Dejan/Network-secrity-guide
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity
Network-secrity-guide/industrial-network-security-guide.md
Dejan 46161ab057 Upload files to "/"
2026-02-16 19:48:24 +00:00

1484 lines
40 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Industrial Network Security Best Practices Guide
## Comprehensive Security for PLC and SCADA Systems
**Based on IEC 62443 Standards and Defense-in-Depth Principles**
---
## Table of Contents
1. [Introduction](#introduction)
2. [Security Frameworks and Standards](#security-frameworks-and-standards)
3. [Defense-in-Depth Strategy](#defense-in-depth-strategy)
4. [Network Segmentation (Zones and Conduits)](#network-segmentation)
5. [Siemens S7 PLC Specific Security](#siemens-s7-security)
6. [Implementation Checklist](#implementation-checklist)
7. [Security Assessment Procedures](#security-assessment)
8. [Ongoing Monitoring and Maintenance](#ongoing-monitoring)
9. [Incident Response](#incident-response)
10. [Compliance and Documentation](#compliance)
---
## 1. Introduction
### Why Industrial Network Security Matters
Industrial Control Systems (ICS) and Operational Technology (OT) environments face unique cybersecurity challenges:
- **Safety Critical**: Cyber attacks can cause physical harm, environmental damage, or loss of life
- **High Availability Requirements**: Production systems require 24/7 uptime
- **Long Lifecycles**: Equipment may operate for 20+ years with outdated software
- **Convergence of IT/OT**: Increasing connectivity exposes OT to IT-based threats
- **Targeted Attacks**: Nation-states and cybercriminals specifically target critical infrastructure
### Real-World Consequences
**Stuxnet (2010)**: Destroyed Iranian nuclear centrifuges via compromised Siemens S7 PLCs
**Ukraine Power Grid (2015)**: BlackEnergy malware caused blackouts affecting 230,000 people
**Triton/Trisis (2017)**: Targeted safety systems in petrochemical plant
**Colonial Pipeline (2021)**: Ransomware caused major fuel shortage in US
---
## 2. Security Frameworks and Standards
### IEC 62443 - The Gold Standard for Industrial Cybersecurity
IEC 62443 is the international standard specifically designed for Industrial Automation and Control Systems (IACS) security.
#### IEC 62443 Structure
The standard is divided into 4 main categories:
**1. General (IEC 62443-1-x)**
- Terminology, concepts, and models
- Foundation for the entire standard
- Defines security levels and zones
**2. Policies and Procedures (IEC 62443-2-x)**
- Cybersecurity management system requirements
- Risk assessment methodology
- Patch management and incident response
**3. System (IEC 62443-3-x)**
- System-level security requirements
- Network segmentation (zones and conduits)
- Security risk assessment for systems
**4. Component (IEC 62443-4-x)**
- Product development lifecycle requirements
- Component technical security requirements
- Secure coding and vulnerability management
#### Security Levels (SL) in IEC 62443
The standard defines 4 security levels based on threat capability:
| Security Level | Threat Type | Attacker Profile |
|----------------|-------------|------------------|
| **SL 0** | No special requirement | None |
| **SL 1** | Protection against casual or coincidental violation | Unskilled individual using simple means |
| **SL 2** | Protection against intentional violation using simple means | Skilled individual using simple means with low resources |
| **SL 3** | Protection against intentional violation using sophisticated means | Skilled individual with moderate resources and IACS-specific skills |
| **SL 4** | Protection against intentional violation using sophisticated means with extended resources | Highly skilled and motivated organization with extensive resources |
**Typical Target Levels:**
- Critical Infrastructure: SL 2-3
- High-Risk Facilities: SL 3-4
- Standard Industrial Plants: SL 1-2
### Other Relevant Standards
**NIST SP 800-82**: Guide to Industrial Control Systems (ICS) Security
**NIST Cybersecurity Framework (CSF)**: Identify, Protect, Detect, Respond, Recover
**ISO/IEC 27001**: Information Security Management Systems
**IEC 61511**: Safety Instrumented Systems (SIS) security
---
## 3. Defense-in-Depth Strategy
Defense-in-Depth applies **multiple layers of security controls** throughout the industrial network, ensuring that if one layer fails, others continue to provide protection.
