Parsing

Overview

Parsing is a dependency analysis tool that appears across ot security workflows in this knowledge base. It is referenced as part of higher-level security analysis, investigation, monitoring, or validation activity rather than as an end in itself.

What It Is

Parsing is best understood as a ot-security tool in this knowledge base. Its role is conceptual and system-facing rather than procedural: it gives analysts or defenders a structured way to examine evidence, model system behavior, or reason about security state.

How It Works

Parsing works by turning technical inputs into more interpretable outputs at the system level. Across the source skills, it appears as part of larger analysis, investigation, monitoring, or validation loops rather than as a standalone end state.

Core Concepts

• SBOM
• CycloneDX
• SPDX
• NVD
• CVE
• supply chain
• dependency analysis
• syft
• grype
• supply chain security
• Modbus TCP
• SCADA

Typical Workflow

• syft alpine:latest -o cyclonedx-json > sbom-cyclonedx.json
• syft dir:/path/to/project -o spdx-json > sbom-spdx.json
• syft docker:my-app-container -o cyclonedx-json > sbom.json
• Syft supports over 30 package ecosystems including npm, PyPI, Maven, Go modules, apt, apk, and RPM. The generated SBOM includes package names, versions, licenses, CPE identifiers, and PURL (Package URL) references.
• CycloneDX JSON Structure:
• Configure network tap: Position the monitoring interface on the SPAN port mirroring the VLAN carrying Modbus TCP traffic between HMI/SCADA servers and PLCs. Verify bidirectional traffic capture with tcpdump -i eth0 port 502 -c 100 -w modbus_capture.pcap.
• Transaction Identifier (2 bytes): Matches requests to responses
• Protocol Identifier (2 bytes): Always 0x0000 for Modbus
• Length (2 bytes): Number of following bytes including Unit ID
• Unit Identifier (1 byte): Slave device address (0-247)

Use Cases

• A new regulatory requirement (EO 14028, EU CRA) mandates SBOM analysis for software deliveries
• Security team needs to assess third-party risk by scanning vendor-provided SBOMs
• CI/CD pipeline requires automated vulnerability checks against generated SBOMs
• Incident response needs to determine if a newly disclosed CVE affects deployed software
• Procurement team requires supply chain risk assessment for a software acquisition
• Vendor SBOMs may be incomplete, missing shaded/bundled JAR files that embed log4j
• SPDX and CycloneDX version differences may affect parser compatibility
• NVD API rate limits can slow analysis when scanning hundreds of components without an API key
• Monitoring OT/ICS networks for unauthorized Modbus commands targeting PLCs, RTUs, or HMIs
• Detecting reconnaissance activity such as Modbus device enumeration (function code 43, Read Device Identification)

Limitations

• Output still depends on context, data quality, and surrounding analysis.
• The tool should be interpreted as part of a broader workflow, not as a complete answer by itself.
• Capabilities and visibility vary depending on environment, integrations, and available inputs.

Related Tools

• And ASCII Modes. Used For Building Custom Modbus Clients, And Exception Responses., And Exporting Specific Fields For Analysis., And Historian. Used For Testing Detection Rules Against Realistic SCADA Traffic., And Object Retrieval, And Policy Enforcement, And Register Data In Captured Packets., And Simulating Master Slave Communication In Test Environments.

Sources

• analyzing-sbom-for-supply-chain-vulnerabilities
• monitoring-scada-modbus-traffic-anomalies
• processing-stix-taxii-feeds