What is Protocol Filtering?
Protocol Filtering is a security technique in which network traffic is checked and filtered based on the protocol used, the commands and the content. In OT networks, protocol filtering is used to block unwanted or malicious traffic on industrial protocols such as Modbus, OPC UA, S7 and DNP3.
Protocol Filtering provides fine-grained control over industrial communication, in contrast to traditional firewall rules that only filter IP/port.
🧠 How does protocol filtering work?
- Inspection at layer 7 (the application layer)
- The firewall or industrial IDS analyses network traffic at protocol level
- Recognises commands such as “write”, “read”, “reset”, “firmware update”, etc.
- Defining detailed rules
- For example:
- Allow only “read” on Modbus registers 0-99
- Block all S7 functions except status requests
- Permit OPC UA only with encrypted sessions
- Responding to anomalies
- Traffic that deviates from the allowed profiles is blocked or logged
- Potential triggers for anomaly detection or a SIEM alert
🏭 Use in OT environments
| Protocol | Risk without filtering | Filtering action |
|---|---|---|
| Modbus | Anyone can overwrite registers | Allow read-only commands |
| S7 | Programming and reset functions are possible | Allow only status requests |
| OPC UA | Unencrypted connections are possible | Allow only encrypted sessions |
| DNP3 | Vulnerable to replay and injection attacks | Restrict commands to a pre-approved set |
Protocol Filtering protects against the misuse of legitimate protocols — a common attack vector in OT.
🔐 Relationship with other security measures
- Refines the operation of an Industrial Firewall or Next-Gen Firewall
- Complements Access Control, the zone-and-conduits model and Defense in Depth
- Part of IEC 62443 requirement SR 3.1: “Use of communication control”
✅ Benefits
- Restricts communication to what is strictly necessary
- Protects against misconfigurations, insider misuse and malware
- Improves visibility at protocol level
- Forms a powerful combination with anomaly detection and network monitoring
⚠️ Considerations
- Requires knowledge of industrial protocols and process data
- Incorrect filters can block legitimate communication (risk of downtime)
- Not every protocol can be filtered effectively without specialist equipment
📌 In summary
Protocol Filtering provides in-depth security for industrial networks by allowing only authorised commands per protocol. It is an indispensable element of modern OT security and aligns with the principle of Least Privilege.