OT/ICS Security Scanner

Infrastructurev1.0.0

Passive PCAP analysis for OT/ICS environments with dual scanners covering 7+ industrial protocols and 130+ vendor OUI fingerprints

7+
protocols
130+
vendors
2
scanners
559
loc
OT/ICS Security Scanner — how it works infographic
How OT/ICS Security Scanner works

01Overview

Active network scanning is genuinely dangerous in operational technology. A single unexpected probe can crash a PLC, trip a protection relay, or break a single-master SCADA session and disrupt a live control loop. This project takes the opposite approach: it is a set of purely passive OT/ICS security scanners that never transmit a single packet. Everything is derived offline from captured traffic (PCAP / PCAPNG) collected via TAPs, SPAN ports, or existing IDS/NDR sensors, making it safe to run against production plants, substations, and refineries.

The flagship is the Unified OT Scanner (v2.0, ~22,700 lines) that merges and extends two earlier single-purpose tools into one pipeline. From a capture alone it discovers industrial assets, fingerprints vendors and firmware, decodes 20 industrial protocols, maps the network to the Purdue model, matches known ICS CVEs, detects ICS malware behavior, scores composite risk, and reconstructs multi-hop attack paths from IT entry points to safety-critical devices. Two legacy scanners (PLC-focused and RTU/IED-focused) remain in the repo for reference.

The tool is built for OT/ICS security engineers, SOC analysts covering industrial networks, and asset owners in energy, manufacturing, utilities, and building automation who cannot risk active scanning. Its output is broad and operational: interactive HTML and GraphML topology, SIEM-ready CEF/LEEF/STIX/ECS/Splunk feeds, ServiceNow CMDB import, auto-generated Palo Alto / Fortinet / Cisco firewall policy, and NERC CIP / IEC 62443 / NIST 800-82 compliance reports.

It is notably self-contained and honest about its footprint: stdlib-only Python (only scapy/dpkt/colorama), graceful degradation when optional engines are missing, 76 offline unit tests, and a GitHub Actions matrix across Python 3.8/3.10/3.12. A CISA KEV auto-refresh importer keeps the 'actively exploited' and EPSS data current from authoritative sources instead of hand curation.

02Key Capabilities

Purely passive, offline-safe analysis

Analyzes captured PCAP/PCAPNG traffic without ever sending a packet, so it is safe to run in live SCADA and production control environments.

20 industrial protocol decoders

Parses 17 IP-layer plus 3 Layer-2 ICS protocols including Modbus, S7comm, EtherNet/IP, DNP3, IEC-104, IEC 61850 MMS/GOOSE/SV, OPC-UA, BACnet, MQTT, PROFINET, HART-IP, GE-SRTP, Niagara Fox, and KNXnet/IP.

Vendor and firmware fingerprinting

A 7-step fingerprint pipeline plus a 144-entry OUI database identifies device vendor, model, and firmware, with deep S7comm SZL and DNP3 Group 0 attribute extraction.

29 behavioral vulnerability rules

Detects insecure OT behavior such as unauthenticated DNP3/IEC-104 control, GOOSE without IEC 62351-6, cleartext protocols, and OPC-UA/MQTT without security across four protocol check modules.

ICS CVE matching with EPSS and CISA KEV

Matches devices against 92 curated ICS CVEs enriched with EPSS scores, CISA KEV flags, and exploit maturity, classifying each hit as Now / Next / Never priority.

ICS malware threat detection

Matches observed traffic against 10 ICS malware behavioral signatures (Industroyer, TRITON, Havex, Stuxnet, Pipedream, FrostyGoop, Fuxnet, IOControl, CosmicEnergy, BlackEnergy) mapped to MITRE ATT&CK for ICS.

Purdue model topology mapping

Automatically infers /24 zones, assigns Purdue levels 0-5, detects cross-zone violations, and exports a color-coded GraphML topology for Gephi/yEd/Cytoscape.

Multi-hop attack path analysis

Uses BFS pathfinding to trace routes from IT entry points to crown-jewel OT devices, scoring each path and mapping a per-hop MITRE kill chain with ordered remediation.

Firewall policy generation

Auto-generates segmentation rules from observed flows and exports them as Palo Alto PAN-OS XML, Fortinet CLI, Cisco IOS ACL, or JSON, each mapped to IEC 62443 / NERC CIP / NIST 800-82.

Configuration snapshots and drift detection

Persists device configuration snapshots, marks last-known-good baselines, and raises drift alerts (firmware, module, program, function-code, protocol, peer, risk changes) with MITRE mapping.

