Bandolier: Auditing Control System Security with the Nessus Vulnerability Scanner
DOE Roadmap Vision
In 10 years control systems for critical applications will be designed, installed, operated, and maintained to survive an intentional cyber assault with no loss of critical function.
Goals:
Measure and assess security posture
Develop and integrate protective measures
Detect intrusion and implement response strategies
Sustain security improvements
DOE Roadmap and Bandolier
Goal
Measure and Assess Security Posture
Milestones
Helps meet all mid-term milestones for goal:
Asset owners performing self-assessments of control systems
Metrics available for benchmarking security
Asset owners performing compliance audits of control systems
Challenge
Addresses the Roadmap challenge of limited ability to measure and assess cyber security posture and partially addresses the challenge of no consistent cyber security metrics.
Identifying the Problem
How do we establish an optimal / best possible secure configuration for our control system servers and workstations?
How do we verify that this configuration has not changed over time?
Can we do this using existing security tools at a low or no additional cost?
The Solution: Bandolier
Nessus Compliance Checks
Safer than traditional scanning
Secure management connection, not a scan
Evaluates the known good rather than the known bad
Customizable for local security policy
Exporting to OVAL/XCCDF for use in other vulnerability scanners and security tools
Multiple Levels of Testing
Audit File Structure
Customizable for site-specific policies
Each application component has two files
Baseline OS File
Application-specific File
Can be used individually or in tandem
Example: Baseline Operating System Checks
<item>
name: "Minimum password length"
value: 8
</item>
<custom_item>
type: FILE_CHECK
description: "Permission and ownership check /etc/passwd"
file: "/etc/passwd"
owner: "root"
group: "root"
mode: "644"
</custom_item>
Example: Application Specific Checks
<custom_item>
type: FILE_CONTENT_CHECK
description: "Determine if permissions are set correctly for the RealTime Server (bobjAcknowledge)"
value_type: POLICY_TEXT
value_data: "c:\program files\ControlSystemApp\config\Realtime.cfg"
regex: "bobjAcknowledge.*"
expect: "bobjAcknowledge, Permission - Control_SCADA"
</custom_item>
<custom_item>
type: FILE_CONTENT_CHECK
description: "Verify that interactive logins are disabled for the ems user"
file: "/etc/passwd"
expect: "ems:x:0:15:SCADA Super User:/lg/:.*"
regex: "ems:x:0:15:SCADA Super User:/lg/:/sbin/nologin"
</custom_item>
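To show how a compliance check evaluates the known good rather than the known bad, the toy evaluator below (added here; not Digital Bond or Tenable code) parses items written in the .audit syntax from the two example slides and classifies each as Compliant, Non-compliant or Inconclusive, the three result classes Nessus reports. The AUDIT policy text, the HOST snapshot and the simplified FILE_CHECK / FILE_CONTENT_CHECK semantics are all assumptions made for the example.

```python
import re
# Constructed policy in the Nessus .audit syntax shown on the slides. Assumption:
# only the Unix FILE_CHECK and FILE_CONTENT_CHECK keys used here are modelled.
AUDIT = '''
<custom_item>
type: FILE_CONTENT_CHECK
description: "Verify that interactive logins are disabled for the ems user"
file: "/etc/passwd"
regex: "ems:x:.*"
expect: "ems:x:0:15:SCADA Super User:/lg/:/sbin/nologin"
</custom_item>
<custom_item>
type: FILE_CHECK
description: "Permission and ownership check /etc/passwd"
file: "/etc/passwd"
owner: "root"
group: "root"
mode: "644"
</custom_item>
'''
# Constructed view of one SCADA host (what Nessus would read over SSH):
# per-file owner/group/mode plus content. The ems shell is a deliberate violation.
HOST = {"/etc/passwd": {"owner": "root", "group": "root", "mode": "644",
                        "content": "ems:x:0:15:SCADA Super User:/lg/:/bin/bash\n"}}

def parse_audit(text):
    items = []  # each <custom_item> block becomes a dict of key -> unquoted value
    for block in re.findall(r"<custom_item>(.*?)</custom_item>", text, re.S):
        item = {}
        for line in block.strip().splitlines():
            key, _, value = line.partition(":")  # split on the first colon only
            item[key.strip()] = value.strip().strip('"')
        items.append(item)
    return items

def evaluate(item, host):
    """Return Compliant, Non-compliant or Inconclusive for one audit item."""
    target = host.get(item.get("file"))
    if target is None:                   # file unreadable: no verdict possible
        return "Inconclusive"
    if item["type"] == "FILE_CHECK":
        ok = all(target[k] == item[k] for k in ("owner", "group", "mode") if k in item)
    elif item["type"] == "FILE_CONTENT_CHECK":  # regex selects lines, expect polices them
        hits = [l for l in target["content"].splitlines() if re.search(item["regex"], l)]
        ok = bool(hits) and all(re.search(item["expect"], l) for l in hits)
    else:
        return "Inconclusive"            # check type this evaluator does not model
    return "Compliant" if ok else "Non-compliant"

def audit_host(text=AUDIT, host=HOST):
    return {i["description"]: evaluate(i, host) for i in parse_audit(text)}
```

Running audit_host() against the constructed snapshot flags the ems login check as Non-compliant while the /etc/passwd permission check passes; re-running it after the host is corrected is the "has the configuration changed" check the slides describe.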
Bandolier Audit Files: Alpha Release
TelventOASyS
DNA 7.5
Engineering Station (Windows Server 2003)
Historical Server (Windows Server 2003)
RealTime Server (Windows Server 2003)
XOS Workstation (Windows XP)
Siemens
Spectrum Power TG 8.2
SCADA Host Server (Linux)
SCADA Workstation (Windows XP)
Web Host (Windows Server 2003)
Bandolier Audit Files: Coming Soon
Audit Files for These Control System Applications
ABB Ranger
AREVA e-terra
Emerson Ovation
Invensys Wonderware
Matrikon OPC Server
OPC Foundation UA Server
OSIsoft PI
SNC-Lavalin ECS GENe
Using the Bandolier Audit Files for Nessus
Prerequisites
Digital Bond Site Subscription ($100/year)
Nessus Professional Feed Subscription ($1,200/year)
Many organizations already have a Nessus subscription
Operational Requirements
UNIX/Linux Hosts
SSH Connection (TCP Port 22)
root account or set of credentials that can use su or sudo
Windows Hosts
SMB Connection (TCP Port 445)
Administrator credentials
Interpreting the Audit Results
Nessus Scan Results
Non-compliant
Inconclusive
Compliant
Additional Information
Severity Rating
Category (based on ISA99 Foundational Requirements)
Link to page on Digital Bond site
More documentation
Validation and remediation information
Report Example
Summary
Establishes optimal security configurations for control system servers and workstations
Allows an asset owner or operator to verify the secure configuration has not changed over time
Delivers at least twenty audit files for use in Nessus and other scanners
Alpha release audit files available
More Information
SCADApedia Articles
www.scadapedia.com
Digital Bond Website and Blog
www.digitalbond.com
Contact Us
[email protected]
Questions?
Jason Holcomb
Security Consultant and Researcher
Digital Bond, Inc.
[email protected]