Digital Bond Research Projects
From SCADApedia
Digital Bond is a control system consulting and research practice. Their research projects are funded by government agencies, vendors and groups of asset owners. All of Digital Bond's research results are made available as subscriber content on Digital Bond's website. The cost to subscribe is $100 per year.
Bandolier
Bandolier is developing security audit files for use in the Nessus Vulnerability Scanner and other popular scanners. Digital Bond, the vendor and asset owner users collaborate to identify the optimal security settings in the operating system and all applications for a specific control system component, such as Vendor A's HMI Version 3.2 running on Windows XP. After capturing these optimal security settings, or the "gold standard", Digital Bond creates the Bandolier audit files.
Asset owners can use a scanner and the applicable audit file to compare a deployed control system component to the gold standard. Any variations will be noted in the test report. The compliance audit approach in Bandolier tests for goodness rather than badness, and is much less intrusive and less likely to cause a problem than a vulnerability scan.
Bandolier is funded by the US Department of Energy.
Honeynet
The SCADA Honeynet is a security tool that can be used by asset owners as an early warning attack detection system and by researchers to analyze the quantity and quality of the threat to control systems. The SCADA Honeynet is distributed as two virtual machine images that run on a Linux platform. The target image looks to an attacker like a popular PLC. It is a high-interaction, very realistic target. The honeywall image collects the attack information and manages the SCADA Honeynet.
The SCADA Honeywall, a derivative of the SCADA Honeynet, monitors a physical device (e.g. a PLC or other control system device) instead of the virtual PLC used in the SCADA Honeynet.
The initial development of the SCADA Honeynet was funded by the UK CPNI. Subsequent enhancements and ongoing maintenance are funded by Digital Bond.
IDS Signatures
Digital Bond's control system IDS signatures detect attacks that use the control system protocols, such as unauthorized writes, repeated reboots for a DoS attack, and some fuzzing or overflow attacks. Signature-based IDS sensors can integrate Digital Bond's SCADA IDS Signatures for Modbus TCP, DNP3 and ICCP. The signatures were developed for the Snort IDS, but they have been integrated by most of the commercial IDS vendors as well.
The Modbus TCP and DNP3 IDS signatures were funded by the US Department of Homeland Security. The ICCP signatures were funded by SecureWorks and Digital Bond.
Nessus Plugins
Digital Bond developed over thirty plugins for the Nessus Vulnerability Scanner and continues to develop plugins as time permits. These plugins identify control system default passwords, missing control system application patches, reconnaissance information and weak configuration settings.
The initial Nessus Plugin development was funded by Tenable Network Security, the developer of the Nessus Vulnerability Scanner.
Portaledge
Portaledge is a project to convert OSIsoft's PI Server and other control system historians into a security event management (SEM) system that aggregates security events from all data sources and correlates these events to detect cyber attacks. PI already has the capability to aggregate and correlate data and is widely deployed in the energy sector. PI users will not need to deploy new systems or purchase a SEM to detect attacks on control systems.
The output of Portaledge will be Advanced Computing Engine (ACE) templates that identify meta events: sequences, or recipes, of security events from multiple data sources that indicate an attack is underway. PI users can import these ACE templates to activate the attack detection capability.
Portaledge is funded by the US Department of Energy.
Quickdraw
Quickdraw is the project name for Digital Bond's Passive PLC Security Log Generator application. Most PLCs and field devices generate and log few or no security events that help detect attacks or support after-incident investigations. Quickdraw is an application that listens to traffic to and from a field device and creates the security log events a field device should create and log. Security events are then sent from Quickdraw to historians, SEMs or other log aggregators. Quickdraw will initially generate 50 security log events for 10 different field devices.
Quickdraw is funded by the US Department of Homeland Security.
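The passive approach described for Quickdraw, and the unauthorized-write detection described under IDS Signatures, can be illustrated with the following added example, which is not Digital Bond's code and does not reproduce their signatures or event list. It parses observed Modbus TCP requests and emits the log events the field device itself never records. Assumptions: Modbus TCP as the monitored protocol, the event names, the allow-listed writer address and the sample frames are all constructed for illustration.

```python
import struct

# State-changing Modbus function codes (public Modbus spec); the request data
# for each of these starts with a 2-byte target address.
WRITE_CODES = {5: "Write Single Coil", 6: "Write Single Register",
               15: "Write Multiple Coils", 16: "Write Multiple Registers",
               22: "Mask Write Register"}
AUTHORIZED_WRITERS = {"10.0.0.5"}  # assumption: the only host allowed to write

def parse_modbus_tcp(payload):
    """Return (unit_id, function_code, data), or None if the MBAP header is invalid."""
    if len(payload) < 8:  # 7-byte MBAP header plus the function code
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol id is always 0; the length field counts the unit id plus the PDU.
    if proto != 0 or length != len(payload) - 6:
        return None
    return unit, payload[7], payload[8:]

def events_for(src, dst, payload):
    """Security log events (hypothetical names) for one observed request."""
    parsed = parse_modbus_tcp(payload)
    malformed = [{"event": "MALFORMED_FRAME", "src": src, "dst": dst}]
    if parsed is None:
        return malformed
    unit, fc, data = parsed
    base = {"src": src, "dst": dst, "unit": unit, "fc": fc}
    if fc in WRITE_CODES:
        if len(data) < 2:  # write request too short to carry an address
            return malformed
        name = "WRITE" if src in AUTHORIZED_WRITERS else "UNAUTHORIZED_WRITE"
        return [dict(base, event=name, addr=struct.unpack(">H", data[:2])[0])]
    if fc == 8 and data[:2] == b"\x00\x01":  # Diagnostics: Restart Communications
        return [dict(base, event="RESTART_COMMS")]
    return []  # reads and other requests produce no security event here

# Constructed sample requests: (source, destination, TCP payload).
SAMPLES = [
    ("10.0.0.5", "10.0.0.20", bytes.fromhex("00010000000601030000000a")),   # read
    ("10.0.0.99", "10.0.0.20", bytes.fromhex("0002000000060106001000ff")),  # write
    ("10.0.0.5", "10.0.0.20", bytes.fromhex("0003000000060106001000ff")),   # write
    ("10.0.0.99", "10.0.0.20", bytes.fromhex("000400000006010800010000")),  # restart
    ("10.0.0.99", "10.0.0.20", bytes.fromhex("00050000000601")),            # truncated
]

if __name__ == "__main__":
    for sample in SAMPLES:
        for event in events_for(*sample):
            print(event)  # a real deployment would forward these to a log aggregator
```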
Assessment Tools
Digital Bond makes a portion of their security assessment tools available to vetted subscribers. They also use the vetted subscriber distribution channel to distribute control system assessment tools developed by other researchers.
