diff --git a/aquaponics-anomaly-monitor/README.md b/aquaponics-anomaly-monitor/README.md index 26ce14d..fce2dca 100644 --- a/aquaponics-anomaly-monitor/README.md +++ b/aquaponics-anomaly-monitor/README.md @@ -260,10 +260,20 @@ Agent: CRITICAL — Rapid pH crash detected (Δ-0.9 over ~12 hours). --- +## Companion Workspace + +This workspace monitors the **biology**. The companion workspace monitors the **security**: + +**[Aquaponics ICS Security](../aquaponics-ics-security/)** — Assesses and hardens the automation infrastructure (PLCs, SCADA, IoT controllers, network segmentation) that keeps fish alive and crops growing. + +The two workspaces are designed as a pair. A biological anomaly might be a cyber event (spoofed sensor data). A cyber event always has biological consequences (a compromised pump controller kills fish). See the [Bio-Cyber Cross-Correlation Guide](../aquaponics-ics-security/resources/bio-cyber-correlation.md) for how to use them together. + +--- + ## Built By -The Cognitropy Lab — Day 3 Workspace -Assigned by: [cognitropy.py](../cognitropy.py) -Domain: Aquaponics | Technique: Automated Anomaly Detection -Built by: Claude (Anthropic) × [DaxxSec](https://github.com/DaxxSec) +The Cognitropy Lab — Day 3 Workspace +Assigned by: [cognitropy.py](../cognitropy.py) +Domain: Aquaponics | Technique: Automated Anomaly Detection +Built by: Claude (Anthropic) × [DaxxSec](https://github.com/DaxxSec) Date: 2026-03-28 diff --git a/aquaponics-anomaly-monitor/resources/controller-platforms.md b/aquaponics-anomaly-monitor/resources/controller-platforms.md new file mode 100644 index 0000000..5eab0a8 --- /dev/null +++ b/aquaponics-anomaly-monitor/resources/controller-platforms.md @@ -0,0 +1,140 @@ +# Controller Platform Integration Guide + +## Purpose + +Most aquaponics systems use some form of automated monitoring — from a Raspberry Pi with pH and temperature probes to commercial SCADA systems. This guide covers how to get data out of common controller platforms and into this workspace for analysis. + +## Platform Profiles + +### Raspberry Pi + Custom Stack + +**Prevalence:** Most common in DIY and small commercial systems. + +**Typical setup:** +- Raspberry Pi 3/4/5 +- Atlas Scientific pH, DO, EC, temperature probes (I2C) +- Data logged to local CSV, SQLite, or InfluxDB +- Optional: Grafana dashboard, MQTT broker + +**How to get data into this workspace:** + +```bash +# If logging to CSV (most common) +# Copy the latest readings file +scp pi@192.168.1.100:/home/pi/aquaponics/logs/readings.csv ./outputs/ + +# Then use /scan with CSV reference +/scan readings.csv + +# If logging to InfluxDB +# Export last 24 hours to CSV +influx query 'from(bucket:"aquaponics") |> range(start: -24h)' --raw > outputs/readings.csv +``` + +**Data format expected:** +```csv +timestamp,pH,temp_c,do_mg_l,nh3_ppm,no2_ppm,no3_ppm,ec_us_cm +2026-03-28T08:00:00Z,6.9,27.2,7.1,0.08,0.04,22,850 +2026-03-28T09:00:00Z,6.8,27.4,6.9,0.09,0.04,23,860 +``` + +### Blynk IoT + +**Prevalence:** Common in hobby and small-scale systems. + +**Typical setup:** +- ESP32 or Arduino with Blynk library +- Sensors publish to Blynk virtual pins +- Data viewable in Blynk app/web + +**How to get data into this workspace:** + +```bash +# Blynk HTTP API — export pin data +# Replace TOKEN and pin numbers with your values +curl "https://blynk.cloud/external/api/get?token=YOUR_TOKEN&V0&V1&V2&V3" \ + -o outputs/blynk-snapshot.json + +# For historical data (Blynk Pro plan required) +curl "https://blynk.cloud/external/api/data/get?token=YOUR_TOKEN&pin=V0&period=WEEK" \ + -o outputs/blynk-history.json +``` + +**Pin mapping (document in `/onboard`):** +| Virtual Pin | Parameter | Unit | +|-------------|-----------|------| +| V0 | pH | - | +| V1 | Temperature | C | +| V2 | DO | mg/L | +| V3 | EC | uS/cm | + +### GroPal / FarmBot / Commercial Systems + +**Prevalence:** Commercial operations and well-funded research setups. + +**Typical setup:** +- Cloud-connected controller with vendor dashboard +- API access varies by vendor and plan tier + +**General approach:** +1. Check if your platform has an API (most commercial systems do) +2. Export data as CSV or JSON +3. Place