40 KiB
40 KiB
Industrial Network Security Best Practices Guide
Comprehensive Security for PLC and SCADA Systems
Based on IEC 62443 Standards and Defense-in-Depth Principles
Table of Contents
- Introduction
- Security Frameworks and Standards
- Defense-in-Depth Strategy
- Network Segmentation (Zones and Conduits)
- Siemens S7 PLC Specific Security
- Implementation Checklist
- Security Assessment Procedures
- Ongoing Monitoring and Maintenance
- Incident Response
- Compliance and Documentation
1. Introduction
Why Industrial Network Security Matters
Industrial Control Systems (ICS) and Operational Technology (OT) environments face unique cybersecurity challenges:
- Safety Critical: Cyber attacks can cause physical harm, environmental damage, or loss of life
- High Availability Requirements: Production systems require 24/7 uptime
- Long Lifecycles: Equipment may operate for 20+ years with outdated software
- Convergence of IT/OT: Increasing connectivity exposes OT to IT-based threats
- Targeted Attacks: Nation-states and cybercriminals specifically target critical infrastructure
Real-World Consequences
Stuxnet (2010): Destroyed Iranian nuclear centrifuges via compromised Siemens S7 PLCs Ukraine Power Grid (2015): BlackEnergy malware caused blackouts affecting 230,000 people Triton/Trisis (2017): Targeted safety systems in petrochemical plant Colonial Pipeline (2021): Ransomware caused major fuel shortage in US
2. Security Frameworks and Standards
IEC 62443 - The Gold Standard for Industrial Cybersecurity
IEC 62443 is the international standard specifically designed for Industrial Automation and Control Systems (IACS) security.
IEC 62443 Structure
The standard is divided into 4 main categories:
1. General (IEC 62443-1-x)
- Terminology, concepts, and models
- Foundation for the entire standard
- Defines security levels and zones
2. Policies and Procedures (IEC 62443-2-x)
- Cybersecurity management system requirements
- Risk assessment methodology
- Patch management and incident response
3. System (IEC 62443-3-x)
- System-level security requirements
- Network segmentation (zones and conduits)
- Security risk assessment for systems
4. Component (IEC 62443-4-x)
- Product development lifecycle requirements
- Component technical security requirements
- Secure coding and vulnerability management
Security Levels (SL) in IEC 62443
The standard defines 4 security levels based on threat capability:
| Security Level | Threat Type | Attacker Profile |
|---|---|---|
| SL 0 | No special requirement | None |
| SL 1 | Protection against casual or coincidental violation | Unskilled individual using simple means |
| SL 2 | Protection against intentional violation using simple means | Skilled individual using simple means with low resources |
| SL 3 | Protection against intentional violation using sophisticated means | Skilled individual with moderate resources and IACS-specific skills |
| SL 4 | Protection against intentional violation using sophisticated means with extended resources | Highly skilled and motivated organization with extensive resources |
Typical Target Levels:
- Critical Infrastructure: SL 2-3
- High-Risk Facilities: SL 3-4
- Standard Industrial Plants: SL 1-2
Other Relevant Standards
NIST SP 800-82: Guide to Industrial Control Systems (ICS) Security NIST Cybersecurity Framework (CSF): Identify, Protect, Detect, Respond, Recover ISO/IEC 27001: Information Security Management Systems IEC 61511: Safety Instrumented Systems (SIS) security
3. Defense-in-Depth Strategy
Defense-in-Depth applies multiple layers of security controls throughout the industrial network, ensuring that if one layer fails, others continue to provide protection.
