NERC CIP Scan Policies

The NERC Critical Infrastructure Protection standards are the regulations for cyber security for electric power control systems.  The set of nine standards (CIP-001 through CIP-009) are applied to designated critical electric infrastructure, and mandate specific requirements for compliance. The CIP-007 standard deals specific with Systems Security Management, and more specifically the requirements that must be adhered to on a per-cyber asset basis. NERC CIP-007 R8 requires an annual “cyber vulnerability assessment” of all cyber assets with the electronic security perimeter (ESP). This is actually a very minimal cyber security audit of ports, services and controls for default accounts.

Tenable Network Security’s Nessus vulnerability scanner is used extensively in both ICS security and IT security communities. However it is often only used in the default scan policy. Not only does this miss many of the features of Nessus, it also makes the scanning more intrusive and potentially damaging to an ICS. As part of the Department of Energy funded Bandolier project, Digital Bond has released NERC CIP scan policies specifically for NERC CIP-007 R8 . The Nessus scan policies follow these key principles:

  • Credentialed scanning is used whenever possible to minimize impact and improve information accuracy.
  • Plugins that do not provide the required information for the NERC CIP requirements are disabled. This reduces the typical plugins in a scan down from the default 45,000+.

Using NERC CIP Scan Policies

To use the NERC CIP Scan Policies:

Nessus Policies Screen Upon Import of Policies

Nessus Policies Screen Upon Import of Policies

  1. Download the NERC CIP Scan Policy
  2. Import the applicable NERC CIP Scan Policy for your systems. This is done by clicking on the “Import Policy” button on the Nessus Policy page and selecting the appropriate policy (Windows, Linux/Unix, or Both). It’s simple and intuitive.
  3. Edit the imported policy and add administrator credentials. Select the policy; click the Edit button; select the Credentials tab; and add the administrators credentials. Remember to save the change to the policy by clicking the submit button.
  4. For Unix/Linux checks, ensure that the “Linux 007-R8 Addendum.audit” compliance check file is loaded within the policy.
    1. Go to” Preferences”.
    2. Scroll through the plugin menu, and select “Unix Compliance Checks”.
    3. Load the CIP7-R8-UnixLinux-Addendum.audit file.*

*Please note that due to a bug in Nessus, if you make changes and re-upload any policy file, it must be renamed before being re-uploaded.  Otherwise, the file will not load correctly.

Nessus Preferences for the Unix Compliance Checks

Setting up the Linux Addendum File

Once the policy is imported and edited to add credentials it is ready to use.

Note on administrator credentials: many organizations that have an Active Directory domain will create an administrator level account just for scanning. The account is disabled except when authorized scanning is taking place.  This is good practice, as it separates user activity from scanning activity, making monitoring easier.

NERC CIP-007 R8 Vulnerability Assessment Scan Policy

NERC CIP-007 R8 requires an annual “cyber vulnerability assessment” of all cyber assets with the electronic security perimeter (ESP). This is actually a very minimal cyber security audit of ports, services and controls for default accounts.

Digital Bond’s scan policy for this CIP requirement gathers all of the information available from Nessus that is applicable for the vulnerability assessment — and no more. The last three words in the previous sentence are very important. Most asset owners do not want to show a NERC CIP auditor a full Nessus scan because this is unnecessary and increases compliance risk.

The NERC CIP-007 R8 Vulnerability Assessment Scan Policy does the following:

List of Open Ports

Port scanning to determine open ports has two problems for ICS systems. First, port scanning has been known to crash many SCADA and DCS applications, more often because developers have not performed adequate negative testing. Second, port scanning can be very inaccurate, especially for UDP ports.

Nessus credentialed scanning overcomes these problems by using a netstat command, which lists out every port in use on the system, regardless of whether it is blocked by a network or host firewall, is listening only on certain interfaces, or is a UDP port that is not well understood by a port scanner. The information is gathered via WMI for Windows systems and over SSH for Unix systems, both of which are very standard methods of interface for control systems.

  • Combined Linux and Windows Port Scanner Settings

    Combined Linux and Windows Port Scanner Settings

    Windows – Use the Netstat WMI Scan under the General Tab of the policy

    • Output will be shown as plugin ID 34220 in the report.  Ensure that the word ‘all’ is in the ‘port scan range’ box
  • Unix/Linux Variants- Use the Netstat SSH Scan under the General Tab of the policy
    • Output will be shown as plugin ID 14272 in the report.  Ensure that the word ‘all’ is in the ‘port scan range’ box
    • Additionally, the Linux-Unix addendum audit file has a fail check that will show the output of an “lsof -i”.  This is very important to tie process to port.  Check Plugin ID 21157.
    • Additionally, the Linux-Unix addendum audit file has a fail check that will show the output of an “netstat -an”.  This is very important to tie process to port.  Check Plugin ID 21157.

