Listen to this Post

Introduction:
Operational Technology (OT) security is notoriously opaque—SCADA events flood SIEMs with cryptic signals, and most analysts struggle to separate noise from true incidents. This article extracts the core methodology from an upcoming hands‑on masterclass that teaches you to generate, parse, and detect real SCADA events using Splunk and Labshock, transforming raw OT data into actionable detections without fake cases or dashboard distractions.
Learning Objectives:
- Understand the structure of raw SCADA events and identify which fields are critical for OT threat detection.
- Build a step‑by‑step log flow from SCADA device to Splunk index, including event generation and parsing configuration.
- Create detection rules based on six priority SCADA event types that signal compromise or misoperation in industrial environments.
You Should Know:
- Generating Raw SCADA Events – Emulating Real OT Traffic
Before you can detect, you must know what legitimate and malicious SCADA events look like. Using Labshock (or an open‑source alternative like `smod` orOpenPLC), you can generate realistic Modbus/TCP, DNP3, or IEC 104 traffic. Below is a Linux‑based approach to simulate a SCADA slave device and generate specific event logs.
Step‑by‑step guide:
- Set up a Python virtual environment and install `pyModbus` for Modbus simulation:
python3 -m venv scada_env source scada_env/bin/activate pip install pymodbus
- Create a simple Modbus TCP slave script (
scada_slave.py) that toggles a coil and logs changes:from pymodbus.server import StartTcpServer from pymodbus.datastore import ModbusSlaveContext, ModbusServerContext import logging logging.basicConfig(level=logging.INFO) store = ModbusSlaveContext(zero_mode=True) context = ModbusServerContext(slaves=store, single=True) StartTcpServer(context, address=("0.0.0.0", 5020)) - Run the slave, then use a master script to write to coil 0 every 5 seconds, generating a “value change” event:
from pymodbus.client import ModbusTcpClient import time client = ModbusTcpClient("127.0.0.1", port=5020) client.connect() while True: client.write_coil(0, True) time.sleep(5) client.write_coil(0, False) time.sleep(5) - On Windows, use a pre‑built tool like “Modbus Poll” (free trial) or “CAS Modbus Scanner” to generate read/write events. Log these events to a file or forward them to a syslog collector.
What this does: It creates a repeatable pattern of SCADA write events—each change becomes a raw event that you can forward to Splunk. In a real OT environment, you would collect these from PLCs, RTUs, and HMIs via syslog or native Modbus logging.
- Parsing SCADA Events in Splunk – Breaking Down the Raw Data
Raw SCADA messages (e.g., Modbus TCP) arrive as hex strings or field‑delimited logs. Without proper parsing, a SIEM treats them as generic text. You must extract meaningful fields: function code, unit ID, register address, value, and timestamp.
Step‑by‑step guide (Splunk configuration):
- Define a custom sourcetype, e.g.,
scada_modbus, inprops.conf:[bash] TIME_PREFIX = ^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) MAX_TIMESTAMP_LOOKAHEAD = 19 SHOULD_LINEMERGE = false LINE_BREAKER = ([\r\n]+) - Create a field extraction regex in `transforms.conf` (or use Splunk’s `rex` command at search time):
^(?P<timestamp>\S+ \S+) src_ip=(?P<src_ip>\S+) dst_ip=(?P<dst_ip>\S+) function=(?P<function_code>\d+) unit=(?P<unit_id>\d+) address=(?P<reg_addr>\d+) value=(?P<reg_value>.+)
- Apply the sourcetype to incoming data via `inputs.conf` on a universal forwarder:
[monitor:///var/log/scada/modbus.log] sourcetype = scada_modbus index = ot_siem
4. Test the parsing with a Splunk search:
index=ot_siem sourcetype=scada_modbus | table _time src_ip function_code unit_id reg_addr reg_value
5. For Windows, use the Splunk Add‑on for Windows to monitor flat log files generated by SCADA simulation tools. Ensure the log format is consistent (e.g., CSV or key‑value pairs).
What this does: It transforms cryptic binary‑like messages into structured fields, enabling pivot tables, alerts, and correlation with IT events.
- Identifying Critical SCADA Events – The Six Must‑Monitor Signals
Not all SCADA traffic is equal. The masterclass highlights six events that directly indicate potential sabotage, misconfiguration, or ongoing attacks. For each, you need a detection rule.