in `outputs/` directory +4. Use `/scan` with the file reference + +**Common export paths:** +- GroPal: Settings > Data Export > CSV +- FarmBot: API at `https://my.farm.bot/api/sensor_readings` +- Custom SCADA: Usually Modbus polling to historian — export from historian + +### Manual Readings (No Automation) + +**Prevalence:** Beginners, educational setups, backup monitoring. + +**How to use this workspace without a controller:** + +Simply paste your readings directly into `/scan`: + +``` +/scan +pH: 6.9, Temp: 27.2C, DO: 7.1 mg/L, NH3: 0.08 ppm, NO2: 0.04 ppm, NO3: 22 ppm +``` + +Or use the structured template in `prompts/anomaly-scan-template.md`. + +**Recommendation:** Even with manual testing, log every reading to `work-log/` with timestamp. Trend data is where anomaly detection becomes powerful — a single reading is a snapshot, but a week of readings reveals patterns. + +--- + +## MQTT Integration (Advanced) + +Many DIY systems publish sensor data to an MQTT broker. If your system uses MQTT: + +```bash +# Subscribe to sensor topic and log to file +mosquitto_sub -h localhost -t "aquaponics/sensors/#" \ + | tee -a outputs/mqtt-log.txt + +# Or capture a single snapshot +mosquitto_sub -h localhost -t "aquaponics/sensors/#" -C 1 \ + -o outputs/mqtt-snapshot.json +``` + +**Standard topic structure (if you're designing your MQTT schema):** +``` +aquaponics/sensors/ph +aquaponics/sensors/temperature +aquaponics/sensors/do +aquaponics/sensors/nh3 +aquaponics/sensors/no2 +aquaponics/sensors/no3 +aquaponics/sensors/ec +aquaponics/sensors/flow_rate +aquaponics/alerts/compound_events +``` + +--- + +## Security Note + +If your controller is network-connected, also consider running the companion workspace: **[Aquaponics ICS Security](../aquaponics-ics-security/)** — it assesses and hardens the automation infrastructure that keeps your fish alive and your crops growing. A compromised controller can kill a system faster than any biological anomaly. diff --git a/aquaponics-anomaly-monitor/resources/seasonal-calibration.md b/aquaponics-anomaly-monitor/resources/seasonal-calibration.md new file mode 100644 index 0000000..7d1fdfb --- /dev/null +++ b/aquaponics-anomaly-monitor/resources/seasonal-calibration.md @@ -0,0 +1,110 @@ +# Seasonal Calibration Reference + +## Purpose + +Aquaponics parameters shift with seasons. A pH of 7.0 in July and 7.0 in January may represent different system states depending on latitude, species, and system type. This reference provides seasonal baseline adjustment guidance so anomaly detection accounts for natural variation rather than flagging seasonal shifts as false positives. + +## Why Seasonal Calibration Matters + +- **Water temperature** varies with ambient air temp, especially in greenhouses and outdoor systems +- **Dissolved oxygen** solubility is inversely related to temperature — warmer water holds less DO +- **Biofilter efficiency** varies with temperature — nitrifying bacteria slow below 15C and stall below 10C +- **Fish metabolism** changes with temperature — feeding rates, waste output, and oxygen demand all shift +- **Plant uptake** varies with photoperiod and temperature — nutrient removal rates change seasonally + +Without seasonal calibration, a system that is perfectly healthy in winter may trigger anomaly alerts simply because "normal" was baselined during summer. + +## Seasonal Adjustment Tables + +### Water Temperature Norms by System Type + +| Season | Outdoor (Temperate) | Greenhouse (Unheated) | Greenhouse (Heated) | Indoor (Climate-Controlled) | +|--------|--------------------|-----------------------|--------------------|-----------------------------| +| Winter (Dec-Feb) | 4-10C | 10-18C | 22-28C | 24-28C | +| Spring (Mar-May) | 10-18C | 16-24C | 24-28C | 24-28C | +| Summer (Jun-Aug) | 22-30C | 24-34C | 26-32C | 24-28C | +| Fall (Sep-Nov) | 12-20C | 14-22C | 22-28C | 24-28C | + +**Note:** These ranges are for temperate latitudes (30-50 degrees). Tropical systems (0-23 degrees) have much smaller seasonal variation. Adjust for your latitude. + +### Dissolved Oxygen Saturation by Temperature + +DO saturation decreases as temperature increases. These are the 