>_~/projects/sinec-security-monitor/opcua-plugin
Industrial protocol analysis / 2024-2026

Protocol Decoding

Break down OPC UA traffic into structured protocol fields such as secure channel setup, service requests, service responses, access behavior, node targets, and status conditions.

Plugin Integration

Develop the Zeek-based plugin so decoded OPC UA behavior can be surfaced inside Siemens SINEC Security Monitor as event-specific telemetry for industrial security monitoring.

Detection Logic

Implement custom checks around service behavior, certificate handling, access-level validation, and write-response conditions so the plugin can support targeted OT detection use cases.

Project Context

SINEC Security Monitor is Siemens' platform for passive, continuous OT security monitoring during production, giving visibility into industrial assets, communication topologies, potential threats, and network intrusions without disrupting operations.

Within that environment, the work focused on researching OPC UA behavior in an R&D lab using PLCs, generated traffic, Wireshark, and UAExpert, then translating those findings into a Zeek-based plugin that could parse protocol activity and emit logs useful for OT monitoring and detection engineering.

Metadata

Domain: OT / Industrial Cybersecurity
Protocol: OPC UA
Platform: SINEC Security Monitor / Zeek
Language: C++
Focus: Parsing / Logging / Detection Logic

Development Workflow

Packet Capture Review

Review generated OPC UA traffic in Wireshark and UAExpert sessions to identify message boundaries, secure-channel behavior, service types, and protocol fields worth elevating into monitoring telemetry.

wireshark + uaexpert + plc traffic generation

Plugin Buildout

Build the Zeek-based plugin structure in C++, define the parser flow, and prepare the analyzer to inspect OPC UA traffic inside the SINEC Security Monitor pipeline.

plugin registration -> parsing -> event hooks

Behavior Mapping

Track protocol state so requests, responses, service mappings, status conditions, and communication behavior can be associated correctly and turned into meaningful events.

request -> service -> validation -> response

Detection Validation

Define attack procedures and generate test-data scenarios to validate how the plugin logs protocol events, certificate handling, access-level checks, and suspicious write behavior.

test scenarios -> log review -> detection tuning

Technical Focus Areas

OPC UA Message Structure

The plugin work starts with understanding OPC UA transport framing, secure channel negotiation, service identifiers, request handles, response status codes, and how these appear in actual PLC communication. How much of this a passive sensor can actually read depends on the secure channel's security mode: with None or Sign the service bodies are visible, while with SignAndEncrypt only the transport header, the secure channel identifier and the certificates exchanged in the OpenSecureChannel handshake remain in the clear.

SINEC Monitoring Integration

The analyzer is built so decoded protocol behavior can be surfaced in Siemens SINEC Security Monitor as structured, OT-relevant telemetry rather than raw packet data alone.

Behavior-Aware Analysis

Because OPC UA relies on request and response flows, the plugin needs enough state to associate responses with earlier actions and distinguish ordinary industrial behavior from unusual or security-relevant activity.

Detection-Oriented Output

Rather than only dumping decoded fields, the output is shaped around monitoring questions: what service was used, what node was targeted, what validation condition was triggered, whether the write or access behavior succeeded, and whether the sequence looks suspicious.
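The following is an added example, not code from the SINEC Security Monitor plugin or from Siemens, written here to tie the three focus areas above together (message structure, behavior-aware state, detection-oriented output). It splits a captured TCP stream on the 8-byte transport header, pulls the service TypeId, RequestHandle and StatusCodes out of unencrypted MSG chunks, correlates a WriteResponse with its WriteRequest on (SecureChannelId, RequestId), and emits one log line shaped like the monitoring questions listed above. Assumptions: the channel runs in SecurityMode None or Sign (under SignAndEncrypt everything after the TokenId is ciphertext), messages are single-chunk, the AdditionalHeader and ServiceDiagnostics fields are empty, and the sample bytes are constructed by hand rather than captured from a PLC. The numeric ids 673 and 676 (WriteRequest and WriteResponse DefaultBinary encodings) and 0x801F0000 (Bad_UserAccessDenied) are the standard's values; names such as Cursor, parseMsg, correlate and sampleClient are this example's own.

```cpp
#include <cstdint>
#include <cstdio>
#include <map>
#include <string>
#include <utility>
#include <vector>
namespace opcua { using Bytes = std::vector<uint8_t>;
// Bounds-checked little-endian reader (every OPC UA binary field is little-endian).
struct Cursor {
    const Bytes& b; size_t pos; bool ok = true; Cursor(const Bytes& buf, size_t at) : b(buf), pos(at) {}
    bool need(size_t n) { ok = ok && pos + n <= b.size(); return ok; }
    uint8_t u8() { return need(1) ? b[pos++] : 0; }
    uint32_t uN(int n) { uint32_t v = 0; if (need(n)) for (int i = 0; i < n; ++i) v |= (uint32_t)b[pos++] << (8 * i); return v; }
    void skip(size_t n) { if (need(n)) pos += n; }
    void skipString() { int32_t len = (int32_t)uN(4); if (len > 0) skip((size_t)len); }  // length -1 encodes null
};
struct NodeId { uint16_t ns = 0; uint32_t id = 0; };
// NodeId per the Part 6 encoding mask (low nibble); service TypeIds are numeric NodeIds in namespace 0.
NodeId readNodeId(Cursor& c) { NodeId n; uint8_t enc = c.u8() & 0x0F;
    if (enc == 0) n.id = c.u8();                                        // TwoByte
    else if (enc == 1) { n.ns = c.u8(); n.id = c.uN(2); }               // FourByte
    else if (enc == 2) { n.ns = c.uN(2); n.id = c.uN(4); }              // Numeric
    else if (enc == 3 || enc == 5) { n.ns = c.uN(2); c.skipString(); }  // String / ByteString
    else if (enc == 4) { n.ns = c.uN(2); c.skip(16); }                  // Guid
    else c.ok = false;
    return n; }
struct Frame { std::string type; char chunk; uint32_t size; size_t at; };
struct Split { std::vector<Frame> frames; size_t consumed = 0; };
// Message boundaries come from the 8-byte header (MessageType, ChunkType, MessageSize); an incomplete tail stays unconsumed.
Split splitFrames(const Bytes& buf) {
    Split s;
    while (buf.size() - s.consumed >= 8) {
        uint32_t size = Cursor(buf, s.consumed + 4).uN(4);
        if (size < 8 || size > buf.size() - s.consumed) break;   // malformed or partial frame: stop and wait for more TCP data
        s.frames.push_back({std::string(buf.begin() + s.consumed, buf.begin() + s.consumed + 3), (char)buf[s.consumed + 3], size, s.consumed});
        s.consumed += size;
    }
    return s;
}
enum : uint32_t { WriteRequest = 673, WriteResponse = 676 };   // *_Encoding_DefaultBinary TypeIds (ns=0)
struct ServiceEvent { NodeId target; uint32_t attribute = 0; bool response = false, complete = false;   // target/attribute: NodesToWrite[0]
    uint32_t channel = 0, requestId = 0, serviceId = 0, requestHandle = 0, serviceResult = 0, firstResult = 0;
};
inline bool isBad(uint32_t status) { return (status >> 30) == 2; }   // StatusCode severity bits 10 = Bad_*
// Decode a single-chunk MSG in SecurityMode None or Sign (under SignAndEncrypt everything after the TokenId is ciphertext).
ServiceEvent parseMsg(const Bytes& buf, const Frame& f) {
    ServiceEvent e; if (f.type != "MSG" || f.chunk != 'F') return e;
    Cursor c(buf, f.at + 8);
    e.channel = c.uN(4); c.skip(8); e.requestId = c.uN(4);   // SecureChannelId, TokenId + SequenceNumber, RequestId
    e.serviceId = readNodeId(c).id;
    if (e.serviceId == WriteRequest) {
        readNodeId(c); c.skip(8); e.requestHandle = c.uN(4);   // AuthenticationToken, Timestamp, RequestHandle
        c.skip(4); c.skipString(); c.skip(4);                  // ReturnDiagnostics, AuditEntryId, TimeoutHint
        readNodeId(c); if (c.u8() != 0) c.ok = false;          // AdditionalHeader: empty ExtensionObject expected
        if ((int32_t)c.uN(4) > 0) { e.target = readNodeId(c); e.attribute = c.uN(4); }   // first WriteValue
    } else if (e.serviceId == WriteResponse) {
        e.response = true; c.skip(8); e.requestHandle = c.uN(4); e.serviceResult = c.uN(4);   // Timestamp, handle, ServiceResult
        if (c.u8() != 0) c.ok = false;                         // ServiceDiagnostics: only the empty DiagnosticInfo is handled
        for (int32_t n = (int32_t)c.uN(4); n > 0; --n) c.skipString();   // StringTable
        readNodeId(c); if (c.u8() != 0) c.ok = false;          // AdditionalHeader
        if ((int32_t)c.uN(4) > 0) e.firstResult = c.uN(4);     // Results[0]: the per-node outcome of the write
    }
    e.complete = c.ok; return e;
}
// Match responses to requests on (SecureChannelId, RequestId); a real analyzer keeps this map per connection and feeds each direction incrementally.
std::vector<std::string> correlate(const Bytes& client, const Bytes& server) {
    std::map<std::pair<uint32_t, uint32_t>, ServiceEvent> pending; std::vector<std::string> log;
    for (const Frame& f : splitFrames(client).frames) { ServiceEvent e = parseMsg(client, f); if (e.complete && !e.response) pending[{e.channel, e.requestId}] = e; }
    for (const Frame& f : splitFrames(server).frames) {
        ServiceEvent e = parseMsg(server, f); auto it = pending.find({e.channel, e.requestId});
        if (!e.complete || !e.response || it == pending.end()) continue;   // undecodable, or no visible request (sensor started mid-session)
        char line[128]; std::snprintf(line, sizeof line, "write ns=%u;i=%u attr=%u handle=%u result=0x%08X %s", (unsigned)it->second.target.ns,
                      (unsigned)it->second.target.id, (unsigned)it->second.attribute, (unsigned)e.requestHandle,
                      (unsigned)e.firstResult, isBad(e.firstResult) ? "FAILED" : "OK");
        log.push_back(line); pending.erase(it);
    }
    return log;
}
// Constructed sample (not a PLC capture): HEL + WriteRequest to ns=3;i=1001, then a WriteResponse whose Results[0] is Bad_UserAccessDenied while ServiceResult is Good.
struct B { Bytes b; B& u8(uint8_t v) { b.push_back(v); return *this; }
    B& u32(uint32_t v) { for (int i = 0; i < 4; ++i) u8((uint8_t)(v >> (8 * i))); return *this; }
    B& str(const std::string& s) { u32((uint32_t)s.size()); b.insert(b.end(), s.begin(), s.end()); return *this; }
    B& frame(const char* hdr, const Bytes& body) { for (int i = 0; i < 4; ++i) u8((uint8_t)hdr[i]); u32(8 + (uint32_t)body.size()); b.insert(b.end(), body.begin(), body.end()); return *this; }
};
Bytes sampleClient() {
    Bytes hel = B().u32(0).u32(65536).u32(65536).u32(0).u32(0).str("opc.tcp://plc:4840").b;
    Bytes req = B().u32(5).u32(1).u32(51).u32(7).u8(1).u8(0).u8(0xA1).u8(0x02)                    // channel 5, RequestId 7, TypeId i=673
        .u8(0).u8(0).u32(0).u32(0).u32(42).u32(0).u32(0xFFFFFFFF).u32(10000).u8(0).u8(0).u8(0)   // RequestHeader, RequestHandle 42
        .u32(1).u8(1).u8(3).u8(0xE9).u8(0x03).u32(13).u32(0xFFFFFFFF).u8(1).u8(6).u32(1).b;      // one WriteValue: ns=3;i=1001, attr 13 (Value), Int32 1
    return B().frame("HELF", hel).frame("MSGF", req).b;
}
Bytes sampleServer() {
    Bytes resp = B().u32(5).u32(1).u32(52).u32(7).u8(1).u8(0).u8(0xA4).u8(0x02)   // channel 5, RequestId 7, TypeId i=676
        .u32(0).u32(0).u32(42).u32(0).u8(0).u32(0).u8(0).u8(0).u8(0)              // ResponseHeader: handle 42, ServiceResult Good
        .u32(1).u32(0x801F0000).u32(0).b;                                         // Results[0] = Bad_UserAccessDenied, no DiagnosticInfos
    return B().frame("MSGF", resp).b;
}
Bytes cutTail(Bytes s, size_t n) { s.resize(s.size() - n); return s; }   // simulates a stream captured mid-frame
} // namespace opcua
```

Calling correlate(sampleClient(), sampleServer()) yields a single line, "write ns=3;i=1001 attr=13 handle=42 result=0x801F0000 FAILED", and splitFrames on a stream cut ten bytes short returns only the complete HEL frame with consumed=50, so the MSG tail can be carried forward for reassembly. The detail worth carrying into a detection rule is that the WriteResponse's ServiceResult is Good while the per-node Results[0] is a Bad_ code: a check that stops at the ResponseHeader would log the refused write as a success.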

Conclusion

The result is a protocol-aware monitoring component that connects low-level OPC UA traffic with higher-level OT security visibility inside Siemens' SINEC Security Monitor workflow.

Final Thoughts

This work deepened protocol analysis, Zeek plugin development, OT lab validation, and detection engineering skills while producing a practical foundation for custom OPC UA monitoring in industrial environments.