protocols

ICS Protocols

Developed as a community asset

General / Miscellaneous Releases

• ICS System Ports List - This is a list of common ICS tcp/udp ports.
• PoC 2013 SCADA Release - Power of Community 2013 conference special release of ICS/SCADA toolkit
• Industrial Control Systems Network Protocol Parsers (ICSNPP) - DHS CISA Industrial Control Systems protocol parsers plugins for the Zeek network security monitoring framework

AMI

• Termineter - c1218 powermeter emulator

BACnet

• BACpypes - BACpypes provides a BACnet application layer and network layer written in Python for daemons, scripting, and graphical interfaces.
• zeek plugin bacnet - BACnet Zeek Plugin from Amazon
• yet another zeek plugin bacnet - BACnet Zeek Plugin by Aaron Heller + SANS whitepaper
• ICSNPP Bacnet for Zeek - DHS CISA Bacnet parser for Zeek

Bristol Standard Asynchronous Protocol (BSAP)

• ICSNPP BSAP IP for Zeek - DHS CISA BSAP over IP plugin for Zeek
• ICSNPP BSAP Serial for Zeek - DHS CISA BSAP over Serial plugin for Zeek

DNP3

Protocol Implementation

• OpenDNP3 - Opendnp3 is the de facto reference implementation of IEEE-1815 (DNP3) provided under the Apache License.
• DNP3 Simulator - Graphical DNP3 Master/Outstation simulator
• PIFaceRTU - Opendnp3 running on a Raspberry Pi with Piface I/O board
• LangSec DNP3 Parser - Parsing DNP3 using parser combinators in C.
• Proxyd - TCP Proxy for testing hammer based parsers (such as the DNP3 parser above)
• ICSNPP DNP3 for Zeek - DHS CISA DNP3 logging extensions to Zeek

Traffic Generation

• DNP3 Traffic Generation - OpenDNP3-based traffic generation that can take a profile of traffic, apply scriptable variation, and result in output of DNP3 traffic matching that profile.

Fuzzing

• AEGIS Fuzzer - Aegis™ is a smart fuzzing framework for a growing number of protocols that can identify robustness and security issues in communications software before it is deployed in a production system. [commercial] Early Open Source version is mirrored here: Open-Source.

Ethernet/IP and CIP

• EtherNet/IP+CIP dissector for Scapy - a Python library which can be used to interact with components of a network using ENIP (Ethernet/IP) and CIP (Common Industrial Protocol) protocols. It uses scapy to implement packet dissectors which are able to decode a part of the network traffic. These dissectors can also be used to craft packets, which allows directly communicating with the PLCs (Programmable Logic Controllers) of the network. Use case
• Scapy implementation of DLR (Device Level Ring) protocol
• Zeek implementation for ethernet/ip - This repository contains the necessary files in order to inspect Ethernet/IP and Common Industrial Protocol packets with Zeek.
• CPPPO - Communications Protocol Python Parser and Originator (EtherNet/IP CIP implementation) - Cpppo is used to implement binary communications protocol parsers. The protocol’s communication elements are described in terms of state machines which change state in response to input events, collecting the data and producing output data artifacts.
• pycomm - pycomm is a package that includes a collection of modules used to communicate with PLCs. At the moment the first module in the package is ab_comm. ab_comm is a module that contains a set of classes used to interface Rockwell PLCs using Ethernet/IP protocol. The "clx" class can be used to communicate with Compactlogix, Controllogix PLCs The "slc" can be used to communicate with Micrologix or SLC PLCs
• pyCIP - CIP protocol implementation in Python3
• zeek plugin enip - EthernetIP Zeek Plugin from Amazon
• ICSNPP ENIP and CIP for Zeek - DHS CISA ENIP and CIP plugin for Zeek

IEC 104

• IEC Server - Software to simulate server side of systems using a telecontrol message Protocol specified in the IEC 60870-5. Original website http://area-x1.lima-city.de is down, so this has been mirrored.
• OpenMRTS - MRTS is an attempt to create open source IEC 870-5-101/104 based components for telecontrol and supervisory systems and to become a complete solution in future.
• QTester104 - This software implements the IEC60870-5-104 protocol (client side) for substation data acquisition and control via tcp/ip network using the QT UI Framework. It can be compiled on Linux and Windows platforms. It's possible to poll and view data from the substation system (RTU/concentrator) and also send commands.
• lib60870 - Implements IEC 60870-5-104 protocol.

IEC 61850

Protocol Implementation

• libIEC61850 - open source library for IEC 61850.
• rapid61850 - Rapid-prototyping protection and control schemes with IEC 61850

Tools

• IEDScout - IEDScout provides access to 61850-based IEDs and can simulate entire Ed. {1,2} IEDs. Specifically, IEDScout lets you look inside the IED and at its communication. All data modeled and exchanged becomes visible and accessible. Additionally, IEDScout serves numerous useful tasks, which could otherwise only be performed with dedicated engineering tools or even a functioning master station. IEDScout shows an overview representing the typical workflow of commissioning, but also provides detailed information upon request. [commercial] Free 30 day evaluation license.

Traffic Generation

• IEC 61850 Toolchain - This toolchain aims to enable users (e.g., power grid operators) to easily create customized datasets for the validation of cybersecurity solutions for IEC 61850 communication-based substations. This toolchain processes different inputs (e.g., substation configurations, attack configurations, and simulation settings) and carries out the necessary processing steps needed for generating the customized datasets. This toolchain is basing on an open source project libIEC61850.