Core Principles
- Layered Security: No single point of failure
- Diversity: Use different types of security controls
- Fail-Safe Design: Systems fail to a secure state
- Least Privilege: Minimum access necessary
- Separation of Duties: No single person has complete control
The Seven Layers of Defense
Layer 7: Policies, Procedures & Awareness
↓
Layer 6: Physical Security
↓
Layer 5: Perimeter Security (Firewalls, DMZ)
↓
Layer 4: Network Security (Segmentation, VLANs, IDS)
↓
Layer 3: Host Security (Hardening, Antivirus, Patching)
↓
Layer 2: Application Security (Authentication, Encryption)
↓
Layer 1: Data Security (Encryption, Backup, Integrity)
Implementation Strategy
Physical Layer:
- Locked server rooms and control cabinets
- Access control systems (badge readers)
- CCTV monitoring
- Tamper-evident seals on critical equipment
Network Layer:
- Firewalls between zones
- Network segmentation (VLANs)
- Intrusion Detection Systems (IDS)
- Data diodes for one-way communication
System Layer:
- Operating system hardening
- Disable unnecessary services
- Application whitelisting
- Regular security updates and patches
Application Layer:
- Strong authentication (passwords, 2FA)
- Role-based access control (RBAC)
- Secure coding practices
- Input validation
Data Layer:
- Encryption at rest and in transit
- Regular backups (3-2-1 rule)
- Data integrity checks
- Secure data destruction
People Layer:
- Security awareness training
- Background checks for critical roles
- Documented security policies
- Incident response procedures
4. Network Segmentation (Zones and Conduits)
The Purdue Model
The Purdue Enterprise Reference Architecture (PERA) is the foundation for ICS network segmentation:
Level 5: Enterprise Network (ERP, Email, Internet)
↓ DMZ / Firewall
Level 4: Business Planning & Logistics (MES, Historian)
↓ DMZ / Firewall
Level 3: Operations Management (SCADA, HMI)
↓ Industrial Firewall
Level 2: Area Supervisory Control (PLC, DCS)
↓ Industrial Switch
Level 1: Basic Control (PLC, RTU, Field Devices)
↓ Field Network
Level 0: Process (Sensors, Actuators, Motors)
Zones and Conduits (IEC 62443-3-2)
Zone: A grouping of logical or physical assets that share common security requirements Conduit: A logical grouping of communication channels connecting two or more zones
Example Zone Structure
Zone 1: Enterprise Network
- Business systems (ERP, email, file servers)
- Internet connectivity
- Office workstations
Zone 2: DMZ (Demilitarized Zone)
- Historian servers
- Data diodes
- Application servers accessible from both enterprise and control
Zone 3: Control Network (Level 3)
- SCADA servers
- HMI workstations
- Engineering workstations
Zone 4: Process Control Network (Level 2)
- PLCs (Siemens S7-1200/1500)
- DCS controllers
- Safety systems (SIS)
Zone 5: Field Device Network (Level 1-0)
- I/O modules
- Remote I/O
- Sensors and actuators
Conduit Security Requirements
Each conduit between zones must implement appropriate security controls:
| Conduit | Source Zone | Dest Zone | Security Requirements |
|---|---|---|---|
| C1 | Enterprise | DMZ | Corporate Firewall, VPN, Authentication |
| C2 | DMZ | Control Network | Industrial Firewall, Unidirectional Gateway |
| C3 | Control Network | Process Network | Industrial Switch with ACLs, Port Security |
| C4 | Process Network | Field Devices | Encrypted protocols (if supported), Physical isolation |
Network Segmentation Best Practices
- Air-Gap Critical Systems: Physically separate safety-critical systems
- Use Industrial Firewalls: Commercial IT firewalls are not sufficient
- Implement Data Diodes: For one-way data transfer from OT to IT
- VLANs for Logical Separation: When physical separation isn't possible
- Limit Communication Paths: Only allow necessary connections
- Monitor All Boundaries: IDS/IPS at each zone boundary
5. Siemens S7 PLC Specific Security
S7-1200/1500 Security Features
1. Access Protection (Password Protection)
Protection Levels:
- No Protection: Full read/write access
- Write Protection: Read-only access without password
- Read/Write Protection: Password required for all access
- Complete Protection + Integrity: Strongest protection including know-how protection
Configuration in TIA Portal:
1. Open PLC properties
2. Go to "Protection & Security"
3. Set "Protection level"
4. Enter strong password (min. 8 characters)
5. Enable "Copy protection" for intellectual property
Best Practice: Use Read/Write Protection or Complete Protection for production PLCs
2. IP Access Control Lists (ACLs)
Restrict which devices can communicate with the PLC by IP address.
