Abstract: A method includes holding multiple primitives of a communication protocol, which is used for managing a controller that controls one or more field devices in an industrial control network. Multiple scenarios are defined, each corresponding to one or more respective sequences of primitives exchanged with the controller over the industrial control network for achieving a respective user-level operation. Multiple parsing rules for deriving the sequences of primitives from the respective scenarios are further defined. A sequence of primitives that were exchanged with the controller over the industrial control network is intercepted. An attempt to reconstruct from the intercepted sequence of primitives, using the parsing rules, one or more scenarios that each corresponds to the intercepted sequence of primitives is carried out, and, in response to succeeding in reconstructing one or more scenarios, extracting user-level information from the reconstructed scenarios.

Abstract: An apparatus includes a memory and a processor. The memory is configured to store one or more backup images of code of one or more controllers that control field devices in an industrial control network, the controllers support a transaction type that returns a backup image to an engineering station. The processor is configured to communicate with the engineering station by emulating toward the engineering station a dummy controller that controls no field devices, to receive from the engineering station a request, in accordance with the transaction type, to provide a given backup image of a given controller selected from among the controllers in the industrial control network, and in response to the request, to send the given backup image to the engineering station in accordance with the transaction type.

Abstract: A method includes requesting a controller, which controls one or more field devices in an industrial control network, to report code currently used by the controller for controlling the field devices. The code reported by the controller is compared with a stored baseline version of the code, and a notification is issued upon detecting a discrepancy between the code reported by the controller and the baseline version.