Industrial Control Systems (ICS) speak protocols designed in the 1970s-90s when the network was assumed isolated. Many of those protocols are now exposed to IP networks — and they were never designed with authentication, encryption, or integrity in mind. This module covers the major ICS protocols, what they expose, and the patterns of attack and defense.

The protocols that matter

Modbus (TCP / RTU) — most common ICS protocol; simple register-read/write. No auth, no encryption
DNP3 — used heavily in electric utilities, water; some authenticated extensions exist (Secure Authentication v5) but rarely deployed
OPC-UA — modern, designed with security; certificates, signed messages, encryption. Widely adopted in new installations
OPC Classic (DA, HDA, A&E) — older OPC; built on DCOM; no native security
S7Comm / S7CommPlus — Siemens SIMATIC PLCs; widely used in manufacturing
EtherNet/IP (CIP) — Allen-Bradley / Rockwell PLCs; widely used in North America
Profinet — Siemens; deterministic real-time on Ethernet
BACnet — building automation (HVAC, lighting); often internet-exposed
IEC 60870-5-104 — power utilities, SCADA telemetry
IEC 61850 (MMS, GOOSE, SV) — substation automation

Modbus — the demonstration target

Modbus TCP runs on port 502. A request specifies a function code (read holding register, write coil, etc.), a register address, and data. No authentication. No encryption. Anyone with network access can read or write any register.

# Reading registers from a Modbus TCP device
python3 -c "
from pymodbus.client import ModbusTcpClient
c = ModbusTcpClient('192.168.1.50', port=502)
c.connect()
result = c.read_holding_registers(0, 10, slave=1)
print(result.registers)
c.close()
"

# Writing a register (could change a setpoint, open a valve, etc.)
# DO NOT RUN IN PRODUCTION WITHOUT AUTHORIZATION

If a Modbus device is exposed to the internet (and Shodan finds tens of thousands), anyone can interact with it. This is why segmentation matters.

OPC-UA — the modern standard

OPC-UA done right has:

X.509 certificates for client and server
Multiple security policies (Basic128Rsa15, Basic256Sha256, None)
Sign + Encrypt message security
User authentication (anonymous, username/password, certificate, JWT)

OPC-UA done wrong has:

SecurityPolicy = None — no signing or encryption
Anonymous user authentication enabled
Self-signed certs without proper trust list management
Default deployment with empty user store

Test: connect with anonymous + None security; if it succeeds, that’s a finding. Use UA Expert or open62541 client for testing.

S7Comm and the PLC-direct attack surface

Siemens S7-300 and S7-400 PLCs use S7Comm (port 102). Newer S7-1200/1500 use S7CommPlus with some authentication. S7Comm allows reading/writing memory, downloading code blocks, putting the CPU in STOP mode.

🔐 Intermediate Module · Basic Tier

Continue reading with Basic tier (₹499/month)

You've read 25% of this module. Unlock the remaining deep-dive, quiz, and every other Intermediate module.

99+ modulesAll levels up to this tier

20-question quizzesUnlimited retries with explanations

Completion certificatesShareable on LinkedIn

See pricing → Sign in

9 more sections locked below

Module 3 · Industrial Control Protocols 🔒

The protocols that matter

Modbus — the demonstration target

OPC-UA — the modern standard

S7Comm and the PLC-direct attack surface

Continue reading with Basic tier (₹499/month)

Other modules in this track

Module 5 · IoT/OT Lab Walkthrough <span style="color:#6EC1E4;font-size:0.7em;vertical-align:middle;" title="Academy lesson — sign in for full access">🔒</span>

Module 1 · IoT & OT Security Fundamentals <span style="color:#6EC1E4;font-size:0.7em;vertical-align:middle;" title="Academy lesson — sign in for full access">🔒</span>

Module 4 · OT Security Testing Methodology <span style="color:#6EC1E4;font-size:0.7em;vertical-align:middle;" title="Academy lesson — sign in for full access">🔒</span>