CIP-002 Identification of Critical Cyber Assets Report

by Cody Dumont
January 23, 2014

For organizations that are required to be NERC compliant, SecurityCenter can lead the way to compliance. The first focus area is the “Identification of Critical Cyber Assets”. SecurityCenter uses Log Correlation Engine (LCE), Passive Vulnerability Scanner (PVS), and Nessus to identify the assets. When using the complete Tenable family of products, an organization can easily identify all critical assets and all associated assets.

Using LCE and PVS, SecurityCenter can track network protocol usage, allowing for easy identification of known SCADA TCP and UDP ports. When PVS is deployed, a non-intrusive approach can be taken to identify vulnerabilities on sensitive systems. Nessus can add more in-depth vulnerability discovery using credentialed scans of the SCADA control systems.

This report contains several chapters used to dynamically identify critical assets and associated devices. There are two chapters to identify the hosts and vulnerabilities discovered. There is also an executive summary chapter with indicator style components used to identify TCP/UDP port usage commonly seen in SCADA environments and the normalized events collected by LCE.

The report is available in the SecurityCenter 4.7 report app feed, an app store of dashboards, reports, and assets.
The requirements are:

  • SecurityCenter 4.7.1
  • Nessus 5.2.4
  • PVS 4.0
  • LCE 4.2.1 - Optional
  • TenableNetFlowMonitor - Optional
  • TenableNetworkMonitor - Optional

Chapters

Executive Summary - This chapter provides a series of tables displaying summary counts of vulnerabilities by common strings found in the plugin name, and the normalized LCE events. The other tables included are a summary of SCADA vulnerabilities and hosts with vulnerabilities identified using the SCADA plugin family.

SCADA Standard Protocol Ports - This chapter lists the TCP/UDP ports for protocols that are considered industry standards for SCADA control systems and are used by multiple vendors. The chapter contains an indicator table for the identified ports. There is a 25-day IP trend by port usage count. The trend line data is polled every 24 hours. There is also an iterator for each series of ports. The iterator identifies all IP addresses that are used with SCADA, and then reports the port summary.

Vendor Specific Ports - This chapter identifies systems by SCADA vendor. The vendor list has been created by Digital Bond Inc. Digital Bond has organized the SCADA vendor list by ports, which lets this chapter build components using the matrix table, trend graph, and iterator for analysis of the data. The chapter contains an indicator table for the identified vendors. There is a 25-day IP trend by port usage count. The trend line data is polled every 24 hours. There is also an iterator for each series of ports by vendor. The iterator identifies all IP addresses that are used with SCADA, and then reports the port summary.