We had all our asset owner and vendor partners in the Dept. of Energy research project rightly say we need names for the forthcoming tools. So let us introduce the first: Bandolier.
Bandolier will be a set of security audit templates that you will run on Nessus and other popular vulnerability scanners to compare control system devices (HMI, Historians, Realtime servers, OPC clients and servers, ICCP servers, …, almost anything with a Windows or *nix OS) to a best practice, gold standard configuration developed specifically for the appropriate applications on that system. You can think of this as a control system application extension to the NIST SCAP concept.
In the project we will be developing at least 20 audit templates, and our asset owner partners have first selection for about half of those, which means we are still looking for additional interesting candidate systems. Take a look at this Bandolier Overview and let us know if you have a system you would like included in the project. We have plenty of candidates but are trying to include newer systems that will be widely deployed and can in fact be hardened.
UPDATE: An asset owner asked why only newer systems that can be hardened. Mainly because the audit files will identify whether the best practice config is implemented. If a system can’t be patched or hardened and is in a vulnerable state, it is of little value to verify that it is in a vulnerable state.
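To make the idea concrete, here is what a single check in a Nessus-style audit file looks like. This is an illustrative fragment written for this post in the standard Nessus Windows compliance-check syntax, not an actual Bandolier template; the two items are generic Windows hardening checks (restrict anonymous enumeration, keep the Telnet service disabled), whereas the real templates will carry checks specific to the control system application on the host. The policy name is a placeholder.

```text
<check_type:"Windows" version:"2">
<group_policy:"EXAMPLE-control-system-host-baseline">

<custom_item>
 type: REGISTRY_SETTING
 description: "Anonymous enumeration of SAM accounts and shares is restricted"
 info: "Gold standard value for the HMI/Historian host; a 0 here is a finding."
 value_type: POLICY_DWORD
 value_data: 1
 reg_key: "HKLM\SYSTEM\CurrentControlSet\Control\Lsa"
 reg_item: "RestrictAnonymous"
</custom_item>

<custom_item>
 type: SERVICE_POLICY
 description: "Telnet service is disabled"
 info: "Remote management on the control host should use the approved path only."
 value_type: SERVICE_SET
 value_data: "Disabled"
 service_name: "TlntSvr"
</custom_item>

</group_policy>
</check_type>
```

Each item yields PASS or FAIL against the scanned host, so a run of the whole template is a report of where the device diverges from the gold standard rather than a list of CVEs.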