Press Enter to search or Esc to close

Secure Control Layer Series · OT Protocol Command Control

OT Protocol Command Control

One framework, every protocol. See the command, not just the port.

Command-level inspection and enforcement for industrial protocols – Modbus, DNP3, Siemens S7, Rockwell CIP, PROFINET, OPC UA, IEC 61850, IEC 104, NTCIP, BACnet, and SECS/GEM – inline, agentless, on a single PacketViper appliance.

The Problem: OT Protocols Are Trust By Default

If a command reaches the device on the right port and speaks the protocol, the device obeys it.

Industrial protocols were built for reliability and determinism on isolated networks, not for a plant floor that touches the enterprise and an enterprise that touches the internet. Almost none of them authenticate the command.

A Modbus write to a register, a Siemens S7 STOP CPU, a DNP3 Operate, a Rockwell CIP Set Attribute, an IEC 104 control command, an NTCIP SET, or a SECS/GEM recipe download is honored the same way whether it came from the engineering workstation that is supposed to send it or from a host that was never authorized to. The protocol carries no notion of who is asking. A firewall can allow or deny a port, but the port is not the policy – the command is. An intrusion detection system can alert after the fact, but it does not stop the command and it buries the operator in noise. The most dangerous actions in an industrial environment – the ones that move a physical process or reprogram a device – are the least governed. That is the gap PacketViper closes, at the command, on the wire, in real time.

What It Is

Command-level inspection and enforcement, delivered inline, on one appliance

It is not an agent on the device, not a rip-and-replace of your controllers, and not a passive tap that only watches and alerts. It is an inline control point that understands the language your devices speak and acts on it.

Sees the command

Decodes each protocol to the level of the actual operation: the function or service, the target register or object, the value being written, and the source that sent it.

Classifies the intent

Separates reads from writes, monitoring from control, and routine operations from the small set of commands that can stop, restart, reprogram, or reconfigure a device.

Governs the action

Per device, you decide which commands are allowed, which sources may send them, and at what rate. Everything else is flagged or blocked, your choice, scoped to that one device.

Tells the story

Every command becomes context: what was attempted, by whom, to which device, and whether it was allowed. The attempt is the signal, not just the block.

The Architecture

One framework, every protocol

PacketViper does not solve each protocol with a separate product. One command-inspection framework covers every protocol, which is why a single appliance governs a heterogeneous plant with controllers from a dozen different manufacturers. Adding a manufacturer or a protocol is a new module on the same rails, not a new product.

Parser

Decode the protocol to command level: operation, target, value, source.

Command taxonomy

Classify every operation and mark the dangerous set: the commands that write, control, stop, restart, or reprogram.

Capture

Inspect the protocol inline through a durable, fail-open path so inspection is always present and never blocks traffic if the inspector is unavailable.

Policy

A per-device, or per-group, policy: monitor or enforce, allowed sources, allowed commands, blocked commands, expected parameters, and rate thresholds.

Enforcement

In enforce mode, a command outside policy is dropped at the wire before it reaches the device. In monitor mode, the same command passes but is recorded as an advisory.

Telemetry

Every command is written to the analytics store and surfaced on purpose-built dashboard widgets.

Federation

Configure a protocol policy once at the Federation Manager and enforce it across every node that sees that device or class of device.

Configuration

A per-protocol tab in the asset detail view, with build-time consistency checks that keep every protocol module uniform.

Built For OT

Transparent, inert until you opt in, fail open by design

Transparent, inline, agentless

PacketViper sits in the path as a transparent bridge. No IP to route to, no agent to install on a controller, no change to the devices or the SCADA host. Legacy equipment that cannot run software and cannot tolerate disruption is protected without touching it.

Inert until you opt in

Every protocol module ships inert. Inspection captures nothing and enforces nothing until you enable monitoring for a specific device or group. There is no global switch that suddenly starts dropping industrial traffic.

Fail open by design

The capture path is fail open. If the inspection engine is not running, protocol traffic passes normally. Enforcement is a decision you make deliberately, per device, never an accident of a service state.

What PacketViper Understands

Reading a value is not writing one. Writing a setpoint is not stopping a controller.

For every protocol, PacketViper classifies operations and marks the small set that can move a physical process or change a device program – the dangerous set.

Modbus

Write single and multiple coils and registers, especially to safety and control points.

DNP3

Operate, Direct Operate, and Cold or Warm Restart.

Siemens S7

PLC Stop, program block download, and write to control variables.

Rockwell EtherNet/IP (CIP)

Set Attribute, Forward Open to control classes, and Start or Stop.

IEC 60870-5-104

Single, double, and regulating step control commands.

IEC 61850 MMS

Select With Value and Operate on control blocks.

NTCIP

SET operations that change a displayed message, a message slot, or a signal parameter.

PROFINET DCP

Device set and reset.

BACnet

Write property and command operations against controllers.

Omron FINS & Mitsubishi MELSEC

Memory and device writes, remote run and stop.

