0xPlant

ICS/OT/IoT Infrastructure Management

v1.0
Dashboard
● Connected — 2,461 assets
Total Assets: 2,461 (↑ 12 this week)
Online: 2,318 (94.2% availability)
Vulnerabilities: 67 (↑ 3 new this week)
Open Alerts: 23 (↓ 5 from last week)
Asset Distribution by Type
Type | Count | Online | Alerts
PLC | 487 | 98% | 3
RTU | 156 | 95% | 1
HMI | 312 | 97% | 4
DCS | 89 | 100% | 0
SIS | 24 | 100% | 0
Switch/Router | 234 | 91% | 8
IoT Sensor | 847 | 89% | 5
Server | 156 | 99% | 2
Firewall | 12 | 100% | 0
Other | 144 | 93% | 0
Recent Activity
2 min ago
PLC-047 — Unauthorized write blocked
Modbus FC 0x06 from 10.10.8.99
14 min ago
SW-003 — Config change detected
VLAN 120 modified by ot-admin-2
28 min ago
IOT-094 — Onboarded successfully
Temperature sensor, Zone L0, MQTT
1 hour ago
SRV-001 — Patch applied
AVEVA SCADA 2023.1 → 2023.2
2 hours ago
FW-001 — Rule review completed
4 stale rules removed, 2 updated
3 hours ago
Backup completed — all critical assets
Configuration backup for 47 PLCs, 12 RTUs

Asset Inventory

Complete infrastructure inventory — passively discovered and manually registered assets

Asset ID | Name | Type | Vendor / Model | Firmware | Protocol | Zone | IP Address | Status
PLC-001 | Main Process Controller | PLC | Siemens S7-1500 | V2.9.7 | S7comm+ | L1 | 10.10.1.10 | ONLINE
PLC-002 | Water Treatment PLC | PLC | Allen-Bradley CLX | V33.011 | EtherNet/IP | L1 | 10.10.1.11 | VULN
SIS-001 | Safety System | SIS | Triconex 3008 | V10.6 | TriStation | L1 | 10.10.1.100 | ONLINE
DCS-001 | CENTUM VP | DCS | Yokogawa | R6.09 | OPC UA | L1 | 10.10.1.200 | ONLINE
RTU-001 | Substation RTU | RTU | GE D400 | V8.1 | DNP3 | L1 | 10.10.2.20 | ONLINE
HMI-001 | Operator Station 1 | HMI | AVEVA InTouch | 2023 R1 | OPC UA | L2 | 10.10.3.30 | PATCH
EWS-001 | Engineering WS | EWS | Siemens TIA Portal | V18 | S7comm+ | L3 | 10.10.4.40 | ONLINE
SRV-001 | SCADA Server | Server | AVEVA | 2023.2 | Modbus | L3 | 10.10.4.41 | ONLINE
SRV-002 | Historian | Server | OSIsoft PI | 2023 SP1 | OPC UA | L3.5 | 10.10.5.50 | ONLINE
FW-001 | OT Firewall | Firewall | Palo Alto PA-3260 | PAN-OS 11.1 | | DMZ | 10.10.5.1 | ONLINE
SW-001 | Industrial Switch | Switch | Hirschmann RS20 | V9.4.2 | SNMP | L2 | 10.10.3.1 | PATCH
IOT-001 | MQTT Broker | Broker | Mosquitto | V2.0.18 | MQTT | L3 | 10.10.9.10 | MONITOR

Network Topology

Auto-discovered network map with Purdue levels, protocols, and connection paths

Protocol Connection Map
Protocol | Port | Connections | Unique Pairs | Zones | Status
Modbus/TCP | 502 | 487 | 23 | L1↔L2, L2↔L3 | Normal
S7comm+ | 102 | 156 | 8 | L1↔L2 | Normal
OPC UA | 4840 | 234 | 18 | L2↔L3, L3↔DMZ | Normal
EtherNet/IP | 44818 | 312 | 14 | L1↔L2 | Normal
DNP3 | 20000 | 48 | 6 | L1↔L2 | Normal
MQTT | 1883 | 847 | 94 | L0↔L3 | TLS missing (12)
BACnet/IP | 47808 | 64 | 8 | L2 | Normal
SMBv1 | 445 | 3 | 2 | L2↔L3 | Unauthorized

