ICS/SCADA(OT) CYBERSECURITY SELF ASSESSMENT CHECKLIST

Implementing ICS/SCADA Security best practices is a critical component in safeguarding Critical Infrastructure such as Oil/Gas Facilities, Water/Waste-Water Management, C[…] Manufacturing facilities, Transportation Sector etc.

Various ICS Malware are being used by Attackers for targeting those critical infrastructure sectors, at both local and remote facilities. Such attacks can cause significant cyber-physical […] opening and closing of valves, overriding alarms or disabling pumps or other equipment. IT Systems in the OT environment can also be targeted. Customer's production specific data can be stolen and systems can be compromised by malicious […] such as ransomware, disabling process control systems.

Connection of ICS/OT or business systems to the internet or to local area networks (LANs) can create vulnerabilities. Remote access into ICS/OT can also create potential vulnerabilities. […]ks, however, are not limited only to internet-based attacks. Physical security of all ICS and business systems to prevent unauthorized access to equipment is equally important.

These Self-Assessment questions in the following checklist have been mapped to the NIST 800-82 standard.

This checklist has been compiled to assist with a basic ICS/SCADA(OT) Security Assessment. It is not an exhaustive questionnaire and it may not be exactly appropriate to your e[…]d for all systems. Systems with large or complex cyber infrastructure may benefit from a more detailed cyber security assessment completed by an information technology or cyber security professional. You may want to consider the co[…]ur system, the risk to your system and the potential impact to your system, before deciding to use this checklist.

The questions are grouped by Function and Category:
Identify: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy; Supply Chain Risk Management
Protect: Physical Security; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; Protective Technology
Detect: Anomalies and Events; Security Continuous Monitoring; Detection Processes
Respond: Response Planning; Communications; Analysis; Mitigation; Improvements
Recover: Recovery Planning; Improvements; Communications

Questions

Function: Identify
Category: Asset Management
Do you have an up-to-date OT asset inventory? How are you maintaining the asset inventory? Are you using any tools, or Excel ba[…]
Are the firewalls managed by site owners or by vendors? Do you apply "separation of duties" when assigning responsibilities betwee[…]
Are OT switches managed by site owners?
Have you updated the firmware of OT network devices such as switches or firewalls?
Does authentication to firewalls, switches, workstations and other components use unique, strong passwords?
Do the site owners update application patches/updates at least annually?
Have you defined a patch management program for your OT assets?
Do OT workstations have unique per-user passwords?
Do the site owners apply operating-system-level patches?

Function: Identify
Category: Business Environment
Is confidential information (e.g., business sensitive, production specific, etc.) restricted to authorized users?
Is the determination of "system security requirements" part of business case planning?
Is the security authorization on different OT systems updated at a defined frequency?
Is an OT security officer appointed with the mission and resources to coordinate, develop, implement, and maintain an organ[…] program?
Does the organization have an established OT security improvement program along with workforce development?
Does the organization have clearly defined, documented, and approved processes (technical and management related proc[…]
Do you strictly follow the security procedures from the BCP?

Function: Identify
Category: Governance
Have you defined OT security responsibilities and assigned them to the appropriate responsible team members?
Is a supply chain risk management program implemented? Have you incorporated OT security requirements in your con[…] clearly defined as part of your FAT/SAT procedures?
Are policies and procedures established for network segmentation, including implementation of DMZs based on type and sensitivit[…] roles, and types of systems established?
Are the OT security policies, guidelines and procedures accessible to all authorised staff?
Is there a process defined for establishing a new system in the network, and for the approvals needed for it?
Are environmental risk factors considered in the risk assessment?
Are policies for the security of standalone, lost, and misplaced equipment in place?
Is physical protection against fire, flood, earthquake, explosion, civil unrest, etc. implemented?

Function: Identify
Category: Risk Assessment
Has the organization performed any risk assessment?
What is the frequency of risk assessments? Have you defined your crown jewel sites (in high/medium/low critica[…]
Does the risk management process include threat modelling?
Are current risk assessment policies and procedures reviewed and updated?
Does the organization define a frequency for reviewing risk assessment results, and take corrective action accordingly?

Function: Identify
Category: Risk Management Strategy
When a new major incident is recorded, is the security risk assessment plan updated?
Are auditable parameters added or modified as new threats are discovered?
Are system connections continuously monitored to ensure compliance with documented security requirements?
Is a security assessment report generated that documents the assessment's findings?
Is the site owner using a standard procedure for dealing with existing vulnerabilities?
Is there a comprehensive risk management plan in place for organisational operations, assets and persons (covering people, […]

Function: Identify
Category: Supply Chain Risk Management
Does the organization have a Supply Chain Risk Management policy?
Is third-party vendor screening done thoroughly before contracts are awarded, including an NDA?
Does the organization have a supply chain risk management team?
Are vendors' personnel escorted from entry to exit inside the plant?
Do vendors have their own restricted user accounts for system access?
Does the organization maintain a Software BOM (Bill of Materials)?
Are the organization's data, documentation, tools, or system components disposed of using predefined techniques and method[…]

Function: Protect
Category: Physical Security
Are all physical access points to the facility subject to physical access authorizations?
Does the organization provide a unique ID card to each of its workers and visitors?
Is physical access monitored for the purpose of detecting and responding to physical security incidents?
Are keys, combinations and other physical access devices secured?
Is physical access to output devices controlled?
Is the control of publicly accessible sites in accordance with the organization's risk assessment?
Are individual access authorizations verified before allowing entry to the facility?
Are the access list and authorization credentials checked and approved at least once a year, and are those that no longer need a[…]

Function: Protect
Category: Awareness and Training
Is basic OT security awareness training provided to all system users before system access is granted?
Does the organization conduct fire drills?
Does the organization provide Do's and Don'ts training to its visitors?
Are individual system security training activities documented, maintained, and monitored?
Is refresher training provided at a defined frequency, at least annually?
Are practical exercises or scenarios that simulate actual cyber-attacks included in the OT security awareness training?

Function: Protect
Category: Data Security
Is a security authentication feature set up for accessing the plant's critical data?
Is there a disaster recovery plan in place for data recovery?
Are the servers deployed in a RAID configuration?
Does the plant use remote backup servers?
Does the plant encrypt data before transferring it to remote servers?
Does the plant use plain-text protocols like FTP, Telnet, HTTP?
Are the security keys revised at least yearly?
Are security keys revoked for users who have left the organization?

Function: Protect
Category: Information Protection Processes and Procedures
Does the organization restrict the use of system media that can't be sanitized?
Does the organization manage the accessibility of USB devices? Do you use sheep-dip stations?
Are data storage devices (HDD, SSD) erased prior to redeployment?
Are cryptographic mechanisms used to protect information?
Are the circumstances defined where portable, removable storage devices are required to be sanitized prior to connection to[…]
Does the sensitivity of the material determine how the media are stored?

Function: Protect
Category: Maintenance
Are all sessions and remote connections provided via jump servers, on an on-demand basis, monitored, and terminated when re[…] completed?
If password-based authentication is used to perform remote maintenance, are passwords changed after each session?
Are remote maintenance and diagnostic sessions audited, and do designated organisational individuals evaluate remote sessio[…]
Is documentation available for the installation and operation of remote maintenance and diagnostic links?
Is the use of system maintenance tools approved and monitored?
Are all media containing diagnostic and test programs checked for malicious code before the media are used in the system?
Are maintenance support and spare parts available for security-critical system components?
Is remote maintenance and diagnostic work authorised, monitored, and controlled?
Are remote maintenance and diagnostic tools only utilised in accordance with policy and as documented in the system's secur[…]
Are records of remote maintenance and diagnostic activities maintained?

Function: Protect
Category: Protective Technology
Are antivirus servers deployed? Is the antivirus solution approved by the OT vendor?
Are patches kept up to date? Are those patches approved by vendors?
Has the organization deployed an IT SOC with OT capabilities?
Does the organization have an OT-specific threat intelligence service?

Function: Detect
Category: Anomalies and Events
Are events on the system monitored?
Are system attacks detected? (Attacks can be detected via log monitoring, IDS monitoring, signatures/indicators.)
Is unauthorized use of the system identified? (e.g., log monitoring)
Are monitoring devices strategically placed throughout the system to acquire critical data and track specific types of tran[…]
Is the amount of system monitoring activity increased if there is a sign of heightened risk?
Does legal counsel become involved when it comes to system monitoring?
Are automated tools used to support near-real-time analysis of events?
Does the system monitor inbound and outbound communications for unusual or unauthorized activities or conditions?
Is a real-time alert sent by the system when indications of compromise or possible compromise occur?

Function: Detect
Category: Security Continuous Monitoring
Are events on the system monitored?
Are system attacks detected? (Attacks can be detected via log monitoring, IDS monitoring, signatures/indicators.)
Does the organization use NTP servers? Which stratum model?
Is the time correct and consistent across critical systems?
Is the intrusion monitoring application evaluated over a particular time period?
Is network access control used to prevent MITM attacks and the addition of rogue devices to the network?

Function: Detect
Category: Detection Processes
Are all methods of remote access to the system authorized, monitored, and managed?
Are automated mechanisms used to facilitate the monitoring and control of remote access methods?
Is cryptography used to protect the confidentiality and integrity of remote access sessions?
Does the system route all remote access through a limited number of managed access control points?
Is remote access for privileged commands and security-relevant information authorized only for compelling operational needs[…] such access documented?
Does the system terminate a network connection at the end of a session or after a defined period of inactivity?
Is automatic session termination applied to local and remote sessions?
Are terms and conditions established for authorized individuals to access the system from an external system?
Are terms and conditions established for authorized individuals to process, store, and transmit organization-controlled info[…] external system?
Are authorized individuals prohibited from using an external system to access the system or to process, store, or transmit orga[…] information except in situations where the organization: (a) can verify the implementation of required security controls on the[…] specified in the organization's security policy and security plan, or (b) has approved system connection or processing agreeme[…] organizational entity hosting the external system?
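Three of the checklist items are verifiable from connection logs rather than by interview: plain-text protocols reaching OT hosts (Data Security), remote sessions that should only come through jump servers (Maintenance), and session termination after a defined period of inactivity (Detection Processes). The script below is an added example, not part of the original checklist, showing how an assessor can run those three checks over a constructed connection log. The CSV record layout, the 10.10.0.0/16 OT segment, the jump server address 10.20.0.5 and the 15-minute idle limit are all assumptions made for the example.

```python
"""Added example: review a constructed OT connection log against three checklist items.

Checks performed:
  * plain-text protocols (FTP, Telnet, HTTP) reaching OT hosts,
  * remote sessions into the OT segment that did not pass through the jump server,
  * sessions left open past an inactivity limit.
The log format, addresses and thresholds below are assumptions for this example.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import IPv4Address, ip_address, ip_network

# Assumed site layout (example values, not from any real site).
OT_SEGMENT = ip_network("10.10.0.0/16")   # where the PLCs, HMIs and engineering stations live
JUMP_SERVER = ip_address("10.20.0.5")     # the only sanctioned entry point into OT
PLAINTEXT_PORTS = {21: "FTP", 23: "Telnet", 80: "HTTP"}
IDLE_LIMIT_MINUTES = 15


@dataclass
class Session:
    start: datetime
    last_activity: datetime
    end: datetime
    src: IPv4Address
    dst: IPv4Address
    dport: int


def parse_line(line: str) -> Session:
    """Parse one record of the assumed CSV layout: start,last_activity,end,src,dst,dport."""
    start, last, end, src, dst, dport = line.strip().split(",")
    return Session(
        datetime.fromisoformat(start),
        datetime.fromisoformat(last),
        datetime.fromisoformat(end),
        ip_address(src),
        ip_address(dst),
        int(dport),
    )


def review(s: Session) -> list:
    """Return the checklist findings for one session (empty list means nothing to report)."""
    findings = []
    into_ot = s.dst in OT_SEGMENT
    if into_ot and s.dport in PLAINTEXT_PORTS:
        findings.append(f"plain-text {PLAINTEXT_PORTS[s.dport]} to OT host {s.dst}")
    # Anything entering the OT segment from outside it must originate at the jump server.
    if into_ot and s.src not in OT_SEGMENT and s.src != JUMP_SERVER:
        findings.append(f"remote access to {s.dst} from {s.src} bypassed the jump server")
    # Session termination check: how long did the connection linger after the last activity?
    idle_minutes = (s.end - s.last_activity).total_seconds() / 60
    if idle_minutes > IDLE_LIMIT_MINUTES:
        findings.append(
            f"session to {s.dst} stayed open {idle_minutes:.0f} min after last activity "
            f"(limit {IDLE_LIMIT_MINUTES})"
        )
    return findings


def review_log(lines) -> list:
    """Review every record; result[i] holds the findings for lines[i]."""
    return [review(parse_line(line)) for line in lines]


# Constructed sample log (not real traffic).
SAMPLE_LOG = [
    # jump server -> OT engineering workstation over SSH, closed promptly: clean
    "2024-05-01T08:00:00,2024-05-01T08:05:00,2024-05-01T08:06:00,10.20.0.5,10.10.1.20,22",
    # laptop on the business LAN straight to a PLC over Telnet: two findings
    "2024-05-01T08:10:00,2024-05-01T08:12:00,2024-05-01T08:13:00,10.30.0.7,10.10.1.21,23",
    # OT-internal HMI web session left open 30 min after last activity: two findings
    "2024-05-01T08:20:00,2024-05-01T08:30:00,2024-05-01T09:00:00,10.10.2.3,10.10.1.22,80",
    # business LAN HTTP to a business server: outside OT scope, no findings
    "2024-05-01T08:40:00,2024-05-01T08:41:00,2024-05-01T08:42:00,10.30.0.7,10.20.0.9,80",
]

if __name__ == "__main__":
    for line, findings in zip(SAMPLE_LOG, review_log(SAMPLE_LOG)):
        print(line.split(",")[3:], findings or ["ok"])
```

The plain-text check is deliberately scoped to destinations inside the OT segment, so the same HTTP flow between two business hosts produces nothing; an assessor widening the scope only has to change OT_SEGMENT. Real flow exports (firewall, NetFlow, Zeek conn logs) carry the same fields under different names, so only parse_line needs adapting.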

Function: Respond
Category: Response Planning
Is an incident handling capability implemented for security incidents that includes preparation, detection and analysis, containm[…] recovery?
Are incident handling activities coordinated with contingency planning activities?
Are lessons learned from ongoing incident handling activities incorporated into incident response procedures?
Are system and network security incidents tracked and documented on an ongoing basis?
Is cyber and control system security incident information promptly reported to authorities?
Is an incident response support resource provided that offers advice and assistance?
Are personnel required to report suspected security incidents to the organizational incident response authority within a define[…]
Are automated mechanisms used to increase the availability of incident response-related information and support?
Does the organization implement an insider threat program that includes a cross-discipline insider threat incident handling tea[…]
Is the incident response investigation and analysis process developed, tested, deployed, and documented?

Function: Respond
Category: Communications
Does the organization display a common contact number for emergency situations?
Does the organization maintain the communication channels?
Does the organization simulate a drill that includes communication?
Does the organization maintain a list of personnel contact numbers for emergency situations?
Does the organization maintain an alarm system, including alarm servers, in OT?

Function: Respond
Category: Analysis
Is the incident response investigation and analysis process developed, tested, deployed, and documented?
Are incident handling activities coordinated with contingency planning activities?
Are lessons learned from ongoing incident handling activities incorporated into incident response procedures?
Are system and network security incidents tracked and documented on an ongoing basis?
Is an incident response support resource provided that offers advice and assistance?
Are personnel required to report suspected security incidents to the organizational incident response authority within a define[…]
Are automated mechanisms used to increase the availability of incident response-related information and support?
Does the organization implement an insider threat program that includes a cross-discipline insider threat incident handling tea[…]

Function: Respond
Category: Mitigation
Does the risk management process include risk mitigation?
Does the organization document the vulnerability assessment results and the mitigation steps taken?
Does the organization consider environmental hazards in its risk mitigations?
Are risk-reduction mitigation measures planned and implemented?
Are potential accessibility problems to the alternate control centre identified in the event of an area-wide disruption or disaste[…] mitigation actions outlined?
Are potential accessibility problems at the alternative storage site identified in the event of an area-wide disruption or disaster[…] mitigation actions outlined?

Function: Respond
Category: Improvements
Does the organization establish an information security workforce development and improvement program?
Does the organization update its OT security incident response program with ever-changing threats?
Does the organization update its improvement program with every incident recorded?

Function: Recover
Category: Recovery Planning
Does the organization have a recovery management plan?
Is the recovery plan for the system reviewed at a defined frequency, annually at a minimum?
Does the recovery plan align with the organization's enterprise architecture?
Is the authorizing official or designated representative who reviews and approves the recovery plan specified?
Does the organization have a Configuration Management and Change Management process in place?

Function: Recover
Category: Improvements
Does the organisation consider recovery improvements as part of its business continuity plan?
Does the organization document recovery improvements?
Does the organization practise the new improvements developed for recovery?

Function: Recover
Category: Communications
Are incidents communicated to the appropriate stakeholders, including affected parties?
Is the status of recovery communicated?
Do you have an alternate communication channel for recovery communication?
Is the average time of recovery recorded and communicated?
Is the organization's average time to report for recovery communication defined?

Two further columns are left blank for the assessor to fill in against each question: Comments or Target Completion Date, and Corrective Actions if any.
