References and resources¶

Tools, documentation, and lab material to support research and hands-on analysis in the context of Anvil. This page prioritises practical investigation of OT/ICS devices, protocols, and environments over abstract compliance or vendor marketing.

Binary and firmware analysis¶

Tools for dissecting executables, firmware images, protocol handlers, and embedded artefacts. These are foundational and reused across all later stages.

• Ghidra: full reverse-engineering suite with decompiler

• radare2: low-level reverse engineering and analysis framework

• Cutter: graphical frontend for radare2

• ImHex: hex editor with pattern language for binary formats

• binspector: binary structure and filesystem inspection

Industrial protocol specifications and references¶

Authoritative protocol documentation used to understand wire formats, state machines, and implementation assumptions.

• Modbus protocol specifications

• IEC 61850 standard hub

• IEC 60870 SCADA telecontrol overview

• DNP3 protocol overview

• MQTT protocol specification

• OPC UA specifications

Cross-protocol tool collections¶

Curated collections of tools, scripts, PCAPs, and research material spanning multiple protocols and vendors. These are useful as starting points and comparison baselines.

• Awesome Industrial Protocols

• Alhasawi ICS/OT Security resources

• ICS Pentesting Tools

• Awesome ICS Security

• Awesome Industrial Control System Security

Protocol-specific tooling¶

Libraries, scanners, and test tools focused on individual OT/ICS protocols. Useful for both benign experimentation and hostile interaction.

Modbus¶

• pymodbus

• modbus-cli

Siemens S7¶

• snap7

• s7scan

OPC UA¶

• open62541

• opcua-asyncio

IEC 60870-5-104¶

• lib60870

• iec104 tools

DNP3¶

• opendnp3

MQTT¶

• mosquitto

• mqtt-pwn

Sandboxes, simulators, and testbeds¶

Controlled environments for experimentation without touching real infrastructure. These support protocol interaction, fault injection, and attack simulation.

• MiniCPS article and MiniCPS code: CPS/ICS network emulation

• ICSSIM framework article and ICSSIM code: modular ICS security simulation

• LICSTER low-cost ICS testbed article and LICSTER code– reproducible educational testbed

Operational labs, honeypots, and deception¶

Tools that model or expose realistic industrial services, often used to observe attacker behaviour or test detection logic.

• Conpot: multi-protocol ICS honeypot

• GasPot: gas station honeypot

• GridPot: power grid honeypot

• OpenPLC: open PLC runtime for lab environments

• PLCBlaster article: PLC protocol stress and test framework

Traffic captures and empirical data¶

Realistic protocol traffic is essential for understanding baseline behaviour and deviations.

• ICS protocol PCAPs and dissections

Analysis, context, and comparative reading¶

Background material that connects protocols, implementations, and real-world usage patterns.

• ICS Digest Review of industrial protocols

• INCIBE ICS protocol and network security guide (PDF)

• OPC UA security analysis (academic)