As Dale and I were discussing Bandolier on the recent podcast, we identified an important concept that we haven’t completely covered here in the blog or SCADApedia–extending Bandolier with additional Nessus credential checks. Example: the Bandolier security audit files can audit services but not open ports. Not on their own anyway, but once you’ve configured a Nessus scan policy for Bandolier, you’re only one click away from including open port information in the report.
But port scanning on control system networks is dangerous! When you’re using the Bandolier security audit files, though, you’re already making an authenticated connection. With one checkbox, you can also return the open TCP and UDP ports using the “netstat” scanner option–a much safer, more reliable, and more thorough option for auditing open ports, because it reads the host’s own socket table over the authenticated session instead of sending probe packets to the device. The title of this blog at Tenable summarizes it well: How to perform a full 65,535 UDP and TCP port scan with just 784 Packets. (Don’t get me wrong, traditional port scanning has its place, but the “netstat” scanner is an excellent source of information for routine scans.)
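To show what the netstat-based approach actually produces, here is an added example (not Bandolier, Nessus, or Tenable code) that parses netstat output collected over an authenticated session and compares the listening sockets against a baseline of ports the host is expected to expose. The netstat text and the `EXPECTED_PORTS` baseline are constructed for illustration; the output format is the Windows `netstat -an` layout, which is the assumption the parser makes.

```python
"""Audit listening ports from netstat output instead of active port scanning."""
import re
from typing import Dict, Iterable, Set, Tuple

Socket = Tuple[str, int]  # (protocol, local port)

# Constructed sample: what `netstat -an` on a Windows HMI host might print.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    10.0.0.5:502           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:3389          10.0.0.20:51123        ESTABLISHED
  TCP    10.0.0.5:49160         10.0.0.20:445          TIME_WAIT
  TCP    [::]:135               [::]:0                 LISTENING
  UDP    0.0.0.0:161            *:*
  UDP    0.0.0.0:137            *:*
"""

# Hypothetical baseline: the ports this host is expected to expose.
EXPECTED_PORTS: Set[Socket] = {("TCP", 135), ("TCP", 445), ("TCP", 502), ("UDP", 137)}

# The port is whatever follows the last colon; this also handles [::]:135.
_PORT_RE = re.compile(r":(\d+)$")


def parse_listening_sockets(netstat_output: str) -> Set[Socket]:
    """Return the set of (proto, port) sockets the host is listening on.

    TCP sockets count only in LISTENING state (established and closing
    connections are not exposure); every bound UDP socket counts, because
    UDP carries no connection state to filter on.
    """
    sockets: Set[Socket] = set()
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] not in ("TCP", "UDP"):
            continue  # header lines, blank lines, anything that is not a socket row
        proto, local = parts[0], parts[1]
        match = _PORT_RE.search(local)
        if not match:
            continue
        port = int(match.group(1))
        if proto == "TCP":
            state = parts[3] if len(parts) > 3 else ""
            if state != "LISTENING":
                continue
        sockets.add((proto, port))
    return sockets


def audit_ports(netstat_output: str, expected: Iterable[Socket]) -> Dict[str, Set[Socket]]:
    """Compare observed listeners with the baseline and report the differences."""
    observed = parse_listening_sockets(netstat_output)
    expected_set = set(expected)
    return {
        "observed": observed,
        "unexpected": observed - expected_set,  # new exposure: investigate
        "missing": expected_set - observed,     # expected service not listening
    }


if __name__ == "__main__":
    report = audit_ports(SAMPLE_NETSTAT, EXPECTED_PORTS)
    for key in ("observed", "unexpected", "missing"):
        print(f"{key:>10}: {sorted(report[key])}")
```

On the sample above the audit flags UDP/161 (SNMP) as listening but not in the baseline, which is exactly the kind of finding the netstat scanner surfaces without a single probe packet reaching the control system host.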
Another credentialed scanning function in Nessus is patch auditing. For an even more complete picture of your security posture, use the local security checks to return information about missing patches. This one never ceases to amaze me. If you’ve never used it before, then brace yourself–you will have missing patches! In addition to the normal OS patches, these checks also look at other applications including client software that is often overlooked.
Even if there are no audit files for your particular control system application, you can use the same policy compliance plugins used by Bandolier. Tenable provides audit files for a variety of operating systems and applications for many different standards and benchmarks. They won’t be tested specifically with your control system applications like the Bandolier files, but they may still be useful in assessing where you stand in terms of general security configuration.
I started a SCADApedia article about the Nessus Credentialed Scanning with some more information and screenshots. The Bandolier documentation will be getting some updates as well. Finally, all of these topics have NERC CIP applicability so stay tuned for more information and resources on that front (maybe even a generic NERC CIP audit file and scan policy documentation!).