Operational Characteristics

First Watch® PLCGuard is a deep-packet inspection and network flow monitoring and filtering engine that observes industrial control network activity and drops packets based on policy. This technology was purposely built for the unique characteristics of industrial control systems.

PLCGuard is specifically designed to detect control layer events in SCADA communications by analysing protocols such as CIP, Modbus, and S7CommPlus.


Capabilities

Real-Time Visibility into Operational Network Activity

PLCGuard provides in-depth, real-time visibility into all activities performed over the operational network. These activities include code downloads/uploads, firmware changes, PLC setting modifications, hardware configuration changes, and tag read/write commands. As a result, industrial security engineers and asset owners can receive detailed, real-time alarms and mitigate security events before damage occurs.

Comprehensive Event Logging

All observed network activity is recorded in a comprehensive event log that can be used for forensic investigations, audit compliance, and operational review.

Network Traffic Monitoring and Filtering

PLCGuard allows monitoring or filtering of traffic flows and recognises modern network protocols such as DNS, SSH, HTTP/S, and others. The operational team can immediately detect unauthorised communications or usage of unknown and unauthorised network protocols — for example, a disallowed connection of an industrial device from a host connected to the Internet.

Native Asset Discovery

PLCGuard natively discovers all devices on the OT network, including PLCs, and provides essential information about each device's attributes. Attributes include vendor, controller model, installed firmware version, serial number, product codes, and more.

Industrial Firewall with Deep Packet Inspection

PLCGuard can be configured as an industrial firewall inspecting industrial network traffic with DPI (Deep Packet Inspection), stopping unauthorised actions — including code downloads/uploads, firmware changes, PLC setting modifications, hardware configuration changes, and tag read/write commands. Industrial security engineers and asset owners receive detailed alarms in real time, enabling them to mitigate security events before damage occurs.

Policy Language and Regular Expressions

Policies can be written either in First Watch native syntax or through regular expressions for deep packet inspection rules. This provides flexibility for both straightforward policy definitions and advanced pattern-based detection logic.

Prevention and Response Actions

PLCGuard supports two levels of enforcement:

  • Traffic drop (prevention) — individual packets matching a prohibited pattern are dropped before reaching the target device
  • Session drop (response) — an entire communication session can be terminated when suspicious or unauthorised activity is detected
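To make the deep-packet-inspection firewall and the two enforcement levels concrete, here is an added illustrative example that is not First Watch or PLCGuard code and does not use the First Watch policy syntax. It parses constructed Modbus/TCP request frames, classifies each PDU as a read or a write by its function code, applies a hypothetical policy (writes allowed only from an engineering-workstation allowlist, everything else default-deny), and escalates from dropping individual packets to dropping the whole session once a source keeps violating the policy. Host addresses, frames and the threshold are all assumed values for the demo.

```python
"""Added example (not PLCGuard's code): Modbus/TCP DPI with packet-drop vs session-drop.
All frames, host addresses and policy values are constructed for this demonstration."""
import struct
from collections import defaultdict

# Modbus public function codes (Modbus Application Protocol spec, section 6)
READ_FUNCTIONS = {1: "read_coils", 2: "read_discrete_inputs",
                  3: "read_holding_registers", 4: "read_input_registers"}
WRITE_FUNCTIONS = {5: "write_single_coil", 6: "write_single_register",
                   15: "write_multiple_coils", 16: "write_multiple_registers",
                   23: "read_write_multiple_registers"}


def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse the MBAP header and function code of a Modbus/TCP request.

    MBAP layout: transaction id (2), protocol id (2), length (2), unit id (1);
    the PDU that follows starts with a 1-byte function code. Malformed input
    raises ValueError so the caller can treat it as a violation, not pass it through."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack("!HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid}")
    if length != len(frame) - 6:          # length counts unit id + PDU bytes
        raise ValueError("MBAP length field does not match frame size")
    fc = frame[7]
    if fc in READ_FUNCTIONS:
        kind, name = "read", READ_FUNCTIONS[fc]
    elif fc in WRITE_FUNCTIONS:
        kind, name = "write", WRITE_FUNCTIONS[fc]
    else:
        kind, name = "other", f"fc_{fc}"
    return {"transaction": tid, "unit": unit, "function": fc, "name": name, "kind": kind}


class ModbusPolicyEngine:
    """Stateful policy: reads are allowed from any host, writes only from the explicit
    allowlist, unknown function codes are denied. Repeated violations by one source
    escalate from per-packet drops (prevention) to a session drop (response)."""

    def __init__(self, write_allowed_hosts, session_drop_threshold=3):
        self.write_allowed_hosts = set(write_allowed_hosts)   # assumed engineering hosts
        self.session_drop_threshold = session_drop_threshold  # assumed escalation point
        self.violations = defaultdict(int)
        self.dropped_sessions = set()
        self.log = []                                          # event log for forensics

    def decide(self, src_host: str, frame: bytes) -> str:
        if src_host in self.dropped_sessions:
            return self._record(src_host, None, "drop_session", "session already terminated")
        try:
            pdu = parse_modbus_tcp(frame)
        except ValueError as exc:
            return self._violation(src_host, None, f"malformed frame: {exc}")
        if pdu["kind"] == "write" and src_host not in self.write_allowed_hosts:
            return self._violation(src_host, pdu, f"{pdu['name']} from non-allowlisted host")
        if pdu["kind"] == "other":
            return self._violation(src_host, pdu, f"function code {pdu['function']} not permitted")
        return self._record(src_host, pdu, "allow", "")

    def _violation(self, src_host, pdu, reason):
        self.violations[src_host] += 1
        if self.violations[src_host] >= self.session_drop_threshold:
            self.dropped_sessions.add(src_host)
            return self._record(src_host, pdu, "drop_session", reason)
        return self._record(src_host, pdu, "drop_packet", reason)

    def _record(self, src_host, pdu, action, reason):
        self.log.append({"src": src_host, "pdu": pdu, "action": action, "reason": reason})
        return action


# Constructed sample traffic: (source host, raw Modbus/TCP frame)
READ_HR = bytes.fromhex("00010000000601030000000a")    # read 10 holding registers at 0
WRITE_SR = bytes.fromhex("0002000000060106001000ff")   # write register 0x10 := 0x00ff
TRUNCATED = bytes.fromhex("000300000006")              # MBAP header only, no PDU
SAMPLE_TRAFFIC = [
    ("10.0.0.10", READ_HR),    # engineering workstation reads: allow
    ("10.0.0.10", WRITE_SR),   # engineering workstation writes: allow
    ("10.0.0.99", READ_HR),    # unknown host reads: allow
    ("10.0.0.99", WRITE_SR),   # unknown host writes: drop packet (violation 1)
    ("10.0.0.99", TRUNCATED),  # malformed: drop packet (violation 2)
    ("10.0.0.99", WRITE_SR),   # third violation: terminate session
    ("10.0.0.99", READ_HR),    # even reads are now refused for that session
]


def run_demo() -> list:
    """Run the constructed traffic through the engine and return the decisions."""
    engine = ModbusPolicyEngine(write_allowed_hosts={"10.0.0.10"})
    return [engine.decide(src, frame) for src, frame in SAMPLE_TRAFFIC]


if __name__ == "__main__":
    for (src, _), action in zip(SAMPLE_TRAFFIC, run_demo()):
        print(f"{src:10} -> {action}")
```

The two enforcement levels map onto the return values: `drop_packet` discards only the offending frame so a legitimate session (for example, a misconfigured HMI) keeps working, whereas `drop_session` refuses all further frames from that source once the violation count reaches the threshold. The per-decision log kept by `_record` is what a forensic review or audit would consume.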

Industrial Protocol Support

PLCGuard provides out-of-the-box support for industrial protocols used by major controller manufacturers:

  • Rockwell Automation (CIP/EtherNet/IP)
  • Siemens (S7CommPlus)
  • Schneider Electric (Modbus)
  • OMRON

The supported controller base is constantly growing, with new protocol support added through platform updates.

Mesh VPN Foundation

PLCGuard serves as the foundation for a distributed, secure mesh VPN, providing an additional security layer that makes critical OT assets invisible to unauthorised users and systems on the network.