SCADA Auditing Tools

From: Matthew Franz (mdfranz@io.com)
Date: Thu Jul 10 2003 - 22:38:40 EDT


Back to the original question...

If one were to bracket off on the "normal IT security stuff"--which
existing tools would cover (assuming they didn't bring down the control
system network and life as we know it) it wouldn't be terribly difficult
to write some tools that scanned industrial devices, at least the
Ethernet-enabled ones.

Many of these "obscure" protocols are even less secure than the *least*
secure Internet protocols we know and love. Stuff that formerly ran on
[closed] RS-232/485 or fieldbus (or whatever) networks has been plopped on
top of TCP/IP with no way to do even weak authentication or authorization.
Never mind the oh-so-popular embedded webservers that give out loads of
information about the devices in question (also without
authentication)....

Among security-minded folks in the control system community there is
simultaneous frustration that these vulnerabilities aren't being taken
seriously by users and vendors, yet great fear of releasing any detailed
information about vulnerabilities in applications, protocols, or devices.

And what independent/academic/corporate researcher would release even the
most benign auditing tools due to the fear of being branded a threat to
national security?

- mdf

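Franz's point that these protocols carry no authentication can be seen directly in the framing. The following is an added example, not code from this thread: it parses a Modbus/TCP ADU (the 7-byte MBAP header plus PDU) and runs a passive monitoring check that flags write requests from any host outside an assumed allowlist of HMI/master addresses. The sample frames and addresses are constructed, not captured.

```python
import struct

# Modbus function codes as defined in the Modbus application protocol spec.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}

def parse_modbus_tcp(frame: bytes) -> dict:
    """Split a Modbus/TCP ADU into its MBAP header and PDU.

    MBAP = transaction id (2), protocol id (2, 0 = Modbus), length (2,
    bytes that follow, unit id included), unit id (1). No field carries
    sender identity or a credential.
    """
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol id %d is not Modbus" % pid)
    if length != len(frame) - 6:
        raise ValueError("length field %d does not match frame" % length)
    return {"transaction_id": tid, "unit_id": unit,
            "function": frame[7], "data": frame[8:]}

def classify(function: int) -> str:
    """Coarse class of a PDU by function code."""
    if function in WRITE_FUNCTIONS:
        return "write"
    if function in READ_FUNCTIONS:
        return "read"
    if function & 0x80:          # exception responses set the high bit
        return "exception"
    return "other"

def audit_writes(packets, allowed_writers):
    """Passive check over (src_ip, frame) pairs: report writes from hosts
    other than the known masters. Because the protocol itself carries no
    identity, the source address is the only (weak) handle a monitor has."""
    alerts = []
    for src, frame in packets:
        adu = parse_modbus_tcp(frame)
        if classify(adu["function"]) == "write" and src not in allowed_writers:
            alerts.append((src, adu["unit_id"], WRITE_FUNCTIONS[adu["function"]]))
    return alerts

# Constructed sample traffic (hypothetical addresses): an HMI reading two
# holding registers, then an unexpected host switching coil 0x0013 ON.
SAMPLE = [
    ("10.0.0.10", bytes.fromhex("0001000000060103000A0002")),
    ("10.0.0.99", bytes.fromhex("00020000000601050013FF00")),
]
```

Feeding the same check a capture from a span port is the practical way to get write-command visibility on a network whose devices cannot be portscanned safely.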
---------
Hi,

I agree with Mark.
I have had the same experiences with SCADA reviews in that many of
the risks associated in IT/business reviews are the same.

One thing that you need to be aware of is that generally SCADA networks
have been implemented to be functional not secure and the SCADA
management staff maintain the operational aspects of the systems, rarely
implementing good business practices and/or proactive monitoring, i.e.
BCP/DRP/BIA/TRA, Intrusion Detection, patching/hotfixes.
This is normally because these systems are built and managed by
engineering staff and because of the operational integrity needs, don't
want the corporate playing around with them...

There are some basic things that should be done within SCADA networks,
but in addition to the things we generally look at, all SCADA environments
are different, so you need to keep an open mind, i.e. Radio (private,
802.11, etc.), IP tunneling, isolation of business from SCADA networks,
restriction of commands/devices available to the general network,
restrict unauthenticated PBX modems, etc.

Also the hardware manufacturers have not been helpful in providing
devices (RTU, PLC, etc.) which are supportive of these critical systems.

Anyway have fun.
Derek

------------ Original Message --------------
From: Mark Wolfgang <moonpie@moonpie.org>
to: Alfred Huger <ah@securityfocus.com>
cc: pen-test@securityfocus.com
Subject: Re: SCADA Auditing Tools

Most of the SCADA/EMS/DCS audits I've done have been more risk-based
(policy driven) than technical approaches due to the chance of
crashing some old system that can't handle a bunch of SYN packets.

The technical auditing I've done use many of the same tools as a
normal pen test, but I'll be a LOT more gentle and specific in what
I'm doing. I won't even portscan operational systems...no
thanks...don't want the liability. Of course there are systems in a
SCADA network that aren't absolutely critical for plant operations
(such as PI servers) that can be hammered pretty hard using
traditional methods.

I try to think of SCADA as "system", much like any other information
system. It has traditionally spoken more obscure protocols, such as
modbus, ICCP, and DNP, but is moving to more common protocol stacks such
as IP. This is sort of dangerous, in that now all of the IP based
vulnerabilities accompany this migration. Of course, security by
obscurity was never a good approach anyway.

-Mark

On Wed, Jul 09, 2003 at 11:19:42AM -0600 or thereabouts, Alfred Huger
wrote:
>
>
> Hey all,
>
> Does anyone out there know of any commercial or free SCADA auditing tools?
> I've looked around and found very little and while I know there are
> private tools out there I am interested in hearing about those which the
> public can get their hands on.
>
> Some resources I have found which are pretty decent are:
>
> http://scada.trinux.org/
> http://grouper.ieee.org/groups/1525/SCADA%20Security/Rtcrypto=SCADA-code.ppt
> http://www.plantdata.com/SCADA%20Security%20Strategy.pdf
> http://www.io.com/~mdfranz/papers/franz-API-future-of-scada-security.ppt
> http://grouper.ieee.org/groups/sub/wgc3/c37sections/clause5/clause5_3_security/Substations%20communications%20system%20security%20D1r2.pdf
>
>
> -al
>
> Alfred Huger
> Symantec Corp.




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:36 EDT