Packets of Interest (2015-07-24)
I've been doing a lot of reading and video watching on securing industrial control and automation systems (ICAS) (sometimes referred to as SCADA systems) so this POI has a few links related to that and ends with a link to an editorial piece about privacy and why privacy matters to us all.
SCADA and ICS for Security Experts: How to avoid Cyberdouchery (Blackhat 2010)⌗
This is a funny but also educational and truthful presentation by James Arlen that every IT person needs to watch if they intent to work with and gain any credibility with their counterparts in Operations Technology (OT).
Digital Bond Quickdraw SCADA IDS Signatures⌗
Quickdraw is a set of IDS/IPS signatures for Snort (and other IDS/IPS software that understands the Snort rule language) that deals specifically with ICAS protocols such as DNP3, Modbus/TCP, and EtherNet/IP. The rules appear to be generic in nature and not focused on any particular ICAS vendor equipment.
Digital Bond also wrote Snort preprocessors for DNP3, EtherNet/IP, and Modbus/TCP which some of the rules depend on. I tried browsing through Digital Bond's diffs to Snort 220.127.116.11 but they are very hard to read because the diffs were generated in an unclean source tree. Because of this, I didn't put much effort into comparing their preprocessors with the native DNP3 and Modbus/TCP preprocessors which have been a part of Snort since 2.9.2. It's unclear to me whether Digital Bond's signatures will work out of the box with the native Snort preprocessors.
Digital Bond Bandolier⌗
Bandolier is a set of audit files for the Nessus vulnerability scanner that are focused on SCADA and DCS servers and workstations. The audit checks are developed by Digital Bond in conjunction with the ICS vendors which include ABB, Emerson, Matrikon, OSIsoft, Siemens, and Telvent (Schneider). Depending on which vendor, there are audit files for engineering workstations, operator workstations, application servers and historians.
When the audit files are loaded into Nessus, a "low impact" scan is performed to assess the security posture of the workstations and servers relative to what the audit files say the posture should be.
A Sidebar on Digital Bond⌗
I don't have any affiliation with them. I read about them in a book.
It doesn't look like their Snort signatures or Nessus audit files files have been updated recently. However, I believe they're still interesting.
- They're an interesting source of information for IT folks to learn about securing various ICS vendor systems
- ICAS systems stay in production for decades so unlike in the IT world, there's still good value in being able to audit and secure older software systems because they absolutely are still out there today
- Some (many?) of the application level checks in the Nessus audit files are likely still relevant in more current versions of the software
- The Snort rules for the ICAS protocols are just as relevant now as they were when they were created
If you've got nothing to hide⌗
A great editorial written by a fellow named Jacques Mattheij on why privacy really does matter, even if you think you have nothing to hide. This is a very relevant topic right now due to the threat that everyone's privacy is under as our lives become more and more digital.
Disclaimer: The opinions and information expressed in this blog article are my own and not necessarily those of Cisco Systems.