100% saturation values at sea level: + +| Water Temp (C) | DO Saturation (mg/L) | Practical Minimum for Fish | +|----------------|---------------------|---------------------------| +| 10 | 11.3 | 7.0 | +| 15 | 10.1 | 6.5 | +| 20 | 9.1 | 6.0 | +| 25 | 8.3 | 5.5 | +| 30 | 7.6 | 5.0 | +| 35 | 7.0 | 4.5 | + +**Calibration rule:** In summer, a DO of 6.0 mg/L at 30C represents 79% saturation — adequate. In winter, a DO of 6.0 mg/L at 10C represents only 53% saturation — something is consuming oxygen. Same number, different diagnosis. + +### Biofilter Efficiency by Temperature + +Nitrifying bacteria (Nitrosomonas, Nitrobacter) are temperature-sensitive: + +| Water Temp (C) | Relative Nitrification Rate | Practical Impact | +|----------------|----------------------------|------------------| +| <10 | <20% of peak | Biofilter effectively offline. Ammonia will accumulate. | +| 10-15 | 20-50% of peak | Biofilter sluggish. Reduce feeding to match. | +| 15-20 | 50-80% of peak | Biofilter functional but not peak. Monitor NH3/NO2. | +| 20-30 | 80-100% of peak | Optimal range. Full processing capacity. | +| >30 | Declining | Heat stress on bacteria. DO competition increases. | + +**Calibration rule:** In spring, an ammonia reading of 0.15 ppm may be normal — the biofilter is still warming up. In summer, the same reading is a warning — the biofilter should be at full capacity. + +### Feeding Rate Adjustment by Season + +| Season | Feeding Rate (% body weight/day) | Rationale | +|--------|----------------------------------|-----------| +| Winter (<15C) | 0.5-1.0% | Reduced metabolism, slow biofilter | +| Spring (15-20C) | 1.0-2.0% | Increasing metabolism, biofilter warming | +| Summer (20-30C) | 2.0-3.0% | Peak metabolism, full biofilter capacity | +| Fall (20-15C) | 1.5-2.0% | Decreasing metabolism, biofilter cooling | + +**Calibration rule:** Nitrogen loading (NH3 + NO2 + NO3 total) should be evaluated relative to feeding rate, not absolute thresholds. A system fed at 3% in summer will naturally have higher nitrogen than the same system fed at 1% in winter. + +## How to Apply Seasonal Calibration + +### Step 1: Determine Your Season Profile + +When running `/onboard` or `/baseline`, record: +- Latitude (for photoperiod and ambient temp range) +- System type (outdoor / greenhouse unheated / greenhouse heated / indoor) +- Species (temperature preferences determine the operating range) +- Current season and month + +### Step 2: Adjust Alert Thresholds + +The `/scan` command should apply seasonal adjustments: + +``` +If system_type == "outdoor" AND season == "winter": + NH3_warning = 0.2 ppm (relaxed from 0.1 — biofilter is slower) + DO_warning = 8.0 mg/L (tightened — cold water should hold more DO) + pH range = 6.6-7.6 (slightly wider — less biological buffering) + +If system_type == "outdoor" AND season == "summer": + NH3_warning = 0.1 ppm (standard — biofilter should be at capacity) + DO_warning = 5.5 mg/L (relaxed — warm water holds less DO) + pH range = 6.8-7.4 (standard) +``` + +### Step 3: Document Baseline Shifts + +The `/baseline` command should record seasonal baselines separately: +- Winter baseline (Dec-Feb readings) +- Spring baseline (Mar-May readings) +- Summer baseline (Jun-Aug readings) +- Fall baseline (Sep-Nov readings) + +Anomaly detection compares current readings to the *seasonal* baseline, not the annual average. + +--- + +## Domain Accuracy Note + +The temperature-DO solubility relationship and nitrification rate curves in this document are based on published aquaculture science (Timmons & Ebeling, *Recirculating Aquaculture*, 3rd ed.; Lennard & Leonard, *A Comparison of Three Different Hydroponic Sub-systems*). Feeding rate percentages are general guidelines — actual rates depend on species, life stage, and system design. **This reference should be reviewed by a practicing aquaponics operator before use in production monitoring.