Protocol Analysis

ICS/OT protocol reference and real-time traffic analysis

Modbus/TCP
:502 — IEC 61158
487 active · 23 PLCs/RTUs · Normal baseline
S7comm+
:102 — Siemens
156 active · 8 S7-1500s · Normal baseline
OPC UA
:4840 — IEC 62541
234 active · 18 pairs · Encrypted
EtherNet/IP
:44818 — IEC 61158
312 active · 14 Allen-Bradley · Normal
DNP3
:20000 — IEEE 1815
48 active · 6 substations · SA enabled
MQTT
:1883 — ISO 20922
847 active · 94 IoT sensors · ⚠ 12 unencrypted
BACnet/IP
:47808 — ISO 16484-5
64 active · 8 BMS controllers
IEC 60870-5-104
:2404 — IEC 60870
24 active · Power grid SCADA
TriStation
:1502 — Schneider
2 active · Safety systems · Isolated

Purdue Zones

ISA/IEC 62443 zone and conduit model — asset distribution and security status

L5 — Enterprise Network
142 assets · 3 conduits · 2 findings
Healthy
L4 — Site Business Planning
89 assets · 4 conduits · 5 findings
Warning
L3.5 — Industrial DMZ
24 assets · 6 conduits · 1 finding — Jump host, patch relay, unidirectional GW
Healthy
L3 — Site Manufacturing Operations
156 assets · 8 conduits · 8 findings — SCADA, Historian, EWS
Warning
L2 — Area Supervisory Control
312 assets · 7 conduits · 4 findings — HMIs, Area PLCs, Switches
Healthy
L1 — Basic Control
487 assets · 4 conduits · 12 findings — PLCs, RTUs, DCS, SIS
Critical
L0 — Physical Process
1,251 assets · 2 conduits · 3 findings — Sensors, actuators, VFDs
Healthy

Event Log

Real-time events from all OT/ICS/IoT infrastructure

14:23:41 UTC
SECURITY — Unauthorized Modbus write blocked on PLC-047
Source: 10.10.8.99 → Dest: 10.10.1.47 · FC 0x06 · Blocked by IDS rule #247
14:21:08 UTC
SECURITY — S7comm auth failure on PLC-001 (5 attempts)
Source: EWS-001 (10.10.4.40) · Account locked for 30 minutes
14:09:22 UTC
CONFIG — Golden image mismatch on HMI-003
12 registry changes detected · Unauthorized software: TeamViewer.exe
13:45:11 UTC
NETWORK — Rogue device on VLAN 120 (L2)
MAC: 00:1A:2B:3C:4D:5E · Not in asset inventory · Port disabled
13:30:00 UTC
REMOTE — JIT vendor session started (Siemens)
User: siemens-support → PLC-001 · Approved by OT-Admin-1 · Session recorded
12:00:00 UTC
PATCH — AVEVA SCADA updated on SRV-001
Version: 2023.1 → 2023.2 · Verified · CVE-2023-34360 remediated
11:00:00 UTC
BACKUP — Configuration backup completed
47 PLCs, 12 RTUs, 8 switches · All golden images updated

Change Tracking

Configuration changes, firmware updates, and policy modifications

Time | Asset | Change Type | User | Details | Approved
14:09 UTC | HMI-003 | UNAUTHORIZED | Unknown | 12 registry changes, TeamViewer installed | ✗ No
13:45 UTC | SW-003 | CONFIG | ot-admin-2 | VLAN 120 modified — added port 24 | ✓ CAB-2024-187
12:00 UTC | SRV-001 | PATCH | it-admin-1 | AVEVA SCADA 2023.1 → 2023.2 | ✓ CAB-2024-186
11:00 UTC | 47 PLCs | BACKUP | System | Scheduled configuration backup | ✓ Automated
Yesterday | FW-001 | CONFIG | netsec-1 | 4 stale rules removed, 2 updated | ✓ CAB-2024-185

