OT Protocol Command Control
One framework, every protocol. See the command, not just the port.
Command-level inspection and enforcement for industrial protocols – Modbus, DNP3, Siemens S7, Rockwell CIP, PROFINET, OPC UA, IEC 61850, IEC 104, NTCIP, BACnet, and SECS/GEM – inline, agentless, on a single PacketViper appliance.
If a command reaches the device on the right port and speaks the protocol, the device obeys it.
Industrial protocols were built for reliability and determinism on isolated networks, not for a plant floor that touches the enterprise and an enterprise that touches the internet. Almost none of them authenticate the command.
A Modbus write to a register, a Siemens S7 STOP CPU, a DNP3 Operate, a Rockwell CIP Set Attribute, an IEC 104 control command, an NTCIP SET, or a SECS/GEM recipe download is honored the same way whether it came from the engineering workstation that is supposed to send it or from a host that was never authorized to. The protocol carries no notion of who is asking. A firewall can allow or deny a port, but the port is not the policy – the command is. An intrusion detection system can alert after the fact, but it does not stop the command and it buries the operator in noise. The most dangerous actions in an industrial environment – the ones that move a physical process or reprogram a device – are the least governed. That is the gap PacketViper closes, at the command, on the wire, in real time.
Command-level inspection and enforcement, delivered inline, on one appliance
It is not an agent on the device, not a rip-and-replace of your controllers, and not a passive tap that only watches and alerts. It is an inline control point that understands the language your devices speak and acts on it.
Sees the command
Decodes each protocol to the level of the actual operation: the function or service, the target register or object, the value being written, and the source that sent it.
Classifies the intent
Separates reads from writes, monitoring from control, and routine operations from the small set of commands that can stop, restart, reprogram, or reconfigure a device.
Governs the action
Per device, you decide which commands are allowed, which sources may send them, and at what rate. Everything else is flagged or blocked, your choice, scoped to that one device.
Tells the story
Every command becomes context: what was attempted, by whom, to which device, and whether it was allowed. The attempt is the signal, not just the block.
One framework, every protocol
PacketViper does not solve each protocol with a separate product. One command-inspection framework covers every protocol, which is why a single appliance governs a heterogeneous plant with controllers from a dozen different manufacturers. Adding a manufacturer or a protocol is a new module on the same rails, not a new product.
Decode the protocol to command level: operation, target, value, source.
Classify every operation and mark the dangerous set: the commands that write, control, stop, restart, or reprogram.
Inspect the protocol inline through a durable, fail-open path so inspection is always present and never blocks traffic if the inspector is unavailable.
A per-device, or per-group, policy: monitor or enforce, allowed sources, allowed commands, blocked commands, expected parameters, and rate thresholds.
In enforce mode, a command outside policy is dropped at the wire before it reaches the device. In monitor mode, the same command passes but is recorded as an advisory.
Every command is written to the analytics store and surfaced on purpose-built dashboard widgets.
Configure a protocol policy once at the Federation Manager and enforce it across every node that sees that device or class of device.
A per-protocol tab in the asset detail view, with build-time consistency checks that keep every protocol module uniform.
Transparent, inert until you opt in, fail open by design
Transparent, inline, agentless
PacketViper sits in the path as a transparent bridge. No IP to route to, no agent to install on a controller, no change to the devices or the SCADA host. Legacy equipment that cannot run software and cannot tolerate disruption is protected without touching it.
Inert until you opt in
Every protocol module ships inert. Inspection captures nothing and enforces nothing until you enable monitoring for a specific device or group. There is no global switch that suddenly starts dropping industrial traffic.
Fail open by design
The capture path is fail open. If the inspection engine is not running, protocol traffic passes normally. Enforcement is a decision you make deliberately, per device, never an accident of a service state.
Reading a value is not writing one. Writing a setpoint is not stopping a controller.
For every protocol, PacketViper classifies operations and marks the small set that can move a physical process or change a device program – the dangerous set.
Modbus
Write single and multiple coils and registers, especially to safety and control points.
DNP3
Operate, Direct Operate, and Cold or Warm Restart.
Siemens S7
PLC Stop, program block download, and write to control variables.
Rockwell EtherNet/IP (CIP)
Set Attribute, Forward Open to control classes, and Start or Stop.
IEC 60870-5-104
Single, double, and regulating step control commands.
IEC 61850 MMS
Select With Value and Operate on control blocks.
NTCIP
SET operations that change a displayed message, a message slot, or a signal parameter.
PROFINET DCP
Device set and reset.
BACnet
Write property and command operations against controllers.
Omron FINS & Mitsubishi MELSEC
Memory and device writes, remote run and stop.
SECS/GEM
Process program (recipe) downloads, remote commands, and equipment constant changes to fab tools.
