ICS / SCADA / OT#
Reference of industrial control systems: protocols, vendors, PLC families, the Purdue model, and the standards governing operational-technology security. ICS / SCADA gear runs power plants, refineries, water utilities, factories, pipelines, and rail, the cyber-physical edge of critical infrastructure. For sector mapping, see Critical Infrastructure. For threat actors targeting OT, see Hacker Groups.
Test only on equipment you own or have written authorization for. ICS gear has limited fault tolerance; misuse can cause real-world physical damage and human casualties.
Purdue model (ISA-95 / IEC 62264)#
┌──────────────────────────────────────────────────────────────────┐
│ Level 5 Enterprise / corporate IT │
│ ERP, email, web, business systems │
├──────────────────────────────────────────────────────────────────┤
│ Level 4 Site business planning + logistics │
│ plant scheduling, inventory │
├══════════════════════════════════════════════════════════════════┤ ← IT/OT DMZ
│ Level 3 Operations / control │
│ Historian, MES, batch, asset mgmt │
├──────────────────────────────────────────────────────────────────┤
│ Level 2 Supervisory │
│ HMI, SCADA servers, engineering workstation │
├──────────────────────────────────────────────────────────────────┤
│ Level 1 Basic control │
│ PLCs, RTUs, IEDs, controllers │
├──────────────────────────────────────────────────────────────────┤
│ Level 0 Process / physical │
│ Sensors, actuators, motors, valves │
└──────────────────────────────────────────────────────────────────┘
Safety Instrumented Systems (SIS) often sit alongside Level 1
on a separate, isolated network (per IEC 61511).
OT protocols#
Protocol |
Layer |
Default port |
Notes |
|---|---|---|---|
Modbus RTU |
Serial |
n/a |
RS-485 / 232; master/slave; 16-bit registers; no auth. |
Modbus TCP |
TCP/IP |
502 |
Modbus over TCP; no auth; trivially spoofable. |
Modbus over UDP |
UDP |
502 |
Same; rarer. |
DNP3 |
TCP/IP |
20000 |
Distributed Network Protocol; SCADA/RTU; secure variant DNP3-SA (IEC 62351-5). |
IEC 60870-5-101 |
Serial |
n/a |
European telecontrol; balanced/unbalanced. |
IEC 60870-5-104 |
TCP/IP |
2404 |
104 = 101 over TCP/IP. |
IEC 61850 MMS |
TCP/IP |
102 |
Substation automation (manufacturing message spec). |
IEC 61850 GOOSE |
L2 multicast |
EtherType 0x88 |
B 8 Generic Object Oriented Sub-Station Event; sub-4ms. |
IEC 61850 SV |
L2 multicast |
EtherType 0x88 |
B A Sampled Values; CT/PT data. |
PROFINET / IO |
Ethernet |
TCP 102 / RT |
Siemens; Profibus successor. |
PROFIBUS DP |
Serial |
n/a |
Process Field Bus; RS-485. |
EtherNet/IP |
TCP/IP |
44818 (TCP) / 2 |
222 (UDP) ODVA; CIP-based. |
CIP |
over EIP/PROFI |
Common Industrial Protocol. |
|
HART / WirelessHART |
4-20 mA / 2.4 |
2.4 GHz |
Highway Addressable Remote Transducer; legacy + wireless. |
ISA-100.11a |
2.4 GHz |
Wireless industrial. |
|
EtherCAT |
EtherType |
0x88A4 |
Beckhoff; very low jitter. |
POWERLINK |
Ethernet |
B&R; deterministic. |
|
SERCOS III |
Ethernet |
Servo control. |
|
Foundation Fieldbus |
H1 / HSE |
Process automation. |
|
BACnet |
IP / MS-TP |
47808 / RS-48 |
5 Building automation. |
LonWorks |
EIA-709 |
Building automation. |
|
KNX |
TP/RF/IP |
3671 / 6720 |
EU building bus. |
M-Bus / wM-Bus |
Serial / RF |
Metering. |
|
OPC DA |
DCOM |
135 + dynamic |
Legacy OPC; firewall-hostile. |
OPC UA |
TCP/IP |
4840 |
Modern OPC; auth + encryption. |
MQTT |
TCP/IP |
1883 / 8883 |
IoT / IIoT broker; popular OT-edge. |
MQTT Sparkplug B |
MQTT |
IIoT topic / payload spec. |
|
CIP-Sec / DNP3-SA / V IEC 62351 arious |
Authenticated/e |
ncrypted variants of the above. |
|
HSCG / Modbus Sec |
TCP/IP |
