Anthropic-Cybersecurity-Skills/skills/performing-ot-network-security-assessment/references/workflows.md

Workflows - OT Network Security Assessment

Assessment Lifecycle

Phase 1: Scoping          Phase 2: Discovery       Phase 3: Analysis
+-----------------+       +-----------------+      +-----------------+
| Define scope    |       | Passive capture |      | Protocol review |
| Safety limits   | ----> | Asset inventory | ---> | Zone evaluation |
| Authorization   |       | Traffic mapping |      | Firewall audit  |
+-----------------+       +-----------------+      +-----------------+
                                                          |
Phase 6: Verify           Phase 5: Remediate       Phase 4: Report
+-----------------+       +-----------------+      +-----------------+
| Validate fixes  |       | Segmentation    |      | Risk scoring    |
| Re-assessment   | <---- | FW rule changes | <--- | Finding detail  |
| Compliance map  |       | Protocol harden |      | Prioritization  |
+-----------------+       +-----------------+      +-----------------+

Phase 1: Scoping and Authorization

Inputs

  • Facility type and industry vertical
  • Regulatory requirements (NERC CIP, IEC 62443, NIST CSF)
  • Existing network diagrams and asset inventories
  • Maintenance window schedules

Activities

  1. Meet with operations, engineering, and IT security teams
  2. Define Purdue levels in scope and safety-critical exclusions
  3. Obtain written authorization specifying permitted assessment activities
  4. Identify SPAN/TAP points for passive monitoring deployment
  5. Review prior assessment reports and known issues

Outputs

  • Signed Rules of Engagement document
  • Assessment scope matrix (Purdue levels vs. activity types)
  • SPAN/TAP deployment plan
  • Emergency contact list and escalation procedures

Phase 2: Passive Network Discovery

Inputs

  • SPAN port access on OT network switches
  • Assessment scope document

Activities

  1. Deploy passive monitoring sensors on SPAN ports at each Purdue level boundary
  2. Capture network traffic for a minimum of two weeks so that infrequent flows (batch changeovers, scheduled maintenance, backups, engineering downloads) are observed alongside the steady-state process traffic
  3. Build asset inventory from observed traffic (MAC, IP, protocols, firmware versions)
  4. Map all communication flows with source, destination, protocol, and frequency
  5. Identify industrial protocols in use (Modbus, DNP3, OPC UA, EtherNet/IP, S7comm)
  6. Detect unauthorized devices and rogue connections

Activities - Wireless Assessment

  1. Survey OT areas with a Wi-Fi scanner for access points and with a spectrum analyzer for non-Wi-Fi emitters that a Wi-Fi scanner will not see
  2. Identify wireless industrial protocols in use (WirelessHART, ISA100.11a, Zigbee, all IEEE 802.15.4-based)
  3. Check for unauthorized Wi-Fi networks bridging IT and OT

Outputs

  • Complete asset inventory with Purdue level classification
  • Network communication flow map
  • Protocol distribution analysis
  • Unauthorized device/connection list

Phase 3: Analysis and Evaluation

Inputs

  • Asset inventory and traffic capture data
  • Firewall rule exports
  • Network architecture diagrams

Activities

  1. Evaluate the zone and conduit architecture against IEC 62443-3-2
  2. Analyze firewall rules for overly permissive entries (any source, destination, or service) and for conduits the zone design prohibits
  3. Assess industrial protocol security (authentication, encryption, access controls); Modbus/TCP, S7comm, and DNP3 without Secure Authentication carry no authentication, so for those the compensating controls (conduit restrictions, protocol-aware filtering of write operations) are what is assessed
  4. Review remote access architecture and authentication mechanisms
  5. Evaluate patch levels of HMI, engineering workstations, and servers
  6. Check discovered OT firmware versions against vendor and CISA ICS advisories for known vulnerabilities
  7. Assess physical security of network equipment in field locations

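The firewall rule audit of step 2, as an added example that is not code from this skill or from Anthropic-Cybersecurity-Skills. The zone allocation, the permitted-conduit table (which stands in for the site's own IEC 62443 zone/conduit design) and the rule export are constructed for the example. Every allow rule is checked for `any` wildcards, for source or destination ranges that cannot be placed in a single zone, for zone pairs the design does not permit, and for services not on the conduit's allow-list; deny rules cannot open a conduit and are skipped.

```python
import csv
import io
import ipaddress

# Zone allocation and permitted conduits: assumptions for this example.
ZONES = {
    "Enterprise": ipaddress.ip_network("10.10.0.0/16"),
    "OT DMZ":     ipaddress.ip_network("10.20.0.0/24"),
    "Site ops":   ipaddress.ip_network("192.168.30.0/24"),
    "Control":    ipaddress.ip_network("192.168.20.0/24"),
    "Field":      ipaddress.ip_network("192.168.10.0/24"),
}
# (source zone, destination zone) -> services the conduit may carry.
PERMITTED_CONDUITS = {
    ("Enterprise", "OT DMZ"): {"https", "rdp"},
    ("OT DMZ", "Site ops"):   {"https", "opcua"},
    ("Site ops", "Control"):  {"opcua"},
    ("Control", "Field"):     {"modbus", "enip", "dnp3"},
}

# Constructed firewall rule export, one row per rule.
RULES_CSV = """\
id,src,dst,service,action
1,10.10.0.0/16,10.20.0.0/24,https,allow
2,10.20.0.4/32,192.168.30.9/32,opcua,allow
3,10.10.5.0/24,192.168.10.0/24,modbus,allow
4,any,192.168.20.0/24,any,allow
5,192.168.30.0/24,192.168.20.0/24,rdp,allow
6,10.20.0.0/24,192.168.0.0/16,https,allow
7,172.16.0.0/24,192.168.20.0/24,s7comm,allow
8,10.10.0.0/16,192.168.0.0/16,any,deny
"""

def zone_of(cidr):
    """Zone containing the whole address object, or why it cannot be placed."""
    if cidr.lower() == "any":
        return "any"
    net = ipaddress.ip_network(cidr, strict=False)
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    if any(zone.subnet_of(net) for zone in ZONES.values()):
        return "spans zones"   # broader than any single zone
    return "unmapped"          # address space outside the zone model

def audit_rules(csv_text):
    """Return (rule id, finding) for every allow rule that violates the conduit design."""
    findings = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        if r["action"].lower() != "allow":
            continue  # a deny rule cannot open a conduit
        rid = int(r["id"])
        wide = [k for k in ("src", "dst", "service") if r[k].lower() == "any"]
        if wide:
            findings.append((rid, f"overly permissive: {', '.join(wide)} = any"))
            continue
        sz, dz = zone_of(r["src"]), zone_of(r["dst"])
        if sz in ("unmapped", "spans zones") or dz in ("unmapped", "spans zones"):
            findings.append((rid, f"cannot place in zone model: src={sz}, dst={dz}"))
        elif sz == dz:
            continue  # intra-zone traffic is not a conduit
        elif (sz, dz) not in PERMITTED_CONDUITS:
            findings.append((rid, f"prohibited conduit: {sz} -> {dz}"))
        elif r["service"] not in PERMITTED_CONDUITS[(sz, dz)]:
            findings.append((rid, f"service {r['service']} not allowed on {sz} -> {dz}"))
    return findings

if __name__ == "__main__":
    for rid, why in audit_rules(RULES_CSV):
        print(f"rule {rid}: {why}")
```

Rule 6 is the case that a per-zone lookup alone misses: 192.168.0.0/16 is wider than any single OT zone, so a rule that "only" permits HTTPS from the DMZ actually reaches site operations, control and field addresses at once and must be split before it can be judged against the conduit table.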
Outputs

  • Finding list with severity ratings
  • Gap analysis against applicable standards
  • Risk matrix mapping findings to operational/safety impact

Phase 4: Reporting

Report Structure

  1. Executive Summary (1 page)
  2. Scope and Methodology
  3. Asset Inventory Summary
  4. Network Architecture Assessment
  5. Detailed Findings (Critical/High/Medium/Low)
  6. Compliance Gap Analysis
  7. Remediation Roadmap with Prioritization
  8. Appendices (asset inventory, network diagrams, tool output)

Phase 5: Remediation Support

Priority Order

  1. Immediate: Block unauthorized cross-zone paths (enterprise to field devices)
  2. 30-day: Implement DMZ between corporate IT and OT operations
  3. 60-day: Deploy industrial protocol-aware firewalls between zones
  4. 90-day: Harden remote access with MFA and jump servers
  5. 6-month: Full zone/conduit segmentation per IEC 62443 design

Risk Scoring for OT Environments

OT risk scoring must account for safety impact beyond the traditional CIA triad:

Factor                Weight   Description
Safety Impact         30%      Potential for physical harm to personnel or the public
Operational Impact    25%      Production disruption or equipment damage
Environmental Impact  15%      Release of hazardous materials
Financial Impact      15%      Direct costs and regulatory penalties
Reputational Impact   15%      Public trust and regulatory scrutiny

The five weights sum to 100%.
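The weighted scoring applied to a set of findings, as an added example that is not code from this skill or from Anthropic-Cybersecurity-Skills. The weights are the ones in the table; the 0 to 5 rating scale, the severity bands, the safety floor (a finding rated 4 or more on safety is never reported below High, whatever its composite score) and the four findings themselves are assumptions constructed for the example.

```python
# Factor weights from the table; each factor is rated 0 (none) to 5 (catastrophic).
WEIGHTS = {
    "safety": 0.30, "operational": 0.25, "environmental": 0.15,
    "financial": 0.15, "reputational": 0.15,
}
SCALE_MAX = 5                       # assumed rating scale
SEVERITY_BANDS = [(80, "Critical"), (60, "High"), (35, "Medium"), (0, "Low")]  # assumed
SEVERITY_RANK = {"Critical": 3, "High": 2, "Medium": 1, "Low": 0}
SAFETY_FLOOR_RATING = 4             # assumed: safety >= 4 is reported at least High

assert abs(sum(WEIGHTS.values()) - 1.0) < 1e-9, "weights must sum to 100%"

def composite_score(ratings):
    """Weighted sum of the five factor ratings, normalised to 0-100."""
    missing = set(WEIGHTS) - set(ratings)
    if missing:
        raise ValueError(f"missing factor ratings: {sorted(missing)}")
    total = sum(w * ratings[f] for f, w in WEIGHTS.items())
    return round(total / SCALE_MAX * 100, 1)

def severity(ratings):
    """(score, band); the safety floor overrides a composite that under-rates safety."""
    score = composite_score(ratings)
    band = next(label for floor, label in SEVERITY_BANDS if score >= floor)
    if ratings["safety"] >= SAFETY_FLOOR_RATING and SEVERITY_RANK[band] < SEVERITY_RANK["High"]:
        band = "High"
    return score, band

def prioritize(findings):
    """Order findings for the remediation roadmap: severity band first, then score."""
    rows = [(name, *severity(r)) for name, r in findings.items()]
    return sorted(rows, key=lambda row: (SEVERITY_RANK[row[2]], row[1]), reverse=True)

# Constructed findings with factor ratings (not real assessment results).
FINDINGS = {
    "Enterprise host with direct Modbus write path to field PLC":
        {"safety": 4, "operational": 4, "environmental": 2, "financial": 2, "reputational": 3},
    "Safety PLC reachable over unauthenticated engineering protocol":
        {"safety": 5, "operational": 2, "environmental": 1, "financial": 1, "reputational": 1},
    "Cleartext HMI credentials on L3 file share":
        {"safety": 2, "operational": 3, "environmental": 0, "financial": 2, "reputational": 3},
    "Unpatched historian web app exposed to enterprise":
        {"safety": 0, "operational": 2, "environmental": 0, "financial": 5, "reputational": 5},
}

if __name__ == "__main__":
    for name, score, band in prioritize(FINDINGS):
        print(f"{band:8s} {score:5.1f}  {name}")
```

The historian finding scores the maximum on both financial and reputational impact yet ranks last, because those factors together carry less weight than safety plus operational impact; the safety-PLC finding shows why a floor is worth keeping alongside the weighted sum, since a safety rating of 5 with low ratings elsewhere would otherwise land in Medium.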