OT / ICS Passive Network Scanner

Purely passive, offline security scanners for Operational Technology & Industrial Control Systems
_{Asset discovery · Vulnerability detection · Purdue zone mapping · Compliance assessment · Threat detection · Attack path analysis · SIEM integration}

Version Protocols Rules CVEs Malware Sigs Compliance Exports License

A collection of purely passive OT/ICS security scanners that analyse captured network traffic (PCAP / PCAPNG) to discover industrial devices, detect vulnerabilities, map network topology to the Purdue model, and assess compliance against ICS security frameworks. No packets are ever sent to the network -- all analysis is offline, making these tools safe for use in live production environments where active scanning can trip protection relays or disrupt SCADA control loops.

The project includes a unified scanner (v2.0) that merges and extends two earlier single-purpose scanners, adding 9 advanced analysis modules: deep asset profiling, ICS project file parsing, firewall policy generation, composite risk scoring, ICS malware threat detection, multi-platform SIEM integration, secure access auditing, configuration snapshot management, and attack path analysis.

cd ot_scanner
pip install -r requirements.txt
python ot_scanner.py capture.pcap -o reports/ -f all

13 IP-layer protocols + 3 Layer-2 protocols, plus detection of 36+ IT/enterprise protocols for convergence risk assessment.

IT protocol detection (36+ protocols): HTTP/S, SSH, Telnet, RDP, VNC, TeamViewer, AnyDesk, Radmin, X11, IKE/IPsec, OpenVPN, PPTP, SMB, FTP, TFTP, DNS, DHCP, NTP, SNMP, Syslog, MSSQL, MySQL, PostgreSQL, Oracle, Redis, SMTP, POP3, IMAP, AMQP, and more.

Enhanced device identification beyond basic protocol detection:

• S7comm SZL parsing -- Structured block extraction from SZL ID 0x0011 (Module Identification) and 0x001C (Component Identification) for order numbers, firmware versions, serial numbers, CPU families, and I/O module inventories
• DNP3 Group 0 attributes -- Device description (var 241), product model (var 242), firmware version (var 243), hardware version (var 244), vendor name (var 245)
• Asset criticality inference -- Auto-classifies devices as safety_system, process_control, monitoring, or support based on CIP Safety types, GOOSE trip keywords, safety vendor names, protocol write/control ratios, and device role
• Communication profiles -- Per-device master/slave/peer classification with control ratios, read/write ratios, byte volumes, and peer counts

Offline asset discovery from engineering project files (no network traffic required):

Project file devices receive vendor_confidence = "ground_truth" and bypass fingerprinting. Use --project-dir DIR to load.

29 behavioral vulnerability rules across 4 protocol-specific check modules, plus 5 zone violation rules.

90 curated CVEs across 19 vendor groups with EPSS scores, CISA KEV flags, and exploit maturity ratings. Each matched CVE receives a Now / Next / Never priority classification.

Composite risk scoring (0-100) combining multiple intelligence sources:

9 ICS malware behavioral signatures matched against observed traffic patterns:

4 detection modules: unauthorized command detection, malware signature matching, reconnaissance detection, behavioral baseline anomalies. 14 MITRE ATT&CK for ICS techniques mapped.

Multi-hop attack path discovery from IT entry points to crown jewel OT devices:

• Crown jewel identification -- safety systems, critical PLCs/RTUs, historians, KEV-exploitable devices
• Entry point identification -- remote access sessions, jump servers, gateways, IT/OT bridging devices
• BFS pathfinding -- multi-hop with 6-hop limit, bidirectional reachability graph
• Path scoring (0-100) -- hop count, auth gaps, encryption gaps, Purdue span, target value, CVE exploitability
• MITRE ATT&CK kill chain -- per-hop technique mapping (T0886, T0859, T0855, T0836, T0839, T0843)
• Remediation generation -- ordered mitigation steps per path (segmentation, auth, encryption, patching)

Remote access detection and NERC CIP-005-6 R2 compliance:

• Protocol detection: RDP, SSH, VNC, TeamViewer, AnyDesk, Radmin, X11, IKE/IPsec, OpenVPN, PPTP
• Jump server identification: Automatic from traffic pattern (inbound remote + outbound OT)
• Compliance classification: Each session rated compliant / non-compliant / review_required
• 5 compliance rules: encrypted transport, VPN DMZ termination, no direct L0-1 access, no safety system access, jump server required

Persistent device configuration tracking and drift detection:

• Snapshot capture: firmware, modules, function code profiles, program state, protocols, peers, risk
• Persistent storage: JSON files in --snapshot-dir with index metadata
• Baseline management: --set-baseline marks scan as "last known good" (LKG)
• 7 drift detection rules: firmware_change, module_change, program_event, function_code_shift, new_protocol, peer_change, risk_escalation
• MITRE ATT&CK mapping: T0839, T0843, T0836, T0855, T0869, T0886

Auto-generate firewall segmentation rules from observed traffic patterns:

6 rule generation strategies: safety system isolation (P10-49), control traffic (P50-99), flow-based allows (P100-499), DMZ enforcement (P500-599), zone segmentation (P600-799), implicit deny (P9999). Each rule maps to IEC 62443-3-3, NERC CIP-005/007, and NIST 800-82.