802 |
Secure Modbus (IEC 62351-3 + RFC). |
Major ICS/PLC vendors#
Vendor |
Country |
Notes |
|---|---|---|
Siemens |
Germany |
SIMATIC S7-1200 / S7-1500 / S7-300 / S7-400; PROFINET; WinCC; STEP7; TIA Portal. |
Rockwell Automation |
USA |
ControlLogix / CompactLogix / MicroLogix; FactoryTalk; Studio 5000; CIP / EtherNet/IP. |
ABB |
Switzerland |
800xA DCS, AC500 PLC; substation gear (RED / RTU500). |
Schneider Electric |
France |
Modicon (M580 / M340 / M221); Quantum; Vijeo Citect HMI; Foxboro DCS; Triconex SIS. |
Mitsubishi Electric |
Japan |
MELSEC iQ-R / iQ-F / Q / FX series; GX Works. |
OMRON |
Japan |
Sysmac / NJ / NX series. |
Honeywell |
USA |
Experion DCS; Safety Manager; ControlEdge. |
Yokogawa |
Japan |
CENTUM CS3000 / VP DCS; ProSafe-RS SIS. |
Emerson |
USA |
DeltaV DCS; Ovation; AMS. |
GE Digital |
USA |
Mark VI/VIe (turbines); Predix; Cimplicity HMI; PACSystems RX3i / RX7i. |
Hitachi |
Japan |
HISEC; rail. |
Bosch Rexroth |
Germany |
IndraWorks; servo + motion. |
B&R Industrial Auto. |
Austria |
Automation Studio; X20 controllers. |
Beckhoff |
Germany |
TwinCAT; EtherCAT. |
WAGO |
Germany |
750 series PLC. |
Phoenix Contact |
Germany |
AXC / ILC controllers. |
Pilz |
Germany |
Safety controllers. |
Pepperl+Fuchs |
Germany |
Sensors + remote IO. |
Eaton |
USA |
SmartWire; Cooper distribution. |
Schweitzer Eng. Lab |
USA |
SEL relays / RTAC (substation). |
ABB / SEL / GE |
Multiple |
Protective relays. |
ICONICS |
USA |
GENESIS HMI / SCADA. |
Wonderware (AVEVA) |
UK |
InTouch HMI / System Platform / Historian. |
Inductive Automation |
USA |
Ignition SCADA platform. |
Iconics / GE Cimplici |
ty Multiple |
HMI/SCADA. |
SIPROTEC (Siemens) |
Germany |
Protective relays. |
RTU vendors |
Multiple |
SEL, ABB, GE, Siemens, Schweitzer. |
DCS / SCADA platforms#
Product |
Vendor |
Notes |
|---|---|---|
DeltaV |
Emerson |
Process DCS; refining / chemicals. |
Experion |
Honeywell |
Process DCS. |
Ovation |
Emerson |
Power-gen DCS. |
ABB 800xA |
ABB |
Multi-industry DCS. |
CENTUM VP |
Yokogawa |
Process DCS. |
PCS 7 |
Siemens |
DCS layered on SIMATIC. |
Foxboro Evo |
Schneider |
DCS. |
Triconex |
Schneider |
Safety Instrumented Systems (target of TRITON 2017). |
ProSafe-RS |
Yokogawa |
SIS. |
SIMATIC PCS neo |
Siemens |
Cloud-ready DCS. |
WinCC |
Siemens |
SCADA / HMI. |
Wonderware InTouch |
AVEVA |
HMI. |
FactoryTalk View |
Rockwell |
HMI. |
Cimplicity |
GE |
SCADA / HMI. |
iFix |
GE |
SCADA / HMI. |
Ignition |
Inductive Aut. |
Modern SCADA; Java; OPC UA. |
ClearSCADA |
Schneider |
SCADA for utilities. |
Survalent |
Survalent |
Utility SCADA. |
PI System |
AVEVA / OSIso |
ft Operations Historian; the dominant data historian. |
ICS-specific malware (historical)#
Malware |
Year |
Notes |
|---|---|---|
Stuxnet |
2010 |
Siemens S7-300/-400 + Step7 + PROFIBUS; nuclear-centrifuge sabotage; first widely-known ICS-targeted weapon. |
Havex / Dragonfly |
2013-14 |
Energy-sector RAT; OPC enumeration. |
BlackEnergy 3 |
2015 / Ukraine |
Power-grid; pre-cursor of Industroyer. |
Industroyer / CRASH |
2016 / Ukraine |
IEC 61850 / IEC 60870 / OPC DA modules; substation |
OVERRIDE |
o |
utages. |
TRITON / TRISIS |
2017 / Saudi Arabia |
Targeted Schneider Triconex SIS; first known SIS attack. |
Industroyer2 |
2022 / Ukraine |
IEC 60870-5-104 module; targeted high-voltage. |
PIPEDREAM / INCONTRO |
2022 |
CHERNOVITE (Dragos); cross-vendor toolkit |
LLER |
( |
Modbus, OPC UA, CODESYS). |
FrostyGoop |
2024 / Ukraine |
Modbus TCP module; municipal heating. |
Standards / frameworks#
Standard |
Notes |
|---|---|
IEC 62443 (ISA/IEC) |
ICS cybersecurity series; -1-1 concepts, -2-1 program, |
3-2 risk, -3-3 SR, -4-2 component requirements. |
