Inferensys

Glossary

Function Code Inspection

Function code inspection is the deep analysis of the specific operational command embedded within an industrial protocol packet to ensure it aligns with authorized operational parameters.
Command center environment coordinating high-volume workflows across multiple systems.
OT PROTOCOL SECURITY

What is Function Code Inspection?

A deep-packet analysis technique that validates the operational command within an industrial protocol packet against authorized parameters to prevent malicious control of physical processes.

Function code inspection is the deep analysis of the specific operational command embedded within an industrial protocol packet—such as a Modbus write request or DNP3 operate command—to ensure it aligns strictly with authorized operational parameters. Unlike simple header filtering, this technique parses the application-layer payload to validate the semantic intent of the message before it reaches a physical controller.

In a secure OT architecture, function code inspection acts as a deterministic gatekeeper, blocking unauthorized commands like a write to a protected coil or a firmware upload to a safety relay. By enforcing a protocol whitelisting policy at the function code level, operators prevent both accidental misconfigurations and targeted cyber-physical attacks that could cause equipment damage or safety shutdowns.

DEEP PROTOCOL ANALYSIS

Core Characteristics of Function Code Inspection

Function code inspection is the deep analysis of the specific operational command embedded within an industrial protocol packet to ensure it aligns with authorized operational parameters. This technique moves beyond simple header analysis to validate the semantic intent of every command.

01

Semantic Command Validation

Unlike simple port-based filtering, function code inspection parses the application-layer payload to understand the exact operation being requested. For example, it distinguishes between a Modbus Read Coils (FC01) request, which is passive, and a Write Single Coil (FC05) request, which actively changes a physical state. This allows a firewall to enforce a policy that permits a specific PLC to read data from a remote terminal unit but explicitly blocks any write commands from that same source, preventing unauthorized actuation.

02

Stateful Protocol Tracking

Advanced inspection engines maintain a state machine for each industrial session. This tracks the expected sequence of commands. A critical alert is generated if a Function Code 8 (Diagnostics) sub-function is sent to a controller that is currently in a 'Run' state, as this combination is a known technique for denial-of-service attacks against PLCs. The system understands that certain diagnostic commands are only legitimate during a maintenance window or 'Stop' mode, enforcing a temporal and state-based security policy.

03

Range and Threshold Enforcement

This technique validates the data payload associated with a write command. For a DNP3 Direct Operate (FC05) command, the system inspects the output point index and the value being written. A rule can be defined to block any command that attempts to set an analog output value outside a pre-defined safe operating range, such as a pressure setpoint exceeding a physical safety limit. This prevents malicious manipulation that stays within the correct protocol syntax but violates the physics of the industrial process.

04

Deep Packet Inspection (DPI) Engines

The core technology relies on protocol dissectors that fully decode serial-based protocols encapsulated in TCP/IP. The engine must reassemble fragmented packets and extract specific byte offsets to identify the function code. For Modbus TCP, this involves stripping the MBAP header to find the Protocol Data Unit (PDU). The inspection engine then compares the extracted function code against a dynamic whitelist, generating a Zeek conn.log entry with the specific function code metadata for threat hunting.

05

Whitelist vs. Blacklist Logic

In OT environments, a default-deny whitelist approach is standard. The inspection engine is configured with a finite list of authorized function codes per device pair. For instance, an engineering workstation may be authorized to send Code 0x2B (Read Device Identification) to a relay, but a historian server is only authorized for Code 0x01 (Read Coils). Any function code not on the explicit whitelist is blocked and flagged as an anomaly, providing immediate protection against zero-day exploits that use obscure or vendor-proprietary function codes.

06

Sub-Function Code Granularity

Mature inspection goes beyond the primary function code to analyze sub-function codes. A Modbus FC 08 (Diagnostics) command has over a dozen sub-codes. Sub-code 0x000A (Clear Counters and Diagnostic Register) is purely informational, while sub-code 0x0001 (Restart Communications Option) forces a logic re-initialization. The inspection engine must parse these two bytes to differentiate a benign status query from a disruptive command that could cause a loss of view for operators.

FUNCTION CODE INSPECTION

Frequently Asked Questions

Deep-dive answers to the most critical questions about analyzing industrial protocol commands to secure operational technology networks.

Function code inspection is the deep packet analysis technique that extracts and validates the specific operational command embedded within an industrial protocol data unit, such as a Modbus function code or DNP3 application control field. Unlike standard IT deep packet inspection that focuses on ports and payloads, this method parses the operational semantics of the packet. For example, a Modbus packet with function code 06 (Write Single Register) is inspected to verify that the target register address and the value being written fall within the authorized operational envelope for that specific asset. This context-aware validation ensures that even if a communication originates from a trusted IP address, it cannot execute a dangerous or unauthorized physical operation, such as disabling a safety interlock or modifying a critical setpoint outside of safe parameters.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.