Security assessments of industrial control systems (ICS) share many similarities with assessments of enterprise networks, and differ from them in many important ways. Over the past fifteen years Digital Bond has developed an effective ICS or SCADA Security Assessment methodology that makes maximum use of the tools and methodologies of the IT world, but modifies and augments these with our control system tools and techniques.
It is true that a simple Nessus or nmap scan can bring down a critical control system application. However, isn’t this something you should know and address before an attacker or an IT Department staffer gains access to the SCADA or DCS and inevitably starts with these tools? Digital Bond leverages the redundancy in control systems and closely coordinates with the asset owner so a representative sample of ICS assets and applications can be vigorously tested. (Read our white paper on Digital Bond’s Control System Scanning Methodology)
Digital Bond has a large library of open source assessment tools, from broad-based scanners to specific application, protocol or exploit code. In addition, as an offshoot of our research, Digital Bond has developed proprietary control-system-specific tools that have been responsible for identifying the first SCADA vulnerabilities reported and processed by US-CERT.
Many vendors have given assessments a bad name by simply running scanning tools, adding their name and logo to the output file, and submitting the modified output as a report. The scanning tool output typically contains a large number of false positives and incorrectly risk-rated findings. The asset owner is then stuck trying to explain why these findings are not really a problem or not applicable. Digital Bond provides all tool output on a DVD, but we analyze the findings to focus on what is real and important.
While scanning and exploitation are typically the high-profile part of an ICS Security Assessment, they are only one part, and often not the most important part, of an assessment. Digital Bond also includes a review of administrative and technical security controls by interview and inspection.
Partial List of SCADA Security Assessment Activities
- Analysis of the firewall, router and switch configurations
- Analysis of the operating system configurations
- Analysis of the SCADA, DCS, and EMS security configurations
- Analysis of the IP-based field device configuration
- Interviews with managers, operators, engineers and system administrators
- Review of all applicable security policies and related documents
- Review and audit of key procedures such as change control, backup, incident detection and recovery
- Analysis of availability related to component failure and widespread disaster
- Analysis of the ability to recover from a cyber attack
- Analysis of the physical security of cyber assets
- Much more from our methodology checklist …
The information from the controls analysis combined with the scanning and exploits provides a complete view of the current security posture and allows Digital Bond to provide a prioritized list of the vulnerabilities and corresponding recommendations for remediation. The focus of the assessment report is the most efficient path to risk reduction to a level acceptable to management.
Throughout the process, Digital Bond encourages active participation by the asset owner to facilitate knowledge transfer and to help Digital Bond incorporate business judgement and cultural considerations into the prioritization and recommendation of findings.
- Final report and briefing informs management of risks
- Prioritized findings and recommendations to maximize improvement of security posture
- Find and close security gaps before they are exploited
- Compensating controls for vulnerabilities that cannot be directly addressed
Digital Bond provides an executive briefing, a technical briefing, a written report, and a DVD with all the raw data from all the tests. One of the main benefits of the report is our prioritized list of the vulnerabilities. Often, by quickly addressing the most significant vulnerabilities, a company can greatly increase the security of its control system.