Nessus 3 SCADA Plugins

Tenable has released 32 plugins for Nessus 3 which specifically test SCADA devices. These plugins were the result of a four month research contract between Tenable Network Security and Digital Bond. This blog entry details how to obtain the plugins, strategies for using them with Nessus and strategies for using them in concert with Tenable products such as the Security Center and Passive Vulnerability Scanner.

Availability and Compatibility

All Direct Feed and Security Center users will receive these plugins through a plugin update. The SCADA plugins are only available to Tenable Direct Feed or Security Center customers. Other compatibility notes to consider:

• The plugins are designed to work only with Nessus 3
• Some of the plugins require local checks, but many are network probes
• Nessus 3 Windows users will see the new "SCADA" family after they update their plugins.
• If you use the Nessus 3 OS X client, the UNIX GTK client or NessusWX, you will see the SCADA plugins and family after you connect to a Nessus 3 scanner subscribed to the Direct Feed or being managed by the Security Center.

Tenable customers should contact our support group at Tenable if they require assistance obtaining these plugins. Below are screen shots of how the plugins look under the Nessus 3 for Windows GUI, the Nessus 3 OS X GUI and NessusWX:

SCADA Plugin Functionality

The plugins reside in their own family named "SCADA". Each plugin is listed below with a short description:

• Areva/Alstom Energy Management System - Identifies if the remote host is running an Areva/Alstom EMS Server.
• DNP3 Binary Inputs Access - Read binary inputs using DNP3 from RTU/IED.
• DNP3 Link Layer Addressing - Determines link layer address of DNP3 station by iterating through likely values.
• DNP3 Unsolicited Messaging - Determines whether the DNP3 outstation supports unsolicited responses.
• ICCP/COTP Protocol - COTP (ISO 7073) is running on the host and may be part of an ICCP server, MMS application, or substation automation device that uses IEC61850/UCA.
• ICCP/COTP TSAP Addressing - Determines a Connection Oriented Transport Protocol (COTP) Transport Service Access Points (TSAP) value on an ICCP server by trying possible values.
• LiveData ICCP Server - Identifies hosts running a LiveData ICCP server.
• Matrikon OPC Explorer - Identifies hosts running Matrikon's OPC Explorer tool. These hosts may also have additional diagnostic tools and trust relationships.
• Matrikon OPC Server for ControlLogix - Identifies hosts running a Matrikon OPC Server for Allen-Bradley ControlLogix PLC.
• Matrikon OPC Server for Modbus - Identifies hosts running a Matrikon OPC Server for Modbus devices and used to access data from PLCs, RTUs, and IEDs. OPC servers are commonly used in SCADA and DCS systems to exchange data between different vendor systems and disparate applications.
• Modbus/TCP Coil Access - Modbus uses a function code of 1 to read "coils " in a Modbus slave. Coils represent binary output settings and are typically mapped to actuators. The ability to read coils may help an attacker profile a system and identify ranges of registers to alter via a "write coil" message.
• Modbus/TCP Discrete Input Access - The Modbus protocol function code of 2 reads discrete inputs from Modbus slaves. The ability to read discrete inputs may help an attacker profile a system.
• Modicon Modbus/TCP Programming Function Code Access - Finds hosts with the proprietary Modbus/TCP function code 126 active. An attacker that is able to gain network access to devices like this may be able to reprogram PLC logic or otherwise impact the integrity of physical processes.
• Modicon PLC CPU Type - Uses an SNMP Get Request to obtain the Model Information of a Modicon PLC.
• Modicon PLC Default FTP Password - Checks for the default FTP username and passwords on a Modicon PLC.
• Modicon PLC Embedded HTTP Server - Finds Modicon PLCs running an embedded HTTP server used for configuration or monitoring.
• Modicon PLC HTTP Server Default Username/Password - Tests HTTP servers on Modicon PLCs for the default user name and password.
• Modicon PLC IO Scan Status - Uses an SNMP Get Request to obtain the scan status of a Modicon PLC.
• Modicon PLC Modbus Slave Mode - Uses an SNMP Get Request to obtain the Modbus mode. The Modbus mode is either direct, gateway, unit or some combination of these three types. The Modbus mode could help an attacker determine the type of attack necessary against the PLC.
• Modicon PLC Telnet Server - Tests Modicon PLC Telnet servers for the default user name and password.
• Modicon PLC Web Password Status - Uses an SNMP Get Request to obtain the Web Password Status of a Modicon PLC.
• National Instruments Lookout - Identifies hosts running the National Instruments Lookout Application.
• OPC DA Server - Identifies hosts running the OPC Data Access Server.
• OPC Detection - Finds hosts with OPC application components installed.
• OPC HDA Server - Identifies hosts running an OPC Historical Data Access Server.
• Siemens S7-SCL - Identifies hosts that contain Siemens S7-SCL Development Tool(s).
• Siemens SIMATIC PDM - Identifies hosts running the Siemens SIMATIC PCS 7 PDM Application.
• Siemens-Telegyr ICCP Gateway - Identifies hosts running a Siemens Telegyr ICCP Gateway server.
• Sisco OSI/ICCP Stack - Identifies hosts running a Sisco OSI/ICCP stack, and most likely acting as an ICCP server.
• Sisco OSI Stack Malformed Packet Vulnerability - Identifies hosts running a version of the Sisco OSI stack that can be crashed by a malformed packet.
• Tamarack IEC 61850 Server - Identifies hosts that may be running an IEC 61850 server developed by Tamarack Consulting, Inc.
• Telvent OASyS System - Identifies hosts running a Telvent OASyS Server.

