From: Digital Bond’s SCADA Security Portal – Nessus for ICS Training

Posted on 2012/08/20


A quick re-post from Digital Bond's SCADA Security Portal: http://www.digitalbond.com/2012/08/20/nessus-for-ics-training/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+digitalbond%2FoLPM+%28Digital+Bond%29

Nessus for ICS Training by Dale G Peterson

If you are attending the EnergySec Summit, Sep 25 – 27 in Portland, or if you are in the area, learn how to best use Nessus with your SCADA or DCS at our half-day training course on the 25th. Space is limited to 20 students so register soon.

Most people download Nessus, select the Safe Checks, and run the tool. Big mistake. This runs Nessus in a much more intrusive mode than is necessary or recommended for control systems and provides a fraction of the information that Nessus can gather. In terms of impact it is the difference between running a port scan and running netstat. In terms of information it’s the difference between getting 10% and 100% of the missing Microsoft security patches.

A big part of the class will teach students how to use and customize the compliance auditing plugins in Nessus. Our (free) Bandolier Security Audit Files for systems from ABB, Alstom Grid, Emerson, OSIsoft, SISCO, Telvent, … use this plugin.

At the class you will learn how to:

  • Use Nessus credentialed scanning for other purposes such as patch status, service information, loaded software, default password checks, …
  • Configure and run Bandolier to audit a control system component – a PI Server
  • Customize individual audit tests for your environment. For example, you will learn how to change the approved services, logging policy or password policy in Bandolier
  • Write new audit tests on your own
  • Use Bandolier and Nessus to meet certain NERC CIP requirements

There are so many little configuration settings leading to capabilities in Nessus that go unused and are perfect for control systems. One of my favorite unused features is checking for the myriad of default Oracle passwords. There are plugins for this, but they only work if you enter the SID in the Database Settings Preferences.

As an added benefit, Project Basecamp lead and PLC security guru Reid Wightman will be teaching the class.
