Re: SCADA Auditing Tools

From: Mark Wolfgang (moonpie@moonpie.org)
Date: Wed Jul 09 2003 - 16:27:55 EDT


Most of the SCADA/EMS/DCS audits I've done have been more risk-based
(policy driven) than technical approaches due to the chance of
crashing some old system that can't handle a bunch of SYN packets.

The technical auditing I've done uses many of the same tools as a
normal pen test, but I'll be a LOT more gentle and specific in what
I'm doing. I won't even portscan operational systems...no
thanks...don't want the liability. Of course there are systems in a
SCADA network that aren't absolutely critical for plant operations
(such as PI servers) that can be hammered pretty hard using
traditional methods.

I try to think of SCADA as "system", much like any other information
system. It has traditionally spoken more obscure protocols, such as modbus, ICCP,
and DNP, but is moving to more common protocol stacks such as
IP. This is sort of dangerous, in that now all of the IP based
vulnerabilities accompany this migration. Of course, security by
obscurity was never a good approach anyway.

-Mark

On Wed, Jul 09, 2003 at 11:19:42AM -0600 or thereabouts, Alfred Huger wrote:
>
>
> Hey all,
>
> Does anyone out there know of any commercial or free SCADA auditing tools?
> I've looked around and found very little and while I know there are
> private tools out there I am interested in hearing about those which the
> public can get their hands on.
>
> Some resources I have found which are pretty decent are:
>
> http://scada.trinux.org/
> http://grouper.ieee.org/groups/1525/SCADA%20Security/Rtcrypto=SCADA-code.ppt
> http://www.plantdata.com/SCADA%20Security%20Strategy.pdf
> http://www.io.com/~mdfranz/papers/franz-API-future-of-scada-security.ppt
> http://grouper.ieee.org/groups/sub/wgc3/c37sections/clause5/clause5_3_security/Substations%20communications%20system%20security%20D1r2.pdf
>
>
> -al
>
> Alfred Huger
> Symantec Corp.
>
> ---------------------------------------------------------------------------
> The Lightning Console aggregates IDS events, correlates them with
> vulnerability info, reduces false positives with the click of a button, and distributes this information to hundreds of users.
>
> Visit Tenable Network Security at http://www.tenablesecurity.com to learn
> more.
> ----------------------------------------------------------------------------
>

-- 
Risk accepted by one is imposed on all
http://moonpie.org
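Mark's point above is that active probing (even a port scan) is risky against fragile control-system hosts, and that the move of Modbus and friends onto IP means the traffic can now be watched with ordinary network tooling. The following is an added example, not code from the original thread or from any tool named in it: a passive Modbus/TCP frame parser that inventories which unit IDs and function codes appear on the wire and flags write operations, so an auditor can build a picture of what talks to what without sending a single packet to the PLCs. The MBAP header layout and function-code numbers are from the public Modbus/TCP specification; the sample frames are constructed, not captured from any plant, and the `WRITE_FUNCTIONS`/`READ_FUNCTIONS` names are this example's own.

```python
"""Passive Modbus/TCP frame inventory (added example, not from the original post).

Rather than actively probing control-system hosts, parse Modbus/TCP frames
taken from a capture and summarise which unit IDs and function codes are in
use, flagging writes. Sample frames below are constructed, not real traffic.
"""
import struct
from collections import Counter

# Function codes that modify coils/registers (public Modbus spec).
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
# Read-only function codes, kept for labelling the inventory.
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}

# MBAP header: transaction id (2) + protocol id (2) + length (2) + unit id (1)
MBAP_LEN = 7


def parse_frame(frame: bytes) -> dict:
    """Parse one Modbus/TCP ADU (MBAP header + PDU) from a TCP payload.

    Malformed input raises ValueError rather than being guessed at, so a
    monitoring tool never mis-classifies garbage as legitimate traffic.
    """
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack("!HHHB", frame[:MBAP_LEN])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus (expected 0)")
    # The MBAP length counts the unit id byte plus the PDU that follows it.
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} does not match frame size")
    pdu = frame[MBAP_LEN:]
    function = pdu[0]
    base = function & 0x7F  # exception responses set the high bit
    return {
        "transaction_id": tid,
        "unit_id": unit,
        "function": base,
        "exception": bool(function & 0x80),
        "write": base in WRITE_FUNCTIONS,
        "name": WRITE_FUNCTIONS.get(base) or READ_FUNCTIONS.get(base) or f"fc{base}",
        "data": pdu[1:],
    }


def inventory(frames) -> dict:
    """Count (unit_id, function) pairs, collect write requests, count rejects."""
    counts = Counter()
    writes = []
    malformed = 0
    for frame in frames:
        try:
            parsed = parse_frame(frame)
        except ValueError:
            malformed += 1
            continue
        counts[(parsed["unit_id"], parsed["function"])] += 1
        if parsed["write"]:
            writes.append(parsed)
    return {"counts": counts, "writes": writes, "malformed": malformed}


# Constructed sample frames (request side), spaced hex for readability.
SAMPLE_FRAMES = [
    # Read Holding Registers: unit 1, start address 0, 10 registers
    bytes.fromhex("0001 0000 0006 01 03 0000 000a".replace(" ", "")),
    # Write Single Register: unit 1, address 0x0010, value 0x1234
    bytes.fromhex("0002 0000 0006 01 06 0010 1234".replace(" ", "")),
    # Read Coils: unit 2, start address 0, 8 coils
    bytes.fromhex("0003 0000 0006 02 01 0000 0008".replace(" ", "")),
    # Malformed: protocol id 1 is not Modbus and must be rejected
    bytes.fromhex("0004 0001 0006 01 03 0000 000a".replace(" ", "")),
]

if __name__ == "__main__":
    result = inventory(SAMPLE_FRAMES)
    for (unit, fc), n in sorted(result["counts"].items()):
        print(f"unit {unit:3d}  fc {fc:3d}  count {n}")
    for w in result["writes"]:
        print(f"WRITE  unit {w['unit_id']}  {w['name']}  data {w['data'].hex()}")
    print(f"malformed frames: {result['malformed']}")
```

The parser only understands the Modbus/TCP framing; ICCP and DNP3 use different encodings and would need their own decoders. Feeding it real traffic means extracting TCP payloads from a capture (for example with a pcap library) and handling the case where several ADUs share one segment, which is why `parse_frame` insists that the MBAP length matches the bytes it was given.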


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:36 EDT