NERC – (CIP-002) Identification of Critical Cyber Assets

by Cody Dumont
January 2, 2014

For organizations that are required to be NERC compliant, SecurityCenter can lead the way to compliance.  The first focus area is the “Identification of Critical Cyber Assets”.  SecurityCenter uses Log Correlation Engine (LCE), Passive Vulnerability Scanner (PVS), and Nessus to identify the assets.  When using the complete Tenable family of products, an organization can easily identify all critical assets and all associated assets.

Using LCE and PVS, SecurityCenter can track network protocol usage, allowing for easy identification of known SCADA TCP & UDP ports.  When PVS is deployed, a non-intrusive approach can be taken to identify vulnerabilities on sensitive systems.  Nessus can add a more in-depth vulnerability discovery using credentialed scans of the SCADA control systems. 

This dashboard contains several components used to dynamically identify critical assets and associated devices.  The two tables identify the hosts or vulnerabilities discovered.  There are also two indicator style components used to identify TCP/UDP port usage commonly seen in SCADA environments.  The remaining components focus on plugins from Nessus and PVS, and the normalized event from LCE.

The dashboard and its components are available in the SecurityCenter 4.7 Dashboard app feed, an app store of dashboards, reports, and assets.

The dashboard requirements are:

  • SecurityCenter 4.7.1
  • Nessus 5.2.4
  • LCE 4.2.1
  • PVS 4.0
  • LCE Client - Tenable NetFlow Monitor
  • LCE Client - Tenable Network Monitor

Listed below are the included components:

CIP-002 Identification of Critical Cyber Assets - SCADA Vulnerabilities

This component shows the current vulnerabilities in the SCADA plugin family.  Vulnerabilities discovered through active or passive scanning will be displayed.  The data is sorted using the total vulnerabilities discovered.  This component helps address CIP-002 – R1 by identifying vulnerabilities in critical assets.

CIP-002 Identification of Critical Cyber Assets - SCADA Hosts

This component identifies critical assets, as defined by NERC regulations, and provides a vulnerability summary.  The data is filtered using the SCADA plugin family and sorted based on the risk score.  The systems discovered through active or passive scanning will be displayed.  This component helps address CIP-002 – R1 and R2 by identifying critical assets and associated systems.

CIP-002 Identification of Critical Cyber Assets - Vendor Specific Ports

This component uses protocol usage detection methods to identify the TCP/UDP ports used.  Using known vendor protocol usage published by Digital Bond, this indicator provides a view into possible hosts communicating with SCADA devices.  To increase the accuracy of this component, a network or asset can be easily added.  For vendors with a wide range of ports, the indicator includes protocol or range as part of the name.  For example, “ABB TCP/10K” refers to TCP ports from 10000 – 10999.  This component helps address CIP-002 – R1 and R2 by identifying critical assets and associated systems. 

CIP-002 Identification of Critical Cyber Assets - SCADA Indicator

This component is a series of indicators for all plugins that are part of the SCADA family.  The indicators are based on common text strings found within the plugin name.  This allows administrators to easily view, in a specific context, vulnerabilities that may be present within a network.  An example would be the FTP indicator, which provides the administrator with an easy way to find all hosts using SCADA and having some sort of FTP-related vulnerability.  This component helps address CIP-002 – R1 and R2 by identifying critical assets and associated systems.  When using LCE, Tenable recommends also using the NetFlow and Network Monitor LCE clients to gain a more accurate view into protocol usage.

CIP-002 Identification of Critical Cyber Assets - SCADA Standard Protocol Ports

This component uses protocol usage detection methods to identify the TCP/UDP ports used.  Using a known protocol usage list published by Digital Bond, this indicator provides a view into possible hosts communicating with SCADA devices.  To increase the accuracy of this component, a network or asset can be easily added.  This component helps address CIP-002 – R1 and R2 by identifying critical assets and associated systems.  When using LCE, Tenable recommends also using the NetFlow and Network Monitor LCE clients to gain a more accurate view into protocol usage. 
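The port-indicator logic behind the Vendor Specific Ports and Standard Protocol Ports components, as an added example that is not Tenable's or Digital Bond's code: it expands indicator names in the page's "ABB TCP/10K" convention (TCP ports 10000–10999) and maps constructed flow records onto the indicators. The indicator list, the `parse_indicator` and `classify_flows` helpers, and the sample flows are all assumptions made here; Modbus TCP/502 and DNP3 TCP/20000 are the standard ports for those protocols.

```python
"""Added example: classify observed TCP/UDP flows against SCADA port indicators."""
import re
from collections import defaultdict

# Constructed indicator list in the page's naming convention ("TCP/10K" means
# TCP 10000-10999). Illustrative only; not the Digital Bond list the dashboard uses.
INDICATOR_NAMES = ["Modbus TCP/502", "DNP3 TCP/20000", "ABB TCP/10K"]

_NAME_RE = re.compile(r"^(?P<vendor>.+?) (?P<proto>TCP|UDP)/(?P<port>\d+)(?P<k>K)?$")


def parse_indicator(name):
    """Return (vendor, proto, low, high) for an indicator name.
    A trailing "K" expands the number to a thousand-port block, e.g. 10K -> 10000-10999."""
    m = _NAME_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised indicator name: {name!r}")
    base = int(m.group("port"))
    if m.group("k"):
        low, high = base * 1000, base * 1000 + 999
    else:
        low = high = base
    return m.group("vendor"), m.group("proto").lower(), low, high


def classify_flows(flows, names=INDICATOR_NAMES):
    """Map each indicator to the sorted hosts seen on its protocol and port range.
    flows: iterable of (src_ip, dst_ip, proto, dst_port) tuples, NetFlow style."""
    table = [(n, *parse_indicator(n)[1:]) for n in names]
    hits = defaultdict(set)
    for src, dst, proto, port in flows:
        for name, iproto, low, high in table:
            # Protocol must match too: UDP/20000 is not a DNP3 TCP hit.
            if proto == iproto and low <= port <= high:
                hits[name].update((src, dst))
    return {k: sorted(v) for k, v in hits.items()}


# Constructed sample flows, not captured traffic.
SAMPLE_FLOWS = [
    ("10.1.1.5", "10.1.2.10", "tcp", 502),
    ("10.1.1.5", "10.1.2.11", "tcp", 10500),
    ("10.1.1.7", "10.1.2.12", "udp", 20000),
    ("10.1.1.8", "10.1.2.13", "tcp", 443),
]

if __name__ == "__main__":
    for name, hosts in classify_flows(SAMPLE_FLOWS).items():
        print(name, hosts)
```

Hosts that appear under an indicator are candidates for the critical or associated asset list; as the page notes, the match is only as accurate as the network or asset scope the component is filtered to.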

CIP-002 Identification of Critical Cyber Assets - SCADA Events

This component provides an indicator of the normalized SCADA events currently supported by LCE.  By reviewing logs from SCADA devices, an administrator can assess risk and identify problems within the SCADA network.  This component helps address CIP-002 – R1 and R2 by identifying critical assets and associated systems.