Step‑by‑step guide to build detections:
- Unauthorized Coil Write (Modbus function code 5 or 15): Create a Splunk alert for any write command from an IP not in the OT allowlist.
index=ot_siem function_code=5 OR function_code=15 | where NOT match(src_ip, “10.10.10.[0-9]{1,3}”) | stats count by src_ip, unit_id, reg_addr - Holding Register Modification (function code 6 or 16): Detect bulk writes to critical setpoints (e.g., pressure or temperature limits).
index=ot_siem function_code=16 reg_addr>=40001 reg_addr<=40010 | eval threshold_exceeded=if(reg_value > 100, “critical”, “normal”) | where threshold_exceeded=“critical”
- Device Restart or Warm Start (diagnostic events): Parse device status logs (e.g., Modbus diagnostics) for restart counters that increment without a scheduled maintenance.
- Unexpected Protocol Disconnect (TCP FIN or RST bursts): Correlate Splunk network datamodel events for sudden connection drops from a SCADA server.
- Broadcast Ping Sweeps from OT Segment: Use Suricata or Zeek logs in Splunk to detect ICMP echo requests originating from a human‑machine interface (HMI) targeting multiple PLCs.
- Malformed Modbus Frame (exception codes 0x01 or 0x02): Alert on function codes like 0x80 (exception response) that indicate a device rejected a request due to illegal address or data value.
What this does: It moves your OT SIEM from passive logging to active threat hunting. Each detection addresses a specific TTP (technique, tactic, procedure) from frameworks like MITRE ATT&CK for ICS (e.g., T0835 – Modify Parameter).
- Pipelining SCADA Events – From Sensor to Splunk Index
A robust pipeline ensures no event is dropped and timestamps remain accurate. Use lightweight forwarders on historian servers or a dedicated SCADA syslog gateway.
Step‑by‑step guide (Linux syslog‑ng + Splunk UF):
- Configure syslog‑ng to listen for SCADA device logs (often sent via UDP 514 or TCP 601):
/etc/syslog-ng/conf.d/scada.conf source s_scada_udp { udp(ip(0.0.0.0) port(514)); }; destination d_scada_log { file(“/var/log/scada/raw.log” create_dirs(yes)); }; log { source(s_scada_udp); destination(d_scada_log); };
2. Restart syslog‑ng: `sudo systemctl restart syslog-ng`
- Install Splunk Universal Forwarder on the same Linux host:
wget -O splunkforwarder.deb ‘https://www.splunk.com/bin/splunk/DownloadActivity?product=universalforwarder&platform=linux&architecture=x86_64&version=9.0.0’ sudo dpkg -i splunkforwarder.deb sudo /opt/splunkforwarder/bin/splunk enable boot-start
- Configure outputs to your Splunk indexer (Heavy Forwarder or direct):
/opt/splunkforwarder/etc/system/local/outputs.conf [bash] defaultGroup = main_indexer [tcpout:main_indexer] server = 192.168.1.100:9997
5. Monitor the `/var/log/scada/raw.log` file:
sudo /opt/splunkforwarder/bin/splunk add monitor /var/log/scada/raw.log -sourcetype scada_modbus -index ot_siem
What this does: Creates a production‑grade pipeline that scales to hundreds of SCADA devices. On Windows, equivalent steps use Winlogbeat or NXLog to forward events to Splunk HTTP Event Collector (HEC).
- Extending Splunk for SCADA – Custom Alerts and Dashboards
Once events flow in, you need real‑time alerting and a hunter’s dashboard that doesn’t hide raw events. The masterclass emphasizes starting from the raw signal, not pre‑built visuals.
Step‑by‑step guide to create a detection dashboard:
- In Splunk, save a search as an alert:
index=ot_siem (function_code=05 OR function_code=06) reg_addr IN (40001,40002,40003) | eval current_value=tonumber(reg_value) | streamstats window=5 last(current_value) as prev_value by reg_addr | where abs(current_value - prev_value) > 10
Schedule it to run every 60 seconds, triggering a notable event.
2. Build a simple dashboard with two panels:
- Raw SCADA Stream – `index=ot_siem | table _time, src_ip, function_code, reg_addr, reg_value`
– Critical Changes (last 1 hour) – `index=ot_siem | where like(reg_value, “%emergency%”) OR function_code=016 | stats count by reg_addr`
3. For Linux/Windows analysts, add alerts to Microsoft Teams or email using Splunk’s webhook integration:POST /services/alerts/webhook { “url”: “https://your-teams-webhook.com”, “payload”: “{ \”text\”: \”SCADA Alert: $result.reg_addr$ modified to $result.reg_value$\” }” }What this does: Turns your Splunk instance into an OT‑specific SIEM that prioritises anomaly detection over vanity charts. The dashboard shows raw events first – exactly what a SOC analyst needs to spot a zero‑day attack.
