Intrusion detection systems (IDS) are commonly categorized into misuse based, anomaly based and specification based IDS. Both misuse based IDS and anomaly based IDS are extensively researched in academia and industry. However, as critical infrastructures including smart grids (SG) may often face sophisticated unknown attacks in the near future, misuse based attack detection techniques will mostly miss their targets. Despite the fact that anomaly based IDS can detect novel attacks, they are not often deployed in industry, mainly owing to high false positive rate and lack of interpretability of trained models. With misuse based IDS' inability to detect unknown attacks and requirement for frequently manually crafting and updating signatures and with anomaly based IDS' bad reputation for high false alarm rate, specification based IDS can be regarded as the most suitable detection engine for cyber-physical systems (CPS) including SG. We argue that specification based IDS especially using rule learning could prove to be the most promising IDS for SG. Intrusion detection rules are learned through rule learning techniques and periodically automatically updated to accommodate dynamic system behaviors in SG. Fortunately, rule learning based IDS can not only detect previously unknown attacks but also achieve higher interpretability, due to symbolic representation of learned rules. It can thus be considered more "trustworthy" from human perspective and further assist human in the loop security operation. The present work provides a systematic and deep analysis of rule learning techniques and their suitability for IDS in SG. Besides, it concludes the most important criteria for learning intrusion detection rules and assessing their quality. This work serves not only as a guide to a number of important rule learning techniques but also as the first survey on their applications in IDS, which indicates their potential opportunities in SG security.