Bandolier Security Audit Files are designed to help asset owners and vendors identify and audit optimal security configuration for control system servers and workstations. In this Department of Energy funded project, Digital Bond partners with leading control system application vendors to establish practical security configuration guidance for SCADA, DCS, and other industrial control system components. Digital Bond then creates and distributes specialized security audit files that can be used with the Nessus vulnerability scanner. Bandolier, in conjunction with Nessus, is the most widely used security tool in industrial control systems.
Bandolier Security Audit Files can also aid with security compliance efforts, including the NERC CIP standards. This page focuses on the specific NERC CIP requirements that Bandolier can help test and provide audit evidence for NERC CIP.
Individual Bandolier audit tests primarily assist with CIP-007 requirements. According to its purpose statement, CIP-007 “requires Responsible Entities to define methods, processes, and procedures for securing those systems determined to be Critical Cyber Assets, as well as the non-critical Cyber Assets within the Electronic Security Perimeter(s).” The Bandolier audit files can be a valuable tool for validating secure configuration settings for servers and workstations that are considered Critical Cyber Assets or that exist within the Electronic Security Perimeter.
CIP-007-1 R1: Test Procedures
R1. Test Procedures — The Responsible Entity shall ensure that new Cyber Assets and significant changes to existing Cyber Assets within the Electronic Security Perimeter do not adversely affect existing cyber security controls. For purposes of Standard CIP-007, a significant change shall, at a minimum, include implementation of security patches, cumulative service packs, vendor releases, and version upgrades of operating systems, applications, database platforms, or other third-party software or firmware.
R1.1. The Responsible Entity shall create, implement, and maintain cyber security test procedures in a manner that minimizes adverse effects on the production system or its operation.
R1.2. The Responsible Entity shall document that testing is performed in a manner that reflects the production environment.
R1.3. The Responsible Entity shall document test results.
The Frequently Asked Questions (FAQs) for Cyber Security Standards Standards (CIP-007-1) document describes in more detail the type testing intended by this requirement:
- Basic “port scans” to identify open/available services
- File integrity checking to identify change in size of certain files
- Review of active user accounts subsequent to changes to the system
- Validate security-related functions: access controls, audit functions, file protection
- Test for malicious logic in source code
- Review technical documentation to determine security features
- Review source code if available for application security
- The Bandolier security audit files can be a valuable part of the testing procedures outlined in this requirement because they audit a server or workstation’s security configuration, or “cyber security controls” as described in the standard language
- Much of the testing described in the NERC CIP FAQ is available either from the Bandolier security audit files directly or additional credentialed scanning features in Nessus
- Because the Bandolier audits use an authenticated management connection rather than traditional vulnerability scanning methods, the risk for adverse effects as described in R1.1 are minimal.
- Reports from the audit templates can generally be saved in a variety of formats that can provide the documentation required by R1.3.
- EXAMPLE: After an update has been applied, a Bandolier audit can be performed to validate that the defined security best practice has not changed.
CIP-007-1 R2: Ports and Services
R2. Ports and Services — The Responsible Entity shall establish and document a process to ensure that only those ports and services required for normal and emergency operations are enabled.
R2.1. The Responsible Entity shall enable only those ports and services required for normal and emergency operations.
R2.2. The Responsible Entity shall disable other ports and services, including those used for testing purposes, prior to production use of all Cyber Assets inside the Electronic Security Perimeter(s).
R2.3. In the case where unused ports and services cannot be disabled due to technical limitations, the Responsible Entity shall document compensating measure(s) applied to mitigate risk exposure or an acceptance of risk.
- The Bandolier development approach includes working with the application vendor to define the minimum set of services and processes required for the application to properly function. This intelligence is included in the audit files. Additional port auditing options are available using the Nessus authenticated port scanning option.
- The Bandolier audit files report on the status of known services or processes.
CIP-007-1 R5: Account Management
R5. Account Management — The Responsible Entity shall establish, implement, and document technical and procedural controls that enforce access authentication of, and accountability for, all user activity, and that minimize the risk of unauthorized system access.
R5.1. The Responsible Entity shall ensure that individual and shared system accounts and authorized access permissions are consistent with the concept of “need to know” with respect to work functions performed.