### Core Principles
1. **Layered Security**: No single point of failure
2. **Diversity**: Use different types of security controls
3. **Fail-Safe Design**: Systems fail to a secure state
4. **Least Privilege**: Minimum access necessary
5. **Separation of Duties**: No single person has complete control
### The Seven Layers of Defense
```
Layer 7: Policies, Procedures & Awareness
Layer 6: Physical Security
Layer 5: Perimeter Security (Firewalls, DMZ)
Layer 4: Network Security (Segmentation, VLANs, IDS)
Layer 3: Host Security (Hardening, Antivirus, Patching)
Layer 2: Application Security (Authentication, Encryption)
Layer 1: Data Security (Encryption, Backup, Integrity)
```
### Implementation Strategy
**Physical Layer:**
- Locked server rooms and control cabinets
- Access control systems (badge readers)
- CCTV monitoring
- Tamper-evident seals on critical equipment
**Network Layer:**
- Firewalls between zones
- Network segmentation (VLANs)
- Intrusion Detection Systems (IDS)
- Data diodes for one-way communication
**System Layer:**
- Operating system hardening
- Disable unnecessary services
- Application whitelisting
- Regular security updates and patches
**Application Layer:**
- Strong authentication (passwords, 2FA)
- Role-based access control (RBAC)
- Secure coding practices
- Input validation
**Data Layer:**
- Encryption at rest and in transit
- Regular backups (3-2-1 rule)
- Data integrity checks
- Secure data destruction
**People Layer:**
- Security awareness training
- Background checks for critical roles
- Documented security policies
- Incident response procedures
---
## 4. Network Segmentation (Zones and Conduits)
### The Purdue Model
The Purdue Enterprise Reference Architecture (PERA) is the foundation for ICS network segmentation:
```
Level 5: Enterprise Network (ERP, Email, Internet)
↓ DMZ / Firewall
Level 4: Business Planning & Logistics (MES, Historian)
↓ DMZ / Firewall
Level 3: Operations Management (SCADA, HMI)
↓ Industrial Firewall
Level 2: Area Supervisory Control (PLC, DCS)
↓ Industrial Switch
Level 1: Basic Control (PLC, RTU, Field Devices)
↓ Field Network
Level 0: Process (Sensors, Actuators, Motors)
```
### Zones and Conduits (IEC 62443-3-2)
**Zone**: A grouping of logical or physical assets that share common security requirements
**Conduit**: A logical grouping of communication channels connecting two or more zones
#### Example Zone Structure
**Zone 1: Enterprise Network**
- Business systems (ERP, email, file servers)
- Internet connectivity
- Office workstations
**Zone 2: DMZ (Demilitarized Zone)**
- Historian servers
- Data diodes
- Application servers accessible from both enterprise and control
**Zone 3: Control Network (Level 3)**
- SCADA servers
- HMI workstations
- Engineering workstations
**Zone 4: Process Control Network (Level 2)**
- PLCs (Siemens S7-1200/1500)
- DCS controllers
- Safety systems (SIS)
**Zone 5: Field Device Network (Level 1-0)**
- I/O modules
- Remote I/O
- Sensors and actuators
#### Conduit Security Requirements
Each conduit between zones must implement appropriate security controls:
| Conduit | Source Zone | Dest Zone | Security Requirements |
|---------|-------------|-----------|----------------------|
| C1 | Enterprise | DMZ | Corporate Firewall, VPN, Authentication |
| C2 | DMZ | Control Network | Industrial Firewall, Unidirectional Gateway |
| C3 | Control Network | Process Network | Industrial Switch with ACLs, Port Security |
| C4 | Process Network | Field Devices | Encrypted protocols (if supported), Physical isolation |
### Network Segmentation Best Practices
1. **Air-Gap Critical Systems**: Physically separate safety-critical systems
2. **Use Industrial Firewalls**: Commercial IT firewalls are not sufficient
3. **Implement Data Diodes**: For one-way data transfer from OT to IT
4. **VLANs for Logical Separation**: When physical separation isn't possible
5. **Limit Communication Paths**: Only allow necessary connections
6. **Monitor All Boundaries**: IDS/IPS at each zone boundary
---
## 5. Siemens S7 PLC Specific Security
### S7-1200/1500 Security Features
#### 1. Access Protection (Password Protection)
**Protection Levels:**
- **No Protection**: Full read/write access
- **Write Protection**: Read-only access without password
- **Read/Write Protection**: Password required for all access
- **Complete Protection + Integrity**: Strongest protection including know-how protection
**Configuration in TIA Portal:**
```
1. Open PLC properties
2. Go to "Protection & Security"
3. Set "Protection level"
4. Enter strong password (min. 8 characters)
5. Enable "Copy protection" for intellectual property
```
**Best Practice**: Use Read/Write Protection or Complete Protection for production PLCs
#### 2. IP Access Control Lists (ACLs)
Restrict which devices can communicate with the PLC by IP address.