** If you identify inaccuracies, please open an issue. diff --git a/aquaponics-ics-security/README.md b/aquaponics-ics-security/README.md index c6c6c39..cf615af 100644 --- a/aquaponics-ics-security/README.md +++ b/aquaponics-ics-security/README.md @@ -172,6 +172,16 @@ These workspaces are designed to complement each other. The anomaly monitor aler --- +## Companion Workspace + +This workspace secures the **automation**. The companion workspace monitors the **biology**: + +**[Aquaponics Anomaly Monitor](../aquaponics-anomaly-monitor/)** — Automated anomaly detection for water chemistry, biofilter health, and fish/plant systems. + +The two workspaces are designed as a pair. A cyber event always has biological consequences. A biological anomaly might be a cyber indicator. See [resources/bio-cyber-correlation.md](resources/bio-cyber-correlation.md) for the cross-correlation guide. + +--- + ## Disclaimer This workspace is for authorized security assessment of systems you own or have explicit written permission to test. The agent will not assist with unauthorized access to systems. All active testing guidance includes explicit requirements for written authorization and maintenance windows. diff --git a/aquaponics-ics-security/resources/bio-cyber-correlation.md b/aquaponics-ics-security/resources/bio-cyber-correlation.md new file mode 100644 index 0000000..0a4cedc --- /dev/null +++ b/aquaponics-ics-security/resources/bio-cyber-correlation.md @@ -0,0 +1,104 @@ +# Bio-Cyber Cross-Correlation Guide + +## Purpose + +In aquaponics, the biological system and the cyber system are inseparable. A sensor anomaly might be biology (biofilter crash) or it might be cyber (spoofed sensor data). This guide helps operators distinguish between the two — and recognize when a biological anomaly is actually a cyber indicator, or vice versa. + +This document bridges the **[Aquaponics Anomaly Monitor](../aquaponics-anomaly-monitor/)** (biological monitoring) and this workspace (cyber security). + +--- + +## The Core Problem + +**A compromised controller can make a dying system look healthy.** + +If an attacker gains access to the sensor reporting chain — the MQTT broker, the database, the dashboard — they can replace real readings with fabricated ones. The dashboard shows pH 7.0, DO 7.5, NH3 0.05. Everything looks perfect. Meanwhile, the actual water is crashing. + +Conversely, **a compromised controller can make a healthy system look sick.** + +An attacker who can inject false sensor data could trigger automated responses — dosing pumps adding chemicals that aren't needed, feeders shutting off, alarms exhausting operator attention (alert fatigue as a tactic). + +--- + +## Bio → Cyber Indicators + +When the biological monitoring system flags an anomaly, ask: **could this be cyber?** + +| Biological Anomaly | Possible Cyber Cause | How to Distinguish | +|--------------------|---------------------|-------------------| +| Sudden perfect readings after fluctuation | Sensor data being overwritten with static values | Compare controller reading to manual test kit reading. If they disagree, suspect sensor chain compromise. | +| All parameters change simultaneously | Controller firmware replaced or config overwritten | Legitimate bio events affect parameters in sequence (NH3 rises first, then NO2, then pH drops). Simultaneous change across unrelated parameters is suspicious. | +| Readings inconsistent with physical observation | Sensor data spoofed at reporting layer | Look at the fish. If fish are surfacing but DO reads 8.0 mg/L, the sensor is lying. | +| Automated responses triggering without anomaly | Attacker sending commands directly to actuators | Check command logs. Did the dosing pump receive a command that the control logic didn't generate? | +| Readings frozen (exact same value repeated) | Sensor polling stopped, last value cached | Real sensors have noise — 0.01-0.05 variation is normal. Exact repetition (7.000, 7.000, 7.000) across multiple readings means the sensor isn't being polled. | + +## Cyber → Bio Indicators + +When the security monitoring system flags an anomaly, ask: **what's the biological impact?