
Protocol Filtering (OT)


Protocol filtering is the inspection and selective enforcement of industrial protocol traffic at the command level. A protocol-filtering proxy understands the application protocol — not just TCP ports — and applies allow/deny rules to specific function codes, register ranges, or object operations.

Why port-level filtering is not enough

Traditional firewalls filter by 5-tuple: source IP, destination IP, source port, destination port, protocol. This works for HTTPS and SSH. It is insufficient for industrial protocols, where the difference between a read operation and a write operation is a single function-code byte inside the payload.

A Modbus TCP session on port 502 can carry function code 03 (read holding registers) or function code 06 (write single register) in the same packet structure. The firewall cannot distinguish them. An engineer's diagnostic tool and a malicious actor attempting to change a valve setpoint look identical at the port level.

Protocol filtering inspects the payload, identifies the function code, and applies a policy: allow reads from the SCADA historian, deny writes from anything other than the approved engineering workstation during the approved change window.
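The following added example (not Trout's code, and not part of the original glossary entry) shows the mechanism described above for Modbus TCP: parse the MBAP header and function code, classify the request as read or write, and apply a role-based policy. The source-IP role map and the change window are constructed assumptions for the example.

```python
import struct
from datetime import time

# Public Modbus function codes (Modbus Application Protocol spec).
READ_CODES = {0x01, 0x02, 0x03, 0x04}         # read coils / inputs / registers
WRITE_CODES = {0x05, 0x06, 0x0F, 0x10, 0x17}  # write single/multiple, read-write multiple

# Constructed role map and change window: assumptions for this example.
ROLES = {"10.0.1.10": "historian", "10.0.1.20": "engineering"}
CHANGE_WINDOW = (time(8, 0), time(10, 0))


def build_frame(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Build a Modbus TCP frame: 7-byte MBAP header + PDU (function code + data)."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def parse_frame(frame: bytes):
    """Return (transaction_id, unit_id, function_code, data); raise on a malformed frame."""
    if len(frame) < 8:
        raise ValueError("too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    return tid, unit, frame[7], frame[8:]


def decide(src_ip: str, frame: bytes, now: time) -> str:
    """Policy: reads from historian or engineering, writes only from engineering
    inside the change window, everything else (including malformed) denied.
    Returns an audit string carrying the function code and first address."""
    try:
        tid, unit, fc, data = parse_frame(frame)
    except ValueError as exc:
        return f"deny malformed ({exc})"
    role = ROLES.get(src_ip, "unknown")
    addr = struct.unpack(">H", data[:2])[0] if len(data) >= 2 else None
    detail = f"tid={tid} fc={fc:#04x} unit={unit} addr={addr} role={role}"
    if fc in READ_CODES and role in ("historian", "engineering"):
        return f"allow {detail}"
    in_window = CHANGE_WINDOW[0] <= now < CHANGE_WINDOW[1]
    if fc in WRITE_CODES and role == "engineering" and in_window:
        return f"allow {detail}"
    return f"deny {detail}"
```

The returned string doubles as the command-level audit record: every decision carries the function code and target address rather than only a byte count.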

Protocols commonly filtered

  • Modbus TCP (port 502) — function codes 01–06 cover reads and writes; function codes 08, 16, 23 are frequently restricted.
  • DNP3 (port 20000) — Control Relay Output Block and Analog Output Block operations are typically deny-by-default.
  • EtherNet/IP (port 44818/2222) — CIP services Set Attribute Single and Set Attribute All are restricted.
  • Profinet (port 34962+) — cyclic I/O exchange versus acyclic configuration writes.
  • OPC UA (port 4840) — Write Service and Call Service with attribute-level granularity.
  • BACnet (port 47808) — WriteProperty and WritePropertyMultiple in building automation.

What a protocol-filtering proxy adds

Three things a port-level firewall cannot provide:

  1. Command-level audit. Every request and response is logged with the function code and parameters, not just bytes transferred.
  2. Per-session role enforcement. A read-only operator account can reach the device over the exact same port as an engineer, but only writes from the engineer are allowed.
  3. Protocol-aware anomaly detection. A sudden burst of write operations outside the change-control window becomes a detectable event.

Access Gate connection

Access Gate filters Modbus, DNP3, EtherNet/IP, Profinet, and OPC UA at the command level, enforcing per-session role-based policies that port firewalls cannot express. See Securing Modbus.