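#!/bin/bash
#========================================
# Industrial Network Security Assessment Tool
# Based on IEC 62443 Standards
#
# Interactive checklist. Every item is answered on stdin with a choice 1-4
# (Pass / Fail / Warning / N/A) and tallied. FAIL and WARNING items are
# appended, together with the assessor's free-text notes, to
# assessment_findings.csv; a plain-text summary is written to
# assessment_summary.txt. Both files go to the current working directory.
#========================================

set -euo pipefail

# Colors (terminal output only - never written to the report files)
readonly RED='\033[0;31m'
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly BLUE='\033[0;34m'
readonly NC='\033[0m' # No Color

# Output files (relative to the current working directory, as before)
readonly FINDINGS_FILE=assessment_findings.csv
readonly SUMMARY_FILE=assessment_summary.txt

# Counters, updated by check_item and read by generate_report
TOTAL_CHECKS=0
PASSED=0
FAILED=0
WARNING=0
NA=0

#######################################
# Print a section banner.
# Arguments: $1 - banner title
# Outputs:   banner to stdout
#######################################
section() {
  printf '\n========================================\n%s\n========================================\n' "$1"
}

#######################################
# Quote one value as a CSV field.
# Notes are free text typed by the assessor, so they may contain commas,
# quotes or newlines that would otherwise break the column layout. Fields
# are wrapped in double quotes with embedded quotes doubled (RFC 4180). A
# field beginning with = + - @ is prefixed with an apostrophe so that a
# spreadsheet opening the CSV shows it as text instead of evaluating it as
# a formula.
# Arguments: $1 - raw field value
# Outputs:   quoted field to stdout (no trailing newline)
#######################################
csv_field() {
  local value=$1
  case "$value" in
    [=+@-]*) value="'${value}" ;;
  esac
  value=${value//\"/\"\"}
  printf '"%s"' "$value"
}

#######################################
# Append one finding to the findings CSV.
# Globals:   FINDINGS_FILE (read)
# Arguments: $1 - severity (FAIL or WARNING)
#            $2 - category
#            $3 - checklist item text
#            $4 - assessor notes
#######################################
record_finding() {
  local severity=$1 category=$2 item=$3 notes=$4
  printf '%s,%s,%s,%s\n' \
    "$severity" \
    "$(csv_field "$category")" \
    "$(csv_field "$item")" \
    "$(csv_field "$notes")" >> "$FINDINGS_FILE"
}

#######################################
# Ask one checklist question and record the answer.
# Globals:   TOTAL_CHECKS, PASSED, FAILED, WARNING, NA (written)
# Arguments: $1 - category label
#            $2 - question shown to the assessor
#            $3 - requirement / standard reference
# Outputs:   prompt and result to stdout; FAIL/WARNING rows to the CSV
#######################################
check_item() {
  local category=$1
  local question=$2
  local requirement=$3
  local choice notes

  printf '\n'
  printf '%b[%s]%b %s\n' "$BLUE" "$category" "$NC" "$question"
  printf 'Requirement: %s\n\n' "$requirement"
  printf 'Status:\n'
  printf '  1) Pass (✓)\n'
  printf '  2) Fail (✗)\n'
  printf '  3) Warning (⚠)\n'
  printf '  4) N/A\n'
  # -r keeps backslashes in the answer. EOF on stdin (a scripted run that ends
  # early) leaves choice empty and takes the invalid-choice branch instead of
  # aborting the whole run under set -e.
  read -r -p "Enter choice [1-4]: " choice || choice=""
  TOTAL_CHECKS=$((TOTAL_CHECKS + 1))

  case "$choice" in
    1)
      printf '%b✓ PASS%b\n' "$GREEN" "$NC"
      PASSED=$((PASSED + 1))
      ;;
    2)
      printf '%b✗ FAIL%b\n' "$RED" "$NC"
      FAILED=$((FAILED + 1))
      read -r -p "Enter finding/notes: " notes || notes=""
      record_finding FAIL "$category" "$question" "$notes"
      ;;
    3)
      printf '%b⚠ WARNING%b\n' "$YELLOW" "$NC"
      WARNING=$((WARNING + 1))
      read -r -p "Enter finding/notes: " notes || notes=""
      record_finding WARNING "$category" "$question" "$notes"
      ;;
    4)
      printf 'N/A\n'
      NA=$((NA + 1))
      ;;
    *)
      printf 'Invalid choice, marking as FAIL\n'
      FAILED=$((FAILED + 1))
      # Record the row so the CSV agrees with the FAILED counter.
      record_finding FAIL "$category" "$question" "Invalid choice entered: ${choice}"
      ;;
  esac
}

#######################################
# Compute the compliance rate, print the on-screen summary, write the
# summary file and show the top findings.
# Globals:   TOTAL_CHECKS, PASSED, FAILED, WARNING, NA, FINDINGS_FILE,
#            SUMMARY_FILE (read)
# Outputs:   summary to stdout and to SUMMARY_FILE
#######################################
generate_report() {
  local compliance_items compliance_pct risk_level risk_color

  section "ASSESSMENT COMPLETE"
  printf '\n'

  # The rate excludes N/A items; guard the division when everything was N/A.
  compliance_items=$((TOTAL_CHECKS - NA))
  if (( compliance_items > 0 )); then
    compliance_pct=$((PASSED * 100 / compliance_items))
  else
    compliance_pct=0
  fi

  # Keep the risk label plain text; the colour is applied only on the
  # terminal so the summary file does not receive ANSI escape codes.
  if (( compliance_pct >= 90 )); then
    risk_level="LOW RISK"
    risk_color=$GREEN
  elif (( compliance_pct >= 70 )); then
    risk_level="MEDIUM RISK"
    risk_color=$YELLOW
  elif (( compliance_pct >= 50 )); then
    risk_level="HIGH RISK"
    risk_color=$YELLOW
  else
    risk_level="CRITICAL RISK"
    risk_color=$RED
  fi

  printf 'Assessment Summary:\n'
  printf -- '-------------------\n'
  printf 'Total Checks: %s\n' "$TOTAL_CHECKS"
  printf 'Passed: %s\n' "$PASSED"
  printf 'Failed: %s\n' "$FAILED"
  printf 'Warnings: %s\n' "$WARNING"
  printf 'Not Applicable: %s\n\n' "$NA"
  printf 'Compliance Rate: %s%% (excluding N/A)\n\n' "$compliance_pct"
  printf 'Overall Risk Level: %b%s%b\n\n' "$risk_color" "$risk_level" "$NC"

  # NOTE(review): the original here-document that produced this file was lost
  # when the script was extracted; the body below is rebuilt from the
  # on-screen summary and the recommendation lines that survived.
  {
    printf 'Industrial Network Security Assessment - Summary\n'
    printf 'Based on IEC 62443 Standards\n'
    printf 'Date: %s\n\n' "$(date)"
    printf 'Total Checks: %s\n' "$TOTAL_CHECKS"
    printf 'Passed: %s\n' "$PASSED"
    printf 'Failed: %s\n' "$FAILED"
    printf 'Warnings: %s\n' "$WARNING"
    printf 'Not Applicable: %s\n' "$NA"
    printf 'Compliance Rate: %s%% (excluding N/A)\n' "$compliance_pct"
    printf 'Overall Risk Level: %s\n\n' "$risk_level"
    printf 'Recommendations:\n'
    if (( FAILED > 0 )); then
      printf '1. Remediate FAIL items (Critical Priority)\n'
    fi
    if (( WARNING > 0 )); then
      printf '2. Review and remediate WARNING items (High Priority)\n'
    fi
    if (( compliance_pct < 90 )); then
      printf '3. Develop remediation plan to achieve 90%%+ compliance\n'
    fi
    printf '4. Schedule next assessment in 6 months\n\n'
  } > "$SUMMARY_FILE"

  printf 'Files Generated:\n'
  printf -- '----------------\n'
  printf '1. %s - Detailed findings list\n' "$FINDINGS_FILE"
  printf '2. %s - Summary report\n\n' "$SUMMARY_FILE"

  # Show top findings. grep exits 1 when nothing matches, which is not an
  # error here, hence the || true under pipefail.
  if [[ -f "$FINDINGS_FILE" ]]; then
    printf 'Top Findings:\n'
    printf -- '-------------\n'
    grep '^FAIL,' "$FINDINGS_FILE" | head -5 || true
    printf '\n'
    grep '^WARNING,' "$FINDINGS_FILE" | head -3 || true
    printf '\n'
  fi

  section "Next Steps:"
  printf '1. Review findings in %s\n' "$FINDINGS_FILE"
  printf '2. Prioritize remediation actions\n'
  printf '3. Create remediation plan with timeline\n'
  printf '4. Assign owners to each finding\n'
  printf '5. Track progress and re-assess\n\n'
  printf 'For detailed guidance, see:\n'
  printf '  - industrial-network-security-guide.md\n'
  printf '  - IEC 62443 standards documentation\n\n'
}

#######################################
# Run the full checklist and produce the report.
# Globals:   FINDINGS_FILE (read)
#######################################
main() {
  printf '\n========================================\n'
  printf 'Industrial Network Security Assessment\n'
  printf 'Based on IEC 62443 Standards\n'
  printf '========================================\n\n'

  # Initialize findings file (truncates any previous run's results)
  printf 'Severity,Category,Item,Notes\n' > "$FINDINGS_FILE"

  section "SECTION 1: ASSET INVENTORY"
  check_item "Asset Inventory" \
    "Are all PLCs documented with model, firmware version, and location?" \
    "Complete inventory of all control system components per IEC 62443-2-1"
  check_item "Asset Inventory" \
    "Is network topology documented with current diagrams?" \
    "Network architecture diagrams showing all zones and conduits"
  check_item "Asset Inventory" \
    "Are all communication paths documented?" \
    "Data flow diagrams showing all network connections"
  check_item "Asset Inventory" \
    "Are software versions documented for all SCADA/HMI systems?" \
    "Complete software inventory with versions"

  section "SECTION 2: ACCESS CONTROL"
  check_item "Access Control" \
    "Do all PLCs have password protection enabled?" \
    "IEC 62443-3-3 SR 1.1: Password protection on all devices"
  check_item "Access Control" \
    "Are passwords at least 8 characters with complexity requirements?" \
    "IEC 62443-3-3 SR 1.5: Strong password policy"
  check_item "Access Control" \
    "Are IP Access Control Lists configured on PLCs?" \
    "IEC 62443-3-3 SR 1.13: Access control based on IP address"
  check_item "Access Control" \
    "Is multi-factor authentication (MFA) used for remote access?" \
    "IEC 62443-3-3 SR 1.2: Multi-factor authentication for remote access"
  check_item "Access Control" \
    "Are user accounts reviewed quarterly?" \
    "IEC 62443-2-1: Regular access reviews and recertification"
  check_item "Access Control" \
    "Are default passwords changed on all devices?" \
    "IEC 62443-4-2 CR 1.1: No default credentials"
  check_item "Access Control" \
    "Is role-based access control (RBAC) implemented?" \
    "IEC 62443-3-3 SR 1.3: Least privilege principle"

  section "SECTION 3: NETWORK SEGMENTATION"
  check_item "Network Segmentation" \
    "Are control networks physically or logically separated from corporate networks?" \
    "IEC 62443-3-2: Zones and conduits architecture"
  check_item "Network Segmentation" \
    "Are firewalls deployed between security zones?" \
    "IEC 62443-3-3 SR 3.1: Network segmentation with firewalls"
  check_item "Network Segmentation" \
    "Are firewall rules based on whitelist (deny by default)?" \
    "IEC 62443-3-3 SR 3.1: Default deny policy"
  check_item "Network Segmentation" \
    "Is a DMZ implemented between IT and OT networks?" \
    "Defense-in-depth: DMZ for data exchange"
  check_item "Network Segmentation" \
    "Are VLANs used for logical network separation?" \
    "IEC 62443-3-3 SR 3.1: Network segregation"
  check_item "Network Segmentation" \
    "Are critical safety systems air-gapped or on separate network?" \
    "IEC 62443-3-3 SR 3.1: Critical system isolation"

  section "SECTION 4: PLC SECURITY CONFIGURATION"
  check_item "PLC Security" \
    "Are unused PLC services disabled (web server, FTP, SNMP)?" \
    "IEC 62443-3-3 SR 7.6: Minimize attack surface"
  check_item "PLC Security" \
    "Is PLC firmware up to date?" \
    "IEC 62443-4-1 SR 1.1: Security updates applied"
  check_item "PLC Security" \
    "Are PLC configuration changes logged?" \
    "IEC 62443-3-3 SR 2.9: Audit logging"
  check_item "PLC Security" \
    "Are PLCs configured to only accept connections from authorized IPs?" \
    "IEC 62443-4-2 CR 1.13: Source address validation"
  check_item "PLC Security" \
    "Is PLC front panel physically secured (S7-1500)?" \
    "IEC 62443-3-3 SR 1.11: Physical access control"
  check_item "PLC Security" \
    "Are PLC communication processors (CPs) using firewalls/VPN?" \
    "IEC 62443-3-3 SR 4.1: Encrypted communications"

  section "SECTION 5: SYSTEM HARDENING"
  check_item "System Hardening" \
    "Are operating systems hardened per vendor guidance?" \
    "IEC 62443-4-2 CR 7.6: Operating system hardening"
  check_item "System Hardening" \
    "Is antivirus/endpoint protection deployed on HMI/SCADA systems?" \
    "IEC 62443-3-3 SR 3.2: Malware protection"
  check_item "System Hardening" \
    "Is application whitelisting implemented?" \
    "NIST SP 800-82: Application control"
  check_item "System Hardening" \
    "Are USB ports disabled or controlled on operator stations?" \
    "IEC 62443-3-3 SR 3.2: Removable media control"
  check_item "System Hardening" \
    "Are security patches applied in timely manner?" \
    "IEC 62443-2-1: Patch management process"
  check_item "System Hardening" \
    "Are unnecessary Windows services disabled?" \
    "Defense-in-depth: Minimize attack surface"

  section "SECTION 6: MONITORING AND LOGGING"
  check_item "Monitoring" \
    "Is network traffic monitored with IDS/IPS?" \
    "IEC 62443-3-3 SR 6.1: Network monitoring"
  check_item "Monitoring" \
    "Are logs centrally collected (SIEM)?" \
    "IEC 62443-3-3 SR 2.8: Centralized logging"
  check_item "Monitoring" \
    "Are critical events alerting in real-time?" \
    "IEC 62443-3-3 SR 2.9: Security event alerting"
  check_item "Monitoring" \
    "Are logs retained for at least 90 days?" \
    "IEC 62443-2-1: Audit log retention"
  check_item "Monitoring" \
    "Are logs reviewed regularly?" \
    "IEC 62443-2-1: Log review procedures"
  check_item "Monitoring" \
    "Is network baseline established and anomalies detected?" \
    "IEC 62443-4-2 CR 3.3: Anomaly detection"

  section "SECTION 7: REMOTE ACCESS"
  check_item "Remote Access" \
    "Is VPN required for all remote access?" \
    "IEC 62443-3-3 SR 4.1: Encrypted remote access"
  check_item "Remote Access" \
    "Is MFA required for VPN access?" \
    "IEC 62443-3-3 SR 1.2: Multi-factor authentication"
  check_item "Remote Access" \
    "Are vendor remote access sessions monitored and time-limited?" \
    "CISA: Vendor remote access controls"
  check_item "Remote Access" \
    "Is remote access logged and reviewed?" \
    "IEC 62443-3-3 SR 2.9: Remote access auditing"
  check_item "Remote Access" \
    "Are jump servers/bastion hosts used for remote access?" \
    "Defense-in-depth: Controlled access points"

  section "SECTION 8: PHYSICAL SECURITY"
  check_item "Physical Security" \
    "Are control rooms and server rooms physically secured?" \
    "IEC 62443-3-3 SR 1.11: Physical access control"
  check_item "Physical Security" \
    "Is access to control rooms logged (badge system)?" \
    "IEC 62443-3-3 SR 1.11: Physical access auditing"
  check_item "Physical Security" \
    "Are network cabinets locked?" \
    "IEC 62443-3-3 SR 1.11: Equipment physical protection"
  check_item "Physical Security" \
    "Is CCTV monitoring implemented for critical areas?" \
    "Defense-in-depth: Video surveillance"
  check_item "Physical Security" \
    "Are visitor access procedures documented and followed?" \
    "IEC 62443-2-1: Visitor management"

  section "SECTION 9: BACKUP AND RECOVERY"
  check_item "Backup/Recovery" \
    "Are PLC programs backed up after every change?" \
    "IEC 62443-2-1: Configuration management"
  check_item "Backup/Recovery" \
    "Are backups stored offline or off-site?" \
    "Defense-in-depth: 3-2-1 backup rule"
  check_item "Backup/Recovery" \
    "Are backup integrity checks performed?" \
    "IEC 62443-3-3 SR 7.3: Backup verification"
  check_item "Backup/Recovery" \
    "Is recovery tested at least quarterly?" \
    "IEC 62443-2-1: Disaster recovery testing"
  check_item "Backup/Recovery" \
    "Are Recovery Time Objectives (RTO) documented?" \
    "Business continuity planning"

  section "SECTION 10: INCIDENT RESPONSE"
  check_item "Incident Response" \
    "Is an incident response plan documented?" \
    "IEC 62443-2-1: Incident management"
  check_item "Incident Response" \
    "Is incident response team identified with roles assigned?" \
    "IEC 62443-2-1: IR team structure"
  check_item "Incident Response" \
    "Are incident response procedures tested annually?" \
    "IEC 62443-2-1: Tabletop exercises"
  check_item "Incident Response" \
    "Are incidents documented and lessons learned captured?" \
    "IEC 62443-2-1: Continuous improvement"
  check_item "Incident Response" \
    "Is there a communication plan for incidents?" \
    "IEC 62443-2-1: Stakeholder communication"

  section "SECTION 11: POLICIES AND PROCEDURES"
  check_item "Policies" \
    "Is a cybersecurity policy documented and approved?" \
    "IEC 62443-2-1: Cybersecurity policy"
  check_item "Policies" \
    "Are change management procedures documented and followed?" \
    "IEC 62443-2-1: Change control"
  check_item "Policies" \
    "Is patch management process documented?" \
    "IEC 62443-2-1: Security update management"
  check_item "Policies" \
    "Are security roles and responsibilities documented?" \
    "IEC 62443-2-1: Governance structure"
  check_item "Policies" \
    "Is security awareness training conducted annually?" \
    "IEC 62443-2-1: Personnel security awareness"

  section "SECTION 12: RISK MANAGEMENT"
  check_item "Risk Management" \
    "Has a security risk assessment been conducted?" \
    "IEC 62443-3-2: Security risk assessment"
  check_item "Risk Management" \
    "Are risk assessment results documented?" \
    "IEC 62443-3-2: Risk documentation"
  check_item "Risk Management" \
    "Are target security levels (SL-T) defined for each zone?" \
    "IEC 62443-3-2: Security level targets"
  check_item "Risk Management" \
    "Is risk assessment updated annually or after major changes?" \
    "IEC 62443-2-1: Risk assessment review"
  check_item "Risk Management" \
    "Are residual risks accepted by management?" \
    "IEC 62443-2-1: Risk acceptance"

  #========================================
  # Generate Report
  #========================================
  generate_report
}

main "$@"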