Owners conducting a NERC Cyber Vulnerability Assessment are required to verify ports and services annually. On Windows and Unix-based systems this is trivial and safe: commands such as netstat and sc query (and others) list the listening ports and the configured services directly from the host, and the same inventory can be pulled through Bandolier credentialed scanning. Network and automation devices, however, often lack such commands, and they also tend to be the devices most sensitive to port scans (or their owners are simply unwilling to risk a scan because of unknowns about how the device will react).
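The host-side check described above amounts to parsing the listening-port output and comparing it to an approved ports-and-services baseline. The following is an added example, not code from the original post or from Bandolier: it parses constructed Linux `netstat -tulpn` style output (the sample rows and the baseline are hypothetical) and reports listeners that are unexpected, expected but absent, or bound to a different program than the baseline records.

```python
"""Verify listening ports and services against an approved baseline.

Added example, not part of the original post. Input is constructed
`netstat -tulpn` (Linux) output; the baseline is a hypothetical one
for a single host. Windows output (netstat -ano / sc query) would need
a different parser but the comparison logic is the same.
"""
import re

# Constructed sample in the shape of `netstat -tulpn` on Linux.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      901/master
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      1203/telnetd
tcp6       0      0 :::443                  :::*                    LISTEN      1500/httpd
udp        0      0 0.0.0.0:161             0.0.0.0:*                           770/snmpd
udp        0      0 0.0.0.0:20000           0.0.0.0:*                           1330/dnp3-gw
"""

# Hypothetical approved baseline: (proto, port) -> program expected to own it.
BASELINE = {
    ("tcp", 22): "sshd",
    ("tcp", 443): "httpd",
    ("udp", 161): "snmpd",
    ("udp", 20000): "dnp3-gw",
}

# One netstat row. UDP rows have no State column, so LISTEN is optional;
# a bare "-" appears in PID/Program when netstat lacks permission to read it.
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+"
    r"(?P<laddr>\S+)\s+\S+\s+"
    r"(?:LISTEN\s+)?"
    r"(?:(?P<pid>\d+)/(?P<prog>\S+)|-)"
)


def parse_listeners(text):
    """Return {(proto, port): {"addr": bind_address, "prog": program}}."""
    listeners = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header or non-socket line
        proto = m.group("proto").rstrip("6")          # tcp6 and tcp share a port space for this check
        addr, port = m.group("laddr").rsplit(":", 1)  # rsplit handles IPv6 "::" prefixes
        listeners[(proto, int(port))] = {
            "addr": addr,
            "prog": m.group("prog") or "unknown",
        }
    return listeners


def compare_to_baseline(listeners, baseline):
    """Split the observed listeners into unexpected, missing and mismatched."""
    unexpected = {k: v for k, v in listeners.items() if k not in baseline}
    missing = {k: v for k, v in baseline.items() if k not in listeners}
    mismatched = {
        k: (baseline[k], v["prog"])
        for k, v in listeners.items()
        if k in baseline and baseline[k] != v["prog"]
    }
    return unexpected, missing, mismatched


def report(listeners, baseline):
    """Human-readable summary; loopback-only listeners are called out separately
    because they are not reachable from the network and may be acceptable."""
    unexpected, missing, mismatched = compare_to_baseline(listeners, baseline)
    lines = []
    for (proto, port), info in sorted(unexpected.items()):
        scope = "loopback only" if info["addr"] in ("127.0.0.1", "::1") else "network reachable"
        lines.append(f"UNEXPECTED {proto}/{port} {info['prog']} ({scope})")
    for (proto, port), prog in sorted(missing.items()):
        lines.append(f"MISSING    {proto}/{port} expected {prog}")
    for (proto, port), (want, got) in sorted(mismatched.items()):
        lines.append(f"MISMATCH   {proto}/{port} expected {want}, found {got}")
    return lines or ["OK: listeners match baseline"]


if __name__ == "__main__":
    for line in report(parse_listeners(SAMPLE_NETSTAT), BASELINE):
        print(line)
```

Run against live output with `netstat -tulpn | python3 this_script.py`-style piping after swapping `SAMPLE_NETSTAT` for `sys.stdin.read()`; the baseline file is the artifact to keep under change control, since the annual check is only as good as the approved list it compares against.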
So, given the potential frailty of certain devices and the operational risk involved, owners' choices are limited: schedule an expensive outage to scan the devices, potentially interrupting the delivery of electric power, or scan the devices online, take other risk mitigation measures, and hope for the best? For responsible stewards of bulk electric system reliability, the risk of the unknown more often outweighs the benefit of the scan.
I’d like to float another option: clone the devices and run the scans in a test lab. The objective is to identify the network, system, and device configurations that could affect the output of the scans, and then document why a scan of the clone is representative of (or even equivalent to) a scan of the original, including any assumptions or other conditions that must hold.