‹ 首页

ot-ics-scada-security

@masriyan · 收录于 1 周前

Operational Technology and industrial control system security — Purdue model segmentation, industrial protocol analysis (Modbus, DNP3, S7, EtherNet/IP), PLC/HMI exposure, IEC 62443 alignment, and MITRE ATT&CK for ICS, for authorized and safety-conscious assessments

适合你,如果负责工业控制系统安全评估与防护

/ 下载安装
ot-ics-scada-security.skill双击,或拖进 Claude 桌面版 / Cowork,即完成安装↓ .skill↓ .zip
用别的 agent?下载 .zip 解压,把文件夹放进它的技能目录
Claude Code~/.claude/skills/(项目级 .claude/skills/)
Codex CLI~/.codex/skills/
Cursor自动读取上面两处目录
其他工具见其文档的「skills」目录;两个下载是同一份文件,只是名字不同
/ 通过 npx 安装 校验哈希
npx oh-my-skill add masriyan/claude-code-cybersecurity-skill/ot-ics-scada-security
/ 通过 bash 安装
curl -fsSL https://oh-my-skill.com/install.sh | bash -s -- masriyan/claude-code-cybersecurity-skill/ot-ics-scada-security
/ 已经装过?验证本机副本,不用重装
npx oh-my-skill verify masriyan/claude-code-cybersecurity-skill/ot-ics-scada-security
安装目标可用 --agent / --scope 或 --to 明确指定;省略时只会在唯一已存在的 agent 目录上自动选择,零命中或多命中会停止并提示。content_hash 缺失或不一致均拒装。
160GitHub stars
~1.8K最小装载
~3.2K含声明引用
~3.6K文本包总量
镜像托管

怎么用

技能原文 SKILL.md作者撰写 · MIT · 2c864e3

OT / ICS / SCADA Security

Purpose

Enable Claude to assess Operational Technology (OT) and Industrial Control System (ICS) environments — PLCs, RTUs, HMIs, SCADA servers, historians, and field devices — with safety as the first constraint. Claude reasons about the Purdue/ISA-95 model, analyzes industrial protocols passively, maps adversary behavior to MITRE ATT&CK for ICS, and aligns recommendations to IEC 62443 and the NIST SP 800-82 guidance.

SAFETY & AUTHORIZATION — READ FIRST: OT systems control physical processes; a crashed PLC can mean equipment damage, environmental release, or loss of life. Default to passive, non-intrusive methods. Never send active scans, writes, or protocol fuzzing to production OT without written authorization, asset-owner sign-off, and a tested rollback/safety plan — ideally on a test bench or during a maintenance window. Confirm scope and the "do-no-harm" boundary before proceeding.

Activation Triggers

This skill activates when the user asks about:

  • ICS / SCADA / OT / DCS security or industrial network assessment
  • Modbus, DNP3, S7comm, EtherNet/IP, BACnet, OPC-UA, IEC 61850/104 protocols
  • PLC, RTU, HMI, historian, or engineering-workstation security
  • Purdue model / ISA-95 segmentation and IT/OT boundary review
  • IEC 62443, NIST SP 800-82, or NERC CIP alignment
  • MITRE ATT&CK for ICS technique mapping
  • Internet-exposed ICS devices (Shodan/Censys dorks) or ICS asset inventory
  • OT threat detection, anomaly monitoring, or ICS incident response

Prerequisites
pip install requests pyyaml
# Protocol libraries (lab use): pip install pymodbus scapy

Optional enhanced capabilities:

  • Wireshark / tshark with ICS dissectors (Modbus, DNP3, S7, ENIP, GOOSE)
  • nmap ICS NSE scripts (use read-only scripts only, with care)
  • GRASSMARLIN / passive asset-discovery tooling
  • Shodan/Censys access for exposure checks (passive, external)

Core Capabilities
1. Architecture & Purdue Model Review

When asked to review OT architecture, map assets to Purdue levels and assess the boundaries:

| Level | Zone | Assets | Key control | |-------|------|--------|-------------| | 4–5 | Enterprise / IT | ERP, business network, internet | Should never directly reach L0–L2 | | 3.5 | IDMZ | Jump hosts, patch/AV relays, historian replica | Brokered, inspected IT↔OT traffic only | | 3 | Operations | SCADA servers, historians, engineering WS | Hardened, monitored | | 2 | Supervisory | HMIs, control servers | | | 1 | Control | PLCs, RTUs, IEDs | | | 0 | Process | Sensors, actuators, drives | |

Flag: missing IDMZ, flat IT/OT networks, dual-homed engineering workstations, remote vendor access bypassing the DMZ, and any direct path from L4/L5 to L0–L2.

