| Metric | Value | Note |
|---|---|---|
| Assets Monitored | 2,461 | PLCs, RTUs, HMIs, DCS, SIS |
| Zones / Conduits | 12 / 34 | ISA/IEC 62443 enforced |
| Critical Vulns | 23 | Firmware correlation active |
| Compliance Score | 71.5% | 6 frameworks tracked |
| Remote Sessions | 8 | JIT + MFA + recorded |
| ATT&CK Techniques | 47 | ICS matrix coverage |
Purdue Model — Zone Health
| Level | Zone | Assets | Findings | Conduits |
|---|---|---|---|---|
| L5 | Enterprise | 142 | 2 | 3 |
| L4 | Site Business | 89 | 5 | 4 |
| L3.5 | Industrial DMZ | 24 | 1 | 6 |
| L3 | Site Operations | 156 | 8 | 8 |
| L2 | Supervisory | 312 | 4 | 7 |
| L1 | Basic Control | 487 | 12 | 4 |
| L0 | Physical Process | 1,251 | 3 | 2 |
Real-time Alerts
| Time (UTC) | Alert | Detail |
|---|---|---|
| 14:23 | Unauthorized Modbus Write — PLC-047 | FC 0x06 from 10.10.8.99 — not in engineering whitelist. Blocked by IDS. |
| 09:15 | S7comm Auth Bypass Attempt — PLC-001 | 5 failed auth attempts from EWS-001. Account locked. ATT&CK T0812. |
| 07:41 | Config Drift — HMI-003 Golden Image Mismatch | 12 registry changes vs golden image. Unauthorized software. |
| 04:02 | Rogue Device on L2 — Baseline Violation | Unknown MAC 00:1A:2B:3C:4D:5E on VLAN 120. Not in inventory. |
| 02:30 | JIT Vendor Session — Siemens Support | PLC-001 firmware check. Approved by OT-Admin. Session recorded. |
Communication Baselines
| Check | Result | Status |
|---|---|---|
| Normal L2→L1 protocols | Modbus, S7comm, EtherNet/IP | ✓ |
| Unauthorized protocol detected | SMBv1 on L2 VLAN | ✗ |
| New connections (24h) | 3 new pairs | |
| Polling frequency anomaly | None detected | ✓ |
Asset Intelligence — Passive Discovery (SPAN/TAP)
| Metric | Value |
|---|---|
| Total Assets | 2,461 |
| Online | 2,318 |
| Vulnerable | 67 |
| End-of-Life | 18 |
| OT Protocols | 12 |
Full Asset Inventory
| ID | Name | Type | Vendor | FW / OS | Protocol | Zone | IP | Criticality | Status |
|---|---|---|---|---|---|---|---|---|---|
| PLC-001 | Main Process Controller | PLC | Siemens S7-1500 | V2.9.7 | S7comm+ | L1 | 10.10.1.10 | CRITICAL | ONLINE |
| PLC-002 | Water Treatment PLC | PLC | Allen-Bradley CLX | V33.011 | EtherNet/IP | L1 | 10.10.1.11 | CRITICAL | VULN |
| SIS-001 | Safety System | SIS | Triconex 3008 | V10.6 | TriStation | L1 | 10.10.1.100 | CRITICAL | ONLINE |
| DCS-001 | CENTUM VP | DCS | Yokogawa | R6.09 | OPC UA | L1 | 10.10.1.200 | CRITICAL | ONLINE |
| RTU-001 | Substation RTU | RTU | GE D400 | V8.1 | DNP3 | L1 | 10.10.2.20 | HIGH | ONLINE |
| HMI-001 | Operator Station 1 | HMI | AVEVA | 2023 R1 | OPC UA | L2 | 10.10.3.30 | HIGH | PATCH |
| SRV-001 | SCADA Server | Server | AVEVA | 2023.1 | Modbus | L3 | 10.10.4.41 | CRITICAL | VULN |
| FW-001 | OT Firewall | Firewall | Palo Alto PA-3260 | PAN-OS 11.1.2 | — | DMZ | 10.10.5.1 | CRITICAL | ONLINE |
| IOT-001 | MQTT Broker | Broker | Eclipse Mosquitto | V2.0.18 | MQTT | L3 | 10.10.9.10 | MEDIUM | MONITOR |
Identity, Access & Remote Operations
| Metric | Value | Note |
|---|---|---|
| Active Sessions | 8 | JIT enforced |
| MFA Enforced | 100% | All remote access |
| Default Creds Found | 3 | Remediation required |
| Session Recordings | 156 | Last 30 days |
JIT Remote Access — Active Sessions
| User | Role | Target | Approved By | MFA | Rec |
|---|---|---|---|---|---|
| siemens-support | Vendor | PLC-001 | OT-Admin-1 | YES | REC |
| ot-engineer-2 | Engineer | EWS-001 | OT-Manager | YES | REC |
| vendor-abb | Vendor | RTU-002 | Power-Eng | YES | REC |
Default Credential Alerts
| Device | Protocol | Credential | Risk |
|---|---|---|---|
| SW-003 (Moxa) | SNMP | Community: public | CRITICAL |
| IOT-012 | MQTT | admin:admin | CRITICAL |
| CAM-005 | HTTP | admin:123456 | HIGH |
Vulnerability, Patch & Exposure Management
| Metric | Value |
|---|---|
| Critical (CVSS 9.0+) | 23 |
| High (CVSS 7.0-8.9) | 67 |
| Medium (CVSS 4.0-6.9) | 142 |
| EOL Systems | 18 |
| Patch Current | 89% |
ICS-CERT Advisory Correlation
