arxiv: 2605.22590 · v1 · pith:4C3TYBY5new · submitted 2026-05-21 · 💻 cs.CR

Building an Open Source Operational Technology Pentesting Platform: Lessons from LINICS

Pith reviewed 2026-05-22 04:49 UTC · model grok-4.3

classification 💻 cs.CR
keywords operational technology · pentesting · industrial control systems · open source · security platform · OT security · critical infrastructure · LINICS

The pith

LINICS provides the first open-source platform for pentesting operational technology that controls industrial systems.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper shows that IT security teams rely on open-source tools like Kali Linux while OT environments that run industrial control systems have no equivalent. The authors describe how they designed, built, and released LINICS to close this gap by adapting pentesting methods to OT constraints. A sympathetic reader would care because these systems manage power, manufacturing, and other critical processes where security failures carry physical risks. The work supplies concrete architectural decisions and release lessons so others can create or extend similar tools. This positions LINICS as a practical starting point rather than a finished product.

Core claim

The authors built and released LINICS as an open-source platform for OT pentesting and security analysis, directly addressing the absence of Kali-like resources for the operational technology that underpins industrial control systems.

What carries the argument

LINICS, the open-source platform that adapts and packages pentesting capabilities specifically for OT environments and industrial control system constraints.

If this is right

  • Security analysts gain a freely available starting point for testing OT devices and protocols.
  • Industrial control system operators can perform in-house security assessments using open tools.
  • Future OT platforms can reuse the reported architecture and avoid documented pitfalls.
  • Community contributions may expand LINICS coverage of specific industrial protocols.
  • Critical infrastructure protection improves through wider access to OT-focused pentesting methods.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Widespread use of LINICS could surface common OT vulnerabilities that closed tools have overlooked.
  • The platform may serve as a testbed for integrating new OT security standards as they emerge.
  • Real-world deployment feedback could refine the lessons into more general design principles for OT tooling.
  • Comparison projects between LINICS and proprietary OT solutions would clarify relative strengths.

Load-bearing premise

The architectural choices and lessons from building LINICS will transfer usefully to other OT teams and environments without extra validation or comparison.

What would settle it

A follow-up study or case report in which teams attempting to replicate the LINICS approach produce ineffective tools or report that the published lessons do not apply in their OT settings.

Original abstract

Information Technology (IT) security professionals have ready access to open-source platforms such as Kali Linux. But no such platform exists for Operational Technology (OT) that underpins Industrial Control Systems. We discuss experiences of architecting, building and releasing LINICS, an open-source platform for OT pentesting and security analysis.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper claims that while IT security professionals have access to open-source platforms like Kali Linux, no equivalent exists for Operational Technology (OT) underpinning Industrial Control Systems. It describes the authors' experiences in architecting, building, and releasing LINICS as an open-source OT pentesting and security analysis platform, with the goal of sharing architectural decisions and lessons learned.

Significance. If the described architectural choices and lessons generalize, the work could help address a documented tooling gap in OT/ICS security by lowering barriers to pentesting and analysis. The manuscript's value lies in its practical, experience-based guidance rather than novel algorithms or theorems; however, the lack of quantitative benchmarks or comparative evaluations means the significance is primarily as a starting point for community adoption rather than a validated contribution.

major comments (2)
  1. [§3 and §4] §3 (Architecture) and §4 (Implementation): The central claim that LINICS provides a unified platform filling the OT gap rests on specific component selections and integration decisions, yet the manuscript offers no protocol coverage metrics, false-positive rates on standard ICS testbeds (e.g., those referenced in related work), or direct comparisons to ad-hoc tool combinations. This absence makes it difficult to assess whether the choices demonstrably outperform existing approaches.
  2. [§5] §5 (Lessons Learned): The transferable lessons are presented as generalizable insights from the release process, but without adoption metrics, user feedback, or validation against other OT environments, they remain author-specific anecdotes. This is load-bearing for the paper's contribution claim, as the abstract positions the experiences as useful guidance.
minor comments (2)
  1. [Abstract and §1] The abstract and introduction could more explicitly state the scope (e.g., supported protocols and target ICS environments) to help readers assess applicability.
  2. [§3] Figure captions and diagrams in the architecture section would benefit from clearer labeling of data flows and security boundaries to improve readability for practitioners.

Simulated Author's Rebuttal

2 responses · 1 unresolved

Thank you for the referee's constructive report. We address the major comments point by point below, clarifying the scope of the work as an experience report on platform development and release rather than a benchmarked evaluation study. Partial revisions have been incorporated to improve clarity on limitations.

Point-by-point responses
  1. Referee: [§3 and §4] §3 (Architecture) and §4 (Implementation): The central claim that LINICS provides a unified platform filling the OT gap rests on specific component selections and integration decisions, yet the manuscript offers no protocol coverage metrics, false-positive rates on standard ICS testbeds (e.g., those referenced in related work), or direct comparisons to ad-hoc tool combinations. This absence makes it difficult to assess whether the choices demonstrably outperform existing approaches.

    Authors: We acknowledge the absence of quantitative metrics such as protocol coverage or false-positive rates. The manuscript's contribution centers on documenting architectural decisions and the open-source release process for an OT platform, analogous to how Kali Linux is presented in the literature, rather than on empirical performance comparisons. Rigorous benchmarking on live ICS testbeds raises substantial safety, access, and ethical barriers that were outside the intended scope. We have added a new limitations paragraph to Section 4 that explicitly discusses these constraints and invites community-driven evaluations on standard testbeds.

    revision: partial

  2. Referee: [§5] §5 (Lessons Learned): The transferable lessons are presented as generalizable insights from the release process, but without adoption metrics, user feedback, or validation against other OT environments, they remain author-specific anecdotes. This is load-bearing for the paper's contribution claim, as the abstract positions the experiences as useful guidance.

    Authors: Section 5 reports lessons derived directly from the authors' experiences during architecture, implementation, and public release. We agree that broader validation would be valuable; however, the platform was only recently made available, so adoption metrics and external user studies are not yet feasible. We have revised Section 5 to frame the lessons more explicitly as preliminary, experience-based guidance, to note their author-specific origin, and to identify collection of community feedback as planned future work.

    revision: partial

standing simulated objections not resolved
  • Quantitative adoption metrics and external validation studies, which cannot be supplied until sufficient time has passed since the public release.

Circularity Check

0 steps flagged

No circularity: purely descriptive experience report with no derivations or fitted quantities

Full rationale

The manuscript is an experience report on architecting, building, and releasing the LINICS open-source OT pentesting platform. It contains no equations, no parameter fitting, no predictions of new quantities, no uniqueness theorems, and no deductive chain that could reduce to its own inputs by construction. Claims rest on the authors' direct development experiences rather than any self-referential or fitted structure. This matches the default expectation of no significant circularity for non-deductive papers.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

This is an engineering experience report on platform development rather than a theoretical or empirical study; it introduces no free parameters, mathematical axioms, or invented scientific entities.


Awais Rashid is the architect and lead developer of LINICS at Hacktonics Ltd. Co...