Control System Security -- Project Bandolier

Digital Bond has recently announced control system configuration audit policies that are being developed for the Nessus vulnerability scanner. These policies can be used to audit operating systems running a variety of control system applications and components. The initial list includes:

• Telvent OASyS DNA Realtime Server (7.5) - Windows Server 2003
• Telvent OASyS DNA Historian (7.5) - Windows Server 2003
• Telvent OASyS DNA XOS (7.5) - Windows XP
• Telvent OASys DNA Engineering Station (7.5) - Windows Server 2003
• Siemens Spectrum Power TG SCADA Host (8.2) - Red Hat Linux
• Siemens Spectrum Power TG SCADA Workstation (8.2) - Windows XP
• Siemens Siemens Spectrum Power TG Web Console (8.2) - Windows Server 2003
• SNC-Lavalin ECS GENe SCADA - Red Hat Linux
• ABB Ranger RDAS (2003) - Tru64 UNIX
• ABB Ranger RAS (2003) - Tru64 UNIX
• ABB Ranger Web Server (2003) - Tru64 UNIX
• ABB Ranger Workstation (2003) - Windows XP
• OSIsoft PI (3.4) - Windows Server 2003
• Audit templates for custom applications used by Bandolier project partners

These audit policies will be available in July to subscribers of Digital Bond's online resources, which include SCADA network IDS signatures, rights to edit and modify a heavily populated SCADA security Wiki (the SCADApedia), and many extremely useful presentations and white papers. If you are responsible for security or continuity of control system networks, Digital Bond's online resources are tremendously valuable. If you are interested in working with Digital Bond to develop audit policies for control systems applications that are not on the above list, please contact them.

Digital Bond developed the original SCADA vulnerability plugins for the Nessus scanner and recently received funding to perform in-depth best-practice configuration hardening research for a wide variety of control system applications. This project is known as Bandolier. Unlike CIS and FDCC which focus on common IT desktop and server technology, developing best practice guidelines for control systems is more difficult because there is a smaller user base, a larger set of technologies and a large variation in how technologies get deployed into production.

Many of the Windows based control system applications make use of the DCOM technology and run by default as "Administrator". Many of the audit recommendations for these applications allow users to configure their system so that they do not need to run as an Administrator and also tighten the permissions about who can communicate via DCOM.

Control System Auditing and Monitoring

These audit policies can fit into a variety of uses:

• Perform non-intrusive audits of existing control systems
• Use audit results to demonstrate to an auditor that your control systems are configured against industry best practices
• Audit control systems before they get deployed
• Develop IT strategies to move your control systems from a unmanaged or unhardened state to a more secure state
• Analyze the control systems of a potential acquired asset in a merger
• Prepare for incident response in a control system environment by understanding the configuration of the involved servers

The polices developed by Digital Bond work with Nessus Direct Feed subscriptions and also with Security Center deployments. By combining the audit policies from Digital Bond with the vulnerability and patch audits available with Nessus, an enterprise involved with control system monitoring is better prepared to mitigate risk and conform to compliance reporting requirements.

Enterprise Monitoring

In previous blogs, Digital Bond has discussed how they simply categorize configuration settings as compliant or non-compliant. There has been some discussion in the SCADA community that this may be overly simplistic, and that ratings should use scoring systems such as CVSS.

While the discussion is interesting, Tenable and Digital Bond are presently evaluating configuration audit results based on whether the settings have been set within parameters or not. Other tools such as the  Security Center can perform asset based analysis of systems and classes of vulnerabilties and mis-configurations. This provides a more granular analysis to the enterprise of their risk level.

Organizations can also extend this type of control system monitoring with Tenable's Passive Vulnerability Scanner and Log Correlation Engine. Both products allow for continuous passive monitoring of network traffic and system logs to look for unauthorized change, suspicious activity, compromised systems and access control violations.

A video demonstration of an audit policy developed by Digital Bond used with a Security Center, Nessus, a Passive Vulnerability Scanner and the Log Correlation Engine is available online here.

For More Information

The following links and previous blog entries are available for further information about SCADA and control system auditing:

• Digital Bond website 
• Nessus 3 SCADA plugins   
• Control System Auditing video  (Just click and watch, no registration required!)
• Bandolier -- Tru64 and Nessus Compliance Checks
• Bandolier -- Internal Severity Ratings
• Bandolier -- The Real World
• Bandolier -- Introduction to Compliance Checks