**Configuration:**
```
1. PLC Properties → Protection & Security → Connection mechanisms
2. Enable "Permit access only for the following IP addresses/subnets"
3. Add authorized IPs:
- Engineering station: 192.168.10.50/32
- HMI: 192.168.10.60/32
- SCADA server: 192.168.10.70/32
4. Deny all other connections
```
#### 3. Communication Encryption
**CP 1543-1 Communication Processor:**
- Built-in VPN functionality (IPsec)
- Integrated firewall
- Supports encrypted S7 communication
**Configuration Steps:**
1. Install CP 1543-1 module in PLC
2. Configure VPN tunnel in TIA Portal
3. Set up IPsec parameters (AES-256 encryption)
4. Configure firewall rules
#### 4. Firmware Updates and Patch Management
**Check Current Firmware:**
```
TIA Portal → Online & Diagnostics → Device Information → Firmware Version
```
**Update Process:**
1. Download firmware from Siemens Support Portal
2. Verify firmware signature
3. Test in non-production environment first
4. Schedule maintenance window
5. Backup PLC program before updating
6. Update via TIA Portal → Online Tools → Firmware Update
**Subscribe to Siemens ProductCERT:**
- URL: https://www.siemens.com/cert
- Receive security advisories for vulnerabilities
- CSAF format for automated processing
#### 5. Disable Unused Services
**Services to Disable (if not needed):**
- Web Server (HTTP/HTTPS)
- FTP Server
- SNMP
- Modbus TCP (if using only S7 communication)
- OPC UA (if not required)
**Configuration:**
```
Device Properties → System and Clock Memory → Web server
□ Enable web server (uncheck if not needed)
```
#### 6. Secure Physical Access
**S7-1500 Front Flap Lock:**
- Prevents unauthorized access to:
- SIMATIC memory card
- Mode selector
- Display and buttons
**Configuration:**
1. Insert locking latch into front flap
2. Physical key required to open
3. Document key location in security procedures
#### 7. Network Services Security
**Default Ports Used by S7-1200/1500:**
| Port | Protocol | Service | Security Action |
|------|----------|---------|----------------|
| 102 | TCP | S7 Communication | Firewall, ACLs |
| 80 | TCP | HTTP Web Server | Disable or use HTTPS only |
| 443 | TCP | HTTPS Web Server | Enable with certificates |
| 161 | UDP | SNMP | Disable if not needed |
| 20000 | TCP | PN DCP | Limit to local segment |
**Firewall Rules Example (iptables):**
```bash
# Allow S7 communication only from authorized IPs
iptables -A INPUT -p tcp --dport 102 -s 192.168.10.50 -j ACCEPT
iptables -A INPUT -p tcp --dport 102 -s 192.168.10.60 -j ACCEPT
iptables -A INPUT -p tcp --dport 102 -j DROP
# Block web server from external access
iptables -A INPUT -p tcp --dport 80 -s 192.168.10.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
```
### Common S7 Vulnerabilities and Mitigations
#### CVE-2016-9159: Credential Disclosure
**Affected**: S7-300, S7-400 (older firmware)
**Risk**: Password can be extracted via network access to port 102
**Mitigation**:
1. Update to latest firmware
2. Implement network segmentation
3. Use CP modules with firewall
4. Monitor port 102 access
#### CVE-2019-13945: Denial of Service
**Affected**: S7-1200, S7-1500 (certain firmware versions)
**Risk**: Specially crafted packets can crash PLC
**Mitigation**:
1. Update firmware to latest version
2. Implement IDS to detect malformed packets
3. Firewall rules to filter suspicious traffic
#### Lack of Native Authentication
**Issue**: S7 protocol doesn't require authentication by default
**Mitigation**:
1. Use IP Access Control Lists
2. Network segmentation
3. VPN for remote access
4. Consider CP modules with VPN/firewall
---
## 6. Implementation Checklist
### Phase 1: Assessment and Planning (Weeks 1-4)
#### Week 1: Asset Inventory
- [ ] Document all PLCs (model, firmware version, location)
- [ ] Map network topology (create network diagrams)
- [ ] Identify all communication paths
- [ ] List all access points (local and remote)
- [ ] Document current security measures
**Tools:**
- Nmap for network discovery
- Siemens SINEC NMS for asset management
- Network documentation software (Visio, Lucidchart)
#### Week 2: Risk Assessment
- [ ] Identify critical assets and processes
- [ ] Evaluate potential threats (insider, external, accidental)
- [ ] Assess current vulnerabilities
- [ ] Determine Security Level targets (SL-T) per IEC 62443
- [ ] Prioritize risks (high/medium/low)
**Risk Assessment Matrix:**
```
Impact vs. Likelihood:
Low Medium High
High | Med | High | Critical
Medium | Low | Med | High
Low | Low | Low | Med
```
#### Week 3: Gap Analysis
- [ ] Compare current state to IEC 62443 requirements
- [ ] Identify missing security controls
- [ ] Document technical debt
- [ ] Estimate remediation effort and cost
- [ ] Create prioritized remediation plan
#### Week 4: Policy and Procedure Development
- [ ] Write/update cybersecurity policy
- [ ] Define roles and responsibilities
- [ ] Create access control procedures
- [ ] Develop incident response plan
- [ ] Establish change management process
### Phase 2: Quick Wins (Weeks 5-8)
#### Immediate Actions (No Downtime Required)
- [ ] Enable PLC password protection (all PLCs)
- [ ] Configure IP Access Control Lists
- [ ] Disable unused PLC services
- [ ] Change all default passwords
- [ ] Enable logging on network devices
- [ ] Document all changes
#### Low-Risk Improvements
- [ ] Install antivirus on HMI/SCADA systems
- [ ] Enable Windows Firewall on operator stations
- [ ] Implement USB device controls
- [ ] Create baseline configurations for all systems
- [ ] Set up centralized log collection
### Phase 3: Network Segmentation (Weeks 9-16)
#### Design Phase
- [ ] Design zone and conduit architecture
- [ ] Plan VLAN structure
