commit 46161ab05726739c5b7513c4aee5fc4718dbd8cc Author: Dejan Date: Mon Feb 16 19:48:24 2026 +0000 Upload files to "/" diff --git a/industrial-network-security-guide.md b/industrial-network-security-guide.md new file mode 100644 index 0000000..2f08eec --- /dev/null +++ b/industrial-network-security-guide.md 
@@ -0,0 +1,1483 @@ +# Industrial Network Security Best Practices Guide +## Comprehensive Security for PLC and SCADA Systems + +**Based on IEC 62443 Standards and Defense-in-Depth Principles** + +--- + +## Table of Contents + +1. [Introduction](#introduction) +2. [Security Frameworks and Standards](#security-frameworks-and-standards) +3. [Defense-in-Depth Strategy](#defense-in-depth-strategy) +4. [Network Segmentation (Zones and Conduits)](#network-segmentation) +5. [Siemens S7 PLC Specific Security](#siemens-s7-security) +6. [Implementation Checklist](#implementation-checklist) +7. [Security Assessment Procedures](#security-assessment) +8. [Ongoing Monitoring and Maintenance](#ongoing-monitoring) +9. [Incident Response](#incident-response) +10. [Compliance and Documentation](#compliance) + +--- + +## 1. Introduction + +### Why Industrial Network Security Matters + +Industrial Control Systems (ICS) and Operational Technology (OT) environments face unique cybersecurity challenges: + +- **Safety Critical**: Cyber attacks can cause physical harm, environmental damage, or loss of life +- **High Availability Requirements**: Production systems require 24/7 uptime +- **Long Lifecycles**: Equipment may operate for 20+ years with outdated software +- **Convergence of IT/OT**: Increasing connectivity exposes OT to IT-based threats +- **Targeted Attacks**: Nation-states and cybercriminals specifically target critical infrastructure + +### Real-World Consequences + +**Stuxnet (2010)**: Destroyed Iranian nuclear centrifuges via compromised Siemens S7 PLCs +**Ukraine Power Grid (2015)**: BlackEnergy malware caused blackouts affecting 230,000 people +**Triton/Trisis (2017)**: Targeted safety systems in petrochemical plant +**Colonial Pipeline (2021)**: Ransomware caused major fuel shortage in US + +--- + +## 2. 
Security Frameworks and Standards + +### IEC 62443 - The Gold Standard for Industrial Cybersecurity + +IEC 62443 is the international standard specifically designed for Industrial Automation and Control Systems (IACS) security. + +#### IEC 62443 Structure + +The standard is divided into 4 main categories: + +**1. General (IEC 62443-1-x)** +- Terminology, concepts, and models +- Foundation for the entire standard +- Defines security levels and zones + +**2. Policies and Procedures (IEC 62443-2-x)** +- Cybersecurity management system requirements +- Risk assessment methodology +- Patch management and incident response + +**3. System (IEC 62443-3-x)** +- System-level security requirements +- Network segmentation (zones and conduits) +- Security risk assessment for systems + +**4. Component (IEC 62443-4-x)** +- Product development lifecycle requirements +- Component technical security requirements +- Secure coding and vulnerability management + +#### Security Levels (SL) in IEC 62443 + +The standard defines 4 security levels based on threat capability: + +| Security Level | Threat Type | Attacker Profile | +|----------------|-------------|------------------| +| **SL 0** | No special requirement | None | +| **SL 1** | Protection against casual or coincidental violation | Unskilled individual using simple means | +| **SL 2** | Protection against intentional violation using simple means | Skilled individual using simple means with low resources | +| **SL 3** | Protection against intentional violation using sophisticated means | Skilled individual with moderate resources and IACS-specific skills | +| **SL 4** | Protection against intentional violation using sophisticated means with extended resources | Highly skilled and motivated organization with extensive resources | + +**Typical Target Levels:** +- Critical Infrastructure: SL 2-3 +- High-Risk Facilities: SL 3-4 +- Standard Industrial Plants: SL 1-2 + +### Other Relevant Standards + +**NIST SP 800-82**: Guide to 
Industrial Control Systems (ICS) Security +**NIST Cybersecurity Framework (CSF)**: Identify, Protect, Detect, Respond, Recover +**ISO/IEC 27001**: Information Security Management Systems +**IEC 61511**: Safety Instrumented Systems (SIS) security + +--- + +## 3. Defense-in-Depth Strategy + +Defense-in-Depth applies **multiple layers of security controls** throughout the industrial network, ensuring that if one layer fails, others continue to provide protection. + +### Core Principles + +1. **Layered Security**: No single point of failure +2. **Diversity**: Use different types of security controls +3. **Fail-Safe Design**: Systems fail to a secure state +4. **Least Privilege**: Minimum access necessary +5. **Separation of Duties**: No single person has complete control + +### The Seven Layers of Defense + +``` +Layer 7: Policies, Procedures & Awareness + ↓ +Layer 6: Physical Security + ↓ +Layer 5: Perimeter Security (Firewalls, DMZ) + ↓ +Layer 4: Network Security (Segmentation, VLANs, IDS) + ↓ +Layer 3: Host Security (Hardening, Antivirus, Patching) + ↓ +Layer 2: Application Security (Authentication, Encryption) + ↓ +Layer 1: Data Security (Encryption, Backup, Integrity) +``` + +### Implementation Strategy + +**Physical Layer:** +- Locked server rooms and control cabinets +- Access control systems (badge readers) +- CCTV monitoring +- Tamper-evident seals on critical equipment + +**Network Layer:** +- Firewalls between zones +- Network segmentation (VLANs) +- Intrusion Detection Systems (IDS) +- Data diodes for one-way communication + +**System Layer:** +- Operating system hardening +- Disable unnecessary services +- Application whitelisting +- Regular security updates and patches + +**Application Layer:** +- Strong authentication (passwords, 2FA) +- Role-based access control (RBAC) +- Secure coding practices +- Input validation + +**Data Layer:** +- Encryption at rest and in transit +- Regular backups (3-2-1 rule) +- Data integrity checks +- Secure data destruction 
+ +**People Layer:** +- Security awareness training +- Background checks for critical roles +- Documented security policies +- Incident response procedures + +--- + +## 4. Network Segmentation (Zones and Conduits) + +### The Purdue Model + +The Purdue Enterprise Reference Architecture (PERA) is the foundation for ICS network segmentation: + +``` +Level 5: Enterprise Network (ERP, Email, Internet) + ↓ DMZ / Firewall +Level 4: Business Planning & Logistics (MES, Historian) + ↓ DMZ / Firewall +Level 3: Operations Management (SCADA, HMI) + ↓ Industrial Firewall +Level 2: Area Supervisory Control (PLC, DCS) + ↓ Industrial Switch +Level 1: Basic Control (PLC, RTU, Field Devices) + ↓ Field Network +Level 0: Process (Sensors, Actuators, Motors) +``` + +### Zones and Conduits (IEC 62443-3-2) + +**Zone**: A grouping of logical or physical assets that share common security requirements +**Conduit**: A logical grouping of communication channels connecting two or more zones + +#### Example Zone Structure + +**Zone 1: Enterprise Network** +- Business systems (ERP, email, file servers) +- Internet connectivity +- Office workstations + +**Zone 2: DMZ (Demilitarized Zone)** +- Historian servers +- Data diodes +- Application servers accessible from both enterprise and control + +**Zone 3: Control Network (Level 3)** +- SCADA servers +- HMI workstations +- Engineering workstations + +**Zone 4: Process Control Network (Level 2)** +- PLCs (Siemens S7-1200/1500) +- DCS controllers +- Safety systems (SIS) + +**Zone 5: Field Device Network (Level 1-0)** +- I/O modules +- Remote I/O +- Sensors and actuators + +#### Conduit Security Requirements + +Each conduit between zones must implement appropriate security controls: + +| Conduit | Source Zone | Dest Zone | Security Requirements | +|---------|-------------|-----------|----------------------| +| C1 | Enterprise | DMZ | Corporate Firewall, VPN, Authentication | +| C2 | DMZ | Control Network | Industrial Firewall, Unidirectional Gateway | 
+| C3 | Control Network | Process Network | Industrial Switch with ACLs, Port Security | +| C4 | Process Network | Field Devices | Encrypted protocols (if supported), Physical isolation | + +### Network Segmentation Best Practices + +1. **Air-Gap Critical Systems**: Physically separate safety-critical systems +2. **Use Industrial Firewalls**: Commercial IT firewalls are not sufficient +3. **Implement Data Diodes**: For one-way data transfer from OT to IT +4. **VLANs for Logical Separation**: When physical separation isn't possible +5. **Limit Communication Paths**: Only allow necessary connections +6. **Monitor All Boundaries**: IDS/IPS at each zone boundary + +--- + +## 5. Siemens S7 PLC Specific Security + +### S7-1200/1500 Security Features + +#### 1. Access Protection (Password Protection) + +**Protection Levels:** +- **No Protection**: Full read/write access +- **Write Protection**: Read-only access without password +- **Read/Write Protection**: Password required for all access +- **Complete Protection + Integrity**: Strongest protection including know-how protection + +**Configuration in TIA Portal:** +``` +1. Open PLC properties +2. Go to "Protection & Security" +3. Set "Protection level" +4. Enter strong password (min. 8 characters) +5. Enable "Copy protection" for intellectual property +``` + +**Best Practice**: Use Read/Write Protection or Complete Protection for production PLCs + +#### 2. IP Access Control Lists (ACLs) + +Restrict which devices can communicate with the PLC by IP address. + +**Configuration:** +``` +1. PLC Properties → Protection & Security → Connection mechanisms +2. Enable "Permit access only for the following IP addresses/subnets" +3. Add authorized IPs: + - Engineering station: 192.168.10.50/32 + - HMI: 192.168.10.60/32 + - SCADA server: 192.168.10.70/32 +4. Deny all other connections +``` + +#### 3. 
Communication Encryption + +**CP 1543-1 Communication Processor:** +- Built-in VPN functionality (IPsec) +- Integrated firewall +- Supports encrypted S7 communication + +**Configuration Steps:** +1. Install CP 1543-1 module in PLC +2. Configure VPN tunnel in TIA Portal +3. Set up IPsec parameters (AES-256 encryption) +4. Configure firewall rules + +#### 4. Firmware Updates and Patch Management + +**Check Current Firmware:** +``` +TIA Portal → Online & Diagnostics → Device Information → Firmware Version +``` + +**Update Process:** +1. Download firmware from Siemens Support Portal +2. Verify firmware signature +3. Test in non-production environment first +4. Schedule maintenance window +5. Backup PLC program before updating +6. Update via TIA Portal → Online Tools → Firmware Update + +**Subscribe to Siemens ProductCERT:** +- URL: https://www.siemens.com/cert +- Receive security advisories for vulnerabilities +- CSAF format for automated processing + +#### 5. Disable Unused Services + +**Services to Disable (if not needed):** +- Web Server (HTTP/HTTPS) +- FTP Server +- SNMP +- Modbus TCP (if using only S7 communication) +- OPC UA (if not required) + +**Configuration:** +``` +Device Properties → System and Clock Memory → Web server +□ Enable web server (uncheck if not needed) +``` + +#### 6. Secure Physical Access + +**S7-1500 Front Flap Lock:** +- Prevents unauthorized access to: + - SIMATIC memory card + - Mode selector + - Display and buttons + +**Configuration:** +1. Insert locking latch into front flap +2. Physical key required to open +3. Document key location in security procedures + +#### 7. 
Network Services Security + +**Default Ports Used by S7-1200/1500:** +| Port | Protocol | Service | Security Action | +|------|----------|---------|----------------| +| 102 | TCP | S7 Communication | Firewall, ACLs | +| 80 | TCP | HTTP Web Server | Disable or use HTTPS only | +| 443 | TCP | HTTPS Web Server | Enable with certificates | +| 161 | UDP | SNMP | Disable if not needed | +| 20000 | TCP | PN DCP | Limit to local segment | + +**Firewall Rules Example (iptables):** +```bash +# Allow S7 communication only from authorized IPs +iptables -A INPUT -p tcp --dport 102 -s 192.168.10.50 -j ACCEPT +iptables -A INPUT -p tcp --dport 102 -s 192.168.10.60 -j ACCEPT +iptables -A INPUT -p tcp --dport 102 -j DROP + +# Block web server from external access +iptables -A INPUT -p tcp --dport 80 -s 192.168.10.0/24 -j ACCEPT +iptables -A INPUT -p tcp --dport 80 -j DROP +``` + +### Common S7 Vulnerabilities and Mitigations + +#### CVE-2016-9159: Credential Disclosure +**Affected**: S7-300, S7-400 (older firmware) +**Risk**: Password can be extracted via network access to port 102 +**Mitigation**: +1. Update to latest firmware +2. Implement network segmentation +3. Use CP modules with firewall +4. Monitor port 102 access + +#### CVE-2019-13945: Denial of Service +**Affected**: S7-1200, S7-1500 (certain firmware versions) +**Risk**: Specially crafted packets can crash PLC +**Mitigation**: +1. Update firmware to latest version +2. Implement IDS to detect malformed packets +3. Firewall rules to filter suspicious traffic + +#### Lack of Native Authentication +**Issue**: S7 protocol doesn't require authentication by default +**Mitigation**: +1. Use IP Access Control Lists +2. Network segmentation +3. VPN for remote access +4. Consider CP modules with VPN/firewall + +--- + +## 6. 
Implementation Checklist + +### Phase 1: Assessment and Planning (Weeks 1-4) + +#### Week 1: Asset Inventory +- [ ] Document all PLCs (model, firmware version, location) +- [ ] Map network topology (create network diagrams) +- [ ] Identify all communication paths +- [ ] List all access points (local and remote) +- [ ] Document current security measures + +**Tools:** +- Nmap for network discovery +- Siemens SINEC NMS for asset management +- Network documentation software (Visio, Lucidchart) + +#### Week 2: Risk Assessment +- [ ] Identify critical assets and processes +- [ ] Evaluate potential threats (insider, external, accidental) +- [ ] Assess current vulnerabilities +- [ ] Determine Security Level targets (SL-T) per IEC 62443 +- [ ] Prioritize risks (high/medium/low) + +**Risk Assessment Matrix:** +``` +Impact vs. Likelihood: + Low Medium High +High | Med | High | Critical +Medium | Low | Med | High +Low | Low | Low | Med +``` + +#### Week 3: Gap Analysis +- [ ] Compare current state to IEC 62443 requirements +- [ ] Identify missing security controls +- [ ] Document technical debt +- [ ] Estimate remediation effort and cost +- [ ] Create prioritized remediation plan + +#### Week 4: Policy and Procedure Development +- [ ] Write/update cybersecurity policy +- [ ] Define roles and responsibilities +- [ ] Create access control procedures +- [ ] Develop incident response plan +- [ ] Establish change management process + +### Phase 2: Quick Wins (Weeks 5-8) + +#### Immediate Actions (No Downtime Required) +- [ ] Enable PLC password protection (all PLCs) +- [ ] Configure IP Access Control Lists +- [ ] Disable unused PLC services +- [ ] Change all default passwords +- [ ] Enable logging on network devices +- [ ] Document all changes + +#### Low-Risk Improvements +- [ ] Install antivirus on HMI/SCADA systems +- [ ] Enable Windows Firewall on operator stations +- [ ] Implement USB device controls +- [ ] Create baseline configurations for all systems +- [ ] Set up 
centralized log collection + +### Phase 3: Network Segmentation (Weeks 9-16) + +#### Design Phase +- [ ] Design zone and conduit architecture +- [ ] Plan VLAN structure +- [ ] Select firewall/switch hardware +- [ ] Create detailed implementation plan +- [ ] Schedule maintenance windows + +#### Implementation Phase +- [ ] Install firewalls between zones +- [ ] Configure VLANs on switches +- [ ] Set up firewall rules (whitelist approach) +- [ ] Install IDS/IPS sensors +- [ ] Test all communication paths +- [ ] Document new architecture + +**Firewall Rule Template:** +``` +Source Zone: Level 3 (SCADA) +Dest Zone: Level 2 (PLCs) +Protocol: TCP +Port: 102 +Action: ALLOW +Log: Yes +``` + +### Phase 4: Advanced Security Controls (Weeks 17-24) + +#### System Hardening +- [ ] Harden all Windows systems (CIS benchmarks) +- [ ] Implement application whitelisting +- [ ] Deploy endpoint protection +- [ ] Configure secure logging (SIEM) +- [ ] Enable file integrity monitoring + +#### Access Control +- [ ] Implement multi-factor authentication (MFA) +- [ ] Deploy jump servers for remote access +- [ ] Configure VPN with strong encryption +- [ ] Establish privileged access management (PAM) +- [ ] Create audit trails for all access + +#### Monitoring and Detection +- [ ] Deploy network monitoring (IDS/IPS) +- [ ] Configure SIEM alerts +- [ ] Establish baseline behavior +- [ ] Create detection use cases +- [ ] Set up automated alerting + +### Phase 5: Testing and Validation (Weeks 25-28) + +#### Security Testing +- [ ] Vulnerability scanning (authenticated scans only) +- [ ] Penetration testing (with extreme caution) +- [ ] Firewall rule testing +- [ ] Incident response tabletop exercise +- [ ] Disaster recovery test +- [ ] User awareness testing (phishing simulation) + +**IMPORTANT**: Never perform aggressive testing on production OT systems + +#### Validation Checklist +- [ ] All PLCs have password protection +- [ ] IP ACLs configured on all PLCs +- [ ] Unnecessary services 
disabled +- [ ] Firewalls between all zones +- [ ] Remote access requires VPN + MFA +- [ ] All systems logging to SIEM +- [ ] Backup and recovery tested +- [ ] Incident response plan tested + +### Phase 6: Continuous Improvement (Ongoing) + +#### Monthly Tasks +- [ ] Review firewall logs +- [ ] Check for firmware updates +- [ ] Review access logs +- [ ] Update asset inventory +- [ ] Security awareness training reminder + +#### Quarterly Tasks +- [ ] Vulnerability assessment +- [ ] Review and update policies +- [ ] Access rights review (recertification) +- [ ] Test backups +- [ ] Review IDS/IPS alerts + +#### Annual Tasks +- [ ] Full security audit +- [ ] Penetration test (controlled environment) +- [ ] Update risk assessment +- [ ] Incident response drill +- [ ] Review and update BCP/DR plans +- [ ] Security awareness training (full program) + +--- + +## 7. Security Assessment Procedures + +### Pre-Assessment Preparation + +#### Safety First +**CRITICAL**: OT security assessments can disrupt operations or cause safety issues. + +**Before Any Assessment:** +1. Obtain written approval from operations manager +2. Schedule during planned maintenance window +3. Have control system engineers on-site +4. Test all procedures in non-production environment first +5. Prepare rollback plan +6. 
Brief safety personnel + +### Assessment Levels + +#### Level 1: Passive Assessment (No Risk) +**Activities:** +- Document review +- Architecture review +- Policy and procedure review +- Interviews with staff +- Review of logs and reports + +**Tools**: None (manual review) + +#### Level 2: Network Monitoring (Minimal Risk) +**Activities:** +- Passive network traffic capture +- Protocol analysis +- Device discovery (passive) +- Baseline establishment + +**Tools**: +- Wireshark +- Nozomi Networks +- Claroty +- Dragos Platform + +#### Level 3: Active Scanning (Low Risk) +**Activities:** +- Network discovery (active) +- Service enumeration +- OS fingerprinting +- Credential validation + +**Tools** (use with caution): +- Nmap (with rate limiting) +- Siemens SINEC NMS +- Tenable.sc (ICS profile) + +**Configuration Example (Safe Nmap Scan):** +```bash +# Safe, slow scan for S7 PLCs +nmap -sT -T1 --max-rate 10 -p 102 --script s7-info 192.168.10.0/24 + +# Explanation: +# -sT: TCP connect scan (not SYN scan) +# -T1: Slowest timing template +# --max-rate 10: Max 10 packets/second +# -p 102: Only S7 port +# --script s7-info: Siemens-specific enumeration +``` + +#### Level 4: Vulnerability Scanning (Medium Risk) +**Activities:** +- Authenticated vulnerability scans +- Configuration compliance checks +- Missing patch identification + +**Tools**: +- Tenable.sc with ICS plugin +- Rapid7 Nexpose +- Qualys VM + +**CRITICAL Requirements:** +1. Test in lab environment first +2. Use ICS-specific scan profiles +3. Schedule during maintenance window +4. Have control engineers present +5. Start with single device +6. 
Monitor PLC scan time and CPU load + +#### Level 5: Penetration Testing (High Risk) +**ONLY in isolated test environment or with extreme caution** + +**Activities:** +- Exploit validation +- Privilege escalation +- Lateral movement testing +- Data exfiltration simulation + +**Requirements:** +- Dedicated test network +- Replica of production environment +- Experienced ICS penetration testers +- 24/7 on-site support +- Detailed test plan approved by all stakeholders + +### Step-by-Step Security Assessment + +#### Step 1: Information Gathering (Passive) + +**Objective**: Understand the environment without touching systems + +**Tasks:** +1. Review network diagrams +2. Document all PLCs and versions +3. Identify communication protocols +4. Map data flows +5. Review existing security controls +6. Identify critical assets + +**Deliverable**: Asset inventory and network map + +#### Step 2: Vulnerability Identification + +**2a. Configuration Review** +```bash +# Check for common misconfigurations + +# PLC Password Protection +✓ Is password protection enabled? +✓ Password meets complexity requirements? (min 8 chars) +✓ Password documented in secure location? + +# Network Access +✓ Are IP ACLs configured? +✓ Is web server disabled (if not needed)? +✓ Are unused protocols disabled? + +# Firmware +✓ Firmware version documented? +✓ Firmware up to date? +✓ Update process documented? +``` + +**2b. Network Vulnerability Scan** +```bash +# Use Nmap safely for S7 PLCs +nmap -sT -T1 -p 102,80,443,161 --max-rate 5 192.168.10.100 + +# Check results for: +# - Open ports (should only be 102 if others disabled) +# - Service versions +# - Banner information +``` + +**2c. 
Known Vulnerability Check** +- Check Siemens ProductCERT advisories +- Compare firmware version to CVE database +- Review CISA ICS-CERT advisories + +#### Step 3: Risk Evaluation + +**Risk Scoring:** +``` +Risk = Likelihood × Impact × Exploitability + +Likelihood (1-5): +1 = Very unlikely +3 = Possible +5 = Very likely + +Impact (1-5): +1 = Minimal +3 = Moderate (production delay) +5 = Critical (safety hazard) + +Exploitability (1-5): +1 = Very difficult (requires insider access) +3 = Moderate (requires some skill) +5 = Easy (public exploit available) +``` + +**Example:** +- Finding: PLC has no password protection +- Likelihood: 4 (network accessible) +- Impact: 5 (controls safety system) +- Exploitability: 5 (trivial to access) +- Risk Score: 4 × 5 × 5 = 100 (CRITICAL) + +#### Step 4: Reporting + +**Report Structure:** +1. Executive Summary +2. Scope and Methodology +3. Asset Inventory +4. Findings (organized by severity) +5. Risk Assessment +6. Recommendations (prioritized) +7. Remediation Plan + +**Finding Template:** +``` +FINDING ID: VUL-001 +SEVERITY: Critical +TITLE: PLC Password Protection Disabled +DESCRIPTION: S7-1200 at 192.168.10.100 has no password protection +IMPACT: Unauthorized user can read/modify PLC program, causing safety hazard +LIKELIHOOD: High (network accessible from control network) +EXPLOITABILITY: High (no authentication required) +AFFECTED SYSTEMS: PLC-REACTOR-01 (192.168.10.100) +RECOMMENDATION: Enable Read/Write Protection with strong password +EFFORT: Low (15 minutes per PLC) +PRIORITY: 1 (Critical - remediate within 24 hours) +``` + +--- + +## 8. 
Ongoing Monitoring and Maintenance + +### Continuous Monitoring Strategy + +#### What to Monitor + +**Network Level:** +- Firewall rule violations +- Unauthorized connection attempts +- Protocol anomalies +- Bandwidth utilization +- New devices on network + +**System Level:** +- Login attempts (successful and failed) +- Configuration changes +- Firmware updates +- Service start/stop +- Antivirus alerts + +**Application Level:** +- PLC mode changes (RUN/STOP) +- Program uploads/downloads +- Recipe changes +- Setpoint modifications +- Alarm patterns + +**Physical Level:** +- Door access events +- CCTV events +- Environmental sensors (temperature, humidity) + +### Monitoring Tools + +#### Network IDS/IPS for OT + +**Commercial Solutions:** +- Nozomi Networks Guardian +- Claroty +- Dragos Platform +- Fortinet FortiGate (OT-specific) +- Cisco Cyber Vision + +**Open Source:** +- Snort (with OT rules) +- Suricata (with ICS signatures) +- Zeek (formerly Bro) with S7Comm analyzer + +#### SIEM Integration + +**Popular SIEM Solutions:** +- Splunk (with ICS apps) +- IBM QRadar +- ArcSight +- LogRhythm + +**Key Log Sources:** +1. Firewall logs +2. IDS/IPS alerts +3. Windows Event Logs (HMI, Engineering stations) +4. PLC audit logs (if available) +5. Switch logs (MAC address changes, port security) +6. VPN access logs +7. Physical access control logs + +### Alert Configuration + +#### Critical Alerts (Immediate Response) + +``` +1. PLC Program Download + - Trigger: S7 WRITE command to program blocks + - Action: Page on-call engineer, log event + +2. PLC Mode Change (RUN → STOP) + - Trigger: PLC state change + - Action: Alert operations, investigate + +3. Unauthorized IP Connection + - Trigger: Connection from IP not in whitelist + - Action: Block IP, alert security team + +4. Multiple Failed Login Attempts + - Trigger: 3 failed logins within 5 minutes + - Action: Lock account, alert security + +5. 
New Device on Control Network + - Trigger: New MAC address detected + - Action: Alert network admin, investigate +``` + +#### Warning Alerts (Review Within 24h) + +``` +1. Configuration Change +2. Firmware Update +3. New user account created +4. Privilege escalation +5. Anomalous protocol usage +``` + +### Patch Management + +#### Siemens S7 Patch Process + +**1. Monitor for Updates** +- Subscribe to Siemens ProductCERT: https://www.siemens.com/cert +- Check TIA Portal updates monthly +- Review security advisories + +**2. Evaluate Patches** +``` +For each patch, assess: +- Severity: Critical / High / Medium / Low +- Applicability: Does it affect our systems? +- Impact: Will it affect production? +- Prerequisites: Required firmware version? +- Testing: Can we test in lab first? +``` + +**3. Test in Non-Production** +- Apply patch to lab PLC +- Run full functional tests +- Monitor for 48 hours +- Document any issues + +**4. Schedule Production Update** +- Coordinate with operations +- Schedule maintenance window +- Prepare rollback plan +- Notify all stakeholders + +**5. Apply and Verify** +``` +Pre-Update: +- Backup PLC program +- Document current firmware version +- Take screenshot of diagnostics + +Update: +- Apply firmware update +- Verify version number +- Run functional tests + +Post-Update: +- Monitor for 24 hours +- Document completion +- Update asset inventory +``` + +**6. 
Document** +- Update change log +- Record in CMDB +- Update network diagram if needed + +#### Patch Priority Matrix + +| Severity | Affected Systems | Priority | Timeline | +|----------|-----------------|----------|----------| +| Critical | Safety Systems | P1 | 7 days | +| Critical | Production Systems | P2 | 30 days | +| High | Safety Systems | P2 | 30 days | +| High | Production Systems | P3 | 90 days | +| Medium | Any | P4 | Next maintenance window | +| Low | Any | P5 | Annual review | + +### Backup and Recovery + +#### PLC Backup Strategy + +**What to Backup:** +- PLC program (complete project) +- Configuration (IP address, parameters) +- Firmware version (document for reinstall) +- Hardware configuration +- Documentation (I/O lists, functional specs) + +**Backup Frequency:** +- After any program change (immediate) +- Weekly (automated if possible) +- Before firmware updates +- Before major maintenance + +**Backup Storage:** +- Primary: Network location (secured) +- Secondary: External hard drive (offline) +- Tertiary: Off-site (cloud or remote facility) +- Follow 3-2-1 rule: 3 copies, 2 media types, 1 off-site + +**TIA Portal Backup Process:** +``` +1. Open project in TIA Portal +2. Project → Archive... +3. Select "Create archive with all files" +4. Name with date: "PLC_REACTOR_2026-02-16.zap" +5. Save to secure network location +6. Verify archive integrity +7. Document in backup log +``` + +**Recovery Testing:** +- Test recovery quarterly +- Document recovery time objective (RTO) +- Practice in lab environment +- Train multiple personnel on recovery + +--- + +## 9. 
Incident Response + +### Incident Response Plan + +#### Phase 1: Preparation + +**Pre-Incident Checklist:** +- [ ] Incident response team identified (roles assigned) +- [ ] Contact list maintained (on-call rotation) +- [ ] Communication plan established +- [ ] Forensic tools prepared +- [ ] Backup systems verified +- [ ] Tabletop exercises conducted (annually) + +**IR Team Roles:** +- **Incident Commander**: Overall response coordination +- **Operations Lead**: Production continuity +- **Safety Lead**: Safety assessment and procedures +- **Technical Lead**: System investigation and remediation +- **Communications Lead**: Internal and external communications +- **Legal/Compliance**: Regulatory requirements + +#### Phase 2: Detection and Analysis + +**Detection Methods:** +1. SIEM alerts +2. IDS/IPS alarms +3. Operator reports +4. Anomaly detection +5. External notification (vendor, CERT) + +**Initial Response (First 15 minutes):** +``` +1. Alert incident commander +2. Assess safety impact +3. Isolate affected systems (if safe to do so) +4. Preserve evidence +5. 
Begin documentation +``` + +**Incident Classification:** + +| Severity | Definition | Response Time | Escalation | +|----------|-----------|---------------|------------| +| **Critical** | Safety impact or major production loss | Immediate | Executive team, authorities | +| **High** | Production impact but no safety concern | Within 1 hour | Management, legal | +| **Medium** | Limited impact, contained | Within 4 hours | IR team only | +| **Low** | No operational impact | Next business day | Technical team | + +#### Phase 3: Containment + +**Short-Term Containment:** +- Isolate affected network segment +- Disconnect from external networks +- Change credentials +- Block malicious IPs +- Switch to backup systems (if available) + +**Long-Term Containment:** +- Rebuild compromised systems +- Implement additional controls +- Enhanced monitoring +- Forensic analysis + +**Containment Decision Matrix:** + +For PLC Compromise: +``` +Question 1: Is safety at risk? +→ YES: Immediately switch to manual control / shutdown +→ NO: Proceed to Q2 + +Question 2: Is production at risk? +→ YES: Isolate PLC, switch to backup if available +→ NO: Proceed to Q3 + +Question 3: Can we contain without interruption? +→ YES: Isolate network segment, monitor +→ NO: Schedule emergency maintenance +``` + +#### Phase 4: Eradication + +**Steps:** +1. Identify root cause +2. Remove malware/backdoors +3. Close vulnerability +4. Patch systems +5. Validate removal +6. Restore from clean backup + +**For Compromised PLC:** +``` +1. Disconnect PLC from network +2. Clear PLC memory (factory reset if needed) +3. Update firmware to latest version +4. Restore program from verified clean backup +5. Change all passwords +6. Reconfigure IP ACLs +7. Validate against known-good configuration +8. 
Test offline before reconnecting +``` + +#### Phase 5: Recovery + +**Recovery Checklist:** +- [ ] Affected systems rebuilt/restored +- [ ] Security controls verified +- [ ] Monitoring enhanced +- [ ] Credentials rotated +- [ ] Communications to stakeholders +- [ ] Operations returned to normal +- [ ] Increased monitoring period (48-72 hours) + +#### Phase 6: Post-Incident Activities + +**Lessons Learned Meeting (within 2 weeks):** +1. Timeline review +2. What went well? +3. What could be improved? +4. Action items (assign owners and due dates) + +**Incident Report Contents:** +1. Executive summary +2. Incident timeline +3. Root cause analysis +4. Impact assessment (financial, operational, safety) +5. Response actions taken +6. Lessons learned +7. Recommendations +8. Action plan + +**Follow-Up Actions:** +- Update incident response plan +- Update detection rules +- Implement preventive controls +- Training for staff +- Share findings (anonymized) with industry + +### Reporting Requirements + +#### Internal Reporting +- Immediate: Safety/operations management +- Within 24h: Executive team +- Within 1 week: Complete incident report + +#### External Reporting + +**Regulatory (if applicable):** +- NERC CIP (electric sector): Within 1 hour for critical incidents +- TSA (pipelines/rail): Within 24 hours +- EPA (water): Within requirements +- OSHA (safety incident): Within 8 hours for fatality/hospitalization + +**Industry Sharing:** +- ICS-CERT (CISA): Voluntary but recommended +- Information Sharing and Analysis Centers (ISACs) +- Local law enforcement (if criminal) + +--- + +## 10. Compliance and Documentation + +### Documentation Requirements + +#### Security Documentation Repository + +**1. Policies and Standards** +- Information Security Policy +- Acceptable Use Policy +- Password Policy +- Change Management Policy +- Incident Response Policy +- Access Control Policy + +**2. 
Procedures** +- System Hardening Procedures +- Backup and Recovery Procedures +- Patch Management Procedures +- User Access Provisioning/Deprovisioning +- Vendor Access Procedures +- Incident Response Procedures + +**3. Technical Documentation** +- Network Architecture Diagrams +- Asset Inventory (with security controls) +- Firewall Configurations and Rule Sets +- PLC Configurations (baseline) +- System Baseline Configurations +- Data Flow Diagrams + +**4. Risk Management** +- Risk Assessment Results +- Risk Register (tracking all identified risks) +- Risk Treatment Plans +- Security Control Matrices +- Compliance Gap Analysis + +**5. Operations** +- Change Logs +- Incident Logs +- Access Logs Reviews +- Audit Reports +- Test Results (vulnerability scans, penetration tests) +- Training Records + +### Audit and Compliance + +#### Internal Audits + +**Quarterly Audit Checklist:** + +**Access Control:** +- [ ] User access reviews completed +- [ ] Privileged access reviewed +- [ ] Terminated user accounts disabled +- [ ] Password policy compliance +- [ ] MFA enabled for remote access + +**Change Management:** +- [ ] All changes documented in change log +- [ ] Changes approved before implementation +- [ ] Testing performed per requirements +- [ ] Rollback plans documented + +**Patch Management:** +- [ ] Patch inventory current +- [ ] Critical patches applied per timeline +- [ ] Patch testing documented +- [ ] Exceptions documented and approved + +**Backup/Recovery:** +- [ ] Backups performed per schedule +- [ ] Backup integrity verified +- [ ] Recovery test performed (quarterly) +- [ ] Off-site backup verified + +**Security Controls:** +- [ ] Antivirus definitions current +- [ ] Firewall rules reviewed +- [ ] IDS/IPS signatures updated +- [ ] Log collection verified +- [ ] Physical security controls verified + +**Training and Awareness:** +- [ ] Annual security training completed +- [ ] Phishing simulations performed +- [ ] Incident response training conducted +- [ ] 
New employee orientation completed + +#### External Audits + +**Preparation:** +1. Gather all required documentation +2. Review previous audit findings +3. Verify all action items completed +4. Conduct pre-audit self-assessment +5. Assign audit coordinator + +**Common Audit Frameworks:** +- IEC 62443 (ISASecure certification) +- NERC CIP (electric sector) +- NIST CSF +- ISO 27001 +- SOC 2 Type II + +**Audit Evidence Examples:** +- Screenshots of configurations +- Log excerpts +- Access control lists +- Change management tickets +- Training completion records +- Incident response logs + +### Regulatory Compliance + +#### Industry-Specific Requirements + +**Critical Manufacturing:** +- CISA guidelines +- State-specific requirements + +**Electric Sector:** +- NERC CIP (Critical Infrastructure Protection) +- FERC regulations + +**Water/Wastewater:** +- EPA regulations +- America's Water Infrastructure Act (AWIA) + +**Chemical:** +- CFATS (Chemical Facility Anti-Terrorism Standards) +- Process Safety Management (PSM) + +**Oil and Gas:** +- TSA pipeline security +- API standards + +--- + +## Appendices + +### Appendix A: Useful Commands and Scripts + +#### Network Discovery (Safe for OT) +```bash +# Passive network monitoring +tcpdump -i eth0 -w capture.pcap 'port 102' + +# Safe Nmap scan for S7 PLCs +nmap -sT -T1 --max-rate 5 -p 102 --script s7-info + +# Check specific PLC +nmap -sT -p 102,80,443 192.168.10.100 +``` + +#### Firewall Rule Examples + +**IPTables (Linux):** +```bash +# Allow S7 communication from HMI only +iptables -A FORWARD -s 192.168.10.50 -d 192.168.10.100 -p tcp --dport 102 -j ACCEPT +iptables -A FORWARD -d 192.168.10.100 -p tcp --dport 102 -j LOG --log-prefix "BLOCKED_S7: " +iptables -A FORWARD -d 192.168.10.100 -p tcp --dport 102 -j DROP + +# Block all traffic between IT and OT zones except via DMZ +iptables -A FORWARD -s 192.168.1.0/24 -d 192.168.10.0/24 -j DROP +``` + +**Cisco ASA:** +``` +! 
Allow S7 from SCADA to PLC network +access-list SCADA_TO_PLC extended permit tcp object SCADA_NETWORK object PLC_NETWORK eq 102 +access-list SCADA_TO_PLC extended deny ip any any log + +! Apply to interface +access-group SCADA_TO_PLC in interface inside +``` + +### Appendix B: Security Assessment Template + +```markdown +# Security Assessment Report + +## Executive Summary +- Assessment Date: _______________ +- Scope: _________________________ +- Overall Risk Rating: ____________ + +## Findings Summary +- Critical: ___ +- High: ___ +- Medium: ___ +- Low: ___ + +## Top 5 Risks +1. [Finding ID] [Title] - [Risk Score] +2. [Finding ID] [Title] - [Risk Score] +3. [Finding ID] [Title] - [Risk Score] +4. [Finding ID] [Title] - [Risk Score] +5. [Finding ID] [Title] - [Risk Score] + +## Detailed Findings + +### Finding 1: [Title] +- **Severity**: Critical/High/Medium/Low +- **Risk Score**: ___ +- **Affected Systems**: ___ +- **Description**: ___ +- **Impact**: ___ +- **Recommendation**: ___ +- **Priority**: ___ +- **Estimated Effort**: ___ + +[Repeat for each finding] + +## Remediation Plan +[Prioritized list of remediation actions with timeline] +``` + +### Appendix C: Emergency Contact List Template + +``` +INCIDENT RESPONSE TEAM + +Incident Commander: +Name: _______________ +Phone: _______________ +Email: _______________ + +Operations Lead: +Name: _______________ +Phone: _______________ +Email: _______________ + +Technical Lead: +Name: _______________ +Phone: _______________ +Email: _______________ + +Safety Lead: +Name: _______________ +Phone: _______________ +Email: _______________ + +EXTERNAL CONTACTS + +Siemens Support: 1-800-XXX-XXXX +Local FBI Cyber: _______________ +CISA (ICS-CERT): 888-282-0870 / ics-cert@cisa.dhs.gov +Local Law Enforcement: 911 +``` + +### Appendix D: Training Resources + +**Free Training:** +- CISA ICS Training: https://www.cisa.gov/ics-training-catalog +- SANS ICS Security: https://www.sans.org/cyber-security-courses/ics-scada-cyber-security/ 
+- Siemens Learning Portal: https://support.industry.siemens.com/tf/ww/en/ + +**Certifications:** +- GICSP (Global Industrial Cyber Security Professional) - SANS +- GRID (Response and Industrial Defense) - SANS +- Certified ICS Security Specialist - Various providers + +**Industry Organizations:** +- ICS-CERT (CISA) +- SANS ICS +- ISA (International Society of Automation) +- ISAGCA (ISA Global Cybersecurity Alliance) + +### Appendix E: Vendor Security Questionnaire + +Use this when evaluating control system vendors or integrators: + +``` +1. Do you follow IEC 62443 development lifecycle? +2. Do you have ISASecure certification for your products? +3. How do you handle vulnerability disclosure? +4. What is your patch release timeline for critical vulnerabilities? +5. Do you provide security advisories? +6. Are default passwords required to be changed? +7. Do you support encrypted communications? +8. Do you provide security hardening guides? +9. What logging and auditing capabilities exist? +10. Do you require/offer security training for your products? +``` + +--- + +## Quick Reference Card + +### Daily Security Checks (5 minutes) +1. Review critical SIEM alerts +2. Check firewall logs for violations +3. Verify backup completion + +### Weekly Security Tasks (30 minutes) +1. Review all SIEM alerts +2. Check for Siemens security advisories +3. Review access logs +4. Update asset inventory (if changes) + +### Monthly Security Tasks (2-4 hours) +1. User access review/recertification +2. Review and update firewall rules +3. Vulnerability scan (safe profile) +4. Security awareness reminder +5. Review incident log + +### Quarterly Security Tasks (1-2 days) +1. Full vulnerability assessment +2. Test backup/recovery +3. Review and update policies +4. Physical security inspection +5. Internal audit +6. Tabletop exercise + +### Annual Security Tasks (1-2 weeks) +1. Full security audit +2. Penetration testing (test environment) +3. Risk assessment update +4. 
All policies and procedures review +5. Disaster recovery test +6. Security training (all staff) +7. Contract/vendor reviews + +--- + +## Glossary + +**ACL (Access Control List)**: List of permissions attached to an object +**DMZ (Demilitarized Zone)**: Network segment that sits between internal and external networks +**ICS (Industrial Control System)**: Generic term for control systems including SCADA, DCS, PLC +**IDS (Intrusion Detection System)**: Monitors network traffic for suspicious activity +**IPS (Intrusion Prevention System)**: IDS that can also block threats +**OT (Operational Technology)**: Hardware and software controlling physical processes +**PLC (Programmable Logic Controller)**: Digital computer for automation +**SCADA (Supervisory Control and Data Acquisition)**: System for remote monitoring and control +**SIEM (Security Information and Event Management)**: Centralized logging and analysis +**SL (Security Level)**: IEC 62443 measure of protection against threats +**VPN (Virtual Private Network)**: Encrypted connection over public network + +--- + +**Document Version**: 1.0 +**Last Updated**: February 16, 2026 +**Based On**: IEC 62443, NIST SP 800-82, CISA Guidelines +**Intended Audience**: Control System Engineers, ICS Security Professionals, Plant Managers diff --git a/security-assessment-checklist.sh b/security-assessment-checklist.sh new file mode 100644 index 0000000..341b1ea --- /dev/null +++ b/security-assessment-checklist.sh 
@@ -0,0 +1,512 @@ +#!/bin/bash + +#======================================== +# Industrial Network Security Assessment Tool +# Based on IEC 62443 Standards +#======================================== + +# Colors +RED='\033[0;31m' +GREEN='\033[0;32m' +YELLOW='\033[1;33m' +BLUE='\033[0;34m' +NC='\033[0m' # No Color + +echo "" +echo "========================================" +echo "Industrial Network Security Assessment" +echo "Based on IEC 62443 Standards" +echo "========================================" +echo "" + +# Initialize counters +TOTAL_CHECKS=0 +PASSED=0 +FAILED=0 +WARNING=0 +NA=0 + +# Function to check and record result +check_item() { + local category=$1 + local question=$2 + local requirement=$3 + + echo "" + echo -e "${BLUE}[$category]${NC} $question" + echo "Requirement: $requirement" + echo "" + echo "Status:" + echo " 1) Pass (✓)" + echo " 2) Fail (✗)" + echo " 3) Warning (⚠)" + echo " 4) N/A" + read -p "Enter choice [1-4]: " choice + + TOTAL_CHECKS=$((TOTAL_CHECKS + 1)) + + case $choice in + 1) + echo -e "${GREEN}✓ PASS${NC}" + PASSED=$((PASSED + 1)) + ;; + 2) + echo -e "${RED}✗ FAIL${NC}" + FAILED=$((FAILED + 1)) + read -p "Enter finding/notes: " notes + echo "FAIL,$category,$question,$notes" >> assessment_findings.csv + ;; + 3) + echo -e "${YELLOW}⚠ WARNING${NC}" + WARNING=$((WARNING + 1)) + read -p "Enter finding/notes: " notes + echo "WARNING,$category,$question,$notes" >> assessment_findings.csv + ;; + 4) + echo "N/A" + NA=$((NA + 1)) + ;; + *) + echo "Invalid choice, marking as FAIL" + FAILED=$((FAILED + 1)) + ;; + esac +} + +# Initialize findings file +echo "Severity,Category,Item,Notes" > assessment_findings.csv + +echo "" +echo "========================================" +echo "SECTION 1: ASSET INVENTORY" +echo "========================================" + +check_item "Asset Inventory" \ + "Are all PLCs documented with model, firmware version, and location?" 
\ + "Complete inventory of all control system components per IEC 62443-2-1" + +check_item "Asset Inventory" \ + "Is network topology documented with current diagrams?" \ + "Network architecture diagrams showing all zones and conduits" + +check_item "Asset Inventory" \ + "Are all communication paths documented?" \ + "Data flow diagrams showing all network connections" + +check_item "Asset Inventory" \ + "Are software versions documented for all SCADA/HMI systems?" \ + "Complete software inventory with versions" + +echo "" +echo "========================================" +echo "SECTION 2: ACCESS CONTROL" +echo "========================================" + +check_item "Access Control" \ + "Do all PLCs have password protection enabled?" \ + "IEC 62443-3-3 SR 1.1: Password protection on all devices" + +check_item "Access Control" \ + "Are passwords at least 8 characters with complexity requirements?" \ + "IEC 62443-3-3 SR 1.5: Strong password policy" + +check_item "Access Control" \ + "Are IP Access Control Lists configured on PLCs?" \ + "IEC 62443-3-3 SR 1.13: Access control based on IP address" + +check_item "Access Control" \ + "Is multi-factor authentication (MFA) used for remote access?" \ + "IEC 62443-3-3 SR 1.2: Multi-factor authentication for remote access" + +check_item "Access Control" \ + "Are user accounts reviewed quarterly?" \ + "IEC 62443-2-1: Regular access reviews and recertification" + +check_item "Access Control" \ + "Are default passwords changed on all devices?" \ + "IEC 62443-4-2 CR 1.1: No default credentials" + +check_item "Access Control" \ + "Is role-based access control (RBAC) implemented?" \ + "IEC 62443-3-3 SR 1.3: Least privilege principle" + +echo "" +echo "========================================" +echo "SECTION 3: NETWORK SEGMENTATION" +echo "========================================" + +check_item "Network Segmentation" \ + "Are control networks physically or logically separated from corporate networks?" 
\ + "IEC 62443-3-2: Zones and conduits architecture" + +check_item "Network Segmentation" \ + "Are firewalls deployed between security zones?" \ + "IEC 62443-3-3 SR 3.1: Network segmentation with firewalls" + +check_item "Network Segmentation" \ + "Are firewall rules based on whitelist (deny by default)?" \ + "IEC 62443-3-3 SR 3.1: Default deny policy" + +check_item "Network Segmentation" \ + "Is a DMZ implemented between IT and OT networks?" \ + "Defense-in-depth: DMZ for data exchange" + +check_item "Network Segmentation" \ + "Are VLANs used for logical network separation?" \ + "IEC 62443-3-3 SR 3.1: Network segregation" + +check_item "Network Segmentation" \ + "Are critical safety systems air-gapped or on separate network?" \ + "IEC 62443-3-3 SR 3.1: Critical system isolation" + +echo "" +echo "========================================" +echo "SECTION 4: PLC SECURITY CONFIGURATION" +echo "========================================" + +check_item "PLC Security" \ + "Are unused PLC services disabled (web server, FTP, SNMP)?" \ + "IEC 62443-3-3 SR 7.6: Minimize attack surface" + +check_item "PLC Security" \ + "Is PLC firmware up to date?" \ + "IEC 62443-4-1 SR 1.1: Security updates applied" + +check_item "PLC Security" \ + "Are PLC configuration changes logged?" \ + "IEC 62443-3-3 SR 2.9: Audit logging" + +check_item "PLC Security" \ + "Are PLCs configured to only accept connections from authorized IPs?" \ + "IEC 62443-4-2 CR 1.13: Source address validation" + +check_item "PLC Security" \ + "Is PLC front panel physically secured (S7-1500)?" \ + "IEC 62443-3-3 SR 1.11: Physical access control" + +check_item "PLC Security" \ + "Are PLC communication processors (CPs) using firewalls/VPN?" 
\ + "IEC 62443-3-3 SR 4.1: Encrypted communications" + +echo "" +echo "========================================" +echo "SECTION 5: SYSTEM HARDENING" +echo "========================================" + +check_item "System Hardening" \ + "Are operating systems hardened per vendor guidance?" \ + "IEC 62443-4-2 CR 7.6: Operating system hardening" + +check_item "System Hardening" \ + "Is antivirus/endpoint protection deployed on HMI/SCADA systems?" \ + "IEC 62443-3-3 SR 3.2: Malware protection" + +check_item "System Hardening" \ + "Is application whitelisting implemented?" \ + "NIST SP 800-82: Application control" + +check_item "System Hardening" \ + "Are USB ports disabled or controlled on operator stations?" \ + "IEC 62443-3-3 SR 3.2: Removable media control" + +check_item "System Hardening" \ + "Are security patches applied in timely manner?" \ + "IEC 62443-2-1: Patch management process" + +check_item "System Hardening" \ + "Are unnecessary Windows services disabled?" \ + "Defense-in-depth: Minimize attack surface" + +echo "" +echo "========================================" +echo "SECTION 6: MONITORING AND LOGGING" +echo "========================================" + +check_item "Monitoring" \ + "Is network traffic monitored with IDS/IPS?" \ + "IEC 62443-3-3 SR 6.1: Network monitoring" + +check_item "Monitoring" \ + "Are logs centrally collected (SIEM)?" \ + "IEC 62443-3-3 SR 2.8: Centralized logging" + +check_item "Monitoring" \ + "Are critical events alerting in real-time?" \ + "IEC 62443-3-3 SR 2.9: Security event alerting" + +check_item "Monitoring" \ + "Are logs retained for at least 90 days?" \ + "IEC 62443-2-1: Audit log retention" + +check_item "Monitoring" \ + "Are logs reviewed regularly?" \ + "IEC 62443-2-1: Log review procedures" + +check_item "Monitoring" \ + "Is network baseline established and anomalies detected?" 
\ + "IEC 62443-4-2 CR 3.3: Anomaly detection" + +echo "" +echo "========================================" +echo "SECTION 7: REMOTE ACCESS" +echo "========================================" + +check_item "Remote Access" \ + "Is VPN required for all remote access?" \ + "IEC 62443-3-3 SR 4.1: Encrypted remote access" + +check_item "Remote Access" \ + "Is MFA required for VPN access?" \ + "IEC 62443-3-3 SR 1.2: Multi-factor authentication" + +check_item "Remote Access" \ + "Are vendor remote access sessions monitored and time-limited?" \ + "CISA: Vendor remote access controls" + +check_item "Remote Access" \ + "Is remote access logged and reviewed?" \ + "IEC 62443-3-3 SR 2.9: Remote access auditing" + +check_item "Remote Access" \ + "Are jump servers/bastion hosts used for remote access?" \ + "Defense-in-depth: Controlled access points" + +echo "" +echo "========================================" +echo "SECTION 8: PHYSICAL SECURITY" +echo "========================================" + +check_item "Physical Security" \ + "Are control rooms and server rooms physically secured?" \ + "IEC 62443-3-3 SR 1.11: Physical access control" + +check_item "Physical Security" \ + "Is access to control rooms logged (badge system)?" \ + "IEC 62443-3-3 SR 1.11: Physical access auditing" + +check_item "Physical Security" \ + "Are network cabinets locked?" \ + "IEC 62443-3-3 SR 1.11: Equipment physical protection" + +check_item "Physical Security" \ + "Is CCTV monitoring implemented for critical areas?" \ + "Defense-in-depth: Video surveillance" + +check_item "Physical Security" \ + "Are visitor access procedures documented and followed?" \ + "IEC 62443-2-1: Visitor management" + +echo "" +echo "========================================" +echo "SECTION 9: BACKUP AND RECOVERY" +echo "========================================" + +check_item "Backup/Recovery" \ + "Are PLC programs backed up after every change?" 
\ + "IEC 62443-2-1: Configuration management" + +check_item "Backup/Recovery" \ + "Are backups stored offline or off-site?" \ + "Defense-in-depth: 3-2-1 backup rule" + +check_item "Backup/Recovery" \ + "Are backup integrity checks performed?" \ + "IEC 62443-3-3 SR 7.3: Backup verification" + +check_item "Backup/Recovery" \ + "Is recovery tested at least quarterly?" \ + "IEC 62443-2-1: Disaster recovery testing" + +check_item "Backup/Recovery" \ + "Are Recovery Time Objectives (RTO) documented?" \ + "Business continuity planning" + +echo "" +echo "========================================" +echo "SECTION 10: INCIDENT RESPONSE" +echo "========================================" + +check_item "Incident Response" \ + "Is an incident response plan documented?" \ + "IEC 62443-2-1: Incident management" + +check_item "Incident Response" \ + "Is incident response team identified with roles assigned?" \ + "IEC 62443-2-1: IR team structure" + +check_item "Incident Response" \ + "Are incident response procedures tested annually?" \ + "IEC 62443-2-1: Tabletop exercises" + +check_item "Incident Response" \ + "Are incidents documented and lessons learned captured?" \ + "IEC 62443-2-1: Continuous improvement" + +check_item "Incident Response" \ + "Is there a communication plan for incidents?" \ + "IEC 62443-2-1: Stakeholder communication" + +echo "" +echo "========================================" +echo "SECTION 11: POLICIES AND PROCEDURES" +echo "========================================" + +check_item "Policies" \ + "Is a cybersecurity policy documented and approved?" \ + "IEC 62443-2-1: Cybersecurity policy" + +check_item "Policies" \ + "Are change management procedures documented and followed?" \ + "IEC 62443-2-1: Change control" + +check_item "Policies" \ + "Is patch management process documented?" \ + "IEC 62443-2-1: Security update management" + +check_item "Policies" \ + "Are security roles and responsibilities documented?" 
\ + "IEC 62443-2-1: Governance structure" + +check_item "Policies" \ + "Is security awareness training conducted annually?" \ + "IEC 62443-2-1: Personnel security awareness" + +echo "" +echo "========================================" +echo "SECTION 12: RISK MANAGEMENT" +echo "========================================" + +check_item "Risk Management" \ + "Has a security risk assessment been conducted?" \ + "IEC 62443-3-2: Security risk assessment" + +check_item "Risk Management" \ + "Are risk assessment results documented?" \ + "IEC 62443-3-2: Risk documentation" + +check_item "Risk Management" \ + "Are target security levels (SL-T) defined for each zone?" \ + "IEC 62443-3-2: Security level targets" + +check_item "Risk Management" \ + "Is risk assessment updated annually or after major changes?" \ + "IEC 62443-2-1: Risk assessment review" + +check_item "Risk Management" \ + "Are residual risks accepted by management?" \ + "IEC 62443-2-1: Risk acceptance" + +#======================================== +# Generate Report +#======================================== + +echo "" +echo "========================================" +echo "ASSESSMENT COMPLETE" +echo "========================================" +echo "" + +# Calculate percentages +COMPLIANCE_ITEMS=$((TOTAL_CHECKS - NA)) +if [ $COMPLIANCE_ITEMS -gt 0 ]; then + COMPLIANCE_PCT=$((PASSED * 100 / COMPLIANCE_ITEMS)) +else + COMPLIANCE_PCT=0 +fi + +echo "Assessment Summary:" +echo "-------------------" +echo "Total Checks: $TOTAL_CHECKS" +echo "Passed: $PASSED" +echo "Failed: $FAILED" +echo "Warnings: $WARNING" +echo "Not Applicable: $NA" +echo "" +echo "Compliance Rate: $COMPLIANCE_PCT% (excluding N/A)" +echo "" + +# Risk Rating +if [ $COMPLIANCE_PCT -ge 90 ]; then + RISK_LEVEL="${GREEN}LOW RISK${NC}" +elif [ $COMPLIANCE_PCT -ge 70 ]; then + RISK_LEVEL="${YELLOW}MEDIUM RISK${NC}" +elif [ $COMPLIANCE_PCT -ge 50 ]; then + RISK_LEVEL="${YELLOW}HIGH RISK${NC}" +else + RISK_LEVEL="${RED}CRITICAL RISK${NC}" +fi + +echo -e 
"Overall Risk Level: $RISK_LEVEL" +echo "" + +# Save summary to file +cat > assessment_summary.txt <> assessment_summary.txt +fi + +if [ $WARNING -gt 0 ]; then + echo "2. Review and remediate WARNING items (High Priority)" >> assessment_summary.txt +fi + +if [ $COMPLIANCE_PCT -lt 90 ]; then + echo "3. Develop remediation plan to achieve 90%+ compliance" >> assessment_summary.txt +fi + +echo "4. Schedule next assessment in 6 months" >> assessment_summary.txt +echo "" >> assessment_summary.txt + +echo "Files Generated:" +echo "----------------" +echo "1. assessment_findings.csv - Detailed findings list" +echo "2. assessment_summary.txt - Summary report" +echo "" + +# Show top findings +if [ -f assessment_findings.csv ]; then + echo "Top Findings:" + echo "-------------" + grep "^FAIL" assessment_findings.csv | head -5 + echo "" + grep "^WARNING" assessment_findings.csv | head -3 + echo "" +fi + +echo "========================================" +echo "Next Steps:" +echo "========================================" +echo "1. Review findings in assessment_findings.csv" +echo "2. Prioritize remediation actions" +echo "3. Create remediation plan with timeline" +echo "4. Assign owners to each finding" +echo "5. Track progress and re-assess" +echo "" +echo "For detailed guidance, see:" +echo " - industrial-network-security-guide.md" +echo " - IEC 62443 standards documentation" +echo "" diff --git a/security-implementation-roadmap.md b/security-implementation-roadmap.md new file mode 100644 index 0000000..a8b4cf7 --- /dev/null +++ b/security-implementation-roadmap.md 
@@ -0,0 +1,722 @@ +# Industrial Network Security Implementation Roadmap +## 90-Day Quick Start Guide + +This document provides a practical, step-by-step roadmap for implementing industrial network security in 90 days. + +--- + +## Overview + +This roadmap is designed for organizations that need to implement basic industrial cybersecurity quickly while working toward full IEC 62443 compliance. + +**Timeline**: 90 days (can be adjusted based on resources) +**Goal**: Achieve 70-80% compliance with critical security controls +**Based On**: IEC 62443, NIST SP 800-82, CISA Guidelines + +--- + +## Week 1-2: Quick Assessment + +### Day 1-3: Inventory and Discovery +``` +✓ List all PLCs (model, IP, firmware, location) +✓ Create basic network diagram +✓ Document who has access (local and remote) +✓ List all HMI/SCADA systems +✓ Identify critical production systems +``` + +**Deliverable**: Asset inventory spreadsheet + network diagram + +### Day 4-7: Quick Risk Assessment +``` +✓ Identify top 5 critical assets +✓ Rate each asset: Impact (1-5), Likelihood (1-5) +✓ Calculate risk scores +✓ Prioritize based on risk score +``` + +**Risk Matrix Template:** +| Asset | Impact | Likelihood | Risk Score | Priority | +|-------|--------|-----------|-----------|----------| +| PLC-REACTOR-01 | 5 (Safety) | 4 | 20 | P1 | +| HMI-CONTROL-01 | 4 | 3 | 12 | P2 | + +### Day 8-10: Gap Analysis +``` +✓ Check current security controls +✓ Compare against critical requirements +✓ Create quick-win list (no downtime needed) +``` + +**Critical Requirements Checklist:** +- [ ] PLC password protection +- [ ] IP access control +- [ ] Firewall between IT/OT +- [ ] Remote access controls +- [ ] Backup procedures +- [ ] Logging enabled + +--- + +## Week 3-4: Quick Wins (No Downtime) + +### Tasks That Can Be Done Immediately + +#### 1. Enable PLC Password Protection +``` +Time: 15 minutes per PLC +Risk: None +Impact: HIGH + +Steps: +1. Open TIA Portal +2. PLC Properties → Protection +3. 
Set "Read/Write Protection" +4. Create strong password (min 8 chars) +5. Document in password vault +6. Download to PLC +``` + +**Password Requirements:** +- Minimum 8 characters +- Mix of uppercase, lowercase, numbers +- Store in secure password manager +- Change every 90 days + +#### 2. Configure IP Access Control Lists +``` +Time: 10 minutes per PLC +Risk: None (tested before applying) +Impact: HIGH + +Steps: +1. List authorized IPs (HMI, Engineering station) +2. PLC Properties → Connection mechanisms +3. Enable "Permit access only for..." +4. Add authorized IPs +5. Test from authorized station +6. Download to PLC +``` + +**Example ACL:** +``` +Allowed IPs: +- 192.168.10.50 (Engineering Station) +- 192.168.10.60 (HMI-01) +- 192.168.10.70 (SCADA Server) +``` + +#### 3. Disable Unused PLC Services +``` +Time: 5 minutes per PLC +Risk: Low (test first) +Impact: MEDIUM + +Disable if not needed: +- [ ] Web Server (HTTP/HTTPS) +- [ ] FTP Server +- [ ] SNMP +- [ ] Modbus TCP +``` + +#### 4. Change Default Passwords +``` +Time: Varies +Risk: None +Impact: HIGH + +Change passwords on: +- [ ] HMI systems +- [ ] SCADA servers +- [ ] Network switches +- [ ] Firewalls +- [ ] Routers +``` + +#### 5. Enable Logging +``` +Time: 30 minutes +Risk: None +Impact: MEDIUM + +Enable logs on: +- [ ] PLCs (if supported) +- [ ] Firewalls +- [ ] Switches +- [ ] HMI/SCADA systems +- [ ] Engineering stations +``` + +#### 6. 
Create Baseline Backups +``` +Time: 1 hour +Risk: None +Impact: HIGH + +Backup: +- [ ] All PLC programs +- [ ] HMI projects +- [ ] SCADA configurations +- [ ] Network device configs +- Store in 3 locations (network, external drive, off-site) +``` + +**End of Week 4 Status Check:** +- [ ] All PLCs have passwords +- [ ] IP ACLs configured +- [ ] Unused services disabled +- [ ] Default passwords changed +- [ ] Logging enabled +- [ ] Backups created + +**Expected Compliance: ~40%** + +--- + +## Week 5-6: Basic Network Security + +### Task 1: Install Firewall Between IT and OT +``` +Time: 2-4 hours (includes planning) +Risk: Medium (requires downtime) +Impact: CRITICAL + +Steps: +1. Purchase industrial firewall (or use existing) +2. Design firewall rules (whitelist only) +3. Schedule maintenance window +4. Install firewall +5. Configure and test rules +6. Document configuration +``` + +**Basic Firewall Rules:** +``` +ALLOW: +- SCADA → PLCs (port 102, S7 protocol) +- HMI → PLCs (port 102) +- Engineering Station → PLCs (port 102) +- Historian → PLCs (read-only) + +DENY: +- All other traffic +``` + +### Task 2: Segment Network with VLANs +``` +Time: 4-8 hours +Risk: Medium (test thoroughly) +Impact: HIGH + +VLAN Structure: +- VLAN 10: Control Network (PLCs) +- VLAN 20: Supervisory (SCADA/HMI) +- VLAN 30: Engineering +- VLAN 40: DMZ (Historian) +``` + +### Task 3: Secure Remote Access +``` +Time: 4 hours +Risk: Low +Impact: HIGH + +Implementation: +1. Set up VPN server +2. Configure VPN client access +3. Require strong authentication +4. Implement VPN logging +5. 
Document procedures +``` + +**Remote Access Requirements:** +- VPN required for all external access +- Strong passwords (12+ characters) +- MFA if possible +- Session timeout: 4 hours +- All sessions logged + +**End of Week 6 Status Check:** +- [ ] Firewall installed and configured +- [ ] VLANs implemented +- [ ] VPN for remote access +- [ ] Firewall rules documented + +**Expected Compliance: ~55%** + +--- + +## Week 7-8: System Hardening + +### Task 1: Harden Windows Systems +``` +Time: 2 hours per system +Risk: Low +Impact: MEDIUM + +Apply to: HMI, SCADA, Engineering Stations + +Hardening Steps: +1. Install latest Windows updates +2. Enable Windows Firewall +3. Disable unnecessary services +4. Remove unused software +5. Configure User Account Control (UAC) +6. Enable BitLocker encryption (if available) +``` + +**Windows Hardening Checklist:** +- [ ] Windows Firewall: Enabled +- [ ] Windows Update: Enabled (with control) +- [ ] SMBv1: Disabled +- [ ] RDP: Disabled (unless needed) +- [ ] Guest account: Disabled +- [ ] Autorun: Disabled +- [ ] Screen lock: 15 minutes + +### Task 2: Deploy Antivirus +``` +Time: 1 hour per system +Risk: Medium (test for false positives) +Impact: MEDIUM + +Steps: +1. Choose industrial-friendly AV +2. Test in non-production first +3. Configure exclusions for control apps +4. Deploy to all Windows systems +5. Enable centralized management +``` + +**Important**: Some AV can interfere with real-time control systems. Test thoroughly! 
+ +### Task 3: USB Device Control +``` +Time: 2 hours total +Risk: Low +Impact: MEDIUM + +Options: +A) Group Policy: Disable USB storage +B) Third-party tool: Whitelist approved USB devices +C) Physical: USB port locks +``` + +**End of Week 8 Status Check:** +- [ ] All Windows systems hardened +- [ ] Antivirus deployed +- [ ] USB controls implemented + +**Expected Compliance: ~65%** + +--- + +## Week 9-10: Monitoring and Documentation + +### Task 1: Set Up Basic Monitoring +``` +Time: 8 hours +Risk: Low +Impact: HIGH + +Implement: +1. Centralized log collection (syslog server) +2. Basic SIEM or log analysis tool +3. Critical alerts (email/SMS) +``` + +**Minimum Alerts:** +- PLC program download +- PLC mode change (RUN/STOP) +- Failed login attempts (5 within 1 hour) +- Firewall rule violations +- Antivirus detections + +### Task 2: Document Everything +``` +Time: 4-8 hours +Risk: None +Impact: MEDIUM + +Create documentation: +1. Network architecture diagram (updated) +2. Asset inventory (complete) +3. Security configuration baselines +4. Access control matrix (who has access to what) +5. Incident response procedures (basic) +6. Backup and recovery procedures +``` + +**Document Templates in Appendix** + +**End of Week 10 Status Check:** +- [ ] Log collection working +- [ ] Critical alerts configured +- [ ] Documentation complete + +**Expected Compliance: ~70%** + +--- + +## Week 11-12: Policies and Training + +### Task 1: Create Security Policies +``` +Time: 8-16 hours +Risk: None +Impact: MEDIUM + +Minimum required policies: +1. Cybersecurity Policy (overall) +2. Access Control Policy +3. Password Policy +4. Remote Access Policy +5. Change Management Policy +6. Incident Response Policy +``` + +**Policy Template Structure:** +``` +1. Purpose +2. Scope +3. Responsibilities +4. Requirements +5. Procedures +6. Exceptions +7. Enforcement +``` + +### Task 2: Conduct Security Awareness Training +``` +Time: 2-4 hours +Risk: None +Impact: HIGH + +Training topics: +1. 
Why security matters in OT +2. Password security +3. Phishing awareness +4. Physical security +5. Incident reporting +6. USB and removable media risks +``` + +### Task 3: Create Incident Response Plan +``` +Time: 4-8 hours +Risk: None +Impact: HIGH + +Plan components: +1. IR team contact list +2. Incident classification +3. Response procedures +4. Communication plan +5. Escalation matrix +``` + +**End of Week 12 Status Check:** +- [ ] Security policies documented +- [ ] Staff training completed +- [ ] Incident response plan ready + +**Expected Compliance: ~75%** + +--- + +## Post-90 Days: Continuous Improvement + +### Immediate Next Steps (Days 91-180) + +#### 1. Advanced Monitoring +- Deploy IDS/IPS for OT networks +- Implement behavior-based anomaly detection +- Set up SIEM with custom use cases + +#### 2. Advanced Access Control +- Implement multi-factor authentication +- Deploy privileged access management +- Set up jump servers for remote access + +#### 3. Compliance and Audit +- Conduct formal security assessment +- Address remaining gaps +- Prepare for external audit + +#### 4. 
Advanced Network Security +- Implement data diodes for one-way communication +- Deploy industrial firewalls at zone boundaries +- Consider zero-trust architecture + +### Long-Term Roadmap (6-12 months) + +**Month 6:** +- Full IEC 62443 gap assessment +- Penetration testing (test environment) +- Update all documentation + +**Month 9:** +- Achieve 90% compliance +- ISASecure certification preparation +- Advanced threat hunting capabilities + +**Month 12:** +- External security audit +- Full IEC 62443 compliance +- Mature security operations center (SOC) + +--- + +## Budget Estimates + +### Minimal Budget ($5K-$15K) +- Basic firewall: $2K-$5K +- VPN server/licenses: $1K-$3K +- Syslog server (can be free) +- Training (internal) +- Documentation (internal time) + +### Recommended Budget ($25K-$50K) +- Industrial firewall: $10K-$20K +- SIEM/Log management: $5K-$10K +- Managed switch with VLANs: $3K-$5K +- Antivirus licenses: $2K-$5K +- Training (external): $3K-$5K +- Consulting support: $2K-$5K + +### Full Implementation ($100K+) +- Industrial firewalls (multiple): $30K-$50K +- IDS/IPS for OT: $20K-$40K +- SIEM platform: $20K-$40K +- Network upgrades: $10K-$20K +- Professional services: $20K-$50K +- Training and certification: $5K-$10K + +--- + +## Success Metrics + +### Week-by-Week Targets + +| Week | Target | Compliance % | +|------|--------|--------------| +| 2 | Assessment complete | 0% | +| 4 | Quick wins done | 40% | +| 6 | Network security | 55% | +| 8 | System hardening | 65% | +| 10 | Monitoring active | 70% | +| 12 | Policies and training | 75% | + +### Key Performance Indicators (KPIs) + +**Security Posture:** +- % of PLCs with password protection +- % of PLCs with IP ACLs +- Number of security zones +- Firewall rule compliance + +**Operational:** +- Mean time to detect (MTTD) incidents +- Mean time to respond (MTTR) incidents +- % of systems with current patches +- Backup success rate + +**Compliance:** +- % of IEC 62443 requirements met +- Number of open 
findings +- Time to remediate findings +- Training completion rate + +--- + +## Common Pitfalls to Avoid + +### 1. Not Testing in Lab First +**Problem**: Changes break production +**Solution**: Always test in non-production environment + +### 2. Inadequate Communication +**Problem**: Operations surprised by changes +**Solution**: Involve ops team from day 1 + +### 3. Weak Passwords +**Problem**: Easy to guess or crack +**Solution**: Enforce 8+ chars, complexity, password manager + +### 4. No Backup Before Changes +**Problem**: Can't rollback if needed +**Solution**: Backup everything before changes + +### 5. Overly Complex Rules +**Problem**: Firewall rules break production +**Solution**: Start simple, iterate + +### 6. Ignoring Legacy Systems +**Problem**: Old PLCs can't be secured +**Solution**: Extra network controls around legacy + +### 7. Documentation Neglect +**Problem**: Changes not documented +**Solution**: Make documentation part of change process + +### 8. Set and Forget +**Problem**: Security degrades over time +**Solution**: Regular reviews and updates + +--- + +## Resource Requirements + +### Personnel + +**Week 1-4 (Quick Wins):** +- Control engineer: 40 hours +- IT security: 20 hours +- Management: 5 hours + +**Week 5-8 (Network Security):** +- Network engineer: 40 hours +- Control engineer: 20 hours +- IT security: 30 hours + +**Week 9-12 (Monitoring & Policies):** +- IT security: 40 hours +- Control engineer: 20 hours +- HR/Training: 10 hours +- Management: 10 hours + +### Tools and Software + +**Essential (Free/Low Cost):** +- [ ] TIA Portal (for PLC configuration) +- [ ] Network mapping tool (e.g., Nmap) +- [ ] Syslog server (e.g., syslog-ng) +- [ ] Password manager +- [ ] Documentation tool (e.g., Markdown) + +**Recommended (Paid):** +- [ ] Industrial firewall +- [ ] VPN server +- [ ] SIEM platform +- [ ] Antivirus for OT +- [ ] Network monitoring tool + +--- + +## Appendices + +### Appendix A: Critical Controls Quick Reference + +**Top 10 
Critical Controls (Do These First):** + +1. **Enable PLC passwords** - Prevents unauthorized access +2. **Configure IP ACLs** - Limits who can connect +3. **Install firewall** - Separates IT from OT +4. **Change default passwords** - Eliminates easy targets +5. **Create backups** - Enables recovery +6. **Enable logging** - Provides visibility +7. **Disable unused services** - Reduces attack surface +8. **Implement VPN** - Secures remote access +9. **Deploy antivirus** - Protects Windows systems +10. **Train staff** - Human firewall + +### Appendix B: Weekly Checklist Template + +```markdown +## Weekly Security Checklist + +Date: __________ +Completed by: __________ + +### Access Control +- [ ] No new unauthorized users found +- [ ] All remote access via VPN +- [ ] No password violations detected + +### Monitoring +- [ ] Reviewed critical alerts +- [ ] Checked firewall logs +- [ ] Verified backup completion + +### System Health +- [ ] No unauthorized changes detected +- [ ] Antivirus definitions current +- [ ] System performance normal + +### Physical Security +- [ ] Control room access log reviewed +- [ ] No unauthorized access detected +- [ ] Equipment cabinets secured + +Notes: +__________________________________________ +``` + +### Appendix C: Emergency Contact Card + +``` +┌─────────────────────────────────────┐ +│ CYBERSECURITY INCIDENT │ +│ EMERGENCY CONTACT CARD │ +├─────────────────────────────────────┤ +│ INCIDENT COMMANDER: │ +│ Name: ____________________________ │ +│ Phone: ___________________________ │ +│ │ +│ TECHNICAL LEAD: │ +│ Name: ____________________________ │ +│ Phone: ___________________________ │ +│ │ +│ OPERATIONS: │ +│ Name: ____________________________ │ +│ Phone: ___________________________ │ +│ │ +│ VENDOR SUPPORT: │ +│ Siemens: 1-800-________ │ +│ Firewall: ____________________ │ +│ │ +│ EXTERNAL: │ +│ ICS-CERT: 888-282-0870 │ +│ FBI Cyber: ___________________ │ +└─────────────────────────────────────┘ +``` + +### Appendix D: Pre-Change 
Checklist + +Before making any security changes: + +``` +CHANGE: _________________________________ +DATE: ___________________________________ + +PRE-CHANGE: +[ ] Change documented and approved +[ ] Tested in lab/non-production +[ ] Backup created and verified +[ ] Operations notified +[ ] Maintenance window scheduled +[ ] Rollback plan ready +[ ] On-call support arranged + +DURING CHANGE: +[ ] Follow documented procedure +[ ] Document any deviations +[ ] Test functionality after each step + +POST-CHANGE: +[ ] Verify system functionality +[ ] Update documentation +[ ] Monitor for 24 hours +[ ] Close change ticket + +Sign-off: +Engineer: __________ Date: __________ +Approver: __________ Date: __________ +``` + +--- + +**Document Version**: 1.0 +**Last Updated**: February 16, 2026 +**For Use With**: industrial-network-security-guide.md
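Review bot: The password requirements in this hunk contradict each other: the Week 6 "Remote Access Requirements" block requires "Strong passwords (12+ characters)", while "Common Pitfalls" item 3 ("Weak Passwords") recommends "Enforce 8+ chars, complexity, password manager". Align both to a single minimum, e.g. change the pitfall line to "Enforce 12+ chars, complexity, password manager", so the Password Policy listed under Week 11-12 has one number to reference.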