Configuration:
1. PLC Properties → Protection & Security → Connection mechanisms
2. Enable "Permit access only for the following IP addresses/subnets"
3. Add authorized IPs:
- Engineering station: 192.168.10.50/32
- HMI: 192.168.10.60/32
- SCADA server: 192.168.10.70/32
4. Deny all other connections
3. Communication Encryption
CP 1543-1 Communication Processor:
- Built-in VPN functionality (IPsec)
- Integrated firewall
- Supports encrypted S7 communication
Configuration Steps:
- Install CP 1543-1 module in PLC
- Configure VPN tunnel in TIA Portal
- Set up IPsec parameters (AES-256 encryption)
- Configure firewall rules
4. Firmware Updates and Patch Management
Check Current Firmware:
TIA Portal → Online & Diagnostics → Device Information → Firmware Version
Update Process:
- Download firmware from Siemens Support Portal
- Verify firmware signature
- Test in non-production environment first
- Schedule maintenance window
- Backup PLC program before updating
- Update via TIA Portal → Online Tools → Firmware Update
Subscribe to Siemens ProductCERT:
- URL: https://www.siemens.com/cert
- Receive security advisories for vulnerabilities
- CSAF format for automated processing
5. Disable Unused Services
Services to Disable (if not needed):
- Web Server (HTTP/HTTPS)
- FTP Server
- SNMP
- Modbus TCP (if using only S7 communication)
- OPC UA (if not required)
Configuration:
Device Properties → System and Clock Memory → Web server
□ Enable web server (uncheck if not needed)
6. Secure Physical Access
S7-1500 Front Flap Lock:
- Prevents unauthorized access to:
- SIMATIC memory card
- Mode selector
- Display and buttons
Configuration:
- Insert locking latch into front flap
- Physical key required to open
- Document key location in security procedures
7. Network Services Security
Default Ports Used by S7-1200/1500:
| Port | Protocol | Service | Security Action |
|---|---|---|---|
| 102 | TCP | S7 Communication | Firewall, ACLs |
| 80 | TCP | HTTP Web Server | Disable or use HTTPS only |
| 443 | TCP | HTTPS Web Server | Enable with certificates |
| 161 | UDP | SNMP | Disable if not needed |
| 20000 | TCP | PN DCP | Limit to local segment |
Firewall Rules Example (iptables):
# Allow S7 communication only from authorized IPs
iptables -A INPUT -p tcp --dport 102 -s 192.168.10.50 -j ACCEPT
iptables -A INPUT -p tcp --dport 102 -s 192.168.10.60 -j ACCEPT
iptables -A INPUT -p tcp --dport 102 -j DROP
# Block web server from external access
iptables -A INPUT -p tcp --dport 80 -s 192.168.10.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
Common S7 Vulnerabilities and Mitigations
CVE-2016-9159: Credential Disclosure
Affected: S7-300, S7-400 (older firmware) Risk: Password can be extracted via network access to port 102 Mitigation:
- Update to latest firmware
- Implement network segmentation
- Use CP modules with firewall
- Monitor port 102 access
CVE-2019-13945: Denial of Service
Affected: S7-1200, S7-1500 (certain firmware versions) Risk: Specially crafted packets can crash PLC Mitigation:
- Update firmware to latest version
- Implement IDS to detect malformed packets
- Firewall rules to filter suspicious traffic
Lack of Native Authentication
Issue: S7 protocol doesn't require authentication by default Mitigation:
- Use IP Access Control Lists
- Network segmentation
- VPN for remote access
- Consider CP modules with VPN/firewall
6. Implementation Checklist
Phase 1: Assessment and Planning (Weeks 1-4)
Week 1: Asset Inventory
- Document all PLCs (model, firmware version, location)
- Map network topology (create network diagrams)
- Identify all communication paths
- List all access points (local and remote)
- Document current security measures
Tools:
- Nmap for network discovery
- Siemens SINEC NMS for asset management
- Network documentation software (Visio, Lucidchart)
Week 2: Risk Assessment
- Identify critical assets and processes
- Evaluate potential threats (insider, external, accidental)
- Assess current vulnerabilities
- Determine Security Level targets (SL-T) per IEC 62443
- Prioritize risks (high/medium/low)
Risk Assessment Matrix:
Impact vs. Likelihood:
Low Medium High
High | Med | High | Critical
Medium | Low | Med | High
Low | Low | Low | Med
Week 3: Gap Analysis
- Compare current state to IEC 62443 requirements
- Identify missing security controls
- Document technical debt
- Estimate remediation effort and cost
- Create prioritized remediation plan
Week 4: Policy and Procedure Development
- Write/update cybersecurity policy
- Define roles and responsibilities
- Create access control procedures
- Develop incident response plan
- Establish change management process
Phase 2: Quick Wins (Weeks 5-8)
Immediate Actions (No Downtime Required)
- Enable PLC password protection (all PLCs)
- Configure IP Access Control Lists
- Disable unused PLC services
- Change all default passwords
- Enable logging on network devices
- Document all changes
Low-Risk Improvements
- Install antivirus on HMI/SCADA systems
- Enable Windows Firewall on operator stations
- Implement USB device controls
- Create baseline configurations for all systems
- Set up centralized log collection
Phase 3: Network Segmentation (Weeks 9-16)
Design Phase
- Design zone and conduit architecture
- Plan VLAN structure
- Select firewall/switch hardware
- Create detailed implementation plan
