monitoring-scada-modbus-traffic-anomalies

# Monitoring SCADA Modbus Traffic Anomalies ## When to Use - Monitoring OT/ICS networks for unauthorized Modbus commands targeting PLCs, RTUs, or HMIs - Detecting reconnaissance activity such as Modbus device enumeration (function code 43, Read Device Identification) - Identifying unauthorized write operations (function codes 05, 06, 15, 16) to coils and holding registers that could alter physical process parameters - Baselining normal Modbus communication patterns and alerting on deviations in function code distribution, register access ranges, or timing intervals - Investigating suspected sabotage or insider threats manipulating SCADA process values through Modbus register writes **Do not use** on networks without authorization from the asset owner, for active injection or fuzzing against production SCADA systems, or as a replacement for safety-instrumented systems (SIS) that provide physical process protection. ## Prerequisites - Network tap or SPAN port on the OT network segment carrying Modbus TCP traffic (port 502) - Python 3.9+ with pymodbus (>=3.6), scapy (>=2.5), and pandas for traffic analysis - Zeek (formerly Bro) installed with the Modbus protocol analyzer enabled for passive traffic logging - Wireshark or tshark for initial packet capture and validation of Modbus frame structure - A baseline period of normal operations (minimum 48-72 hours) to establish communication profiles per device pair - Network diagram identifying Modbus master-slave relationships, de...