Complementary to the current Passive Vulnerability Scanner SCADA plugins

Tenable customers who have also implemented the Passive Vulnerability Scanner (PVS) can now perform both active and passive SCADA network monitoring. Similar SCADA plugins for the PVS have been available since mid-2006. These offer no impact to the monitored network and effectively identify all devices which speak Modbus, ICCP and DNP3.

Organizations can tailor their vulnerability monitoring programs by using a combination of active SCADA scanning with these new Nessus plugins and passive monitoring with the PVS. Many organizations are required to perform annual vulnerability scans, which must be scheduled to avoid
impacting the production network. Using the PVS throughout the year meets the requirement for scanning, without impacting the network.

SCADA Device Active Scanning Strategies

As with all vulnerability scanning of devices which control physical equipment, consider the following strategies:

• If you have a SCADA test lab, start scanning those devices to identify any potential impact.
• When scanning operational SCADA devices, ensure that a second device is available for "fail over" and also ensure that the device operators are informed of the scheduled scanning.
• If you have access to data from a Passive Vulnerability Scanner, consider tailoring your scan to more robust device such as operating systems which were produced in the last five years.
• For configuring Nessus scans to be "safe", make sure scan polices have "safe checks" enabled and "thorough tests" disabled. Tenable has previously blogged about "safe checks" usage for Nessus.
  

For more strategies to consider for scanning SCADA networks with Nessus and these new SCADA plugins, Tenable recommends reading a white paper from Digital Bond entitled "Scanning Control Systems".

Working with the Security Center

Tenable customers who use the Security Center to manage one or more Nessus scanners in a SCADA environment should consider the following strategies:

• The new SCADA plugins will readily produce data that can be leveraged into dynamic asset lists. This can help create various lists of devices by active protocol (ICCP, DNP3, .etc) as well as function or even "Area of Responsibility".
• For each asset list, a separate vulnerability analysis can be conducted. Separate asset types will likely have different "top 10" vulnerabilities or configuration issues.
• Once separate asset lists are created, the components for each group can be displayed in three dimensions with the Tenable 3D Tool (demo video).
• Perhaps one of the most interesting types of analysis on "older" networks is to discover SCADA devices that are no longer needed, were failed to be decommissioned or deployed in locations that are not protected. 
• For NERC compliance, this process can help make sure the list of "Critical Cyber-Security Assets" is accurate and does not include too many hosts or ignores others.
• If intrusion detection events or the Log Correlation Engine is also in use, an event analysis for security, compliance and even network management issues can be conducted.

For More Information

Tenable recommends the following resources for learning more about SCADA security monitoring:

• Digital Bond blog
• Tenable White Paper: Protecting Critical Infrastructure (free download)
• Tenable White Paper: Real-Time Compliance Monitoring (covers NERC regulations. Contact sales to request a copy)

I'd also like to recommend the S4 conference (PDF brochure) coming up in January of 2007 in Miami. This is a technical conference and covers a wide variety of SCADA security topics.