- Schedule maintenance windows
Implementation Phase
- Install firewalls between zones
- Configure VLANs on switches
- Set up firewall rules (whitelist approach)
- Install IDS/IPS sensors
- Test all communication paths
- Document new architecture
Firewall Rule Template:
Source Zone: Level 3 (SCADA)
Dest Zone: Level 2 (PLCs)
Protocol: TCP
Port: 102
Action: ALLOW
Log: Yes
Phase 4: Advanced Security Controls (Weeks 17-24)
System Hardening
- Harden all Windows systems (CIS benchmarks)
- Implement application whitelisting
- Deploy endpoint protection
- Configure secure logging (SIEM)
- Enable file integrity monitoring
Access Control
- Implement multi-factor authentication (MFA)
- Deploy jump servers for remote access
- Configure VPN with strong encryption
- Establish privileged access management (PAM)
- Create audit trails for all access
Monitoring and Detection
- Deploy network monitoring (IDS/IPS)
- Configure SIEM alerts
- Establish baseline behavior
- Create detection use cases
- Set up automated alerting
Phase 5: Testing and Validation (Weeks 25-28)
Security Testing
- Vulnerability scanning (authenticated scans only)
- Penetration testing (with extreme caution)
- Firewall rule testing
- Incident response tabletop exercise
- Disaster recovery test
- User awareness testing (phishing simulation)
IMPORTANT: Never perform aggressive testing on production OT systems
Validation Checklist
- All PLCs have password protection
- IP ACLs configured on all PLCs
- Unnecessary services disabled
- Firewalls between all zones
- Remote access requires VPN + MFA
- All systems logging to SIEM
- Backup and recovery tested
- Incident response plan tested
Phase 6: Continuous Improvement (Ongoing)
Monthly Tasks
- Review firewall logs
- Check for firmware updates
- Review access logs
- Update asset inventory
- Security awareness training reminder
Quarterly Tasks
- Vulnerability assessment
- Review and update policies
- Access rights review (recertification)
- Test backups
- Review IDS/IPS alerts
Annual Tasks
- Full security audit
- Penetration test (controlled environment)
- Update risk assessment
- Incident response drill
- Review and update BCP/DR plans
- Security awareness training (full program)
7. Security Assessment Procedures
Pre-Assessment Preparation
Safety First
CRITICAL: OT security assessments can disrupt operations or cause safety issues.
Before Any Assessment:
- Obtain written approval from operations manager
- Schedule during planned maintenance window
- Have control system engineers on-site
- Test all procedures in non-production environment first
- Prepare rollback plan
- Brief safety personnel
Assessment Levels
Level 1: Passive Assessment (No Risk)
Activities:
- Document review
- Architecture review
- Policy and procedure review
- Interviews with staff
- Review of logs and reports
Tools: None (manual review)
Level 2: Network Monitoring (Minimal Risk)
Activities:
- Passive network traffic capture
- Protocol analysis
- Device discovery (passive)
- Baseline establishment
Tools:
- Wireshark
- Nozomi Networks
- Claroty
- Dragos Platform
Level 3: Active Scanning (Low Risk)
Activities:
- Network discovery (active)
- Service enumeration
- OS fingerprinting
- Credential validation
Tools (use with caution):
- Nmap (with rate limiting)
- Siemens SINEC NMS
- Tenable.sc (ICS profile)
Configuration Example (Safe Nmap Scan):
# Safe, slow scan for S7 PLCs
nmap -sT -T1 --max-rate 10 -p 102 --script s7-info 192.168.10.0/24
# Explanation:
# -sT: TCP connect scan (not SYN scan)
# -T1: Slowest timing template
# --max-rate 10: Max 10 packets/second
# -p 102: Only S7 port
# --script s7-info: Siemens-specific enumeration
Level 4: Vulnerability Scanning (Medium Risk)
Activities:
- Authenticated vulnerability scans
- Configuration compliance checks
- Missing patch identification
Tools:
- Tenable.sc with ICS plugin
- Rapid7 Nexpose
- Qualys VM
CRITICAL Requirements:
- Test in lab environment first
- Use ICS-specific scan profiles
- Schedule during maintenance window
- Have control engineers present
- Start with single device
- Monitor PLC scan time and CPU load
Level 5: Penetration Testing (High Risk)
ONLY in isolated test environment or with extreme caution
Activities:
- Exploit validation
- Privilege escalation
- Lateral movement testing
- Data exfiltration simulation
Requirements:
- Dedicated test network
- Replica of production environment
- Experienced ICS penetration testers
- 24/7 on-site support
- Detailed test plan approved by all stakeholders
Step-by-Step Security Assessment
Step 1: Information Gathering (Passive)
Objective: Understand the environment without touching systems
Tasks:
- Review network diagrams
- Document all PLCs and versions
- Identify communication protocols
- Map data flows
- Review existing security controls
- Identify critical assets
Deliverable: Asset inventory and network map
Step 2: Vulnerability Identification
2a. Configuration Review
# Check for common misconfigurations
# PLC Password Protection
✓ Is password protection enabled?
✓ Password meets complexity requirements? (min 8 chars)
✓ Password documented in secure location?
# Network Access
✓ Are IP ACLs configured?
✓ Is web server disabled (if not needed)?
✓ Are unused protocols disabled?
# Firmware
✓ Firmware version documented?
✓ Firmware up to date?
✓ Update process documented?