IEEE C37.118

Protocol Implementation

• C37.118-2005 Spec -- C37.118-2005 (deprecated). Note, this is a paid IEEE spec
• C37.118-2011 Spec -- C37.118-2011 (current). Note, this is a paid IEEE spec
• pyMU - Python C37.118-2011 parser
• pyPMU - WIP Python implementation
• Wireshark Dissector - Implemented C37.118 wireshark dissector
• Grid Solutions Framework C37.118 - GSF implementation (.net)
• LangSec C37.118 Parser - LangSec based C37.118 parser

Tools

• pyMU - Python C37.118-2011 parser
• pyPMU - WIP Python implementation
• PMU Connection Tester - Full fledged PMU connection tester, speaking c37.118 amongst many other synchrophasor protocols

LoRaWAN

Tools

• chirpotle - A LoRaWAN Securiy Evaluation Framework

Modbus

Protocol Implementation

• pyModBus - A full modbus protocol written in python.
• Modbus for Go - Fault-tolerant implementation of modbus protocol in Go (golang)
• ModbusPal - ModbusPal is a MODBUS slave simulator. Its purpose is to offer an easy to use interface with the capabilities to reproduce complex and realistic MODBUS environments. Mirror available here.
• SMOD - MODBUS Penetration Testing Framework. smod is a modular framework with every kind of diagnostic and offensive feature you could need in order to pentest modbus protocol. It is a full Modbus protocol implementation using Python and Scapy. (mirrored as original source is now gone)
• mbtget - A simple modbus/TCP client write in pure Perl.
• ICSNPP Modbus for Zeek - DHS CISA Modbus extensions to logging for Zeek

Traffic Generation

• Modbus Traffic Generation - pyModbus-based traffic generation that can take a profile of traffic, apply scriptable variation, and result in output of Modbus traffic matching that profile.

Fuzzing

• AEGIS Fuzzer - Aegis™ is a smart fuzzing framework for a growing number of protocols that can identify robustness and security issues in communications software before it is deployed in a production system. [commercial] Early Open Source version is mirrored here: Open-Source.

OPC UA

Protocol Implementation

• OPC UA .Net Standard - Official OPC UA .Net Standard Stack and Samples from the OPC Foundation
• OPC UA Client GUI - A simple OPC-UA GUI client.
• OPC UA Server Simulator - Simulate real-time and historical data using OPC UA Server Simulator.
• OPC UA Server and Client C++ Libraries - LGPL OPC-UA server and client library written in C++ and with a lot of code auto-generated from xml specification using python.

OpenADR

Protocol Implementation / Tools

• OpenADR 2.0a VEN Python - EnerNOC Open Source Python OpenADR 2.0a VEN client implementation
• EPRI OpenADR VTN Implementation - OpenADR 2.0 Profile Specification B Profile for virtual top node implementation.
• OpenADR Java Implementation - OpenADR minimal VEN / VTN 2.0a / 2.0b skeleton implementations in Java
• Node-Red Implementation - Node-Red OADR2 VEN Implementation w/ HTTP transport

PROFINET

Protocol Implementation

• Profinet - Python - Simple PROFINET implementation in python
• Profinet - C - PROFINET implementation in C
• Profinet Explorer - Simple PROFINET explorer written in C#
• zeek plugin Profinet - PROFINET Zeek Plugin from Amazon

Fuzzing

• ProFuzz - Simple PROFINET fuzzer based on Scapy

SEL Fast Message

• Wireshark Dissector - SEL Fast Message - Wireshark Dissector for SEL Fast Message
• Grid Solutions Framework SEL Fast Message - GSF implementation (.net)
• SEL Applications Guides - Look up AG95-10 and AG2002-14 product codes.
• SELProtoPy - Schweitzer Engineering Laboratories (SEL) Protocol Bindings in Python. Implements SEL Fast Meter, Fast Message, and Fast Operate.

Siemens S7

• Snap7 - open source Siemens S7 communication library.
• LibNoDave - Another (less complete) open source communication library for the S7 protocol.
• S7comm - open source Wireshark dissector plugin for the Siemens S7 protocol.
• Python Snap7 Wrapper - A Python wrapper for the snap7 PLC communication library
• Zeek-IDS S7 Protocol Parser - S7 protocol parser for Zeek IDS
• zeek plugin s7 - S7 Zeek Plugin from Amazon
• SPPA S7 Data port dissector - SPPA-T3000 Automation server (PLC) dissector + whitepaper by Kaspersky Security Services team

SSP21

• SSP21 - Specification - SSP21 specification
• SSP21 - C++ - SSP21 reference implementation in C++
• SSP21 - Rust - SSP21 core library in Rust

TriStation

• FireEye TriStation Wireshark Dissector - reverse engineered wireshark dissector from Mandiant/FireEye team after Triton discovery.
• Nozomi TriStation Wireshark Dissector - another TriStation dissector, this time from Nozomi, also incldues pcap, and basic honeypot simulator.

Zigbee

• Killerbee - IEEE 802.15.4/ZigBee Security Research Toolkit.

General Protocol Fuzzing

• AFL - American fuzzy lop is a security-oriented fuzzer that employs a novel type of compile-time instrumentation and genetic algorithms to automatically discover clean, interesting test cases that trigger new internal states in the targeted binary.

• WinAFL - AFL that works for Windows binaries.

(creative commons license)