1) Ping Utility
The tools used above are mentioned by several credible websites that deal with SCADA systems and infrastructure which include:
1) SCADA HACKER:
2) Idaho National Laboratory:
3)Tenable Security: http://www.tenable.com/sites/drupal.dmz.tenablesecurity.com/files/uploads/documents/whitepapers/SCADA%20Network%20Security%20Monitoring.pdf
4) Digital Bond:
5) US Department of Energy: http://energy.gov/sites/prod/files/oeprod/DocumentsandMedia/Introduction_to_SCADA_Security_for_Managers_and_Operators.pdf
Compliance - The Need for Vulnerability Assessment
NERC CIP 005-3 specifically mentioned the following:
Cyber Vulnerability Assessment — The Responsible Entity shall perform a cyber vulnerability assessment of the electronic access points to the Electronic Security Perimeter(s) at least annually.
The vulnerability assessment shall include, at a minimum, the following:
R4.1. A document identifying the vulnerability assessment process;
R4.2. A review to verify that only ports and services required for operations at these access points are enabled;
R4.3. The discovery of all access points to the Electronic Security Perimeter;
R4.4. A review of controls for default accounts, passwords, and network management community strings;
R4.5. Documentation of the results of the assessment, the action plan to remediate or mitigate vulnerabilities identified in the assessment, and the execution status of that action plan.
NERC CIP 007-3 specifically mentioned the following:
Cyber Vulnerability Assessment — The Responsible Entity shall perform a cyber vulnerability
assessment of all Cyber Assets within the Electronic Security Perimeter at least annually. The
vulnerability assessment shall include, at a minimum, the following:
R8.1. A document identifying the vulnerability assessment process;
R8.2. A review to verify that only ports and services required for operation of the Cyber
Assets within the Electronic Security Perimeter are enabled;
R8.3. A review of controls for default accounts; and,
R8.4. Documentation of the results of the assessment, the action plan to remediate or
mitigate vulnerabilities identified in the assessment, and the execution status of that
NERC CIP 005-3: http://www.nerc.com/files/cip-005-3.pdf
NERC CIP 007-3: http://www.nerc.com/files/cip-007-3.pdf
From the experience i gathered doing assessments on SCADA networks and systems, i came out with the below methodology.
Policy and Plugins stage
Now that we have determined the IP | Hostname | OS | Open Ports | Services, its time to sit down with the system owners and find out more about the systems/servers. Take a couple of minutes to go through the workstation and look at the Add/Remove programs to determine what software/applications are installed. This is needed in order to customize the Nessus policy and plugins settings. An example is to check if there's a database installed. If there is, what brand? version? This is to eliminate the unwanted plugins and retain only the necessary ones.
Never Ever use the Nessus Default Settings when performing a VA scan. By default, it will use huge bandwidth and unlimited amount of TCP connections to the host at a time and this can potentially cause Denial of Service issues such as System Reboot, Blue Screen and Application Hang.
The Nessus Scan Default Settings. Note the 'Unlimited' connections. This needs to be throttled. In my case, the following settings was used:
Max Hosts per Scan: 5
Max Simultaneous TCP Sessions Per Host: 15
Max Simultaneous TCP Sessions Per Scan: 5
*The above settings were used for Windows XP and Windows 7 OS. Anything below such as Win NT 4.0, the following settings was used:
Max Simultaneous TCP Sessions Per Host: 5
Max Simultaneous TCP Sessions Per Scan: 1
Digital Bond has a project that greatly helps to perform a Nessus scan to comply against NERC CIP 007-3. You can refer to the following links below:
You can read more about it on how it assist on complying to NERC CIP 007-3.
However, do review the plugins selected by this customized policy. This scanning policy to comply specifically to NERC CIP 007-3 is good but i need to mention that this is a baseline policy to check what is necessary to comply to NERC CIP 007-3 but it did not include the additional plugins to check for other applications and OS vulnerabilities. You may need to select additional plugins to fulfill your VA requirements and using Digital Bond's NERC CIP 007 Nessus policy is a good baseline to start with.