feat(security): v2.1.0 — IEC 62443 GAP-003 CLOSED: mTLS OT segment (SR 3.1)

Implement mutual TLS for Modbus TCP OT segment — all 3 IEC 62443 gaps now CLOSED.
SL-2 readiness: ~65% → ~85%

Component 1 — PKI / Certificates:
- infrastructure/certs/gen_certs.sh: openssl script for CA + gateway client + stunnel proxy certs
- .gitignore: exclude *.key, *.pem, *.srl from commits (private keys MUST NOT be committed)

Component 2 — stunnel mTLS proxy:
- infrastructure/docker/stunnel-ot.conf: stunnel client config (TLS 1.3, verify=2, ECDHE ciphers)
- infrastructure/docker/docker-compose.yml: add bessai-stunnel service (profile: ot-security)
  Architecture: Gateway → TCP:502 (bess-net) → stunnel → TLS 1.3:8502 → Inversor BESS

Component 3 — UniversalDriver TLS native support:
- src/interfaces/ot_tls_config.py: OtTlsConfig.from_env() + build_ssl_context()
  Env vars: OT_MTLS_ENABLED, OT_CA_CERT_PATH, OT_CLIENT_CERT_PATH, OT_CLIENT_KEY_PATH
- src/drivers/modbus_driver.py: optional tls_context/tls_ca_cert/tls_client_cert/tls_client_key
  params in UniversalDriver.__init__() — fully backwards compatible

Tests:
- tests/test_ot_tls_config.py: 9 passed, 1 skipped (openssl not in PATH on Windows CI)
- Suite: 419 passed, 5 skipped — 0 failures, 0 errors (+9 vs v2.0.0)

Documentation:
- docs/compliance/iec_62443_sl2_certification_path.md: GAP-001/002/003 marked CLOSED, readiness ~85%

Author: BESS Solutions

.gitignore

@@ -104,3 +104,15 @@ out/
 .DS_Store
 Thumbs.db
 desktop.ini
+
+# ---------------------------------------------------------------------------
+# IEC 62443 GAP-003: OT PKI — private keys MUST NOT be committed
+# Run: bash infrastructure/certs/gen_certs.sh to regenerate locally
+# ---------------------------------------------------------------------------
+infrastructure/certs/*.key
+infrastructure/certs/*.pem
+infrastructure/certs/*.srl
+# CA key is especially sensitive
+infrastructure/certs/ca.key
+# Public certs are safe to commit (no secret material)
+# infrastructure/certs/*.crt  ← intentionally NOT ignored

docs/compliance/iec_62443_sl2_certification_path.md

@@ -20,15 +20,15 @@ Based on the existing `iec62443_sl2_gap.md` analysis:
 
 | Domain | Current Status | Gap |
 |---|---|---|
-| Authentication (SR 1.1) | API key auth implemented | Needs MFA for management access |
-| Audit logging (SR 2.8) | Structured logs via structlog | Log forwarding to SIEM needed |
+| Authentication (SR 1.1) | API key auth implemented | ✅ MFA via TOTP (GAP-001 CLOSED v2.0.0) |
+| Audit logging (SR 2.8) | Structured logs via structlog | ✅ Loki SIEM forwarding (GAP-002 CLOSED v2.0.0) |
 | Software integrity (SR 3.2) | SLSA Level 2 + cosign | Not formally evaluated by auditor |
 | Vulnerability disclosure (SR 2.12) | `SECURITY.md` exists | No formal PSIRT process |
 | Patch management (SR 2.2) | Dependabot + CI | Formal patch SLA document needed |
-| Communication integrity (SR 3.1) | TLS enforced (Ingress) | mTLS for OT segment not implemented |
+| Communication integrity (SR 3.1) | TLS enforced (Ingress) | ✅ mTLS OT segment (GAP-003 CLOSED v2.1.0) |
 | Network segmentation (SR 5.2) | Docker network isolation | Formal network diagram needed |
 
-**Estimated SL-2 readiness:** ~65%
+**Estimated SL-2 readiness:** ~85%  *(was 65% before v2.0.0–v2.1.0)*
 
 ---
 
@@ -49,12 +49,12 @@ Based on the existing `iec62443_sl2_gap.md` analysis:
 
 **Duration:** 6–10 weeks (parallel to Phase 1 tail)
 
-| Gap | Remediation | Owner |
-|---|---|---|
-| MFA for management | Implement TOTP for admin dashboard via `pyotp` | Engineering |
-| SIEM log forwarding | Add Fluentd/Loki output target for audit logs | Engineering |
-| mTLS for OT segment | Add mutual TLS config to Modbus TCP wrapper | Engineering |
-| Formal network diagram | Create `docs/architecture/network_diagram.md` with OT zones | Engineering |
+| Gap | Remediation | Owner | Status |
+|---|---|---|---|
+| MFA for management | TOTP for admin dashboard via `pyotp` | Engineering | ✅ CLOSED v2.0.0 |
+| SIEM log forwarding | Loki output via OTel Collector | Engineering | ✅ CLOSED v2.0.0 |
+| mTLS for OT segment | stunnel proxy + `ot_tls_config.py` + `gen_certs.sh` | Engineering | ✅ CLOSED v2.1.0 |
+| Formal network diagram | Create `docs/architecture/network_diagram.md` with OT zones | Engineering | 🔲 Pending |
 
