
Nessus 3 SCADA Plugins

2010-01-26 12:35:15 | views: 926 | Nessus


Tenable has released 32 plugins for Nessus 3 which specifically test SCADA devices. These plugins were the result of a four month research contract between Tenable Network Security and Digital Bond. This blog entry details how to obtain the plugins, strategies for using them with Nessus and strategies for using them in concert with Tenable products such as the Security Center and Passive Vulnerability Scanner.

Availability and Compatibility

All Direct Feed and Security Center users will receive these plugins through a plugin update. The SCADA plugins are only available to Tenable Direct Feed or Security Center customers. Other compatibility notes to consider:

  • The plugins are designed to work only with Nessus 3
  • Some of the plugins require local checks, but many are network probes
  • Nessus 3 Windows users will see the new "SCADA" family after they update their plugins.
  • If you use the Nessus 3 OS X client, the UNIX GTK client or NessusWX, you will see the SCADA plugins and family after you connect to a Nessus 3 scanner subscribed to the Direct Feed or being managed by the Security Center.

Tenable customers should contact our support group at Tenable if they require assistance obtaining these plugins. Below are screen shots of how the plugins look under the Nessus 3 for Windows GUI, the Nessus 3 OS X GUI and NessusWX:

SCADA Plugin Functionality

The plugins reside in their own family named "SCADA". Each plugin is listed below with a short description:

  • Areva/Alstom Energy Management System - Identifies if the remote host is running an Areva/Alstom EMS Server.
  • DNP3 Binary Inputs Access - Read binary inputs using DNP3 from RTU/IED.
  • DNP3 Link Layer Addressing - Determines link layer address of DNP3 station by iterating through likely values.
  • DNP3 Unsolicited Messaging - Determines whether the DNP3 outstation supports unsolicited responses.
  • ICCP/COTP Protocol - COTP (ISO 7073) is running on the host and may be part of an ICCP server, MMS application, or substation automation device that uses IEC61850/UCA.
  • ICCP/COTP TSAP Addressing - Determines a Connection Oriented Transport Protocol (COTP) Transport Service Access Points (TSAP) value on an ICCP server by trying possible values.
  • LiveData ICCP Server - Identifies hosts running a LiveData ICCP server.
  • Matrikon OPC Explorer - Identifies hosts running Matrikon's OPC Explorer tool. These hosts may also have additional diagnostic tools and trust relationships.
  • Matrikon OPC Server for ControlLogix - Identifies hosts running a Matrikon OPC Server for Allen-Bradley ControlLogix PLC.
  • Matrikon OPC Server for Modbus - Identifies hosts running a Matrikon OPC Server for Modbus devices and used to access data from PLCs, RTUs, and IEDs. OPC servers are commonly used in SCADA and DCS systems to exchange data between different vendor systems and disparate applications.
  • Modbus/TCP Coil Access - Modbus uses a function code of 1 to read "coils" in a Modbus slave. Coils represent binary output settings and are typically mapped to actuators. The ability to read coils may help an attacker profile a system and identify ranges of registers to alter via a "write coil" message.
  • Modbus/TCP Discrete Input Access - The Modbus protocol function code of 2 reads discrete inputs from Modbus slaves. The ability to read discrete inputs may help an attacker profile a system.
  • Modicon Modbus/TCP Programming Function Code Access - Finds hosts with the proprietary Modbus/TCP function code 126 active. An attacker that is able to gain network access to devices like this may be able to reprogram PLC logic or otherwise impact the integrity of physical processes.
  • Modicon PLC CPU Type - Uses an SNMP Get Request to obtain the Model Information of a Modicon PLC.
  • Modicon PLC Default FTP Password - Checks for the default FTP username and passwords on a Modicon PLC.
  • Modicon PLC Embedded HTTP Server - Finds Modicon PLCs running an embedded HTTP server used for configuration or monitoring.
  • Modicon PLC HTTP Server Default Username/Password - Tests HTTP servers on Modicon PLCs for the default user name and password.
  • Modicon PLC IO Scan Status - Uses an SNMP Get Request to obtain the scan status of a Modicon PLC.
  • Modicon PLC Modbus Slave Mode - Uses an SNMP Get Request to obtain the Modbus mode. The Modbus mode is either direct, gateway, unit or some combination of these three types. The Modbus mode could help an attacker determine the type of attack necessary against the PLC.
  • Modicon PLC Telnet Server - Tests Modicon PLC Telnet servers for the default user name and password.
  • Modicon PLC Web Password Status - Uses an SNMP Get Request to obtain the Web Password Status of a Modicon PLC.
  • National Instruments Lookout - Identifies hosts running the National Instruments Lookout Application.
  • OPC DA Server - Identifies hosts running the OPC Data Access Server.
  • OPC Detection - Finds hosts with OPC application components installed.
  • OPC HDA Server - Identifies hosts running an OPC Historical Data Access Server.
  • Siemens S7-SCL - Identifies hosts that contain Siemens S7-SCL Development Tool(s).
  • Siemens SIMATIC PDM - Identifies hosts running the Siemens SIMATIC PCS 7 PDM Application.
  • Siemens-Telegyr ICCP Gateway - Identifies hosts running a Siemens Telegyr ICCP Gateway server.
  • Sisco OSI/ICCP Stack - Identifies hosts running a Sisco OSI/ICCP stack, and most likely acting as an ICCP server.
  • Sisco OSI Stack Malformed Packet Vulnerability - Identifies hosts running a version of the Sisco OSI stack that can be crashed by a malformed packet.
  • Tamarack IEC 61850 Server - Identifies hosts that may be running an IEC 61850 server developed by Tamarack Consulting, Inc.
  • Telvent OASyS System - Identifies hosts running a Telvent OASyS Server.

Complementary to the current Passive Vulnerability Scanner SCADA plugins

Tenable customers who have also implemented the Passive Vulnerability Scanner (PVS) can now perform both active and passive SCADA network monitoring. Similar SCADA plugins for the PVS have been available since mid-2006. These offer no impact to the monitored network and effectively identify all devices which speak Modbus, ICCP and DNP3.

Organizations can tailor their vulnerability monitoring programs by using a combination of active SCADA scanning with these new Nessus plugins and passive monitoring with the PVS. Many organizations are required to perform annual vulnerability scans, which must be scheduled to avoid impacting the production network. Using the PVS throughout the year meets the requirement for scanning without impacting the network.
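The plugin list above describes Modbus/TCP by its function codes (1 for coils, 2 for discrete inputs, the proprietary Modicon code 126), and the PVS section describes identifying every device that speaks Modbus by watching traffic rather than probing. The following script is an added example (not Tenable, Digital Bond or PVS code) of that passive approach: it parses the MBAP header of captured Modbus/TCP requests, inventories which hosts act as Modbus slaves and which clients talk to them, and raises the severity for write codes and for function code 126. The sample captures are constructed for this example; the port, function-code names and severity labels are assumptions of the example, not plugin output.

```python
"""Passive Modbus/TCP frame classifier (added example, not Tenable/Digital Bond code).

Parses the MBAP header and function code of captured Modbus/TCP requests so a
monitoring tool can inventory which hosts speak Modbus and flag the function
codes that matter for process integrity: reads (1, 2), writes (5, 6, 15, 16)
and the Modicon-proprietary programming code 126 named in the plugin list.
Sample frames below are constructed for this example.
"""
import struct
from dataclasses import dataclass

MODBUS_PORT = 502  # standard Modbus/TCP port (assumed; devices can be reconfigured)

FUNCTION_NAMES = {
    1: "Read Coils",
    2: "Read Discrete Inputs",
    3: "Read Holding Registers",
    4: "Read Input Registers",
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    126: "Modicon programming (proprietary)",
}
WRITE_CODES = {5, 6, 15, 16}


@dataclass
class ModbusFrame:
    src: str
    dst: str
    transaction_id: int
    unit_id: int
    function_code: int
    severity: str  # "info", "notice" or "alert" (labels chosen for this example)
    description: str


def parse_mbap(payload: bytes):
    """Return (transaction_id, unit_id, function_code) or None if not Modbus/TCP.

    MBAP header: transaction id (2 bytes), protocol id (2, must be 0),
    length (2, counts unit id + PDU), unit id (1); the PDU starts with the
    function code (1 byte).
    """
    if len(payload) < 8:
        return None
    tid, pid, length, unit = struct.unpack(">HHHB", payload[:7])
    if pid != 0 or length != len(payload) - 6:
        return None  # not a well-formed Modbus/TCP frame
    return tid, unit, payload[7]


def classify(src, dst, dport, payload):
    """Classify one captured TCP payload; None when it is not Modbus/TCP."""
    if dport != MODBUS_PORT:
        return None
    parsed = parse_mbap(payload)
    if parsed is None:
        return None
    tid, unit, fc = parsed
    if fc == 126:
        sev, desc = "alert", FUNCTION_NAMES[fc]
    elif fc in WRITE_CODES:
        sev, desc = "notice", FUNCTION_NAMES[fc]
    else:
        sev, desc = "info", FUNCTION_NAMES.get(fc, f"function code {fc}")
    return ModbusFrame(src, dst, tid, unit, fc, sev, desc)


def inventory(captures):
    """Group classified frames by Modbus slave (destination host).

    The result is the raw material for a per-protocol asset list: which hosts
    answer Modbus, which clients reach them, and which function codes were seen.
    """
    result = {}
    for src, dst, dport, payload in captures:
        frame = classify(src, dst, dport, payload)
        if frame is None:
            continue
        entry = result.setdefault(dst, {"clients": set(), "codes": set(), "alerts": []})
        entry["clients"].add(src)
        entry["codes"].add(frame.function_code)
        if frame.severity != "info":
            entry["alerts"].append(frame)
    return result


# Constructed sample captures: (src, dst, destination port, TCP payload)
SAMPLE_CAPTURES = [
    # Read Coils: tid 1, unit 1, fc 1, start address 0, 16 coils
    ("10.0.0.5", "10.0.0.20", 502, b"\x00\x01\x00\x00\x00\x06\x01\x01\x00\x00\x00\x10"),
    # Read Discrete Inputs: tid 2, unit 1, fc 2, start 0, 8 inputs
    ("10.0.0.5", "10.0.0.20", 502, b"\x00\x02\x00\x00\x00\x06\x01\x02\x00\x00\x00\x08"),
    # Write Single Coil: tid 3, unit 1, fc 5, address 3, value ON (0xFF00)
    ("10.0.0.7", "10.0.0.20", 502, b"\x00\x03\x00\x00\x00\x06\x01\x05\x00\x03\xff\x00"),
    # Proprietary Modicon function code 126 with a one-byte body
    ("10.0.0.9", "10.0.0.21", 502, b"\x00\x04\x00\x00\x00\x03\x01\x7e\x00"),
    # Traffic on 502 with a non-zero protocol id: not Modbus/TCP, ignored
    ("10.0.0.9", "10.0.0.21", 502, b"\x00\x05\x00\x01\x00\x02\x01\x03"),
    # HTTP on port 80: ignored
    ("10.0.0.9", "10.0.0.22", 80, b"GET / HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    for slave, entry in inventory(SAMPLE_CAPTURES).items():
        print(slave, "clients:", sorted(entry["clients"]), "codes:", sorted(entry["codes"]))
        for frame in entry["alerts"]:
            print("  ", frame.severity.upper(), frame.src, "->", frame.dst, frame.description)
```

Running the block on the constructed captures lists 10.0.0.20 as a slave reached by two clients with codes 1, 2 and 5 (one "notice" for the write), and 10.0.0.21 with an "alert" for function code 126; the malformed and non-Modbus payloads are dropped by the protocol-id and port checks. In a real deployment the captures would come from a span port or pcap, and the per-slave entries map directly onto the "devices by active protocol" asset lists discussed in the Security Center section.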

SCADA Device Active Scanning Strategies

As with all vulnerability scanning of devices which control physical equipment, consider the following strategies:

  • If you have a SCADA test lab, start scanning those devices to identify any potential impact.
  • When scanning operational SCADA devices, ensure that a second device is available for "fail over" and also ensure that the device operators are informed of the scheduled scanning.
  • If you have access to data from a Passive Vulnerability Scanner, consider limiting your scan to more robust devices, such as those running operating systems produced in the last five years.
  • For configuring Nessus scans to be "safe", make sure scan policies have "safe checks" enabled and "thorough tests" disabled. Tenable has previously blogged about "safe checks" usage for Nessus.
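The last strategy above is a configuration setting that is easy to get wrong when policies are copied between environments. The script below is an added example (not Tenable code) that audits a Nessus policy export for the two settings the post names: safe checks on and thorough tests off. It assumes the export is the v2 `.nessus` XML layout with a `ServerPreferences` block of `preference` elements whose `name` values are `safe_checks` and `thorough_tests`; if your export differs, adjust `server_preferences()`. Both sample policies are constructed for this example.

```python
"""Audit a Nessus policy export for the "safe" SCADA scan settings (added example).

The guidance is: "safe checks" enabled, "thorough tests" disabled. This reads the
ServerPreferences block of a .nessus (v2) policy export and reports any preference
that departs from that. The XML layout and the preference names safe_checks and
thorough_tests are assumed to match a Nessus export; the sample policies below are
constructed for this example.
"""
import xml.etree.ElementTree as ET

# preference name -> value the SCADA scanning guidance requires
REQUIRED = {
    "safe_checks": "yes",
    "thorough_tests": "no",
}


def server_preferences(xml_text):
    """Return {name: value} for every <preference> under <ServerPreferences>."""
    root = ET.fromstring(xml_text)
    prefs = {}
    for block in root.iter("ServerPreferences"):
        for pref in block.findall("preference"):
            name = pref.findtext("name")
            value = pref.findtext("value")
            if name is not None:
                prefs[name.strip()] = (value or "").strip().lower()
    return prefs


def audit_policy(xml_text):
    """Return a list of (preference, expected, actual) tuples; an empty list means
    the policy matches the guidance. A preference that is absent is reported as
    'missing' rather than assumed safe, because the effective value then depends
    on the scanner's defaults instead of the policy under review."""
    prefs = server_preferences(xml_text)
    findings = []
    for name, expected in REQUIRED.items():
        actual = prefs.get(name, "missing")
        if actual != expected:
            findings.append((name, expected, actual))
    return findings


# Constructed sample: a policy that follows the guidance
SAFE_POLICY = """<NessusClientData_v2>
  <Policy>
    <policyName>SCADA safe scan (example)</policyName>
    <Preferences>
      <ServerPreferences>
        <preference><name>safe_checks</name><value>yes</value></preference>
        <preference><name>thorough_tests</name><value>no</value></preference>
        <preference><name>max_hosts</name><value>5</value></preference>
      </ServerPreferences>
    </Preferences>
  </Policy>
</NessusClientData_v2>"""

# Constructed sample: safe checks turned off and thorough_tests not set at all
UNSAFE_POLICY = """<NessusClientData_v2>
  <Policy>
    <policyName>Copied lab policy (example)</policyName>
    <Preferences>
      <ServerPreferences>
        <preference><name>safe_checks</name><value>no</value></preference>
        <preference><name>max_hosts</name><value>40</value></preference>
      </ServerPreferences>
    </Preferences>
  </Policy>
</NessusClientData_v2>"""

if __name__ == "__main__":
    for label, policy in (("safe", SAFE_POLICY), ("unsafe", UNSAFE_POLICY)):
        findings = audit_policy(policy)
        status = "OK" if not findings else "REVIEW"
        print(f"{label}: {status}")
        for name, expected, actual in findings:
            print(f"  {name}: expected {expected!r}, found {actual!r}")
```

The first sample audits clean; the second reports `safe_checks` set to `no` and `thorough_tests` missing. Running such a check against every exported policy before a scheduled scan window is a cheap way to enforce the "safe" configuration the post recommends without relying on whoever last edited the policy in the GUI.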

For more strategies to consider for scanning SCADA networks with Nessus and these new SCADA plugins, Tenable recommends reading a white paper from Digital Bond entitled "Scanning Control Systems".

Working with the Security Center

Tenable customers who use the Security Center to manage one or more Nessus scanners in a SCADA environment should consider the following strategies:

  • The new SCADA plugins will readily produce data that can be leveraged into dynamic asset lists. This can help create various lists of devices by active protocol (ICCP, DNP3, etc.) as well as by function or even "Area of Responsibility".
  • For each asset list, a separate vulnerability analysis can be conducted. Separate asset types will likely have different "top 10" vulnerabilities or configuration issues.
  • Once separate asset lists are created, the components for each group can be displayed in three dimensions with the Tenable 3D Tool (demo video).
  • Perhaps one of the most interesting types of analysis on "older" networks is to discover SCADA devices that are no longer needed, were never decommissioned, or are deployed in locations that are not protected.
  • For NERC compliance, this process can help make sure the list of "Critical Cyber-Security Assets" is accurate and neither includes too many hosts nor ignores others.
