Function code inspection is the deep analysis of the specific operational command embedded within an industrial protocol packet—such as a Modbus write request or DNP3 operate command—to ensure it aligns strictly with authorized operational parameters. Unlike simple header filtering, this technique parses the application-layer payload to validate the semantic intent of the message before it reaches a physical controller.
Glossary
Function Code Inspection

What is Function Code Inspection?
A deep-packet analysis technique that validates the operational command within an industrial protocol packet against authorized parameters to prevent malicious control of physical processes.
In a secure OT architecture, function code inspection acts as a deterministic gatekeeper, blocking unauthorized commands like a write to a protected coil or a firmware upload to a safety relay. By enforcing a protocol whitelisting policy at the function code level, operators prevent both accidental misconfigurations and targeted cyber-physical attacks that could cause equipment damage or safety shutdowns.
Core Characteristics of Function Code Inspection
Function code inspection is the deep analysis of the specific operational command embedded within an industrial protocol packet to ensure it aligns with authorized operational parameters. This technique moves beyond simple header analysis to validate the semantic intent of every command.
Semantic Command Validation
Unlike simple port-based filtering, function code inspection parses the application-layer payload to understand the exact operation being requested. For example, it distinguishes between a Modbus Read Coils (FC01) request, which is passive, and a Write Single Coil (FC05) request, which actively changes a physical state. This allows a firewall to enforce a policy that permits a specific PLC to read data from a remote terminal unit but explicitly blocks any write commands from that same source, preventing unauthorized actuation.
Stateful Protocol Tracking
Advanced inspection engines maintain a state machine for each industrial session. This tracks the expected sequence of commands. A critical alert is generated if a Function Code 8 (Diagnostics) sub-function is sent to a controller that is currently in a 'Run' state, as this combination is a known technique for denial-of-service attacks against PLCs. The system understands that certain diagnostic commands are only legitimate during a maintenance window or 'Stop' mode, enforcing a temporal and state-based security policy.
Range and Threshold Enforcement
This technique validates the data payload associated with a write command. For a DNP3 Direct Operate (FC05) command, the system inspects the output point index and the value being written. A rule can be defined to block any command that attempts to set an analog output value outside a pre-defined safe operating range, such as a pressure setpoint exceeding a physical safety limit. This prevents malicious manipulation that stays within the correct protocol syntax but violates the physics of the industrial process.
Deep Packet Inspection (DPI) Engines
The core technology relies on protocol dissectors that fully decode serial-based protocols encapsulated in TCP/IP. The engine must reassemble fragmented packets and extract specific byte offsets to identify the function code. For Modbus TCP, this involves stripping the MBAP header to find the Protocol Data Unit (PDU). The inspection engine then compares the extracted function code against a dynamic whitelist, generating a Zeek conn.log entry with the specific function code metadata for threat hunting.
Whitelist vs. Blacklist Logic
In OT environments, a default-deny whitelist approach is standard. The inspection engine is configured with a finite list of authorized function codes per device pair. For instance, an engineering workstation may be authorized to send Code 0x2B (Read Device Identification) to a relay, but a historian server is only authorized for Code 0x01 (Read Coils). Any function code not on the explicit whitelist is blocked and flagged as an anomaly, providing immediate protection against zero-day exploits that use obscure or vendor-proprietary function codes.
Sub-Function Code Granularity
Mature inspection goes beyond the primary function code to analyze sub-function codes. A Modbus FC 08 (Diagnostics) command has over a dozen sub-codes. Sub-code 0x000A (Clear Counters and Diagnostic Register) is purely informational, while sub-code 0x0001 (Restart Communications Option) forces a logic re-initialization. The inspection engine must parse these two bytes to differentiate a benign status query from a disruptive command that could cause a loss of view for operators.
Frequently Asked Questions
Deep-dive answers to the most critical questions about analyzing industrial protocol commands to secure operational technology networks.
Function code inspection is the deep packet analysis technique that extracts and validates the specific operational command embedded within an industrial protocol data unit, such as a Modbus function code or DNP3 application control field. Unlike standard IT deep packet inspection that focuses on ports and payloads, this method parses the operational semantics of the packet. For example, a Modbus packet with function code 06 (Write Single Register) is inspected to verify that the target register address and the value being written fall within the authorized operational envelope for that specific asset. This context-aware validation ensures that even if a communication originates from a trusted IP address, it cannot execute a dangerous or unauthorized physical operation, such as disabling a safety interlock or modifying a critical setpoint outside of safe parameters.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Function code inspection relies on a stack of complementary technologies to capture, parse, and validate industrial protocol commands. These related concepts form the foundation of OT protocol security.
Protocol Whitelisting
A security enforcement model that defines an explicit allowlist of permitted function codes for each device pair in the ICS network. For example, a Human-Machine Interface (HMI) may be authorized to issue Read Holding Registers (03) but blocked from executing Write Multiple Coils (15) to a PLC. Whitelisting operates on the principle of default-deny, blocking any command not explicitly authorized, which catches zero-day exploits that signature-based systems miss.
Stateful Whitelisting
An advanced evolution of protocol whitelisting that validates commands against the current operational state of the industrial process. A Write Single Register (06) command to start a pump may be permitted during normal operation but blocked if the system is in emergency stop or maintenance mode. This context-aware inspection prevents valid function codes from being exploited at dangerous moments, correlating network commands with the physical process state.
Behavioral Baseline
A statistical model of normal function code patterns established by observing ICS traffic over weeks or months. The baseline captures typical sequences—such as a PLC polling cycle that alternates between Read Discrete Inputs (02) and Read Input Registers (04) every 500ms. Deviations like an unexpected Force Single Coil (05) command or a sudden burst of write operations trigger anomaly alerts, enabling detection of compromised engineering workstations.
LSTM Sequence Models
Recurrent neural networks trained to predict the next expected function code in a SCADA communication sequence. By learning the temporal dependencies between commands—such as a Read Holding Registers (03) typically preceding a Preset Multiple Registers (16) during setpoint changes—the model flags out-of-sequence commands as potential replay attacks or unauthorized control actions. LSTMs capture long-range patterns that simple threshold-based detectors miss.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us