Monitoring, polling, and status reads are the routine background of an OT network. Control is the exception, and control is what PacketViper puts under governance. You do not have to choose between blocking everything and blocking nothing – you govern the operations that actually carry risk.
Start open, narrow in, stay surgical
A firewall starts closed and you open holes. PacketViper starts open and you narrow in. In an environment where a wrong block can stop production, this ordering is the difference between a tool operators trust and a tool they turn off.
Observe
Enable monitoring on a device. PacketViper records every command, source, and value while touching nothing. You learn the real traffic.
Profile
The recorded traffic becomes the baseline. Normal sources and normal operations become visible, and so do the ones that do not belong.
Narrow
Turn on enforcement for the operations that carry risk: block control from unauthorized sources, block the dangerous set, hold the rate. Routine traffic keeps flowing.
Refine
Every blocked or flagged attempt is an investigation, not a closed case: a misconfigured device, an unknown setting, or a genuine threat. The policy gets sharper.
The block is never the end of the story. The attempt is the beginning of one.
Right information, right time, right people
An OT operator does not need more data. PacketViper turns every governed command into situational awareness rather than log volume. AI in PacketViper is decision support, not decision making – it consolidates, contextualizes, and spotlights what deserves attention, and the human pulls the trigger.
Command feeds
Per protocol: what was attempted, source, device, operation, value, and verdict.
Enforcement widgets
What was blocked, and what would have been blocked in monitor mode, so you can validate a policy before you commit to enforcement.
Source and rate views
Surface the talkers that do not belong and the ones sending too much.
Protocol-specific insight
The operations that matter for that protocol – sign state and conflict for NTCIP, control and restart for DNP3, recipe source for SECS/GEM.
Asset view
Ties each device to its protocol activity, its policy, and its history, so the device, not the packet, is the unit of understanding.
Federation makes protocol policy a single decision
In a distributed environment, a class of device may exist at dozens or hundreds of sites. PacketViper federation makes protocol policy a single decision.
- Author a protocol policy once at the Federation Manager
- Push it to every node that protects that device or device class
- Every node enforces the same policy uniformly, and drift is reconciled automatically
One policy, enforced everywhere, whether you protect one plant or a national network of substations, pumping stations, or field cabinets.
What competitors need multiple products to do
Command-level inspection and enforcement, deception, sensors, discovery, and the SCADA gateway are one solution on one box. That is architecture, not limitation.
- Agentless – nothing installed on controllers or SCADA hosts
- Transparent – an inline bridge with no IP in the data path
- Non-disruptive – inert until opt in, observation before enforcement, fail open
- Legacy friendly – protects equipment that cannot be patched, cannot run agents, and cannot tolerate downtime
Others detect and alert. PacketViper understands and enforces.
The OT security market is crowded with tools that see. Very few act, at the command, inline, on one box, without an agent. This is the line that separates PacketViper.
Passive OT visibility & detection platforms
Claroty, Nozomi Networks, Dragos, Tenable OT Security, Armis, Forescout, Cisco Cyber Vision. Built to discover assets and detect anomalies, largely passive by design, and when they enforce, they typically hand an instruction to a separate firewall. Detection tells you a bad command happened; PacketViper stops the command before it reaches the device, inline, itself.
IT firewalls with OT signatures
Palo Alto Networks, Fortinet, Cisco. Deep packet inspection and port control on IT-first platforms adapted to OT, requiring multiple products to approach the full picture. PacketViper is OT-native by design.
Unidirectional gateways & data diodes
Powerful for one-way isolation, but rigid, and they do not govern the content of bidirectional control that a live process requires. PacketViper governs the commands on a working, bidirectional link.
OT-native inline IPS suites
TXOne Networks deploys inline and filters industrial protocols, closer to PacketViper than passive platforms. Its network defense is signature and allowlist based – a static surface an attacker can map, and false positives train operators to switch security off. Its broader coverage is a suite of separate products: a network IPS, a host agent, a handheld scanner, and an orchestration layer. PacketViper governs the dangerous command by intent, adds Automated Moving Target Defense and deception a signature model has no equivalent for, unifies OT and IT asset management, and delivers it on one appliance.
The PacketViper difference, in one line: others detect and alert, PacketViper understands and enforces – at command level, inline, agentless, transparent, on a single appliance, as one layer of Automated Moving Target Defense.
