DEF CON 27 Blue Team Village - Norman Lundt - Extending Zeek For ICS Defense


Industrial Control System (ICS) protocols are often neglected in network security monitoring. Detecting, parsing, and finding malicious activity in them can be frustrating and time consuming. In this session we will share our experiences building detections and protocol parsers in Zeek. We will discuss how ICS protocols can be parsed with the Zeek network security monitor to hunt for malicious patterns and generate detections for your Security Information and Event Management (SIEM) tools. This talk is for those who have ICS protocols in their environments and want greater insight into ICS network traffic.

Reviewed by Anonymous on December 12, 2019