Ics Anomaly Detection

Design and analyze industrial control system anomaly detection logic for safe, protocol-aware OT security monitoring.

Install
cmdop skills install agensi-ics-anomaly-detection

ICS Anomaly Detection is a skill that gives AI agents a structured framework for assessing, designing, and validating anomaly detection in industrial control system environments. It is built for cyber defenders working across SCADA, PLC, and IIoT deployments where generic IT security advice can introduce physical safety risks.

The skill supports protocol-level analysis of Modbus, DNP3, OPC UA, S7, and BACnet traffic, enabling an agent to identify function code outliers, timing anomalies, and behavioral deviations from established baselines. It applies a passive-first methodology, meaning analysis and recommendations are designed to avoid disrupting live production environments.

A core function is baseline validation: the skill helps differentiate legitimate maintenance windows from suspicious lateral movement, grounding each finding in observable network evidence rather than generic threat patterns. It works with any OT monitoring platform, PCAP exports, or Historian data, so it is not tied to a specific vendor stack.

The skill produces structured output including findings registers and detection design documents intended for both SOC analysts and operational engineering stakeholders. This makes it suitable for preparing deliverables that bridge the gap between network security teams and plant engineers.

It is not appropriate for environments requiring active scanning or direct interaction with live plant systems, nor for general IT network security tasks where OT-specific protocol knowledge is unnecessary.

Use cases

  • Analyze PCAP exports for Modbus or DNP3 function code anomalies in an OT network
  • Design a behavioral baseline for PLC communications to distinguish normal from suspicious traffic
  • Generate a structured anomaly findings register for SOC and engineering review
  • Investigate protocol-specific timing deviations in BACnet or OPC UA traffic
  • Produce a detection design plan that maps ICS network behavior to operational risk
  • Differentiate maintenance window activity from potential lateral movement in SCADA environments

When to use it

  • Assessing anomaly detection coverage across SCADA or PLC infrastructure
  • Building detection logic for IIoT environments where passive monitoring is required
  • Producing documentation-grade findings for both security and engineering stakeholders
  • Investigating protocol-level deviations in Modbus, DNP3, S7, OPC UA, or BACnet traffic
  • Validating behavioral baselines against historical Historian or PCAP data

When not to use it

  • Active network scanning or direct interaction with live industrial control systems is needed
  • The environment is a standard IT network with no OT or industrial protocol traffic
  • A packaged detection tool or SIEM integration is required rather than analytical guidance
  • The task involves IT-only protocols with no ICS relevance