R5.1.1. The Responsible Entity shall ensure that user accounts are implemented as approved by designated personnel. Refer to Standard CIP-003 Requirement R5.
R5.1.2. The Responsible Entity shall establish methods, processes, and procedures that generate logs of sufficient detail to create historical audit trails of individual user account access activity for a minimum of ninety days.
R5.1.3. The Responsible Entity shall review, at least annually, user accounts to verify access privileges are in accordance with Standard CIP-003 Requirement R5 and Standard CIP-004 Requirement R4.
R5.2. The Responsible Entity shall implement a policy to minimize and manage the scope and acceptable use of administrator, shared, and other generic account privileges including factory default accounts.
R5.2.1. The policy shall include the removal, disabling, or renaming of such accounts where possible. For such accounts that must remain enabled, passwords shall be changed prior to putting any system into service.
R5.2.2. The Responsible Entity shall identify those individuals with access to shared accounts.
R5.2.3. Where such accounts must be shared, the Responsible Entity shall have a policy for managing the use of such accounts that limits access to only those with authorization, an audit trail of the account use (automated or manual), and steps for securing the account in the event of personnel changes (for example, change in assignment or termination).
R5.3. At a minimum, the Responsible Entity shall require and use passwords, subject to the following, as technically feasible:
R5.3.1. Each password shall be a minimum of six characters.
R5.3.2. Each password shall consist of a combination of alpha, numeric, and “special” characters.
R5.3.3. Each password shall be changed at least annually, or more frequently based on risk.
The Bandolier audit files can verify if default accounts have been renamed and/or disabled. (R2.1)
Default application accounts, where possible, are identified and audited by the templates. (R2.1)The Bandolier audit files measure operating system password characteristics on Windows and Unix systems (R3)
The Bandolier audit files, where possible, measure the password characteristics at the application level. (R3)
CIP-007-1 R4: Malicious Software Prevention
R4. Malicious Software Prevention — The Responsible Entity shall use anti-virus software and other malicious software (“malware”) prevention tools, where technically feasible, to detect, prevent, deter, and mitigate the introduction, exposure, and propagation of malware on all Cyber Assets within the Electronic Security Perimeter(s).
R4.1. The Responsible Entity shall document and implement anti-virus and malware prevention tools. In the case where anti-virus software and malware prevention tools are not installed, the Responsible Entity shall document compensating measure(s) applied to mitigate risk exposure or an acceptance of risk.
R4.2. The Responsible Entity shall document and implement a process for the update of anti-virus and malware prevention “signatures.” The process must address testing and installing the signatures.
Using Nessus Credentialed Scanning in conjunction with Bandolier can help audit the status of malware prevention software. Nessus has plugins that can identify if anti-virus software is present and verify that signature databases are updated. Nessus can report on this for the following list of anti-virus products:
- ESET NOD32
- Trend Micro
- Windows Live OneCare
Nessus also has a plugin (#45051) that will find any anti-virus software using WMI. Nessus audit files are available for specific anti-virus products that can ensure that the software is set to execute during boot-up and is actually running. The audit files are available for the following products:
- CA eTrust
- Trend Micro
CIP-007-1 R8: Vulnerability Assessment
R8. Cyber Vulnerability Assessment — The Responsible Entity shall perform a cyber vulnerability assessment of all Cyber Assets within the Electronic Security Perimeter at least annually. The vulnerability assessment shall include, at a minimum, the following:
R8.1. A document identifying the vulnerability assessment process;
R8.2. A review to verify that only ports and services required for operation of the Cyber Assets within the Electronic Security Perimeter are enabled;
R8.3. A review of controls for default accounts; and
R8.4. Documentation of the results of the assessment, the action plan to remediate or mitigate vulnerabilities identified in the assessment, and the execution status of that action plan.
- The Bandolier audit files are not a complete vulnerability assessment but can add contribute to the assessment process.
- The Bandolier development approach includes working with the application vendor to define the minimum set of services and process required for the application to properly function. This intelligence is included in the audit templates. (R8.2)
- Where possible, the audit templates report on the status of default operating system and application accounts. (R8.3)