hiring
AAA  AAA 

Security Assessments

Security assessments of control systems have many similarities and many important differences with assessments of enterprise networks. Over the base eight years Digital Bond has developed an effective Control System Security Assessment methodology that maximizes the tools and methodogies in the IT world, but modifies and augments these with our control system tools and methodologies.

It is true that a simple Nessus or nmap scan can bring down a critical control system application. However, isn’t this something you should know and address before an attacker or IT person gains access to the SCADA network and inevitably starts with these tools? Digital Bond leverages the redundancy in control systems and closely coordinates with the asset owner so a representative sample of control system assets and applications can be vigorously tested. (Read our white paper on Digital Bond’s Control System Scanning Methodology )

Digital Bond has a large library of open source assessment tools, from broad based scanners to specific application, protocol or exploit code. In addition, Digital Bond has developed control system specific proprietary tools as an offshoot of our research that have been responsible for identifying the first SCADA vulnerabilities reported and processed by US-CERT. As evidence of our expertise, Tenable Security engaged Digital Bond to write the SCADA security plugins for the Nessus vulnerability scanner.

Many vendors have given assessments a bad name by simply running scanning tools, adding their name and logo to the output file, and submitting the modified output as a report. The scanning tool output typically contains a large amount of false positives and incorrectly risk-rated findings. Now the asset owner is stuck trying to explain why these findings are not really a problem or applicable. Digital Bond provides all tool output on a DVD, but we analyze the findings to focus on what is real and important.

While scanning and exploit typically are the high-profile part of assessment, they are only part, and often not the most important part, of an assessment. Digital Bond also includes a review of administrative and technical security controls by interview and inspection. Some of these activities include:

  • Analysis of the firewall, router and switch configurations
  • Analysis of the operating system configuratons
  • Analysis of the SCADA, DCS, and EMS security configurations
  • Analysis of the IP-based field device configuration
  • Interviews with managers, operators, engineers and system administrators
  • Review of all applicable security policies and related documents
  • Review and audit of key procedures such as change control and backup
  • Analysis of availability related to component failure and widespread disaster
  • Analysis of the physical security of cyber assets

The information from the controls analysis combined with the scanning and exploits provides a complete view of the current security posture and allows Digital Bond to determine a prioritized list of the vulnerabilities and corresponding recommendations for remediation.

Throughout the process Digital Bond encourages active participation by the asset owner to facilitate knowledge transfer and to help Digital Bond incorporate the business judgement and cultural considerations into the prioritization and recommendation of findings.

Key Benefits

  • Final report and briefing informs management of risks
  • Prioritized findings and recommendations to maximize improvement of security posture
  • Find and close security gaps before they are exploited
  • Compensating controls for vulnerabilities that cannot be directly addressed

Deliverables

Digital Bond provides an executive briefing, a technical briefing, a written report, and a DVD with all the raw data from all the tests. One of the main benefits of the report is our prioritized list of the vulnerabilities. Often by quickly addressing the most significant vulnerabilities a company can greatly increase the security of their control system.