Broad SIEM and CMDB integration

Exports 11 formats including CEF, LEEF, STIX 2.1, Splunk HEC, Elastic ECS, ServiceNow CMDB, and generic webhooks for downstream SOC and asset-management tooling.

Offline project-file asset discovery

Parses Siemens TIA Portal, Rockwell L5X, Schneider XEF, CSV, and JSON engineering files to enrich the inventory with ground-truth devices that bypass fingerprinting.

OT/ICS Security Scanner — features diagram

03Architecture

A single PCAP-analysis engine (PCAPAnalyzer in core.py) reads frames through a dual scapy/dpkt backend, dispatches them to Layer-2 and IP protocol analyzers, and builds a per-device registry and communication-flow table. A finalization pipeline then runs fingerprinting, vulnerability checks, CVE matching, topology mapping, risk scoring, threat detection, and access auditing before nine analysis engines and a reporting/export layer render the results. Every sub-engine is loaded via try/except ImportError for graceful degradation.

1
Capture ingestion (core.py)
Dual scapy/dpkt packet reader that separates Layer-2 frames from IP/TCP/UDP packets and populates the OTDevice registry and CommFlow table.
2
Protocol analyzers (protocols/)
18 protocol-decoder modules covering 20 industrial protocols, plus an IT protocol detector (36+ protocols) and a DPI behavior tracker, all subclassing BaseProtocolAnalyzer/BaseL2Analyzer.
3
Fingerprint pipeline (fingerprint/)
7-step vendor identification backed by a 144-entry OUI database and protocol-specific device attributes.
4
Vulnerability & CVE engines (vuln/, cvedb/)
29 behavioral rules across four check modules plus a 92-CVE matcher with EPSS/KEV boosting and Now/Next/Never prioritization.
5
Analysis engines (risk/, threat/, attack/, access/, config/, policy/, topology/, project_files/)
Nine engines covering composite risk, ICS malware detection, attack paths, secure-access audit, config drift, firewall policy, Purdue topology, and project-file parsing.
6
Reporting & export (report/, export/, compliance/, delta/)
Renders JSON/CSV/HTML/GraphML reports, 11 SIEM/CMDB export formats, 35-control compliance assessment, and baseline delta analysis.
OT/ICS Security Scanner — architecture diagram

04Project Structure

ot_scanner/Flagship Unified OT Scanner v2.0 (~22,700 lines) - primary tool with all engines.
ot_scanner/ot_scanner.pyCLI entry point and argument parsing (~750 lines).
ot_scanner/scanner/core.pyPCAPAnalyzer - unified PCAP engine with dual scapy/dpkt backend and finalization pipeline.
ot_scanner/scanner/protocols/22 files: 18 protocol-decoder modules (covering 20 ICS protocols) plus the IT detector, DPI behavior tracker, and base classes.
ot_scanner/scanner/vuln/29 behavioral vulnerability rules across DNP3, IEC-104, IEC 61850, and general/convergence check modules.
ot_scanner/scanner/cvedb/92 ICS CVEs with EPSS/KEV, the Now/Next/Never matcher, and the CISA KEV auto-refresh importer.
ot_scanner/scanner/threat/ThreatDetectionEngine plus 10 ICS malware behavioral signatures with MITRE ATT&CK mapping.
ot_scanner/tests/76 offline unit tests across 11 files covering all engines and the new protocol analyzers.
plc_passive_scanner/Legacy v1.0 PLC device-identification scanner (7 protocols), superseded by v2.0.
rtu_passive_scanner/Legacy v1.0 RTU/IED vulnerability scanner (9 protocols, 21 rules, GOOSE/MMS), superseded by v2.0.
.github/workflows/ci.ymlGitHub Actions CI running the test suite on Python 3.8, 3.10, and 3.12.
CLAUDE.mdDetailed architecture, module map, data flow, and development conventions.