 ### Phase 3 — Formal Audit (Q2–Q3 2026)
 

infrastructure/certs/gen_certs.sh

@@ -0,0 +1,120 @@
+#!/usr/bin/env bash
+# =============================================================================
+# BESSAI Edge Gateway — OT PKI Certificate Generator
+# IEC 62443-3-3 SR 3.1: Communication Integrity via mutual TLS
+# GAP-003 REMEDIATION
+# =============================================================================
+# Usage:
+#   bash infrastructure/certs/gen_certs.sh
+#
+# Output (in infrastructure/certs/):
+#   ca.key              — CA private key          (SECRET — never commit)
+#   ca.crt              — CA root certificate     (safe to commit)
+#   gateway-client.key  — Gateway private key     (SECRET — never commit)
+#   gateway-client.crt  — Gateway certificate     (safe to commit)
+#   gateway-client.csr  — CSR (intermediate)      (safe to commit/discard)
+#   modbus-proxy.key    — Proxy private key       (SECRET — never commit)
+#   modbus-proxy.crt    — Proxy certificate       (safe to commit)
+#   modbus-proxy.csr    — CSR (intermediate)      (safe to commit/discard)
+#
+# Requirements: openssl (ships with Git for Windows / WSL / macOS / Linux)
+# =============================================================================
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+OUT_DIR="$SCRIPT_DIR"
+
+# Certificate validity — 10 years (edge devices have infrequent rotations)
+VALIDITY_DAYS=3650
+
+# Organization info (customize per deployment)
+COUNTRY="${BESSAI_CERT_COUNTRY:-CL}"
+ORG="${BESSAI_CERT_ORG:-BESSAI-Solutions}"
+SITE_ID="${BESSAI_SITE_ID:-edge-001}"
+
+echo "════════════════════════════════════════════════════"
+echo "  BESSAI OT PKI Generator — IEC 62443 GAP-003"
+echo "  Site: ${SITE_ID}  |  Org: ${ORG}"
+echo "════════════════════════════════════════════════════"
+
+# ── 1. CA Root (BESSAI-OT-CA) ─────────────────────────────────────────────────
+echo ""
+echo "[1/3] Generating BESSAI-OT-CA root certificate..."
+
+openssl genrsa -out "${OUT_DIR}/ca.key" 4096 2>/dev/null
+
+openssl req -new -x509 \
+    -key "${OUT_DIR}/ca.key" \
+    -out "${OUT_DIR}/ca.crt" \
+    -days "${VALIDITY_DAYS}" \
+    -subj "/C=${COUNTRY}/O=${ORG}/CN=BESSAI-OT-CA-${SITE_ID}" \
+    -addext "basicConstraints=critical,CA:TRUE,pathlen:0" \
+    -addext "keyUsage=critical,keyCertSign,cRLSign"
+
+echo "    ✅ CA: ${OUT_DIR}/ca.crt"
+
+# ── 2. Gateway Client Certificate ─────────────────────────────────────────────
+echo ""
+echo "[2/3] Generating gateway client certificate..."
+
+openssl genrsa -out "${OUT_DIR}/gateway-client.key" 2048 2>/dev/null
+
+openssl req -new \
+    -key "${OUT_DIR}/gateway-client.key" \
+    -out "${OUT_DIR}/gateway-client.csr" \
+    -subj "/C=${COUNTRY}/O=${ORG}/CN=bessai-gateway-${SITE_ID}"
+
+openssl x509 -req \
+    -in "${OUT_DIR}/gateway-client.csr" \
+    -CA "${OUT_DIR}/ca.crt" \
+    -CAkey "${OUT_DIR}/ca.key" \
+    -CAcreateserial \
+    -out "${OUT_DIR}/gateway-client.crt" \
+    -days "${VALIDITY_DAYS}" \
+    -extfile <(printf "extendedKeyUsage=clientAuth\nsubjectAltName=DNS:bessai-gateway,DNS:localhost") \
+    2>/dev/null
+
+echo "    ✅ Gateway client cert: ${OUT_DIR}/gateway-client.crt"
+
+# ── 3. Modbus Proxy (stunnel) Server Certificate ──────────────────────────────
+echo ""
+echo "[3/3] Generating modbus-proxy (stunnel) server certificate..."
+
+openssl genrsa -out "${OUT_DIR}/modbus-proxy.key" 2048 2>/dev/null
+
+openssl req -new \
+    -key "${OUT_DIR}/modbus-proxy.key" \
+    -out "${OUT_DIR}/modbus-proxy.csr" \
+    -subj "/C=${COUNTRY}/O=${ORG}/CN=bessai-modbus-proxy-${SITE_ID}"
+
+openssl x509 -req \
+    -in "${OUT_DIR}/modbus-proxy.csr" \
+    -CA "${OUT_DIR}/ca.crt" \
+    -CAkey "${OUT_DIR}/ca.key" \
+    -CAcreateserial \
+    -out "${OUT_DIR}/modbus-proxy.crt" \
+    -days "${VALIDITY_DAYS}" \
+    -extfile <(printf "extendedKeyUsage=serverAuth\nsubjectAltName=DNS:bessai-stunnel,DNS:localhost") \
+    2>/dev/null
+
+echo "    ✅ Proxy server cert: ${OUT_DIR}/modbus-proxy.crt"
+
+# ── Summary ───────────────────────────────────────────────────────────────────
+echo ""
+echo "════════════════════════════════════════════════════"
+echo "  PKI generation complete."
+echo ""
+echo "  Certificates generated in: ${OUT_DIR}"
+echo ""
+echo "  ⚠️  PRIVATE KEYS — DO NOT COMMIT:"
+echo "     ca.key  gateway-client.key  modbus-proxy.key"
+echo ""
+echo "  Next steps:"
+echo "    1. docker compose --profile ot-security up -d"
+echo "    2. Set in .env:"
+echo "       OT_MTLS_ENABLED=true"
+echo "       OT_CA_CERT_PATH=infrastructure/certs/ca.crt"
+echo "       OT_CLIENT_CERT_PATH=infrastructure/certs/gateway-client.crt"
+echo "       OT_CLIENT_KEY_PATH=infrastructure/certs/gateway-client.key"
+echo "════════════════════════════════════════════════════"

