IDS monitors, IPS blocks
IDS sits out-of-band and alerts. IPS sits inline and actively drops suspicious traffic. In OT, configure the IPS to pass traffic when inoperable.
Firewalls block unauthorized connections, but they do not detect attacks hidden inside permitted traffic. Intrusion detection and prevention systems fill this role.
An IDS (Intrusion Detection System) monitors traffic out-of-band and generates alerts when it detects suspicious patterns. An IPS (Intrusion Prevention System) sits inline and actively blocks suspicious traffic.
| Feature | IDS | IPS |
|---|---|---|
| Position | Out-of-band (TAP or SPAN port) | Inline (in the traffic path) |
| Action | Alerts only | Blocks and alerts |
| Latency impact | None | Adds microseconds to milliseconds |
| Mode when inoperable | Network unaffected | Bypass mode or network down |
An IPS that fails closed drops all traffic when it becomes inoperable (safe but disruptive). An IPS that fails open passes all traffic uninspected (available but less secure). In OT networks, configure the IPS to fail open. A false positive that blocks a legitimate PLC command poses a greater threat than a missed alert.
Signature-based detection compares traffic against a database of known attack patterns. Signature-based detection catches known attacks with low false positives but misses novel attacks. Update signatures on a regular schedule.
Anomaly-based detection establishes a baseline of normal behavior (traffic volume, protocol distribution, connection patterns) and alerts on deviations. Anomaly-based detection catches novel attacks but generates more false positives. In OT networks the baseline is stable: the same PLCs talk to the same SCADA servers on the same schedule. This stability makes anomaly detection effective.
A legitimate PLC firmware update looks like a write to multiple registers in rapid succession. A signature designed to detect “mass register writes” flags the update as an attack. In OT, false positives erode trust in the alerting system. Operators start ignoring alerts, and real attacks go unnoticed.
Mitigate false positives by tuning detection rules to the specific OT environment. Whitelist known maintenance activities. Use OT-specific IDS tools (Claroty, Nozomi Networks, Dragos) that understand industrial protocol semantics.
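The following block is an added example (not code from the original page or from any of the vendors named above) that puts the two preceding ideas into working code: an anomaly baseline of (source, destination, unit, function code) tuples learned from a clean period, and a "mass register write" signature that is whitelisted during a scheduled maintenance window so a legitimate engineering download does not fire it. It parses real Modbus TCP framing (MBAP header plus PDU). All IP addresses, the 50-register threshold, the maintenance window and the sample frames are constructed for the example.

```python
"""Anomaly baseline plus a tuned signature for Modbus TCP writes.
Added example, not from the page: addresses, threshold, window and
frames are constructed sample data."""
import struct
from collections import namedtuple
from datetime import datetime

Frame = namedtuple("Frame", "ts src dst unit fc quantity")
MASS_WRITE_THRESHOLD = 50  # registers per FC 16 request (constructed threshold)


def parse_modbus_tcp(payload: bytes):
    """Parse MBAP header + PDU. Returns (unit_id, fc, quantity) or None.
    quantity = register/coil count for FC 15/16, 1 for FC 5/6, 0 otherwise."""
    if len(payload) < 8:
        return None
    _tid, pid, length, unit = struct.unpack("!HHHB", payload[:7])
    if pid != 0 or length != len(payload) - 6:
        return None  # protocol id must be 0; length counts unit id + PDU
    fc = payload[7]
    quantity = 0
    if fc in (5, 6):
        quantity = 1
    elif fc in (15, 16) and len(payload) >= 12:
        quantity = struct.unpack("!H", payload[10:12])[0]
    return unit, fc, quantity


def mbap(tid, unit, pdu):
    """Wrap a PDU in an MBAP header (used only to construct sample frames)."""
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def pdu_fc16(start, values):
    """FC 16 Write Multiple Registers PDU: fc, start, quantity, byte count, data."""
    data = b"".join(struct.pack("!H", v) for v in values)
    return struct.pack("!BHHB", 16, start, len(values), len(data)) + data


def frame_from_bytes(ts, src, dst, payload):
    parsed = parse_modbus_tcp(payload)
    if parsed is None:
        return None
    unit, fc, qty = parsed
    return Frame(ts, src, dst, unit, fc, qty)


def learn_baseline(frames):
    """Anomaly detection: record every (src, dst, unit, fc) seen during a
    clean learning period. In a stable OT network this set is small."""
    return {(f.src, f.dst, f.unit, f.fc) for f in frames}


def in_maintenance_window(frame, windows):
    """windows: iterable of (engineering workstation IP, start, end)."""
    return any(frame.src == ip and start <= frame.ts <= end
               for ip, start, end in windows)


def evaluate(frame, baseline, windows):
    """Return the alerts raised for one frame (empty list = no alert)."""
    alerts = []
    if (frame.src, frame.dst, frame.unit, frame.fc) not in baseline:
        alerts.append(f"ANOMALY: {frame.src} -> {frame.dst} unit {frame.unit} "
                      f"FC {frame.fc} not in baseline")
    # Signature "mass register write", whitelisted inside a maintenance window
    # so a scheduled firmware/program download does not raise a false positive.
    if (frame.fc == 16 and frame.quantity >= MASS_WRITE_THRESHOLD
            and not in_maintenance_window(frame, windows)):
        alerts.append(f"SIGNATURE: mass register write ({frame.quantity} regs) "
                      f"from {frame.src} to {frame.dst}")
    return alerts


SCADA, ENG, PLC, ROGUE = ("192.168.10.50", "192.168.10.51",
                          "192.168.20.10", "192.168.10.99")  # constructed


def run_demo():
    """Learn a baseline, then score constructed events. Returns {label: alerts}."""
    t = datetime
    poll = struct.pack("!BHH", 3, 0, 10)          # FC 3 Read Holding Registers
    setpoint = struct.pack("!BHH", 6, 100, 1234)  # FC 6 Write Single Register
    learning = [
        frame_from_bytes(t(2024, 1, 1, 8, 0), SCADA, PLC, mbap(1, 1, poll)),
        frame_from_bytes(t(2024, 1, 1, 8, 1), SCADA, PLC, mbap(2, 1, setpoint)),
        frame_from_bytes(t(2024, 1, 1, 8, 2), ENG, PLC, mbap(3, 1, pdu_fc16(200, [1, 2, 3]))),
    ]
    baseline = learn_baseline(learning)
    windows = [(ENG, t(2024, 1, 2, 9, 0), t(2024, 1, 2, 11, 0))]
    big = pdu_fc16(0, list(range(64)))  # 64 registers in one request
    events = {
        "scada_setpoint": frame_from_bytes(t(2024, 1, 2, 10, 0), SCADA, PLC, mbap(4, 1, setpoint)),
        "eng_update_in_window": frame_from_bytes(t(2024, 1, 2, 10, 5), ENG, PLC, mbap(5, 1, big)),
        "eng_update_after_hours": frame_from_bytes(t(2024, 1, 2, 23, 0), ENG, PLC, mbap(6, 1, big)),
        "rogue_mass_write": frame_from_bytes(t(2024, 1, 2, 10, 6), ROGUE, PLC, mbap(7, 1, big)),
        "rogue_poll": frame_from_bytes(t(2024, 1, 2, 10, 7), ROGUE, PLC, mbap(8, 1, poll)),
    }
    return {label: evaluate(f, baseline, windows) for label, f in events.items()}


if __name__ == "__main__":
    for label, alerts in run_demo().items():
        print(label, "->", alerts or "ok")
```

Running the demo shows the trade-off from the text: the same 64-register download is silent inside the window and raises only the signature outside it, while the rogue host trips both the baseline check and the signature. In a real deployment the learning period would be captured from a SPAN port over at least one full production cycle, and the windows would come from the change-management calendar rather than a literal in the script.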
The following script monitors Modbus TCP traffic and alerts when it sees function codes that write to registers (FC 5, 6, 15, 16) from unexpected source IPs. In a stable OT environment, only the SCADA server and engineering workstations write to PLCs.

```python
from scapy.all import sniff, IP, TCP, Raw

ALLOWED_WRITERS = {"192.168.10.50", "192.168.10.51"}  # SCADA server, engineering workstation
WRITE_FCS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}


def check_modbus(pkt):
    # Only inspect IPv4/TCP packets with a payload headed for the Modbus port
    if not (pkt.haslayer(IP) and pkt.haslayer(TCP) and pkt.haslayer(Raw)
            and pkt[TCP].dport == 502):
        return
    payload = bytes(pkt[Raw].load)
    if len(payload) < 8:
        return
    # Modbus TCP: 7-byte MBAP header (TID, PID, Length, Unit ID), then the function code
    fc = payload[7]
    src = pkt[IP].src
    if fc in WRITE_FCS and src not in ALLOWED_WRITERS:
        print(f"ALERT: {src} sent {WRITE_FCS[fc]} (FC {fc}) to {pkt[IP].dst}")


sniff(iface="eth0", filter="tcp port 502", prn=check_modbus, store=False)
```

Any write command from an IP outside the allowed list triggers an alert. The script catches both compromised devices and misconfigured systems attempting unauthorized writes.
Anomaly detection works well in OT
OT traffic patterns are stable and predictable. Deviations from the baseline are meaningful signals.
Tune rules to reduce false positives
Whitelist known maintenance activities. Use OT-specific IDS tools that understand industrial protocol semantics.
IDS and IPS handle security. The next page covers load balancers and proxies — the appliances that distribute traffic efficiently across multiple servers.