 61850 (GOOSE) | None for GOOSE | Spoofed GOOSE messages on substation LAN | False tripping of protection relays |

Spend real time with these protocols in a lab or capture analysis environment. Wireshark dissectors exist for all of them, and working through packet captures is far more effective than re-reading definitions.

Open-Book Exam Strategy for Protocol Tables: The GRID exam allows hardcopy notes and books - no internet or computer resources. Build a personal reference sheet for each ICS protocol's function code ranges, normal traffic patterns, and known attack indicators. Organized notes are one of the most valuable assets you can bring into the testing room.

Detection Across the Purdue Model

Domain 2 questions are frequently anchored to specific Purdue Model zones - Level 0 through Level 4. Detection strategies differ meaningfully across zones. At Level 0 and Level 1 (field devices and basic control), detection is primarily passive network monitoring because active scanning can disrupt process operations. At Level 2 and Level 3 (supervisory and site operations), detection can incorporate more active elements including endpoint monitoring on HMIs and engineering workstations. At Level 3.5 (the industrial DMZ) and Level 4 (enterprise), detection strategy begins to resemble traditional IT security more closely.

Knowing where a specific detection technique is appropriate - and why it would be dangerous in a different zone - is the kind of applied question Domain 2 favors.

Detection Tools, Signatures, and Anomaly-Based Approaches

Industrial IDS and Passive Monitoring Architecture

Because active scanning of ICS networks can interrupt real-time control loops, passive monitoring is the dominant detection architecture at the field device level. Candidates should understand tap placement, span port configuration on managed switches, and how traffic capture at Level 2 and Level 3 boundaries provides the highest detection value for lateral movement scenarios.

Know how to position a sensor to see traffic between the DMZ and the control network, traffic between HMI workstations and PLCs, and traffic crossing the historian connection. Each position catches different attacker behaviors, and the exam may ask you to select the optimal sensor placement for a described scenario.

YARA Rules and Custom Signatures for ICS Malware

YARA rules designed for ICS threats like Industroyer (Crashoverride) and TRITON/TRISIS are a legitimate Domain 2 topic. The exam will not ask you to write a rule from scratch in a multiple-choice format, but it will expect you to recognize what a YARA rule targeting ICS-specific artifacts (specific DLL names, protocol handler patterns, PLC project file signatures) would contain and why those artifacts are significant.

Key Takeaway

Domain 2 does not test detection in the abstract. It tests your ability to map specific attacker techniques - reconnaissance, lateral movement, command injection - to specific detection mechanisms, sensor placements, and protocol artifacts within the ICS architecture. Practice applying each detection concept to a described scenario, not just defining it.

Windows Event Logging on ICS Engineering Workstations

Engineering workstations (EWS) represent one of the highest-value detection points in an ICS environment. They are Windows-based, they have direct protocol-level access to PLCs and RTUs, and they are frequent lateral movement targets. GRID Domain 2 expects candidates to know which Windows event IDs are most relevant in this context: process creation events (4688), logon events (4624/4625), PowerShell execution logging, and WMI activity - all interpreted through the lens of what legitimate EWS activity looks like versus attacker behavior.
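As an added illustration (not from the study guide), the following Python applies EWS-specific rules to constructed 4688/4624/4625 records: a script host launched on the workstation, an RDP logon (logon type 10) from anywhere but an assumed jump host, and a burst of failed logons from one source. The process allowlist, the hypothetical vendor tool path and the host addresses are assumptions.

```python
"""Windows event triage for an engineering workstation (added example; not
from the study guide).  The allowlists and log records are constructed."""
from collections import Counter

# Constructed EWS baseline: the processes an engineer normally runs there and
# the only host that should open RDP sessions to it (both hypothetical values)
EXPECTED_PROCESSES = {
    r"c:\program files\vendorx\engtool.exe",   # hypothetical PLC programming tool
    r"c:\windows\explorer.exe",
    r"c:\windows\system32\svchost.exe",
}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wmic.exe", "wscript.exe"}
AUTHORIZED_RDP_SOURCES = {"10.10.3.10"}        # hypothetical jump host
FAILED_LOGON_THRESHOLD = 5

def _base(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]

def triage(events: list) -> list:
    """Apply EWS-specific rules to 4688/4624/4625 records; return alert strings."""
    alerts, failures = [], Counter()
    for ev in events:
        eid = ev["EventID"]
        if eid == 4688:
            new, parent = ev["NewProcessName"].lower(), ev["ParentProcessName"].lower()
            if _base(new) in SCRIPT_HOSTS:          # scripting on an EWS is rarely normal
                alerts.append(f"script host {_base(new)} spawned by {_base(parent)}")
            elif new not in EXPECTED_PROCESSES:
                alerts.append(f"unexpected process {new} by {ev['SubjectUserName']}")
        elif eid == 4624 and ev["LogonType"] == 10:   # RemoteInteractive (RDP)
            if ev["IpAddress"] not in AUTHORIZED_RDP_SOURCES:
                alerts.append(f"RDP logon from unexpected source {ev['IpAddress']}")
        elif eid == 4625:
            failures[ev["IpAddress"]] += 1
    for ip, n in failures.items():
        if n >= FAILED_LOGON_THRESHOLD:
            alerts.append(f"{n} failed logons from {ip}")
    return alerts

# Constructed sample: a normal engineering session followed by suspicious activity
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 2, "IpAddress": "-", "SubjectUserName": "eng1"},
    {"EventID": 4688, "SubjectUserName": "eng1", "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Program Files\VendorX\EngTool.exe"},
    {"EventID": 4624, "LogonType": 10, "IpAddress": "10.10.5.44", "SubjectUserName": "eng1"},
    {"EventID": 4688, "SubjectUserName": "eng1", "ParentProcessName": r"C:\Program Files\VendorX\EngTool.exe",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
] + [{"EventID": 4625, "IpAddress": "10.10.5.44", "SubjectUserName": "admin"}] * 6

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print("ALERT:", a)
```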

How Domain 2 Connects to the Other Six GRID Domains

One of the structural features of GRID as an exam is that its domains are genuinely interdependent. A question nominally about detection may hinge on knowledge from another domain. Understanding these connections prevents tunnel vision during study and during the actual exam.

Domain 2 connects most directly to three other domains: Incident Response (Domain 3), which acts on what detection surfaces; Monitoring (Domain 4), which supplies the data detection analyzes; and Threat Hunting (Domain 5), which turns detection baselines into hypotheses.

You should also understand how Domain 1 (Active Defense) feeds detection - active defense techniques like deception technologies and honeypots are detection mechanisms as much as defensive ones. The GRID Domain 1: Active Defense in an ICS Environment - Complete Study Guide 2026 covers those detection-adjacent concepts in depth.

Scheduling Domain 2 Into Your GRID Prep Timeline

Because Domain 2 has the strongest knowledge dependencies on Domains 4 and 5, the most effective preparation sequence is to study Detection, Monitoring, and Threat Hunting as a cluster rather than treating each domain as an isolated block. The following timeline assumes six weeks of preparation for a candidate with existing ICS or OT security experience.

Week 1: ICS Protocol Foundations

  • Study Modbus, DNP3, EtherNet/IP functional behavior and packet structure
  • Work through Wireshark captures of ICS protocol traffic
  • Build your first reference sheet of normal vs. abnormal protocol indicators

Week 2: Domain 2 Core - Detection Concepts

  • Signature-based vs. anomaly-based detection applied to OT scenarios
  • Purdue Model zone-specific detection strategies
  • Passive monitoring architecture, tap placement, sensor positioning

Week 3: Domains 4 and 5 Cluster Study

  • Continuous monitoring architectures and data collection pipelines
  • Threat hunting hypothesis development using ICS behavioral baselines
  • Correlate monitoring and hunting techniques back to Domain 2 detection rules

Weeks 4-5: Remaining Domains and Integration

  • Cover Domains 1, 3, 6, and 7 with cross-reference to detection impacts
  • Practice scenario-based questions spanning multiple domains
  • Take timed practice exams at gridexam.com to identify weak areas

Week 6: Final Consolidation and Notes Organization

  • Finalize and organize all hardcopy notes for exam day use
  • Complete a full timed mock exam (75 questions, 2 hours)
  • Review all flagged questions and reinforce protocol-level detection concepts

For a full preparation strategy that integrates all seven domains, the GRID Study Guide 2026: How to Pass on Your First Attempt provides the comprehensive roadmap. The How Hard Is the GRID Exam? Complete Difficulty Guide 2026 is also worth reading before you finalize your timeline - understanding where most candidates struggle helps you allocate study time more precisely.

GRID Exam Mechanics You Must Know Before Test Day

Domain 2 knowledge is tested within the structure of an exam that has very specific mechanics. Knowing those mechanics is not optional preparation - it affects your test strategy directly.

  • Format: 75 multiple-choice questions delivered via GIAC's web-based proctored platform, available through remote proctoring or onsite at a Pearson VUE testing center.
  • Duration: 2 hours. This averages to approximately 96 seconds per question, which is enough time if you are not researching from scratch during the exam.
  • Passing score: 74%. You need to answer approximately 56 of 75 questions correctly.
  • Open materials: Hardcopy books and notes are permitted. Internet access, digital devices, and computer resources are not. This makes your physical notes a genuine strategic asset - organize them around Domain 2 protocol tables, detection rule logic, and scenario decision trees.
  • Cost: $999 for your first attempt. Retakes are $899. If you pass, renewal is required every four years for $499 plus continuing education credits.

The open-book format does not make Domain 2 easy. The 75-question count and 2-hour window mean you cannot look up every answer - you must know the material well enough that notes serve as confirmation, not as primary learning during the exam. Candidates who over-rely on notes consistently run out of time.

Note-Building Strategy for Domain 2: Create a dedicated section in your exam notes specifically for ICS protocol detection indicators. Include normal Modbus function code ranges, DNP3 addressing conventions, EtherNet/IP CIP service code reference, and a one-page summary of Windows event IDs relevant to engineering workstation monitoring. These are the details you want to confirm quickly, not reconstruct under time pressure.

For complete cost planning including training options, the GRID Certification Cost 2026: Complete Pricing Breakdown breaks down what the full investment looks like beyond the exam fee itself.

Frequently Asked Questions

How much of the GRID exam focuses on Domain 2 specifically?

GIAC does not publish percentage weights for any GRID domain, so no specific figure can be cited. What is clear from the domain structure is that detection knowledge is foundational across the full exam - it directly supports Monitoring (Domain 4), Threat Hunting (Domain 5), and Incident Response (Domain 3). Weak detection fundamentals will affect your performance across multiple question sets, not just those explicitly tagged to Domain 2.

Do I need lab experience with ICS protocols to pass Domain 2 questions?

Hands-on experience with ICS protocol traffic - even through Wireshark captures or simulation environments - is strongly advantageous. The exam presents scenario-based questions where you must apply protocol knowledge to identify malicious behavior. Candidates who have only read about Modbus or DNP3 without analyzing real or simulated traffic consistently struggle with the applied questions that Domain 2 emphasizes.

Can I use my study notes during the GRID exam?

Yes. The GRID exam permits hardcopy books and notes. Digital devices, computers, and internet resources are not permitted. This makes well-organized physical notes a legitimate exam strategy. For Domain 2, build protocol reference tables, detection indicator checklists, and Windows event ID summaries that you can locate quickly under time pressure.

How does Domain 2 relate to Domain 4 (Monitoring)?

Monitoring provides the continuous data collection infrastructure; detection is the analytical process that converts collected data into actionable alerts. In practice, you cannot study one effectively in isolation from the other. Domain 4 covers what data is collected and how; Domain 2 covers how that data is analyzed to identify threats. Plan to study them in the same preparation block for the strongest cross-domain retention.

What ICS malware families should I know for Domain 2?

Focus on malware designed specifically for ICS environments, including Industroyer (Crashoverride), TRITON/TRISIS (targeting safety instrumented systems), Stuxnet (PLC logic manipulation), and BlackEnergy ICS components. For each, understand the detection artifacts - specific protocol behaviors, file system indicators, and network signatures - that would allow detection at various points in the ICS network architecture. The exam rewards understanding of detection technique, not just malware naming.