- [ ] Select firewall/switch hardware
- [ ] Create detailed implementation plan
- [ ] Schedule maintenance windows
#### Implementation Phase
- [ ] Install firewalls between zones
- [ ] Configure VLANs on switches
- [ ] Set up firewall rules (whitelist approach)
- [ ] Install IDS/IPS sensors
- [ ] Test all communication paths
- [ ] Document new architecture
**Firewall Rule Template:**
```
Source Zone: Level 3 (SCADA)
Dest Zone: Level 2 (PLCs)
Protocol: TCP
Port: 102
Action: ALLOW
Log: Yes
```
### Phase 4: Advanced Security Controls (Weeks 17-24)
#### System Hardening
- [ ] Harden all Windows systems (CIS benchmarks)
- [ ] Implement application whitelisting
- [ ] Deploy endpoint protection
- [ ] Configure secure logging (SIEM)
- [ ] Enable file integrity monitoring
#### Access Control
- [ ] Implement multi-factor authentication (MFA)
- [ ] Deploy jump servers for remote access
- [ ] Configure VPN with strong encryption
- [ ] Establish privileged access management (PAM)
- [ ] Create audit trails for all access
#### Monitoring and Detection
- [ ] Deploy network monitoring (IDS/IPS)
- [ ] Configure SIEM alerts
- [ ] Establish baseline behavior
- [ ] Create detection use cases
- [ ] Set up automated alerting
### Phase 5: Testing and Validation (Weeks 25-28)
#### Security Testing
- [ ] Vulnerability scanning (authenticated scans only)
- [ ] Penetration testing (with extreme caution)
- [ ] Firewall rule testing
- [ ] Incident response tabletop exercise
- [ ] Disaster recovery test
- [ ] User awareness testing (phishing simulation)
**IMPORTANT**: Never perform aggressive testing on production OT systems
#### Validation Checklist
- [ ] All PLCs have password protection
- [ ] IP ACLs configured on all PLCs
- [ ] Unnecessary services disabled
- [ ] Firewalls between all zones
- [ ] Remote access requires VPN + MFA
- [ ] All systems logging to SIEM
- [ ] Backup and recovery tested
- [ ] Incident response plan tested
### Phase 6: Continuous Improvement (Ongoing)
#### Monthly Tasks
- [ ] Review firewall logs
- [ ] Check for firmware updates
- [ ] Review access logs
- [ ] Update asset inventory
- [ ] Security awareness training reminder
#### Quarterly Tasks
- [ ] Vulnerability assessment
- [ ] Review and update policies
- [ ] Access rights review (recertification)
- [ ] Test backups
- [ ] Review IDS/IPS alerts
#### Annual Tasks
- [ ] Full security audit
- [ ] Penetration test (controlled environment)
- [ ] Update risk assessment
- [ ] Incident response drill
- [ ] Review and update BCP/DR plans
- [ ] Security awareness training (full program)
---
## 7. Security Assessment Procedures
### Pre-Assessment Preparation
#### Safety First
**CRITICAL**: OT security assessments can disrupt operations or cause safety issues.
**Before Any Assessment:**
1. Obtain written approval from operations manager
2. Schedule during planned maintenance window
3. Have control system engineers on-site
4. Test all procedures in non-production environment first
5. Prepare rollback plan
6. Brief safety personnel
### Assessment Levels
#### Level 1: Passive Assessment (No Risk)
**Activities:**
- Document review
- Architecture review
- Policy and procedure review
- Interviews with staff
- Review of logs and reports
**Tools**: None (manual review)
#### Level 2: Network Monitoring (Minimal Risk)
**Activities:**
- Passive network traffic capture
- Protocol analysis
- Device discovery (passive)
- Baseline establishment
**Tools**:
- Wireshark
- Nozomi Networks
- Claroty
- Dragos Platform
#### Level 3: Active Scanning (Low Risk)
**Activities:**
- Network discovery (active)
- Service enumeration
- OS fingerprinting
- Credential validation
**Tools** (use with caution):
- Nmap (with rate limiting)
- Siemens SINEC NMS
- Tenable.sc (ICS profile)
**Configuration Example (Safe Nmap Scan):**
```bash
# Safe, slow scan for S7 PLCs
nmap -sT -T1 --max-rate 10 -p 102 --script s7-info 192.168.10.0/24
# Explanation:
# -sT: TCP connect scan (not SYN scan)
# -T1: Slowest timing template
# --max-rate 10: Max 10 packets/second
# -p 102: Only S7 port
# --script s7-info: Siemens-specific enumeration
```
#### Level 4: Vulnerability Scanning (Medium Risk)
**Activities:**
- Authenticated vulnerability scans
- Configuration compliance checks
- Missing patch identification
**Tools**:
- Tenable.sc with ICS plugin
- Rapid7 Nexpose
- Qualys VM
**CRITICAL Requirements:**
1. Test in lab environment first
2. Use ICS-specific scan profiles
3. Schedule during maintenance window
4. Have control engineers present
5. Start with single device
6. Monitor PLC scan time and CPU load
#### Level 5: Penetration Testing (High Risk)
**ONLY in isolated test environment or with extreme caution**
**Activities:**
- Exploit validation
- Privilege escalation
- Lateral movement testing
- Data exfiltration simulation
**Requirements:**
- Dedicated test network
- Replica of production environment
- Experienced ICS penetration testers
- 24/7 on-site support
- Detailed test plan approved by all stakeholders
### Step-by-Step Security Assessment
#### Step 1: Information Gathering (Passive)
**Objective**: Understand the environment without touching systems
**Tasks:**
1. Review network diagrams
2. Document all PLCs and versions
3. Identify communication protocols
4. Map data flows
5. Review existing security controls
6. Identify critical assets
**Deliverable**: Asset inventory and network map
#### Step 2: Vulnerability Identification
**2a. Configuration Review**
```bash
# Check for common misconfigurations
# PLC Password Protection
✓ Is password protection enabled?
✓ Password meets complexity requirements? (min 8 chars)
✓ Password documented in secure location?
# Network Access
✓ Are IP ACLs configured?
