2006 Digital Bond Top Ten
Here is the top ten list for Digital Bond’s work in 2006. These are the items we believe made the biggest positive impact to the SCADA security community.
Again this year we are tremendously proud of many of our SCADA asset owner consulting clients who made substantial improvements in their security postures. Many of these clients would crack our top ten list, but of course there is no interest or benefit in going public and saying your SCADA system is highly secure.
So cue the graphics and music; here is our list:
10. Project LOGIIC Implements Digital Bond Data Dictionary
We developed a data dictionary as a small part of a previous HSARPA research contract. It lets a security event manager (SEM) identify security events in SCADA application logs; we used Telvent’s OASyS DNA as the example application. This data dictionary was successfully integrated into ArcSight as part of Project LOGIIC. It is a proof of concept, and all that is needed to expand it greatly is a little money and some sample logs.
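To make the idea concrete, here is an added example (not the Digital Bond dictionary and not Telvent’s log format) of what such a data dictionary does: a table of application log message patterns, each mapped to a vendor-neutral security event and severity, plus a normaliser that turns raw lines into records a SEM can correlate. The log lines, field names, event names and severity scale are all constructed for this illustration.

```python
"""Illustration of a SEM 'data dictionary' for SCADA application logs.

The log lines, field layout, event names and severity scale below are
constructed for this example; they are NOT Telvent OASyS DNA's real log
format and NOT Digital Bond's dictionary.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample of a hypothetical SCADA application log (timestamp, host, body).
SAMPLE_LOG = """\
2006-11-03 14:02:11 HMI01 LOGIN user=operator1 station=console3 result=OK
2006-11-03 14:05:40 HMI01 LOGIN user=admin station=console7 result=FAIL
2006-11-03 14:05:44 HMI01 LOGIN user=admin station=console7 result=FAIL
2006-11-03 14:05:49 HMI01 LOGIN user=admin station=console7 result=FAIL
2006-11-03 14:06:02 HMI01 LOGIN user=admin station=console7 result=OK
2006-11-03 14:07:15 HMI01 CONTROL user=admin point=BRK_101 action=OPEN
2006-11-03 14:09:30 HMI01 DBEDIT user=admin table=POINTS op=DELETE
2006-11-03 14:10:00 HMI01 SCAN rtu=RTU07 status=TIMEOUT
"""

# The data dictionary: one entry per application message type the SEM should
# recognise. 'pattern' names the fields to extract, 'event' is the vendor-neutral
# event the message maps to, 'severity' is an assumed 0-10 score.
DATA_DICTIONARY = [
    {"pattern": re.compile(r"LOGIN user=(?P<user>\S+) station=(?P<station>\S+) result=(?P<result>OK|FAIL)"),
     "event": lambda f: "auth.success" if f["result"] == "OK" else "auth.failure",
     "severity": lambda f: 1 if f["result"] == "OK" else 4},
    {"pattern": re.compile(r"CONTROL user=(?P<user>\S+) point=(?P<point>\S+) action=(?P<action>\S+)"),
     "event": lambda f: "control.operate",
     "severity": lambda f: 6},
    {"pattern": re.compile(r"DBEDIT user=(?P<user>\S+) table=(?P<table>\S+) op=(?P<op>\S+)"),
     "event": lambda f: "config.change",
     "severity": lambda f: 7},
    {"pattern": re.compile(r"SCAN rtu=(?P<rtu>\S+) status=(?P<status>\S+)"),
     "event": lambda f: "comm.ok" if f["status"] == "OK" else "comm.loss",
     "severity": lambda f: 0 if f["status"] == "OK" else 5},
]

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<host>\S+) (?P<body>.*)$")


def normalize(line: str) -> Optional[Dict[str, object]]:
    """Map one raw log line to a SEM event record. Lines the dictionary does not
    know are kept as 'unknown' for review rather than silently dropped."""
    head = LINE_RE.match(line)
    if not head:
        return None
    for entry in DATA_DICTIONARY:
        m = entry["pattern"].search(head["body"])
        if m:
            fields = m.groupdict()
            rec: Dict[str, object] = {"ts": head["ts"], "host": head["host"],
                                      "event": entry["event"](fields),
                                      "severity": entry["severity"](fields)}
            rec.update(fields)
            return rec
    return {"ts": head["ts"], "host": head["host"], "event": "unknown",
            "severity": 0, "raw": head["body"]}


def normalize_log(text: str) -> List[Dict[str, object]]:
    recs = (normalize(line) for line in text.splitlines() if line.strip())
    return [r for r in recs if r is not None]


def failed_logins_followed_by_success(records, threshold: int = 3):
    """A correlation the SEM can run once events are normalised: a run of at
    least `threshold` auth.failure events for a user followed by auth.success."""
    streak = defaultdict(int)
    hits = []
    for r in records:
        if r["event"] == "auth.failure":
            streak[r["user"]] += 1
        elif r["event"] == "auth.success":
            if streak[r["user"]] >= threshold:
                hits.append((r["user"], streak[r["user"]], r["ts"]))
            streak[r["user"]] = 0
    return hits


if __name__ == "__main__":
    for rec in normalize_log(SAMPLE_LOG):
        print(rec["ts"], rec["host"], rec["event"], rec["severity"])
    print(failed_logins_followed_by_success(normalize_log(SAMPLE_LOG)))
```

The point of the dictionary is that the SEM never needs to understand the SCADA application; it only needs the mapping, and once a control operation or database edit arrives as a normalised event it can be correlated with IT-side events exactly as a firewall log would be.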
9. New Digital Bond Website
We needed a better way to share papers, presentations, tools and other SCADA security resources with the community. We now can restrict content to subscribers and even further restrict the most sensitive tools to vetted asset owners. The SCADApedia infrastructure is built and is being populated with a first set of content that will be available to all.
There are a lot of little benefits such as a better blog feed, blog categories, a dedicated server, scalable fonts for readability, and better ways to highlight new content. In 2007, the community should find this an easier way to access a growing set of content.
8. SCADA Security Blog
The blog was very active in 2006. I hope it helped and was interesting to our readers. Thanks to all those who commented.
7. Scanning Control Systems White Paper
After many years of hearing from experts that you shouldn’t scan control systems, and after seven years of actively scanning control systems without affecting operation, we laid out our methodology and reasons for scanning in detail in a white paper.
Grab it before it moves to Subscriber Only content.
6. SCADA IDS Signatures Even More Widely Implemented
One of our disappointments in 2006 was that we did not make much progress in developing new SCADA IDS signatures, but the good news is that the current set of Modbus, DNP3 and ICCP signatures is supported by a growing number of IDS/IPS vendors.
McAfee added the ICCP signatures; Tenable added the signatures in their Passive Vulnerability Scanner; Fortinet added the Modbus TCP and DNP3 signatures to their IDS/IPS; and those are just the latest. Now the IDS signatures are in almost every network IDS/IPS. Not bad for a DHS investment of $100K.
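For readers who have not looked inside a SCADA protocol signature, here is an added example (not the DHS-funded signature set, and not any vendor’s rules) of the kind of checks a Modbus TCP signature encodes, written as plain Python so the logic is visible: writes from hosts that are not engineering stations, the Diagnostics "Force Listen Only Mode" and "Restart Communications" sub-functions, device enumeration, exception responses, and malformed MBAP headers. The allow list and the sample frames are constructed.

```python
"""IDS-style checks on Modbus/TCP frames (added illustration, not a vendor signature set).

Function codes, the MBAP header layout and the Diagnostics sub-function numbers are
from the Modbus specification; the engineering-station allow list and the sample
traffic are constructed for this example.
"""
import struct
from typing import List, Tuple

ENGINEERING_STATIONS = {"10.1.1.20"}                # constructed: hosts allowed to write

WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}            # write coil(s)/register(s), mask write, read/write
ENUM_FUNCTIONS = {17, 43}                           # Report Slave ID, Read Device Identification (MEI)
FC_DIAGNOSTICS = 8
DIAG_RESTART_COMMS = 0x0001
DIAG_FORCE_LISTEN_ONLY = 0x0004


def parse_mbap(frame: bytes) -> Tuple[int, int, int, int, bytes]:
    """Split a Modbus/TCP frame into (transaction id, protocol id, length, unit id, PDU).
    Raises ValueError when the header is truncated or the length field lies."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if length != len(frame) - 6:
        raise ValueError("MBAP length field %d does not match frame (%d)" % (length, len(frame) - 6))
    return tid, pid, length, uid, frame[7:]


def inspect(frame: bytes, src: str, dst: str) -> List[str]:
    """Return the alert names this frame triggers (empty list if nothing fires)."""
    alerts: List[str] = []
    try:
        _, pid, _, _, pdu = parse_mbap(frame)
    except ValueError as e:
        return ["modbus.malformed: " + str(e)]
    if pid != 0:
        alerts.append("modbus.malformed: protocol id %d (expected 0)" % pid)
    fc = pdu[0]
    if fc & 0x80:                                   # exception response: someone is probing the slave
        code = pdu[1] if len(pdu) > 1 else -1
        alerts.append("modbus.exception: fc %d code %d from %s" % (fc & 0x7F, code, src))
        return alerts
    if fc in WRITE_FUNCTIONS and src not in ENGINEERING_STATIONS:
        alerts.append("modbus.unauthorized_write: fc %d from %s to %s" % (fc, src, dst))
    if fc in ENUM_FUNCTIONS:
        alerts.append("modbus.enumeration: fc %d from %s" % (fc, src))
    if fc == FC_DIAGNOSTICS and len(pdu) >= 3:
        sub = struct.unpack(">H", pdu[1:3])[0]
        if sub == DIAG_FORCE_LISTEN_ONLY:
            alerts.append("modbus.force_listen_only: %s silencing %s" % (src, dst))
        elif sub == DIAG_RESTART_COMMS:
            alerts.append("modbus.restart_comms: %s restarting %s" % (src, dst))
    return alerts


def mb(fc: int, data: bytes, tid: int = 1, uid: int = 1) -> bytes:
    """Build a well-formed Modbus/TCP frame (used only to construct the samples)."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, uid) + pdu


# Constructed traffic: (frame, source, destination)
SAMPLE_TRAFFIC = [
    (mb(3, struct.pack(">HH", 0, 10)), "10.1.1.20", "10.1.2.5"),      # HMI read: benign
    (mb(6, struct.pack(">HH", 40001, 1)), "10.1.1.20", "10.1.2.5"),   # engineering station write: allowed
    (mb(6, struct.pack(">HH", 40001, 1)), "10.1.1.99", "10.1.2.5"),   # write from an unknown host
    (mb(8, struct.pack(">HH", 4, 0)), "10.1.1.99", "10.1.2.5"),       # Diagnostics: Force Listen Only Mode
    (mb(43, bytes([0x0E, 0x01, 0x00])), "10.1.1.99", "10.1.2.5"),     # Read Device Identification
    (mb(0x86, bytes([0x01])), "10.1.2.5", "10.1.1.99"),               # exception: illegal function
    (b"\x00\x01\x00\x00\x00\x09\x01\x03", "10.1.1.99", "10.1.2.5"),   # length field lies
]


def run(traffic=SAMPLE_TRAFFIC) -> List[List[str]]:
    return [inspect(frame, src, dst) for frame, src, dst in traffic]


if __name__ == "__main__":
    for (frame, src, dst), alerts in zip(SAMPLE_TRAFFIC, run()):
        print(src, "->", dst, frame.hex(), alerts or "ok")
```

The source-address condition is what makes these checks useful in a control network: a Modbus write is a perfectly normal message from the engineering workstation and a serious event from anywhere else, so the signature has to carry the site's allow list rather than the function code alone.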
5. Field Device Protection Profile and Plain English Guide
We delivered a Common Criteria Protection Profile for the next generation of RTUs and PLCs to PCSRF (the Process Control Security Requirements Forum). This document specifies the functional and assurance requirements that vendors build and test to. Admittedly, Common Criteria efforts probably will not go anywhere in the SCADA world for some time, so this is somewhat of a dead-on-arrival document.
That said, the Common Criteria is a well thought out list of requirements that is actually a thing of beauty if you can learn the language. So rather than let the work languish, we created a Plain English Version of the Protection Profile that provides useful input for vendors and those looking to issue an RFP.
4. SCADA Honeynet, Part 1
In 2006 we developed a virtual SCADA honeynet that is a very realistic portrayal of a popular PLC. The honeynet exposes a Modbus TCP interface with a realistic set of points, an HTTP management interface, an FTP management interface, an SNMP MIB and a basic telnet capability. For easy deployment, we have packaged it as a VMware Server image. There have been a few delays, but we now have all the necessary approvals from our sponsor, and the images and documentation are complete. It will be up on our subscriber site the first week in January.
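The Modbus TCP side of such a honeynet is essentially a fake PLC that answers reads and writes against a plausible point map and records every interaction. The following is an added example of that piece (it is not the Digital Bond honeynet and does not model any particular PLC): the register and coil values, point meanings and log format are constructed. `handle_request()` is a pure function over the emulated device state so it can be exercised without sockets; `serve()` wraps it in a TCP listener.

```python
"""Minimal Modbus/TCP PLC emulation of the kind a SCADA honeynet exposes.

Added illustration, not the Digital Bond honeynet: the point map, values and
logging format are constructed. Function codes and exception codes follow the
Modbus specification.
"""
import socketserver
import struct
import time
from typing import List

EXC_ILLEGAL_FUNCTION = 0x01
EXC_ILLEGAL_ADDRESS = 0x02
EXC_ILLEGAL_VALUE = 0x03


class FakePLC:
    """Emulated device state plus the interaction log, which is the honeynet's product."""

    def __init__(self):
        # Constructed point map: a few holding registers and coils with plausible values
        # (e.g. pump state, flow x10, setpoint), so a scanner sees a 'real' process.
        self.holding = {0: 1, 1: 4970, 2: 2500, 3: 0, 4: 1234}
        self.coils = {0: True, 1: False, 2: False}
        self.log: List[str] = []

    def handle_request(self, frame: bytes, peer: str) -> bytes:
        """Answer one Modbus/TCP request frame; returns b'' for frames too short to parse."""
        if len(frame) < 8:
            self.log.append("%s %s short frame %s" % (time.strftime("%Y-%m-%dT%H:%M:%S"), peer, frame.hex()))
            return b""
        tid, pid, _, uid = struct.unpack(">HHHB", frame[:7])
        pdu = frame[7:]
        fc = pdu[0]
        self.log.append("%s %s fc=%d pdu=%s" % (time.strftime("%Y-%m-%dT%H:%M:%S"), peer, fc, pdu.hex()))
        try:
            body = self._dispatch(fc, pdu[1:])
        except (KeyError, IndexError):
            body = bytes([fc | 0x80, EXC_ILLEGAL_ADDRESS])
        except (ValueError, struct.error):
            body = bytes([fc | 0x80, EXC_ILLEGAL_VALUE])
        except NotImplementedError:
            body = bytes([fc | 0x80, EXC_ILLEGAL_FUNCTION])
        return struct.pack(">HHHB", tid, pid, len(body) + 1, uid) + body

    def _dispatch(self, fc: int, data: bytes) -> bytes:
        if fc == 3:                                   # Read Holding Registers
            start, count = struct.unpack(">HH", data[:4])
            if not 1 <= count <= 125:
                raise ValueError
            regs = [self.holding[a] for a in range(start, start + count)]
            return bytes([fc, 2 * count]) + b"".join(struct.pack(">H", r) for r in regs)
        if fc == 1:                                   # Read Coils, packed LSB first
            start, count = struct.unpack(">HH", data[:4])
            if not 1 <= count <= 2000:
                raise ValueError
            bits = [self.coils[a] for a in range(start, start + count)]
            packed = bytearray((count + 7) // 8)
            for i, bit in enumerate(bits):
                if bit:
                    packed[i // 8] |= 1 << (i % 8)
            return bytes([fc, len(packed)]) + bytes(packed)
        if fc == 6:                                   # Write Single Register: accept and echo, as a PLC would
            addr, value = struct.unpack(">HH", data[:4])
            if addr not in self.holding:
                raise KeyError(addr)
            self.holding[addr] = value
            return bytes([fc]) + data[:4]
        raise NotImplementedError                     # everything else: exception 01


def build_request(fc: int, data: bytes, tid: int = 1, uid: int = 1) -> bytes:
    """Helper to build a Modbus/TCP request frame (for tests and manual probing)."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, uid) + pdu


class ModbusHandler(socketserver.BaseRequestHandler):
    def handle(self):
        plc = self.server.plc
        while True:
            hdr = self.request.recv(7)
            if len(hdr) < 7:
                return
            length = struct.unpack(">H", hdr[4:6])[0]
            if length < 2:
                return
            rest = self.request.recv(length - 1)
            reply = plc.handle_request(hdr + rest, self.client_address[0])
            if reply:
                self.request.sendall(reply)


def serve(host: str = "0.0.0.0", port: int = 502, plc: FakePLC = None):
    """Listen as a PLC would. Port 502 needs privileges; use 1502 for local testing."""
    srv = socketserver.ThreadingTCPServer((host, port), ModbusHandler)
    srv.plc = plc or FakePLC()
    srv.serve_forever()


if __name__ == "__main__":
    serve(port=1502)
```

Two design points matter for a honeynet: the emulation must answer unsupported function codes with a proper Modbus exception rather than closing the connection, because a scanner fingerprints on exactly that behaviour, and writes have to be accepted and echoed, since an attacker who sees writes rejected knows there is no process behind the device.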
3. SCADA Honeynet, Part 2
Digital Bond has had multiple SCADA honeynets running in a variety of environments since August 1. Some are exposed directly to the Internet via Verizon wireless service and others are in substations on a WLAN access point. This gives us hard data, as opposed to FUD, that will be published on the web site and in an S4 paper.
2. Vulnerability Disclosure
We finally woke up and realized that all those vulnerabilities we had been reporting to SCADA vendors since 2000, with very mixed and usually disappointing results, should also have been submitted to US-CERT / CERT. The new result: vendors responding to CERT “discussions” and issuing patches rather than stonewalling, US-CERT vulnerability notes that were vague but notified asset owners they needed to patch, and a lot of heated discussions. We now notify US-CERT at the same time as the vendor when a vulnerability is discovered, and our consulting clients have approved this after discussing the pros and cons.
Matt drove this issue in 2006 and got a passionate discussion started in the SCADA security community.
Admittedly a bit of an overlap with our other Top Ten list.
1. Nessus SCADA Plugins
Partnering with Tenable Network Security, we were able to add 32 SCADA plugins to the most popular vulnerability scanner, Nessus. Now Nessus will identify SCADA systems, check for weak configurations such as default passwords, and identify SCADA systems with published vulnerabilities. There is a lot more to do here, but this is a big first step to helping asset owners identify not only Microsoft vulnerabilities, but also DNP3, ICCP, OPC, Modicon, … vulnerabilities.
I was tempted to include S4 because we have done most of the work this year. Based on the papers I’m sure S4 will crack the top 3 in 2007.
Author: Dale Peterson
Posted: December 20th, 2006 under Big Picture.
Comments: 2
Comments
Comment from Anon
Time: December 21, 2006, 7:07 pm
Is benefit to the SCADA community a criterion for selection, or something else? I don’t get Nessus SCADA plugins for free!
Comment from Dale Peterson
Time: December 22, 2006, 8:18 pm
The Nessus SCADA plugins are part of Tenable’s Direct Feed service offering. There is a charge for this, but it includes a lot more than the SCADA plugins.
Most organizations that do assessments have access to the feed, and your IT Department may have access to the feed.