#!/bin/bash
#========================================
# Industrial Network Security Assessment Tool
# Based on IEC 62443 Standards
#========================================
# Colors — ANSI escapes used by check_item and the final risk rating.
# They are kept as literal backslash sequences and expanded by echo -e.
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m' # No Color (reset)

# Opening banner. Quoted delimiter: nothing inside is expanded.
cat <<'BANNER'

========================================
Industrial Network Security Assessment
Based on IEC 62443 Standards
========================================

BANNER

# Result counters; check_item increments them, the report reads them.
TOTAL_CHECKS=0 PASSED=0 FAILED=0 WARNING=0 NA=0
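# Function to check and record result
#######################################
# Quote one value as a CSV field (RFC 4180 style): wrap it in double quotes
# and double any embedded double quote. Without this, a question such as
# "…model, firmware version, and location?" or a note containing a comma
# splits into extra columns and corrupts the findings file.
# Arguments: $1 - raw field value
# Outputs:   the quoted field on stdout (no trailing newline)
#######################################
csv_field() {
  local dq='"'
  local value=${1//$dq/$dq$dq}
  printf '"%s"' "$value"
}

#######################################
# Append one finding row to the findings CSV.
# The Severity column is deliberately left unquoted so the report's
# `grep "^FAIL"` / `grep "^WARNING"` filters keep working.
# NOTE(review): notes are stored verbatim; if the CSV is later opened in a
# spreadsheet, cells starting with = + - @ may be treated as formulas.
# Arguments: $1 - severity (FAIL or WARNING), $2 - category, $3 - item text,
#            $4 - notes, $5 - path of the findings CSV
#######################################
record_finding() {
  local severity=$1 category=$2 item=$3 notes=$4 file=$5
  printf '%s,%s,%s,%s\n' "$severity" "$(csv_field "$category")" \
    "$(csv_field "$item")" "$(csv_field "$notes")" >> "$file"
}

#######################################
# Ask the assessor for the status of one checklist item and record it.
# Globals:   TOTAL_CHECKS, PASSED, FAILED, WARNING, NA - incremented
#            RED, GREEN, YELLOW, BLUE, NC - read, console colours
#            FINDINGS_FILE - read; findings CSV path
#                            (default: assessment_findings.csv)
# Arguments: $1 - category label, $2 - question, $3 - requirement reference
# Outputs:   prompts and the chosen status on stdout; FAIL and WARNING
#            results (including invalid choices) are appended to the CSV
# Returns:   0
#######################################
check_item() {
  local category=$1
  local question=$2
  local requirement=$3
  local findings=${FINDINGS_FILE:-assessment_findings.csv}
  local choice notes

  echo ""
  # %b expands the colour escapes; %s prints the text without interpretation.
  printf '%b[%s]%b %s\n' "$BLUE" "$category" "$NC" "$question"
  echo "Requirement: $requirement"
  echo ""
  echo "Status:"
  echo " 1) Pass (✓)"
  echo " 2) Fail (✗)"
  echo " 3) Warning (⚠)"
  echo " 4) N/A"
  # -r keeps any backslash the assessor types literal.
  read -r -p "Enter choice [1-4]: " choice
  TOTAL_CHECKS=$((TOTAL_CHECKS + 1))
  case "$choice" in
    1)
      printf '%b✓ PASS%b\n' "$GREEN" "$NC"
      PASSED=$((PASSED + 1))
      ;;
    2)
      printf '%b✗ FAIL%b\n' "$RED" "$NC"
      FAILED=$((FAILED + 1))
      read -r -p "Enter finding/notes: " notes
      record_finding FAIL "$category" "$question" "$notes" "$findings"
      ;;
    3)
      printf '%b⚠ WARNING%b\n' "$YELLOW" "$NC"
      WARNING=$((WARNING + 1))
      read -r -p "Enter finding/notes: " notes
      record_finding WARNING "$category" "$question" "$notes" "$findings"
      ;;
    4)
      echo "N/A"
      NA=$((NA + 1))
      ;;
    *)
      echo "Invalid choice, marking as FAIL"
      FAILED=$((FAILED + 1))
      # Record the row too, so the CSV agrees with the FAILED counter.
      record_finding FAIL "$category" "$question" \
        "Invalid status entry: '$choice'" "$findings"
      ;;
  esac
}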
# Initialize findings file (header row; check_item appends the rows).
printf '%s\n' "Severity,Category,Item,Notes" > assessment_findings.csv

#######################################
# Print a section banner, then put every question/requirement pair through
# check_item under one category label.
# Arguments: $1 - banner title, $2 - category label,
#            remaining arguments - question, requirement, question, ...
# Outputs:   banner on stdout; everything else comes from check_item
#######################################
run_section() {
  local title=$1 category=$2
  shift 2
  echo ""
  echo "========================================"
  echo "$title"
  echo "========================================"
  while (( $# >= 2 )); do
    check_item "$category" "$1" "$2"
    shift 2
  done
}

run_section "SECTION 1: ASSET INVENTORY" "Asset Inventory" \
  "Are all PLCs documented with model, firmware version, and location?" \
    "Complete inventory of all control system components per IEC 62443-2-1" \
  "Is network topology documented with current diagrams?" \
    "Network architecture diagrams showing all zones and conduits" \
  "Are all communication paths documented?" \
    "Data flow diagrams showing all network connections" \
  "Are software versions documented for all SCADA/HMI systems?" \
    "Complete software inventory with versions"

run_section "SECTION 2: ACCESS CONTROL" "Access Control" \
  "Do all PLCs have password protection enabled?" \
    "IEC 62443-3-3 SR 1.1: Password protection on all devices" \
  "Are passwords at least 8 characters with complexity requirements?" \
    "IEC 62443-3-3 SR 1.5: Strong password policy" \
  "Are IP Access Control Lists configured on PLCs?" \
    "IEC 62443-3-3 SR 1.13: Access control based on IP address" \
  "Is multi-factor authentication (MFA) used for remote access?" \
    "IEC 62443-3-3 SR 1.2: Multi-factor authentication for remote access" \
  "Are user accounts reviewed quarterly?" \
    "IEC 62443-2-1: Regular access reviews and recertification" \
  "Are default passwords changed on all devices?" \
    "IEC 62443-4-2 CR 1.1: No default credentials" \
  "Is role-based access control (RBAC) implemented?" \
    "IEC 62443-3-3 SR 1.3: Least privilege principle"

run_section "SECTION 3: NETWORK SEGMENTATION" "Network Segmentation" \
  "Are control networks physically or logically separated from corporate networks?" \
    "IEC 62443-3-2: Zones and conduits architecture" \
  "Are firewalls deployed between security zones?" \
    "IEC 62443-3-3 SR 3.1: Network segmentation with firewalls" \
  "Are firewall rules based on whitelist (deny by default)?" \
    "IEC 62443-3-3 SR 3.1: Default deny policy" \
  "Is a DMZ implemented between IT and OT networks?" \
    "Defense-in-depth: DMZ for data exchange" \
  "Are VLANs used for logical network separation?" \
    "IEC 62443-3-3 SR 3.1: Network segregation" \
  "Are critical safety systems air-gapped or on separate network?" \
    "IEC 62443-3-3 SR 3.1: Critical system isolation"

run_section "SECTION 4: PLC SECURITY CONFIGURATION" "PLC Security" \
  "Are unused PLC services disabled (web server, FTP, SNMP)?" \
    "IEC 62443-3-3 SR 7.6: Minimize attack surface" \
  "Is PLC firmware up to date?" \
    "IEC 62443-4-1 SR 1.1: Security updates applied" \
  "Are PLC configuration changes logged?" \
    "IEC 62443-3-3 SR 2.9: Audit logging" \
  "Are PLCs configured to only accept connections from authorized IPs?" \
    "IEC 62443-4-2 CR 1.13: Source address validation" \
  "Is PLC front panel physically secured (S7-1500)?" \
    "IEC 62443-3-3 SR 1.11: Physical access control" \
  "Are PLC communication processors (CPs) using firewalls/VPN?" \
    "IEC 62443-3-3 SR 4.1: Encrypted communications"

run_section "SECTION 5: SYSTEM HARDENING" "System Hardening" \
  "Are operating systems hardened per vendor guidance?" \
    "IEC 62443-4-2 CR 7.6: Operating system hardening" \
  "Is antivirus/endpoint protection deployed on HMI/SCADA systems?" \
    "IEC 62443-3-3 SR 3.2: Malware protection" \
  "Is application whitelisting implemented?" \
    "NIST SP 800-82: Application control" \
  "Are USB ports disabled or controlled on operator stations?" \
    "IEC 62443-3-3 SR 3.2: Removable media control" \
  "Are security patches applied in timely manner?" \
    "IEC 62443-2-1: Patch management process" \
  "Are unnecessary Windows services disabled?" \
    "Defense-in-depth: Minimize attack surface"

run_section "SECTION 6: MONITORING AND LOGGING" "Monitoring" \
  "Is network traffic monitored with IDS/IPS?" \
    "IEC 62443-3-3 SR 6.1: Network monitoring" \
  "Are logs centrally collected (SIEM)?" \
    "IEC 62443-3-3 SR 2.8: Centralized logging" \
  "Are critical events alerting in real-time?" \
    "IEC 62443-3-3 SR 2.9: Security event alerting" \
  "Are logs retained for at least 90 days?" \
    "IEC 62443-2-1: Audit log retention" \
  "Are logs reviewed regularly?" \
    "IEC 62443-2-1: Log review procedures" \
  "Is network baseline established and anomalies detected?" \
    "IEC 62443-4-2 CR 3.3: Anomaly detection"

run_section "SECTION 7: REMOTE ACCESS" "Remote Access" \
  "Is VPN required for all remote access?" \
    "IEC 62443-3-3 SR 4.1: Encrypted remote access" \
  "Is MFA required for VPN access?" \
    "IEC 62443-3-3 SR 1.2: Multi-factor authentication" \
  "Are vendor remote access sessions monitored and time-limited?" \
    "CISA: Vendor remote access controls" \
  "Is remote access logged and reviewed?" \
    "IEC 62443-3-3 SR 2.9: Remote access auditing" \
  "Are jump servers/bastion hosts used for remote access?" \
    "Defense-in-depth: Controlled access points"

run_section "SECTION 8: PHYSICAL SECURITY" "Physical Security" \
  "Are control rooms and server rooms physically secured?" \
    "IEC 62443-3-3 SR 1.11: Physical access control" \
  "Is access to control rooms logged (badge system)?" \
    "IEC 62443-3-3 SR 1.11: Physical access auditing" \
  "Are network cabinets locked?" \
    "IEC 62443-3-3 SR 1.11: Equipment physical protection" \
  "Is CCTV monitoring implemented for critical areas?" \
    "Defense-in-depth: Video surveillance" \
  "Are visitor access procedures documented and followed?" \
    "IEC 62443-2-1: Visitor management"

run_section "SECTION 9: BACKUP AND RECOVERY" "Backup/Recovery" \
  "Are PLC programs backed up after every change?" \
    "IEC 62443-2-1: Configuration management" \
  "Are backups stored offline or off-site?" \
    "Defense-in-depth: 3-2-1 backup rule" \
  "Are backup integrity checks performed?" \
    "IEC 62443-3-3 SR 7.3: Backup verification" \
  "Is recovery tested at least quarterly?" \
    "IEC 62443-2-1: Disaster recovery testing" \
  "Are Recovery Time Objectives (RTO) documented?" \
    "Business continuity planning"

run_section "SECTION 10: INCIDENT RESPONSE" "Incident Response" \
  "Is an incident response plan documented?" \
    "IEC 62443-2-1: Incident management" \
  "Is incident response team identified with roles assigned?" \
    "IEC 62443-2-1: IR team structure" \
  "Are incident response procedures tested annually?" \
    "IEC 62443-2-1: Tabletop exercises" \
  "Are incidents documented and lessons learned captured?" \
    "IEC 62443-2-1: Continuous improvement" \
  "Is there a communication plan for incidents?" \
    "IEC 62443-2-1: Stakeholder communication"

run_section "SECTION 11: POLICIES AND PROCEDURES" "Policies" \
  "Is a cybersecurity policy documented and approved?" \
    "IEC 62443-2-1: Cybersecurity policy" \
  "Are change management procedures documented and followed?" \
    "IEC 62443-2-1: Change control" \
  "Is patch management process documented?" \
    "IEC 62443-2-1: Security update management" \
  "Are security roles and responsibilities documented?" \
    "IEC 62443-2-1: Governance structure" \
  "Is security awareness training conducted annually?" \
    "IEC 62443-2-1: Personnel security awareness"

run_section "SECTION 12: RISK MANAGEMENT" "Risk Management" \
  "Has a security risk assessment been conducted?" \
    "IEC 62443-3-2: Security risk assessment" \
  "Are risk assessment results documented?" \
    "IEC 62443-3-2: Risk documentation" \
  "Are target security levels (SL-T) defined for each zone?" \
    "IEC 62443-3-2: Security level targets" \
  "Is risk assessment updated annually or after major changes?" \
    "IEC 62443-2-1: Risk assessment review" \
  "Are residual risks accepted by management?" \
    "IEC 62443-2-1: Risk acceptance"
#========================================
# Generate Report
#========================================
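# Output locations; overridable from the environment (e.g. for batch runs).
FINDINGS_FILE=${FINDINGS_FILE:-assessment_findings.csv}
SUMMARY_FILE=${SUMMARY_FILE:-assessment_summary.txt}
echo ""
echo "========================================"
echo "ASSESSMENT COMPLETE"
echo "========================================"
echo ""
# Counters are normally set by check_item; default them to 0 so the
# arithmetic below is well-defined even when no item was assessed.
: "${TOTAL_CHECKS:=0}" "${PASSED:=0}" "${FAILED:=0}" "${WARNING:=0}" "${NA:=0}"
# Calculate percentages: N/A items are excluded from the denominator.
COMPLIANCE_ITEMS=$((TOTAL_CHECKS - NA))
if (( COMPLIANCE_ITEMS > 0 )); then
  COMPLIANCE_PCT=$((PASSED * 100 / COMPLIANCE_ITEMS))
else
  COMPLIANCE_PCT=0
fi
echo "Assessment Summary:"
echo "-------------------"
echo "Total Checks: $TOTAL_CHECKS"
echo "Passed: $PASSED"
echo "Failed: $FAILED"
echo "Warnings: $WARNING"
echo "Not Applicable: $NA"
echo ""
echo "Compliance Rate: $COMPLIANCE_PCT% (excluding N/A)"
echo ""
# Risk Rating. RISK_LABEL is plain text for the report file; RISK_LEVEL is
# the coloured variant and is only ever printed to the console with echo -e.
if (( COMPLIANCE_PCT >= 90 )); then
  RISK_LABEL="LOW RISK"
  RISK_COLOR=$GREEN
elif (( COMPLIANCE_PCT >= 70 )); then
  RISK_LABEL="MEDIUM RISK"
  RISK_COLOR=$YELLOW
elif (( COMPLIANCE_PCT >= 50 )); then
  RISK_LABEL="HIGH RISK"
  RISK_COLOR=$YELLOW
else
  RISK_LABEL="CRITICAL RISK"
  RISK_COLOR=$RED
fi
RISK_LEVEL="${RISK_COLOR}${RISK_LABEL}${NC}"
echo -e "Overall Risk Level: $RISK_LEVEL"
echo ""
# Save summary to file. Only plain text goes in here: the colour escapes
# would otherwise be written literally into the report.
cat > "$SUMMARY_FILE" <<EOF
INDUSTRIAL NETWORK SECURITY ASSESSMENT SUMMARY
==============================================
Date: $(date)
Assessor: ${USER:-$(id -un 2>/dev/null || echo unknown)}
RESULTS:
--------
Total Checks: $TOTAL_CHECKS
Passed: $PASSED
Failed: $FAILED
Warnings: $WARNING
Not Applicable: $NA
Compliance Rate: $COMPLIANCE_PCT%
Overall Risk: $RISK_LABEL
FINDINGS:
---------
See $FINDINGS_FILE for detailed findings.
RECOMMENDATIONS:
----------------
EOF
# Recommendations are numbered as they are emitted, so a skipped
# recommendation does not leave a gap in the numbering.
REC_NO=0
add_recommendation() {
  REC_NO=$((REC_NO + 1))
  printf '%d. %s\n' "$REC_NO" "$1" >> "$SUMMARY_FILE"
}
if (( FAILED > 0 )); then
  add_recommendation "Address all FAILED items immediately (Critical Priority)"
fi
if (( WARNING > 0 )); then
  add_recommendation "Review and remediate WARNING items (High Priority)"
fi
if (( COMPLIANCE_PCT < 90 )); then
  add_recommendation "Develop remediation plan to achieve 90%+ compliance"
fi
add_recommendation "Schedule next assessment in 6 months"
echo "" >> "$SUMMARY_FILE"
echo "Files Generated:"
echo "----------------"
echo "1. $FINDINGS_FILE - Detailed findings list"
echo "2. $SUMMARY_FILE - Summary report"
echo ""
# Show top findings. Severity is the first CSV column, so a line-anchored
# match selects rows by severity.
if [ -f "$FINDINGS_FILE" ]; then
  echo "Top Findings:"
  echo "-------------"
  grep "^FAIL," "$FINDINGS_FILE" | head -5
  echo ""
  grep "^WARNING," "$FINDINGS_FILE" | head -3
  echo ""
fi
echo "========================================"
echo "Next Steps:"
echo "========================================"
echo "1. Review findings in $FINDINGS_FILE"
echo "2. Prioritize remediation actions"
echo "3. Create remediation plan with timeline"
echo "4. Assign owners to each finding"
echo "5. Track progress and re-assess"
echo ""
echo "For detailed guidance, see:"
echo " - industrial-network-security-guide.md"
echo " - IEC 62443 standards documentation"
echo ""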