A few weeks back, while discussing some planned Nessus updates and Bandolier, I said what matters is value and improved security for your control systems, not just running a scan. There are a variety of reasons why you might want to scan your control networks, but suffice it to say that you should be scanning with a goal in mind, not just scanning for the sake of scanning. Perhaps you want to identify known vulnerabilities, audit security configuration, or check patch levels. Whatever your goal is, it’s worth taking a look at the Nessus configuration and planning your scans according to that goal.
For people who aren’t working with security tools every day, part of the challenge is just knowing what options exist. Good news: we are documenting these options and their control system relevance over in the SCADApedia. I’ll be highlighting some sections of the Nessus page over the next few posts.
To get started, let’s take a look at the Nessus options that have specific, built-in control system intelligence.
Bandolier is Digital Bond’s DOE-funded effort to develop security audit files for control system applications. These files can help verify that your control system servers and workstations are in an optimal security configuration. How else are you going to identify and audit the thousands of settings buried in your control system applications and underlying operating systems?
The Bandolier audit files use the Nessus policy compliance plugins, which we’ll cover in more detail in a later post. They are available to Digital Bond site subscribers or through your vendor support channels. There are files for a variety of SCADA, DCS, and other applications. Check out the current list here and stay tuned for additional applications we’ll be adding soon.
If you’re a regular reader, you’ve likely heard of Bandolier, but did you know there is a whole Nessus plugin family dedicated to control systems? The SCADA plugins offer a variety of tests for control system applications and protocols. They are geared more toward a traditional vulnerability assessment than the configuration auditing done by Bandolier. Again, we’ll cover those issues in more detail in a later post. For now, check out the list of Nessus SCADA plugins.
One additional resource is the Tenable page dedicated to SCADA. Tenable is the company that makes Nessus as well as other security and log management tools.
So Bandolier and the SCADA plugins are Nessus features that have specific control system application or protocol intelligence. There are many other features of Nessus, however, that we can use to get high-value security data with minimal impact in process control environments. I’ll be highlighting these features and their control system relevance in subsequent posts in this series.