2b. Network Vulnerability Scan
# Use Nmap safely for S7 PLCs
nmap -sT -T1 -p 102,80,443,161 --max-rate 5 192.168.10.100
# Check results for:
# - Open ports (should only be 102 if others disabled)
# - Service versions
# - Banner information
2c. Known Vulnerability Check
- Check Siemens ProductCERT advisories
- Compare firmware version to CVE database
- Review CISA ICS-CERT advisories
Step 3: Risk Evaluation
Risk Scoring:
Risk = Likelihood × Impact × Exploitability
Likelihood (1-5):
1 = Very unlikely
3 = Possible
5 = Very likely
Impact (1-5):
1 = Minimal
3 = Moderate (production delay)
5 = Critical (safety hazard)
Exploitability (1-5):
1 = Very difficult (requires insider access)
3 = Moderate (requires some skill)
5 = Easy (public exploit available)
Example:
- Finding: PLC has no password protection
- Likelihood: 4 (network accessible)
- Impact: 5 (controls safety system)
- Exploitability: 5 (trivial to access)
- Risk Score: 4 × 5 × 5 = 100 (CRITICAL)
Step 4: Reporting
Report Structure:
- Executive Summary
- Scope and Methodology
- Asset Inventory
- Findings (organized by severity)
- Risk Assessment
- Recommendations (prioritized)
- Remediation Plan
Finding Template:
FINDING ID: VUL-001
SEVERITY: Critical
TITLE: PLC Password Protection Disabled
DESCRIPTION: S7-1200 at 192.168.10.100 has no password protection
IMPACT: Unauthorized user can read/modify PLC program, causing safety hazard
LIKELIHOOD: High (network accessible from control network)
EXPLOITABILITY: High (no authentication required)
AFFECTED SYSTEMS: PLC-REACTOR-01 (192.168.10.100)
RECOMMENDATION: Enable Read/Write Protection with strong password
EFFORT: Low (15 minutes per PLC)
PRIORITY: 1 (Critical - remediate within 24 hours)
8. Ongoing Monitoring and Maintenance
Continuous Monitoring Strategy
What to Monitor
Network Level:
- Firewall rule violations
- Unauthorized connection attempts
- Protocol anomalies
- Bandwidth utilization
- New devices on network
System Level:
- Login attempts (successful and failed)
- Configuration changes
- Firmware updates
- Service start/stop
- Antivirus alerts
Application Level:
- PLC mode changes (RUN/STOP)
- Program uploads/downloads
- Recipe changes
- Setpoint modifications
- Alarm patterns
Physical Level:
- Door access events
- CCTV events
- Environmental sensors (temperature, humidity)
Monitoring Tools
Network IDS/IPS for OT
Commercial Solutions:
- Nozomi Networks Guardian
- Claroty
- Dragos Platform
- Fortinet FortiGate (OT-specific)
- Cisco Cyber Vision
Open Source:
- Snort (with OT rules)
- Suricata (with ICS signatures)
- Zeek (formerly Bro) with S7Comm analyzer
SIEM Integration
Popular SIEM Solutions:
- Splunk (with ICS apps)
- IBM QRadar
- ArcSight
- LogRhythm
Key Log Sources:
- Firewall logs
- IDS/IPS alerts
- Windows Event Logs (HMI, Engineering stations)
- PLC audit logs (if available)
- Switch logs (MAC address changes, port security)
- VPN access logs
- Physical access control logs
Alert Configuration
Critical Alerts (Immediate Response)
1. PLC Program Download
- Trigger: S7 WRITE command to program blocks
- Action: Page on-call engineer, log event
2. PLC Mode Change (RUN → STOP)
- Trigger: PLC state change
- Action: Alert operations, investigate
3. Unauthorized IP Connection
- Trigger: Connection from IP not in whitelist
- Action: Block IP, alert security team
4. Multiple Failed Login Attempts
- Trigger: 3 failed logins within 5 minutes
- Action: Lock account, alert security
5. New Device on Control Network
- Trigger: New MAC address detected
- Action: Alert network admin, investigate
Warning Alerts (Review Within 24h)
1. Configuration Change
2. Firmware Update
3. New user account created
4. Privilege escalation
5. Anomalous protocol usage
Patch Management
Siemens S7 Patch Process
1. Monitor for Updates
- Subscribe to Siemens ProductCERT: https://www.siemens.com/cert
- Check TIA Portal updates monthly
- Review security advisories
2. Evaluate Patches
For each patch, assess:
- Severity: Critical / High / Medium / Low
- Applicability: Does it affect our systems?
- Impact: Will it affect production?
- Prerequisites: Required firmware version?
- Testing: Can we test in lab first?