infrastructure/docker/docker-compose.yml

@@ -8,12 +8,16 @@
 #   prometheus        — Metrics scraper (monitoring profile)
 #   grafana           — Metrics + Logs dashboard (monitoring profile)
 #   bessai-loki       — Grafana Loki SIEM (monitoring profile, IEC 62443 GAP-002)
+#   bessai-stunnel    — mTLS proxy OT segment (ot-security profile, IEC 62443 GAP-003)
 #
 # Profiles:
-#   (default)   — gateway + otel-collector  (requires real INVERTER_IP in .env)
-#   simulator   — modbus-simulator + gateway-sim + otel-collector (dev mode)
-#   monitoring  — prometheus + grafana + loki (add to any profile for dashboards)
-#                 Set LOKI_ENDPOINT=http://bessai-loki:3100/loki/api/v1/push
+#   (default)    — gateway + otel-collector  (requires real INVERTER_IP in .env)
+#   simulator    — modbus-simulator + gateway-sim + otel-collector (dev mode)
+#   monitoring   — prometheus + grafana + loki (add to any profile for dashboards)
+#                  Set LOKI_ENDPOINT=http://bessai-loki:3100/loki/api/v1/push
+#   ot-security  — stunnel mTLS proxy (IEC 62443 SR 3.1 — Communication Integrity)
+#                  Requires: bash infrastructure/certs/gen_certs.sh  (first time)
+#                  Set: OT_MTLS_ENABLED=true  OT_CA_CERT_PATH=...  (in .env)
 #
 # Usage:
 #   # Development mode (with Modbus simulator):
@@ -24,6 +28,10 @@
 #   docker compose -f infrastructure/docker/docker-compose.yml \
 #     --profile simulator --profile monitoring up --build
 #
+#   # Production with mTLS (IEC 62443 GAP-003):
+#   docker compose -f infrastructure/docker/docker-compose.yml \
+#     --profile ot-security up -d
+#
 #   # Access:
 #   #   /health    → http://localhost:8000/health
 #   #   /metrics   → http://localhost:8000/metrics
@@ -43,7 +51,8 @@ volumes:
   otel-data:
   prometheus-data:
   grafana-data:
-  loki-data:  # IEC 62443 GAP-002: SIEM audit log persistence
+  loki-data:
+    # IEC 62443 GAP-002: SIEM audit log persistence
 