✓ Is web server disabled (if not needed)?
✓ Are unused protocols disabled?
# Firmware
✓ Firmware version documented?
✓ Firmware up to date?
✓ Update process documented?
```
**2b. Network Vulnerability Scan**
```bash
# Use Nmap safely for S7 PLCs
nmap -sT -T1 -p 102,80,443,161 --max-rate 5 192.168.10.100
# Check results for:
# - Open ports (should only be 102 if others disabled)
# - Service versions
# - Banner information
```
**2c. Known Vulnerability Check**
- Check Siemens ProductCERT advisories
- Compare firmware version to CVE database
- Review CISA ICS-CERT advisories
#### Step 3: Risk Evaluation
**Risk Scoring:**
```
Risk = Likelihood × Impact × Exploitability
Likelihood (1-5):
1 = Very unlikely
3 = Possible
5 = Very likely
Impact (1-5):
1 = Minimal
3 = Moderate (production delay)
5 = Critical (safety hazard)
Exploitability (1-5):
1 = Very difficult (requires insider access)
3 = Moderate (requires some skill)
5 = Easy (public exploit available)
```
**Example:**
- Finding: PLC has no password protection
- Likelihood: 4 (network accessible)
- Impact: 5 (controls safety system)
- Exploitability: 5 (trivial to access)
- Risk Score: 4 × 5 × 5 = 100 (CRITICAL)
#### Step 4: Reporting
**Report Structure:**
1. Executive Summary
2. Scope and Methodology
3. Asset Inventory
4. Findings (organized by severity)
5. Risk Assessment
6. Recommendations (prioritized)
7. Remediation Plan
**Finding Template:**
```
FINDING ID: VUL-001
SEVERITY: Critical
TITLE: PLC Password Protection Disabled
DESCRIPTION: S7-1200 at 192.168.10.100 has no password protection
IMPACT: Unauthorized user can read/modify PLC program, causing safety hazard
LIKELIHOOD: High (network accessible from control network)
EXPLOITABILITY: High (no authentication required)
AFFECTED SYSTEMS: PLC-REACTOR-01 (192.168.10.100)
RECOMMENDATION: Enable Read/Write Protection with strong password
EFFORT: Low (15 minutes per PLC)
PRIORITY: 1 (Critical - remediate within 24 hours)
```
---
## 8. Ongoing Monitoring and Maintenance
### Continuous Monitoring Strategy
#### What to Monitor
**Network Level:**
- Firewall rule violations
- Unauthorized connection attempts
- Protocol anomalies
- Bandwidth utilization
- New devices on network
**System Level:**
- Login attempts (successful and failed)
- Configuration changes
- Firmware updates
- Service start/stop
- Antivirus alerts
**Application Level:**
- PLC mode changes (RUN/STOP)
- Program uploads/downloads
- Recipe changes
- Setpoint modifications
- Alarm patterns
**Physical Level:**
- Door access events
- CCTV events
- Environmental sensors (temperature, humidity)
### Monitoring Tools
#### Network IDS/IPS for OT
**Commercial Solutions:**
- Nozomi Networks Guardian
- Claroty
- Dragos Platform
- Fortinet FortiGate (OT-specific)
- Cisco Cyber Vision
**Open Source:**
- Snort (with OT rules)
- Suricata (with ICS signatures)
- Zeek (formerly Bro) with S7Comm analyzer
#### SIEM Integration
**Popular SIEM Solutions:**
- Splunk (with ICS apps)
- IBM QRadar
- ArcSight
- LogRhythm
**Key Log Sources:**
1. Firewall logs
2. IDS/IPS alerts
3. Windows Event Logs (HMI, Engineering stations)
4. PLC audit logs (if available)
5. Switch logs (MAC address changes, port security)
6. VPN access logs
7. Physical access control logs
### Alert Configuration
#### Critical Alerts (Immediate Response)
```
1. PLC Program Download
- Trigger: S7 WRITE command to program blocks
- Action: Page on-call engineer, log event
2. PLC Mode Change (RUN → STOP)
- Trigger: PLC state change
- Action: Alert operations, investigate
3. Unauthorized IP Connection
- Trigger: Connection from IP not in whitelist
- Action: Block IP, alert security team
4. Multiple Failed Login Attempts
- Trigger: 3 failed logins within 5 minutes
- Action: Lock account, alert security
5. New Device on Control Network
- Trigger: New MAC address detected
- Action: Alert network admin, investigate
```
#### Warning Alerts (Review Within 24h)
```
1. Configuration Change
2. Firmware Update
3. New user account created
4. Privilege escalation
5. Anomalous protocol usage
```
### Patch Management
#### Siemens S7 Patch Process
**1. Monitor for Updates**
- Subscribe to Siemens ProductCERT: https://www.siemens.com/cert
- Check TIA Portal updates monthly
- Review security advisories
**2. Evaluate Patches**
```
For each patch, assess:
- Severity: Critical / High / Medium / Low
- Applicability: Does it affect our systems?
- Impact: Will it affect production?
- Prerequisites: Required firmware version?
- Testing: Can we test in lab first?
