ICS / SCADA / OT#

Reference of industrial control systems: protocols, vendors, PLC families, the Purdue model, and the standards governing operational-technology security. ICS / SCADA gear runs power plants, refineries, water utilities, factories, pipelines, and rail, the cyber-physical edge of critical infrastructure. For sector mapping, see Critical Infrastructure. For threat actors targeting OT, see Hacker Groups.

Test only on equipment you own or have written authorization for. ICS gear has limited fault tolerance; misuse can cause real-world physical damage and human casualties.

Purdue model (ISA-95 / IEC 62264)#

┌──────────────────────────────────────────────────────────────────┐
│ Level 5  Enterprise / corporate IT                               │
│           ERP, email, web, business systems                      │
├──────────────────────────────────────────────────────────────────┤
│ Level 4  Site business planning + logistics                      │
│           plant scheduling, inventory                            │
├══════════════════════════════════════════════════════════════════┤  ← IT/OT DMZ
│ Level 3  Operations / control                                    │
│           Historian, MES, batch, asset mgmt                      │
├──────────────────────────────────────────────────────────────────┤
│ Level 2  Supervisory                                             │
│           HMI, SCADA servers, engineering workstation            │
├──────────────────────────────────────────────────────────────────┤
│ Level 1  Basic control                                           │
│           PLCs, RTUs, IEDs, controllers                          │
├──────────────────────────────────────────────────────────────────┤
│ Level 0  Process / physical                                      │
│           Sensors, actuators, motors, valves                     │
└──────────────────────────────────────────────────────────────────┘
Safety Instrumented Systems (SIS) often sit alongside Level 1
on a separate, isolated network (per IEC 61511).

OT protocols#

Protocol

Layer

Default port

Notes

Modbus RTU

Serial

n/a

RS-485 / 232; master/slave; 16-bit registers; no auth.

Modbus TCP

TCP/IP

502

Modbus over TCP; no auth; trivially spoofable.

Modbus over UDP

UDP

502

Same; rarer.

DNP3

TCP/IP

20000

Distributed Network Protocol; SCADA/RTU; secure variant DNP3-SA (IEC 62351-5).

IEC 60870-5-101

Serial

n/a

European telecontrol; balanced/unbalanced.

IEC 60870-5-104

TCP/IP

2404

104 = 101 over TCP/IP.

IEC 61850 MMS

TCP/IP

102

Substation automation (manufacturing message spec).

IEC 61850 GOOSE

L2 multicast

EtherType 0x88

B 8 Generic Object Oriented Sub-Station Event; sub-4ms.

IEC 61850 SV

L2 multicast

EtherType 0x88

B A Sampled Values; CT/PT data.

PROFINET / IO

Ethernet

TCP 102 / RT

Siemens; Profibus successor.

PROFIBUS DP

Serial

n/a

Process Field Bus; RS-485.

EtherNet/IP

TCP/IP

44818 (TCP) / 2

222 (UDP) ODVA; CIP-based.

CIP

over EIP/PROFI

Common Industrial Protocol.

HART / WirelessHART

4-20 mA / 2.4

2.4 GHz

Highway Addressable Remote Transducer; legacy + wireless.

ISA-100.11a

2.4 GHz

Wireless industrial.

EtherCAT

EtherType

0x88A4

Beckhoff; very low jitter.

POWERLINK

Ethernet

B&R; deterministic.

SERCOS III

Ethernet

Servo control.

Foundation Fieldbus

H1 / HSE

Process automation.

BACnet

IP / MS-TP

47808 / RS-48

5 Building automation.

LonWorks

EIA-709

Building automation.

KNX

TP/RF/IP

3671 / 6720

EU building bus.

M-Bus / wM-Bus

Serial / RF

Metering.

OPC DA

DCOM

135 + dynamic

Legacy OPC; firewall-hostile.

OPC UA

TCP/IP

4840

Modern OPC; auth + encryption.

MQTT

TCP/IP

1883 / 8883

IoT / IIoT broker; popular OT-edge.

MQTT Sparkplug B

MQTT

IIoT topic / payload spec.

CIP-Sec / DNP3-SA / V IEC 62351 arious

Authenticated/e

ncrypted variants of the above.

HSCG / Modbus Sec

TCP/IP

802

Secure Modbus (IEC 62351-3 + RFC).