** + +| Cyber Anomaly | Biological Risk | Response Priority | +|---------------|----------------|-------------------| +| Unauthorized access to controller | Immediate: attacker can modify pump/feeder/dosing schedules | **CRITICAL** — verify all actuator states physically | +| MQTT broker compromise | Sensor data integrity lost — monitoring becomes unreliable | **HIGH** — switch to manual monitoring until broker is verified | +| Dashboard credentials compromised | Observation capability lost — attacker can see but not act (unless dashboard has write access) | **MEDIUM** — rotate credentials, check for write permissions | +| Network scan detected on OT VLAN | Reconnaissance phase — attack likely incoming | **HIGH** — isolate OT network, increase monitoring frequency | +| Firmware update pushed outside maintenance window | Controller behavior may be modified — unknown impact | **CRITICAL** — do not trust sensor data until firmware is verified | +| DNS or NTP manipulation | Logging timestamps unreliable — forensic integrity lost | **MEDIUM** — verify system time, check for time-based automation triggers | + +## The Validation Protocol + +When any anomaly is detected — biological or cyber — run this cross-validation: + +### Step 1: Physical Ground Truth +- **Look at the fish.** Behavior is a leading indicator. Gasping at surface = low DO regardless of what the sensor says. +- **Look at the plants.** Wilting, yellowing, or root discoloration that doesn't match sensor data = suspect data integrity. +- **Smell the water.** Ammonia has a distinctive smell at concentrations above 0.5 ppm. If the sensor says 0.05 but you can smell it, the sensor is wrong. +- **Use a manual test kit.** API, Hanna, or Salifert test kits are the ground truth. Compare to controller reading. + +### Step 2: Sensor Chain Verification +- **Compare sensor output to controller input.** If the sensor probe reads differently from what the controller reports, the chain is compromised between probe and controller. +- **Check MQTT messages against database values.** If MQTT published 6.5 but the database shows 7.0, something is modifying data in transit or at rest. +- **Check dashboard against database.** If the database shows 6.5 but the dashboard shows 7.0, the visualization layer is compromised. +- **Check controller logs for unexpected commands.** Pumps, feeders, and dosing systems should only respond to commands from the control logic. Orphan commands indicate unauthorized access. + +### Step 3: Timeline Correlation +- **When did the biological anomaly start?** +- **When did the last cyber event occur?** (Failed login, network scan, firmware update, config change) +- **Do they correlate?** If ammonia started rising 30 minutes after an unauthorized SSH login to the controller, that's correlation. +- **Check for the "too quiet" signal.** If the system was generating normal sensor noise and suddenly goes perfectly flat, that's the data equivalent of a phone going dead — silence is a signal. + +--- + +## Integration Workflow + +For operators running both workspaces: + +1. Run `/scan` in the Anomaly Monitor with current readings +2. If anomaly detected, check this guide's Bio → Cyber table +3. If cyber cause suspected, switch to ICS Security workspace +4. Run `/incident-response` if compromise is likely +5. Run the Validation Protocol regardless of initial assessment +6. Log findings in both workspaces' `work-log/` directories + +For security assessors evaluating an aquaponics site: + +1. Run `/asset-inventory` and `/network-audit` in ICS Security +2. For each finding, check this guide's Cyber → Bio table for biological risk +3. Prioritize findings by biological impact, not just technical severity +4. A low-severity IT finding (default password on dashboard) becomes critical if that dashboard has write access to actuators + +--- + +## Key Principle + +**In aquaponics, every cyber event is also a biological event.