What is Bandolier?
Bandolier helps asset owners and vendors identify and audit optimal security configuration for control system servers and workstations. In this Department of Energy funded project, Digital Bond partners with leading control system application vendors to establish practical security configuration guidance for SCADA, DCS, and other industrial control system components. Digital Bond then creates and distributes specialized security audit files that can be used with the Nessus vulnerability scanner.
What control system applications have Bandolier security audit files?
Here is a list of the current Bandolier Security Audit Files. If you are interested in Bandolier but do not see your vendor on the list, please contact us.
Who is using Bandolier?
Asset owners and operators use Bandolier to verify that their systems are in an optimal, vendor-supported security configuration – both at the time of delivery to hold the vendors accountable and for ongoing, routine security auditing. Vendors are using Bandolier to help deliver hardened systems. They use Bandolier for acceptance testing and for routine security validation testing in the patch and update process.
What is Nessus?
Nessus is a security scanning tool offered by Tenable Network Security. It is one of the most widely used security tools and is considered a de facto standard for vulnerability scanning. It offers low-impact auditing capability that, when used properly, makes it useful for control system environments. Because of its popularity and features, it was an easy first choice to extend for the Bandolier project.
What is an audit file?
An audit file defines all the tests or checks to run against a server or workstation to determine if it is in the optimal security configuration. For Nessus, the file uses the extension .audit and is loaded into the Nessus scanner.
What are policy compliance plugins?
Nessus has thousands of plugins. One family is referred to as Policy Compliance. These are the plugins that allow you to upload an audit file and provide the Windows and Unix functions necessary to interpret the checks within the audit file.
Is Bandolier available for other scanners?
Digital Bond provides OVAL versions of most of the Bandolier security audit files than can be integrated into 3rd party scanning tools. In our experience, this usually requires involvement from the scanning tool vendor to convert the OVAL XML to their native format.
Can I see a demo of Bandolier and Nessus?
Sure, we made a video just for that.
Won’t Nessus and other security tools crash control system applications?
Traditional vulnerability scanning has been dangerous in control system environments due to aging devices, fragile protocol stacks, and poor development practices. Nessus credentialed scanning and Bandolier, however, offers a much safer way to scan. Once Nessus makes the authenticated connection, it simply reads the security configuration values defined in the Bandolier security audit file and compares each one against the current configuration of the machine it is auditing. It uses built-in operating system functions much like a remote administrator connection has almost no impact on the machine being scanned.
What is optimal security configuration?
Optimal security configuration is the best possible security configuration for a particular control system application component that still allows it to function in a vendor-supported manner. Digital Bond starts with industry guidelines like those from the NIST SCAP program, and then customizes them for each SCADA or DCS component. This is discussed more in this blog post.
Do I have to install software on my control systems servers and workstations to use Bandolier?
No, there is no software, service, or agent required on the control system servers and workstations. Bandolier, in conjunction with the Nessus policy compliance plugins, use built-in operating system functionality and can run on an independent computer. An authenticated session is made over the network, much like an administrator performing routine maintenance.
How much does Bandolier cost?
The Bandolier security audit files are often available at no cost from control system vendors. You can get access to all the Bandolier files and Digital Bond’s other research project results with a Digital Bond site subscription. The cost for this is $100/year. To use the audit files with the Nessus scanner requires their professional feed subscription which is $1200/year.
How are the Bandolier security audit files maintained?
Digital Bond uses project funding from the U.S. Department of Energy for the first set of audit files for each control system vendor. After that, the vendors pay Digital Bond to add applications to the Bandolier program. For updates to existing files, the vendor can choose to develop the audit files themselves, pay Digital Bond to develop the files, or some combination of those two options.
Will using Bandolier make me compliant with the NERC CIP requirements?
No, but it can help with a few specific requirements. First, Bandolier can be used to help with the testing requirements defined in CIP-007. It can also be used to help audit many of the other CIP-007 requirements such as verifying that only those ports and services required for operation are available. Finally, the reports can provide valuable compliance evidence for a NERC CIP audit.
Why am I not seeing any results in my Nessus Bandolier report?
If the audit worked, you should see results in the report. If you have an empty report, there is likely a problem with the scan policy you used. Here are the common problems:
- Invalid user credentials. Double-check the user account and password information entered in the scan policy.
- Insufficient user privileges. The user account defined in the Nessus scan policy should have administrator rights on the target machine. For Windows 7, the user account must either be the built-in administrator account or an account that is a member of the “Domain Admins” group.
- Loading the Bandolier Security Audit File in the wrong section. The Nessus Preferences page shows the Cisco IOS Compliance Checks section by default. You have to choose Windows or UNIX Compliance Checks by clicking the Plugins dropdown menu, then upload the audit file you want to use.
- Remote registry service is disabled on a Windows server or workstation. Nessus relies on the Remote Registry Windows service to perform some of the audit checks but it is often disabled for security reasons. It is disabled by default on Windows 7 workstations. Fortunately, Nessus has a set of plugins that will enable the service long enough to perform the audit and then disables the service upon exit. There are six plugins that have names starting with “SMB Registry:” that are available. You can find them by performing a search for that string or browse to them in the Settings plugin family. In addition to enabling the plugins, you must also go to the Preferences page, select “SMB Registry: Start the registry service during the scan” from the drop-down menu, and click the box to “Start the registry service during the scan”.
Why is my Bandolier audit not working with Windows 7?
Because of the way privileges are handled in Windows 7, a user account in the local “Administrators” group is not sufficient to use in the Nessus scan policy. The scan must use one of the following:
- the built-in local administrator account that is disabled by default; or
- a user account that is in the “Domain Admins” group, assuming the machine is a member of a domain.