Major ICS/PLC vendors#

Vendor

Country

Notes

Siemens

Germany

SIMATIC S7-1200 / S7-1500 / S7-300 / S7-400; PROFINET; WinCC; STEP7; TIA Portal.

Rockwell Automation

USA

ControlLogix / CompactLogix / MicroLogix; FactoryTalk; Studio 5000; CIP / EtherNet/IP.

ABB

Switzerland

800xA DCS, AC500 PLC; substation gear (RED / RTU500).

Schneider Electric

France

Modicon (M580 / M340 / M221); Quantum; Vijeo Citect HMI; Foxboro DCS; Triconex SIS.

Mitsubishi Electric

Japan

MELSEC iQ-R / iQ-F / Q / FX series; GX Works.

OMRON

Japan

Sysmac / NJ / NX series.

Honeywell

USA

Experion DCS; Safety Manager; ControlEdge.

Yokogawa

Japan

CENTUM CS3000 / VP DCS; ProSafe-RS SIS.

Emerson

USA

DeltaV DCS; Ovation; AMS.

GE Digital

USA

Mark VI/VIe (turbines); Predix; Cimplicity HMI; PACSystems RX3i / RX7i.

Hitachi

Japan

HISEC; rail.

Bosch Rexroth

Germany

IndraWorks; servo + motion.

B&R Industrial Auto.

Austria

Automation Studio; X20 controllers.

Beckhoff

Germany

TwinCAT; EtherCAT.

WAGO

Germany

750 series PLC.

Phoenix Contact

Germany

AXC / ILC controllers.

Pilz

Germany

Safety controllers.

Pepperl+Fuchs

Germany

Sensors + remote IO.

Eaton

USA

SmartWire; Cooper distribution.

Schweitzer Eng. Lab

USA

SEL relays / RTAC (substation).

ABB / SEL / GE

Multiple

Protective relays.

ICONICS

USA

GENESIS HMI / SCADA.

Wonderware (AVEVA)

UK

InTouch HMI / System Platform / Historian.

Inductive Automation

USA

Ignition SCADA platform.

Iconics / GE Cimplici

ty Multiple

HMI/SCADA.

SIPROTEC (Siemens)

Germany

Protective relays.

RTU vendors

Multiple

SEL, ABB, GE, Siemens, Schweitzer.

DCS / SCADA platforms#

Product

Vendor

Notes

DeltaV

Emerson

Process DCS; refining / chemicals.

Experion

Honeywell

Process DCS.

Ovation

Emerson

Power-gen DCS.

ABB 800xA

ABB

Multi-industry DCS.

CENTUM VP

Yokogawa

Process DCS.

PCS 7

Siemens

DCS layered on SIMATIC.

Foxboro Evo

Schneider

DCS.

Triconex

Schneider

Safety Instrumented Systems (target of TRITON 2017).

ProSafe-RS

Yokogawa

SIS.

SIMATIC PCS neo

Siemens

Cloud-ready DCS.

WinCC

Siemens

SCADA / HMI.

Wonderware InTouch

AVEVA

HMI.

FactoryTalk View

Rockwell

HMI.

Cimplicity

GE

SCADA / HMI.

iFix

GE

SCADA / HMI.

Ignition

Inductive Aut.

Modern SCADA; Java; OPC UA.

ClearSCADA

Schneider

SCADA for utilities.

Survalent

Survalent

Utility SCADA.

PI System

AVEVA / OSIso

ft Operations Historian; the dominant data historian.

ICS-specific malware (historical)#

Malware

Year

Notes

Stuxnet

2010

Siemens S7-300/-400 + Step7 + PROFIBUS; nuclear-centrifuge sabotage; first widely-known ICS-targeted weapon.

Havex / Dragonfly

2013-14

Energy-sector RAT; OPC enumeration.

BlackEnergy 3

2015 / Ukraine

Power-grid; pre-cursor of Industroyer.

Industroyer / CRASH

2016 / Ukraine

IEC 61850 / IEC 60870 / OPC DA modules; substation

OVERRIDE

o

utages.

TRITON / TRISIS

2017 / Saudi Arabia

Targeted Schneider Triconex SIS; first known SIS attack.

Industroyer2

2022 / Ukraine

IEC 60870-5-104 module; targeted high-voltage.

PIPEDREAM / INCONTRO

2022

CHERNOVITE (Dragos); cross-vendor toolkit

LLER

(

Modbus, OPC UA, CODESYS).

