Build Your OT Toolbox: It’s Dangerous to Go Alone, So Take These Tools!

Jori VanAntwerp
CEO and Founder at EmberOT

For over two decades, Jori has enabled industrial and IT organizations to be successful in reducing risk, increasing compliance, and improving their overall security efforts. He has had the pleasure of working with companies such as Gravwell, Dragos, CrowdStrike, FireEye, McAfee, and is now CEO & Founder at EmberOT, a cybersecurity startup focused on making security a reality for critical infrastructure.

What you keep in your OT toolbox is incredibly important. One of the lesser-discussed aspects of OT/ICS defense is how important the correct tool stack is for preventing downtime and keeping operations secure.

Given the wide variance across sites, systems, and operational environments, finding the right tool for specific needs is more challenging than one might think. 

The good news is that, from the helpdesk to developers, operators, and defenders, we all share the same challenges of keeping our systems up, efficient, healthy, and safe. So it’s no surprise that a plethora of open-source tools have been designed to address these common challenges.

The bad news is that, with so many free, open source tools addressing these same challenges, it can be hard to know which tool to use when, or which one best fits your needs.

Fortunately, we are here to help light the path. It is dangerous to go alone, so take this: a curated set of community open source tools that help you see what is actually happening in your environment and start breaking through those challenges.

Every OT environment is unique. Each one is purpose-built, shaped by real operational needs, and engineered to keep critical processes running. Because of that, no single tool will be the perfect fit for everyone. The good news is that community open source gives you room to adjust and adapt many of these tools so they support your workflow as you learn.

To make things easy, we’ve grouped everything into three categories. Each one includes a quick note on the experience level usually needed, so you can choose the right place to begin and build from there.

How to Use This Guide

You do not need to learn every tool in this list. Start with one or two that match your comfort level and the challenge in front of you. Use the difficulty and OS columns as quick filters.

Whenever possible, begin in a lab, test network, or low-risk segment. Capturing and analyzing traffic is usually safe, but generating or replaying traffic can affect sensitive systems. When in doubt, check with your OT or operations team before testing new tools in production.

Tool Categories

These tools help you understand what is happening across your environment. From network activity to system behavior and defensive insight, they give you a clearer view of assets, protocols, operational patterns, and how those pieces interact, no matter the Purdue level.

Reading the Table

  • Difficulty
    • 🟢 Beginner: Good starting point if you are new to OT, networking, or security
    • 🟡 Intermediate: Best if you have used basic command-line tools or similar utilities
    • 🔴 Advanced: For users comfortable with deeper analysis, scripting, or more complex workflows
  • OS shows where the tool is most commonly used
  • 🔥 Indicates EmberOT Approved. We regularly use these tools ourselves.

Network, System, and Defensive Insight Tools

These tools will give you a clearer view of assets, protocols, operational patterns, and their interactions across your environment(s). They help you break down network traffic, identify behavior, and observe the signals that shape both operational and defensive decisions.

| Tool | 🧠 Difficulty | 💻 OS | Description & Use Case |
| --- | --- | --- | --- |
| 🔥 Security Onion | 🟡 Intermediate | Linux | A full-fledged Linux distro for network security monitoring. Bundles Zeek, Suricata, Wazuh, and the Elastic stack in one ready-to-deploy package, great for serious analysts and lab builders. |
| 🔥 Wireshark | 🟡 Intermediate | Windows, macOS, Linux | The go-to packet analyzer. Helps you dive deep into protocol behavior, decode industrial traffic, and see exactly what your PLCs and HMIs are saying. |
| Grass Marlin | 🟢 Beginner | Windows | DHS tool for passively mapping and visualizing ICS networks. It’s older but still awesome for understanding segmentation and asset layouts. |
| Malcolm | 🔴 Advanced | Linux | Network traffic analysis framework built by INL. Wraps Zeek, Suricata, and Elasticsearch into an intuitive web interface, excellent for analyzing ICS captures. |
| 🔥 tcpdump | 🟡 Intermediate | Linux, macOS | Lightweight command-line tool for capturing packets. Perfect for scripting or quick captures in production networks. |
| 🔥 tcpreplay | 🟡 Intermediate | Linux, macOS | Lets you safely replay recorded traffic for testing or validating detection rules, great for lab simulations. |
| 🔥 NetworkMiner | 🟢 Beginner | Windows, Linux | Extracts files, credentials, and host data from packet captures. Easy to use and surprisingly powerful for digital forensics and quick triage. |
| 🔥 OT PCAP Analyzer | 🟢 Beginner | Windows, macOS, Linux | Built for the OT community, this free EmberOT tool turns PCAPs into instant insights. Identify devices, protocols, and flows, no install headaches, no cost. |
| 🔥 Gravwell Community Edition | 🟡 Intermediate | Linux | Data analytics and log platform that can ingest PCAPs or Zeek logs. Great for creating dashboards or timeline reconstructions. |
| Kali Linux | 🔴 Advanced | Linux | A full penetration testing OS with hundreds of tools preloaded. Best used in isolated lab environments for ethical testing and training. |
| ICSNPP | 🔴 Advanced | Linux | CISA’s ICS protocol dissectors for Zeek. Extends Zeek to support Modbus, DNP3, S7, and more, making it perfect for deep OT traffic analysis. |
| Brim Data | 🟢 Beginner | Windows, macOS, Linux | GUI for Zeek logs and PCAPs that makes data exploration approachable. Great bridge tool for those new to packet analysis. |
| Arkime | 🔴 Advanced | Linux | High-performance full-packet capture and indexing system. Ideal for large-scale OT monitoring and forensic investigations. |
| Zeek (Core) | 🔴 Advanced | Linux, macOS | The backbone of modern network monitoring. Transforms raw packets into structured, human-readable events, widely used in both IT and OT environments. |
| Suricata | 🔴 Advanced | Linux, macOS, Windows | Network intrusion detection and monitoring engine. Ideal for rule-based alerting and integration with Security Onion or Zeek. |
| Zeek ATT&CK-Based Indicators | 🟡 Intermediate | Linux | Zeek package that maps ICS activity to ATT&CK tactics. Excellent for learning how adversary behaviors translate into observable network data. |