| CVE | Product | CVSS | Assets | Patch | Status |
|---|---|---|---|---|---|
| CVE-2023-28489 | Siemens S7-1500 | 9.8 | 3 | V3.0.1 | Scheduled |
| CVE-2022-1159 | Rockwell CompactLogix | 8.6 | 7 | V34.011 | Testing |
| CVE-2023-34360 | AVEVA SCADA | 8.1 | 2 | 2023.2 | Open |
| CVE-2023-0955 | JCI BMS | 6.5 | 4 | V4.4 | Compensating |
| CVE-2022-38152 | Moxa EDS-516A | 7.5 | 8 | V3.11 | Deploying |
| CVE-2023-28366 | Eclipse Mosquitto | 5.3 | 1 | V2.0.19 | Patched |
IoT Security Controls & Device Lifecycle
| Metric | Value |
|---|---|
| IoT Devices | 847 |
| Secure Config | 92% |
| Certs Expiring | 14 |
| Encrypted Transit | 100% |
Secure Onboarding Queue
| Device | Type | Creds | Cert | Config | Status |
|---|---|---|---|---|---|
| TEMP-094 | Temp Sensor | ✗ Default | ✗ None | ✗ Factory | BLOCKED |
| FLOW-027 | Flow Meter | ✓ Changed | ✓ Issued | ✗ Pending | IN PROGRESS |
| VIB-011 | Vibration | ✓ Changed | ✓ Issued | ✓ Applied | APPROVED |
Detection Engineering & MITRE ATT&CK for ICS
| Metric | Value |
|---|---|
| ATT&CK Techniques | 47 |
| Alerts (24h) | 156 |
| Log Coverage | 98.2% |
| Event Sources | 14 |
ATT&CK for ICS — Detection Rules
| Technique | ID | Tactic | Rules | Last Triggered |
|---|---|---|---|---|
| Unauthorized Command Message | T0855 | Impair Process | 3 | 14:23 today |
| Program Upload | T0845 | Lateral Movement | 2 | Yesterday |
| Modify Controller Tasking | T0821 | Execution | 4 | 3 days ago |
| Default Credentials | T0812 | Initial Access | 3 | 09:15 today |
| Exploitation of Remote Services | T0866 | Initial Access | 5 | 5 days ago |
| Denial of Service | T0814 | Inhibit Response | 2 | 7 days ago |
Incident Response & Recovery
| Metric | Value |
|---|---|
| Open P1 | 2 |
| Open P2 | 5 |
| Resolved (30d) | 14 |
| Avg Response | 4.2h |
Active Incidents
| ID | Title | Sev | Zone | Status |
|---|---|---|---|---|
| INC-089 | Unauthorized Modbus Write | P1 | L1 | Containment |
| INC-088 | S7comm Brute Force | P1 | L1 | Investigation |
| INC-087 | Rogue Device on L2 | P2 | L2 | Triage |
Evidence Locker — INC-089
| Type | Description | Chain of Custody |
|---|---|---|
| PCAP | Modbus capture — 10.10.8.99 | SOC-Analyst → Evidence-Srv |
| Logs | Firewall deny logs L1 | SIEM → Locked storage |
| PLC State | PLC-047 register dump | OT-Eng → Evidence-Srv |
OT Playbook — Unauthorized PLC Write
1. Isolate: Block the source IP at the zone firewall. Do NOT power cycle the PLC. ⚠ SAFETY GATE
2. Verify: Compare the current PLC program against the golden backup. Check for logic modifications.
3. Preserve: Capture PCAP, PLC state, and logs. Maintain chain of custody.
4. Assess: Verify with the operations team that the physical process is safe. ⚠ SAFETY GATE
5. Restore: If compromised, restore from a verified backup. Re-enable monitoring.
6. Report: Notify the CISO, plant manager, and regulators. Document lessons learned.
Segmentation & Zone/Conduit Policy
| Metric | Value |
|---|---|
| Zones | 12 |
| Conduits | 34 |
| Violations | 7 |
| Policy Match | 93% |
Conduit Policy Enforcement
| Conduit | Source → Dest | Allowed | Violations | Status |
|---|---|---|---|---|
| C-01 | L3 → L2 | OPC UA :4840, Modbus :502 | 0 | OK |
| C-02 | L4 → DMZ | HTTPS :443 only | 0 | OK |
| C-03 | DMZ → L3 | OPC UA :4840 (read-only) | 2 | ALERT |
| C-05 | L2 → L1 | S7comm :102, EtherNet/IP :44818 | 5 | BREACH |
| C-06 | VPN → DMZ | IPSec (JIT, recorded) | 0 | OK |
Governance, Compliance & Audit
| Metric | Value |
|---|---|
| Overall Score | 71.5% |
| Implemented | 892 |
| Critical Gaps | 23 |
| Total Controls | 1,247 |
Framework Compliance
| Standard | Version | Score | Implemented | Gaps |
|---|---|---|---|---|
| ISA/IEC 62443 | 2018 | 68% | 204 / 300 | 96 |
| NIST SP 800-82 | Rev 3 | 75% | 188 / 250 | 62 |
| NERC CIP | v7 | 82% | 164 / 200 | 36 |
| MITRE ATT&CK ICS | v14 | 84% | 47 / 56 | 9 |
| CIS Controls | v8.1 | 74% | 133 / 180 | 47 |
| CISA ICS Baseline | 2024 | 65% | 156 / 240 | 84 |