OT/ICS · January 2025 · 13 min read

OT/ICS Security with DKTrace — Purdue Model Monitoring Without Disruption

How DKTrace monitors Modbus, DNP3, and IEC 61850 industrial protocols without sending a single packet to a PLC — with hardcoded safety rules that prevent automated isolation of life-critical assets.


DKTrace Research Team

Security Engineering · Threat Research

OT Security Is Different

A misconfigured firewall rule in IT means a service outage. A misconfigured isolation command in OT can mean a gas explosion, power blackout, or a failed surgical system mid-procedure. DKTrace treats OT security with extreme caution.

Critical Safety Rule (Hardcoded — Cannot Be Overridden)

Any asset carrying any of the following tags:

life_critical = true
safety_system = true
ot_device_type IN (PLC, RTU, SIS, ESD, SCADA_HMI)

will NEVER be subject to automated isolation, shutdown, or configuration change.

The maximum action any AUTO-tier playbook can perform on these assets is alert. MANAGER tier can additionally enable enhanced monitoring. Anything beyond that (isolation, shutdown, configuration change) requires:

1. CISO written approval
2. Secondary sign-off from the plant operations manager (configurable)
3. Maintenance window coordination

This rule is hardcoded in the response-orchestrator and cannot be disabled via configuration. Because the guard keys on asset tags, it only protects assets the inventory has classified: an untagged or misclassified PLC receives no special treatment, so tagging completeness is itself a safety control and should be audited alongside the rule.

Passive Monitoring — Zero Impact

DKTrace's ot-monitor (port 8112) uses:

SPAN/mirror ports on the OT network switch, giving a read-only copy of all traffic
Industrial protocol parsers for Modbus TCP, DNP3, IEC 61850 GOOSE/MMS, BACnet, OPC UA, PROFINET and EtherNet/IP

DKTrace never transmits to the OT network: zero packets are sent to any PLC, RTU, or safety system. Deployers should verify that guarantee on their own side as well: the capture interface should carry no IP address, so it can emit neither ARP nor IP, and a passive network TAP is preferable to a SPAN port where the switch may drop mirrored frames under load, since dropped frames are blind spots for every rule below.

Purdue Zone Enforcement

Purdue Level | Zone                | DKTrace Monitoring                          | Automated Actions
0–1          | Field / Control     | Alert on ANY unexpected cross-zone traffic  | Alert only
2            | Supervisory (SCADA) | Alert on IT→OT connections                  | Alert only
3            | Site Operations     | Full monitoring                             | MANAGER approval required
3.5          | DMZ                 | Standard monitoring                         | Full SOAR capabilities
4–5          | IT Network          | Standard IT monitoring                      | Full SOAR capabilities
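The safety rule and the Purdue-level table above describe one decision: given an asset and a playbook tier, what is the most intrusive action automation may take, and what does a human have to supply beyond that. The following is an added example written for this article, not DKTrace's orchestrator code. The tag names, tiers, level ceilings and approval steps are taken from the text; the ordering of the action ladder, the function names and the sample assets are this example's own assumptions.

```python
"""Added example, not DKTrace's orchestrator code: a fail-closed action gate that
combines the hardcoded life-critical rule with the Purdue-level ceilings in the
table above. Tag names, tiers and the approval steps come from the article; the
action ladder ordering, function names and sample assets are this example's own."""
from dataclasses import dataclass

# Action ladder from least to most intrusive (ordering assumed for the example).
ACTIONS = ["alert", "enhanced_monitoring", "isolate", "shutdown", "config_change"]
PROTECTED_DEVICE_TYPES = {"PLC", "RTU", "SIS", "ESD", "SCADA_HMI"}

# Ceiling for automated playbooks by Purdue level, from the table above.
# "MANAGER" = MANAGER-tier approval unlocks the full ladder; "full" = full SOAR.
LEVEL_CEILING = {"0": "alert", "1": "alert", "2": "alert",
                 "3": "MANAGER", "3.5": "full", "4": "full", "5": "full"}

# Approvals needed before any real action on a protected asset.
REQUIRED_APPROVALS = {"ciso_written", "plant_ops_manager", "maintenance_window"}


@dataclass
class Asset:
    name: str
    purdue_level: str
    life_critical: bool = False
    safety_system: bool = False
    ot_device_type: str = ""


def is_protected(asset: Asset) -> bool:
    """The hardcoded rule: any one of the three tags makes the asset untouchable."""
    return (asset.life_critical or asset.safety_system
            or asset.ot_device_type in PROTECTED_DEVICE_TYPES)


def max_automated_action(asset: Asset, tier: str) -> str:
    """Highest action an automated playbook may take. There is deliberately no
    override parameter: nothing passed in can widen the ceiling."""
    if is_protected(asset):
        # The tag check runs before the level lookup, so a level-4 device tagged
        # life_critical (a hospital system, say) is still capped at alert/monitoring.
        return "enhanced_monitoring" if tier == "MANAGER" else "alert"
    ceiling = LEVEL_CEILING.get(asset.purdue_level, "alert")  # unknown level: fail closed
    if ceiling == "full" or (ceiling == "MANAGER" and tier == "MANAGER"):
        return ACTIONS[-1]
    return "alert"


def authorize(asset: Asset, tier: str, requested: str,
              approvals=frozenset(), require_plant_ops: bool = True):
    """Decide whether `requested` may run; returns (allowed, reason).
    On a protected asset anything above the automated ceiling needs the human
    approval set; only the plant-ops sign-off is configurable, the CISO step is not."""
    if requested not in ACTIONS:
        return False, "unknown action %r" % requested
    if ACTIONS.index(requested) <= ACTIONS.index(max_automated_action(asset, tier)):
        return True, "within automated ceiling"
    if not is_protected(asset):
        return False, "above Purdue-level ceiling for tier %s" % tier
    needed = set(REQUIRED_APPROVALS)
    if not require_plant_ops:
        needed.discard("plant_ops_manager")
    missing = needed - set(approvals)
    if missing:
        return False, "missing approvals: " + ", ".join(sorted(missing))
    return True, "manual action with full approvals"


if __name__ == "__main__":
    plc = Asset("plc-01", "1", ot_device_type="PLC")
    print(max_automated_action(plc, "AUTO"), max_automated_action(plc, "MANAGER"))
    print(authorize(plc, "MANAGER", "isolate"))
    print(authorize(Asset("historian", "3"), "AUTO", "isolate"))
```

The point of the structure is that the protected-asset branch returns before any level or tier logic runs and there is no argument that reaches it, which is what "cannot be disabled via configuration" has to mean in code.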

OT-Specific Anomaly Detection

Modbus Function Code Abuse

FC 6 (Write Single Register) from an unexpected source IP → alert (FC 5, Write Single Coil, is the coil-side equivalent and warrants the same rule)
FC 15/16 (Write Multiple Coils / Write Multiple Registers) outside a maintenance window → alert
FC 8 (Diagnostics) with sub-function 0x0001 (Restart Communications Option) → immediate P1, since it forces the target to restart its communications interface
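To make the three rules concrete, here is an added example (not DKTrace's protocol parser) that decodes Modbus/TCP request frames as they would arrive from a mirror port and evaluates each against them. The MBAP header layout and the function-code semantics are from the Modbus specification; the engineering allowlist, the maintenance window, the addresses and the sample frames are constructed for the example. Only the request direction is evaluated.

```python
"""Added example, not DKTrace's protocol parser: decode Modbus/TCP request frames
as seen on a mirror port and apply the three function-code rules above. The
allowlist, maintenance window, addresses and frames are constructed for the example."""
import struct
from datetime import datetime, time

ENGINEERING_ALLOWLIST = {"10.20.1.10"}          # hosts expected to write (assumed)
MAINTENANCE_WINDOW = (time(22, 0), time(2, 0))  # 22:00 to 02:00 local, wraps midnight (assumed)


def parse_modbus_tcp(payload: bytes) -> dict:
    """Split the 7-byte MBAP header from the PDU; raise ValueError on malformed input."""
    if len(payload) < 8:
        raise ValueError("short frame")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"not Modbus (protocol id {proto})")
    if length != len(payload) - 6:      # MBAP length covers unit id + PDU
        raise ValueError("MBAP length mismatch")
    frame = {"tid": tid, "unit": unit, "fc": payload[7], "data": payload[8:]}
    if frame["fc"] == 8 and len(frame["data"]) >= 2:   # Diagnostics: 2-byte sub-function first
        frame["subfunction"] = struct.unpack(">H", frame["data"][:2])[0]
    return frame


def in_maintenance_window(ts: datetime) -> bool:
    start, end = MAINTENANCE_WINDOW
    t = ts.time()
    if start > end:                      # window crosses midnight
        return t >= start or t < end
    return start <= t < end


def evaluate(src_ip: str, ts: datetime, payload: bytes) -> list:
    """Alerts for one request frame as (severity, reason) tuples."""
    f = parse_modbus_tcp(payload)
    fc, alerts = f["fc"], []
    if fc == 8 and f.get("subfunction") == 0x0001:
        alerts.append(("P1", f"FC 8 Restart Communications Option from {src_ip}"))
    # The article lists FC 6; FC 5 (Write Single Coil) is the coil-side equivalent and is treated the same.
    if fc in (5, 6) and src_ip not in ENGINEERING_ALLOWLIST:
        alerts.append(("P2", f"FC {fc} single write from unexpected source {src_ip}"))
    if fc in (15, 16) and not in_maintenance_window(ts):
        alerts.append(("P2", f"FC {fc} multi-write outside maintenance window"))
    return alerts


def mbap(tid: int, unit: int, pdu: bytes) -> bytes:
    """Build a Modbus/TCP frame; used here only to construct sample traffic."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


SAMPLE_TRAFFIC = [  # (src_ip, timestamp, frame), all constructed for the example
    ("10.20.1.10", datetime(2025, 1, 14, 23, 15), mbap(1, 1, b"\x06" + struct.pack(">HH", 0x0010, 1200))),  # FC 6 from allowed host
    ("10.20.5.77", datetime(2025, 1, 14, 23, 16), mbap(2, 1, b"\x06" + struct.pack(">HH", 0x0010, 0))),     # FC 6 from rogue host
    ("10.20.1.10", datetime(2025, 1, 15, 9, 30), mbap(3, 1, b"\x10" + struct.pack(">HHB", 0x0100, 2, 4) + b"\x00\x01\x00\x02")),  # FC 16 in daytime
    ("10.20.5.77", datetime(2025, 1, 15, 9, 31), mbap(4, 1, b"\x08" + struct.pack(">HH", 0x0001, 0x0000))),  # FC 8 sub-function 1
    ("10.20.1.10", datetime(2025, 1, 15, 9, 32), mbap(5, 1, b"\x03" + struct.pack(">HH", 0, 10))),           # FC 3 read, benign
]


def run(traffic=SAMPLE_TRAFFIC) -> list:
    """Evaluate every sample frame; returns one alert list per frame."""
    return [evaluate(src, ts, frame) for src, ts, frame in traffic]


if __name__ == "__main__":
    for (src, ts, _), alerts in zip(SAMPLE_TRAFFIC, run()):
        print(src, ts.isoformat(), alerts or "ok")
```

The length check against the MBAP header matters on a passive sensor: a frame that fails it is either a TCP segment boundary the reassembly layer has not handled or a malformed packet, and either way the function code should not be trusted until the stream is reassembled.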

DNP3 Anomalies

Unsolicited responses addressed to unknown masters
Control operations (SELECT / OPERATE, Function Codes 3/4) from non-whitelisted sources; DIRECT_OPERATE (Function Codes 5/6) bypasses the select step entirely and should be held to the same rule
Time synchronisation from an unexpected source

IEC 61850 GOOSE Message Anomalies

GOOSE message replay (identical stNum and sqNum but different data)
GOOSE from an unexpected publisher MAC address
Control block reference (gocbRef) modification
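The three GOOSE checks all reduce to keeping per-publisher state and comparing each new message against it: stNum increments on every change to the data set and resets sqNum, while retransmissions of an unchanged state increment sqNum only. The following is an added example, not DKTrace code. It works on already-decoded fields; the constructed messages stand in for the output of an ASN.1/BER GOOSE decoder, which this example does not include, and the publisher table is an assumption.

```python
"""Added example, not DKTrace code: per-publisher stNum/sqNum tracking for
IEC 61850 GOOSE. Operates on decoded fields; the sample messages below are
constructed and stand in for the output of a BER GOOSE decoder (not included)."""
from dataclasses import dataclass

# Expected publisher MAC -> expected gocbRef (assumed inventory for the example).
KNOWN_PUBLISHERS = {"01:0c:cd:01:00:01": "IED1CFG/LLN0$GO$gcb01"}


@dataclass
class Goose:
    src_mac: str
    gocb_ref: str
    st_num: int
    sq_num: int
    data: tuple          # decoded allData values


class GooseTracker:
    def __init__(self, publishers=KNOWN_PUBLISHERS):
        self.publishers = publishers
        self.last = {}   # src_mac -> last accepted message

    def check(self, msg: Goose) -> list:
        """Return a list of anomaly strings; only clean messages advance the state."""
        alerts = []
        expected_ref = self.publishers.get(msg.src_mac)
        if expected_ref is None:
            alerts.append(f"unexpected publisher MAC {msg.src_mac}")
        elif msg.gocb_ref != expected_ref:
            alerts.append(f"control block reference changed: {expected_ref} -> {msg.gocb_ref}")
        prev = self.last.get(msg.src_mac)
        if prev is not None:
            if (msg.st_num, msg.sq_num) == (prev.st_num, prev.sq_num) and msg.data != prev.data:
                # The article's replay rule: same counters, different payload.
                alerts.append(f"replay/injection: same stNum/sqNum {msg.st_num}/{msg.sq_num} with different data")
            elif msg.st_num < prev.st_num:
                # An old message put back on the wire (counter wrap at 2^32 not modelled).
                alerts.append(f"stNum regression {prev.st_num} -> {msg.st_num}")
            elif msg.st_num == prev.st_num and msg.sq_num < prev.sq_num:
                alerts.append(f"sqNum regression {prev.sq_num} -> {msg.sq_num} within stNum {msg.st_num}")
            elif msg.st_num == prev.st_num and msg.data != prev.data:
                # A retransmission must carry the same data set; a change needs a new stNum.
                alerts.append("data changed without stNum increment")
        if not alerts:
            self.last[msg.src_mac] = msg
        return alerts


PUB = "01:0c:cd:01:00:01"
REF = "IED1CFG/LLN0$GO$gcb01"
SAMPLE = [  # constructed sequence
    Goose(PUB, REF, 5, 0, (False, False)),          # baseline
    Goose(PUB, REF, 5, 1, (False, False)),          # legitimate retransmission
    Goose(PUB, REF, 6, 0, (True, False)),           # legitimate state change (trip)
    Goose(PUB, REF, 6, 0, (False, False)),          # same counters, different data
    Goose(PUB, REF, 4, 3, (False, False)),          # old message replayed
    Goose("de:ad:be:ef:00:01", REF, 7, 0, (True, True)),   # unknown publisher
    Goose(PUB, "ATTK/LLN0$GO$evil", 6, 1, (True, False)),  # gocbRef changed
]


def run(msgs=SAMPLE) -> list:
    """Feed the sample sequence through one tracker; returns the alerts per message."""
    tracker = GooseTracker()
    return [tracker.check(m) for m in msgs]


if __name__ == "__main__":
    for m, alerts in zip(SAMPLE, run()):
        print(m.st_num, m.sq_num, alerts or "ok")
```

Note what this cannot see: an exact replay that repeats the last frame byte for byte, with the same data, is indistinguishable from a legitimate retransmission without timing information, which is why the article's rule keys on the payload differing.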

Rogue Engineering Workstation

Direct Modbus/DNP3 connection to a PLC from a workstation that is not on the engineering whitelist
Unscheduled EWS connection outside maintenance hours → immediate alert
