performing-ot-vulnerability-assessment-with-claroty

本技能涵盖使用Claroty xDome平台在OT环境中执行漏洞评估,实现全面资产发现、风险评分、漏洞关联和修复优先级排序。内容涉及通过流量分析进行被动漏洞识别、OT设备安全主动查询、与CVE数据库和ICS-CERT公告集成,以及考虑运营影响和补偿控制措施的基于风险的优先级排序。

9 stars

Best use case

performing-ot-vulnerability-assessment-with-claroty is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

本技能涵盖使用Claroty xDome平台在OT环境中执行漏洞评估,实现全面资产发现、风险评分、漏洞关联和修复优先级排序。内容涉及通过流量分析进行被动漏洞识别、OT设备安全主动查询、与CVE数据库和ICS-CERT公告集成,以及考虑运营影响和补偿控制措施的基于风险的优先级排序。

Teams using performing-ot-vulnerability-assessment-with-claroty should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/performing-ot-vulnerability-assessment-with-claroty/SKILL.md --create-dirs "https://raw.githubusercontent.com/killvxk/cybersecurity-skills-zh/main/skills/performing-ot-vulnerability-assessment-with-claroty/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/performing-ot-vulnerability-assessment-with-claroty/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How performing-ot-vulnerability-assessment-with-claroty Compares

Feature / Agentperforming-ot-vulnerability-assessment-with-clarotyStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

本技能涵盖使用Claroty xDome平台在OT环境中执行漏洞评估,实现全面资产发现、风险评分、漏洞关联和修复优先级排序。内容涉及通过流量分析进行被动漏洞识别、OT设备安全主动查询、与CVE数据库和ICS-CERT公告集成,以及考虑运营影响和补偿控制措施的基于风险的优先级排序。

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# 使用Claroty执行OT漏洞评估

## 适用场景

- 按照IEC 62443或NERC CIP要求进行定期OT漏洞评估时
- 首次部署Claroty xDome并执行初始资产发现和风险评估时
- 将新发布的ICS-CERT公告与OT资产清单进行关联时
- 在有限维护窗口内对OT漏洞修复进行优先级排序时
- 为CIP-010-4漏洞评估要求生成合规证据时

**不适用于**对PLC和安全系统进行主动漏洞扫描(参见performing-ot-network-security-assessment的被动方法)、仅IT漏洞管理(使用标准漏洞扫描器),或渗透测试(参见performing-ics-penetration-testing)。

## 前置条件

- 在OT网络上部署了传感器的Claroty xDome或CTD(持续威胁检测)
- 用于被动资产发现的网络SPAN/TAP访问
- 用于漏洞跟踪的CISA ICS-CERT公告订阅
- 包含所有OT设备固件版本的资产清单
- 维护窗口期间补丁部署的变更管理流程