FrostyGoop

2024 / Ukraine

Modbus TCP module; municipal heating.

Standards / frameworks#

Standard

Notes

IEC 62443 (ISA/IEC)

ICS cybersecurity series; -1-1 concepts, -2-1 program,

3-2 risk, -3-3 SR, -4-2 component requirements.

NIST SP 800-82r3

Guide to OT Security.

NIST SP 800-53

General controls; tailored for OT in 800-82.

NERC CIP

v5+; mandatory for North American bulk electric system.

IEC 61511 / 61508

Functional safety / SIL.

ISA-95 / IEC 62264

Enterprise / control integration model.

ISA-101

HMI design.

ANSSI / BSI ICS guide

s Country-specific guidance.

ENISA OT good prac.

EU agency guidance.

TSA Pipeline Sec Dire

ct ives US TSA pipeline directives (post-Colonial).

EO 14028 / EO 14117

US executive orders affecting OT.

MITRE ATT&CK for ICS

ICS-specific tactic / technique catalog.

ICS-CERT / CISA ICS

Advisory feed (ICSA-, ICSMA-).

Defensive tooling#

Tool

Vendor

Notes

Dragos Platform

Dragos

OT detection + response; also rich ICS threat intel.

Claroty xDome / CTD

Claroty

OT visibility + segmentation.

Nozomi Vantage

Nozomi

OT IDS + asset inventory.

Forescout Silent Defe nse

Forescout

Network-based OT visibility.

Tenable OT (Indegy)

Tenable

OT vulnerability + monitoring.

ARMIS

Armis

IoT/OT visibility.

Microsoft Defender fo IoT r

Microsoft

CyberX-acquired; OT visibility.

Cisco Cyber Vision

Cisco

OT visibility on switches.

Industrial Detection

K it Various

Open-source: Snort/Suricata + ICS rules.

Snort / Suricata + Qu

ic kdraw Open

Open IDS with ICS protocol rules.

Wireshark + ICS disse

c tors Open

Free OT protocol analysis.

Modbus2MQTT / Node-RE D

Open

Bridging utilities.

Open / research tooling#

Tool

Org

Notes

ISF (ICS Sec Framewo

rk) GRIMM

OT vulnerability framework.

PyModbus

Open

Python Modbus client/server library.

PLCinject

Open

Siemens S7 inject (research).

OpenPLC

Autonomy Logic

Open-source PLC runtime + IEC 61131-3 IDE.

CODESYS V3

CODESYS

Common runtime used by 400+ vendors.

Snap7

Open

S7 protocol library.

Modbus-cli

Open

CLI Modbus.

Conpot

Open

ICS honeypot (Modbus, S7, BACnet, IPMI).

GasPot

Open

Gas-tank-monitor honeypot.

ICS Honeynet

Open

Multi-protocol honeynet.

Shodan / Censys ICS searches

Multiple

Find exposed ICS via banner.

GRASSMARLIN

NSA

Passive OT mapping.

ICSREF

Open

Reverse engineering CODESYS binaries.

Ghidra ICS plugins

Open

Modbus, S7, etc. dissectors.

ICSCorsair / ScadaPas

Various

Old research tools.

Project Basecamp

Digital Bond

OT vulnerability research project.

Operator notes#

  • Authority, ICS gear in production rarely tolerates active scanning; default to passive collection (network taps, SPAN ports). Active testing requires explicit authorization, change windows, and maintenance-mode.

  • Safety, a misconfigured PLC can cause physical harm. When in doubt, talk to the controls engineer.

  • Air-gap myth, supposedly air-gapped networks usually have a USB / vendor-VPN / engineering-laptop pivot. Map the data diode and the IT/OT DMZ.

  • Default credentials, many PLCs ship with documented defaults (siemens / 100, admin / admin); CISA published a list of “Top 10 Routinely Exploited” defaults.

  • Patching cadence, OT patches require maintenance windows, vendor sign-off, and HAZOP review; expect multi-month lag.

  • Engineering tools are the keys, TIA Portal, Studio 5000, Vijeo, Citect, etc. let an attacker rewrite logic without an exploit. Treat the engineering workstation as Tier-0.

  • SIS isolation, Safety Instrumented Systems must stay isolated from BPCS per IEC 61511; TRITON taught the industry the cost of crossing that boundary.

  • Historian leakage, the PI / Wonderware historian often spans the IT/OT DMZ and is a high-value pivot point.

References#