The list of open ports can then be compared to the list of ports required for operation for each cyber asset.  If the report does not output the appropriate plugin numbers, it’s likely that the credentials were invalid.

Nessus Report Screen, showing Netstat Portscanner

Nessus Report Screen, showing Netstat Portscanner

List of Running Services

The credentialed scan will also identify all active and inactive services on the cyber asset.  Windows services are much simpler to gather, as there is a plugin specifically for enumerating services.  Unix systems require a combination of several other plugins to gather similar information, specifically by intentionally failing some Unix Compliance Checks, attached in an addendum file.

Output from Windows Plugin ID# 10456

Output from Windows Plugin ID# 10456

Windows

  • Windows SMB Service Enumeration (plugin 10456)
    • Shows Active and Inactive Services in a simple list
  • Microsoft Windows SMB Service Config Enumeration (Plugin 44401)
    • Includes more detailed service configurations than 10456

Unix\Linux Variants

  • Software Enumeration (SSH) (Plugin 22869)
    • Uses a platform specific command to enumerate the installed software on the Unix\Linux system
    • This is the closest plugin to an actual enumeration of services
  • Linux-Unix Audit Addendum (Plugin 21157)
    • A Failed Check shows the output of a “cat /etc/services”, which shows the configured services on the box.
    • A Failed Check shows the output of a “ps -ef”, which shows the the current running process, which tend to include any running services
Nessus Fail Check for ps -ef

Nessus Fail Check for ps -ef. Fail checks are used to display information and are not actual failures.

Controls for Default Accounts

There are numerous plugins to identify default accounts and the common security controls used for them. It’s important to note that many controls for default accounts will be specific to how the system was designed, and may not be captured here.  Also note that many plugins will not report UNLESS they see something configured improperly.

Controls for Default Accounts should also include changing of default passwords.  One of the best ways to check this is by enabling the entire “Default Unix Accounts” plugin family. However, there are consequences associated with this plugin family. If your system has automatic lockout of accounts after a certain period of time, or has other security measures in place that monitor login attempts, you could adversely affect your system. The “Default Unix Accounts” plugin family should be reviewed and evaluated against your current operating environment before being used in an assessment.

The important plugins are below.  Please note that several plugin will not report results UNLESS there is something to report.

Nessus Report Page for Windows, Listing Plugin Results

Nessus Report Page for Windows, Listing Plugin Results

Windows

  • SMB Use Host SID to Enumerate Local Windows Users (Plugin 10860)
  • Users Information: Never changed password (Plugin 10898)
  • Microsoft Windows ‘Administrators’ Group User List (Plugin 10902)
  • Local Users Information: Disabled Accounts (Plugin 10913)
  • Local Users Information : User has Never Logged One (Plugin 10915)
  • Local Users Information : Passwords never expire (Plugin 10916)
  • Users Information: Guest account belongs to a Group (plugin 10917)
  • Microsoft Windows Domain User Information (Plugin 10892)
  • Microsoft Windows SMB: Obtain the Password Policy (Plugin 17651)
  • Microsoft Windows SMB Blank Administrator Password (Plugin 26918)
  • Microsoft Windows SMB Registry: Autologon Enabled (Plugin 10412)
Nessus Report Page for Unix/Linux, Listing Plugin Results

Nessus Report Page for Unix/Linux, Listing Plugin Results

Unix (Via the Linux-Unix Audit Addendum, Plugin 21157)

  • A Failed Check shows the output of a “cat /etc/passwd”, which shows the configured configured users on the system
  • A Failed Check shows the output of a “cat /etc/group”, which shows the configured configured groups on the system
  • A Failed Check shows the output of a “cat /etc/hosts.equiv”
  • A Failed Check shows the output of a “cat /etc/ssh/sshd_config”
  • A Failed Check shows the output of a “passwd -a -S”, which shows extended info on the users and passwords
  • A Failed Check shows the output of a “passwd -a -s”, which shows extended info on the users and passwords.  The lower case ‘s’ allows for Solaris
  • A Failed Check shows the output of a “pwck”, which shows extended info regarding users.

Other Valuable Information 
In addition to the plugins above to get started on a vulnerability assessment, there are a few other housekeeping and settings plugins to enable as well.  These have been enabled in the downloaded files, so don’t remove anything that is standard in the provided files unless you are familiar with how Nessus scans. Other valuable information that is often required when reviewing the plugins above are:

  • Nessus Scan Information (Plugin 19506)
  • Operating System Detection
    • Windows – OS identification (Plugin 11936)
    • Unix\Linux – OS Identification : SSH (Plugin 25287)
  • Various Service Pack Detection Plugins
  • WMI Firewall Enumeration (Plugin 45052)