## 工作流程

### 步骤 1:配置资产发现和漏洞关联

配置Claroty执行被动和主动安全发现,建立包含固件版本的完整资产清单用于漏洞关联。

```python
#!/usr/bin/env python3
"""OT漏洞评估管理器。

将OT资产清单与ICS-CERT公告和CVE数据进行关联,
以识别、优先排序和跟踪OT漏洞。设计用于
与Claroty xDome API集成或独立运行。
"""

import json
import sys
from collections import defaultdict
from dataclasses import dataclass, field, asdict
from datetime import datetime

import requests


@dataclass
class OTAsset:
    asset_id: str
    name: str
    vendor: str
    model: str
    firmware_version: str
    asset_type: str  # PLC, HMI, RTU, historian, switch等
    purdue_level: str
    ip_address: str
    protocol: str
    criticality: str  # critical, high, medium, low
    zone: str


@dataclass
class OTVulnerability:
    vuln_id: str
    cve_id: str
    title: str
    severity: str  # critical, high, medium, low
    cvss_score: float
    affected_vendor: str
    affected_product: str
    affected_versions: str
    description: str
    ics_cert_advisory: str = ""
    remediation: str = ""
    patch_available: bool = False
    compensating_controls: str = ""


@dataclass
class RiskAssessment:
    asset: OTAsset
    vulnerability: OTVulnerability
    risk_score: float = 0.0
    risk_rating: str = ""
    exploitability: str = ""
    operational_impact: str = ""
    compensating_controls: list = field(default_factory=list)
    remediation_priority: int = 0


class OTVulnerabilityAssessment:
    """OT漏洞评估和优先级排序引擎。"""

    def __init__(self):
        self.assets = []
        self.vulnerabilities = []
        self.risk_assessments = []

    def load_assets(self, assets_data):
        """从Claroty导出或手动清单加载资产。"""
        for a in assets_data:
            self.assets.append(OTAsset(**a))
        print(f"[*] 已加载 {len(self.assets)} 个OT资产")

    def fetch_ics_advisories(self):
        """从CISA获取最新ICS-CERT公告。"""
        print("[*] 从CISA获取ICS-CERT公告...")
        try:
            # CISA已知被利用漏洞目录
            url = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"
            resp = requests.get(url, timeout=30)
            resp.raise_for_status()
            data = resp.json()

            ics_vulns = []
            for vuln in data.get("vulnerabilities", []):
                # 过滤ICS相关供应商
                ics_vendors = [
                    "siemens", "schneider", "rockwell", "honeywell",
                    "abb", "ge", "emerson", "yokogawa", "omron",
                    "mitsubishi", "phoenix", "moxa", "advantech",
                ]
                vendor = vuln.get("vendorProject", "").lower()
                if any(v in vendor for v in ics_vendors):
                    ics_vulns.append(vuln)

            print(f"  发现 {len(ics_vulns)} 个ICS相关已知利用漏洞")
            return ics_vulns

        except Exception as e:
            print(f"[警告] 无法获取公告: {e}")
            return []

    def correlate_vulnerabilities(self):
        """基于供应商/型号/固件将漏洞与资产匹配。"""
        print("[*] 将漏洞与资产关联...")

        for asset in self.assets:
            for vuln in self.vulnerabilities:
                if (vuln.affected_vendor.lower() in asset.vendor.lower() and
                    vuln.affected_product.lower() in asset.model.lower()):
                    # 如有指定则检查固件版本
                    ra = RiskAssessment(asset=asset, vulnerability=vuln)
                    self._calculate_risk_score(ra)
                    self.risk_assessments.append(ra)

        print(f"  已关联 {len(self.risk_assessments)} 个资产-漏洞对")

    def _calculate_risk_score(self, ra):
        """计算考虑运营影响的OT特定风险评分。"""
        # 基于CVSS的基础评分
        base = ra.vulnerability.cvss_score

        # 基于资产功能的关键性乘数
        criticality_weights = {
            "critical": 1.5,  # SIS、安全系统
            "high": 1.3,      # PLC、主要控制
            "medium": 1.0,    # HMI、历史服务器
            "low": 0.7,       # 非关键支持系统
        }
        criticality = criticality_weights.get(ra.asset.criticality, 1.0)

        # Purdue级别接近度因子(级别越低 = 风险越高)
        level_weights = {
            "Level 0-1": 1.5,
            "Level 2": 1.3,
            "Level 3": 1.0,
            "Level 3.5": 0.8,
            "Level 4": 0.6,
        }
        level_factor = level_weights.get(ra.asset.purdue_level, 1.0)

        # 如有补偿控制措施则降低网络暴露风险
        comp_reduction = 0.8 if ra.compensating_controls else 1.0

        ra.risk_score = round(base * criticality * level_factor * comp_reduction, 1)
        ra.risk_score = min(ra.risk_score, 10.0)

        if ra.risk_score >= 9.0:
            ra.risk_rating = "critical"
            ra.remediation_priority = 1
        elif ra.risk_score >= 7.0:
            ra.risk_rating = "high"
            ra.remediation_priority = 2
        elif ra.risk_score >= 4.0:
            ra.risk_rating = "medium"
            ra.remediation_priority = 3
        else:
            ra.risk_rating = "low"
            ra.remediation_priority = 4

    def generate_report(self):
        """生成漏洞评估报告。"""
        # 按风险评分降序排列
        sorted_ra = sorted(self.risk_assessments, key=lambda x: -x.risk_score)

        report = []
        report.append("=" * 70)
        report.append("OT漏洞评估报告")
        report.append(f"日期: {datetime.now().isoformat()}")
        report.append(f"资产: {len(self.assets)} | 漏洞: {len(self.vulnerabilities)}")
        report.append(f"风险评估: {len(self.risk_assessments)}")
        report.append("=" * 70)

        for sev in ["critical", "high", "medium", "low"]:
            findings = [ra for ra in sorted_ra if ra.risk_rating == sev]
            if findings:
                report.append(f"\n--- {sev.upper()} 风险 ({len(findings)}) ---")
                for ra in findings[:10]:
                    report.append(f"\n  风险评分: {ra.risk_score}/10.0")
                    report.append(f"  资产: {ra.asset.name} ({ra.asset.vendor} {ra.asset.model})")
                    report.append(f"  区域: {ra.asset.zone} ({ra.asset.purdue_level})")
                    report.append(f"  CVE: {ra.vulnerability.cve_id} (CVSS: {ra.vulnerability.cvss_score})")
                    report.append(f"  标题: {ra.vulnerability.title}")
                    if ra.vulnerability.patch_available:
                        report.append(f"  补丁: 可用 - 安排在下次维护窗口")
                    else:
                        report.append(f"  补丁: 不可用 - 应用补偿控制措施")

        return "\n".join(report)

    def export_json(self, output_file):
        """将评估导出为JSON。"""
        data = {
            "assessment_date": datetime.now().isoformat(),
            "asset_count": len(self.assets),
            "vulnerability_count": len(self.vulnerabilities),
            "risk_assessments": [
                {
                    "asset_name": ra.asset.name,
                    "asset_ip": ra.asset.ip_address,
                    "cve": ra.vulnerability.cve_id,
                    "risk_score": ra.risk_score,
                    "risk_rating": ra.risk_rating,
                    "priority": ra.remediation_priority,
                }
                for ra in sorted(self.risk_assessments, key=lambda x: -x.risk_score)
            ],
        }
        with open(output_file, "w") as f:
            json.dump(data, f, indent=2)


if __name__ == "__main__":
    assessment = OTVulnerabilityAssessment()
    advisories = assessment.fetch_ics_advisories()
    print(f"从CISA KEV目录获取了 {len(advisories)} 条ICS公告")
```

