The security of System Control and Data Acquisition (SCADA) systems is one of the most pressing subjects in industrial systems, particularly for those installations actively using the public network in order to provide new features and services. In this paper, we present an innovative approach to the design of filtering systems based on the state analysis of the system being monitored. The aim is to detect attacks composed of a set of “SCADA” commands that, while licit when considered in isolation on a single-packet basis, can disrupt the correct behavior of the system when executed in particular operating states. The proposed firewall detects these complex attacks thanks to an internal representation of the controlled SCADA system. Furthermore, we detail the design of the architecture of the firewall for systems that use the ModBus and DNP3 protocols, and the implementation of a prototype, providing experimental comparative results that confirm the validity of the proposed approach.