Assessing the security of SCADA devices has always been a challenging task. SCADA devices are used in several critical infrastructure industries, including power plants, manufacturing, chemical processing, and nuclear reactors. Thus, the high availability and security of these devices are of the utmost importance. The challenge lies in assessing the security of SCADA devices without causing any adverse effects. The special purpose-built systems often operate within a limited scope and use protocols that are specific to the tasks being performed, such as Modbus, OPC, and DNP3.

In 2006, Tenable Network Security released the first Nessus® vulnerability scanner and Tenable Passive Vulnerability Scanner (PVS) SCADA plugins (you can read the original release notes for PVS in a post titled "SCADA Network Monitoring" and the original release for Nessus titled "SCADA Checks For Nessus 3"). In April 2011, a new round of SCADA plugins were released for Nessus (covering devices from Movicon, 7-Technologies, and more).

Tenable is now pleased to announce the availability of additional SCADA plugins for Nessus ProfessionalFeed, Tenable SecurityCenter, and PVS users. Tenable's research team worked alongside SCADA experts from Digital Bond to test and identify a wide variety of common SCADA devices. The plugins were announced at Digital Bond’s S4 Conference on SCADA security held on January 19, 2012. Note: Digital Bond’s Dale Peterson joined us on the Tenable Network Security podcast episode 110 and spoke about the new plugins and SCADA security.

Below is a sample of some of the new SCADA plugins:

Previously, I've blogged about Digital Bond's effort (project Bandolier) to produce Nessus audit polices for a wide variety of control system devices and applications. Digital Bond recently published alpha releases of audit files for Siemens Spectrum Power and Televent OASyS DNA systems. These audit polices are available to Digital Bond Site Subscription users and work with the Nessus Direct Feed or ProfessionalFeeds. Below is a screen shot of example results against an audit of an OASyS DNA system:

For more information on project Bandolier and other control system security information, please visit Digital Bond's web site and their SCADApedia.

Digital Bond has recently announced control system configuration audit policies that are being developed for the Nessus vulnerability scanner. These policies can be used to audit operating systems running a variety of control system applications and components. The initial list includes:

• Telvent OASyS DNA Realtime Server (7.5) - Windows Server 2003
• Telvent OASyS DNA Historian (7.5) - Windows Server 2003
• Telvent OASyS DNA XOS (7.5) - Windows XP
• Telvent OASys DNA Engineering Station (7.5) - Windows Server 2003
• Siemens Spectrum Power TG SCADA Host (8.2) - Red Hat Linux
• Siemens Spectrum Power TG SCADA Workstation (8.2) - Windows XP
• Siemens Siemens Spectrum Power TG Web Console (8.2) - Windows Server 2003
• SNC-Lavalin ECS GENe SCADA - Red Hat Linux
• ABB Ranger RDAS (2003) - Tru64 UNIX
• ABB Ranger RAS (2003) - Tru64 UNIX
• ABB Ranger Web Server (2003) - Tru64 UNIX
• ABB Ranger Workstation (2003) - Windows XP
• OSIsoft PI (3.4) - Windows Server 2003
• Audit templates for custom applications used by Bandolier project partners

These audit policies will be available in July to subscribers of Digital Bond's online resources, which include SCADA network IDS signatures, rights to edit and modify a heavily populated SCADA security Wiki (the SCADApedia), and many extremely useful presentations and white papers. If you are responsible for security or continuity of control system networks, Digital Bond's online resources are tremendously valuable. If you are interested in working with Digital Bond to develop audit policies for control systems applications that are not on the above list, please contact them.

Digital Bond developed the original SCADA vulnerability plugins for the Nessus scanner and recently received funding to perform in-depth best-practice configuration hardening research for a wide variety of control system applications. This project is known as Bandolier. Unlike CIS and FDCC which focus on common IT desktop and server technology, developing best practice guidelines for control systems is more difficult because there is a smaller user base, a larger set of technologies and a large variation in how technologies get deployed into production.