Alerts

Active alerts across all monitored infrastructure

Critical: 3
Warning: 8
Info: 12
Resolved (7d): 19

Severity | Asset | Alert | Time | Status
CRITICAL | PLC-047 | Unauthorized Modbus write attempt | 14:23 UTC | Active
CRITICAL | PLC-001 | S7comm authentication brute-force | 14:21 UTC | Active
CRITICAL | HMI-003 | Golden image mismatch — unauthorized software | 14:09 UTC | Active
WARNING | VLAN 120 | Rogue device detected — MAC not in inventory | 13:45 UTC | Investigating
WARNING | SW-001 | Firmware V9.4.2 — CVE-2021-33541 unpatched | 12:00 UTC | Scheduled
WARNING | 12 MQTT | MQTT connections without TLS encryption | 08:00 UTC | Under review

Task Center

Scheduled maintenance, patching, and operational tasks

Task | Asset(s) | Assigned | Due | Priority | Status
Patch Siemens S7-1500 (CVE-2023-28489) | PLC-001, PLC-003, PLC-012 | ot-eng-1 | Mar 15 | P1 | Scheduled
Upgrade Hirschmann switch firmware | SW-001, SW-003, SW-005 | net-admin | Mar 18 | P2 | Testing
Investigate HMI-003 golden image drift | HMI-003 | soc-analyst | Mar 11 | P1 | In Progress
Enable TLS on MQTT IoT sensors | 12 IoT sensors | iot-team | Mar 20 | P2 | Planning
Quarterly firewall rule review | FW-001, FW-002 | netsec-1 | Mar 30 | P3 | Not Started
Annual penetration test — OT environment | All zones | External vendor | Apr 15 | P3 | Contracted

Vulnerability Management

ICS-CERT advisory correlation with asset inventory

Critical (CVSS 9+): 23
High (CVSS 7-8.9): 44
Medium (CVSS 4-6.9): 142
Patched within SLA: 89%

CVE | Product | CVSS | Assets | Patch | Status
CVE-2023-28489 | Siemens S7-1500 | 9.8 | 3 | V3.0.1 | Scheduled — Mar 15
CVE-2022-1159 | Rockwell CompactLogix | 8.6 | 7 | V34.011 | Testing in staging
CVE-2023-34360 | AVEVA SCADA | 8.1 | 2 | 2023.2 | Patched
CVE-2021-33541 | Hirschmann RS20 | 7.5 | 8 | V9.5.0 | Deploying next week
CVE-2023-0955 | JCI BMS Controller | 6.5 | 4 | V4.4 | Compensating control
CVE-2023-28366 | Eclipse Mosquitto | 5.3 | 1 | V2.0.19 | Patched

Settings

Platform configuration and preferences

Discovery
Passive discovery (SPAN/TAP)
Continuously discover assets from network traffic
Auto-classify Purdue zone
Automatically assign Purdue level based on traffic patterns
Rogue device alerts
Alert when unknown MAC addresses appear on OT VLANs
Active probing (maintenance only)
Enable active scanning during approved windows
Alerts & Notifications
Email alerts for critical events
Send email to CISO and SOC team
Syslog forwarding (SIEM)
Forward events to SIEM at 10.10.5.100
Golden image drift alerts
Alert when HMI/server config diverges from baseline
Unauthorized protocol alerts
Alert on protocols not in zone policy baseline