The full protocol coverage matrix
Coverage is command-level. PacketViper does not merely allow or deny a port – it understands the operations inside the protocol and the manufacturers that speak it, across industrial, process, utility, transportation, building, and semiconductor manufacturing environments.
| Protocol | Port | Domain | Primary manufacturers | Governed operations |
|---|---|---|---|---|
| Modbus TCP / RTU | 502 | Industrial | Schneider (Modicon), universal | Read/write coils and registers, function codes, unit IDs, sources |
| DNP3 | 20000 | Utilities | GE, SEL, ABB | Read, Write, Operate, Direct Operate, Restart |
| Siemens S7comm / S7comm-Plus | 102 | Industrial | Siemens SIMATIC | Read/Write Var, Stop/Start, block upload/download |
| Rockwell EtherNet/IP (CIP) | 44818 / 2222 | Industrial | Rockwell, Allen-Bradley, Omron | Get/Set Attribute, Forward Open, Start/Stop |
| PROFINET | RT / DCP | Industrial | Siemens, Phoenix Contact | DCP set/reset, real-time governance |
| OPC UA | 4840 | Process / cross-sector | Emerson, Honeywell, Yokogawa, ABB, Kepware | Write/Call/method, endpoint and source policy |
| OPC Classic (DA / DCOM) | dynamic RPC | Process / legacy | Kepware, Matrikon, DCS historians | Endpoint and source policy |
| IEC 61850 (MMS / GOOSE) | 102 / L2 | Power | ABB, Siemens, GE, SEL, Schneider | MMS Select/Operate, GOOSE integrity |
| IEC 60870-5-104 | 2404 | Power | Siemens, ABB, GE | Control commands (single/double/step) |
| NTCIP (over SNMP) | 161 | Transportation | Econolite, McCain, Siemens, Q-Free, SWARCO | SET/GET, OID/value, slot control, sign verification, conflict |
| BACnet (IP and MS/TP) | 47808 | Building | Johnson Controls, Honeywell, Siemens, Schneider, Trane, Automated Logic | Write property, command operations |
| Omron FINS | 9600 | Industrial | Omron | Memory read/write, run/stop |
| Mitsubishi MELSEC (SLMP/MC) | 5007 | Industrial | Mitsubishi Electric | Device read/write, run/stop |
| DF1 / PCCC | over EtherNet/IP, serial | Industrial | Legacy Rockwell, Allen-Bradley | Command classification |
| SECS/GEM | over HSMS | Semiconductor manufacturing | SEMI ecosystem fab equipment manufacturers | Process program (recipe) downloads, remote commands, equipment constant changes, by source |
The audit trail is a byproduct of operating the system
Because every governed command is recorded with source, target, operation, and verdict, the evidence these frameworks require is generated by operating the system, not by a separate evidence-gathering project.
IEC 62443
Zone and conduit enforcement, least functionality, and control of the commands that cross a conduit.
NIST SP 800-82
Protocol-aware monitoring and control of industrial communications.
NERC CIP
Electronic access control and monitoring for control commands to cyber assets in the bulk electric system.
NIST CSF & SP 800-53
Protect, detect, and respond functions, and least privilege and access enforcement, applied at the protocol layer.
TSA Security Directives & AWIA
Access control, segmentation, and monitoring for operational technology in pipeline, rail, water, and wastewater.
NIS2
Risk management and control measures for essential and important entities in the European Union.
OT Protocol Command Control – common questions
No. PacketViper is agentless and inline. Nothing is installed on your devices.
No. Every protocol module is inert until you enable it, defaults to observation, and fails open on the capture path. You choose the device and you choose when to enforce.
No. The capture path is fail open. Traffic passes if inspection is unavailable. Enforcement is a deliberate, per-device decision.
Where a protocol is plaintext, PacketViper inspects to the command. Where it is encrypted, PacketViper governs by endpoint, source, and metadata, and inspects any plaintext negotiation. Each protocol module documents its inspection depth.
No. Control is surgical and per device. You govern the specific operations and sources that carry risk and leave routine traffic untouched.
Those platforms are built to discover assets and detect anomalies, and they are largely passive. PacketViper understands the command and stops it inline, itself, before it reaches the device, on the same box that also delivers deception, sensors, and discovery.
An IT firewall adapted to OT does port control and signature inspection and needs multiple products to approach the full picture. PacketViper is an OT-native, transparent, agentless, single-box appliance that starts open, narrows in, and enforces at command level.
Yes. Author a policy once at the Federation Manager and enforce it uniformly across every node in the fleet.
The mainstream proprietary OT set across industrial, process, utility, transportation, building automation, and semiconductor manufacturing, spanning Siemens, Rockwell and Allen-Bradley, Schneider Electric, Omron, Mitsubishi, GE, ABB, Emerson, Honeywell, Yokogawa, the SEMI fab-equipment ecosystem, and the transportation and building vendors. See the coverage matrix above.
Govern the commands that control your OT devices.
Start in Monitor mode for immediate visibility, then enforce on your highest-risk devices. Book a demo and we’ll show command-level control across your protocol landscape.