** + +A firewall rule misconfiguration doesn't just create a security exposure — it creates a path from the internet to the pump that keeps 10,000 fish alive. A default password isn't just a compliance finding — it's the only thing standing between an attacker and the feeding schedule that determines whether a crop lives or dies. + +Security assessments that ignore biological impact are incomplete. Biological monitoring that ignores cyber integrity is naive. The two workspaces exist as a pair for this reason. + +--- + +## Domain Accuracy Note + +The bio-cyber correlation patterns in this document are based on published ICS security research (CISA advisories, SANS ICS whitepapers) and aquaculture monitoring best practices. The specific sensor behavior patterns (noise characteristics, response sequences) reflect general aquaponics system behavior — your system may differ based on sensor brand, calibration frequency, and controller firmware. **This guide should be reviewed by both a security practitioner and an aquaponics operator before use in incident response.** If you identify inaccuracies, please open an issue. diff --git a/aquaponics-ics-security/resources/shodan-dorks.md b/aquaponics-ics-security/resources/shodan-dorks.md new file mode 100644 index 0000000..9aae492 --- /dev/null +++ b/aquaponics-ics-security/resources/shodan-dorks.md @@ -0,0 +1,159 @@ +# Shodan Dork Library — Aquaponics & Smart Agriculture + +## Purpose + +These Shodan search queries help identify exposed aquaponics and smart agriculture infrastructure on the public internet. Use them during `/network-audit` to check whether your own systems are externally visible, or during threat modeling to understand the attack surface of the sector. + +**Ethical use only.** These queries identify publicly exposed systems. Do not access, probe, or interact with systems you do not own or have authorization to assess. + +--- + +## Unitronics PLCs (CISA AA23-335A targets) + +``` +# Unitronics Vision/Samba — PCOM protocol +port:20256 "Unitronics" + +# Unitronics web interface +http.title:"Unitronics" port:80 + +# Unitronics VNC (HMI remote access) +port:5900 "Unitronics" + +# UniStream web server +http.title:"UniStream" OR http.title:"Unilogic" +``` + +## MQTT Brokers (Sensor Data) + +``` +# Open MQTT brokers (no auth) +port:1883 "MQTT" + +# MQTT with aquaponics/agriculture topics (rare but findable) +port:1883 "aqua" OR "greenhouse" OR "hydro" + +# MQTT WebSocket interface +port:9001 "MQTT" + +# Mosquitto broker version disclosure +port:1883 product:"Mosquitto" +``` + +## Raspberry Pi Controllers + +``` +# Raspberry Pi SSH (default config) +port:22 "SSH" os:"Linux" "raspbian" OR "Raspberry" + +# Node-RED (common automation UI) +http.title:"Node-RED" + +# Grafana dashboards (sensor visualization) +http.title:"Grafana" "aqua" OR "fish" OR "greenhouse" OR "hydro" + +# InfluxDB (sensor time-series database) +port:8086 product:"InfluxDB" +``` + +## SCADA / HMI Systems + +``` +# General SCADA web interfaces +http.title:"SCADA" "water" OR "pump" OR "ph" OR "temperature" + +# Modbus TCP (industrial protocol, no auth by design) +port:502 "Modbus" + +# DNP3 (less common in aquaponics but used in water treatment) +port:20000 "DNP3" + +# BACnet (building automation — greenhouses) +port:47808 "BACnet" +``` + +## Greenhouse & Environmental Controllers + +``` +# Argus Controls (commercial greenhouse) +http.title:"Argus Controls" + +# Priva (greenhouse climate control) +http.title:"Priva" + +# Growlink / GroPal +http.title:"Growlink" OR http.title:"GroPal" + +# Generic environmental monitoring +http.title:"Environmental Monitor" "temperature" "humidity" +``` + +## Webcams (Physical Observation) + +``` +# IP cameras in greenhouse/aquaculture settings +http.title:"camera" "fish" OR "aqua" OR "greenhouse" OR "grow" + +# Common camera brands in agricultural settings +http.title:"HIKVISION" "farm" OR "greenhouse" +``` + +## Compound Queries (High Signal) + +``` +# Unitronics PLC + default port (highest risk — CISA advisory target) +port:20256 + +# Open MQTT + open Grafana on same network (full sensor visibility) +port:1883 port:3000 "Grafana" + +# Modbus + water/agriculture keywords +port:502 "water" OR "pump" OR "aqua" +``` + +--- + +## How to Use These Queries + +### Check Your Own Exposure + +```bash +# Search for your public IP in Shodan +shodan host YOUR_PUBLIC_IP + +# Search for your organization name +shodan search "org:YOUR_ORG_NAME" port:20256,1883,502,80 + +# Monitor for new exposure (Shodan Monitor — paid) +shodan alert create "My Aquaponics" YOUR_IP/24 +``` + +### Assess Sector Exposure (Research) + +```bash +# Count exposed Unitronics PLCs globally +shodan count port:20256 + +# Count