Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

Are you sure you don’t have a control system on your network?

This blog entry describes many of the recent advances Tenable has made with active and passive detection of supervisory control and data acquisition (SCADA) and industrial control system (ICS) devices on networks.

There has been a dramatic increase in devices and applications that control power, industrial processes, and even our homes. With almost 600 public SCADA vulnerabilities, 214 of them disclosed in 2012, Tenable has kept pace with these advances by developing new forms of detection for Nessus and the Passive Vulnerability Scanner.

A Short Review of Active and Passive ICS Discovery

Nessus finds SCADA and ICS devices through network scanning. It can discover basic services associated with control systems, such as ICCP or Modbus, and can also identify many different types of control systems such as WellinTech KingView or Ecava IntegraXor software. Nessus also finds vulnerabilities in these systems and can highlight exploitable control system devices.

Nessus can also be used to audit the configuration of Unix or Windows systems running common control system software. Digital Bond’s Bandolier project currently offers more than 35 different audit files for major control system vendors.

Tenable’s Passive Vulnerability Scanner (PVS) can identify ICS, SCADA, and control system software through continuous network traffic monitoring. Many types of control system solutions leverage broadcast protocols, proprietary services, or have readily detected banners. As control systems are managed over the network, PVS tracks these devices, ports, and applications. When I hear from customers that they’ve discovered unknown control system devices on their network, it's usually with PVS.

Since PVS is 100% passive, there is no chance of having a SYN packet or a UDP packet taking down a control system. More importantly, PVS sees everything, including communications that happen infrequently. This allows greater discovery and analysis of your ICS network with no impact to production.

Nessus currently has 132 plugins in its SCADA family, and PVS supports 139 plugins. Although there is some commonality, these plugins don’t overlap much. Some ICS devices are readily discoverable with a scan, while others can only be identified with credentialed Windows or Unix local checks. Some devices have broadcasted protocols that are ideal for PVS to discover. For 100% coverage of a network, Tenable recommends a combined active and passive approach.

RuggedOS Telnet Backdoor

A recent SCADA vulnerability that was widely publicized was the announcement of CVE-2012-1803. This vulnerability was a backdoor account placed in RuggedCOM operating systems. Nessus implemented a check for this (plugin ID #58991), and an example output is shown below:

This vulnerability is very critical and easy to exploit.

RuggedOS has had its share of security issues on different protocols. As of now, the following active Nessus checks are available from Tenable for this device:

Johnson Control Scan Example

I’ve been lucky enough to get invited to a wide variety of “SCADA Labs,” “Control Systems Test Rigs,” or here in Washington, DC, “Cyber Critical Infrastructure Test Ranges,” to determine what Nessus is capable of detecting in these environments. These visits are very useful to Tenable because most control system vendors have unique and different types of protocols, operating systems, and user interfaces.

If you start scanning control systems devices, you may be very surprised what you find. I visited a lab recently and found a device that scanned like Windows:

However, this device didn't look anything at all like a laptop, a Dell rack, or anything that resembled a computer. It had embedded Windows in it and lots of Coax cables and serial ports.

Bandolier Configuration Audit of Telvent OASyS

As previously mentioned, Digital Bond has authored and tested a wide variety of Nessus audit policies for leading control system applications. These applications run on Windows or Unix systems. In some cases, Digital Bond has worked with the vendors of these systems to help write Nessus audits in much the same spirit as the Center for Internet Security does to establish best practices.

Below is a screen shot of a partial configuration audit of Telvent OASyS control system application that runs on Windows:

In this case, the audit is testing specific Windows security policy settings that are relevant to the secure operation of the application. Not all control system applications are deployed insecurely, but Digital Bond has encountered many applications that were deployed “out of the box” and not had basic or advanced security hardening.

Hardening control system applications by tightening their security controls offers defense in depth, which makes them resistant to compromise and exploitation. These audits are often accompanied by traditional hardening of Windows and Unix systems through the use of other audit standards such as CIS and the US government’s SCAP content.

Niagara Tridium Detection on an Enterprise Network

Nessus will collect as much information about a scanned IP as possible. As Tenable’s Research team adds support for direct detection of various SCADA devices, detecting control system devices with Nessus becomes easier.

For example, in this screen shot below, Nessus has found a web server running on port 3011 with a web banner of a Niagara Tridium device.

This sort of information can be consumed by Nessus to specifically identify these devices. (Note: When I gathered the data and screen shots for this blog entry in 2012, plugins 67142, 67143, and 67144 to detect Niagara web servers didn’t exist yet.)

At a different site, monitored by Nessus, PVS, and Tenable’s SecurityCenter, a search for any vulnerability text containing the word “Niagara” showed a variety of results:

The first two are Nessus plugins (10107 and 24260) that found Niagara web servers running on ports 80 and 3011. The remaining plugins are from the Passive Vulnerability Scanner. PVS includes a variety of checks specifically for Tridium (Niagara) devices.

It also inadvertently caught a Windows Error message from a system running the niagarad.exe software.

I find this error worth investigating because it indicates a crash in a Windows system that is running Niagara control software. Since this network is also covered by Tenable’s Log Correlation Engine, I ran a query for all events occurring during the past 15 days for the IP address in question.

The 8 errors that occurred were all Windows Error crash reports that were sent to Microsoft concerning the niagarad.exe process. Below is an example log produced by PVS as an error reported by the system running the Niagara software:

Jun 12 08:52:26 pvs: AAA.BBB.CCC.DDD:49192|EEE.FFF.GGG.HHH:80|6|2284|Outbound Microsoft WinErr Message|GET{20}/StageOne/niagarad_exe/0_0_0_0/48971f87/niagarad_exe/0_0_0_0/48971f87/c0000005/0000fcaa.htmLCID=1033&OS=6.1.7601.2.00010100.1.0.48.17514&SM=Dell%20Inc.&SPN=Precision%20WorkStation%20R5500&BV=A03&MID=8BB44017-C558-4958-ACCD-0AC1BA57950A&Queue=1{20}HTTP/1.1{0d}{0a}Connection:{20}Keep-Alive{0d}{0a}User-Agent:{20}MSDW{0d}{0a}Host:{20}watson.microsoft.com{0d}{0a}{0d}{0a}||NONE

One of the issues with ICS and SCADA devices is the difficulty in getting real-time activity logs. PVS continuous monitoring provides an excellent solution to this problem.

Conclusion

For traditional enterprise monitoring teams, keeping track of desktops, servers, firewalls, printers, and other devices is a constant endeavor. When control systems are found on the network, they are often deployed and managed outside of the realm of traditional enterprise IT staff. Solutions such as Nessus and PVS complement each other on the discovery and testing of ICS devices on your network and can help expose the risks associated with these devices.

Tenable has kept pace with new forms of detection for Nessus and PVS through extensive research, hands-on visits to SCADA labs, and partnerships with ICS Threat Intelligence provider Critical Intelligence and Digital Bond. If you are interested in performing this sort of research, please visit Tenable's careers page.

To learn more about our solutions for continuous monitoring of SCADA systems, visit Tenable’s SCADA security solutions page.

Related Articles

Cybersecurity News You Can Use

Enter your email and never miss timely alerts and security guidance from the experts at Tenable.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Try Tenable Web App Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

Buy Tenable Web App Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable Lumin

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

Buy Tenable Lumin

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

Try Tenable Nessus Professional Free

FREE FOR 7 DAYS

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

NEW - Tenable Nessus Expert
Now Available

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

Fill out the form below to continue with a Nessus Pro Trial.

Buy Tenable Nessus Professional

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Try Tenable Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Buy a multi-year license and save more.

Add Support and Training