The number of malicious attacks on corporate and federal computer systems is constantly increasing. In today’s tumultuous cyber environment, it’s imperative to find the weak spots in your vital assets and take corrective action before attackers get the chance to damage or steal your sensitive data.
Conducting a network vulnerability assessment (VA) on your industrial organization has changed from being a beneficial activity into a necessary one. Tripwire’s skilled team of security professionals identifies weaknesses and prioritizes them for remediation. We collect data from automated vulnerability scanners, proprietary tools and manual assessment efforts to create a normalized list of identified exposures.
Vulnerabilities are then manually validated in order to determine:
- If the respective, reported vulnerability represents an actual exposure
- How an exposure may impact systems on the network
- If mitigating factors or prerequisites may prohibit a vulnerability from being exploited in certain conditions
Better, Deliberate Assessments
Raw VAs that come from tools or online services typically identify thousands of granular vulnerabilities and rate them according to technical severity. Tripwire’s VAs are different: We take both technical aspects and your mission-critical processes into consideration. The result is, our recommendations address your IT architecture and business functions, and if needed, offer multiple alternatives to remediate issues.
At Tripwire, we strive to improve our customers’ vulnerability management programs. Our strategic guidance helps organizations prevent future vulnerabilities— making our VAs calculated tools for enhancing overall network security.
The world of control systems is increasing in complexity, making it difficult to determine who is authorized to access information. As the threats to businesses increase, so does the need for security. ICS security is focused on preventing intentional or unintentional interference with the proper operation of a plant.
Achieving NERC CIP Compliance
Versions 5, 6 and 7 of the NERC CIP standards present new and rigorous challenges to organizations, but compliance can be simplified by approaching them in three phases: planning, transition and implementation. A non-comprehensive list of other standards that may apply includes ISA/ IEC 62443, ISO27001 and the NIST Framework as a result of Executive Order 13636. All of these pertain to ICS critical infrastructure. Because these standards keep evolving, fully embracing them may seem a daunting task, but it is very possible using the correct approach.
Tripwire Professional Services for NERC CIP Compliance:
- CIP 002-5.1 Planning and Gap Identification
- CIP 003-011 Version 5 Planning and Implementation
- CIP Version 3–5 Gap Analysis
- Development of Functional Categories
- Development of New Policies and Procedures
- Establishment of Baseline Configurations
- Planning for Configuration Change Monitoring
- Planning for Active Scanning of BES Assets
- Planning for Physical Security Assessments CIP 014
- Developing Role-based Training Programs
SCADA Security Solutions for Critical Infrastructure
Tripwire is the leading provider of SCADA security solutions and other cybersecurity services for the utility industry—including providers of power, telephone, water and other transmission and distribution services.
Our expertise includes penetration and vulnerability assessments, control system security, and smart grid security design. We provide solutions to meet mandates and standards such as the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) 002-014 and Nuclear Energy Institute (NEI) 08-09 guidelines.
We understand vulnerabilities within:
- Energy Management Systems (EMS)
- Supervisory Control and Data Acquisition (SCADA) solutions
- Real-time Control System (RCS) architectures
- Distributed Control Systems (DCS)
This knowledge makes Tripwire uniquely qualified to ensure system integrity and availability. In the utility industry, security solutions revolve around maintaining the integrity of critical infrastructures. Unfortunately, energy and utility systems have become prime targets for both terrorists and cybercriminals. The smallest vulnerability can seriously threaten the environment, the economy, national or global security and even public health.
Any attack on the utility sector has the potential to cause mass disruption and panic. Cyberattacks on smart grids and other systems are much more common than the public realizes; most attacks are simply shielded from media dissemination.
Research shows that attempts to penetrate and manipulate our nation’s most critical infrastructures are on the rise. It will only take one massive outage or contamination to shine an unwanted spotlight on the industry’s weaknesses.
Utility companies need to have standardized practices in place to deal with incidents, protect data and secure systems. Prevention is about more than firewalls and antivirus software, though. Organizations must proactively address their vulnerabilities to stay a step ahead of hackers.
Maintaining Secure Process Control Systems Without Risk of Disruptions
Tripwire’s cybersecurity expertise within process control environments is secondto- none. We’ve worked extensively with enterprises within the oil and gas, power and utilities, chemical, food and beverage and pharmaceutical industries.
Our team of IT and OT experts is skilled at protecting systems that run under pressure, temperature and dynamic flow control. Such operations are all potential targets for intrusion with massive destructive capabilities, as recognized by the Chemical Facility Anti-Terrorism Standards (CFATS) and other security guidelines.
