Industrial Security Reimagined: MSOC with Brains, Not Just Alarms

MSOC-OT

Most industrial networks aren’t taken down by ransomware. They fall because no one’s watching the protocols that matter—the ENIP chatter between PLCs, the CIP commands altering logic, the silent changes that don’t set off antivirus, but still shut down production.

That’s why Critical Path Security built its Managed Security Operations Center (MSOC) offering around one principle: You can't defend what you can't see.

And now, powered by the Léargas Security platform, our MSOC provides not just visibility—but AI-enriched analytics, real-time behavioral monitoring, and a purpose-built MDR stack designed specifically for OT and ICS environments.


Real Detection in the Field: AI + ACID in Action

Last week, our team caught what others missed.

During real-time monitoring of a mid-sized manufacturing client, our MSOC detected an unauthorized CIP Write Tag request (service 0x4D), the Logix service that writes values straight into controller tags, and with them the setpoints, outputs and control state a PLC acts on. An HMI or SCADA server issues it routinely; a device that has never written a tag should not.

Detection wasn’t luck. It was a combination of three key layers:

  • Parsing deep protocol telemetry, down to the CIP service code and tag path inside each ENIP frame

  • Behavioral detections that flag protocol misuse, such as a write service from a host that only reads

  • Léargas AI, correlating the anomaly against learned behavioral baselines for that host and that asset

Detection Time: May 29, 2025 – 20:44:17 UTC
Event Type: CIP Write Request
Source: 192.168.168.92
Target: 172.16.125.78
Command: Write Tag Service (0x4D)
Severity: High

No malware. No brute force. Just a subtle command that didn’t belong—quiet, precise, and potentially devastating.
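To make the first of those layers concrete, here is an added example of what a Write Tag request looks like on the wire and how a monitor pulls the service code and tag name out of it. This is illustration code written for this post, not Léargas or Critical Path Security code: the session handle, tag name and value are invented, and the frame is a plain unconnected request carried in SendRRData (a real client may wrap it in an Unconnected Send or send it over an established CIP connection, neither of which this decoder handles).

```python
"""Minimal EtherNet/IP + CIP request decoder for a SendRRData frame.

Added example, not Léargas or Critical Path Security code.  The Write Tag
frame is constructed here to match the incident record above (service
0x4D); the tag name and value are invented for illustration.
"""
import struct

ENIP_SENDRRDATA = 0x006F          # encapsulation command carrying unconnected CIP
ITEM_NULL_ADDRESS = 0x0000        # CPF item: no connection address
ITEM_UNCONNECTED_DATA = 0x00B2    # CPF item: the CIP request itself
SEG_ANSI_SYMBOL = 0x91            # request-path segment: ASCII tag name
CIP_DINT = 0x00C4                 # Logix data type code for a 32-bit integer

# Logix tag services; bit 7 of the service byte set (0xCD, 0xCC, ...) marks a reply.
SERVICE_NAMES = {
    0x4C: "Read Tag",
    0x4D: "Write Tag",
    0x4E: "Read Modify Write Tag",
    0x52: "Read Tag Fragmented",
    0x53: "Write Tag Fragmented",
}
WRITE_SERVICES = {0x4D, 0x4E, 0x53}


def build_cip_frame(session: int, service: int, tag: str, service_data: bytes) -> bytes:
    """Wrap one unconnected CIP request addressed to `tag` in an ENIP SendRRData frame."""
    name = tag.encode("ascii")
    path = bytes([SEG_ANSI_SYMBOL, len(name)]) + name
    if len(path) % 2:                      # symbolic segments are padded to a word boundary
        path += b"\x00"
    cip = bytes([service, len(path) // 2]) + path + service_data   # path size is in 16-bit words
    cpf = struct.pack("<HHHHH", 2, ITEM_NULL_ADDRESS, 0, ITEM_UNCONNECTED_DATA, len(cip)) + cip
    body = struct.pack("<IH", 0, 0) + cpf  # interface handle 0 (CIP), timeout 0
    header = struct.pack("<HHII8sI", ENIP_SENDRRDATA, len(body), session, 0, b"\x00" * 8, 0)
    return header + body


def write_tag_frame(session: int, tag: str, value: int) -> bytes:
    """Write Tag (0x4D): data type, element count, then the value."""
    return build_cip_frame(session, 0x4D, tag, struct.pack("<HHi", CIP_DINT, 1, value))


def read_tag_frame(session: int, tag: str) -> bytes:
    """Read Tag (0x4C): element count only."""
    return build_cip_frame(session, 0x4C, tag, struct.pack("<H", 1))


def parse_cip_request(frame: bytes) -> dict:
    """Decode the ENIP header, walk the CPF items and pull out the CIP request.

    Raises ValueError on anything it cannot account for; for a monitor that is
    itself worth logging, since malformed ENIP is not what a healthy HMI sends.
    """
    if len(frame) < 24:
        raise ValueError("short ENIP header")
    command, length, session, _status, _ctx, _opts = struct.unpack_from("<HHII8sI", frame, 0)
    if command != ENIP_SENDRRDATA:
        raise ValueError(f"unsupported ENIP command 0x{command:04X}")
    body = frame[24:24 + length]
    if len(body) != length or length < 8:
        raise ValueError("truncated ENIP payload")
    _iface, _timeout, item_count = struct.unpack_from("<IHH", body, 0)
    offset, cip = 8, None
    for _ in range(item_count):
        if offset + 4 > len(body):
            raise ValueError("truncated CPF item")
        type_id, item_len = struct.unpack_from("<HH", body, offset)
        offset += 4
        if type_id == ITEM_UNCONNECTED_DATA:
            cip = body[offset:offset + item_len]
        offset += item_len
    if cip is None or len(cip) < 2:
        raise ValueError("no unconnected data item")
    service, is_reply = cip[0] & 0x7F, bool(cip[0] & 0x80)
    result = {"session": session, "service": service, "is_reply": is_reply,
              "service_name": SERVICE_NAMES.get(service, "unknown"),
              "is_write": service in WRITE_SERVICES, "tag": None, "data": b""}
    if is_reply:                   # reply layout: service, reserved, general status, extra-status words
        if len(cip) < 4:
            raise ValueError("short CIP reply")
        result["general_status"] = cip[2]
        result["data"] = cip[4 + cip[3] * 2:]
        return result
    path_len = cip[1] * 2
    path, result["data"] = cip[2:2 + path_len], cip[2 + path_len:]
    if path[:1] == bytes([SEG_ANSI_SYMBOL]):
        result["tag"] = path[2:2 + path[1]].decode("ascii", errors="replace")
    return result


if __name__ == "__main__":
    frame = write_tag_frame(0x00020010, "Line1_Speed_SP", 1200)   # constructed
    decoded = parse_cip_request(frame)
    print(f"192.168.168.92 -> 172.16.125.78  {decoded['service_name']} (0x{decoded['service']:02X}) "
          f"tag={decoded['tag']} write={decoded['is_write']}")
```

The point for a monitor is the single service byte: a Read Tag and a Write Tag to the same PLC look identical at the IP and TCP layers and only differ here, which is why port-level firewalls and signature antivirus never see the difference.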


Why This Matters for OT Environments

Industrial networks are full of “normal-looking” traffic. But sometimes, what looks normal is actually a threat.

In this case:

  • The CIP Write came from a device that, in every baseline we had for it, only reads.

  • No failed or malformed requests preceded it. The sender already knew the tag path and the target, which makes a scanner or a misconfigured tool unlikely and deliberate misuse likely.

  • The target system was a known critical asset.

If left unchecked, a write like this could have changed setpoints or forced outputs on the PLC, altered manufacturing output, or created unsafe conditions, all without a single alarm from traditional systems.


What Makes Our MSOC Different

Critical Path Security’s MSOC isn’t just built for security—it’s built for industrial operations. We leverage the Léargas platform to provide:

  • Native protocol visibility (CIP, ENIP, Modbus, DNP3, more)

  • Integrated ACID scripts from CISA for early detection

  • AI-based behavioral analytics: baseline what is normal, flag what is not

  • MDR services backed by analysts who understand OT, not just IT

  • Rapid deployment and flexible integration with existing infrastructure


Post-Incident Response:

After the alert, Critical Path Security initiated the following actions:

  • Isolated and forensically analyzed the source system (192.168.168.92)

  • Verified configuration integrity of the affected PLC (172.16.125.78)

  • Provided protocol-layer recommendations including:

    • Restricting write services to the HMI and engineering hosts that legitimately need them

    • Alerting on rare CIP commands

    • Simulating attack patterns to validate segmentation

This wasn’t just a playbook execution—it was real-time incident handling, built into our MSOC service.
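The observations in "Why This Matters" (a write from a device that only reads, aimed at a critical asset) and the recommendation above to alert on rare CIP commands are the same detection written two ways. Here is an added example of that logic, written for this post rather than taken from the Léargas platform: it learns a per-source profile of CIP services from a learning window of constructed, Zeek-style records, then scores live records against it. The field names, the learning window, the rarity threshold and the critical-asset list are all assumptions.

```python
"""Baseline-and-deviation detection over CIP service telemetry.

Added example, not Léargas platform code.  It learns which CIP services each
source normally issues, then flags writes from sources that only ever read,
and services that were never (or almost never) seen during baselining.
The log records are constructed JSON lines in a Zeek-like shape; the field
names, the learning window and the critical-asset list are assumptions.
"""
import json
from collections import Counter

WRITE_SERVICES = {0x4D: "Write Tag", 0x4E: "Read Modify Write Tag", 0x53: "Write Tag Fragmented"}
SERVICE_NAMES = {0x4C: "Read Tag", 0x52: "Read Tag Fragmented",
                 0x55: "Get Instance Attribute List", **WRITE_SERVICES}
CRITICAL_ASSETS = {"172.16.125.78"}          # assumption: operator-tagged critical PLC
RARE_THRESHOLD = 3                           # fewer baseline sightings than this is "rare"

# Constructed learning-window records: 192.168.168.92 only reads the PLC,
# 192.168.168.10 (the HMI) reads and writes it.
BASELINE_LOG = "\n".join([
    '{"ts":"2025-05-22T08:00:01Z","src":"192.168.168.92","dst":"172.16.125.78","service":"0x4C"}',
    '{"ts":"2025-05-22T08:00:06Z","src":"192.168.168.92","dst":"172.16.125.78","service":"0x4C"}',
    '{"ts":"2025-05-22T08:00:11Z","src":"192.168.168.92","dst":"172.16.125.78","service":"0x4C"}',
    '{"ts":"2025-05-22T08:00:16Z","src":"192.168.168.92","dst":"172.16.125.78","service":"0x4C"}',
    '{"ts":"2025-05-22T08:01:00Z","src":"192.168.168.10","dst":"172.16.125.78","service":"0x4C"}',
    '{"ts":"2025-05-22T08:01:30Z","src":"192.168.168.10","dst":"172.16.125.78","service":"0x4D"}',
    '{"ts":"2025-05-22T09:15:00Z","src":"192.168.168.10","dst":"172.16.125.78","service":"0x4D"}',
    '{"ts":"2025-05-22T11:40:00Z","src":"192.168.168.10","dst":"172.16.125.78","service":"0x4D"}',
    '{"ts":"2025-05-22T11:40:05Z","src":"192.168.168.10","dst":"172.16.125.78","service":"0x4C"}',
])

# Constructed live records: a legitimate HMI write, a normal read, the write
# from the read-only host that matches the incident record, and a tag
# enumeration service never seen during baselining.
LIVE_LOG = "\n".join([
    '{"ts":"2025-05-29T20:40:00Z","src":"192.168.168.10","dst":"172.16.125.78","service":"0x4D"}',
    '{"ts":"2025-05-29T20:44:10Z","src":"192.168.168.92","dst":"172.16.125.78","service":"0x4C"}',
    '{"ts":"2025-05-29T20:44:17Z","src":"192.168.168.92","dst":"172.16.125.78","service":"0x4D"}',
    '{"ts":"2025-05-29T20:50:00Z","src":"192.168.168.10","dst":"172.16.125.78","service":"0x55"}',
])


def parse_records(text: str):
    """Yield one dict per non-empty JSON line, with the service code as an int."""
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["service"] = int(rec["service"], 16)
            yield rec


class CipBaseline:
    """Per-source and global counts of CIP services seen in the learning window."""

    def __init__(self):
        self.per_source: dict = {}          # src -> Counter(service -> sightings)
        self.global_counts: Counter = Counter()

    def learn(self, records) -> None:
        for rec in records:
            self.per_source.setdefault(rec["src"], Counter())[rec["service"]] += 1
            self.global_counts[rec["service"]] += 1

    def known(self, src: str) -> bool:
        return src in self.per_source

    def writes(self, src: str) -> bool:
        return any(s in WRITE_SERVICES for s in self.per_source.get(src, ()))


def evaluate(baseline: CipBaseline, rec: dict):
    """Return an alert dict for a record that deviates from baseline, else None."""
    svc, reasons = rec["service"], []
    if not baseline.known(rec["src"]):
        reasons.append("source never seen during baseline")
    elif svc in WRITE_SERVICES and not baseline.writes(rec["src"]):
        reasons.append(f"{WRITE_SERVICES[svc]} from a source that only read during baseline")
    seen = baseline.global_counts[svc]
    if seen < RARE_THRESHOLD:
        reasons.append(f"rare service: seen {seen} time(s) during baseline")
    if not reasons:
        return None
    # A write aimed at a critical asset is High; everything else starts at Medium.
    severity = "High" if svc in WRITE_SERVICES and rec["dst"] in CRITICAL_ASSETS else "Medium"
    return {"ts": rec["ts"], "src": rec["src"], "dst": rec["dst"], "service": svc,
            "service_name": SERVICE_NAMES.get(svc, "unknown"), "severity": severity,
            "reasons": reasons}


def run_detection(baseline_text: str, live_text: str) -> list:
    """Learn from the baseline window, then return the alerts raised by the live records."""
    baseline = CipBaseline()
    baseline.learn(parse_records(baseline_text))
    return [a for a in (evaluate(baseline, r) for r in parse_records(live_text)) if a]


if __name__ == "__main__":
    for alert in run_detection(BASELINE_LOG, LIVE_LOG):
        print(f"[{alert['severity']}] {alert['ts']} {alert['src']} -> {alert['dst']} "
              f"{alert['service_name']} (0x{alert['service']:02X}): {'; '.join(alert['reasons'])}")
```

Two caveats a practitioner will want. The baseline is only as good as the window it was learned from: if the rogue host had already been writing during baselining, those writes become "normal", so learn from a window the operations team can vouch for and re-learn whenever a device is recommissioned. And in production the profile should also key on destination and tag name, so that an HMI that legitimately writes setpoints on one line is still flagged when it starts writing to a PLC on another.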


The Bigger Picture: OT Needs More Than Alerts

This incident reinforces a hard truth: firewalls and antivirus won’t catch protocol-level abuse.
It takes layered detection.
It takes behavioral intelligence.
It takes people who know what ENIP should look like—and what it shouldn’t.

That’s what Critical Path Security delivers through our MSOC.
That’s what Léargas Security enables with the technology.
Together, we’re making sure ICS threats don’t hide in the noise.


Final Thought

Most platforms can detect known malware. Few can tell when a CIP command just rewrote your future.

If your current OT monitoring doesn’t understand the difference between a read and a write—or between a handshake and a hijack—it’s time to upgrade.

With Léargas as the platform and Critical Path Security as the operator, our MSOC delivers real-time, OT-specific protection.


Not just alerts—answers.
Not just dashboards—action.