Many of the Windows based control system applications make use of the DCOM technology and run by default as "Administrator". Many of the audit recommendations for these applications allow users to configure their system so that they do not need to run as an Administrator and also tighten the permissions about who can communicate via DCOM.

Control System Auditing and Monitoring

These audit policies can fit into a variety of uses:

• Perform non-intrusive audits of existing control systems
• Use audit results to demonstrate to an auditor that your control systems are configured against industry best practices
• Audit control systems before they get deployed
• Develop IT strategies to move your control systems from a unmanaged or unhardened state to a more secure state
• Analyze the control systems of a potential acquired asset in a merger
• Prepare for incident response in a control system environment by understanding the configuration of the involved servers

The polices developed by Digital Bond work with Nessus Direct Feed subscriptions and also with Security Center deployments. By combining the audit policies from Digital Bond with the vulnerability and patch audits available with Nessus, an enterprise involved with control system monitoring is better prepared to mitigate risk and conform to compliance reporting requirements.

Enterprise Monitoring

In previous blogs, Digital Bond has discussed how they simply categorize configuration settings as compliant or non-compliant. There has been some discussion in the SCADA community that this may be overly simplistic, and that ratings should use scoring systems such as CVSS.

While the discussion is interesting, Tenable and Digital Bond are presently evaluating configuration audit results based on whether the settings have been set within parameters or not. Other tools such as the  Security Center can perform asset based analysis of systems and classes of vulnerabilties and mis-configurations. This provides a more granular analysis to the enterprise of their risk level.

Organizations can also extend this type of control system monitoring with Tenable's Passive Vulnerability Scanner and Log Correlation Engine. Both products allow for continuous passive monitoring of network traffic and system logs to look for unauthorized change, suspicious activity, compromised systems and access control violations.

A video demonstration of an audit policy developed by Digital Bond used with a Security Center, Nessus, a Passive Vulnerability Scanner and the Log Correlation Engine is available online here.

For More Information

The following links and previous blog entries are available for further information about SCADA and control system auditing:

• Digital Bond website 
• Nessus 3 SCADA plugins   
• Control System Auditing video  (Just click and watch, no registration required!)
• Bandolier -- Tru64 and Nessus Compliance Checks
• Bandolier -- Internal Severity Ratings
• Bandolier -- The Real World
• Bandolier -- Introduction to Compliance Checks

If you are using Nessus to audit a control system network, Digital Bond has recently released a set of guidelines (part 1, 2 and 3) for securing OPC servers. These guidelines include three Nessus configuration audit policies (for use with Direct Feed subscriptions) to test OPC servers running under Windows XP Pro, Windows 2000 and Windows 2003. The guidelines and audit files are available to Digital Bond content subscribers.

OPC stands for "Object-linking and embedding for Process Control". This is a set of Microsoft technologies which leverages OLE, DCOM and COM for use in automation and controls. The need for OPC arose because each time a new control system was introduced it likely had a proprietary method to interact with it. Having a common communication standard within OPC simplifies control system design. This makes it easier to write management and monitoring applications which are independent of the actual hardware deployed at the dam, on the pump, on the oven, at the generator and so on.

However, securing these technologies is not a simple process. Doing things such as adding firewall rules or attempting to have services or processes not run with administrator credentials can easily break "out of the box" OPC deployments. The content produced by Digital Bond can help any organization that wishes to harden their Windows control systems by letting them understand how OPC works and where it can be hardened.

To use these OPC policies, you should not only be subscribed to the Digital Bond content, but also be either a Nessus Direct Feed or Security Center customer.

Previously, Digital Bond and Tenable have collaborated to produce SCADA vulnerability checks for Nessus Direct Feed and Security Center users. I also had the chance to interview Digital Bond's CEO, Dale Petersen, in a podcast. Tenable also offers a 30 minute webinar on SCADA network monitoring with Tenable solutions.