
I have been contracted to perform a security risk assessment that relates specifically to ICS and SCADA systems. I have performed many IT security risk assessments; however, I am new to assessing these types of environments specifically. I am familiar with ICS-like devices and I believe I have a cursory understanding of their functionality and some of their inherent challenges.

My question is for those who do this everyday, work in such an environment or have assessed an ICS environment before.

Are there specific tools that are useful in this type of assessment that are not obvious? I have done some searching and have read through the NIST standards for assessing ICS. I have also found the DHS tool CSET (which looks to be more of a self-assessment tool, but may have some useful features like the diagramming tool).

Also, is there a specific standard that is generally followed for this type of engagement?

Before anyone steps up on their security guy soapbox, this entity is well aware that this is my first ICS engagement and that I have been assessing unique IT environments for many years. I also have strong back-support from my team that is highly experienced in this type of engagement. I'm sure they will have many ideas for me as well, I just wanted to put this out there for public comment.

Thanks!

Reader's Digest:

What specific tools exist for Scada / ICS assessment?

What specific standards are generally acceptable for a Scada / ICS risk assessment?

eficker
  • This question is a bit broad. What's the scope of your assessment? Are you looking for tools that can map out a SCADA environment, assess vulnerabilities, or both? – GdD Jan 30 '14 at 09:37
  • Good question, sometimes brevity isn't my strong suit. – eficker Jan 30 '14 at 15:39
  • This is extremely interesting territory, and I feel it's well under-studied. Looking forward to the answer. In the meantime, [this site](http://www.controleng.com/) deals with the engineering side of the equation, and they have security-specific publications which you may find interesting. – Rubber Duck Jan 30 '14 at 17:12
  • @RubberDuck That site looks very interesting. A bit busy, but it looks like they have some good content. Thanks for that. It's interesting that at least one vendor/manufacturer is taking security seriously. – eficker Jan 30 '14 at 17:26

1 Answer

Obviously, I recommend the SamuraiSTFU project for study, including the Penetration Testing with SmartGrid & SCADA training. Took mine from Justin Searle last week.

What I learned is that domain knowledge in several areas is key.

  1. Security posture audits, e.g., BITS FISAP, CIP CVA, IT COBIT, COSO, VisibleOpsSec. Typically, the cliché CISSP fits well here as a prerequisite (i.e., 5 years of experience in information security management and risk management with the capability to be driven by continual learning/improvement and possessing a strong ethical framework/backbone)
  2. Network capture assessments (the new Syngress Press title, "Applied Network Security Monitoring" and the past summer's release from NoStarch, "The Practice of Network Security Monitoring" are great places to start as they explain how to implement SecurityOnion, an Ubuntu distro specially designed for these engagements). Reliable, repeatable FPC (e.g., Netsniff-NG) to gather Tenable PVS and PRADS data that feed Squert might be all that is necessary, although certainly you can take this much further with the CERT NetSA Security Suite, NetWitness, Lancope, Arbor, 21CT, et al
  3. Network penetration testing (many books and resources on this subject, particularly popular and relevant is Offensive Security -- the team that makes Kali Linux). CAVEAT EMPTOR: you probably want to convert any production networks to lab networks by using VMware Converter or similar. Testing on live, production industrial control or automation systems is contraindicated
  4. Web and application penetration testing (many books but I usually recommend TAOSSA -- the Art of Software Security Assessment -- and resources such as OWASP). In my opinion, it does not matter which tools you use but if you plan to fault inject then you should be an expert at OWASPBWA and Web Security Dojo (e.g., Checkmarx, Contrast Security, Burp Suite Professional, NTOSpider, Netsparker, Appscan, sqlmap, et al) and if you plan to fuzz then you should be an expert on the OSCP/OSCE labs and CertifiedNOP (e.g., Zulu, GPF/EFS, PFF, ImmDbg, Sulley, gdb, MSF, et al). By "expert", I mean that you should be able to find 95 percent or more of the whole-system vulnerabilities and be able to take them to full exploitation (typically about one thousand practice sessions per target). Additionally, I should note that some platforms and frameworks require even more specialized knowledge and tools (e.g., mobile apps, Flash/Silverlight, Ajax, Web Services, etc)
  5. Embedded systems and Radio frequency reversing and penetration testing (to get started you might want to check out the Bus Pirate for serial sniffing or RTL-SDR/HackRF plus GNURadio/RFCat for RF MIJI -- meaconing, interference, jamming, and interception). Note the most difficult piece of this process is the actual hardware acquisition. RTU, PLC, and similar device testing can be a budget sink. Carefully select a sampling of devices by putting them into a lab (as described under Network penetration testing above) and never putting them back into production (i.e., an "early retirement")
  6. Firmware reversing and penetration testing (strong knowledge of cryptography as well as self-modifying/integrity-checking code is usually necessary -- tools such as binwalk, IDA Pro or other disassemblers/decompilers, and related tools/resources)
atdre
  • Wow, that was fairly exhaustive. Thank you for that. A lot of good references and suggestions in your post. I am marking this as the answer. Thanks again. – eficker Feb 18 '14 at 04:04
  • You may additionally add protocol know-how. Knowing industrial protocols such as Modbus/DNP3 etc. may help you craft packets while pentesting in case generic protocol utility tools (like modbuspoll, mbtget for modbus) are not available. – xandfury Apr 21 '18 at 16:54
  • https://github.com/ITI/ICS-Security-Tools – atdre Dec 02 '20 at 20:49
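As an added example (not code from the question, the answer or any commenter), here is a small Python decoder for Modbus/TCP frames of the kind a reviewer would pull from the network-capture step in the answer: it validates the MBAP header, classifies read, write and exception function codes, and lists every write so it can be checked against the expected engineering-workstation traffic for that unit. All sample frames are constructed for the example, not taken from a real capture.

```python
import struct

# Public Modbus function codes (Modbus application protocol spec)
READ_CODES = {1, 2, 3, 4}        # coils, discrete inputs, holding/input registers
WRITE_CODES = {5, 6, 15, 16}     # single/multiple coil and register writes

def parse_modbus_tcp(frame: bytes) -> dict:
    """Decode the 7-byte MBAP header plus the function code of one Modbus/TCP ADU.

    Raises ValueError for frames that are too short, carry a non-Modbus protocol id,
    or whose MBAP length field disagrees with the actual frame size.
    """
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus")
    if length != len(frame) - 6:          # length counts unit id + PDU
        raise ValueError(f"MBAP length {length} != {len(frame) - 6}")
    fc = frame[7]
    base = fc & 0x7F                      # high bit set marks an exception response
    if fc & 0x80:
        kind = "exception"
    elif base in WRITE_CODES:
        kind = "write"
    elif base in READ_CODES:
        kind = "read"
    else:
        kind = "other"
    return {"tid": tid, "unit": unit, "fc": base, "kind": kind, "data": frame[8:]}

def summarize(frames) -> dict:
    """Count frame kinds and list every write (transaction id, unit id, function code)."""
    counts = {"read": 0, "write": 0, "exception": 0, "other": 0, "malformed": 0}
    writes = []
    for frame in frames:
        try:
            adu = parse_modbus_tcp(frame)
        except ValueError:
            counts["malformed"] += 1
            continue
        counts[adu["kind"]] += 1
        if adu["kind"] == "write":
            writes.append((adu["tid"], adu["unit"], adu["fc"]))
    return {"counts": counts, "writes": writes}

# Constructed sample frames (hypothetical, not from a real capture)
SAMPLE_FRAMES = [
    bytes.fromhex("00010000000601030000000a"),  # read 10 holding registers, unit 1
    bytes.fromhex("0002000000060106000100ff"),  # write 0x00ff to register 1, unit 1
    bytes.fromhex("000200000003018602"),        # exception: illegal data address
    bytes.fromhex("0003000000060104"),          # truncated: length field says 6, only 2 present
]
```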