3. Test in Non-Production
- Apply patch to lab PLC
- Run full functional tests
- Monitor for 48 hours
- Document any issues
4. Schedule Production Update
- Coordinate with operations
- Schedule maintenance window
- Prepare rollback plan
- Notify all stakeholders
5. Apply and Verify
Pre-Update:
- Backup PLC program
- Document current firmware version
- Take screenshot of diagnostics
Update:
- Apply firmware update
- Verify version number
- Run functional tests
Post-Update:
- Monitor for 24 hours
- Document completion
- Update asset inventory
6. Document
- Update change log
- Record in CMDB
- Update network diagram if needed
Patch Priority Matrix
| Severity | Affected Systems | Priority | Timeline |
|---|---|---|---|
| Critical | Safety Systems | P1 | 7 days |
| Critical | Production Systems | P2 | 30 days |
| High | Safety Systems | P2 | 30 days |
| High | Production Systems | P3 | 90 days |
| Medium | Any | P4 | Next maintenance window |
| Low | Any | P5 | Annual review |
Backup and Recovery
PLC Backup Strategy
What to Backup:
- PLC program (complete project)
- Configuration (IP address, parameters)
- Firmware version (document for reinstall)
- Hardware configuration
- Documentation (I/O lists, functional specs)
Backup Frequency:
- After any program change (immediate)
- Weekly (automated if possible)
- Before firmware updates
- Before major maintenance
Backup Storage:
- Primary: Network location (secured)
- Secondary: External hard drive (offline)
- Tertiary: Off-site (cloud or remote facility)
- Follow 3-2-1 rule: 3 copies, 2 media types, 1 off-site
TIA Portal Backup Process:
1. Open project in TIA Portal
2. Project → Archive...
3. Select "Create archive with all files"
4. Name with date: "PLC_REACTOR_2026-02-16.zap"
5. Save to secure network location
6. Verify archive integrity
7. Document in backup log
Recovery Testing:
- Test recovery quarterly
- Document recovery time objective (RTO)
- Practice in lab environment
- Train multiple personnel on recovery
9. Incident Response
Incident Response Plan
Phase 1: Preparation
Pre-Incident Checklist:
- Incident response team identified (roles assigned)
- Contact list maintained (on-call rotation)
- Communication plan established
- Forensic tools prepared
- Backup systems verified
- Tabletop exercises conducted (annually)
IR Team Roles:
- Incident Commander: Overall response coordination
- Operations Lead: Production continuity
- Safety Lead: Safety assessment and procedures
- Technical Lead: System investigation and remediation
- Communications Lead: Internal and external communications
- Legal/Compliance: Regulatory requirements
Phase 2: Detection and Analysis
Detection Methods:
- SIEM alerts
- IDS/IPS alarms
- Operator reports
- Anomaly detection
- External notification (vendor, CERT)
Initial Response (First 15 minutes):
1. Alert incident commander
2. Assess safety impact
3. Isolate affected systems (if safe to do so)
4. Preserve evidence
5. Begin documentation
Incident Classification:
| Severity | Definition | Response Time | Escalation |
|---|---|---|---|
| Critical | Safety impact or major production loss | Immediate | Executive team, authorities |
| High | Production impact but no safety concern | Within 1 hour | Management, legal |
| Medium | Limited impact, contained | Within 4 hours | IR team only |
| Low | No operational impact | Next business day | Technical team |
Phase 3: Containment
Short-Term Containment:
- Isolate affected network segment
- Disconnect from external networks
- Change credentials
- Block malicious IPs
- Switch to backup systems (if available)
Long-Term Containment:
- Rebuild compromised systems
- Implement additional controls
- Enhanced monitoring
- Forensic analysis
Containment Decision Matrix:
For PLC Compromise:
Question 1: Is safety at risk?
→ YES: Immediately switch to manual control / shutdown
→ NO: Proceed to Q2
Question 2: Is production at risk?
→ YES: Isolate PLC, switch to backup if available
→ NO: Proceed to Q3
Question 3: Can we contain without interruption?
→ YES: Isolate network segment, monitor
→ NO: Schedule emergency maintenance
Phase 4: Eradication
Steps:
- Identify root cause
- Remove malware/backdoors
- Close vulnerability
- Patch systems
- Validate removal
- Restore from clean backup
For Compromised PLC:
1. Disconnect PLC from network
2. Clear PLC memory (factory reset if needed)
3. Update firmware to latest version
4. Restore program from verified clean backup
5. Change all passwords
6. Reconfigure IP ACLs
7. Validate against known-good configuration
8. Test offline before reconnecting
Phase 5: Recovery
Recovery Checklist:
- Affected systems rebuilt/restored
- Security controls verified
- Monitoring enhanced
- Credentials rotated
- Communications to stakeholders
- Operations returned to normal
- Increased monitoring period (48-72 hours)
Phase 6: Post-Incident Activities
Lessons Learned Meeting (within 2 weeks):
- Timeline review
- What went well?
- What could be improved?