SECS/GEM

Process program (recipe) downloads, remote commands, and equipment constant changes to fab tools.

Monitoring, polling, and status reads are the routine background of an OT network. Control is the exception, and control is what PacketViper puts under governance. You do not have to choose between blocking everything and blocking nothing – you govern the operations that actually carry risk.

The Enforcement Model

Start open, narrow in, stay surgical

A firewall starts closed and you open holes. PacketViper starts open and you narrow in. In an environment where a wrong block can stop production, this ordering is the difference between a tool operators trust and a tool they turn off.

Observe

Enable monitoring on a device. PacketViper records every command, source, and value while touching nothing. You learn the real traffic.

Profile

The recorded traffic becomes the baseline. Normal sources and normal operations become visible, and so do the ones that do not belong.

Narrow

Turn on enforcement for the operations that carry risk: block control from unauthorized sources, block the dangerous set, hold the rate. Routine traffic keeps flowing.

Refine

Every blocked or flagged attempt is an investigation, not a closed case: a misconfigured device, an unknown setting, or a genuine threat. The policy gets sharper.

The block is never the end of the story. The attempt is the beginning of one.

Visibility

Right information, right time, right people

An OT operator does not need more data. PacketViper turns every governed command into situational awareness rather than log volume. AI in PacketViper is decision support, not decision making – it consolidates, contextualizes, and spotlights what deserves attention, and the human pulls the trigger.

Command feeds

Per protocol: what was attempted, source, device, operation, value, and verdict.

Enforcement widgets

What was blocked, and what would have been blocked in monitor mode, so you can validate a policy before you commit to enforcement.

Source and rate views

Surface the talkers that do not belong and the ones sending too much.

Protocol-specific insight

The operations that matter for that protocol – sign state and conflict for NTCIP, control and restart for DNP3, recipe source for SECS/GEM.

Asset view

Ties each device to its protocol activity, its policy, and its history, so the device, not the packet, is the unit of understanding.

Configure Once, Enforced Everywhere

Federation makes protocol policy a single decision

In a distributed environment, a class of device may exist at dozens or hundreds of sites. PacketViper federation makes protocol policy a single decision.

  • Author a protocol policy once at the Federation Manager
  • Push it to every node that protects that device or device class
  • Every node enforces the same policy uniformly, and drift is reconciled automatically

One policy, enforced everywhere, whether you protect one plant or a national network of substations, pumping stations, or field cabinets.

Single Box, Complete Solution

What competitors need multiple products to do

Command-level inspection and enforcement, deception, sensors, discovery, and the SCADA gateway are one solution on one box. That is architecture, not limitation.

  • Agentless – nothing installed on controllers or SCADA hosts
  • Transparent – an inline bridge with no IP in the data path
  • Non-disruptive – inert until opt in, observation before enforcement, fail open
  • Legacy friendly – protects equipment that cannot be patched, cannot run agents, and cannot tolerate downtime
Market Differentiation

Others detect and alert. PacketViper understands and enforces.

The OT security market is crowded with tools that see. Very few act, at the command, inline, on one box, without an agent. This is the line that separates PacketViper.

Passive OT visibility & detection platforms

Claroty, Nozomi Networks, Dragos, Tenable OT Security, Armis, Forescout, Cisco Cyber Vision. Built to discover assets and detect anomalies, largely passive by design, and when they enforce, they typically hand an instruction to a separate firewall. Detection tells you a bad command happened; PacketViper stops the command before it reaches the device, inline, itself.

IT firewalls with OT signatures

Palo Alto Networks, Fortinet, Cisco. Deep packet inspection and port control on IT-first platforms adapted to OT, requiring multiple products to approach the full picture. PacketViper is OT-native by design.

Unidirectional gateways & data diodes

Powerful for one-way isolation, but rigid, and they do not govern the content of bidirectional control that a live process requires. PacketViper governs the commands on a working, bidirectional link.

OT-native inline IPS suites

TXOne Networks deploys inline and filters industrial protocols, closer to PacketViper than passive platforms. Its network defense is signature and allowlist based – a static surface an attacker can map, and false positives train operators to switch security off. Its broader coverage is a suite of separate products: a network IPS, a host agent, a handheld scanner, and an orchestration layer. PacketViper governs the dangerous command by intent, adds Automated Moving Target Defense and deception a signature model has no equivalent for, unifies OT and IT asset management, and delivers it on one appliance.

The PacketViper difference, in one line: others detect and alert, PacketViper understands and enforces – at command level, inline, agentless, transparent, on a single appliance, as one layer of Automated Moving Target Defense.

Protocol Coverage

The full protocol coverage matrix

Coverage is command-level. PacketViper does not merely allow or deny a port – it understands the operations inside the protocol and the manufacturers that speak it, across industrial, process, utility, transportation, building, and semiconductor manufacturing environments.

