From my engineering practice and the real needs of industry, I developed my own tool: a portable, purely passive appliance you attach to a plant network for security and compliance audits. It automatically discovers all devices, monitors industrial traffic, reports anomalies in plain language — and delivers the finished audit evidence. Entirely on-premise, no cloud.
In consulting, I keep seeing the same fundamental problem: before anyone can talk about measures, compliance or architecture, the foundation is missing — a complete, reliable picture of what actually exists in the OT network and what communicates with what. Classic IT tools don't fit, because they can cause damage in a production plant. So, as an engineer, I built my own tool that closes exactly this gap.
Active scans are taboo in OT — any intervention in the network can disrupt a controller or trigger a plant shutdown. At the same time, IEC 62443 and NIS2 require a complete asset inventory and demonstrable risk management. Many companies face exactly this contradiction: they're expected to create visibility but must not touch the plant while doing so.
An appliance that only listens: it receives a copy of the network traffic via a SPAN port and the log messages from firewalls, switches and servers. From this pure listening it builds a complete operational picture: devices, communication relationships, vulnerabilities, anomalies. It sends nothing into the OT network itself and technically cannot disrupt production.
The box only listens and never sends packets into the OT network. It technically cannot disrupt, block or trigger production — the most important principle in any plant.
No cloud backend, no phone-home. All data stays in the plant. Internet is only optional, to update vulnerability and threat lists — and even that works offline.
One automatic inventory, one finished PDF report, targeted audit preparation — usable for IEC 62443, NIS2, TISAX and other frameworks at the same time.
Presentable evidence at the push of a button: executive summary, incidents, critical alerts, MITRE overview and zone status — instead of days of manual work in Excel.
Understands the industrial language of machines (Modbus, S7, EtherNet/IP, DNP3 …), detects process anomalies and maps every device to the Purdue model — not just the surrounding IT traffic.
Not a competitor to existing security systems, but the OT supplier: the box forwards its findings to the central SIEM via Syslog, CEF, LEEF or webhook.
Every single observation passes through the same chain. That's the core: a raw event becomes, step by step, an understandable, classified incident — enriched with asset role, open vulnerabilities and threat context.
Different log formats are translated into a unified event (normalization).
Baseline (what's normal?), rules (what's forbidden?) and process anomalies check every event.
Anything notable becomes an alert — with asset role, vulnerabilities, threat matches and priority.
Related alerts are bundled into an incident and mapped to MITRE ATT&CK for ICS.
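The four-step chain above (normalize, check, alert, incident), as an added illustration in Python; it is not the appliance's code. The asset register, baseline, zone rule, log lines and the single technique mapping (T0843, Program Download, from ATT&CK for ICS) are constructed for the example.

```python
import re
from collections import defaultdict
# Constructed asset register (role and Purdue zone per IP) and a learned baseline of known pairs.
ASSETS = {"10.0.1.10": {"role": "PLC", "zone": "L1"},
          "10.0.2.20": {"role": "engineering workstation", "zone": "L2"},
          "10.0.9.30": {"role": "office PC", "zone": "L4"}}
BASELINE = {("10.0.2.20", "10.0.1.10")}
WRITE_OPS = {"write", "program_download"}
WRITE_FORBIDDEN_FROM = {"L3", "L4"}  # constructed rule: no writes into controllers from these zones
ICS_TECHNIQUE = {"program_download": "T0843"}  # ATT&CK for ICS: Program Download

def normalize(line):
    """Step 1: translate a syslog-style (fc=) or CEF-style (act=) line into one unified event."""
    m = re.search(r"src=(\S+) dst=(\S+) (?:fc|act)=(\w+)", line)
    if not m:
        raise ValueError("unknown log format: " + line)
    return {"src": m.group(1), "dst": m.group(2), "op": m.group(3)}

def check(ev):
    """Step 2: baseline (is it normal?) and rules (is it forbidden?); returns the reasons."""
    reasons = []
    if (ev["src"], ev["dst"]) not in BASELINE:
        reasons.append("not in baseline")
    zone = ASSETS.get(ev["src"], {}).get("zone", "unknown")
    if ev["op"] in WRITE_OPS and zone in WRITE_FORBIDDEN_FROM:
        reasons.append(f"{ev['op']} into controller from zone {zone}")
    return reasons

def to_alert(ev, reasons):
    """Step 3: enrich the notable event with the target's asset role and a priority."""
    role = ASSETS.get(ev["dst"], {}).get("role", "unknown")
    priority = "high" if ev["op"] in WRITE_OPS else "medium"
    return {**ev, "dst_role": role, "reasons": reasons, "priority": priority}

def run(lines):
    """Step 4: bundle alerts per target asset into incidents tagged with ATT&CK for ICS."""
    incidents = defaultdict(list)
    for line in lines:
        ev = normalize(line)
        reasons = check(ev)
        if reasons:
            incidents[ev["dst"]].append(to_alert(ev, reasons))
    return [{"asset": dst, "alerts": alerts,
             "attack_ics": sorted({ICS_TECHNIQUE[a["op"]] for a in alerts if a["op"] in ICS_TECHNIQUE})}
            for dst, alerts in incidents.items()]

SAMPLE_LOGS = [  # constructed: one normal read, then a download and a write from the office zone
    "Mar 1 02:14:05 otsensor modbus src=10.0.2.20 dst=10.0.1.10 fc=read",
    "Mar 1 02:14:09 otsensor s7comm src=10.0.9.30 dst=10.0.1.10 fc=program_download",
    "CEF:0|fw|ngfw|1|100|allowed|3|src=10.0.9.30 dst=10.0.1.10 act=write",
]
```

Running `run(SAMPLE_LOGS)` yields one incident against the PLC with two high-priority alerts and the technique tag T0843; the baselined read produces nothing.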
The appliance bundles several specialized modules — each a distinct perspective on the same passively captured data.
The automatic register of all devices on the network — the basis of every audit. Devices are detected and added from every event, manageable with zone, criticality and owner.
An interactive map: who talks to whom? Switchable to the Purdue model view. Forbidden zone crossings are instantly highlighted in red — the classic in any OT audit.
The view into the industrial language of machines. Detects protocols and function codes — such as read versus write commands to a controller, or program downloads on the network.
OT-specific anomalies directly at the production process: sudden standstill, slow drift, activity outside shift hours or a reading outside the permitted range.
Detected products are matched against the official CVE database and the "actively exploited" list (CISA KEV) — prioritized by actual risk.
The finished evidence as a PDF at the push of a button — with executive summary, incidents, MITRE overview and zone status. Deliberately contains only substantiated facts, no estimates.
OT networks produce enormous amounts of data — but hardly any plant can (or wants to) capture everywhere. Deep visibility across every switch, every controller and every protocol means expensive sensors, elaborate deep packet inspection and intervention in the plant. Reality looks different: one site has a firewall, the next only a switch, the third a few NetFlow exporters. What remains are blind spots — and the question "what is this device, really, and what does this connection do?" goes unanswered. FlowSR turns this around: instead of demanding more data, the model extracts from the coarse, widely available information — bytes, duration, direction, port, MAC, hostname — exactly the properties you'd otherwise only see with expensive deep analysis.
The principle: maximum from minimum. Tangible value from the very first data source — and the leverage is greatest exactly where the least is available.
Is this a PLC, an HMI, a historian, an engineering workstation or a network device? — recognized by its communication fingerprint.
Does a connection probably read, write, download a program or send a control command?
Cyclic control, bulk transfer, request/response or data stream — independent of the port used.
Is there an automated process behind a connection, or a human at the keyboard?
A bare connection becomes an understandable classification — e.g. "probably engineering workstation → PLC, program download, manual, outside shift hours — worth checking". Without new hardware, without cloud, without intervention in production.
FlowSR makes everything existing smarter. The appliance's baseline, rule and process-anomaly engines know what's normal and what's suspicious — FlowSR adds the missing semantic layer on top and says what a device is and what a flow does. So "a connection is unusual" becomes a prioritizable "write access to a suspected PLC".
It enriches the network map by role, adds context and blast radius to alerts and incidents, and enables role-aware baselining — for instance when a PLC that normally only responds suddenly starts initiating connections itself. Same ingest, opt-in, no additional infrastructure.
In short: FlowSR turns what you already capture anyway into a complete operational picture — cheap to start, immediately useful, and better with every confirmation.
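A simplified, rule-based stand-in for the FlowSR idea described above (role, intent, pattern and automated-versus-manual from coarse flow features, plus the role-aware baseline check), added here as an illustration; it is not the product's model, which the page describes as learned. The flow fields, ports, thresholds, hostnames and sample flows are constructed.

```python
from collections import Counter, namedtuple

# Coarse flow record only: no payload, no deep packet inspection (constructed format).
Flow = namedtuple("Flow", "src dst dst_port bytes_out bytes_in duration_s packets hour")
OT_PORTS = {502: "Modbus", 102: "S7", 44818: "EtherNet/IP", 20000: "DNP3"}
SHIFT_HOURS = range(6, 22)  # constructed shift window 06:00-22:00
ROLE_HINTS = (("eng", "engineering workstation"), ("hist", "historian"), ("hmi", "HMI"), ("plc", "PLC"))
def guess_role(host, initiated, answered):
    """Role from a hostname hint, else from the direction fingerprint on OT ports."""
    for hint, role in ROLE_HINTS:
        if hint in host.lower():
            return role
    return "PLC" if answered and not initiated else "unknown"
def intent(f):
    """Read, write or program download, guessed from byte asymmetry on an OT port."""
    if f.dst_port not in OT_PORTS:
        return "non-OT"
    ratio = f.bytes_out / max(f.bytes_in, 1)
    if f.bytes_out > 100_000 and ratio > 10:
        return "program download"
    return "write" if ratio > 2 else "read"
def pattern(f):
    """Traffic shape independent of the port: bytes per packet and packet rate."""
    bpp = (f.bytes_out + f.bytes_in) / max(f.packets, 1)
    if f.duration_s >= 300 and f.packets / f.duration_s >= 0.5 and bpp < 200:
        return "cyclic control"
    return "bulk transfer" if bpp >= 500 else "request/response"
def actor(f):  # long-lived steady flows look automated, short sessions look manual
    return "automated" if f.duration_s >= 300 and f.packets / f.duration_s >= 1 else "manual"
def infer_roles(flows, hosts):
    """Who initiates and who answers on OT ports, combined with hostname hints."""
    init = Counter(f.src for f in flows if f.dst_port in OT_PORTS)
    ans = Counter(f.dst for f in flows if f.dst_port in OT_PORTS)
    ips = {f.src for f in flows} | {f.dst for f in flows}
    return {ip: guess_role(hosts.get(ip, ""), init[ip], ans[ip]) for ip in ips}
def describe(f, roles):  # the plain-language classification for one flow
    parts = [f"probably {roles[f.src]} -> {roles[f.dst]}", intent(f), pattern(f), actor(f)]
    if f.hour not in SHIFT_HOURS:
        parts.append("outside shift hours")
    return ", ".join(parts)
def role_anomalies(flows, roles):  # role-aware baseline: a PLC answers, it does not initiate
    return [f"{f.src} (PLC) initiated a connection to {f.dst}" for f in flows if roles[f.src] == "PLC"]

# Constructed sample: an overnight S7 download, an hour of HMI polling, and a PLC reaching out.
SAMPLE_HOSTS = {"10.0.2.20": "eng-ws-01", "10.0.2.30": "hmi-line1", "10.0.1.10": "plc-line1"}
SAMPLE_FLOWS = [
    Flow("10.0.2.20", "10.0.1.10", 102, 250_000, 4_000, 30.0, 400, 2),
    Flow("10.0.2.30", "10.0.1.10", 502, 120_000, 118_000, 3600.0, 7200, 10),
    Flow("10.0.1.10", "10.0.9.30", 445, 2_000, 500, 5.0, 12, 11),
]
```

For the first sample flow, `describe` returns "probably engineering workstation -> PLC, program download, bulk transfer, manual, outside shift hours"; `role_anomalies` flags the third flow because the PLC initiates it.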
A box that sits in the sensitive OT network must itself meet the highest standards. That was part of the design from the start.
The box never sends packets into the OT network and technically cannot disrupt production.
No cloud backend, no phone-home. All data stays entirely in the plant.
Role-based login (RBAC), API tokens and a complete audit log of every single action.
Learned estimates are clearly marked, trigger no alarms and don't appear in the report.
I'd be glad to show the appliance in a live demonstration and discuss how passive OT visibility translates concretely to your environment.
The appliance is an ongoing in-house development and demonstrates my technical approach to OT security. It does not replace an established platform product but embodies the principles — passive, on-premise, transparent — that underpin my consulting.