- Action items (assign owners and due dates)
Incident Report Contents:
- Executive summary
- Incident timeline
- Root cause analysis
- Impact assessment (financial, operational, safety)
- Response actions taken
- Lessons learned
- Recommendations
- Action plan
Follow-Up Actions:
- Update incident response plan
- Update detection rules
- Implement preventive controls
- Training for staff
- Share findings (anonymized) with industry
Reporting Requirements
Internal Reporting
- Immediate: Safety/operations management
- Within 24h: Executive team
- Within 1 week: Complete incident report
External Reporting
Regulatory (if applicable):
- NERC CIP (electric sector): Within 1 hour for critical incidents
- TSA (pipelines/rail): Within 24 hours
- EPA (water): Within requirements
- OSHA (safety incident): Within 8 hours for fatality/hospitalization
Industry Sharing:
- ICS-CERT (CISA): Voluntary but recommended
- Information Sharing and Analysis Centers (ISACs)
- Local law enforcement (if criminal)
10. Compliance and Documentation
Documentation Requirements
Security Documentation Repository
1. Policies and Standards
- Information Security Policy
- Acceptable Use Policy
- Password Policy
- Change Management Policy
- Incident Response Policy
- Access Control Policy
2. Procedures
- System Hardening Procedures
- Backup and Recovery Procedures
- Patch Management Procedures
- User Access Provisioning/Deprovisioning
- Vendor Access Procedures
- Incident Response Procedures
3. Technical Documentation
- Network Architecture Diagrams
- Asset Inventory (with security controls)
- Firewall Configurations and Rule Sets
- PLC Configurations (baseline)
- System Baseline Configurations
- Data Flow Diagrams
4. Risk Management
- Risk Assessment Results
- Risk Register (tracking all identified risks)
- Risk Treatment Plans
- Security Control Matrices
- Compliance Gap Analysis
5. Operations
- Change Logs
- Incident Logs
- Access Logs Reviews
- Audit Reports
- Test Results (vulnerability scans, penetration tests)
- Training Records
Audit and Compliance
Internal Audits
Quarterly Audit Checklist:
Access Control:
- User access reviews completed
- Privileged access reviewed
- Terminated user accounts disabled
- Password policy compliance
- MFA enabled for remote access
Change Management:
- All changes documented in change log
- Changes approved before implementation
- Testing performed per requirements
- Rollback plans documented
Patch Management:
- Patch inventory current
- Critical patches applied per timeline
- Patch testing documented
- Exceptions documented and approved
Backup/Recovery:
- Backups performed per schedule
- Backup integrity verified
- Recovery test performed (quarterly)
- Off-site backup verified
Security Controls:
- Antivirus definitions current
- Firewall rules reviewed
- IDS/IPS signatures updated
- Log collection verified
- Physical security controls verified
Training and Awareness:
- Annual security training completed
- Phishing simulations performed
- Incident response training conducted
- New employee orientation completed
External Audits
Preparation:
- Gather all required documentation
- Review previous audit findings
- Verify all action items completed
- Conduct pre-audit self-assessment
- Assign audit coordinator
Common Audit Frameworks:
- IEC 62443 (ISASecure certification)
- NERC CIP (electric sector)
- NIST CSF
- ISO 27001
- SOC 2 Type II
Audit Evidence Examples:
- Screenshots of configurations
- Log excerpts
- Access control lists
- Change management tickets
- Training completion records
- Incident response logs
Regulatory Compliance
Industry-Specific Requirements
Critical Manufacturing:
- CISA guidelines
- State-specific requirements
Electric Sector:
- NERC CIP (Critical Infrastructure Protection)
- FERC regulations
Water/Wastewater:
- EPA regulations
- America's Water Infrastructure Act (AWIA)
Chemical:
- CFATS (Chemical Facility Anti-Terrorism Standards)
- Process Safety Management (PSM)
Oil and Gas:
- TSA pipeline security
- API standards
Appendices
Appendix A: Useful Commands and Scripts
Network Discovery (Safe for OT)
# Passive network monitoring
tcpdump -i eth0 -w capture.pcap 'port 102'
# Safe Nmap scan for S7 PLCs
nmap -sT -T1 --max-rate 5 -p 102 --script s7-info <IP_RANGE>
# Check specific PLC
nmap -sT -p 102,80,443 192.168.10.100
Firewall Rule Examples
IPTables (Linux):
# Allow S7 communication from HMI only
iptables -A FORWARD -s 192.168.10.50 -d 192.168.10.100 -p tcp --dport 102 -j ACCEPT
iptables -A FORWARD -d 192.168.10.100 -p tcp --dport 102 -j LOG --log-prefix "BLOCKED_S7: "
iptables -A FORWARD -d 192.168.10.100 -p tcp --dport 102 -j DROP
# Block all traffic between IT and OT zones except via DMZ
iptables -A FORWARD -s 192.168.1.0/24 -d 192.168.10.0/24 -j DROP
Cisco ASA:
! Allow S7 from SCADA to PLC network
