
Tenable Takes Different Approach to SCADA IDS Sigs

Tenable Security, the folks that provide Nessus and the Nessus feed, recently added support for Digital Bond’s SCADA IDS signatures. Their approach is a bit different than a typical IDS.

Tenable calls their product a Passive Vulnerability Scanner (PVS), which is a sniffer that finds data similar to a Nessus vulnerability scan, but entirely through direct and realtime network sniffing. Our SCADA signatures were converted to PVS plugins, and I’m told the system is in production on SCADA sites today.

What I like about this solution is that PVS will automatically recognize what IP addresses are running SCADA client and server protocols and apply the appropriate SCADA signatures. Of course, this product addresses the myriad of Microsoft, web server, Unix, DoS, and other common IT security events.

Tenable also offers a SEM-type product called the Security Center. This will take in events from the PVS and other sources. Tenable is in the process of using realtime log data generated by the PVS to create correlation rules for our Log Correlation Engine for analysis of SCADA-specific correlation events. So it has some SCADA intelligence now, and hopefully this will continue to grow as more signatures, correlation rules and the PCSF SCADA data dictionary move forward.
