
Tools OT

Melvin PETIT edited this page Jun 17, 2026 · 1 revision

Tools, OT / Industrial Security

5 tools for passive industrial network monitoring, ICS/SCADA asset mapping and OT vulnerability scanning.

Deploy with ./medusa.sh deploy <name> or the interactive menu (option 4).

| Tool | Type | Role |
|---|---|---|
| malcolm | cli | OT network traffic analysis, industrial protocols (CISA) |
| grfics | vm | SCADA/ICS simulation lab |
| nmap | cli | Network mapping and industrial NSE scripts |
| openvas | docker | Network vulnerability scanner (Greenbone) |
| grassmarlin | vm | Passive ICS/SCADA network mapping (NSA) |

malcolm

CISA's network traffic analysis suite, bundling Suricata, Zeek and Arkime, with parsers for industrial protocols (Modbus, DNP3, BACnet, EtherNet/IP, S7comm).

Registered as a cli tool: Medusa clones the cisagov/Malcolm repository and installs its Python dependencies, then you drive Malcolm's own scripts:

  • Configure: python3 <dir>/scripts/install.py
  • Start: python3 <dir>/scripts/start.py

<dir> is the tool directory inside the active environment. Malcolm itself runs a large Docker stack once configured.

grfics

vm type. GRFICSv2 is a virtualized ICS/SCADA simulation lab for training and red/blue exercises. Medusa prints manual installation instructions (VM import); there is no automated deployment. Upstream: Fortiphyd/GRFICSv2.

nmap

cli. Network mapping with industrial NSE scripts. Installed via the system package manager (apt-get/yum/dnf).

  • Command: nmap
  • Examples: nmap -sV -sC <target>, nmap --script modbus-discover <target>
  • A guided sub-menu (run_nmap) offers common scan profiles.

openvas

Greenbone Community Edition vulnerability scanner. Medusa writes a multi-service compose file (gvmd, gsa, ospd-openvas, notus-scanner, redis, PostgreSQL, plus the community feed data containers).

  • URL: http://localhost:9392 — user admin, password admin (change it)
  • The feed data images intentionally track latest while the service images track stable. This is Greenbone's recommended community configuration: pinning the data images would freeze the vulnerability feed, so only the services are pinned. See Security.
  • First start is slow: the vulnerability feed must sync before scans return results.

grassmarlin

vm type. NSA's passive ICS/SCADA network mapper (a Java application). Medusa prints manual installation instructions; there is no automated deployment. Upstream: nsacyber/GRASSMARLIN.


Next: Ports-Reference · Troubleshooting
