Caver
← All docs
caver-industrial · OT / ICS deep dive

One SIEM for the plant floor and the SOC.

caver-industrial extends the Caver lakehouse SIEM into operational technology. Passive protocol decoders build device identity from OT telemetry, normalize it to OCSF, and land it in one lake beside your IT events. An intrusion that crosses from the corporate network to a PLC reads as a single timeline, not two disconnected tools.

7
Passive decoders
0
Active OT probes
1
Lake, IT + OT
Air-gap
Deploy model

caver-industrial ships as a plugin on the same Caver stack, with per-deployment pricing. It does not stand up a second silo. The same collector, the same OCSF lake, and the same query languages and detection engine that cover your IT estate also cover the industrial network, so OT visibility becomes an extension of the SOC rather than a separate program bolted onto the side.

Industrial protocol decode

Seven passive deep-packet decoders read the industrial protocols directly off the wire. Each one turns raw control traffic into structured, OCSF-shaped events: what device spoke, to whom, with which function code, and whether that behavior matches its baseline.

ProtocolEnvironmentWhat Caver decodes and watches
Modbus TCPPLCs, sensors, actuatorsCoil and register writes, abnormal function codes, unit IDs
DNP3SCADA, electric gridUnauthorised control messages, abnormal polling, station IDs
EtherNet/IPRockwell / Allen-Bradley CIPTag read/write anomalies, unexpected I/O scanner sessions
S7commSiemens S7-300/400/1200/1500Firmware read attempts, unauthorised CPU state changes
BACnet/IPBuilding automation, HVACAnomalous read/write to building and access systems
IEC 60870-5-104European power infrastructureControl commands issued from unexpected sources
OPC-UACross-vendor industrial middlewareSession, node, and subscription anomalies

The decoders run inside caver-collector on the OT side, so the industrial network never has to reach out to anything.

Passive device-identity decode

OT networks cannot tolerate active scanning: a stray probe can knock a fragile PLC offline. caver-industrial never scans. It builds asset identity from observed traffic alone, extracting device fingerprints from Modbus, DNP3, EtherNet/IP, and S7comm exchanges: vendor, model, firmware revision, unit and station IDs, and function-code behavior. The result is an inventory of what is actually on the wire, plus a baseline of normal control activity to detect deviations against.

Passive, not intrusive
Identity comes from traffic Caver already sees. No probes, no polling of fragile controllers. Safe to run on live OT segments.
Asset inventory plus baseline
Every decoded device lands as an OCSF asset with vendor, model, and firmware. Deviations from its normal function-code pattern become detections.

One lake: IT and OT correlation

Decoded OT events normalize to OCSF and route into the industrial CLASS index, with each protocol preserved as a sourcetype (industrial_modbus, industrial_dnp3, industrial_s7comm, and the rest). That index sits in the same lake as the endpoint, network, and identity CLASS indexes that hold your IT telemetry, so one query language spans both halves.

OT protocol trafficModbus, DNP3, S7comm
caver-collectorpassive decode
OCSF normalizenested schema
industrial indexbeside IT data
SLAMIT + OT timeline

The it_ot_correlation and scada_windows content packs stitch the two halves together, tying Windows event logs from engineering workstations to protocol anomalies on the same segment. An attacker moving from the IT perimeter to a SCADA workstation to a PLC surfaces as one correlated timeline in SLAM, not three unrelated alerts in three tools.

ATT&CK for ICS and framework alignment

Industrial detections are mapped to MITRE ATT&CK for ICS, the OT-specific matrix covering tactics like Inhibit Response Function and Impair Process Control, so plant-floor activity is triaged in the same threat-model vocabulary as the enterprise ATT&CK content. Shipped content aligns to NIST 800-82 and IEC 62443, with NERC CIP content on the roadmap. Curated industrial threat-intel feeds track OT CVEs and adversary TTPs, refreshed daily through the Caver content pipeline rather than on a quarterly cycle.

Air-gap and on-prem fit

Caver is a self-hosted lakehouse, which is what makes it deployable where OT actually lives. The collector runs on the industrial side, storage and analytics run on the IT side, and the whole stack runs air-gapped with no outbound dependency. Because everything is stored as Parquet on object storage, the cost ceiling that caps most historians at 90 days does not apply: keep years of control-network history for incident forensics without the per-GB SIEM tax. See how the lake works for the storage and query mechanics.

One stack, not a separate OT silo

Pure-play OT platforms like Dragos are the established answer for OT-only buyers: a decade of industrial focus, mature protocol depth, and named-threat research. caver-industrial answers a different procurement question, do you want one stack that covers IT and OT, or two? Caver is an IT SIEM that also covers OT, so there is no second query language, no second analytics tier, and no second license to reconcile during an investigation that crosses the boundary.

Pure-play OT toolcaver-industrial
Buyer focusOT-only specialistIT and OT in one stack
IT-side coverageIntegrates with a separate IT SIEMNative, Caver is the IT SIEM
CorrelationOT events in an OT toolIT + OT in one query, one timeline
DeploymentAppliance and virtual sensorAir-gap-friendly lakehouse, per-deployment license

The contrast is depth of OT versus breadth of coverage. A pure-play tool is deeper on OT specifically; Caver is broader across IT, OT, and AI security in one place. Caver also ships a native Dragos receiver, so shops already invested in an OT platform can pull its asset inventory and detections into the unified OCSF lake rather than choosing.