
SCADA Plugins For Nessus Are Released

Digital Bond has spent the last few months developing SCADA plugins for the very popular Nessus vulnerability scanner in a research project funded and assisted by Tenable Network Security. We are proud to announce the first set of plugins is now released and available in Tenable’s Direct Feed.

Tenable Network Security has a detailed blog entry that names and describes the plugins, covers compatibility with Nessus 3, and explains how to get the plugins. It is definitely worth a read. Over the coming weeks we will be adding material to the resource section on how to use these plugins in your SCADA security assessments.

For now let's talk about categorizing the SCADA plugins. The most obvious way to categorize them is by protocol and product. There are protocol plugins for Modbus TCP, DNP3, OPC and ICCP. (The include files, which implement some or all of each protocol, will make future plugins much easier to write.) There are product plugins for Areva, Matrikon, Siemens, Telvent, Sisco, Modicon and others. One obvious approach is to select the plugins based on the protocols and products in your system.

A second way to categorize the plugins is by function:

  • Discovery / Recon - Plugins that identify which SCADA devices and applications are present on the hosts being scanned.
  • Configuration - Plugins that identify vulnerable configurations or discover information about the configuration. Some of these are basic but important, such as checking whether the default password has been changed. Others are quite complex, such as guessing the TSAP (transport selector) in the COTP connection to an ICCP server.
  • Known Vulnerabilities - Just as Nessus identifies missing patches in Microsoft, Apache and other applications, these plugins determine whether the host is running a SCADA application with a published vulnerability.
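To make the Discovery / Recon category concrete, here is the kind of probe such a plugin performs, written out for Modbus TCP. This is an added illustration in Python, not one of the Digital Bond plugins (those are written in NASL for Nessus). It builds a Modbus "Read Device Identification" request (function code 0x2B, MEI type 0x0E, both defined in the Modbus Application Protocol specification), then parses the reply, distinguishing a device that answers with identification strings from one that merely speaks Modbus but returns an exception, and from a host whose bytes are not Modbus at all. The vendor and product strings in the sample reply, the `probe` function's choice of 0xFF as the unit identifier and the hostnames are all constructed for the example.

```python
"""Modbus/TCP discovery probe in the style of a recon plugin (illustrative example)."""
import socket
import struct

MODBUS_PORT = 502
FC_ENCAPSULATED_INTERFACE = 0x2B   # function code 43
MEI_READ_DEVICE_ID = 0x0E          # MEI type 14: Read Device Identification
READ_DEV_ID_BASIC = 0x01           # basic identification stream (objects 0x00-0x02)

# Object ids of the mandatory "basic" identification objects.
BASIC_OBJECTS = {0x00: "VendorName", 0x01: "ProductCode", 0x02: "MajorMinorRevision"}
EXCEPTION_CODES = {0x01: "ILLEGAL FUNCTION", 0x02: "ILLEGAL DATA ADDRESS",
                   0x03: "ILLEGAL DATA VALUE", 0x04: "SLAVE DEVICE FAILURE"}


def build_read_device_id(transaction_id: int, unit_id: int = 0xFF) -> bytes:
    """MBAP header + PDU for Read Device Identification, basic stream, from object 0."""
    pdu = bytes([FC_ENCAPSULATED_INTERFACE, MEI_READ_DEVICE_ID, READ_DEV_ID_BASIC, 0x00])
    # MBAP: transaction id, protocol id (0 = Modbus), length of unit id + PDU, unit id
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_response(frame: bytes, expected_tid: int) -> dict:
    """Validate the MBAP framing and decode the identification objects or exception."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if tid != expected_tid:
        raise ValueError("transaction id does not match our request")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field disagrees with frame size")
    pdu = frame[7:]
    fc = pdu[0]
    if fc & 0x80:
        # Exception reply: the host speaks Modbus but refused this function.
        return {"modbus": True, "exception": EXCEPTION_CODES.get(pdu[1], f"code {pdu[1]:#04x}"),
                "identification": {}}
    if fc != FC_ENCAPSULATED_INTERFACE or len(pdu) < 7 or pdu[1] != MEI_READ_DEVICE_ID:
        raise ValueError("unexpected function code or MEI type in response")
    # pdu[2] ReadDevId code, pdu[3] conformity level, pdu[4] more-follows,
    # pdu[5] next object id, pdu[6] number of objects, then (id, len, value)...
    count = pdu[6]
    objects = {}
    pos = 7
    for _ in range(count):
        if pos + 2 > len(pdu):
            raise ValueError("truncated object list")
        obj_id, obj_len = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + obj_len]
        if len(value) != obj_len:
            raise ValueError("truncated object value")
        name = BASIC_OBJECTS.get(obj_id, f"object_{obj_id:#04x}")
        objects[name] = value.decode("ascii", "replace")
        pos += 2 + obj_len
    return {"modbus": True, "exception": None, "identification": objects}


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-frame")
        buf += chunk
    return buf


def probe(host: str, port: int = MODBUS_PORT, timeout: float = 3.0, unit_id: int = 0xFF) -> dict:
    """Send one request to a live host and return the parsed result (network access required)."""
    tid = 0x1234
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_read_device_id(tid, unit_id))
        head = _recv_exact(sock, 7)                   # MBAP header incl. unit id
        remaining = struct.unpack(">H", head[4:6])[0] - 1
        return parse_response(head + _recv_exact(sock, remaining), tid)


# Constructed sample replies for offline testing (not captured from any real device).
SAMPLE_REPLY = (struct.pack(">HHHB", 1, 0, 32, 0xFF)
                + bytes([0x2B, 0x0E, 0x01, 0x01, 0x00, 0x00, 0x03])
                + bytes([0x00, 8]) + b"ACME-PLC"
                + bytes([0x01, 6]) + b"XR-100"
                + bytes([0x02, 4]) + b"V2.1")
SAMPLE_EXCEPTION = struct.pack(">HHHB", 2, 0, 3, 0xFF) + bytes([0xAB, 0x01])

if __name__ == "__main__":
    print(parse_response(SAMPLE_REPLY, 1))
    print(parse_response(SAMPLE_EXCEPTION, 2))
    # probe("192.0.2.10")  # against a real PLC; hostname is a placeholder
```

Two details matter for a scanner. The transaction id and protocol id checks are what stop an unrelated service listening on port 502 from being reported as Modbus, and an exception reply is still a positive identification: many PLCs do not implement function 43 but the well-formed exception proves the protocol is there, which is exactly what a discovery plugin wants to record before the configuration and known-vulnerability plugins run.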

Note that none of the categories includes zero-day vulnerability discovery. Nessus is not designed to find new vulnerabilities; it is not a fuzzer like Wurldtech's Achilles or Mu's product. That said, a scan does occasionally turn one up, when a host or application fails to handle the unexpected packets and data correctly.

This is just the tip of the iceberg in terms of what is possible. For example, we would like to add a set of plugins for Allen-Bradley PLCs and a set of plugins for HMIs. If you have any ideas on what would be useful to the community, send me an email.
