Assessing the security of SCADA devices has always been a challenging task. SCADA devices are used in several critical infrastructure industries, including power plants, manufacturing, chemical processing, and nuclear reactors. Thus, the high availability and security of these devices are of the utmost importance. The challenge lies in assessing the security of SCADA devices without causing any adverse effects. These purpose-built systems often operate within a limited scope and use protocols specific to the tasks being performed, such as Modbus, OPC, and DNP3.
In 2006, Tenable Network Security released its first SCADA plugins for the Nessus® vulnerability scanner and the Tenable Passive Vulnerability Scanner (PVS) (you can read the original release notes for PVS in a post titled "SCADA Network Monitoring" and the original release for Nessus titled "SCADA Checks For Nessus 3"). In April 2011, a new round of SCADA plugins was released for Nessus (covering devices from Movicon, 7-Technologies, and more).
Tenable is now pleased to announce the availability of additional SCADA plugins for Nessus ProfessionalFeed, Tenable SecurityCenter, and PVS users. Tenable's research team worked alongside SCADA experts from Digital Bond to test and identify a wide variety of common SCADA devices. The plugins were announced at Digital Bond’s S4 Conference on SCADA security held on January 19, 2012. Note: Digital Bond’s Dale Peterson joined us on the Tenable Network Security podcast episode 110 and spoke about the new plugins and SCADA security.
Below is a sample of some of the new SCADA plugins:
- DNP3 Link Layer Addressing - Determines link layer address of DNP3 station by iterating through likely values.
- DNP3 Unsolicited Messaging - Determines if the DNP3 outstation supports unsolicited responses.
- ICCP/COTP Protocol - Determines if COTP (ISO 8073) is running on the host, which may indicate an ICCP server, an MMS application, or a substation automation device that uses IEC 61850/UCA.
- Matrikon OPC Explorer - Identifies hosts running Matrikon’s OPC Explorer tool. These hosts may also carry additional diagnostic tools and hold trust relationships with other OPC hosts.
- Modbus/TCP Coil Access - Detects Modbus slaves that answer function code 1 (Read Coils). Coils represent binary output settings and are typically mapped to actuators. The ability to read coils may help an attacker profile a system and identify ranges of coils to alter later via a “write coil” message.
- Modicon Modbus/TCP Programming Function Code Access - Finds hosts with the proprietary Modbus/TCP function code 126 active. An attacker that gains network access to devices like this may be able to reprogram PLC logic or otherwise impact the integrity of physical processes.
- Modicon PLC Telnet Server - Tests Modicon PLC Telnet servers for the default username and password.
- National Instruments Lookout - Identifies hosts running the National Instruments Lookout Application.
- OPC DA Server - Identifies hosts running the OPC Data Access Server.
- Siemens S7-SCL - Identifies hosts that contain Siemens S7-SCL Development Tool(s).
- Siemens SIMATIC PDM - Identifies hosts running the Siemens SIMATIC PCS 7 PDM Application.
- Siemens-Telegyr ICCP Gateway - Identifies hosts running a Siemens Telegyr ICCP Gateway server.
- Cisco OSI Stack Malformed Packet Vulnerability - Identifies hosts running a version of the Cisco OSI stack that can be crashed by a malformed packet.
- Telvent OASyS System - Identifies hosts running a Telvent OASyS Server.
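To make concrete what the Modbus/TCP Coil Access check above exercises, here is an added example that is not Tenable's plugin code and not part of the original post. It encodes a Modbus/TCP Read Coils request (function code 1), decodes the response bitmap, recognizes an exception response, and sweeps an address space to map which coil ranges a slave will return. Everything is offline: the slave is a simulated in-memory coil table, and the 19-coil request/response bytes are constructed to match the illustrative values in the Modbus Application Protocol specification. Only read function codes are emitted; nothing here writes to a device.

```python
"""Modbus/TCP Read Coils (function code 0x01): build, parse, and probe.

Added example. The slave is simulated (respond_read_coils); all frames are
constructed locally. No write function codes (0x05/0x0F) are ever sent.
"""
import struct

MBAP_LEN = 7          # Transaction ID (2) + Protocol ID (2) + Length (2) + Unit ID (1)
FC_READ_COILS = 0x01
EXCEPTION_FLAG = 0x80
EXCEPTION_NAMES = {
    0x01: "Illegal Function",
    0x02: "Illegal Data Address",
    0x03: "Illegal Data Value",
    0x04: "Slave Device Failure",
}


def build_read_coils(transaction_id: int, unit_id: int, start: int, count: int) -> bytes:
    """Encode a Modbus/TCP Read Coils request for `count` coils from `start`."""
    if not 1 <= count <= 2000:          # quantity limit from the Modbus spec
        raise ValueError("count must be 1..2000")
    pdu = struct.pack(">BHH", FC_READ_COILS, start, count)
    # MBAP Length counts the Unit ID byte plus the PDU; Protocol ID is 0 for Modbus.
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_read_coils_response(frame: bytes, count: int) -> dict:
    """Decode a Read Coils response into coil states, or report an exception."""
    if len(frame) < MBAP_LEN + 2:
        raise ValueError("frame too short")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if proto != 0:
        raise ValueError("protocol id != 0: not Modbus/TCP")
    if length != len(frame) - 6:        # Length covers everything after the 6th byte
        raise ValueError("MBAP length field inconsistent with frame size")
    pdu = frame[MBAP_LEN:]
    fc = pdu[0]
    if fc == FC_READ_COILS | EXCEPTION_FLAG:   # 0x81: exception for function 1
        code = pdu[1]
        return {"transaction_id": tid, "unit_id": unit, "exception": code,
                "exception_name": EXCEPTION_NAMES.get(code, "Unknown")}
    if fc != FC_READ_COILS:
        raise ValueError(f"unexpected function code {fc:#04x}")
    byte_count = pdu[1]
    data = pdu[2:2 + byte_count]
    if len(data) != byte_count or byte_count != (count + 7) // 8:
        raise ValueError("byte count does not match requested quantity")
    # Coil bits are packed LSB first: bit 0 of the first byte is the first coil.
    coils = [bool((data[i // 8] >> (i % 8)) & 1) for i in range(count)]
    return {"transaction_id": tid, "unit_id": unit, "coils": coils}


def respond_read_coils(request: bytes, coil_table: dict) -> bytes:
    """Simulated slave: answer a Read Coils request from an in-memory coil table.

    Any address missing from the table yields exception 0x02 (Illegal Data
    Address), which is how a real slave rejects an unmapped range.
    """
    tid, _proto, _length, unit = struct.unpack(">HHHB", request[:MBAP_LEN])
    fc, start, count = struct.unpack(">BHH", request[MBAP_LEN:MBAP_LEN + 5])
    addrs = range(start, start + count)
    if fc != FC_READ_COILS:
        pdu = bytes([fc | EXCEPTION_FLAG, 0x01])
    elif not all(a in coil_table for a in addrs):
        pdu = bytes([fc | EXCEPTION_FLAG, 0x02])
    else:
        nbytes = (count + 7) // 8
        data = bytearray(nbytes)
        for i, a in enumerate(addrs):
            if coil_table[a]:
                data[i // 8] |= 1 << (i % 8)
        pdu = bytes([fc, nbytes]) + bytes(data)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def profile_coils(coil_table: dict, unit_id: int = 1, block: int = 8, max_addr: int = 64) -> list:
    """Sweep the coil address space in blocks and return the readable ranges.

    This is the read-only profiling step the text describes: an attacker (or
    a scanner) learns which coil ranges exist before anything is written.
    """
    readable = []
    for tid, start in enumerate(range(0, max_addr, block), start=1):
        req = build_read_coils(tid, unit_id, start, block)
        resp = respond_read_coils(req, coil_table)      # simulated slave
        result = parse_read_coils_response(resp, block)
        if "coils" in result:
            readable.append((start, start + block - 1))
    return readable


if __name__ == "__main__":
    # Constructed: the spec's illustrative exchange, 19 coils from address 0x13.
    req = build_read_coils(1, 1, 0x13, 19)
    resp = bytes.fromhex("000100000006" "01" "0103CD6B05")
    print(req.hex(), parse_read_coils_response(resp, 19)["coils"])
    table = {a: a % 3 == 0 for a in range(16, 32)}   # constructed coil map
    print(profile_coils(table))
```

The length check on the MBAP header is worth keeping in any real probe: slaves and protocol gateways occasionally return truncated or padded frames, and silently accepting a mismatched length is how a parser ends up misreading a byte count as coil data.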
You can find full descriptions of all plugins in the SCADA family on the Nessus plugins page. Tenable is ready to help answer questions regarding your specific SCADA security concerns. Our solutions offer a robust and accurate way to discover and report on security issues in your SCADA network without adverse effects on the devices being assessed. For more information, download the paper titled "Protecting Critical Infrastructure: SCADA Network Security Monitoring" from the resources section of the Tenable website.