Compliance Management

Multi-framework compliance tracking and gap analysis

Overall Score: 71.5% (↑ 3.2% this quarter)
Controls Implemented: 892 of 1,247 total
Critical Gaps: 23 (↓ 4 from last quarter)
Frameworks Tracked: 6
Framework Compliance Status
Framework | Version | Score | Implemented | Gaps | Next Audit | Status
ISA/IEC 62443 | 2018 | 68% | 204 / 300 | 96 | Apr 2026 | In Progress
NIST SP 800-82 | Rev 3 | 75% | 188 / 250 | 62 | Jun 2026 | In Progress
NERC CIP | v7 | 82% | 164 / 200 | 36 | Mar 2026 | Audit Due
MITRE ATT&CK ICS | v14 | 84% | 47 / 56 | 9 | | Active
CIS Controls | v8.1 | 74% | 133 / 180 | 47 | Sep 2026 | In Progress
CISA ICS Baseline | 2024 | 65% | 156 / 240 | 84 | Jul 2026 | In Progress
Top Critical Gaps
Gap | Framework | Risk | Owner | Target Date
No network segmentation between L2 and L1 for BACnet | IEC 62443 | Critical | NetSec-1 | Mar 30
Missing MFA on 3 engineering workstations | NIST 800-82 | Critical | OT-Admin | Mar 15
No incident response plan for SIS compromise | IEC 62443 | Critical | CISO | Apr 1
SNMP v1/v2c on 8 managed switches | CIS Controls | High | Net-Admin | Mar 20
No SBOM for 4 vendor-supplied applications | CISA Baseline | High | Procurement | Apr 15

Audit Log

Immutable record of all platform actions, configuration changes, and access events

Events (30 days): 14,823
Active Users: 12
Denied Actions: 47
Retention: 365 days

Timestamp | User | Action | Target | Result | IP
14:23:41 UTC | system | BLOCK | PLC-047 (Modbus write) | Denied | 10.10.8.99
14:21:08 UTC | unknown | AUTH_FAIL x5 | PLC-001 (S7comm) | Locked | 10.10.4.40
13:45:11 UTC | ot-admin-2 | CONFIG_CHANGE | SW-003 (VLAN 120) | Approved | 10.10.4.50
13:30:00 UTC | siemens-support | REMOTE_SESSION | PLC-001 | Active | 203.0.113.50
12:00:00 UTC | it-admin-1 | PATCH_DEPLOY | SRV-001 (AVEVA) | Success | 10.10.4.60
11:00:00 UTC | system | BACKUP | 47 PLCs, 12 RTUs | Complete | 10.10.5.100
09:00:00 UTC | admin | LOGIN | 0xPlant Console | Success | 10.10.4.50
08:45:00 UTC | soc-analyst-1 | REPORT_EXPORT | Weekly vulnerability report | Success | 10.10.5.80

Users & Access Control

Role-based access control, MFA enforcement, and session management

Total Users: 24
Active Now: 12
MFA Enforced: 100%
Locked Accounts: 2
User Accounts
User | Role | Zone Access | MFA | Last Login | Status
admin | Plant Admin | All Zones | ✓ TOTP | 09:00 UTC today | Active
ot-engineer-1 | OT Engineer | L1-L3 | ✓ TOTP | 08:30 UTC today | Active
ot-engineer-2 | OT Engineer | L1-L3 | ✓ FIDO2 | 13:45 UTC today | Active
soc-analyst-1 | SOC Analyst | Read-only All | ✓ TOTP | 08:45 UTC today | Active
operator-1 | Operator | L2 HMI Only | ✓ TOTP | 06:00 UTC today | Active
netsec-1 | Network Sec | L3-DMZ | ✓ FIDO2 | Yesterday | Active
vendor-siemens | Vendor | PLC-001 Only | ✓ TOTP | 13:30 UTC today | Session Active
failed-user | OT Engineer | | | 14:21 UTC today | Locked (5 fails)
Role Permissions Matrix
PermissionAdminEngineerSOCOperatorVendor
View all assetsZoneAsset
Modify configurations✓ + CABScoped
Deploy patches✓ + CAB
Manage users
View audit log
Export reports
Remote access (JIT)✓ + Approval✓ + Recorded
Kill remote session

Configuration Backups

Automated and manual backups for PLC programs, switch configs, server images, and golden baselines