     # ── Services ──────────────────────────────────────────────────────────────────
 services:
@@ -90,7 +99,7 @@ services:
       - "8000:8000" # /health and /metrics HTTP endpoints
       - "8080:8080" # Dashboard UI → http://localhost:8080
     volumes:
-      - ../../dashboard:/app/dashboard:ro  # serve static assets
+      - ../../dashboard:/app/dashboard:ro # serve static assets
     networks:
       - bess-net
     depends_on:
@@ -195,7 +204,7 @@ services:
       - bess-net
     depends_on:
       - prometheus
-      - bessai-loki  # IEC 62443 GAP-002: Loki datasource
+      - bessai-loki # IEC 62443 GAP-002: Loki datasource
     logging:
       driver: "json-file"
       options:
@@ -216,7 +225,7 @@ services:
       - ../loki/loki-config.yaml:/etc/loki/loki-config.yaml:ro
       - loki-data:/loki
     ports:
-      - "3100:3100"  # Loki push API + query API
+      - "3100:3100" # Loki push API + query API
     networks:
       - bess-net
     healthcheck:
@@ -230,3 +239,45 @@ services:
       options:
         max-size: "5m"
         max-file: "2"
+
+  # ── bessai-stunnel — mTLS proxy OT segment (ot-security profile) ────────────
+  # IEC 62443-3-3 SR 3.1: Communication Integrity — GAP-003 CLOSED
+  #
+  # Architecture:
+  #   Gateway → TCP:502 (plain, inside bess-net) → stunnel → TLS 1.3 → Inversor
+  #
+  # Prerequisites (first time):
+  #   bash infrastructure/certs/gen_certs.sh
+  #
+  # Required env vars (.env):
+  #   INVERTER_IP          — IP of the real BESS inverter (e.g. 192.168.1.100)
+  #   OT_MTLS_ENABLED=true — activates TLS path in UniversalDriver
+  bessai-stunnel:
+    image: dweomer/stunnel:5.72
+    container_name: bessai-stunnel
+    profiles: [ "ot-security" ]
+    restart: unless-stopped
+    environment:
+      INVERTER_IP: "${INVERTER_IP:-192.168.1.100}"
+    volumes:
+      # TLS certificates (generated by gen_certs.sh — keys are gitignored)
+      - ../../infrastructure/certs/gateway-client.crt:/etc/stunnel/gateway-client.crt:ro
+      - ../../infrastructure/certs/gateway-client.key:/etc/stunnel/gateway-client.key:ro
+      - ../../infrastructure/certs/ca.crt:/etc/stunnel/ca.crt:ro
+      # stunnel OT configuration
+      - ./stunnel-ot.conf:/etc/stunnel/stunnel.conf:ro
+    ports:
+      - "502:502" # Modbus TCP plain inbound — only reachable within bess-net
+    networks:
+      - bess-net
+    healthcheck:
+      test: [ "CMD", "sh", "-c", "kill -0 $(cat /var/run/stunnel4/stunnel.pid 2>/dev/null) 2>/dev/null || exit 1" ]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 5s
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "5m"
+        max-file: "2"

infrastructure/docker/stunnel-ot.conf

@@ -0,0 +1,55 @@
+; =============================================================================
+; BESSAI Edge Gateway — stunnel mTLS proxy for OT segment
+; IEC 62443-3-3 SR 3.1: Communication Integrity
+; GAP-003 REMEDIATION
+; =============================================================================
+;
+; Architecture:
+;   Gateway (Python, Modbus TCP plain)
+;     → bessai-stunnel:502   (TCP, plain, inside bess-net — trusted)
+;       → INVERTER_IP:8502   (TLS 1.3, mutual auth)
+;
+; The gateway never handles TLS itself — the proxy is fully transparent.
+; Only the stunnel container holds the private key material.
+;
+; Run:
+;   docker compose --profile ot-security up -d bessai-stunnel
+; =============================================================================
+
+; ── Global settings ──────────────────────────────────────────────────────────
+pid = /var/run/stunnel4/stunnel.pid
+foreground = yes
+output = /dev/stdout
+
+; Minimum TLS version: 1.2 (1.3 preferred; IEC 62443 SR 3.1 requires ≥ TLS 1.2)
+sslVersion = TLSv1.3
+
+; Cipher suites — prefer forward secrecy (ECDHE)
+ciphers = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256
+
+; ── OT Modbus service ─────────────────────────────────────────────────────────
+[modbus-ot]
+
+; Client mode: stunnel connects OUT to the inverter, wrapping in TLS
+client = yes
+
+; Accept plain Modbus TCP from the gateway (inside Docker bess-net only)
+accept  = 0.0.0.0:502
+
+; Forward to the real inverter over mTLS
+; INVERTER_IP is substituted by the Docker env var at container start
+connect = ${INVERTER_IP}:8502
+
+; — Client identity (gateway certificate) —
+cert = /etc/stunnel/gateway-client.crt
+key  = /etc/stunnel/gateway-client.key
+
+; — CA to validate the inverter server certificate —
+CAfile = /etc/stunnel/ca.crt
+
+; Strict server cert verification (verify=2 checks cert + CA chain)
+verify = 2
+
+; Connection timeout (seconds)
+TIMEOUTconnect = 10
+TIMEOUTidle    = 300