## 核心概念

| 术语 | 定义 |
|------|------|
| Claroty xDome | 为OT/IoT环境提供资产发现、漏洞管理和威胁检测的网络物理系统保护平台 |
| 被动发现(Passive Discovery) | 通过分析网络流量识别OT资产而不发送任何数据包,对生产环境安全 |
| 安全主动查询(Safe Active Query) | 以安全速率使用原生工业协议查询OT设备,收集详细资产信息而不干扰运营 |
| OT风险评分 | 结合CVSS基础评分、资产关键性、Purdue级别和补偿控制措施的OT适用风险评级 |
| ICS-CERT公告 | CISA发布的工业控制系统漏洞安全公告,包含供应商特定修复指导 |
| 虚拟打补丁(Virtual Patching) | 在无法立即应用固件补丁时,部署IPS/防火墙规则阻止已知漏洞利用 |

## 工具和系统

- **Claroty xDome**: 全面的OT/IoT资产发现、漏洞管理和持续威胁检测平台
- **Claroty CTD**: 用于OT环境被动网络监控的持续威胁检测传感器
- **CISA ICS-CERT**: 发布ICS漏洞通知和缓解指导的美国政府咨询服务
- **Dragos平台**: 具有资产可见性和漏洞管理功能的备选OT安全平台
- **Nozomi Networks Guardian**: 具有漏洞关联和风险评分的OT监控平台

## 输出格式

```
OT漏洞评估报告
=====================================
工具: Claroty xDome / 手动评估
日期: YYYY-MM-DD
已扫描资产: [N]

风险摘要:
  严重风险: [N]个漏洞影响[N]个资产
  高风险: [N]个漏洞影响[N]个资产
  中风险: [N]个漏洞影响[N]个资产
  低风险: [N]个漏洞影响[N]个资产

主要风险:
  [风险评分] [CVE-ID] 影响 [资产名称] ([区域])
    修复: [补丁/补偿控制措施]
    时限: [下次维护窗口/立即]
```

