#!/bin/bash
#========================================
# Industrial Network Security Assessment Tool
# Based on IEC 62443 Standards
#========================================
#
# Interactive IEC 62443 checklist: the assessor is prompted for a verdict on
# each item; findings and a summary are written to files in the current
# directory (assessment_findings.csv, assessment_summary.txt).

# ANSI colour sequences, stored as backslash escapes and rendered at the point
# of use (echo -e / printf '%b').
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m' # No Color

# Opening banner.
printf '\n%s\n%s\n%s\n%s\n\n' \
  "========================================" \
  "Industrial Network Security Assessment" \
  "Based on IEC 62443 Standards" \
  "========================================"

# Result counters; check_item increments these for every item answered.
TOTAL_CHECKS=0
PASSED=0
FAILED=0
WARNING=0
NA=0

# Function to check and record result
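#######################################
# Quote one value as an RFC 4180 CSV field.
# Embedded double quotes are doubled. A value that begins with a spreadsheet
# formula trigger (= + - @, tab, CR) is prefixed with an apostrophe so that
# free-text notes cannot be interpreted as a formula when the findings file is
# opened in a spreadsheet (CSV injection).
# Arguments: $1 - raw value
# Outputs:   quoted field on stdout, no trailing newline
#######################################
_csv_field() {
  local value=$1
  local q='"'
  case "$value" in
    [=+@-]* | $'\t'* | $'\r'*) value="'${value}" ;;
  esac
  printf '"%s"' "${value//$q/$q$q}"
}

#######################################
# Append one finding row to assessment_findings.csv.
# The severity column is left bare so the report's `grep "^FAIL"` /
# `grep "^WARNING"` filters keep working; the free-text columns are quoted.
# Arguments: $1 - severity (FAIL|WARNING), $2 - category, $3 - item, $4 - notes
#######################################
_record_finding() {
  local severity=$1 category=$2 item=$3 notes=$4
  printf '%s,%s,%s,%s\n' "$severity" \
    "$(_csv_field "$category")" "$(_csv_field "$item")" "$(_csv_field "$notes")" \
    >> assessment_findings.csv
}

#######################################
# Ask the assessor for the status of one checklist item, update the global
# counters and record FAIL/WARNING findings.
# Globals:   TOTAL_CHECKS, PASSED, FAILED, WARNING, NA (written);
#            RED, GREEN, YELLOW, BLUE, NC (read)
# Arguments: $1 - category label, $2 - checklist question, $3 - requirement text
# Inputs:    reads the choice (and notes for FAIL/WARNING) from stdin
# Outputs:   prompt and verdict on stdout
#######################################
check_item() {
  local category=$1
  local question=$2
  local requirement=$3
  local choice notes

  # Only the colour codes go through %b; the item text is printed verbatim.
  printf '\n%b[%s]%b %s\n' "$BLUE" "$category" "$NC" "$question"
  printf 'Requirement: %s\n\n' "$requirement"
  printf 'Status:\n'
  printf ' 1) Pass (✓)\n'
  printf ' 2) Fail (✗)\n'
  printf ' 3) Warning (⚠)\n'
  printf ' 4) N/A\n'
  # -r keeps backslashes in the answer literal.
  read -r -p "Enter choice [1-4]: " choice

  TOTAL_CHECKS=$((TOTAL_CHECKS + 1))

  case "$choice" in
    1)
      printf '%b✓ PASS%b\n' "$GREEN" "$NC"
      PASSED=$((PASSED + 1))
      ;;
    2)
      printf '%b✗ FAIL%b\n' "$RED" "$NC"
      FAILED=$((FAILED + 1))
      read -r -p "Enter finding/notes: " notes
      _record_finding FAIL "$category" "$question" "$notes"
      ;;
    3)
      printf '%b⚠ WARNING%b\n' "$YELLOW" "$NC"
      WARNING=$((WARNING + 1))
      read -r -p "Enter finding/notes: " notes
      _record_finding WARNING "$category" "$question" "$notes"
      ;;
    4)
      echo "N/A"
      NA=$((NA + 1))
      ;;
    *)
      # An unanswered/invalid item counts as FAIL; record it too so it is not
      # missing from the findings file and the "Top Findings" listing.
      echo "Invalid choice, marking as FAIL"
      FAILED=$((FAILED + 1))
      _record_finding FAIL "$category" "$question" "No valid status entered (input: ${choice})"
      ;;
  esac
}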
#######################################
# Print a section banner, then run every (question, requirement) pair that
# follows through check_item under the given category.
# Arguments: $1 - section title, $2 - category label,
#            then pairs: question, requirement
#######################################
run_section() {
  local title=$1 category=$2
  local rule='========================================'
  shift 2
  printf '\n%s\n%s\n%s\n' "$rule" "$title" "$rule"
  while (( $# >= 2 )); do
    check_item "$category" "$1" "$2"
    shift 2
  done
}

# Start the findings file with its CSV header.
printf 'Severity,Category,Item,Notes\n' > assessment_findings.csv

run_section "SECTION 1: ASSET INVENTORY" "Asset Inventory" \
  "Are all PLCs documented with model, firmware version, and location?" \
    "Complete inventory of all control system components per IEC 62443-2-1" \
  "Is network topology documented with current diagrams?" \
    "Network architecture diagrams showing all zones and conduits" \
  "Are all communication paths documented?" \
    "Data flow diagrams showing all network connections" \
  "Are software versions documented for all SCADA/HMI systems?" \
    "Complete software inventory with versions"

run_section "SECTION 2: ACCESS CONTROL" "Access Control" \
  "Do all PLCs have password protection enabled?" \
    "IEC 62443-3-3 SR 1.1: Password protection on all devices" \
  "Are passwords at least 8 characters with complexity requirements?" \
    "IEC 62443-3-3 SR 1.5: Strong password policy" \
  "Are IP Access Control Lists configured on PLCs?" \
    "IEC 62443-3-3 SR 1.13: Access control based on IP address" \
  "Is multi-factor authentication (MFA) used for remote access?" \
    "IEC 62443-3-3 SR 1.2: Multi-factor authentication for remote access" \
  "Are user accounts reviewed quarterly?" \
    "IEC 62443-2-1: Regular access reviews and recertification" \
  "Are default passwords changed on all devices?" \
    "IEC 62443-4-2 CR 1.1: No default credentials" \
  "Is role-based access control (RBAC) implemented?" \
    "IEC 62443-3-3 SR 1.3: Least privilege principle"

run_section "SECTION 3: NETWORK SEGMENTATION" "Network Segmentation" \
  "Are control networks physically or logically separated from corporate networks?" \
    "IEC 62443-3-2: Zones and conduits architecture" \
  "Are firewalls deployed between security zones?" \
    "IEC 62443-3-3 SR 3.1: Network segmentation with firewalls" \
  "Are firewall rules based on whitelist (deny by default)?" \
    "IEC 62443-3-3 SR 3.1: Default deny policy" \
  "Is a DMZ implemented between IT and OT networks?" \
    "Defense-in-depth: DMZ for data exchange" \
  "Are VLANs used for logical network separation?" \
    "IEC 62443-3-3 SR 3.1: Network segregation" \
  "Are critical safety systems air-gapped or on separate network?" \
    "IEC 62443-3-3 SR 3.1: Critical system isolation"

run_section "SECTION 4: PLC SECURITY CONFIGURATION" "PLC Security" \
  "Are unused PLC services disabled (web server, FTP, SNMP)?" \
    "IEC 62443-3-3 SR 7.6: Minimize attack surface" \
  "Is PLC firmware up to date?" \
    "IEC 62443-4-1 SR 1.1: Security updates applied" \
  "Are PLC configuration changes logged?" \
    "IEC 62443-3-3 SR 2.9: Audit logging" \
  "Are PLCs configured to only accept connections from authorized IPs?" \
    "IEC 62443-4-2 CR 1.13: Source address validation" \
  "Is PLC front panel physically secured (S7-1500)?" \
    "IEC 62443-3-3 SR 1.11: Physical access control" \
  "Are PLC communication processors (CPs) using firewalls/VPN?" \
    "IEC 62443-3-3 SR 4.1: Encrypted communications"

run_section "SECTION 5: SYSTEM HARDENING" "System Hardening" \
  "Are operating systems hardened per vendor guidance?" \
    "IEC 62443-4-2 CR 7.6: Operating system hardening" \
  "Is antivirus/endpoint protection deployed on HMI/SCADA systems?" \
    "IEC 62443-3-3 SR 3.2: Malware protection" \
  "Is application whitelisting implemented?" \
    "NIST SP 800-82: Application control" \
  "Are USB ports disabled or controlled on operator stations?" \
    "IEC 62443-3-3 SR 3.2: Removable media control" \
  "Are security patches applied in timely manner?" \
    "IEC 62443-2-1: Patch management process" \
  "Are unnecessary Windows services disabled?" \
    "Defense-in-depth: Minimize attack surface"

run_section "SECTION 6: MONITORING AND LOGGING" "Monitoring" \
  "Is network traffic monitored with IDS/IPS?" \
    "IEC 62443-3-3 SR 6.1: Network monitoring" \
  "Are logs centrally collected (SIEM)?" \
    "IEC 62443-3-3 SR 2.8: Centralized logging" \
  "Are critical events alerting in real-time?" \
    "IEC 62443-3-3 SR 2.9: Security event alerting" \
  "Are logs retained for at least 90 days?" \
    "IEC 62443-2-1: Audit log retention" \
  "Are logs reviewed regularly?" \
    "IEC 62443-2-1: Log review procedures" \
  "Is network baseline established and anomalies detected?" \
    "IEC 62443-4-2 CR 3.3: Anomaly detection"

run_section "SECTION 7: REMOTE ACCESS" "Remote Access" \
  "Is VPN required for all remote access?" \
    "IEC 62443-3-3 SR 4.1: Encrypted remote access" \
  "Is MFA required for VPN access?" \
    "IEC 62443-3-3 SR 1.2: Multi-factor authentication" \
  "Are vendor remote access sessions monitored and time-limited?" \
    "CISA: Vendor remote access controls" \
  "Is remote access logged and reviewed?" \
    "IEC 62443-3-3 SR 2.9: Remote access auditing" \
  "Are jump servers/bastion hosts used for remote access?" \
    "Defense-in-depth: Controlled access points"

run_section "SECTION 8: PHYSICAL SECURITY" "Physical Security" \
  "Are control rooms and server rooms physically secured?" \
    "IEC 62443-3-3 SR 1.11: Physical access control" \
  "Is access to control rooms logged (badge system)?" \
    "IEC 62443-3-3 SR 1.11: Physical access auditing" \
  "Are network cabinets locked?" \
    "IEC 62443-3-3 SR 1.11: Equipment physical protection" \
  "Is CCTV monitoring implemented for critical areas?" \
    "Defense-in-depth: Video surveillance" \
  "Are visitor access procedures documented and followed?" \
    "IEC 62443-2-1: Visitor management"

run_section "SECTION 9: BACKUP AND RECOVERY" "Backup/Recovery" \
  "Are PLC programs backed up after every change?" \
    "IEC 62443-2-1: Configuration management" \
  "Are backups stored offline or off-site?" \
    "Defense-in-depth: 3-2-1 backup rule" \
  "Are backup integrity checks performed?" \
    "IEC 62443-3-3 SR 7.3: Backup verification" \
  "Is recovery tested at least quarterly?" \
    "IEC 62443-2-1: Disaster recovery testing" \
  "Are Recovery Time Objectives (RTO) documented?" \
    "Business continuity planning"

run_section "SECTION 10: INCIDENT RESPONSE" "Incident Response" \
  "Is an incident response plan documented?" \
    "IEC 62443-2-1: Incident management" \
  "Is incident response team identified with roles assigned?" \
    "IEC 62443-2-1: IR team structure" \
  "Are incident response procedures tested annually?" \
    "IEC 62443-2-1: Tabletop exercises" \
  "Are incidents documented and lessons learned captured?" \
    "IEC 62443-2-1: Continuous improvement" \
  "Is there a communication plan for incidents?" \
    "IEC 62443-2-1: Stakeholder communication"

run_section "SECTION 11: POLICIES AND PROCEDURES" "Policies" \
  "Is a cybersecurity policy documented and approved?" \
    "IEC 62443-2-1: Cybersecurity policy" \
  "Are change management procedures documented and followed?" \
    "IEC 62443-2-1: Change control" \
  "Is patch management process documented?" \
    "IEC 62443-2-1: Security update management" \
  "Are security roles and responsibilities documented?" \
    "IEC 62443-2-1: Governance structure" \
  "Is security awareness training conducted annually?" \
    "IEC 62443-2-1: Personnel security awareness"

run_section "SECTION 12: RISK MANAGEMENT" "Risk Management" \
  "Has a security risk assessment been conducted?" \
    "IEC 62443-3-2: Security risk assessment" \
  "Are risk assessment results documented?" \
    "IEC 62443-3-2: Risk documentation" \
  "Are target security levels (SL-T) defined for each zone?" \
    "IEC 62443-3-2: Security level targets" \
  "Is risk assessment updated annually or after major changes?" \
    "IEC 62443-2-1: Risk assessment review" \
  "Are residual risks accepted by management?" \
    "IEC 62443-2-1: Risk acceptance"

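#========================================
# Generate Report
#========================================

#######################################
# Map a compliance percentage to the report's risk label.
# Arguments: $1 - integer compliance percentage (empty is treated as 0)
# Outputs:   LOW RISK / MEDIUM RISK / HIGH RISK / CRITICAL RISK on stdout
#######################################
risk_label() {
  local pct=${1:-0}
  if (( pct >= 90 )); then
    printf '%s' 'LOW RISK'
  elif (( pct >= 70 )); then
    printf '%s' 'MEDIUM RISK'
  elif (( pct >= 50 )); then
    printf '%s' 'HIGH RISK'
  else
    printf '%s' 'CRITICAL RISK'
  fi
}

#######################################
# Terminal colour for a risk label: green for LOW, yellow for MEDIUM and
# HIGH, red otherwise.
# Globals:   GREEN, YELLOW, RED (read)
# Arguments: $1 - label produced by risk_label
# Outputs:   colour escape sequence on stdout
#######################################
risk_color() {
  case "$1" in
    'LOW RISK') printf '%s' "$GREEN" ;;
    'MEDIUM RISK' | 'HIGH RISK') printf '%s' "$YELLOW" ;;
    *) printf '%s' "$RED" ;;
  esac
}

printf '\n%s\n%s\n%s\n\n' \
  "========================================" \
  "ASSESSMENT COMPLETE" \
  "========================================"

# Calculate percentages. N/A items are left out of the denominator, and an
# all-N/A run reports 0% instead of dividing by zero.
COMPLIANCE_ITEMS=$((TOTAL_CHECKS - NA))
if (( COMPLIANCE_ITEMS > 0 )); then
  COMPLIANCE_PCT=$((PASSED * 100 / COMPLIANCE_ITEMS))
else
  COMPLIANCE_PCT=0
fi

echo "Assessment Summary:"
echo "-------------------"
echo "Total Checks: $TOTAL_CHECKS"
echo "Passed: $PASSED"
echo "Failed: $FAILED"
echo "Warnings: $WARNING"
echo "Not Applicable: $NA"
echo ""
echo "Compliance Rate: $COMPLIANCE_PCT% (excluding N/A)"
echo ""

# Risk Rating. RISK_LABEL is the plain text used in the file report;
# RISK_LEVEL is the coloured form shown on the terminal.
RISK_LABEL=$(risk_label "$COMPLIANCE_PCT")
RISK_LEVEL="$(risk_color "$RISK_LABEL")${RISK_LABEL}${NC}"

printf 'Overall Risk Level: %b\n\n' "$RISK_LEVEL"

# Save summary to file. Only plain text goes into the file: colour escapes
# would otherwise be written as literal "\033[..." sequences. $USER is not
# guaranteed to be set outside a login shell, so fall back to LOGNAME.
cat > assessment_summary.txt <<EOF
INDUSTRIAL NETWORK SECURITY ASSESSMENT SUMMARY
==============================================

Date: $(date)
Assessor: ${USER:-${LOGNAME:-unknown}}

RESULTS:
--------
Total Checks: $TOTAL_CHECKS
Passed: $PASSED (✓)
Failed: $FAILED (✗)
Warnings: $WARNING (⚠)
Not Applicable: $NA

Compliance Rate: $COMPLIANCE_PCT%
Overall Risk: $RISK_LABEL

FINDINGS:
---------
See assessment_findings.csv for detailed findings.

RECOMMENDATIONS:
----------------
EOF

{
  if (( FAILED > 0 )); then
    echo "1. Address all FAILED items immediately (Critical Priority)"
  fi
  if (( WARNING > 0 )); then
    echo "2. Review and remediate WARNING items (High Priority)"
  fi
  if (( COMPLIANCE_PCT < 90 )); then
    echo "3. Develop remediation plan to achieve 90%+ compliance"
  fi
  echo "4. Schedule next assessment in 6 months"
  echo ""
} >> assessment_summary.txt

echo "Files Generated:"
echo "----------------"
echo "1. assessment_findings.csv - Detailed findings list"
echo "2. assessment_summary.txt - Summary report"
echo ""

# Show top findings (the severity column is the first, unquoted CSV field).
if [[ -f assessment_findings.csv ]]; then
  echo "Top Findings:"
  echo "-------------"
  grep "^FAIL" assessment_findings.csv | head -n 5
  echo ""
  grep "^WARNING" assessment_findings.csv | head -n 3
  echo ""
fi

echo "========================================"
echo "Next Steps:"
echo "========================================"
echo "1. Review findings in assessment_findings.csv"
echo "2. Prioritize remediation actions"
echo "3. Create remediation plan with timeline"
echo "4. Assign owners to each finding"
echo "5. Track progress and re-assess"
echo ""
echo "For detailed guidance, see:"
echo " - industrial-network-security-guide.md"
echo " - IEC 62443 standards documentation"
echo ""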