6.2 IDS and IPS

Firewalls block unauthorized connections, but they do not detect attacks hidden inside permitted traffic. That is the role of intrusion detection and prevention systems.

An IDS (Intrusion Detection System) monitors traffic and generates alerts when it detects suspicious patterns. An IPS (Intrusion Prevention System) sits inline and actively blocks suspicious traffic.

| Feature | IDS | IPS |
|---|---|---|
| Position | Out-of-band (TAP or SPAN port) | Inline (in the traffic path) |
| Action | Alerts only | Blocks and alerts |
| Latency impact | None | Adds microseconds to milliseconds |
| Failure mode | Network unaffected | Bypass mode or network down |

An IPS that fails in closed mode drops all traffic (safe but disruptive). An IPS that fails in open mode passes all traffic uninspected (available but insecure). In OT networks, configure IPS to fail open. A false positive that blocks a legitimate PLC command is more dangerous than a missed alert.

Signature-based detection compares traffic against a database of known attack patterns. It catches known attacks with low false positives but misses novel attacks. Update signatures regularly.

Anomaly-based detection establishes a baseline of normal behavior (traffic volume, protocol distribution, connection patterns) and alerts on deviations. It catches novel attacks but generates more false positives. In OT networks, the baseline is stable (the same PLCs talk to the same SCADA servers on the same schedule), which makes anomaly detection effective.

A legitimate PLC firmware update looks like a write to multiple registers in rapid succession. A signature designed to detect “mass register writes” flags this as an attack. In OT, false positives are dangerous because they erode trust in the alerting system. Operators start ignoring alerts, and real attacks go unnoticed.

Mitigate false positives by tuning detection rules to the specific OT environment, whitelisting known maintenance activities, and using OT-specific IDS tools (Claroty, Nozomi Networks, Dragos) that understand industrial protocol semantics.

Detecting Anomalous Modbus Traffic with Scapy

The following script monitors Modbus TCP traffic and alerts when it detects function codes that write to registers (FC 5, 6, 15, 16) from unexpected source IPs. In a stable OT environment, only the SCADA server and engineering workstations write to PLCs.

```python
from scapy.all import sniff, IP, TCP, Raw

ALLOWED_WRITERS = {"192.168.10.50", "192.168.10.51"}  # SCADA, eng workstation
WRITE_FCS = {5: "Write Single Coil", 6: "Write Single Register",
             15: "Write Multiple Coils", 16: "Write Multiple Registers"}


def check_modbus(pkt):
    # Only inspect IPv4/TCP packets that carry a payload to the Modbus port;
    # the IP check keeps pkt[IP] from raising on an IPv6 packet
    if not (pkt.haslayer(IP) and pkt.haslayer(TCP) and pkt.haslayer(Raw)
            and pkt[TCP].dport == 502):
        return
    payload = bytes(pkt[Raw].load)
    if len(payload) < 8:
        return
    # Modbus TCP: 7-byte MBAP header (TID, PID, Len, UID), then the function code
    fc = payload[7]
    src = pkt[IP].src
    if fc in WRITE_FCS and src not in ALLOWED_WRITERS:
        print(f"ALERT: {src} sent {WRITE_FCS[fc]} (FC {fc}) to {pkt[IP].dst}")


# Needs raw-socket privileges; "eth0" is the monitoring (SPAN/TAP) interface
sniff(iface="eth0", filter="tcp port 502", prn=check_modbus, store=False)
```

Any write command from an IP not in the allowed list triggers an alert. This catches both compromised devices and misconfigured systems attempting unauthorized writes.
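As an added example that is not part of the course page, here is a pure-Python version of the same check that runs offline on raw TCP payloads and covers two cases the Scapy script does not: a segment carrying several Modbus ADUs back to back, and a malformed MBAP header (protocol ID not zero, or a length field that overruns the segment). It also whitelists a maintenance window for the engineering workstation, the mitigation described above for the firmware-update false positive. The IP addresses, the window times, and the sample packets are constructed assumptions.

```python
import struct
from datetime import datetime, time

# Constructed policy (assumed values, not from the course page): the SCADA server
# writes any time, the engineering workstation only in its nightly window.
ALLOWED_WRITERS = {"192.168.10.50"}
MAINTENANCE = {"192.168.10.51": (time(22, 0), time(23, 59))}
WRITE_FCS = {5: "Write Single Coil", 6: "Write Single Register",
             15: "Write Multiple Coils", 16: "Write Multiple Registers"}

def parse_modbus_pdus(payload: bytes) -> list:
    """Split one TCP segment into (kind, function_code) tuples.
    MBAP: transaction id (2), protocol id (2, must be 0), length (2, unit id
    plus PDU), unit id (1). A segment may carry several ADUs; a malformed
    header is reported, not skipped, since in a stable OT network it is a signal."""
    pdus, off = [], 0
    while off + 7 <= len(payload):
        _tid, pid, length, _uid = struct.unpack("!HHHB", payload[off:off + 7])
        if pid != 0 or length < 2 or off + 6 + length > len(payload):
            pdus.append(("malformed", None))
            break
        pdus.append(("pdu", payload[off + 7]))  # function code follows the MBAP
        off += 6 + length
    return pdus

def inspect_segment(src: str, payload: bytes, ts: datetime) -> list:
    """Return alert strings for one segment sent to TCP port 502."""
    alerts = []
    for kind, fc in parse_modbus_pdus(payload):
        if kind == "malformed":
            alerts.append(f"malformed MBAP header from {src}")
        elif fc in WRITE_FCS and src not in ALLOWED_WRITERS:
            window = MAINTENANCE.get(src)
            if window and window[0] <= ts.time() <= window[1]:
                continue  # scheduled maintenance: whitelisted, no alert
            alerts.append(f"unauthorized {WRITE_FCS[fc]} (FC {fc}) from {src}")
    return alerts

def mbap(fc: int, body: bytes, tid: int = 1, uid: int = 1) -> bytes:
    """Build a constructed Modbus TCP request for testing (not captured traffic)."""
    pdu = bytes([fc]) + body
    return struct.pack("!HHHB", tid, 0, 1 + len(pdu), uid) + pdu
# Constructed samples: a read request, a Write Multiple Registers request, a
# segment carrying two ADUs back to back (FC 16 then FC 6), and two timestamps.
READ_REQ = mbap(3, b"\x00\x00\x00\x0a")
WRITE16 = mbap(16, b"\x00\x10\x00\x02\x04\x00\x01\x00\x02")
TWO_ADUS = WRITE16 + mbap(6, b"\x00\x01\x00\xff", tid=2)
NOON = datetime(2024, 1, 1, 12, 0)
NIGHT = datetime(2024, 1, 1, 22, 30)
```

Feeding `inspect_segment` the payload of each captured segment (for example from the Scapy `prn` callback) gives the same alerts as the script above, plus one per malformed header and none for a write that falls inside a scheduled window.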

IDS monitors, IPS blocks

IDS sits out-of-band and alerts. IPS sits inline and actively drops suspicious traffic. In OT, configure IPS to fail open.

Anomaly detection works well in OT

OT traffic patterns are stable and predictable. Deviations from the baseline are meaningful signals.

Tune rules to reduce false positives

Whitelist known maintenance activities. Use OT-specific IDS tools that understand industrial protocol semantics.

IDS and IPS handle security. The next page covers load balancers and proxies, the appliances that distribute traffic efficiently across multiple servers.

  • CompTIA Network+ N10-009 Exam Objectives, Domain 1: Networking Concepts