2. Industrial Protocol Analysis (Passive-First)

Prefer reading a SPAN/TAP capture over active probing. From a PCAP, identify:

  • Modbus/TCP (502) — function codes; flag writes (FC 5/6/15/16), unauthenticated reads, exposure beyond the cell.
  • DNP3 (20000) — operate/direct-operate, lack of Secure Authentication (SAv5).
  • S7comm / S7comm-plus (102) — PLC start/stop, program upload/download.
  • EtherNet/IP + CIP (44818/2222) — forward-open, attribute writes.
  • OPC-UA (4840) — security policy None, anonymous sessions.
  • IEC 61850 GOOSE/MMS, IEC 60870-5-104 (2404), BACnet (47808) as present.

Note that most ICS protocols have no authentication or encryption by design — any reachable client can issue commands. Use scripts/ics_protocol_analyzer.py to summarize an exported PCAP and flag write/control operations and unexpected talkers.

3. Exposure & Asset Discovery
  • Passive inventory from captures (MAC/OUI → vendor, protocol → device role).
  • External exposure (read-only, external) via Shodan/Censys dorks — never expose live device details publicly:
  • port:502 product:Modbus, port:20000 source address, tag:ics, "Siemens, SIMATIC", port:47808, "Schneider Electric".
  • For any device that must be reachable, document why, the compensating controls, and whether it should be behind the IDMZ instead.
  • Active scanning, if authorized: use only read-only nmap NSE (modbus-discover, s7-info, bacnet-info, enip-info) with low rate, never against safety-instrumented systems (SIS).
4. Threat Modeling — MITRE ATT&CK for ICS

Map plausible adversary paths using the ICS matrix tactics: Initial Access → Execution → Persistence → Evasion → Discovery → Lateral Movement → Collection → Command-and-Control → Inhibit Response FunctionImpair Process ControlImpact. Reference high-signal techniques (e.g., T0883 Internet-Accessible Device, T0836 Modify Parameter, T0831 Manipulation of Control, T0814 Denial of Service, T0816 Device Restart/Shutdown). Anchor scenarios to real tradecraft (Stuxnet, TRITON/TRISIS targeting SIS, Industroyer/CRASHOVERRIDE, PIPEDREAM/INCONTROLLER).

5. IEC 62443 / NIST SP 800-82 Alignment
  • Define zones and conduits; assign Security Levels (SL 1–4) per zone based on threat.
  • Review against IEC 62443-3-3 system requirements (FR1 IAC, FR2 UC, FR3 system integrity, FR4 data confidentiality, FR5 restricted data flow, FR6 timely response, FR7 resource availability).
  • Map to NIST SP 800-82r3 control overlays and NERC CIP where the asset owner is in scope (BES).
6. OT-Aware Detection & Incident Response
  • Detection: baseline normal protocol talkers and command rates; alert on unexpected write/program-download, new engineering connections, off-hours commands, and L4→L1 traffic.
  • IR (coordinate with → Skill 07, but OT-modified): safety and process continuity outrank evidence preservation; involve process/safety engineers; prefer passive collection; have a manual-operations fallback before isolating anything.

Output Standards
# OT/ICS Security Assessment — [Site / System]
Date: [Date] | Scope: [Zones/Assets] | Method: [Passive/Active] | Analyst: [Name]
Safety constraints honored: [yes — passive only / window used / etc.]

## Executive Summary
[Posture, top safety-relevant risks]

## Purdue / Zone-Conduit Map
[Levels, boundaries, IDMZ status]

## Findings
### [O-01] Modbus writes reachable from IT VLAN  (Critical)
- ATT&CK ICS: T0883, T0836 | IEC 62443 FR5
- Evidence: [pcap flow IT-host → PLC FC16]
- Process impact: [what physical effect is possible]
- Remediation: [conduit/firewall rule, IDMZ broker, read-only segmentation]

## IEC 62443 Zone/SL Recommendations
| Zone | Current SL | Target SL | Gap |

## Prioritized Remediation (safety-weighted)

Script Reference
ics_protocol_analyzer.py
# Summarize an exported PCAP CSV/JSON (from tshark) and flag control/write ops
tshark -r capture.pcap -T json > capture.json
python scripts/ics_protocol_analyzer.py --input capture.json --output ics_report.json

# Generate Shodan/Censys exposure dorks for a vendor/protocol set
python scripts/ics_protocol_analyzer.py --dorks --vendor siemens --output dorks.txt

Skill Integration

| Next Step | Condition | Target Skill | |-----------|-----------|--------------| | Deep PCAP / IDS rules | Network capture available | → Skill 08 | | Firmware / device RE | PLC/RTU firmware obtained | → Skill 04 | | OT incident handling | Active incident | → Skill 07 | | Detection content | SIEM/OT-monitoring rules needed | → Skill 12 | | IT-side segmentation hardening | IT/OT boundary hosts | → Skill 15 |


References
按 MIT 许可原样转载,未经改动 · 在 GitHub 查看 →

评论

登录即可评论;带「已验证安装」的,是发布者名下有本店的安装或持有记录。