Protocol-level monitoring can detect attacks that port- and signature-based network monitoring misses. An unauthorized command sequence sent to a PLC travels over the same permitted connection as legitimate traffic: the same source host, the same destination port, the same well-formed protocol frames. A firewall or signature IDS sees nothing wrong, because nothing at that layer is wrong; what is anomalous is the content and order of the commands at the application layer. The challenge is that legitimate maintenance and engineering activity also looks anomalous at that layer, so false positives are inevitable without careful baselining.
Effective protocol anomaly detection requires understanding the baseline behavior of your specific devices and control logic. A valid command sequence in one deployment may be impossible in another. Generic rules based on protocol specifications will fire constantly. Effective rules are specific to your environment.
Baselining Approaches for Protocol Anomalies
Record and analyze a representative period of normal operations for each control system. Document which command sequences are issued, in what order, and at what frequency. Note seasonal variations, shift differences, and maintenance windows where behavior changes legitimately. Once a baseline is established, rules can be built to detect deviations from that baseline rather than deviations from theoretical protocol specifications.
Machine learning approaches can accelerate baselining by automatically identifying normal patterns, but they require substantial data and careful tuning. Simpler statistical approaches—learning common sequences and flagging rare ones—often work as well with less complexity.
Practical Detection Approach
- Command sequence baselining: Record normal command sequences for each controller. Alert when new sequences appear that do not match the baseline.
- Timing anomalies: Establish baseline timing for repetitive commands. Alert when commands are issued at unusual intervals or in unusual volumes.
- Permission violations: Detect when commands are issued by users or systems not normally authorized to issue them.
- State violations: Alert when commands would result in system states that are impossible given prior command history.
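The four checks above, run over a constructed command log, as an added example that is not part of the original article or the practice's own tooling. It learns a baseline the way the previous section describes (record a clean period, then derive the command set, command transitions, issuing hosts and inter-arrival times per controller) and scores a detection window that contains one clean cycle followed by four deliberate anomalies. The controller name PLC1, the hosts 10.0.1.10 and 10.0.1.55, the coil and register addresses, the tag meanings in the comments and the single process rule are all assumptions made for the example; a real deployment takes its state rules from the control logic.

```python
"""Baseline-then-detect over a constructed Modbus/TCP-style write log.

Example added to this article, not the authors' tooling.  The controller
name, IPs, coil/register addresses, tag meanings and the one process rule
are all constructed for illustration.
"""
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Event: (t_seconds, src_ip, controller, fn, address, value)
# fn "coil" = Write Single Coil, "reg" = Write Single Register (names assumed).

def make_cycle(t0, src="10.0.1.10", plc="PLC1"):
    """One constructed normal batch cycle issued by the HMI (10.0.1.10)."""
    return [
        (t0 + 0,  src, plc, "coil", 10, 1),     # valve_open   (assumed tag)
        (t0 + 2,  src, plc, "reg",  40, 1500),  # pump setpoint
        (t0 + 5,  src, plc, "coil", 11, 1),     # pump_start
        (t0 + 45, src, plc, "coil", 11, 0),     # pump_stop
        (t0 + 50, src, plc, "coil", 10, 0),     # valve_close
    ]

BASELINE_LOG = [e for c in range(20) for e in make_cycle(c * 60)]   # 20 clean cycles

# Constructed process rule: pump_start (coil 11 := 1) is only valid while
# valve_open (coil 10) is already 1.  Real rules come from the control logic.
STATE_RULES = {("PLC1", "coil", 11, 1): ("coil", 10, 1)}

def learn_baseline(events):
    cmds = defaultdict(set)      # controller -> commands ever seen
    seqs = defaultdict(set)      # controller -> (prev_cmd, cmd) transitions seen
    sources = defaultdict(set)   # (controller, fn) -> hosts that issued it
    gaps = defaultdict(list)     # exact command -> inter-arrival seconds
    last_cmd, last_t = {}, {}
    for t, src, plc, fn, addr, val in sorted(events):
        cmd = (fn, addr, val)
        cmds[plc].add(cmd)
        if plc in last_cmd:
            seqs[plc].add((last_cmd[plc], cmd))
        last_cmd[plc] = cmd
        sources[(plc, fn)].add(src)
        key = (plc,) + cmd
        if key in last_t:
            gaps[key].append(t - last_t[key])
        last_t[key] = t
    timing = {k: (mean(g), pstdev(g)) for k, g in gaps.items() if len(g) >= 2}
    return {"cmds": cmds, "seqs": seqs, "sources": sources, "timing": timing}

def detect(events, baseline, sigma=3.0):
    """Return (kind, t, controller, detail) alerts for events outside the baseline."""
    alerts = []
    last_cmd, last_t, coils = {}, {}, defaultdict(dict)
    for t, src, plc, fn, addr, val in sorted(events):
        cmd = (fn, addr, val)
        known = baseline["cmds"].get(plc, set())
        prev = last_cmd.get(plc)
        # 1. Command sequence: a never-seen command, or a known command in a
        #    never-seen order.  Skip the transition check when prev was itself
        #    unknown, so one foreign command does not raise two alerts.
        if cmd not in known:
            alerts.append(("unknown_command", t, plc, cmd))
        elif prev in known and (prev, cmd) not in baseline["seqs"].get(plc, set()):
            alerts.append(("new_sequence", t, plc, (prev, cmd)))
        # 2. Permission: this host never issued this function to this controller.
        if src not in baseline["sources"].get((plc, fn), set()):
            alerts.append(("unauthorized_source", t, plc, src))
        # 3. Timing: interval since the same exact command left the learned band.
        key = (plc,) + cmd
        if key in last_t and key in baseline["timing"]:
            mu, sd = baseline["timing"][key]
            delta = t - last_t[key]
            if abs(delta - mu) > max(sigma * sd, 0.25 * mu):   # floor for sd == 0
                alerts.append(("timing", t, plc, delta))
        last_t[key] = t
        # 4. State: the command's precondition is not met by the prior history.
        req = STATE_RULES.get((plc,) + cmd)
        if req and coils[plc].get(req[1]) != req[2]:
            alerts.append(("state_violation", t, plc, req))
        if fn == "coil":
            coils[plc][addr] = val
        last_cmd[plc] = cmd
    return alerts

# Constructed detection window: one clean cycle, then four deliberate anomalies.
DETECT_LOG = make_cycle(1200) + [
    (1230, "10.0.1.55", "PLC1", "reg",  40, 3000),  # unknown host rewrites setpoint mid-run
    (1260, "10.0.1.10", "PLC1", "coil", 11, 1),     # pump_start while valve still closed
    (1261, "10.0.1.10", "PLC1", "coil", 10, 1),     # valve opened after the pump started
    (1263, "10.0.1.10", "PLC1", "reg",  40, 1500),
    (1265, "10.0.1.10", "PLC1", "coil", 11, 1),     # second pump_start 5 s after the first
]

def alert_counts(events=DETECT_LOG, baseline_events=BASELINE_LOG):
    """Alert kind -> count for the detection window against the learned baseline."""
    return dict(Counter(a[0] for a in detect(events, learn_baseline(baseline_events))))

if __name__ == "__main__":
    for a in detect(DETECT_LOG, learn_baseline(BASELINE_LOG)):
        print(a)
```

Run against the clean baseline log the detector is silent; against the detection window it raises one unknown_command and one unauthorized_source for the foreign setpoint write, a state_violation for the pump started against a closed valve, two new_sequence alerts for the out-of-order start and valve open, and a timing alert for the second start five seconds after the first. Three design points matter in practice: the timing band has a floor of 25% of the mean so a perfectly regular baseline (standard deviation zero) does not flag a one-second jitter; the transition check is skipped when the previous command was itself unknown, so a single foreign command does not produce a cascade of sequence alerts; and both the last-seen timestamps and the coil state tracker start empty, so the detection window must begin with a known-good cycle (or be seeded from the controller) before any timing or state verdict is trustworthy. The state tracker also only sees writes it observed, not the physical process, so a coil changed locally or by a path this sensor does not monitor will make its model wrong.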
Scaling Without Fatigue
Start with a single control system. Baseline it thoroughly. Build rules that fire with high confidence. Once you understand the system deeply, expand to similar controllers. Resist the urge to deploy aggressive detection across all devices simultaneously—the result is alert fatigue that ultimately blinds your team. If you'd like to discuss protocol-level detection, baselining methodology, or anomaly detection tuning for your facility, reach out.
This article was written by the Cascadia OT Security practice, which advises Pacific Northwest data centers and manufacturers on industrial cybersecurity. For engagement inquiries, reach our practice team.