One SIEM for the plant floor and the SOC.
caver-industrial extends the Caver lakehouse SIEM into operational technology. Passive protocol decoders build device identity from OT telemetry, normalize it to OCSF, and land it in one lake beside your IT events. An intrusion that crosses from the corporate network to a PLC reads as a single timeline, not two disconnected tools.
caver-industrial ships as a plugin on the same Caver stack, with per-deployment pricing. It does not stand up a second silo. The same collector, the same OCSF lake, and the same query languages and detection engine that cover your IT estate also cover the industrial network, so OT visibility becomes an extension of the SOC rather than a separate program bolted onto the side.
Industrial protocol decode
Seven passive deep-packet decoders read the industrial protocols directly off the wire. Each one turns raw control traffic into structured, OCSF-shaped events: what device spoke, to whom, with which function code, and whether that behavior matches its baseline.
| Protocol | Environment | What Caver decodes and watches |
|---|---|---|
Modbus TCP | PLCs, sensors, actuators | Coil and register writes, abnormal function codes, unit IDs |
DNP3 | SCADA, electric grid | Unauthorised control messages, abnormal polling, station IDs |
EtherNet/IP | Rockwell / Allen-Bradley CIP | Tag read/write anomalies, unexpected I/O scanner sessions |
S7comm | Siemens S7-300/400/1200/1500 | Firmware read attempts, unauthorised CPU state changes |
BACnet/IP | Building automation, HVAC | Anomalous read/write to building and access systems |
IEC 60870-5-104 | European power infrastructure | Control commands issued from unexpected sources |
OPC-UA | Cross-vendor industrial middleware | Session, node, and subscription anomalies |
The decoders run inside caver-collector on the OT side, so the industrial network never has to reach out to anything.
Passive device-identity decode
OT networks cannot tolerate active scanning: a stray probe can knock a fragile PLC offline. caver-industrial never scans. It builds asset identity from observed traffic alone, extracting device fingerprints from Modbus, DNP3, EtherNet/IP, and S7comm exchanges: vendor, model, firmware revision, unit and station IDs, and function-code behavior. The result is an inventory of what is actually on the wire, plus a baseline of normal control activity to detect deviations against.
One lake: IT and OT correlation
Decoded OT events normalize to OCSF and route into the industrial CLASS index, with each protocol preserved as a sourcetype (industrial_modbus, industrial_dnp3, industrial_s7comm, and the rest). That index sits in the same lake as the endpoint, network, and identity CLASS indexes that hold your IT telemetry, so one query language spans both halves.
industrial indexbeside IT dataThe it_ot_correlation and scada_windows content packs stitch the two halves together, tying Windows event logs from engineering workstations to protocol anomalies on the same segment. An attacker moving from the IT perimeter to a SCADA workstation to a PLC surfaces as one correlated timeline in SLAM, not three unrelated alerts in three tools.
ATT&CK for ICS and framework alignment
Industrial detections are mapped to MITRE ATT&CK for ICS, the OT-specific matrix covering tactics like Inhibit Response Function and Impair Process Control, so plant-floor activity is triaged in the same threat-model vocabulary as the enterprise ATT&CK content. Shipped content aligns to NIST 800-82 and IEC 62443, with NERC CIP content on the roadmap. Curated industrial threat-intel feeds track OT CVEs and adversary TTPs, refreshed daily through the Caver content pipeline rather than on a quarterly cycle.
Air-gap and on-prem fit
Caver is a self-hosted lakehouse, which is what makes it deployable where OT actually lives. The collector runs on the industrial side, storage and analytics run on the IT side, and the whole stack runs air-gapped with no outbound dependency. Because everything is stored as Parquet on object storage, the cost ceiling that caps most historians at 90 days does not apply: keep years of control-network history for incident forensics without the per-GB SIEM tax. See how the lake works for the storage and query mechanics.
One stack, not a separate OT silo
Pure-play OT platforms like Dragos are the established answer for OT-only buyers: a decade of industrial focus, mature protocol depth, and named-threat research. caver-industrial answers a different procurement question, do you want one stack that covers IT and OT, or two? Caver is an IT SIEM that also covers OT, so there is no second query language, no second analytics tier, and no second license to reconcile during an investigation that crosses the boundary.
| Pure-play OT tool | caver-industrial | |
|---|---|---|
| Buyer focus | OT-only specialist | IT and OT in one stack |
| IT-side coverage | Integrates with a separate IT SIEM | Native, Caver is the IT SIEM |
| Correlation | OT events in an OT tool | IT + OT in one query, one timeline |
| Deployment | Appliance and virtual sensor | Air-gap-friendly lakehouse, per-deployment license |
The contrast is depth of OT versus breadth of coverage. A pure-play tool is deeper on OT specifically; Caver is broader across IT, OT, and AI security in one place. Caver also ships a native Dragos receiver, so shops already invested in an OT platform can pull its asset inventory and detections into the unified OCSF lake rather than choosing.