exposed MQTT brokers +shodan count port:1883 product:"Mosquitto" + +# Export results for analysis (researcher API key required) +shodan download aquaponics-exposure port:20256 +``` + +### Integrate with `/threat-model` + +When running `/threat-model`, reference these queries to identify realistic attack vectors: +- "Shodan shows X Unitronics PLCs exposed on port 20256 globally" +- "MQTT brokers without auth are discoverable — here's what an attacker sees" +- "Your Node-RED instance is accessible from the internet" + +--- + +## Responsible Disclosure + +If you discover exposed aquaponics or agriculture infrastructure that is not your own: +1. Do NOT access, probe, or interact with the system +2. Attempt to identify the owner through WHOIS, Shodan org data, or reverse DNS +3. If identifiable, notify the owner through appropriate channels +4. If critical infrastructure (water treatment, food production), consider notifying CISA: https://www.cisa.gov/report diff --git a/aquaponics-ics-security/resources/vendor-hardening-profiles.md b/aquaponics-ics-security/resources/vendor-hardening-profiles.md new file mode 100644 index 0000000..2d5b80b --- /dev/null +++ b/aquaponics-ics-security/resources/vendor-hardening-profiles.md @@ -0,0 +1,136 @@ +# Vendor-Specific Hardening Profiles + +## Purpose + +Most aquaponics automation is built on three platform families. Each has different default configurations, common vulnerabilities, and hardening approaches. This guide provides specific, actionable hardening steps for each. + +--- + +## Profile 1: Raspberry Pi + Custom Stack + +**Risk level:** HIGH — these systems are typically built by aquaculture practitioners, not security engineers. + +### Common Vulnerabilities +- Default `pi`/`raspberry` credentials left unchanged +- SSH exposed on port 22 with password auth +- No firewall — all ports open on the local network +- Sensor data transmitted unencrypted over I2C/UART (physical access risk) +- Web dashboards (Grafana, Node-RED, custom Flask) with no authentication +- MQTT broker with no auth (anonymous publish/subscribe) +- No automatic updates — known CVEs persist indefinitely +- SD card unencrypted — physical theft exposes all config and data + +### Hardening Checklist + +**Immediate (do now):** +- [ ] Change default password: `sudo passwd pi` +- [ ] Disable password SSH, enable key-only: edit `/etc/ssh/sshd_config` → `PasswordAuthentication no` +- [ ] Enable UFW firewall: `sudo ufw enable && sudo ufw default deny incoming` +- [ ] Allow only needed ports: `sudo ufw allow from 192.168.1.0/24 to any port 22` (SSH from LAN only) +- [ ] Set MQTT broker auth: add `password_file /etc/mosquitto/passwd` to `mosquitto.conf` +- [ ] Add auth to web dashboards (Grafana: built-in, Node-RED: `adminAuth` in settings.js) + +**Short-term (this week):** +- [ ] Enable automatic security updates: `sudo apt install unattended-upgrades` +- [ ] Move SSH to non-standard port: `Port 2222` in sshd_config +- [ ] Set up fail2ban: `sudo apt install fail2ban` +- [ ] Enable HTTPS for web dashboards (Let's Encrypt or self-signed) +- [ ] Segment IoT network from main LAN (VLAN or separate subnet) +- [ ] Disable unused services: `sudo systemctl disable bluetooth avahi-daemon` + +**Medium-term (this month):** +- [ ] Encrypt SD card (LUKS): protects against physical theft +- [ ] Set up VPN for remote access instead of port forwarding +- [ ] Implement TLS for MQTT: `listener 8883` with cert configuration +- [ ] Add watchdog: `sudo apt install watchdog` — auto-reboot on hang +- [ ] Backup configuration to encrypted off-device storage + +--- + +## Profile 2: Unitronics PLCs (Vision/Samba/UniStream) + +**Risk level:** CRITICAL — these are the PLCs cited in the 2023 CISA Unitronics advisory (AA23-335A). + +### Common Vulnerabilities +- Default password `1111` on all Vision and Samba series PLCs +- PCOM protocol on TCP/20256 — no authentication, no encryption +- VNC on TCP/5900 with default or no password (HMI remote access) +- Web server on TCP/80 (UniStream) with default credentials +- Firmware update mechanism has no signature verification (pre-2024 firmware) +- No audit logging — unauthorized changes