Configs Backed Up: 1,247
Backup Schedule: Daily
Last Backup Success: 100%
Encrypted: AES-256 + Offsite
Recent Backup Jobs
Time | Type | Scope | Size | Duration | Verified | Status
11:00 UTC today | Scheduled | 47 PLCs — program logic + parameters | 2.3 GB | 18 min | ✓ Checksum | Complete
11:05 UTC today | Scheduled | 12 RTUs — configuration + firmware | 890 MB | 8 min | ✓ Checksum | Complete
11:10 UTC today | Scheduled | 8 switches — running config | 12 MB | 2 min | ✓ Checksum | Complete
11:15 UTC today | Scheduled | Golden images — 6 HMIs, 4 servers | 48 GB | 45 min | ✓ Checksum | Complete
12:00 UTC yesterday | Manual | SRV-001 pre-patch snapshot | 8 GB | 5 min | ✓ Checksum | Complete
11:00 UTC yesterday | Scheduled | Full daily backup (all assets) | 62 GB | 78 min | ✓ Checksum | Complete
Backup Policy
3-2-1 Rule
3 copies, 2 media types, 1 offsite
Enforced
Encryption
AES-256 for all backup archives
Active
Restore Testing
Quarterly validation with documented results
Last: Feb 28
Air-gapped Copy
Immutable backup isolated from network
Active
Retention
Daily: 30 days · Weekly: 12 weeks · Monthly: 12 months
Enforced
Restore History
Date | Asset | Reason | RTO | Result
Feb 28 | PLC-012 | Quarterly restore test | 12 min | Success
Feb 28 | SRV-002 | Quarterly restore test | 22 min | Success
Jan 15 | HMI-005 | Ransomware recovery | 45 min | Success

Reports

Scheduled and on-demand reports for compliance audits, executive summaries, and operational reviews

Scheduled Reports
Report | Frequency | Recipients | Last Generated | Format | Status
Executive Security Summary | Weekly | CISO, CTO, Plant Manager | Mar 10 | PDF | Delivered
Vulnerability Status Report | Weekly | SOC Team, OT Engineers | Mar 10 | PDF + CSV | Delivered
Compliance Gap Report | Monthly | CISO, Compliance Officer | Mar 1 | PDF | Delivered
Asset Inventory Report | Monthly | IT Director, OT Manager | Mar 1 | PDF + XLSX | Delivered
Remote Access Audit | Monthly | CISO, HR | Mar 1 | PDF | Delivered
Patch Compliance Report | Bi-weekly | OT Engineers, IT Infra | Mar 8 | PDF + CSV | Delivered
IEC 62443 Audit Package | Quarterly | External Auditor | Jan 15 | PDF (encrypted) | Next: Apr 15
Incident Response Summary | Monthly | CISO, Legal | Mar 1 | PDF | Delivered

Integrations

API-first integration with enterprise security and IT service management platforms

Connected Platforms
Platform | Type | Protocol | Status | Last Sync
Splunk Enterprise | SIEM | Syslog + HEC | Connected | Real-time
ServiceNow ITSM | Ticketing | REST API | Connected | 5 min ago
CrowdStrike Falcon | EDR | REST API | Connected | Real-time
Azure Active Directory | IAM / SSO | SAML 2.0 | Connected | Real-time
Palo Alto Panorama | Firewall Mgmt | REST API | Connected | 15 min ago
Tenable.ot | Vuln Scanner | REST API | Degraded | 2 hours ago
PagerDuty | Alerting | Events API v2 | Connected | Real-time
Jira | Task Tracking | REST API | Connected | 10 min ago
API Access
REST API
https://api.0xplant.local/v1 — OpenAPI 3.0 spec
Active
Syslog Forwarding
UDP/TCP/TLS to 10.10.5.100:514
Active
SNMP Traps
SNMPv3 traps to NMS at 10.10.5.101
Active
Webhook Notifications
Critical alerts → Slack #ot-security + PagerDuty
Active
SAML SSO
Azure AD federation — all users
Active
LDAP Sync
Hourly sync from corp AD for user provisioning
Active