
Where does Bandolier fit?

As we’re getting closer to a beta release of the Bandolier audit files, it’s a good time to look at how they can fit into asset owner security strategies. I often bring up personal experience when talking about this project. Back in the days when I had security responsibility for control systems, it was difficult to determine an optimal security configuration for the workstations and servers — certainly at the OS level and even more so at the application level.

So why is it so challenging to take the necessary steps to secure these servers and workstations? There are a variety of reasons, most of them stemming from availability concerns. Here are some examples I have seen:

1.) Fear of voiding a vendor support agreement by making any changes to the delivered configuration
2.) General fear of breaking something — “it ain’t broke, don’t fix it” mentality
3.) Uncertainty regarding what ports and services are required by the application(s)

All of these can be summarized as “fear of the unknown”. This is something that even the best “top down” security guidance (e.g. NERC CIP, SP800-53, ISA99, etc.) does not address. Bandolier helps fill this gap by using a practical, “bottom-up” approach to define and audit an optimal security configuration at a very nuts-and-bolts level: which ports, services, and settings a given control system application actually needs. This is something I wish had been available for some of my previous responsibilities, and it is why I think this is an exciting project.
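To make the “bottom-up” idea concrete, here is an added example (my own illustration, not a Bandolier audit file and not Digital Bond's code) of what a baseline-driven configuration audit does: a per-host baseline states which listening ports and services the control application requires, permits, or forbids, and the audit compares an observed snapshot of the host against it. The host type, port numbers, service names, and the observed snapshot are all constructed for the example.

```python
"""Baseline-driven configuration audit (added example; not Bandolier's format).

The baseline answers the "fear of the unknown" questions directly: which
ports must be open, which are merely allowed, which services must run and
which must never run. Everything here is constructed for illustration.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Set, Dict


@dataclass(frozen=True)
class Baseline:
    """What a host of this role should look like (constructed values)."""
    required_ports: FrozenSet[int]        # must be listening
    optional_ports: FrozenSet[int]        # allowed, but not required
    required_services: FrozenSet[str]     # must be running
    forbidden_services: FrozenSet[str]    # must be disabled


@dataclass
class Observed:
    """Snapshot gathered from the host (constructed for the example)."""
    listening_ports: Set[int]
    running_services: Set[str]


@dataclass
class Finding:
    severity: str   # "HIGH" or "MEDIUM"
    check: str      # short machine-readable check name
    detail: str     # human-readable explanation


def audit(baseline: Baseline, observed: Observed) -> List[Finding]:
    """Compare the observed host state against the baseline.

    Four checks: unexpected listeners, missing required listeners,
    forbidden services that are running, required services that are stopped.
    """
    findings: List[Finding] = []
    allowed = baseline.required_ports | baseline.optional_ports

    for port in sorted(observed.listening_ports - allowed):
        findings.append(Finding("HIGH", "unexpected_port",
                                f"TCP/{port} is listening but is not in the baseline"))
    for port in sorted(baseline.required_ports - observed.listening_ports):
        findings.append(Finding("MEDIUM", "missing_required_port",
                                f"TCP/{port} is required by the application but not listening"))
    for svc in sorted(observed.running_services & baseline.forbidden_services):
        findings.append(Finding("HIGH", "forbidden_service_running",
                                f"service '{svc}' must be disabled but is running"))
    for svc in sorted(baseline.required_services - observed.running_services):
        findings.append(Finding("MEDIUM", "required_service_stopped",
                                f"service '{svc}' is required but not running"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity so a host can be scored at a glance."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed baseline for a hypothetical "HMI workstation" role.
HMI_BASELINE = Baseline(
    required_ports=frozenset({502, 4840}),          # constructed: Modbus/TCP, OPC UA
    optional_ports=frozenset({3389}),               # constructed: remote admin allowed
    required_services=frozenset({"HMIRuntime", "OPCServer"}),
    forbidden_services=frozenset({"Telnet", "Messenger"}),
)

# Constructed snapshot of what was actually found on the host.
HMI_OBSERVED = Observed(
    listening_ports={23, 135, 502, 4840},
    running_services={"HMIRuntime", "Telnet"},
)


def run_sample() -> List[Finding]:
    """Audit the constructed host; used by the stand-alone run below."""
    return audit(HMI_BASELINE, HMI_OBSERVED)


if __name__ == "__main__":
    results = run_sample()
    for f in results:
        print(f"[{f.severity}] {f.check}: {f.detail}")
    print("summary:", summarize(results))
```

The value of this shape is that the baseline is written once per host role by someone who knows the application, and then every host of that role can be audited repeatably. A finding of `unexpected_port` or `forbidden_service_running` is a hardening item; `missing_required_port` or `required_service_stopped` is an availability item, which is exactly the distinction asset owners worried about breaking something want to see before they change anything.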

I don’t mean to take anything away from the standards efforts because they are good and necessary. In many cases the Bandolier audit files can help address specific parts of the standards. But based on my experience and the feedback we’re getting, there are a lot of asset owners out there looking for something more specific. Where servers, workstations, and control system applications are concerned, Bandolier is helping meet that need.