Automatic Purdue model zone classification:

1. Subnet inference -- groups devices into /24 zones
2. Purdue level assignment -- Level 0 (Process) through Level 5 (Internet/Cloud)
3. Criticality overrides -- safety systems forced to L0, process control to L1
4. Edge aggregation -- directed graph with control/cross-zone annotations
5. Zone violation detection -- 5 rules enforcing IEC 62443-3-3 SR 5.1 and NERC CIP-005
6. GraphML export -- Gephi/yEd/Cytoscape with Purdue-level colour coding

35 controls across 3 frameworks:

11 export formats for SIEM, CMDB, threat intelligence, and notification platforms:

Plus: --compliance FILE (NERC CIP + IEC 62443 + NIST 800-82), --delta FILE (baseline comparison), --policy DIR (firewall rules), --snapshot-dir DIR (config snapshots).

# Full scan with all outputs
python ot_scanner.py capture.pcap -o reports/ -f all
# With project file enrichment
python ot_scanner.py capture.pcap --project-dir /path/to/tia_projects/ -o reports/
# Generate firewall policies
python ot_scanner.py capture.pcap --policy policies/
# Configuration snapshot with baseline
python ot_scanner.py capture.pcap --snapshot-dir snapshots/ --set-baseline
# SIEM integration
python ot_scanner.py capture.pcap --splunk-hec events.ndjson --elastic-ecs ecs.ndjson
# ServiceNow CMDB export
python ot_scanner.py capture.pcap --servicenow cmdb_import.json
# Webhook notification
python ot_scanner.py capture.pcap --webhook alert_payload.json
# Delta analysis against baseline
python ot_scanner.py capture.pcap --delta baseline.json --json current.json
# Compliance audit
python ot_scanner.py capture.pcap --compliance audit.txt
# Verbose, filter high+ severity
python ot_scanner.py capture.pcap -v --severity high

Exit codes: 1 if CRITICAL or HIGH findings detected (CI/CD pipeline gating), 0 otherwise.

ot_scanner/
├── ot_scanner.py CLI entry point + argument parsing
├── requirements.txt scapy, dpkt, colorama
└── scanner/
 ├── core.py Unified PCAP analysis engine
 ├── models.py 20+ data types (dataclasses)
 ├── protocols/ 16 industrial protocol analyzers
 │ ├── modbus.py, s7comm.py, enip.py, dnp3.py, fins.py, melsec.py
 │ ├── iec104.py, iec61850_mms.py, sel_protocol.py
 │ ├── opcua.py, bacnet.py, mqtt.py, profinet.py, goose.py
 │ ├── it_detect.py IT protocol detector (36+ protocols)
 │ └── behavior.py Deep packet inspection statistics
 ├── fingerprint/ 7-step vendor fingerprinting pipeline
 ├── vuln/ 29 vulnerability rules (4 check modules)
 ├── topology/ Purdue zones, violations, GraphML
 ├── cvedb/ 90 ICS CVEs with EPSS + CISA KEV
 ├── risk/ Composite risk scoring (0-100)
 ├── threat/ 9 ICS malware sigs + anomaly baselines
 ├── attack/ Multi-hop attack path analysis
 ├── access/ Secure access audit (CIP-005 R2)
 ├── config/ Configuration snapshots + drift detection
 ├── policy/ Firewall rule generation (4 formats)
 ├── project_files/ ICS project file parsers (5 formats)
 ├── export/ CEF, LEEF, STIX, ServiceNow, Splunk, Elastic, Webhook
 ├── compliance/ 35 controls (NERC CIP + IEC 62443 + NIST)
 ├── delta/ Baseline diff analysis
 └── report/ JSON, CSV, HTML, GraphML reports

The unified OT scanner (v2.0) supersedes both legacy scanners. They remain in the repository for reference.

Device-identification-focused scanner for industrial PLCs (7 protocols). Outputs device inventory with vendor, model, firmware, and risk scoring.

Vulnerability-detection-focused scanner for RTUs, FRTUs, and IEDs (9 protocols, 21 vulnerability checks, Layer-2 GOOSE/SV).

Active network scanners are dangerous in OT environments: unexpected packets can crash PLCs, trip protection relays, disrupt real-time control loops, and break single-master SCADA sessions. Passive scanning from a PCAP eliminates all of these risks.

Captures can be collected via network TAPs, port mirroring (SPAN), dedicated sensors, or existing IDS/NDR appliances.

57 unit tests covering all 9 analysis engines, running in < 0.2 seconds with no PCAP dependencies.

cd ot_scanner
pip install -r requirements-dev.txt
python -m pytest tests/ -v

GitHub Actions CI runs on every push and PR against Python 3.8, 3.10, and 3.12.

• Python 3.8+
• scapy >= 2.5.0 (recommended) or dpkt >= 1.9.8 (fallback)
• Optional: colorama >= 0.4.6 (coloured terminal output)
• Dev: pytest >= 7.0 (testing only)

pip install scapy dpkt colorama

MIT -- see LICENSE for details.