ProtocolPortDomainPrimary manufacturersGoverned operations
Modbus TCP / RTU502IndustrialSchneider (Modicon), universalRead/write coils and registers, function codes, unit IDs, sources
DNP320000UtilitiesGE, SEL, ABBRead, Write, Operate, Direct Operate, Restart
Siemens S7comm / S7comm-Plus102IndustrialSiemens SIMATICRead/Write Var, Stop/Start, block upload/download
Rockwell EtherNet/IP (CIP)44818 / 2222IndustrialRockwell, Allen-Bradley, OmronGet/Set Attribute, Forward Open, Start/Stop
PROFINETRT / DCPIndustrialSiemens, Phoenix ContactDCP set/reset, real-time governance
OPC UA4840Process / cross-sectorEmerson, Honeywell, Yokogawa, ABB, KepwareWrite/Call/method, endpoint and source policy
OPC Classic (DA / DCOM)dynamic RPCProcess / legacyKepware, Matrikon, DCS historiansEndpoint and source policy
IEC 61850 (MMS / GOOSE)102 / L2PowerABB, Siemens, GE, SEL, SchneiderMMS Select/Operate, GOOSE integrity
IEC 60870-5-1042404PowerSiemens, ABB, GEControl commands (single/double/step)
NTCIP (over SNMP)161TransportationEconolite, McCain, Siemens, Q-Free, SWARCOSET/GET, OID/value, slot control, sign verification, conflict
BACnet (IP and MS/TP)47808BuildingJohnson Controls, Honeywell, Siemens, Schneider, Trane, Automated LogicWrite property, command operations
Omron FINS9600IndustrialOmronMemory read/write, run/stop
Mitsubishi MELSEC (SLMP/MC)5007IndustrialMitsubishi ElectricDevice read/write, run/stop
DF1 / PCCCover EtherNet/IP, serialIndustrialLegacy Rockwell, Allen-BradleyCommand classification
SECS/GEMover HSMSSemiconductor manufacturingSEMI ecosystem fab equipment manufacturersProcess program (recipe) downloads, remote commands, equipment constant changes, by source
Compliance Alignment

The audit trail is a byproduct of operating the system

Because every governed command is recorded with source, target, operation, and verdict, the evidence these frameworks require is generated by operating the system, not by a separate evidence-gathering project.

IEC 62443

Zone and conduit enforcement, least functionality, and control of the commands that cross a conduit.

NIST SP 800-82

Protocol-aware monitoring and control of industrial communications.

NERC CIP

Electronic access control and monitoring for control commands to cyber assets in the bulk electric system.

NIST CSF & SP 800-53

Protect, detect, and respond functions, and least privilege and access enforcement, applied at the protocol layer.

TSA Security Directives & AWIA

Access control, segmentation, and monitoring for operational technology in pipeline, rail, water, and wastewater.

NIS2

Risk management and control measures for essential and important entities in the European Union.

FAQ

OT Protocol Command Control – common questions

Does this require an agent on my PLC or SCADA host?

No. PacketViper is agentless and inline. Nothing is installed on your devices.

Will turning this on disrupt my process?

No. Every protocol module is inert until you enable it, defaults to observation, and fails open on the capture path. You choose the device and you choose when to enforce.

Does it block traffic if the appliance or inspection engine fails?

No. The capture path is fail open. Traffic passes if inspection is unavailable. Enforcement is a deliberate, per-device decision.

Can it inspect encrypted protocols?

Where a protocol is plaintext, PacketViper inspects to the command. Where it is encrypted, PacketViper governs by endpoint, source, and metadata, and inspects any plaintext negotiation. Each protocol module documents its inspection depth.

Do I have to block everything or nothing?

No. Control is surgical and per device. You govern the specific operations and sources that carry risk and leave routine traffic untouched.

How is this different from Claroty, Nozomi, or Dragos?

Those platforms are built to discover assets and detect anomalies, and they are largely passive. PacketViper understands the command and stops it inline, itself, before it reaches the device, on the same box that also delivers deception, sensors, and discovery.

How is this different from a Palo Alto or Fortinet firewall?

An IT firewall adapted to OT does port control and signature inspection and needs multiple products to approach the full picture. PacketViper is an OT-native, transparent, agentless, single-box appliance that starts open, narrows in, and enforces at command level.

Can I manage this across many sites?

Yes. Author a policy once at the Federation Manager and enforce it uniformly across every node in the fleet.

Which protocols and manufacturers are supported?

The mainstream proprietary OT set across industrial, process, utility, transportation, building automation, and semiconductor manufacturing, spanning Siemens, Rockwell and Allen-Bradley, Schneider Electric, Omron, Mitsubishi, GE, ABB, Emerson, Honeywell, Yokogawa, the SEMI fab-equipment ecosystem, and the transportation and building vendors. See the coverage matrix above.

Get Started

Govern the commands that control your OT devices.

Start in Monitor mode for immediate visibility, then enforce on your highest-risk devices. Book a demo and we’ll show command-level control across your protocol landscape.