leave no trace +- Often directly exposed to the internet via port forwarding for "remote monitoring" + +### Hardening Checklist + +**Immediate (do now — CISA AA23-335A compliance):** +- [ ] Change default password from `1111` — use 8+ characters, alphanumeric +- [ ] Disable VNC if not needed: VisiLogic > PLC > VNC > Disable +- [ ] Block TCP/20256 (PCOM) from internet: firewall rule at network edge +- [ ] Block TCP/5900 (VNC) from internet +- [ ] Block TCP/80 (web server) from internet +- [ ] Verify PLC firmware is current: check Unitronics download center + +**Short-term (this week):** +- [ ] Segment PLC onto dedicated OT VLAN — no direct path from IT network +- [ ] Implement jump host for PLC programming (don't connect laptop directly to OT network) +- [ ] Enable PLC access logging if firmware supports it (UniStream v1.31+) +- [ ] Document all PLC IP addresses, firmware versions, and access credentials in asset inventory +- [ ] Set up network monitoring on OT VLAN (even basic pcap) + +**Medium-term (this month):** +- [ ] Deploy industrial firewall between IT and OT segments (Fortinet, Palo Alto OT, or open-source OPNsense with Suricata) +- [ ] Implement MFA for remote access to PLC programming environment +- [ ] Establish change management: no PLC program changes without documented approval +- [ ] Back up PLC programs to version-controlled repository +- [ ] Test backup restoration procedure — can you rebuild from backup? + +--- + +## Profile 3: Arduino/ESP32 + DIY Controllers + +**Risk level:** MEDIUM-HIGH — less capable than Pi systems but often completely unhardened. + +### Common Vulnerabilities +- OTA (Over-The-Air) update enabled with no authentication +- WiFi credentials hardcoded in firmware source code +- Web server for configuration with no auth (common in ESP32 projects) +- mDNS/Bonjour broadcasting device identity on local network +- No encryption on sensor data transmission +- No firmware signing — anyone on the network can push a malicious update +- Serial/UART debug ports left enabled in production + +### Hardening Checklist + +**Immediate (do now):** +- [ ] Disable OTA update or set OTA password: `ArduinoOTA.setPassword("strong_password")` +- [ ] Remove hardcoded WiFi credentials: use WiFiManager library or config portal +- [ ] Add basic auth to web configuration interface +- [ ] Disable serial debug output in production firmware: `#define DEBUG 0` + +**Short-term (this week):** +- [ ] Segment IoT devices onto dedicated WiFi SSID/VLAN +- [ ] Disable mDNS if not needed: remove `MDNS.begin()` from firmware +- [ ] Implement HTTPS on ESP32 web server (self-signed cert is better than HTTP) +- [ ] Use MQTT with TLS + username/password (not anonymous) +- [ ] Set WiFi to WPA3 if access point supports it + +**Medium-term (this month):** +- [ ] Implement firmware signing: verify updates before flashing +- [ ] Add hardware watchdog timer to detect and recover from crashes +- [ ] Consider ESP32 secure boot (eFuse-based, one-time programmable) +- [ ] Move sensitive config to NVS encrypted partition +- [ ] Conduct wireless scan to ensure no rogue devices on IoT VLAN + +--- + +## Cross-Reference + +For biological monitoring of the systems these controllers manage, see the companion workspace: **[Aquaponics Anomaly Monitor](../aquaponics-anomaly-monitor/)** + +A compromised controller can spoof sensor readings. If your anomaly monitor shows sudden perfect readings after a period of fluctuation, consider whether the data is real or whether the controller has been tampered with. When in doubt: **verify sensor data against physical observation** (look at the fish, look at the plants, smell the water). + +--- + +## Domain Accuracy Note + +The Unitronics vulnerabilities and CISA advisory references are current as of March 2026. The Raspberry Pi and Arduino/ESP32 hardening steps reflect standard security practices. PLC-specific firmware capabilities vary by model and version — consult Unitronics documentation for your specific hardware. **This guide should be reviewed by an OT security practitioner before use in production environments.** If you identify inaccuracies or missing CVEs, please open an issue.