
Active Protection

The primary aim of PLC Guard™ is to protect PLC controllers from unauthorised changes. This principle addresses the majority of cyber attacks and unintentional harmful actions in industrial environments.

By enforcing deterministic, policy-driven control at the network level, PLC Guard ensures that only authorised communications reach critical control devices — and that every interaction is visible, governed, and traceable.


Typical Plant Protection Offering

Authorised Communication Control

  • Allows only authorised hosts to communicate with PLCs
  • Allows only authorised commands and setpoints through DPI (Deep Packet Inspection)
  • Controls remote access to PLCs — when, who, why, what, where
  • Prevents unauthorised upgrades of firmware and software on PLCs
  • Stops unauthorised traffic from the Enterprise network to SCADA, Engineering stations, and PLCs
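The two controls above, host allowlisting and command/setpoint inspection through DPI, can be illustrated with a small policy filter. The block below is an added example and is not PLC Guard's own code; it assumes Modbus/TCP as the protocol (the page does not name one), and the host addresses, permitted function codes and register bounds in the policy table are constructed values. A frame is accepted only if the source host is known, the Modbus function code is on that host's allowlist, and any register write targets a permitted address with a value inside the configured setpoint range.

```python
"""Minimal policy-driven Modbus/TCP inspection filter (added example).

Assumptions: Modbus/TCP framing (7-byte MBAP header followed by the PDU);
the POLICY table below is a constructed sample, not a real plant policy.
"""
import struct
from dataclasses import dataclass

# Standard Modbus function codes used in this example
READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_REGISTER = 0x06
WRITE_MULTIPLE_REGISTERS = 0x10


@dataclass
class HostPolicy:
    allowed_functions: set        # function codes this host may issue
    writable_registers: dict      # register address -> (min, max) allowed value


# Constructed sample policy: an HMI may read and write one setpoint register,
# a historian may only read. Any other source host is denied outright.
POLICY = {
    "10.0.10.5": HostPolicy({READ_HOLDING_REGISTERS, WRITE_SINGLE_REGISTER,
                             WRITE_MULTIPLE_REGISTERS}, {100: (0, 500)}),
    "10.0.10.7": HostPolicy({READ_HOLDING_REGISTERS}, {}),
}


def parse_modbus_tcp(payload: bytes) -> dict:
    """Validate the MBAP header and split the frame into unit id, function code and data."""
    if len(payload) < 8:
        raise ValueError("frame too short")
    tid, proto_id, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol id must be 0 and the length field must cover unit id + PDU exactly
    if proto_id != 0 or length != len(payload) - 6:
        raise ValueError("bad MBAP header")
    return {"unit": unit, "function": payload[7], "data": payload[8:]}


def extract_writes(fc: int, data: bytes) -> list:
    """Return (address, value) pairs for register-write requests; empty list otherwise."""
    if fc == WRITE_SINGLE_REGISTER:
        addr, val = struct.unpack(">HH", data[:4])
        return [(addr, val)]
    if fc == WRITE_MULTIPLE_REGISTERS:
        addr, qty, byte_count = struct.unpack(">HHB", data[:5])
        if byte_count != 2 * qty or len(data) < 5 + byte_count:
            raise ValueError("inconsistent write-multiple request")
        vals = struct.unpack(">%dH" % qty, data[5:5 + byte_count])
        return [(addr + i, v) for i, v in enumerate(vals)]
    return []


def evaluate(src_ip: str, payload: bytes) -> tuple:
    """Return ("ALLOW"|"DENY", reason) for one request frame from src_ip."""
    policy = POLICY.get(src_ip)
    if policy is None:
        return ("DENY", "unauthorised host %s" % src_ip)
    try:
        req = parse_modbus_tcp(payload)
        writes = extract_writes(req["function"], req["data"])
    except (ValueError, struct.error) as exc:
        return ("DENY", "malformed Modbus/TCP frame: %s" % exc)
    fc = req["function"]
    if fc not in policy.allowed_functions:
        return ("DENY", "function 0x%02x not permitted for %s" % (fc, src_ip))
    for addr, val in writes:
        bounds = policy.writable_registers.get(addr)
        if bounds is None:
            return ("DENY", "write to register %d not permitted" % addr)
        lo, hi = bounds
        if not lo <= val <= hi:
            return ("DENY", "setpoint %d outside [%d, %d] for register %d" % (val, lo, hi, addr))
    return ("ALLOW", "function 0x%02x from %s" % (fc, src_ip))


# Helpers that build well-formed request frames for testing the filter
def build_request(fc: int, data: bytes, tid: int = 1, unit: int = 1) -> bytes:
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def single_write_request(addr: int, val: int) -> bytes:
    return build_request(WRITE_SINGLE_REGISTER, struct.pack(">HH", addr, val))


def multi_write_request(addr: int, values: list) -> bytes:
    data = struct.pack(">HHB", addr, len(values), 2 * len(values))
    return build_request(WRITE_MULTIPLE_REGISTERS, data + struct.pack(">%dH" % len(values), *values))


def read_request(addr: int, qty: int) -> bytes:
    return build_request(READ_HOLDING_REGISTERS, struct.pack(">HH", addr, qty))


if __name__ == "__main__":
    print(evaluate("10.0.10.5", single_write_request(100, 250)))   # ALLOW
    print(evaluate("10.0.10.5", single_write_request(100, 900)))   # DENY: out of range
    print(evaluate("10.0.10.7", single_write_request(100, 250)))   # DENY: read-only host
    print(evaluate("10.0.99.9", read_request(100, 1)))             # DENY: unknown host
```

The decisions are deterministic and each denial carries a reason string, which is what makes the interaction traceable: the same policy table drives both the enforcement decision and the log line that explains it.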

Threat and Vulnerability Detection

PLC Guard detects threats and vulnerabilities inside the network traffic, including:

  • Outdated PLC firmware — First Watch® detects all PLCs connected to the network passively from the traffic, identifies firmware revisions, and detects vulnerabilities
  • Outdated devices, machinery, controllers, and software — these components are highly vulnerable and can be disrupted by modern security tooling, so every monitoring method must be agreed on before implementation begins
  • Unclear separation of IT and OT networks — traffic between production hosts and the rest of the world is carefully monitored, and unauthorised connections are detected
  • Lack of network access control — new devices connected to the network are detected
  • Lack of encryption — detailed analysis detects plaintext passwords in the traffic
  • Insecure protocols — insecure protocols are detected and reported
  • Insecure connections to devices and machinery — all insecure connections, such as HTTP connections to PLCs, are detected
  • Operational activities with PLCs and specialised equipment — sensitive operations such as firmware updates, software download/upload, setpoint read/write, stop/start, and elevated connections are detected and reported
  • Internet connection from/to OT environment
  • Network scanning from an unauthorised IP address
  • Malformed packets
  • Unusual IP addresses
  • New device connected to the network
  • TCP SYN flood attacks detected through failed network connections
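Several of the detections listed above (new device on the network, insecure HTTP connections to PLCs, unauthorised Enterprise-to-OT traffic, and SYN floods inferred from failed connections) can be expressed as rules over passively observed connection records. The block below is an added example, not PLC Guard's or First Watch's own logic; the subnets, device inventory, PLC addresses, thresholds and the sample connection records are all constructed. Each record is assumed to carry the fields a passive sensor would normally provide: timestamp, source IP and MAC, destination IP and port, protocol, and a connection state where "SYN_NO_REPLY" marks a SYN that never received a SYN-ACK.

```python
"""Rule-based passive OT traffic detector (added example, constructed data)."""
import ipaddress
from collections import defaultdict, deque

# Constructed network model: which subnets are OT vs Enterprise, which hosts are PLCs,
# and the known device inventory (IP -> MAC) that a new-device check compares against.
OT_NET = ipaddress.ip_network("10.0.10.0/24")
ENTERPRISE_NET = ipaddress.ip_network("10.200.0.0/16")
PLCS = {"10.0.10.20", "10.0.10.21"}
KNOWN_DEVICES = {
    "10.0.10.5": "aa:bb:cc:00:00:05",    # HMI
    "10.0.10.7": "aa:bb:cc:00:00:07",    # historian
    "10.0.10.20": "aa:bb:cc:00:00:20",   # PLC
    "10.0.10.21": "aa:bb:cc:00:00:21",   # PLC
}
# Explicitly permitted Enterprise -> OT flows (source IP, destination IP)
ALLOWED_IT_TO_OT = {("10.200.1.10", "10.0.10.7")}
INSECURE_PORTS = {21: "FTP", 23: "Telnet", 80: "HTTP"}
SYN_FAIL_THRESHOLD = 20     # failed connections from one source ...
SYN_WINDOW_S = 10.0         # ... within this many seconds


class Detector:
    def __init__(self):
        self.failed = defaultdict(deque)   # src_ip -> timestamps of failed SYNs
        self.seen_devices = set()          # (ip, mac) pairs already reported
        self.flood_sources = set()         # sources already reported for flooding

    def inspect(self, rec: dict) -> list:
        """Apply all rules to one connection record; return a list of (kind, detail) alerts."""
        alerts = []
        src, dst = rec["src_ip"], rec["dst_ip"]
        src_addr, dst_addr = ipaddress.ip_address(src), ipaddress.ip_address(dst)

        # Lack of network access control: OT source whose IP/MAC is not in the inventory
        if src_addr in OT_NET and KNOWN_DEVICES.get(src) != rec["src_mac"]:
            if (src, rec["src_mac"]) not in self.seen_devices:
                self.seen_devices.add((src, rec["src_mac"]))
                alerts.append(("NEW_DEVICE", "%s (%s) not in inventory" % (src, rec["src_mac"])))

        # Insecure connection to a PLC (e.g. HTTP management interface)
        if dst in PLCS and rec["proto"] == "tcp" and rec["dst_port"] in INSECURE_PORTS:
            alerts.append(("INSECURE_PROTOCOL", "%s -> %s via %s" %
                           (src, dst, INSECURE_PORTS[rec["dst_port"]])))

        # Unclear IT/OT separation: Enterprise host reaching OT without an explicit rule
        if src_addr in ENTERPRISE_NET and dst_addr in OT_NET and (src, dst) not in ALLOWED_IT_TO_OT:
            alerts.append(("UNAUTHORISED_IT_TO_OT", "%s -> %s:%d" % (src, dst, rec["dst_port"])))

        # SYN flood: many failed connection attempts from one source in a sliding window
        if rec["proto"] == "tcp" and rec["state"] == "SYN_NO_REPLY":
            window = self.failed[src]
            window.append(rec["ts"])
            while window and rec["ts"] - window[0] > SYN_WINDOW_S:
                window.popleft()
            if len(window) >= SYN_FAIL_THRESHOLD and src not in self.flood_sources:
                self.flood_sources.add(src)
                alerts.append(("SYN_FLOOD", "%d failed connections from %s in %.0fs" %
                               (len(window), src, SYN_WINDOW_S)))
        return alerts


def run(records: list) -> list:
    """Run a fresh detector over an ordered list of records and collect all alerts."""
    det = Detector()
    alerts = []
    for rec in records:
        alerts.extend(det.inspect(rec))
    return alerts


def flow(ts, src_ip, src_mac, dst_ip, dst_port, state="ESTABLISHED", proto="tcp"):
    return {"ts": ts, "src_ip": src_ip, "src_mac": src_mac, "dst_ip": dst_ip,
            "dst_port": dst_port, "proto": proto, "state": state}


# Constructed sample records: one benign HMI poll, an unknown device using HTTP to a PLC,
# an Enterprise host reaching a PLC, an allowed historian replication flow, and a burst
# of failed connections from the unknown device.
SAMPLE_RECORDS = [
    flow(0.0, "10.0.10.5", "aa:bb:cc:00:00:05", "10.0.10.20", 502),
    flow(1.0, "10.0.10.99", "aa:bb:cc:99:99:99", "10.0.10.20", 80),
    flow(2.0, "10.200.5.5", "00:11:22:33:44:55", "10.0.10.21", 502),
    flow(2.5, "10.200.1.10", "00:11:22:33:44:66", "10.0.10.7", 1433),
] + [flow(3.0 + 0.1 * i, "10.0.10.99", "aa:bb:cc:99:99:99", "10.0.10.20", 1000 + i, "SYN_NO_REPLY")
     for i in range(25)]

if __name__ == "__main__":
    for kind, detail in run(SAMPLE_RECORDS):
        print(kind, "-", detail)
```

Suppressing repeat alerts per device and per flood source keeps the output reviewable; a real sensor would additionally expire those suppressions over time so that a device reappearing days later is reported again.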