```
**3. Test in Non-Production**
- Apply patch to lab PLC
- Run full functional tests
- Monitor for 48 hours
- Document any issues
**4. Schedule Production Update**
- Coordinate with operations
- Schedule maintenance window
- Prepare rollback plan
- Notify all stakeholders
**5. Apply and Verify**
```
Pre-Update:
- Backup PLC program
- Document current firmware version
- Take screenshot of diagnostics
Update:
- Apply firmware update
- Verify version number
- Run functional tests
Post-Update:
- Monitor for 24 hours
- Document completion
- Update asset inventory
```
**6. Document**
- Update change log
- Record in CMDB
- Update network diagram if needed
#### Patch Priority Matrix
| Severity | Affected Systems | Priority | Timeline |
|----------|-----------------|----------|----------|
| Critical | Safety Systems | P1 | 7 days |
| Critical | Production Systems | P2 | 30 days |
| High | Safety Systems | P2 | 30 days |
| High | Production Systems | P3 | 90 days |
| Medium | Any | P4 | Next maintenance window |
| Low | Any | P5 | Annual review |
### Backup and Recovery
#### PLC Backup Strategy
**What to Backup:**
- PLC program (complete project)
- Configuration (IP address, parameters)
- Firmware version (document for reinstall)
- Hardware configuration
- Documentation (I/O lists, functional specs)
**Backup Frequency:**
- After any program change (immediate)
- Weekly (automated if possible)
- Before firmware updates
- Before major maintenance
**Backup Storage:**
- Primary: Network location (secured)
- Secondary: External hard drive (offline)
- Tertiary: Off-site (cloud or remote facility)
- Follow 3-2-1 rule: 3 copies, 2 media types, 1 off-site
**TIA Portal Backup Process:**
```
1. Open project in TIA Portal
2. Project → Archive...
3. Select "Create archive with all files"
4. Name with date: "PLC_REACTOR_2026-02-16.zap"
5. Save to secure network location
6. Verify archive integrity
7. Document in backup log
```
**Recovery Testing:**
- Test recovery quarterly
- Document recovery time objective (RTO)
- Practice in lab environment
- Train multiple personnel on recovery
---
## 9. Incident Response
### Incident Response Plan
#### Phase 1: Preparation
**Pre-Incident Checklist:**
- [ ] Incident response team identified (roles assigned)
- [ ] Contact list maintained (on-call rotation)
- [ ] Communication plan established
- [ ] Forensic tools prepared
- [ ] Backup systems verified
- [ ] Tabletop exercises conducted (annually)
**IR Team Roles:**
- **Incident Commander**: Overall response coordination
- **Operations Lead**: Production continuity
- **Safety Lead**: Safety assessment and procedures
- **Technical Lead**: System investigation and remediation
- **Communications Lead**: Internal and external communications
- **Legal/Compliance**: Regulatory requirements
#### Phase 2: Detection and Analysis
**Detection Methods:**
1. SIEM alerts
2. IDS/IPS alarms
3. Operator reports
4. Anomaly detection
5. External notification (vendor, CERT)
**Initial Response (First 15 minutes):**
```
1. Alert incident commander
2. Assess safety impact
3. Isolate affected systems (if safe to do so)
4. Preserve evidence
5. Begin documentation
```
**Incident Classification:**
| Severity | Definition | Response Time | Escalation |
|----------|-----------|---------------|------------|
| **Critical** | Safety impact or major production loss | Immediate | Executive team, authorities |
| **High** | Production impact but no safety concern | Within 1 hour | Management, legal |
| **Medium** | Limited impact, contained | Within 4 hours | IR team only |
| **Low** | No operational impact | Next business day | Technical team |
#### Phase 3: Containment
**Short-Term Containment:**
- Isolate affected network segment
- Disconnect from external networks
- Change credentials
- Block malicious IPs
- Switch to backup systems (if available)
**Long-Term Containment:**
- Rebuild compromised systems
- Implement additional controls
- Enhanced monitoring
- Forensic analysis
**Containment Decision Matrix:**
For PLC Compromise:
```
Question 1: Is safety at risk?
→ YES: Immediately switch to manual control / shutdown
→ NO: Proceed to Q2
Question 2: Is production at risk?
→ YES: Isolate PLC, switch to backup if available
→ NO: Proceed to Q3
Question 3: Can we contain without interruption?
→ YES: Isolate network segment, monitor
→ NO: Schedule emergency maintenance
```
#### Phase 4: Eradication
**Steps:**
1. Identify root cause
2. Remove malware/backdoors
3. Close vulnerability
4. Patch systems
5. Validate removal
6. Restore from clean backup
**For Compromised PLC:**
```
1. Disconnect PLC from network
2. Clear PLC memory (factory reset if needed)
3. Update firmware to latest version
4. Restore program from verified clean backup
5. Change all passwords
6. Reconfigure IP ACLs
7. Validate against known-good configuration
8. Test offline before reconnecting
```
#### Phase 5: Recovery
**Recovery Checklist:**
- [ ] Affected systems rebuilt/restored
- [ ] Security controls verified
- [ ] Monitoring enhanced
- [ ] Credentials rotated
- [ ] Communications to stakeholders
- [ ] Operations returned to normal
- [ ] Increased monitoring period (48-72 hours)