System & File Analysis Tools

These tools help you explore the inner workings of devices, logs, and file structures. They support troubleshooting, learning, and investigative work as you deepen your understanding of OT systems. Use these for forensics, vulnerability checks, and evaluating your OT environment’s security posture.

| Tool | 🧠 Difficulty | 💻 OS | Description & Use Case |
| --- | --- | --- | --- |
| Volatility3 | 🔴 Advanced | Windows, Linux, macOS | What some call the gold standard for memory forensics. Analyze HMI or engineering workstation memory dumps to spot malware or unexpected processes. |
| Autopsy | 🟡 Intermediate | Windows, Linux, macOS | A GUI for The Sleuth Kit that helps you dig into file systems, logs, and timelines. Great for those new to digital forensics. |
| CSET (Cyber Security Evaluation Tool) | 🟢 Beginner | Windows | DHS tool that walks you through self-assessment of your ICS/OT posture against frameworks like NIST or IEC 62443. Widely used by utilities and co-ops. |
| 🔥 ICSAP Vulnerabilities | 🟡 Intermediate | Windows, Linux | Community-driven dataset and tooling for identifying known ICS protocol and asset vulnerabilities. Useful for contextualizing risk across device types. |

Emulation & Testbed Tools

These tools let you practice, experiment, and learn in a safe space. You can model devices, simulate traffic, replay scenarios, and build intuition entirely virtually, without touching production systems.

| Tool | 🧠 Difficulty | 💻 OS | Description & Use Case |
| --- | --- | --- | --- |
| 🔥 OpenPLC | 🟢 Beginner | Windows, Linux | An open-source PLC emulator for learning ladder logic and industrial control basics. Perfect for students and lab builders. |
| MiniCPS | 🔴 Advanced | Linux | Framework for simulating cyber-physical systems. Great for researchers modeling industrial networks and process behavior. |
| GRFICS v2 | 🟡 Intermediate | Windows, Linux | Realistic ICS cyber range built on virtual machines. Lets you safely simulate attacks and defenses. |
| ICSSIM | 🟡 Intermediate | Linux | Lightweight simulation tool for control systems and network behaviors. Excellent for teaching and security research. |
| CALDERA for OT | 🔴 Advanced | Linux, macOS | MITRE’s framework for adversary emulation. Includes OT-focused plugins to safely simulate real-world attacks. |
| 🔥 Labshock | 🟡 Intermediate | Linux | Open-source OT lab automation environment for testing network security tools and responses. |
| Conpot | 🟢 Beginner | Linux | ICS/SCADA honeypot that emulates industrial devices. Fantastic for studying attacker behavior or building deception labs. |
| s7comm-fuzzer / Modbus-TCP-honeypot | 🟡 Intermediate | Linux | Protocol-specific honeypots for Modbus and Siemens S7. Great for focused detection and response testing. |
| 🔥 Industrial Security Sandbox | 🔴 Advanced | Linux | Modular research environment for cyber-physical experimentation. Useful for advanced users exploring cross-domain attacks. |
| ATT&CK Evaluations for ICS | 🟢 Beginner | Any | Framework and resources from MITRE for understanding adversary behavior in ICS. Pairs well with CALDERA or GRFICS for practice. |

Putting Your OT Toolbox to Work

The OT, technology, and security world runs on community: the people who build, fix, operate, and protect the systems and operations that keep everything moving. These open source tools come straight from that spirit. They are created by practitioners who face the same challenges you do and share the same drive to keep things running strong.

Explore them. Experiment with them. See what sparks new ideas as you grow your skills. And if you end up improving one or building something of your own, we would love to hear about it.

* This list will evolve over time as the community discovers new projects and improves existing ones. If you rely on a tool that belongs here, or you are building something you want others to try, share it with us and we may add it to a future update.