Compliance checks use Nessus severity ratings differently from a typical Nessus plugin. The result of a compliance check is compliant, non-compliant, or inconclusive. Every check produces one of these results in a report, and they are mapped to the traditional Nessus ratings as follows:
High = Non-compliant
Medium = Inconclusive
Low = Compliant
If an audit check report contains a non-compliant result, there is no further built-in categorization of impact. This makes sense for most systems when it comes to compliance reporting. For example, you may simply be asking “Is this Windows XP machine compliant with the FDCC standard or not?” For Bandolier, however, we anticipate that asset owners looking at a report will appreciate some type of impact or severity rating so they can better understand the risk of a non-compliant check and make good decisions about remediation.
Because compliance checks differ from traditional vulnerability scanning, a rating system such as the Common Vulnerability Scoring System is overkill. The severity ratings for Bandolier are much simpler. Details and examples are described in the Bandolier Severity Ratings SCADApedia article, but here is an overview:
Severe – serious potential impact to the control system, could lead to system compromise
Moderate – potential security impact to the control system but not likely to result in system compromise
Informational – checks that provide system information such as role or version
Each check is associated with one of these ratings, which is written into the check's description field. The rating is therefore visible both in the audit file itself and in the reports that Nessus generates. The description field also includes a link to more information about the check, which will be hosted on the Digital Bond subscriber pages.
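As an added illustration (not code from the Bandolier project or from this post), the script below shows how an asset owner could triage Nessus compliance output that carries these ratings: it maps the Nessus High/Medium/Low severity back to non-compliant/inconclusive/compliant as described above, pulls the Bandolier rating and the more-info link out of the description field, and orders non-compliant findings with Severe checks first. It assumes the rating appears as a bracketed prefix of the description (e.g. "[Severe] ...") and uses constructed sample rows and a placeholder URL; the actual formatting used in the Bandolier audit files may differ.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Nessus reports a compliance check's outcome through its severity field
# (mapping as described in the post).
NESSUS_RESULT = {"High": "Non-compliant", "Medium": "Inconclusive", "Low": "Compliant"}

# Bandolier ratings in remediation-priority order (most urgent first).
BANDOLIER_RANK = {"Severe": 0, "Moderate": 1, "Informational": 2}

# Assumption: the rating is written as a bracketed prefix of the description
# field, e.g. "[Severe] Guest account is enabled". This is a constructed
# convention for the example, not necessarily the Bandolier one.
RATING_RE = re.compile(r"^\s*\[(Severe|Moderate|Informational)\]\s*(.*)$", re.DOTALL)
URL_RE = re.compile(r"https?://\S+")


@dataclass
class Finding:
    plugin_name: str
    result: str      # Compliant / Non-compliant / Inconclusive / Unknown
    rating: str      # Severe / Moderate / Informational / Unrated
    text: str        # description with the rating tag and link removed
    reference: str   # more-info link found in the description, or ""


def parse_description(description: str) -> Tuple[str, str]:
    """Split a description field into (rating, remaining text)."""
    m = RATING_RE.match(description)
    if not m:
        return "Unrated", description.strip()
    return m.group(1), m.group(2).strip()


def classify(row: Dict[str, str]) -> Finding:
    """Turn one Nessus report row into a Finding with compliance status and rating."""
    result = NESSUS_RESULT.get(row["severity"], "Unknown")
    rating, text = parse_description(row["description"])
    url_match = URL_RE.search(text)
    reference = url_match.group(0) if url_match else ""
    if reference:
        text = text.replace(reference, "").strip()
    return Finding(row["plugin_name"], result, rating, text, reference)


def triage(rows: List[Dict[str, str]]) -> List[Finding]:
    """Order findings: non-compliant first, then inconclusive, then compliant;
    within each group, Severe before Moderate before Informational."""
    result_order = {"Non-compliant": 0, "Inconclusive": 1, "Compliant": 2, "Unknown": 3}
    findings = [classify(r) for r in rows]
    return sorted(
        findings,
        key=lambda f: (result_order[f.result], BANDOLIER_RANK.get(f.rating, 3), f.plugin_name),
    )


# Constructed sample rows standing in for Nessus compliance-check output.
# The URL is a placeholder, not a real Digital Bond subscriber link.
SAMPLE_ROWS = [
    {"plugin_name": "Bandolier: Guest account enabled", "severity": "High",
     "description": "[Severe] Built-in Guest account is enabled. More info: https://example.invalid/bandolier/guest"},
    {"plugin_name": "Bandolier: OS version", "severity": "Low",
     "description": "[Informational] Reports the operating system version."},
    {"plugin_name": "Bandolier: Password length", "severity": "Medium",
     "description": "[Moderate] Minimum password length could not be determined."},
    {"plugin_name": "Bandolier: Audit logging", "severity": "High",
     "description": "[Moderate] Audit logging of logon events is disabled."},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_ROWS):
        print(f"{f.result:14} {f.rating:13} {f.plugin_name}  {f.reference}")
```

Run on the sample rows, the two non-compliant checks come out first with the Severe one on top, followed by the inconclusive and compliant checks; a description without a rating tag is reported as "Unrated" rather than dropped, so a formatting slip in an audit file does not hide a finding.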
Our goal is to make the Bandolier compliance checks as useful and valuable to asset owners as possible. I think the internal severity rating adds to the checks on both of those counts.