Free, open-source security audit tool for industrial control systems. IEC 62443 & NIS2 compliance assessment in under 30 minutes.
READ BEFORE USE
- Audit Scope: This tool audits a single workstation, NOT an entire ICS/SCADA system. For full IEC 62443 compliance, you need system-wide assessment including zones, conduits, and network architecture.
- No Liability: The author takes NO RESPONSIBILITY for any consequences of running this tool or implementing its recommendations. Use at your own risk.
- Test First: We strongly recommend running ICScheck in a test environment before using it on production systems.
- OT Context: Some findings may be flagged as FAIL but could be acceptable in OT environments where security measures must not interfere with Essential Functions (per IEC 62443-3-3, Clause 4.2).
A lightweight PowerShell tool that automatically audits your SCADA/HMI/DCS workstation against IEC 62443 and NIS2 security requirements.
No cybersecurity expertise required. Run the script, get a compliance report.
| System Type | Examples |
|---|---|
| SCADA | Siemens WinCC V7/V8, TIA Professional, WinCC Unified, AVEVA InTouch, Rockwell FactoryTalk View SE |
| HMI | Siemens Comfort Panels, Rockwell PanelView |
| DCS | Siemens PCS7 |
| BMS | Building automation systems |
| PLC/PAC | Any Windows-based engineering station |
| Framework | Region | Status |
|---|---|---|
| IEC 62443-3-3 | 🌍 Global | ✅ Supported |
| NIS2 Directive | 🇪🇺 EU | ✅ Supported |
| NIST CSF | 🇺🇸 USA | 🔜 Coming soon |
Run as Administrator on your ICS workstation:
```powershell
git clone https://github.com/icscheck-tool/icscheck.git
cd icscheck/src
powershell -ExecutionPolicy Bypass -File "ICScheck.ps1"
```
Note: The `-ExecutionPolicy Bypass` flag is required because most ICS systems have restricted PowerShell execution policies. This only affects the current script execution and does not change system settings.
Alternative (if git is not available):
- Download ZIP from GitHub
- Extract to any folder
- Right-click `ICScheck.ps1` → "Run with PowerShell" (as Administrator)
The tool will:
- Scan your system configuration
- Check against 36+ security controls
- Generate an HTML compliance report
- Provide remediation recommendations
| Category | Checks | IEC 62443 | NIS2 |
|---|---|---|---|
| Access Control | Users, passwords, lockout, UAC, password age/history | FR1 | Art.21(i) |
| Use Control | USB, autorun, screen lock | FR2 | Art.21(g) |
| System Integrity | Antivirus, Defender real-time, updates, Secure Boot | FR3 | Art.21(e) |
| Data Confidentiality | BitLocker, shares, telemetry | FR4 | Art.21(h) |
| Network Security | Firewall, RDP, SMBv1, TLS 1.2+, DCOM hardening | FR5 | Art.21(e) |
| Audit & Logging | Event logs, audit policy | FR6 | Art.21(b) |
| Availability | System Restore, Shadow Copy | FR7 | Art.21(c) |
| WinCC Specific | Users hierarchy, drivers, alarm logging, SQL security | - | Art.21(b) |
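To show what checks of this kind involve, here is an added example (not ICScheck's own code) that reads three of the Network Security settings from the table by hand and tags each result with its FR5 / Art.21(e) mapping. The `New-Finding` helper, the pass criteria and the score formula are assumptions made for illustration; the cmdlets and registry values are standard Windows ones.

```powershell
# Added example, not ICScheck source. Read-only: queries settings, changes nothing.
# Run elevated. Written to also work on PowerShell 2.0 (Windows 7-era HMI images).
function New-Finding([string]$Check, $Pass, [string]$Detail) {
    # $Pass is $true/$false, or $null when the setting could not be read
    $status = if ($null -eq $Pass) { 'UNKNOWN' } elseif ($Pass) { 'PASS' } else { 'FAIL' }
    New-Object psobject -Property @{ Check = $Check; FR = 'FR5'; NIS2 = 'Art.21(e)'
                                     Status = $status; Detail = $Detail }
}
$findings = @()

# 1) SMBv1 server. The cmdlet exists from Windows 8 / Server 2012; before that the
#    registry is authoritative and a missing SMB1 value means "enabled".
$smb1 = $null
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    try { $smb1 = [bool](Get-SmbServerConfiguration -ErrorAction Stop).EnableSMB1Protocol } catch { }
} else {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $smb1 = ($null -eq $val) -or ($val -ne 0)
}
$smbPass = if ($null -eq $smb1) { $null } else { -not $smb1 }
$findings += New-Finding 'SMBv1 server disabled' $smbPass "SMB1 enabled: $smb1"

# 2) RDP. Assumed pass criterion: RDP is off, or on with Network Level Authentication.
$ts   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
$nla  = (Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
$rdpPass = if ($null -eq $deny) { $null } else { ($deny -eq 1) -or ($nla -eq 1) }
$findings += New-Finding 'RDP off or NLA required' $rdpPass "fDenyTSConnections=$deny UserAuthentication=$nla"

# 3) Windows Firewall. Without the NetSecurity module the result stays UNKNOWN
#    instead of being reported as a FAIL.
$fwPass = $null; $fwDetail = 'Get-NetFirewallProfile not available'
if (Get-Command Get-NetFirewallProfile -ErrorAction SilentlyContinue) {
    $off = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' })
    $fwPass = ($off.Count -eq 0)
    $fwDetail = "Disabled profiles: $($off.Count)"
}
$findings += New-Finding 'Firewall on for all profiles' $fwPass $fwDetail

# Assumed scoring: PASS share of the checks that could be rated.
$rated  = @($findings | Where-Object { $_.Status -ne 'UNKNOWN' })
$passed = @($rated | Where-Object { $_.Status -eq 'PASS' })
$score  = if ($rated.Count) { [math]::Round(100 * $passed.Count / $rated.Count) } else { 0 }
$findings | Format-Table Check, FR, NIS2, Status, Detail -AutoSize
"FR5 sample: $score% PASS ($($rated.Count) of $($findings.Count) checks rated)"
```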
After running ICScheck, you will receive:
- Compliance Score - X% aligned with IEC 62443 / NIS2
- Pass/Fail Status - For each security control
- Risk Assessment - Prioritized findings
- Remediation Steps - How to fix each issue
- Export Options - HTML report for auditors
Completed:
- ✅ Core PowerShell audit engine
- ✅ IEC 62443-3-3 mapping (FR1-FR7)
- ✅ NIS2 Article 21 mapping (~80% coverage)
- ✅ HTML report generation (dark/light theme)
- ✅ WinCC V7/V8 deep integration
- ✅ Communication Architecture tree
- ✅ User hierarchy visualization
- ✅ v0.6: Security Level selection (SL-1 to SL-4)
- ✅ v0.6: Safety confirmation prompt before execution
- ✅ v0.6: Comprehensive disclaimers (scope, liability, OT context)
Coming Soon:
- 🔜 Full FR1-FR7 × SL1-SL4 matrix mapping
- 🔜 OT-specific context notes for each check
- 🔜 PDF export
- 🔜 NIST CSF mapping
- 🔜 Scheduled scans
- 🔜 Central dashboard (Pro)
- 🔜 Multi-language support
Contributions are welcome!
Ways to contribute:
- 🐛 Report bugs
- 💡 Suggest new checks
- 📖 Improve documentation
- 🔧 Submit pull requests
MIT License - Use it, modify it, share it. No restrictions.
Łukasz Krzesiński
- 17 years in industrial automation
- 140+ SCADA/HMI/DCS systems delivered
- Certified Siemens SIMATIC specialist
If ICScheck helps you, please:
- ⭐ Star this repository
- 🐛 Report issues
- 📢 Share with colleagues
Secure your ICS. Achieve compliance. Sleep better.
Made with ❤️ for the industrial automation community
