ICS Anomaly Detection is a skill that gives AI agents a structured framework for assessing, designing, and validating anomaly detection in industrial control system environments. It is built for cyber defenders working across SCADA, PLC, and IIoT deployments where generic IT security advice can introduce physical safety risks.
The skill supports protocol-level analysis of Modbus, DNP3, OPC UA, S7, and BACnet traffic, enabling an agent to identify function code outliers, timing anomalies, and behavioral deviations from established baselines. It applies a passive-first methodology, meaning analysis and recommendations are designed to avoid disrupting live production environments.
A core function is baseline validation: the skill helps differentiate legitimate maintenance windows from suspicious lateral movement, grounding each finding in observable network evidence rather than generic threat patterns. It works with any OT monitoring platform, PCAP exports, or Historian data, so it is not tied to a specific vendor stack.
The skill produces structured output including findings registers and detection design documents intended for both SOC analysts and operational engineering stakeholders. This makes it suitable for preparing deliverables that bridge the gap between network security teams and plant engineers.
It is not appropriate for environments requiring active scanning or direct interaction with live plant systems, nor for general IT network security tasks where OT-specific protocol knowledge is unnecessary.