access-list SCADA_TO_PLC extended permit tcp object SCADA_NETWORK object PLC_NETWORK eq 102
access-list SCADA_TO_PLC extended deny ip any any log
! Apply to interface
access-group SCADA_TO_PLC in interface inside
Appendix B: Security Assessment Template
# Security Assessment Report
## Executive Summary
- Assessment Date: _______________
- Scope: _________________________
- Overall Risk Rating: ____________
## Findings Summary
- Critical: ___
- High: ___
- Medium: ___
- Low: ___
## Top 5 Risks
1. [Finding ID] [Title] - [Risk Score]
2. [Finding ID] [Title] - [Risk Score]
3. [Finding ID] [Title] - [Risk Score]
4. [Finding ID] [Title] - [Risk Score]
5. [Finding ID] [Title] - [Risk Score]
## Detailed Findings
### Finding 1: [Title]
- **Severity**: Critical/High/Medium/Low
- **Risk Score**: ___
- **Affected Systems**: ___
- **Description**: ___
- **Impact**: ___
- **Recommendation**: ___
- **Priority**: ___
- **Estimated Effort**: ___
[Repeat for each finding]
## Remediation Plan
[Prioritized list of remediation actions with timeline]
Appendix C: Emergency Contact List Template
INCIDENT RESPONSE TEAM
Incident Commander:
Name: _______________
Phone: _______________
Email: _______________
Operations Lead:
Name: _______________
Phone: _______________
Email: _______________
Technical Lead:
Name: _______________
Phone: _______________
Email: _______________
Safety Lead:
Name: _______________
Phone: _______________
Email: _______________
EXTERNAL CONTACTS
Siemens Support: 1-800-XXX-XXXX
Local FBI Cyber: _______________
CISA (ICS-CERT): 888-282-0870 / ics-cert@cisa.dhs.gov
Local Law Enforcement: 911
Appendix D: Training Resources
Free Training:
- CISA ICS Training: https://www.cisa.gov/ics-training-catalog
- SANS ICS Security: https://www.sans.org/cyber-security-courses/ics-scada-cyber-security/
- Siemens Learning Portal: https://support.industry.siemens.com/tf/ww/en/
Certifications:
- GICSP (Global Industrial Cyber Security Professional) - SANS
- GRID (Response and Industrial Defense) - SANS
- Certified ICS Security Specialist - Various providers
Industry Organizations:
- ICS-CERT (CISA)
- SANS ICS
- ISA (International Society of Automation)
- ISAGCA (ISA Global Cybersecurity Alliance)
Appendix E: Vendor Security Questionnaire
Use this when evaluating control system vendors or integrators:
1. Do you follow IEC 62443 development lifecycle?
2. Do you have ISASecure certification for your products?
3. How do you handle vulnerability disclosure?
4. What is your patch release timeline for critical vulnerabilities?
5. Do you provide security advisories?
6. Are default passwords required to be changed?
7. Do you support encrypted communications?
8. Do you provide security hardening guides?
9. What logging and auditing capabilities exist?
10. Do you require/offer security training for your products?
Quick Reference Card
Daily Security Checks (5 minutes)
- Review critical SIEM alerts
- Check firewall logs for violations
- Verify backup completion
Weekly Security Tasks (30 minutes)
- Review all SIEM alerts
- Check for Siemens security advisories
- Review access logs
- Update asset inventory (if changes)
Monthly Security Tasks (2-4 hours)
- User access review/recertification
- Review and update firewall rules
- Vulnerability scan (safe profile)
- Security awareness reminder
- Review incident log
Quarterly Security Tasks (1-2 days)
- Full vulnerability assessment
- Test backup/recovery
- Review and update policies
- Physical security inspection
- Internal audit
- Tabletop exercise
Annual Security Tasks (1-2 weeks)
- Full security audit
- Penetration testing (test environment)
- Risk assessment update
- All policies and procedures review
- Disaster recovery test
- Security training (all staff)
- Contract/vendor reviews
Glossary
ACL (Access Control List): List of permissions attached to an object DMZ (Demilitarized Zone): Network segment that sits between internal and external networks ICS (Industrial Control System): Generic term for control systems including SCADA, DCS, PLC IDS (Intrusion Detection System): Monitors network traffic for suspicious activity IPS (Intrusion Prevention System): IDS that can also block threats OT (Operational Technology): Hardware and software controlling physical processes PLC (Programmable Logic Controller): Digital computer for automation SCADA (Supervisory Control and Data Acquisition): System for remote monitoring and control SIEM (Security Information and Event Management): Centralized logging and analysis SL (Security Level): IEC 62443 measure of protection against threats VPN (Virtual Private Network): Encrypted connection over public network
Document Version: 1.0
Last Updated: February 16, 2026
Based On: IEC 62443, NIST SP 800-82, CISA Guidelines
Intended Audience: Control System Engineers, ICS Security Professionals, Plant Managers