#### Phase 6: Post-Incident Activities
**Lessons Learned Meeting (within 2 weeks):**
1. Timeline review
2. What went well?
3. What could be improved?
4. Action items (assign owners and due dates)
**Incident Report Contents:**
1. Executive summary
2. Incident timeline
3. Root cause analysis
4. Impact assessment (financial, operational, safety)
5. Response actions taken
6. Lessons learned
7. Recommendations
8. Action plan
**Follow-Up Actions:**
- Update incident response plan
- Update detection rules
- Implement preventive controls
- Training for staff
- Share findings (anonymized) with industry
### Reporting Requirements
#### Internal Reporting
- Immediate: Safety/operations management
- Within 24h: Executive team
- Within 1 week: Complete incident report
#### External Reporting
**Regulatory (if applicable):**
- NERC CIP (electric sector): Within 1 hour for critical incidents
- TSA (pipelines/rail): Within 24 hours
- EPA (water): Within requirements
- OSHA (safety incident): Within 8 hours for fatality/hospitalization
**Industry Sharing:**
- ICS-CERT (CISA): Voluntary but recommended
- Information Sharing and Analysis Centers (ISACs)
- Local law enforcement (if criminal)
---
## 10. Compliance and Documentation
### Documentation Requirements
#### Security Documentation Repository
**1. Policies and Standards**
- Information Security Policy
- Acceptable Use Policy
- Password Policy
- Change Management Policy
- Incident Response Policy
- Access Control Policy
**2. Procedures**
- System Hardening Procedures
- Backup and Recovery Procedures
- Patch Management Procedures
- User Access Provisioning/Deprovisioning
- Vendor Access Procedures
- Incident Response Procedures
**3. Technical Documentation**
- Network Architecture Diagrams
- Asset Inventory (with security controls)
- Firewall Configurations and Rule Sets
- PLC Configurations (baseline)
- System Baseline Configurations
- Data Flow Diagrams
**4. Risk Management**
- Risk Assessment Results
- Risk Register (tracking all identified risks)
- Risk Treatment Plans
- Security Control Matrices
- Compliance Gap Analysis
**5. Operations**
- Change Logs
- Incident Logs
- Access Logs Reviews
- Audit Reports
- Test Results (vulnerability scans, penetration tests)
- Training Records
### Audit and Compliance
#### Internal Audits
**Quarterly Audit Checklist:**
**Access Control:**
- [ ] User access reviews completed
- [ ] Privileged access reviewed
- [ ] Terminated user accounts disabled
- [ ] Password policy compliance
- [ ] MFA enabled for remote access
**Change Management:**
- [ ] All changes documented in change log
- [ ] Changes approved before implementation
- [ ] Testing performed per requirements
- [ ] Rollback plans documented
**Patch Management:**
- [ ] Patch inventory current
- [ ] Critical patches applied per timeline
- [ ] Patch testing documented
- [ ] Exceptions documented and approved
**Backup/Recovery:**
- [ ] Backups performed per schedule
- [ ] Backup integrity verified
- [ ] Recovery test performed (quarterly)
- [ ] Off-site backup verified
**Security Controls:**
- [ ] Antivirus definitions current
- [ ] Firewall rules reviewed
- [ ] IDS/IPS signatures updated
- [ ] Log collection verified
- [ ] Physical security controls verified
**Training and Awareness:**
- [ ] Annual security training completed
- [ ] Phishing simulations performed
- [ ] Incident response training conducted
- [ ] New employee orientation completed
#### External Audits
**Preparation:**
1. Gather all required documentation
2. Review previous audit findings
3. Verify all action items completed
4. Conduct pre-audit self-assessment
5. Assign audit coordinator
**Common Audit Frameworks:**
- IEC 62443 (ISASecure certification)
- NERC CIP (electric sector)
- NIST CSF
- ISO 27001
- SOC 2 Type II
**Audit Evidence Examples:**
- Screenshots of configurations
- Log excerpts
- Access control lists
- Change management tickets
- Training completion records
- Incident response logs
### Regulatory Compliance
#### Industry-Specific Requirements
**Critical Manufacturing:**
- CISA guidelines
- State-specific requirements
**Electric Sector:**
- NERC CIP (Critical Infrastructure Protection)
- FERC regulations
**Water/Wastewater:**
- EPA regulations
- America's Water Infrastructure Act (AWIA)
**Chemical:**
- CFATS (Chemical Facility Anti-Terrorism Standards)
- Process Safety Management (PSM)
**Oil and Gas:**
- TSA pipeline security
- API standards
---
## Appendices
### Appendix A: Useful Commands and Scripts
#### Network Discovery (Safe for OT)
```bash
# Passive network monitoring
tcpdump -i eth0 -w capture.pcap 'port 102'
# Safe Nmap scan for S7 PLCs
nmap -sT -T1 --max-rate 5 -p 102 --script s7-info <IP_RANGE>
# Check specific PLC
nmap -sT -p 102,80,443 192.168.10.100
```
#### Firewall Rule Examples
**IPTables (Linux):**
```bash
# Allow S7 communication from HMI only
iptables -A FORWARD -s 192.168.10.50 -d 192.168.10.100 -p tcp --dport 102 -j ACCEPT
iptables -A FORWARD -d 192.168.10.100 -p tcp --dport 102 -j LOG --log-prefix "BLOCKED_S7: "
iptables -A FORWARD -d 192.168.10.100 -p tcp --dport 102 -j DROP
# Block all traffic between IT and OT zones except via DMZ
iptables -A FORWARD -s 192.168.1.0/24 -d 192.168.10.0/24 -j DROP