Related Skills

testing-api-for-mass-assignment-vulnerability

9
from killvxk/cybersecurity-skills-zh

测试 API 是否存在批量赋值(mass assignment,自动绑定)漏洞——攻击者可在 API 请求中附加额外参数,从而修改本不应被访问的对象属性。测试人员识别可写端点,向请求体注入未公开字段(role、isAdmin、price、balance),验证服务器是否在未过滤的情况下将这些字段绑定到数据模型。属于 OWASP API3:2023 Broken Object Property Level Authorization 范畴。适用于批量赋值测试、参数绑定滥用、自动绑定漏洞或 API 过度发布(over-posting)相关请求。

performing-yara-rule-development-for-detection

9
from killvxk/cybersecurity-skills-zh

通过识别可执行文件中的唯一字节模式、字符串和行为指标,开发精准的 YARA 恶意软件检测规则,同时将误报率降至最低。

performing-wireless-security-assessment-with-kismet

9
from killvxk/cybersecurity-skills-zh

使用 Kismet 通过被动射频监控进行无线网络安全评估,检测流氓接入点(Rogue AP)、隐藏 SSID、弱加密和未授权客户端。

performing-wireless-network-penetration-test

9
from killvxk/cybersecurity-skills-zh

执行无线网络渗透测试,通过捕获握手包、破解 WPA2/WPA3 密钥、检测流氓接入点以及使用 Aircrack-ng 和相关工具测试无线网络分段,评估 WiFi 安全性。

performing-windows-artifact-analysis-with-eric-zimmerman-tools

9
from killvxk/cybersecurity-skills-zh

使用 Eric Zimmerman 的开源 EZ Tools 套件(包括 KAPE、MFTECmd、PECmd、LECmd、JLECmd 和 Timeline Explorer)执行全面的 Windows 取证制品分析,解析注册表 hive、预取文件、事件日志和文件系统元数据。

performing-wifi-password-cracking-with-aircrack

9
from killvxk/cybersecurity-skills-zh

在授权无线安全评估中捕获 WPA/WPA2 握手包,并使用 aircrack-ng、hashcat 和字典攻击进行离线密码破解, 以评估密码短语强度和无线网络安全状况。

performing-web-cache-poisoning-attack

9
from killvxk/cybersecurity-skills-zh

在授权安全测试期间,通过未纳入缓存键的头部和参数毒化缓存响应,利用 Web 缓存机制向其他用户投递恶意内容。

performing-web-cache-deception-attack

9
from killvxk/cybersecurity-skills-zh

通过利用 CDN 缓存层与源服务器之间的路径规范化差异,执行 Web 缓存欺骗攻击,从而缓存并获取敏感的已认证内容。

performing-web-application-vulnerability-triage

9
from killvxk/cybersecurity-skills-zh

使用 OWASP 风险评级方法论对 DAST/SAST 扫描器的 Web 应用程序漏洞发现进行分类,区分真阳性和假阳性,并确定修复优先级。

performing-web-application-scanning-with-nikto

9
from killvxk/cybersecurity-skills-zh

Nikto 是一款开源 Web 服务器和 Web 应用程序扫描器,可针对超过 7,000 个潜在危险文件/程序进行测试,检查超过 1,250 个服务器的过期版本,并识别超过 270 个服务器的版本特定问题。

performing-web-application-penetration-test

9
from killvxk/cybersecurity-skills-zh

遵循 OWASP Web 安全测试指南(WSTG)方法论,对 Web 应用程序执行系统化安全测试,识别认证、授权、 输入验证、会话管理和业务逻辑中的漏洞。测试人员以 Burp Suite 作为主要拦截代理,结合手动测试技术 发现自动化扫描器遗漏的缺陷。适用于 Web 应用渗透测试、OWASP 测试、应用安全评估或 Web 漏洞测试等请求场景。

performing-web-application-firewall-bypass

9
from killvxk/cybersecurity-skills-zh

使用编码技术、HTTP 方法操控、参数污染和载荷混淆绕过 Web 应用防火墙保护,将 SQL 注入、XSS 及其他攻击载荷穿透 WAF 检测规则。