GitHub: VISHAKHVIJAYAN/iec62443-risk-assessment
# AI-Enhanced IEC 62443 Risk Assessment Framework for Oil and Gas ICS Security
**MCA Major Project | Amity University Online | Vishakh P**
## What It Does
A Python-based tool that assesses OT/ICS asset security posture against IEC 62443 requirements. It takes an asset inventory CSV, runs rule-based compliance checks (FR1-FR7, SL gap), enriches assets with real CISA threat intelligence, predicts risk with a Random Forest model, and produces prioritized reports.
Built from 11+ years of hands-on OT experience with Honeywell Experion DCS, Safety Manager ESD, SCADA, and process instrumentation in oil and gas gathering operations.
## Risk Formula
```text
Vulnerability = 0.60 x (1 - compliance_score) + 0.40 x KEV_score
Threat        = 0.70 x ML_expected + 0.30 x ICS-CERT_score
Likelihood    = 0.50 x Vulnerability + 0.50 x Threat
Risk          = Likelihood x Consequence

Risk bands: CRITICAL (>=0.90) | HIGH (>=0.60) | MEDIUM (>=0.30) | LOW (<0.30)
```
CRITICAL is a post-ML consequence layer: the Random Forest model only predicts LOW/MEDIUM/HIGH, so an asset can only land in the CRITICAL band when a high Likelihood is multiplied by a high Consequence in the final step. MITRE ATT&CK mappings are used for explanation and recommendations only, never for numeric scoring.
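The formula above, carried through in code as an added example (this is not the project's `risk_aggregator.py`; it reproduces the README's weights and bands only). Every intermediate term is returned so a score can be audited line by line, inputs are clamped to the [0, 1] range the weights assume, and the `CLASS_VALUES` map used to fold a three-class probability vector into `ML_expected` is an assumption for illustration, since the README does not state how that value is derived:

```python
import math

# Project-defined weights copied from the README's risk formula.
W_COMPLIANCE, W_KEV = 0.60, 0.40        # vulnerability split
W_ML, W_ICSCERT = 0.70, 0.30            # threat split
W_VULN, W_THREAT = 0.50, 0.50           # likelihood split

# Band thresholds from the README. CRITICAL is never predicted by the model;
# it is only reached via the consequence multiplication at the end.
BANDS = [(0.90, "CRITICAL"), (0.60, "HIGH"), (0.30, "MEDIUM")]

# ASSUMPTION: how the model's predict_proba output becomes ML_expected.
# The README does not define this mapping; the class values are illustrative.
CLASS_VALUES = {"LOW": 0.0, "MEDIUM": 0.5, "HIGH": 1.0}


def clamp01(x, name):
    """All formula inputs are scores in [0, 1]; anything else is a data error."""
    if not isinstance(x, (int, float)) or isinstance(x, bool) or math.isnan(x):
        raise ValueError(f"{name} must be numeric, got {x!r}")
    return min(1.0, max(0.0, float(x)))


def ml_expected(proba, classes=("LOW", "MEDIUM", "HIGH")):
    """Expected value of the class probabilities under CLASS_VALUES (assumed mapping)."""
    if len(proba) != len(classes) or abs(sum(proba) - 1.0) > 1e-6:
        raise ValueError("probabilities must be one per class and sum to 1")
    return sum(p * CLASS_VALUES[c] for p, c in zip(proba, classes))


def risk_band(score):
    """Map a risk score to the README's bands; anything below 0.30 is LOW."""
    for threshold, label in BANDS:
        if score >= threshold:
            return label
    return "LOW"


def assess(compliance_score, kev_score, ml_exp, icscert_score, consequence):
    """Return every intermediate term plus the final score and band for audit."""
    c = clamp01(compliance_score, "compliance_score")
    k = clamp01(kev_score, "kev_score")
    m = clamp01(ml_exp, "ml_expected")
    i = clamp01(icscert_score, "icscert_score")
    q = clamp01(consequence, "consequence")
    vulnerability = W_COMPLIANCE * (1.0 - c) + W_KEV * k
    threat = W_ML * m + W_ICSCERT * i
    likelihood = W_VULN * vulnerability + W_THREAT * threat
    risk = round(likelihood * q, 4)
    return {
        "vulnerability": round(vulnerability, 4),
        "threat": round(threat, 4),
        "likelihood": round(likelihood, 4),
        "risk": risk,
        "band": risk_band(risk),
    }


if __name__ == "__main__":
    # Constructed inputs: a poorly patched, KEV-listed controller on a
    # safety-critical loop (consequence 1.0), then the same asset on a
    # low-consequence utility loop (consequence 0.5).
    probs = ml_expected([0.1, 0.3, 0.6])
    print(assess(0.25, 1.0, probs, 0.5, 1.0))
    print(assess(0.25, 1.0, probs, 0.5, 0.5))
```

Running the two constructed cases shows the design point in the paragraph above: identical Vulnerability and Threat terms give HIGH on the safety-critical loop and only MEDIUM on the utility loop, and the only way to reach CRITICAL is a Likelihood near 1.0 combined with a Consequence near 1.0.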
## Quick Start
### CLI
```bash
pip install -r requirements.txt

# Run with first demo (trains model on first run)
python main.py --input sample_inputs/demo_starwar_gas.csv --train --output outputs/starwar_gas

# Run remaining demos (uses saved model)
python main.py --input sample_inputs/demo_narachi_petrochem.csv --output outputs/narachi_petrochem
python main.py --input sample_inputs/demo_thumbad_ammonia.csv --output outputs/thumbad_ammonia
```
### Flask GUI
```bash
python app.py
# Open http://127.0.0.1:5000
```
Or double-click `START_TOOL.bat` on Windows — it sets up the venv and launches automatically.
### Tests
```bash
python -m pytest tests/ -v
```
## Project Structure
```text
├── main.py                    # CLI entry point
├── app.py                     # Flask web GUI
├── START_TOOL.bat             # Windows launcher (creates venv, installs deps, starts GUI)
│
├── src/                       # Active pipeline modules (all imported by assessment_pipeline.py)
│   ├── assessment_pipeline.py # Shared backend — both CLI and Flask call this
│   ├── asset_loader.py        # CSV input parsing (20-field schema)
│   ├── iec62443_engine.py     # FR1-FR7 compliance + SL gap + recommendations
│   ├── zone_conduit_mapper.py # Purdue zone and conduit checks
│   ├── kev_enricher.py        # CISA KEV lookup by vendor+product
│   ├── icscert_enricher.py    # ICS-CERT advisory lookup
│   ├── mitre_enricher.py      # ATT&CK technique mapping (9 rules + CVE cross-ref)
│   ├── ml_predictor.py        # Random Forest model (18 features)
│   ├── risk_aggregator.py     # Risk = Likelihood x Consequence
│   └── report_generator.py    # CSV, charts, recommendations, HTML report
│
├── experimental/              # Future scope / optional reference modules
│   └── swat_mapper.py         # Optional SWaT attack-pattern reference module (future validation).
│                              # NOT imported by the active assessment pipeline.
│
├── data/
│   ├── cisa_kev.json          # Cached CISA KEV catalog
│   ├── icscert_advisories.json # Curated ICS-CERT advisories (80 entries)
│   ├── cve_to_technique.json  # CVE-to-ATT&CK mapping (31 verified entries)
│   ├── mitre_ics_v18_1.json   # MITRE ATT&CK for ICS technique data
│   ├── training_dataset.csv   # ML training data (501 rows, 18 features + metadata)
│   └── template_assets.csv    # Empty 20-column template
│
├── sample_inputs/             # Three demo facility inventories
├── models/                    # Saved Random Forest model (.pkl)
├── tests/                     # pytest unit tests
├── templates/                 # Flask HTML templates
├── static/                    # Flask CSS/JS assets
└── tools/                     # Data generation scripts
```
## Input Schema (20 Fields)
```text
asset_id, asset_name, asset_type, vendor, product, firmware_version,
zone, authentication_type, patch_status, network_segmented,
internet_facing, remote_access, encryption_enabled, target_sl,
process_criticality, communication_protocol, os_end_of_life,
has_role_based_access, has_audit_logging, has_redundancy
```
vendor/product/firmware_version are used for KEV and ICS-CERT matching — they are NOT ML features.
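An added example of loading and validating a file in this schema (not the project's `asset_loader.py`). It enforces the exact 20-column header, rejects an `achieved_sl` column because that value is always a computed output, range-checks `target_sl` against the SL 0 to SL 4 scale of IEC 62443-3-3, and separates the three lookup identifiers from the fields that feed the assessment. The yes/no encoding of the flag columns and the sample row are assumptions constructed for the example; the README lists the column names but not their value format:

```python
import csv
import io

# The 20-column input schema from the README, in order.
SCHEMA = [
    "asset_id", "asset_name", "asset_type", "vendor", "product", "firmware_version",
    "zone", "authentication_type", "patch_status", "network_segmented",
    "internet_facing", "remote_access", "encryption_enabled", "target_sl",
    "process_criticality", "communication_protocol", "os_end_of_life",
    "has_role_based_access", "has_audit_logging", "has_redundancy",
]
# Lookup keys for KEV / ICS-CERT matching; the README says these are not ML features.
LOOKUP_KEYS = {"vendor", "product", "firmware_version"}
# ASSUMPTION: these columns are yes/no flags (the README does not state the encoding).
BOOL_FIELDS = {
    "network_segmented", "internet_facing", "remote_access", "encryption_enabled",
    "os_end_of_life", "has_role_based_access", "has_audit_logging", "has_redundancy",
}
# achieved_sl is always calculated by the tool, so it must never appear as input.
FORBIDDEN = {"achieved_sl"}

# Constructed sample inventory (one asset) in the README's schema.
SAMPLE_CSV = (
    ",".join(SCHEMA) + "\n"
    "A-001,Gas Train PLC,PLC,ExampleVendor,ExamplePLC,2.1.0,L1,password,outdated,"
    "yes,no,yes,no,2,high,Modbus/TCP,no,no,yes,yes\n"
)


def parse_bool(value, field, row_id):
    """Accept the common spellings of a flag; anything else is a data error, not False."""
    v = value.strip().lower()
    if v in {"yes", "y", "true", "1"}:
        return True
    if v in {"no", "n", "false", "0"}:
        return False
    raise ValueError(f"{row_id}: {field} must be yes/no, got {value!r}")


def load_assets(csv_text):
    """Parse an inventory CSV, enforce the schema, and split lookup keys from assessment fields."""
    reader = csv.DictReader(io.StringIO(csv_text))
    header = reader.fieldnames or []
    if set(header) & FORBIDDEN:
        raise ValueError("achieved_sl is a computed output; remove it from the input CSV")
    missing = [c for c in SCHEMA if c not in header]
    extra = [c for c in header if c not in SCHEMA]
    if missing or extra:
        raise ValueError(f"schema mismatch: missing={missing} extra={extra}")

    assets = []
    for line_no, row in enumerate(reader, start=2):
        # Short rows give None for trailing columns; normalise to "" before validating.
        fields = {k: (v or "").strip() for k, v in row.items() if k is not None}
        rid = fields["asset_id"] or f"line {line_no}"
        try:
            sl = int(fields["target_sl"])
        except ValueError:
            raise ValueError(f"{rid}: target_sl must be an integer") from None
        if not 0 <= sl <= 4:  # IEC 62443-3-3 security levels run from SL 0 to SL 4
            raise ValueError(f"{rid}: target_sl {sl} outside SL 0..4")
        fields["target_sl"] = sl
        for b in BOOL_FIELDS:
            fields[b] = parse_bool(fields[b], b, rid)
        assets.append({
            "lookup": {k: fields.pop(k) for k in sorted(LOOKUP_KEYS)},
            "fields": fields,
        })
    return assets


if __name__ == "__main__":
    for asset in load_assets(SAMPLE_CSV):
        print(asset["lookup"], asset["fields"]["target_sl"], asset["fields"]["remote_access"])
```

Failing loudly on an unknown flag value (rather than defaulting it to "no") matters here: a typo in `network_segmented` that silently became `False` would lower the compliance score and inflate risk, while one that became `True` would hide a real gap.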
## Training Dataset Notes
`data/training_dataset.csv` contains 501 synthetic OT asset profiles used to train the Random Forest model. The file has 25 columns:
- **18 ML input features** (the exact `FEATURE_NAMES` list in `ml_predictor.py`)
- **3 lookup identifiers** not used as features: `vendor`, `product`, `firmware_version`
- **3 metadata / audit-trail columns** not used as ML input features: `compliance_score`, `final_risk_score`, and `risk_label` (where `risk_label` is the training target class)
- **1 derived field**: `sl_gap` (used as feature #15 in the 18-feature vector)
`compliance_score` and `final_risk_score` are pre-computed reference values included for audit-trail purposes only. They are not fed into the Random Forest encoder and do not affect model training or prediction.
## Demo Facilities
| Facility | Security Posture | Expected Outcome |
|---|---|---|
| Star War Gas Plant | Hardened baseline | All LOW risk in current demo run |
| Narachi Petrochemical | Mixed controls | MEDIUM/HIGH risks |
| Thumbad Ammonia Plant | Weak security | HIGH/CRITICAL risks |
## Key Design Decisions
- **achieved_sl is always a calculated output**, never a CSV input column
- **SL heuristic** is inspired by IEC 62443-3-3 SR/RE tables, not an official formula
- **kev_max_cvss** is a severity proxy from KEV description keywords, not real NVD CVSS
- **MITRE ATT&CK for ICS v18.1** (October 28, 2025) — cite consistently
- **SWaT raw data** is NOT used in runtime scoring — kept in `experimental/` as optional reference
- **60/40 vulnerability split** and **70/30 threat split** are project-defined weights
- **Risk formula weights** are project-defined for academic prioritization, aligned with IEC 62443 risk methodology concepts — not official IEC standard coefficients
## Standards References
- IEC 62443-1-1: Terminology, Concepts and Models
- IEC 62443-2-1: Cybersecurity Management System (risk assessment methodology)
- IEC 62443-3-2: Security Risk Assessment for System Design
- IEC 62443-3-3: System Security Requirements and Security Levels
- MITRE ATT&CK for ICS v18.1
- CISA Known Exploited Vulnerabilities Catalog
- CISA ICS-CERT Advisories