ot-security-assessment
Operational Technology (OT) security assessment using a two-stage methodology: (1) Identification/Discovery of OT devices and protocols, and (2) Vulnerability Assessment using online sources and Metasploit. Use when: (1) Conducting authorized OT/ICS security assessments, (2) Identifying and enumerating OT protocols (Modbus, S7, IEC 104, DNP3, BACnet, EtherNet/IP), (3) Discovering industrial control devices and PLCs, (4) Assessing OT protocol vulnerabilities and security weaknesses, (5) Performing compliance scanning aligned with IEC 62443 standards, (6) Validating network segmentation and access controls in OT environments.
# OT Security Assessment
## Overview
This skill provides a structured methodology for conducting Operational Technology (OT) and Industrial Control System (ICS) security assessments. The approach follows a two-stage methodology: (1) **Identification/Discovery** of OT devices, protocols, and services, and (2) **Vulnerability Assessment** using online vulnerability databases and Metasploit Framework for deeper analysis.
**IMPORTANT**: OT security assessments may impact critical industrial processes and must only be conducted with proper authorization. Always ensure written permission before assessing OT systems. Never test production systems without explicit authorization.
**OT Network Security Considerations**:
- Well-secured OT systems will not allow internet-connected devices (like this system) to be plugged into the network for assessment
- Most production OT assessments will be conducted offline on air-gapped networks
- This skill is suitable for:
  - Less secure or open OT/SCADA systems
  - Lab environments and test networks
  - Authorized assessment scenarios where network isolation is managed separately
- Always coordinate with operations team to ensure proper network isolation and security controls
## Quick Start
Basic OT device discovery and protocol enumeration:
```bash
# TCP Connect scan for common OT ports (no root required, safer for OT)
nmap -sT -p 502,102,2404,20000,47808,2222 <target-ip>
# Modbus enumeration (no root required)
nmap -p 502 --script modbus-read-registers,modbus-read-coils <target-ip>
# Comprehensive OT scan with service detection (no root required)
nmap -sV -p 502,102,2404,20000,47808,2222 --script modbus-read-registers,s7-info,bacnet-info <target-ip>
```
## Placeholder System
When executing commands, replace these placeholders with actual values:
- `<target-ip>` - Single IP address (e.g., `192.168.1.100`)
- `<target-network>` - IP range in CIDR notation (e.g., `192.168.1.0/24`)
- `<rhost>` - Remote host (Metasploit) - IP address or hostname
- `<rport>` - Remote port (Metasploit) - Port number
- `<unit-id>` - Modbus unit ID (typically 1-255)
## Core Workflow
### Workflow Checklist (for complex operations)
Progress:
- [ ] 1. Verify authorization and scope for OT assessment
- [ ] 2. Perform network discovery and identify live hosts
- [ ] 3. Scan for common OT protocol ports
- [ ] 4. Enumerate OT protocols and identify devices
- [ ] 5. Gather device information and service versions
- [ ] 6. Research vulnerabilities using online sources
- [ ] 7. Perform vulnerability assessment with Metasploit
- [ ] 8. Document findings and generate assessment report
- [ ] 9. Validate results and identify false positives
Work through each step systematically. Check off completed items.
### 1. Authorization Verification
**CRITICAL**: Before any OT assessment activities:
- Confirm written authorization from system owner and operations team
- Review scope document for in-scope IP ranges and OT systems
- Verify scanning windows and rate-limiting requirements (OT systems are sensitive)
- Document emergency contact for accidental disruption
- Confirm blacklisted hosts (production PLCs, safety systems, critical infrastructure)
- Coordinate with operations team for safe testing windows
### 2. Network Discovery
Identify live hosts in target OT network:
```bash
# Ping sweep (ICMP echo); <target-network> is already in CIDR form (e.g. 192.168.1.0/24),
# so no extra /24 suffix is appended
nmap -sn <target-network>
# ARP scan (local network only, faster and more reliable)
nmap -sn -PR <target-network>
# TCP SYN ping (when ICMP blocked, use OT ports)
nmap -sn -PS502,102,2404 <target-network>
# Disable ping, assume all hosts alive (common in OT networks)
nmap -Pn <target-network>
# Output live hosts to file (grepable output: "Host: <ip> () Status: Up")
nmap -sn <target-network> -oG - | awk '/Up$/{print $2}' > live_hosts.txt
```
**OT Network Discovery Techniques**:
- **ICMP Echo (-PE)**: Standard ping, often blocked in OT networks
- **TCP SYN (-PS)**: Half-open connection to OT protocol ports (502, 102, etc.)
- **UDP (-PU)**: Sends UDP packets to OT UDP ports (47808 for BACnet)
- **ARP (-PR)**: Layer 2 discovery, only works on local network segment
### 3. OT Protocol Port Scanning
Scan discovered hosts for common OT protocol ports:
```bash
# TCP Connect scan for common OT protocol ports (no root required)
nmap -sT -p 502,102,2404,20000,47808,2222,161,623 -iL live_hosts.txt
# Comprehensive scan with service detection (no root required)
nmap -sV -p 502,102,2404,20000,47808,2222 -iL live_hosts.txt -oA ot_scan
# UDP scan for OT protocols (BACnet, SNMP) - requires root
sudo nmap -sU -p 47808,161,623 -iL live_hosts.txt -oA ot_udp_scan
```
**Common OT Protocol Ports**:
- **502**: Modbus TCP
- **102**: S7/Siemens
- **2404**: IEC 104
- **20000**: DNP3
- **47808**: BACnet/IP (UDP)
- **2222**: EtherNet/IP
- **161**: SNMP (UDP)
- **623**: IPMI (UDP)
**Timing and Performance for OT Networks**:
OT networks are sensitive to high traffic volumes. Use conservative timing:
```bash
# Polite (2) - Recommended for OT networks
nmap -T2 --max-rate 10 -p 502,102,2404 <target-ip>
# Scan with delays to avoid disruption
nmap --scan-delay 2s -p 502,102,2404 <target-ip>
```
### 4. OT Protocol Enumeration
Enumerate and identify OT protocols and devices:
#### Modbus TCP (Port 502)
```bash
# Basic Modbus enumeration
nmap -p 502 --script modbus-read-registers,modbus-read-coils <target-ip>
# Comprehensive Modbus enumeration
nmap -p 502 --script modbus-read-registers,modbus-read-coils <target-ip> -oA modbus_enum
# Read holding registers (unit ID 1, start 0, count 10)
modbus read <target-ip> 502 1 0 10
```
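The nmap Modbus scripts and the `modbus read` command above all speak the same wire format. The following is an added Python example (not part of this skill or of nmap) that builds the Read Holding Registers request those tools send, decodes a reply including the exception form, and classifies function codes so a monitoring rule on a segmented OT network can tell read-only enumeration from write traffic. The sample reply frames are constructed, not captured from a real device.

```python
import struct

# Function codes used by the read-only enumeration above, and the write
# codes a monitoring rule on a segmented OT network should flag.
READ_FCS = {1: "Read Coils", 2: "Read Discrete Inputs",
            3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FCS = {5: "Write Single Coil", 6: "Write Single Register",
             15: "Write Multiple Coils", 16: "Write Multiple Registers"}
EXCEPTIONS = {1: "Illegal Function", 2: "Illegal Data Address",
              3: "Illegal Data Value", 4: "Server Device Failure"}

def build_read_request(tid, unit_id, fc, start, count):
    """Modbus/TCP ADU = 7-byte MBAP header (tid, proto 0, length, unit) + PDU."""
    pdu = struct.pack(">BHH", fc, start, count)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit_id) + pdu

def parse_response(frame):
    """Decode a server reply into a dict; raises ValueError on a malformed frame."""
    if len(frame) < 9:
        raise ValueError("frame shorter than MBAP header, function code and first data byte")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    if length != len(frame) - 6:
        raise ValueError("MBAP length %d disagrees with frame size" % length)
    fc = frame[7]
    rsp = {"tid": tid, "unit": unit, "fc": fc & 0x7F, "exception": None, "registers": []}
    if fc & 0x80:                      # exception response: fc | 0x80, then exception code
        rsp["exception"] = EXCEPTIONS.get(frame[8], "code %d" % frame[8])
        return rsp
    if rsp["fc"] in (3, 4):            # register reads: byte count, then big-endian words
        n = frame[8]
        if len(frame) < 9 + n or n % 2:
            raise ValueError("truncated or odd-length register data")
        rsp["registers"] = list(struct.unpack(">%dH" % (n // 2), frame[9:9 + n]))
    return rsp

def classify(fc):
    """'read' for enumeration traffic, 'write' for state-changing traffic."""
    return "read" if fc in READ_FCS else "write" if fc in WRITE_FCS else "other"

# Constructed sample frames (not captured from a real device)
GOOD_REPLY = bytes.fromhex("00010000000701030400010002")   # unit 1, FC3, registers 1 and 2
EXC_REPLY = bytes.fromhex("000200000003018302")            # unit 1, FC3 exception 02

if __name__ == "__main__":
    print(build_read_request(1, 1, 3, 0, 10).hex())          # same PDU as "modbus read ... 1 0 10"
    print(parse_response(GOOD_REPLY), parse_response(EXC_REPLY))
```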
#### S7/Siemens (Port 102)
```bash
# S7 information gathering
nmap -p 102 --script s7-info <target-ip> -oA s7_info
# Python SNAP7 enumeration
python3 -c "import snap7; client = snap7.client.Client(); client.connect('<target-ip>', 0, 1); print(client.get_cpu_info()); client.disconnect()"
```
#### DNP3 (Port 20000)
The `dnp3-info` NSE script is not included in standard Nmap installations. Obtain it from the official Nmap community scripts repository:
```bash
# Download dnp3-info.nse from the official Nmap community scripts repo
curl -o /usr/local/share/nmap/scripts/dnp3-info.nse \
https://raw.githubusercontent.com/nmap/nmap/master/scripts/dnp3-info.nse
# Update Nmap script database
nmap --script-updatedb
# Verify script is available
nmap --script-help dnp3-info
# Run DNP3 enumeration
nmap -p 20000 --script dnp3-info <target-ip> -oA dnp3_info
```
#### Other OT Protocols
```bash
# IEC 104 (Port 2404)
nmap -p 2404 -sV <target-ip> -oA iec104_scan
# BACnet/IP (Port 47808/UDP) - requires root for UDP scan
sudo nmap -sU -p 47808 --script bacnet-info <target-ip> -oA bacnet_info
# EtherNet/IP (Port 2222)
nmap -p 2222 -sV <target-ip> -oA ethernetip_tcp
```
### 5. Service and Device Information Gathering
Identify services and extract version information:
```bash
# Service version detection for OT protocols
nmap -sV -p 502,102,2404,20000,47808,2222 <target-ip>
# OT-specific service enumeration (no root required for TCP scans)
nmap -p 502 --script modbus-read-registers,modbus-read-coils <target-ip>
nmap -p 102 --script s7-info <target-ip>
nmap -p 20000 --script dnp3-info <target-ip>
# UDP scan requires root
sudo nmap -sU -p 47808 --script bacnet-info <target-ip>
```
### 6. Online Vulnerability Research
Research identified devices and services for known vulnerabilities:
```bash
# Query NVD for ICS/SCADA vulnerabilities
curl -s "https://services.nvd.nist.gov/rest/json/cves/2.0?keywordSearch=industrial+control+system" \
-H "apiKey: <api-key>" -o nvd_ics_$(date +%Y%m%d).json
# Fetch latest ICS-CERT advisories
curl -s "https://www.cisa.gov/news-events/cybersecurity-advisories" \
-o ics-cert_$(date +%Y%m%d).html
# Search CVE database
curl -s "https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=SCADA" \
-o cve_scada_$(date +%Y%m%d).html
```
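The NVD query above only saves the raw JSON. The following added Python (not part of this skill) triages such a response by CVSS score and keyword, preferring v3.1 metrics over v3.0 and v2 and keeping unscored entries visible rather than silently dropping them. `SAMPLE_NVD` is a constructed stand-in for the downloaded `nvd_ics_<date>.json` file, and its CVE ids are placeholders.

```python
import json

# Constructed NVD API 2.0-style response with placeholder CVE ids; the real
# response comes from the nvd_ics_<date>.json file saved by the curl above.
SAMPLE_NVD = json.dumps({"vulnerabilities": [
    {"cve": {"id": "CVE-0000-0001",
             "descriptions": [{"lang": "en", "value": "Modbus TCP stack crashes on a crafted request"}],
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH"}}]}}},
    {"cve": {"id": "CVE-0000-0002",
             "descriptions": [{"lang": "en", "value": "S7 HMI information disclosure"}],
             "metrics": {"cvssMetricV2": [{"cvssData": {"baseScore": 5.0}, "baseSeverity": "MEDIUM"}]}}},
    {"cve": {"id": "CVE-0000-0003",
             "descriptions": [{"lang": "en", "value": "DNP3 outstation issue awaiting analysis"}],
             "metrics": {}}}]})

def score_of(cve):
    """Return (baseScore, baseSeverity, source) preferring CVSS v3.1, then v3.0, then v2."""
    metrics = cve.get("metrics", {})
    for key in ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2"):
        entries = metrics.get(key)
        if entries:
            data = entries[0].get("cvssData", {})
            # v3 carries baseSeverity inside cvssData, v2 beside it
            severity = data.get("baseSeverity") or entries[0].get("baseSeverity")
            return data.get("baseScore"), severity, key
    return None, None, None

def triage(nvd_text, min_score=7.0, keywords=()):
    """Rows (id, score, severity, description) at or above min_score; unscored
    entries are kept so they are not lost; optional case-insensitive keyword filter."""
    rows = []
    for item in json.loads(nvd_text).get("vulnerabilities", []):
        cve = item["cve"]
        desc = next((d["value"] for d in cve.get("descriptions", []) if d.get("lang") == "en"), "")
        if keywords and not any(k.lower() in desc.lower() for k in keywords):
            continue
        score, severity, _ = score_of(cve)
        if score is None:
            rows.append((cve["id"], None, "UNSCORED", desc))
        elif score >= min_score:
            rows.append((cve["id"], score, severity, desc))
    rows.sort(key=lambda r: (r[1] is None, -(r[1] or 0)))   # scored first, highest score first
    return rows

if __name__ == "__main__":
    for row in triage(SAMPLE_NVD, keywords=("modbus", "s7", "dnp3")):
        print(row)
```

To run it against a real download, replace `SAMPLE_NVD` with the contents of the saved JSON file.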
### 7. Metasploit Vulnerability Assessment
Use Metasploit Framework for deeper OT protocol analysis:
```bash
# Start Metasploit Framework console
msfconsole
```