4 Online Scanning Methods That Won’t Take Your Plants Down
It’s hard to believe it’s already been a week since I presented at S4x19 on assessment tools for ICS environments. After a brief introduction weighing the risks posed by traditional online tools against the risk of doing nothing, I walked through four online scanning techniques that offer low-impact, high-value results. I know these can work because I’ve used them across hundreds of assessments over the last 10 years. This post will focus more on the techniques than on the tools themselves—the tools can be traditional IT security tools like vulnerability scanners, DIY scripts built on native commands, or any of the ICS-focused security tools in that burgeoning product space. The important thing is that you use these techniques to get to the ground truth so you can understand the risk in your ICS. This is not meant to be a comprehensive list – someone at the session on Monday asked about passive tools such as network sniffing. Passive monitoring is certainly valuable, and we use it on most of our assessments, but it didn’t really meet the ‘high-value, low-impact’ criteria we wanted to focus on for the presentation and this post.
1. Authenticated / Credentialed Scanning
Traditional vulnerability scanning sends a large number of probes out over the network and, based on how each host responds, interacts with a service just enough to pull back fragments of information such as service fingerprints and version strings, from which it infers what is running and what might be vulnerable.
Alternatively, these scanners can perform an authenticated or credentialed scan using the native protocols of the operating system. Using native Windows authentication, or SSH for a Linux or Unix system, the scanner uses built-in OS functionality to log in and then pull key information with native commands and APIs. Compared to a manual interrogation, this places a much lower load on resources – both network bandwidth and computing resources on the machine itself.
The other thing that can happen very efficiently and effectively over a credentialed scan is a full patch audit. Without credentials to log into the system in question, you only see what is exposed to the network. But once you authenticate to the device, you can pull in all of the port and service data as well as all of the patch levels. All of this is high-value information for understanding vulnerabilities and attack surface, for a trade-off of minimal resources at the network and host levels.
For more information on how this is handled with Tenable’s Nessus scanner, review this post.
2. Configuration Auditing
Configuration auditing answers a different question than vulnerability scanning—rather than “how vulnerable is the system?”, it answers “is the system optimally configured to resist attack, regardless of vulnerabilities?”. It does this by starting from a baseline “known good” state and then using some of the same techniques as credentialed scanning to validate that state in a pass/fail manner. This can encompass everything from password policies to network configuration settings to file permissions. It is especially powerful when customized for your environment, but there are plenty of good baseline configuration policies available to use as a starting point.
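As an added example (editor's code, not the author's), here is the pass/fail evaluation just described applied to an OpenSSH server configuration: a constructed baseline policy, a constructed sshd_config, and an audit that scores each directive. Directives the file leaves unset are judged against OpenSSH's documented defaults rather than skipped, and a duplicated directive is resolved the way sshd resolves it (first value wins).

```python
import re

# Values OpenSSH (7.0 or later) applies when a directive is absent from sshd_config.
# An absent directive is audited against its default, not skipped.
SSHD_DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "maxauthtries": "6",
    "x11forwarding": "no",
}

# Baseline policy: (directive, comparison, expected value). Constructed for this example.
BASELINE = [
    ("PermitRootLogin", "eq", "no"),
    ("PasswordAuthentication", "eq", "no"),
    ("PermitEmptyPasswords", "eq", "no"),
    ("MaxAuthTries", "le", 4),
    ("X11Forwarding", "eq", "no"),
]

# Constructed sshd_config as it might be pulled from an engineering workstation.
SAMPLE_SSHD_CONFIG = """\
# constructed sample, not a real host
Port 22
PermitRootLogin yes
MaxAuthTries 6
MaxAuthTries 3
X11Forwarding no
"""


def parse_sshd_config(text):
    """Map lowercased keyword -> value. sshd uses the first value given for a
    keyword, so the later duplicate (MaxAuthTries 3 above) is ignored here too."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)   # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def audit_sshd(settings, baseline=BASELINE):
    """Evaluate each baseline check; returns a list of pass/fail findings."""
    findings = []
    for directive, comparison, expected in baseline:
        key = directive.lower()
        configured = key in settings
        observed = settings.get(key, SSHD_DEFAULTS.get(key))
        if observed is None:
            passed = False                       # no known default: fail closed
        elif comparison == "eq":
            passed = observed.lower() == str(expected).lower()
        elif comparison == "le":
            passed = observed.isdigit() and int(observed) <= expected
        else:
            raise ValueError("unknown comparison %r" % comparison)
        findings.append({
            "directive": directive,
            "expected": expected,
            "observed": observed,
            "source": "configured" if configured else "default",
            "passed": passed,
        })
    return findings


def summarize(findings):
    """(passed, failed) counts for a findings list."""
    return (sum(f["passed"] for f in findings), sum(not f["passed"] for f in findings))


if __name__ == "__main__":
    results = audit_sshd(parse_sshd_config(SAMPLE_SSHD_CONFIG))
    for f in results:
        print("%-4s %-22s expected %-5s observed %-18s (%s)" % (
            "PASS" if f["passed"] else "FAIL", f["directive"], f["expected"], f["observed"], f["source"]))
    print("%d passed, %d failed" % summarize(results))
```

The same shape (collect state with a native command or file read, compare against a declared baseline, emit pass/fail with the source of each observed value) carries over to password policy or file-permission checks; keeping the defaults table explicit is what stops an unset directive from silently passing.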
3. Using Native OS Commands
For various reasons, there are times when using any third-party tool is not possible or not allowed. In these cases, we can manually emulate some of what a credentialed scan does by interacting directly with the operating system using native commands and tools. We can still get to the high-value system information, just in a more manual way. A good example is Windows’ systeminfo.exe, whose output can be used to derive current patch levels and thus which vulnerabilities remain unpatched. There are many others, and equivalents in the Linux/Unix world as well. While this will do in a pinch, or for a one-time assessment, the real value comes from automating and scripting these native tools.
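The patch audit from section 1 and the scripting of native tools described here share one mechanic: run a native command, parse what it returns, compare it against a baseline. The Python below is an added example (editor's code, not the author's tooling) that does this for systeminfo output. The host name, OS build, hotfix IDs and the required-hotfix baseline are all constructed for the example; on a Windows host it runs systeminfo itself, elsewhere it falls back to the embedded sample.

```python
import re
import subprocess
import sys

# Constructed systeminfo output (host, build and hotfix IDs are made up for this example).
SAMPLE_SYSTEMINFO = """\
Host Name:                 HMI01
OS Name:                   Microsoft Windows 10 Enterprise LTSC
OS Version:                10.0.17763 N/A Build 17763
System Manufacturer:       Constructed Vendor
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB4000001
                           [02]: KB4000002
                           [03]: KB4000004
Network Card(s):           1 NIC(s) Installed.
                           [01]: Constructed Gigabit Adapter
"""

# Constructed baseline: hotfixes the site requires, keyed by OS build number.
REQUIRED_HOTFIXES = {
    "17763": ["KB4000001", "KB4000002", "KB4000003"],
}


def collect_systeminfo():
    """Run the native tool on a Windows host; elsewhere return the constructed sample."""
    if sys.platform != "win32":
        return SAMPLE_SYSTEMINFO
    return subprocess.run(["systeminfo"], capture_output=True, text=True, check=True).stdout


def parse_systeminfo(text):
    """Split systeminfo output into scalar fields and the indented '[nn]:' lists."""
    fields, lists = {}, {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = re.match(r"^(\S[^:]*):\s*(.*)$", raw)
        if m:                                    # a new "Key:   value" line at column 0
            current = m.group(1).strip()
            fields[current] = m.group(2).strip()
        elif current is not None:                # indented continuation of the previous key
            entry = re.sub(r"^\s*\[\d+\]:\s*", "", raw).strip()
            lists.setdefault(current, []).append(entry)
    return fields, lists


def audit_patches(fields, lists, required_by_build):
    """Compare installed KBs against the baseline for this host's OS build."""
    m = re.search(r"Build (\d+)", fields.get("OS Version", ""))
    build = m.group(1) if m else None
    installed = {h.upper() for h in lists.get("Hotfix(s)", []) if h.upper().startswith("KB")}
    required = set(required_by_build.get(build, []))
    return {
        "host": fields.get("Host Name"),
        "build": build,
        "installed": sorted(installed),
        "missing": sorted(required - installed),
        "baseline_known": build in required_by_build,   # False means "no verdict", not "clean"
    }


if __name__ == "__main__":
    fields, lists = parse_systeminfo(collect_systeminfo())
    report = audit_patches(fields, lists, REQUIRED_HOTFIXES)
    print("%s (build %s): %d hotfixes installed" % (report["host"], report["build"], len(report["installed"])))
    if not report["baseline_known"]:
        print("no baseline for this build; cannot judge patch level")
    for kb in report["missing"]:
        print("MISSING", kb)
```

The baseline_known flag matters in practice: a build with no entry in the baseline produces an empty missing list, and a script that reported that as "fully patched" would be hiding exactly the unknown the assessment exists to surface.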
4. Using Native ICS Protocols and Tools
Some ICS protocols and management tools have built-in functionality, intended for operational purposes, that can be used for security evaluation. Protocols such as DNP3 and EtherNet/IP have function calls that let you interrogate a device for system details like hardware and firmware versions. Other systems, for example some SCADA and DCS vendor products, have management interfaces that can help enumerate the entire configuration using native capabilities. ICS security product vendors are adopting this technique as well because it can be a powerful, and sometimes the best and only, way of safely reaching the control system components and assets that are closer to Layer 1.
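The EtherNet/IP ListIdentity reply is one of the function calls meant here: it carries the vendor, product, revision and serial fields an asset inventory needs. The Python below is an added example by the editor, not code from the page or any vendor, that decodes such a reply (for instance one observed in a packet capture from the plant network, or one returned by a bench unit in the lab) into an inventory record. The field layout follows the EtherNet/IP encapsulation header and Common Packet Format as the editor understands the ODVA specification; the reply bytes are constructed with made-up values, and the parser refuses malformed or truncated input rather than guessing.

```python
import struct

ENCAP_HEADER = struct.Struct("<HHII8sI")    # command, length, session, status, sender context, options
CMD_LIST_IDENTITY = 0x0063                  # encapsulation command code for ListIdentity
ITEM_IDENTITY_RESPONSE = 0x000C             # CPF item type carried in the reply
CPF_ITEM_HEADER = struct.Struct("<HH")      # item type id, item length
IDENTITY_FIXED = struct.Struct("<HHHBBHI")  # vendor, device type, product code, rev major, rev minor, status, serial


def build_constructed_reply():
    """Build a ListIdentity reply with made-up values (constructed test input, not a real device)."""
    name = b"Constructed PLC"
    item = struct.pack("<H", 1)                                                     # encapsulation protocol version
    item += struct.pack(">HH4s8s", 2, 44818, bytes([192, 0, 2, 10]), b"\x00" * 8)  # sockaddr_in, network byte order
    item += IDENTITY_FIXED.pack(0x1234, 0x000E, 0x0041, 20, 11, 0x0030, 0x12345678)
    item += bytes([len(name)]) + name + bytes([3])                                  # product name, then device state
    cpf = struct.pack("<H", 1) + CPF_ITEM_HEADER.pack(ITEM_IDENTITY_RESPONSE, len(item)) + item
    return ENCAP_HEADER.pack(CMD_LIST_IDENTITY, len(cpf), 0, 0, b"\x00" * 8, 0) + cpf


def parse_list_identity_reply(packet):
    """Decode one ListIdentity reply into inventory records; raise on anything malformed."""
    if len(packet) < ENCAP_HEADER.size:
        raise ValueError("packet shorter than encapsulation header")
    cmd, length, _session, status, _ctx, _opts = ENCAP_HEADER.unpack_from(packet, 0)
    if cmd != CMD_LIST_IDENTITY:
        raise ValueError("not a ListIdentity reply (command 0x%04x)" % cmd)
    if status != 0:
        raise ValueError("encapsulation status 0x%08x" % status)
    data = packet[ENCAP_HEADER.size:ENCAP_HEADER.size + length]
    if len(data) != length:
        raise ValueError("truncated: header claims %d data bytes, %d present" % (length, len(data)))
    item_count, = struct.unpack_from("<H", data, 0)
    offset, devices = 2, []
    for _ in range(item_count):
        if offset + CPF_ITEM_HEADER.size > len(data):
            raise ValueError("truncated CPF item header")
        type_id, item_len = CPF_ITEM_HEADER.unpack_from(data, offset)
        offset += CPF_ITEM_HEADER.size
        item = data[offset:offset + item_len]
        if len(item) != item_len:
            raise ValueError("truncated CPF item body")
        offset += item_len
        if type_id != ITEM_IDENTITY_RESPONSE:
            continue                                 # other item types carry no inventory data
        if len(item) < 34:                           # fixed fields + name length + state, with an empty name
            raise ValueError("identity item too short")
        version, = struct.unpack_from("<H", item, 0)
        _family, port, addr = struct.unpack_from(">HH4s", item, 2)
        vendor, dev_type, product, major, minor, dev_status, serial = IDENTITY_FIXED.unpack_from(item, 18)
        name_len = item[32]
        if len(item) < 34 + name_len:
            raise ValueError("product name runs past end of item")
        devices.append({
            "protocol_version": version,
            "ip": ".".join(str(b) for b in addr),
            "port": port,
            "vendor_id": vendor,
            "device_type": dev_type,
            "product_code": product,
            "revision": "%d.%d" % (major, minor),
            "status": dev_status,
            "serial": serial,
            "product_name": item[33:33 + name_len].decode("ascii", errors="replace"),
            "state": item[33 + name_len],
        })
    return devices


if __name__ == "__main__":
    for dev in parse_list_identity_reply(build_constructed_reply()):
        print("%(ip)s vendor=0x%(vendor_id)04x product=%(product_name)s rev=%(revision)s serial=0x%(serial)08x" % dev)
```

The revision pair is the firmware version the text refers to, and the serial number is what lets two inventory passes be reconciled when an address changes. Every length check above is deliberate: inventory code that trusts a length byte from the wire is itself a soft target on a network segment where anything can answer.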
A Note on Vulnerability Ratings
When using automated tools like vulnerability scanners, you will get some representation of the level of vulnerability that is typically based on CVSS. The trouble is that this rarely tells the full story, particularly in ICS environments. For example, it is not going to tell you what the impact is on the industrial process. You could have a low-rated vulnerability with a critical impact on the ICS, or at the other end of the spectrum a critical-rated vulnerability with little or no impact on the process. It’s important to understand these ratings in the context of the system before you begin prioritizing remediation actions.
Key takeaway? You can leverage the utility of some IT security tools – like a vulnerability scanner – but keep in mind that they're not going to tell the full story or give the full picture when it comes to prioritizing ICS remediation efforts.