05Security Controls

OT vulnerability rules
29 behavioral rules: 7 DNP3 (no Secure Authentication, unauthenticated control, Direct Operate bypass, restart/file-transfer, multi-master, UDP transport), 5 IEC 60870-5-104, 6 IEC 61850 (GOOSE without IEC 62351-6, simulation-flag abuse, TTL/confRev drift, MMS without TLS), plus 7 cross-protocol/OPC-UA/MQTT and 5 IT/OT convergence rules.
ICS CVE intelligence
92 curated CVEs across 19 vendor groups (Siemens, Rockwell, Schneider, ABB, GE, SEL, Omron, Mitsubishi, Honeywell, Yokogawa and more) with EPSS scores, CISA KEV flags, exploit maturity, and Now/Next/Never prioritization.
ICS malware detection
10 malware behavioral signatures (Industroyer/CrashOverride, TRITON, Havex, BlackEnergy, Pipedream, Stuxnet, FrostyGoop, Fuxnet, IOControl, CosmicEnergy) plus unauthorized-command, reconnaissance, and baseline-anomaly detection.
MITRE ATT&CK for ICS
14 ATT&CK for ICS techniques mapped across threat, attack-path, and config-drift findings (T0816, T0831, T0836, T0839, T0842, T0843, T0845, T0846, T0855, T0858, T0859, T0869, T0882, T0886).
Purdue zone enforcement
Automatic Purdue level 0-5 assignment with 5 zone-violation rules enforcing IEC 62443-3-3 SR 5.1 and NERC CIP-005 segmentation.
Attack path analysis
BFS multi-hop pathfinding (6-hop limit) from IT entry points to crown-jewel OT devices, scored 0-100 on hop count, auth/encryption gaps, Purdue span, and CVE exploitability, with per-hop kill chain and remediation.
Secure access audit
Detects RDP/SSH/VNC/TeamViewer/AnyDesk/OpenVPN/IPsec sessions, identifies jump servers, and rates each against 5 NERC CIP-005-6 R2 compliance rules.
Configuration drift detection
Persistent snapshots with last-known-good baselines and 7 drift rules (firmware, module, program event, function-code shift, new protocol, peer change, risk escalation).
Composite risk scoring
0-100 score fusing vulnerability severity, CVE CVSS, EPSS and CISA KEV boosts, asset criticality multipliers (1.5x safety), and Purdue exposure multipliers, offset by detected compensating controls.
Firewall policy generation
6-stage segmentation rule generation (safety isolation through implicit deny) exported to Palo Alto, Fortinet, Cisco, and JSON, each mapped to IEC 62443-3-3, NERC CIP-005/007, and NIST 800-82.

06Technology Stack

Language
Python 3.8+ (stdlib-only core)
Packet parsing
scapy >= 2.5.0 (primary) or dpkt >= 1.9.8 (fallback backend)
Optional
colorama >= 0.4.6 for colored terminal output
Data modeling
Python dataclasses (20+ domain types with to_dict())
Testing
pytest >= 7.0 - 76 offline unit tests across 11 files
CI
GitHub Actions matrix on Python 3.8, 3.10, 3.12
Reporting
Self-contained HTML (Catppuccin Mocha), GraphML, CSV, JSON
License
MIT

07Quick Start

$ cd ot_scanner && pip install -r requirements.txt
$ python ot_scanner.py capture.pcap -o reports/ -f all
$ python ot_scanner.py capture.pcap --project-dir /path/to/tia_projects/ -o reports/
$ python ot_scanner.py capture.pcap --policy policies/
$ python ot_scanner.py capture.pcap --splunk-hec events.ndjson --elastic-ecs ecs.ndjson
$ python ot_scanner.py capture.pcap -v --severity high   # exit code 1 on CRITICAL/HIGH for CI gating

08Compliance & Frameworks

NERC CIP (v5-7)
15 controls spanning CIP-002 through CIP-013, including CIP-005 R2 remote-access enforcement.
IEC 62443-3-3
12 controls from SR 1.1 through SR 7.7, including SR 5.1 zone segmentation used in violation detection.
NIST SP 800-82 Rev 3
8 controls across sections 5.1 through 6.3.4 for ICS security guidance.
MITRE ATT&CK for ICS
14 techniques mapped across malware, attack-path, and drift detections.
CISA KEV catalog
Auto-refresh importer converts the authoritative CISA Known Exploited Vulnerabilities catalog (plus EPSS) into scanner CVE entries.
OT/ICS Security Scanner — compliance diagram

09Integrations & Outputs

PCAP / PCAPNG captures from TAPs, SPAN/port mirroring, or IDS/NDR sensorsSplunk (CEF + HEC NDJSON)IBM QRadar (LEEF)Elastic / Kibana (ECS NDJSON)STIX 2.1 bundles for ISACs / TAXIIServiceNow CMDB Import Set APIPalo Alto / Fortinet / Cisco firewall policy exportGeneric webhooks (Slack, Teams, PagerDuty)

Explore OT/ICS Security Scanner

Full source, documentation, and deployment guides live on GitHub.