```
**Cisco ASA:**
```
! Allow S7 from SCADA to PLC network
access-list SCADA_TO_PLC extended permit tcp object SCADA_NETWORK object PLC_NETWORK eq 102
access-list SCADA_TO_PLC extended deny ip any any log
! Apply to interface
access-group SCADA_TO_PLC in interface inside
```
### Appendix B: Security Assessment Template
```markdown
# Security Assessment Report
## Executive Summary
- Assessment Date: _______________
- Scope: _________________________
- Overall Risk Rating: ____________
## Findings Summary
- Critical: ___
- High: ___
- Medium: ___
- Low: ___
## Top 5 Risks
1. [Finding ID] [Title] - [Risk Score]
2. [Finding ID] [Title] - [Risk Score]
3. [Finding ID] [Title] - [Risk Score]
4. [Finding ID] [Title] - [Risk Score]
5. [Finding ID] [Title] - [Risk Score]
## Detailed Findings
### Finding 1: [Title]
- **Severity**: Critical/High/Medium/Low
- **Risk Score**: ___
- **Affected Systems**: ___
- **Description**: ___
- **Impact**: ___
- **Recommendation**: ___
- **Priority**: ___
- **Estimated Effort**: ___
[Repeat for each finding]
## Remediation Plan
[Prioritized list of remediation actions with timeline]
```
### Appendix C: Emergency Contact List Template
```
INCIDENT RESPONSE TEAM
Incident Commander:
Name: _______________
Phone: _______________
Email: _______________
Operations Lead:
Name: _______________
Phone: _______________
Email: _______________
Technical Lead:
Name: _______________
Phone: _______________
Email: _______________
Safety Lead:
Name: _______________
Phone: _______________
Email: _______________
EXTERNAL CONTACTS
Siemens Support: 1-800-XXX-XXXX
Local FBI Cyber: _______________
CISA (ICS-CERT): 888-282-0870 / ics-cert@cisa.dhs.gov
Local Law Enforcement: 911
```
### Appendix D: Training Resources
**Free Training:**
- CISA ICS Training: https://www.cisa.gov/ics-training-catalog
- SANS ICS Security: https://www.sans.org/cyber-security-courses/ics-scada-cyber-security/
- Siemens Learning Portal: https://support.industry.siemens.com/tf/ww/en/
**Certifications:**
- GICSP (Global Industrial Cyber Security Professional) - SANS
- GRID (Response and Industrial Defense) - SANS
- Certified ICS Security Specialist - Various providers
**Industry Organizations:**
- ICS-CERT (CISA)
- SANS ICS
- ISA (International Society of Automation)
- ISAGCA (ISA Global Cybersecurity Alliance)
### Appendix E: Vendor Security Questionnaire
Use this when evaluating control system vendors or integrators:
```
1. Do you follow IEC 62443 development lifecycle?
2. Do you have ISASecure certification for your products?
3. How do you handle vulnerability disclosure?
4. What is your patch release timeline for critical vulnerabilities?
5. Do you provide security advisories?
6. Are default passwords required to be changed?
7. Do you support encrypted communications?
8. Do you provide security hardening guides?
9. What logging and auditing capabilities exist?
10. Do you require/offer security training for your products?
```
---
## Quick Reference Card
### Daily Security Checks (5 minutes)
1. Review critical SIEM alerts
2. Check firewall logs for violations
3. Verify backup completion
### Weekly Security Tasks (30 minutes)
1. Review all SIEM alerts
2. Check for Siemens security advisories
3. Review access logs
4. Update asset inventory (if changes)
### Monthly Security Tasks (2-4 hours)
1. User access review/recertification
2. Review and update firewall rules
3. Vulnerability scan (safe profile)
4. Security awareness reminder
5. Review incident log
### Quarterly Security Tasks (1-2 days)
1. Full vulnerability assessment
2. Test backup/recovery
3. Review and update policies
4. Physical security inspection
5. Internal audit
6. Tabletop exercise
### Annual Security Tasks (1-2 weeks)
1. Full security audit
2. Penetration testing (test environment)
3. Risk assessment update
4. All policies and procedures review
5. Disaster recovery test
6. Security training (all staff)
7. Contract/vendor reviews
---
## Glossary
**ACL (Access Control List)**: List of permissions attached to an object
**DMZ (Demilitarized Zone)**: Network segment that sits between internal and external networks
**ICS (Industrial Control System)**: Generic term for control systems including SCADA, DCS, PLC
**IDS (Intrusion Detection System)**: Monitors network traffic for suspicious activity
**IPS (Intrusion Prevention System)**: IDS that can also block threats
**OT (Operational Technology)**: Hardware and software controlling physical processes
**PLC (Programmable Logic Controller)**: Digital computer for automation
**SCADA (Supervisory Control and Data Acquisition)**: System for remote monitoring and control
**SIEM (Security Information and Event Management)**: Centralized logging and analysis
**SL (Security Level)**: IEC 62443 measure of protection against threats
**VPN (Virtual Private Network)**: Encrypted connection over public network
---
**Document Version**: 1.0
**Last Updated**: February 16, 2026
**Based On**: IEC 62443, NIST SP 800-82, CISA Guidelines
**Intended Audience**: Control System Engineers, ICS Security Professionals, Plant Managers
Reference in a new issue View git blame Copy permalink