|
NIST SP 800-82r3 |
Guide to OT Security. |
NIST SP 800-53 |
General controls; tailored for OT in 800-82. |
NERC CIP |
v5+; mandatory for North American bulk electric system. |
IEC 61511 / 61508 |
Functional safety / SIL. |
ISA-95 / IEC 62264 |
Enterprise / control integration model. |
ISA-101 |
HMI design. |
ANSSI / BSI ICS guide |
s Country-specific guidance. |
ENISA OT good prac. |
EU agency guidance. |
TSA Pipeline Sec Dire |
ct ives US TSA pipeline directives (post-Colonial). |
EO 14028 / EO 14117 |
US executive orders affecting OT. |
MITRE ATT&CK for ICS |
ICS-specific tactic / technique catalog. |
ICS-CERT / CISA ICS |
Advisory feed (ICSA-, ICSMA-). |
Defensive tooling#
Tool |
Vendor |
Notes |
|---|---|---|
Dragos Platform |
Dragos |
OT detection + response; also rich ICS threat intel. |
Claroty xDome / CTD |
Claroty |
OT visibility + segmentation. |
Nozomi Vantage |
Nozomi |
OT IDS + asset inventory. |
Forescout Silent Defe nse |
Forescout |
Network-based OT visibility. |
Tenable OT (Indegy) |
Tenable |
OT vulnerability + monitoring. |
ARMIS |
Armis |
IoT/OT visibility. |
Microsoft Defender fo IoT r |
Microsoft |
CyberX-acquired; OT visibility. |
Cisco Cyber Vision |
Cisco |
OT visibility on switches. |
Industrial Detection |
K it Various |
Open-source: Snort/Suricata + ICS rules. |
Snort / Suricata + Qu |
ic kdraw Open |
Open IDS with ICS protocol rules. |
Wireshark + ICS disse |
c tors Open |
Free OT protocol analysis. |
Modbus2MQTT / Node-RE D |
Open |
Bridging utilities. |
Open / research tooling#
Tool |
Org |
Notes |
|---|---|---|
ISF (ICS Sec Framewo |
rk) GRIMM |
OT vulnerability framework. |
PyModbus |
Open |
Python Modbus client/server library. |
PLCinject |
Open |
Siemens S7 inject (research). |
OpenPLC |
Autonomy Logic |
Open-source PLC runtime + IEC 61131-3 IDE. |
CODESYS V3 |
CODESYS |
Common runtime used by 400+ vendors. |
Snap7 |
Open |
S7 protocol library. |
Modbus-cli |
Open |
CLI Modbus. |
Conpot |
Open |
ICS honeypot (Modbus, S7, BACnet, IPMI). |
GasPot |
Open |
Gas-tank-monitor honeypot. |
ICS Honeynet |
Open |
Multi-protocol honeynet. |
Shodan / Censys ICS searches |
Multiple |
Find exposed ICS via banner. |
GRASSMARLIN |
NSA |
Passive OT mapping. |
ICSREF |
Open |
Reverse engineering CODESYS binaries. |
Ghidra ICS plugins |
Open |
Modbus, S7, etc. dissectors. |
ICSCorsair / ScadaPas |
Various |
Old research tools. |
Project Basecamp |
Digital Bond |
OT vulnerability research project. |
Operator notes#
Authority, ICS gear in production rarely tolerates active scanning; default to passive collection (network taps, SPAN ports). Active testing requires explicit authorization, change windows, and maintenance-mode.
Safety, a misconfigured PLC can cause physical harm. When in doubt, talk to the controls engineer.
Air-gap myth, supposedly air-gapped networks usually have a USB / vendor-VPN / engineering-laptop pivot. Map the data diode and the IT/OT DMZ.
Default credentials, many PLCs ship with documented defaults (siemens / 100, admin / admin); CISA published a list of “Top 10 Routinely Exploited” defaults.
Patching cadence, OT patches require maintenance windows, vendor sign-off, and HAZOP review; expect multi-month lag.
Engineering tools are the keys, TIA Portal, Studio 5000, Vijeo, Citect, etc. let an attacker rewrite logic without an exploit. Treat the engineering workstation as Tier-0.
SIS isolation, Safety Instrumented Systems must stay isolated from BPCS per IEC 61511; TRITON taught the industry the cost of crossing that boundary.
Historian leakage, the PI / Wonderware historian often spans the IT/OT DMZ and is a high-value pivot point.