- Hardening the OT SIEM Pipeline – Security Controls for Cloud and On‑Prem
SCADA data is sensitive; an exposed SIEM pipeline can become an attacker’s reconnaissance tool. Apply these hardening steps to both Linux forwarders and Windows collectors.
Step‑by‑step guide (cloud/on‑prem mitigation):
- Encrypt forwarder traffic: Enable Splunk’s SSL/TLS for forwarder‑to‑indexer communication. On the forwarder:
/opt/splunkforwarder/bin/splunk add forward-server 192.168.1.100:9997 -ssl
- Restrict access to SCADA logs using Linux ACLs:
sudo setfacl -m u:splunk:r-x /var/log/scada sudo setfacl -m g:ot_team:r-x /var/log/scada
- On Windows, use Group Policy to limit who can read the SCADA log files. Apply audit policies (SACL) to log any unauthorised access attempt to the event collector.
- Deploy a jump host for any cloud‑based SCADA monitoring (AWS, Azure). All SCADA traffic must enter via a VPC with strict security groups (allow only UDP/514 from known OT subnets).
- Mitigate Log Injection Attacks – ensure your syslog parser rejects newline characters injected into SCADA values:
In props.conf – sanitize input SEDCMD-strip_newlines = s/[\r\n]+/ /g
What this does: Protects the availability and integrity of your OT logs. A compromised SIEM pipeline can be used to delete evidence or inject false events, so these steps are non‑negotiable for regulated industries (energy, water, manufacturing).
-
Hands‑On SCADA Event Analysis – A Real‑World Example
Let’s walk through a multi‑stage attack: an adversary scans for Modbus devices, writes a high value to a pressure register, then issues a coil stop command. Using the pipeline above, you can trace each step.
Step‑by‑step incident investigation:
- Initial scan detection: Search for multiple connection attempts from a single IP to port 502 across several SCADA slaves.
index=ot_siem sourcetype=scada_modbus | stats dc(dst_ip) as distinct_slaves by src_ip | where distinct_slaves > 3
- Abnormal write event: Look for a write to holding register 40085 (pressure setpoint) that exceeds 85% of maximum.
index=ot_siem function_code=16 reg_addr=40085 | eval delta=abs(reg_value - 850) | where delta < 10
- Coil stop command: Identify function code 05 (write single coil) to coil 1 (pump enable) with value 0 (false).
index=ot_siem function_code=05 reg_addr=1 reg_value=0
- Correlate timeline: Use `transaction` or `stats` to group events by src_ip within 5 minutes.
index=ot_siem (function_code=16 AND reg_addr=40085) OR (function_code=05 AND reg_addr=1) | transaction src_ip maxspan=5m | table src_ip, eventcount, start, duration
- Response action: Create an automated Splunk playbook that calls a script to block the offending IP on the OT firewall (e.g., via Checkpoint or Palo Alto API).
What this does: Demonstrates a complete investigation loop from raw event to containment. The same method works for ransomware that manipulates SCADA values or for insider threats making unauthorised changes.
What Undercode Say:
- Raw events beat polished dashboards. The masterclass’s insistence on starting from the raw signal—instead of pre‑aggregated charts—is crucial. In OT, subtle anomalies hide in single packet changes; a dashboard that smooths data will miss them.
- Simulation is your only safe training ground. Using Labshock or open‑source tools to generate realistic SCADA events allows you to build detections without risking physical equipment. This approach democratises OT security training.
The gap between IT and OT security is not technical—it’s a mindset shift. IT SIEM analysts expect neat logs with clear field names; OT devices often broadcast sparse, binary streams. By learning to break down SCADA events step by step, you gain the ability to hunt threats that bypass signature‑based tools. The six events outlined (unauthorised coil writes, register modifications, restarts, disconnects, ping sweeps, malformed frames) represent 80% of real‑world ICS incidents according to recent Dragos reports. Automate detection for these, and you’ve already raised your security posture significantly.
Prediction:
Within 18 months, OT‑specific SIEM features will become standard in major cloud SIEMs (Microsoft Sentinel, Google Chronicle), but the biggest demand will be for analysts who can hand‑parse raw SCADA protocols. The shift toward “OT detection engineering” as a distinct career track will accelerate, with certifications like the upcoming GIAC ICS‑SIEM (proposed) gaining rapid adoption. Masterclasses like this one—free, practical, and focused on raw data—are the blueprint for upskilling the next generation of industrial defenders.
▶️ Related Video (80% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Zakharb 2nd – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


