
Bandolier Update: Full speed ahead

Bandolier has definitely ramped up to full speed! I cannot mention names yet, but the first assessments are complete and we are actively developing Nessus audit files.

One of the key parts of Bandolier is working with the vendors and asset owners to define a secured, “gold standard” system. We are looking at all levels – from the operating system, to the supporting applications, and finally into the control system application itself. As we go through each level, we are verifying that the system is in a secure state and defining the settings that can be audited. Through this process, some natural categories have emerged:

  1. General Operating System Checks – general best practice checks for things like password settings, file permissions, dangerous services, etc.
  2. Application-specific Operating System Checks – examples include checking for a minimal set of services based on what is necessary for operation of the application
  3. Supporting Application Checks – general best practice checks for web servers, database servers, LDAP, etc.
  4. Application-specific Checks – examples include looking into configuration files or registry entries for settings that affect security, checking application file ownership and permissions, etc.
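To make the four categories concrete, here is an added example of what one check from each of categories 1, 2 and 4 looks like in the Nessus audit file format. It is illustrative only and is not a Bandolier audit file: the application path `/opt/example-hmi/etc/app.conf`, the `remote_debug` setting and the `telnetd` process name are placeholders standing in for whatever the real vendor and asset owner agree on for a given system.

```text
<check_type:"Unix">

# Category 1 - general operating system check: password policy in /etc/login.defs.
# The "regex" line must match for the check to apply; "expect" must then match
# the same line, so a missing PASS_MIN_LEN entry fails rather than passes.
<custom_item>
  type        : FILE_CONTENT_CHECK
  description : "Minimum password length is at least 8 characters"
  file        : "/etc/login.defs"
  regex       : "^[[:space:]]*PASS_MIN_LEN[[:space:]]+"
  expect      : "^[[:space:]]*PASS_MIN_LEN[[:space:]]+([89]|[1-9][0-9]+)[[:space:]]*$"
</custom_item>

# Category 2 - application-specific operating system check: a service that the
# control system application does not need should not be running.
# "telnetd" is a placeholder; the real list comes from the vendor's requirements.
<custom_item>
  type        : PROCESS_CHECK
  description : "Telnet daemon is not running on the HMI host"
  name        : "telnetd"
  status      : OFF
</custom_item>

# Category 4 - application-specific checks on the control system application's
# own configuration file (placeholder path). "mask" lists the permission bits
# that must be cleared: 077 means group and other have no access at all.
<custom_item>
  type        : FILE_CHECK
  description : "HMI application configuration is owned by root and readable only by root"
  file        : "/opt/example-hmi/etc/app.conf"
  owner       : "root"
  group       : "root"
  mask        : "077"
</custom_item>

<custom_item>
  type        : FILE_CONTENT_CHECK
  description : "Remote debug interface is disabled in the HMI configuration"
  file        : "/opt/example-hmi/etc/app.conf"
  regex       : "^[[:space:]]*remote_debug[[:space:]]*="
  expect      : "^[[:space:]]*remote_debug[[:space:]]*=[[:space:]]*off[[:space:]]*$"
</custom_item>

</check_type>
```

The same category-4 idea on a Windows host uses the `"Windows"` check type with `REGISTRY_SETTING` items, naming the key and value the application reads; the point in either case is that the audit encodes the "gold standard" value agreed with the vendor, so a deviation shows up as a failed item rather than as something an assessor has to know to look for.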

The real challenge is in the fourth category. It requires an understanding of how each control system application functions, so we have spent a lot of time with manuals, CBTs, and talking to vendors. It requires the biggest time investment but also contains the most value.

We still have a lot of work to do, but I’m pleased with how this project is progressing and am looking forward to getting these practical tools into the hands of asset owners. I’ll be sharing our progress and challenges along the way so stay tuned.