Our technology allows manufacturers to keep their operations running within specified parameters, and maximize their profitability while maintaining high quality and safety standards. Tripwire offers a range of customized services to protect production. We understand vulnerabilities within:
- Distributed control systems (DCS)
- Programmable logic controllers (PLCs)
- Network devices
Process control systems are increasingly linked to external networks, so their security is a rapidly growing concern. The same holds true for SCADA systems.
Professionals in the field are concerned that their SCADA systems are at high risk. Without encryption or the right security in place, grid infrastructures can be exposed. This can have wide-reaching adverse consequences, not only for the organization, but for the community and economy that depends on their goods or services.
Insightful, Experienced Guidance
Tripwire’s proprietary assessment methodologies provide the most comprehensive vulnerability and risk assessments possible—without the risk of disruption that can occur with traditional IT security assessment methods.
Our clients include independent system operators (ISO), regional transmission operators (RTO), investor-owned utilities (IOU), gas companies, nuclear facilities, municipalities and rural electric cooperatives.
ICS/SCADA and various types of other control systems are used in many functions in the utilities industry and within a variety of architectures. For example, in electric power companies, different types of ICS/SCADA are used to support power generation, transmission and distribution functions.
ICS/SCADA is also used to support pipeline operations for gas companies, and water control systems use ICS/ SCADA to monitor and control a variety of functions. There are many factors that drive the need to assess the level of risk within the ICS/SCADA and the operational systems it supports. The greatest is simply the fiduciary responsibility that officers of a utility company have to their shareholders and the public. The need to perform regular assessments increases as these operational systems become less isolated and risks increase.
In the past, most crucial utility networks were isolated from the corporate network, and layers of insulation existed between the ICS/SCADA and the Internet and its multitude of cyberthreats. However, over the past half-decade the lines between closed operational networks and Internet-based corporate networks have blurred. Now, the staff and administrators in most utility companies have access to the ICS/SCADA systems from their desktops, as well as to corporate information services (such as email).
Most contemporary utility corporate networks also provide numerous points of access from the Internet to support marketers, billing specialists, consumers and regulators. This increasingly open and complex architecture has dramatically increased security risks. The risks cannot be eliminated, only identified then reduced to an acceptable level.
Securing the ICS/SCADA environment and the network in whole requires solid network architecture design with isolation by zones to reduce risks from affecting the entire network, secure configurations throughout the network, the use of complex passwords or more secure authentication methods, and solid policies and procedures to create consistency in the way the network is administered and maintained.
Regular review of vulnerabilities and risks, as well as administration practices, is absolutely necessary to identify new risks and reduce them to acceptable levels. In addition, regular assessment helps to measure progress toward the organization’s security management goals.
Services requested most frequently by Tripwire’s utility customers include:
NERC CIP compliance services
We do more than meet minimum standards for compliance purposes. Our consulting services are tailored to the unique needs of every client, ensuring that critical infrastructure is comprehensively protected.
EMS/SCADA security solutions
Our understanding of EMS/ SCADA systems is unmatched in the industry. We recognize everyday challenges, from optimization and energy efficiency to grid security and situational awareness.
Control system security assessments
Our engineers assess industrial automation and control systems to identify current gaps and address potential vulnerabilities, carefully inspecting computers, applications, operating systems, networks and more.
Vulnerability and penetration assessments
It’s crucial to test your defenses systematically. Tripwire’s highly-skilled cybersecurity experts utilize a combination of tactical and strategic approaches to uncover weaknesses in our clients’ IT systems.
Application security services
New threats appear every day. Whether a threat originates internally or externally, new vulnerabilities can pop up unnoticed. Tripwire can help you protect your core applications and improve their resiliency.
Smart grid security services
New technologies can make grids more susceptible to cyberattacks. To ensure missioncritical services keep running, Tripwire’s engineers evaluate every angle and customize a smart grid cybersecurity roadmap to meet your specific requirements.
Device security evaluations
What devices do you allow on your network? What kinds of access do these products have? We can help you embrace new technologies while documenting the policies and procedures that will keep your network secure.
Advanced persistent threat (APT) services
Hackers can gain access to your network and remain there, undetected, for longer than you might think. At Tripwire, we create robust solutions that mitigate the risk of an APT attack and protect your valuable data.
By analyzing different protocols, our team can identify both violations and abnormalities. Sometimes, all it takes is an unexpected value or a strange option to signal a cyberattack.
Phase 1: ICS/SCADA Architecture Review, Asset Inventory and ICS/Isolation Review
Tripwire security engineers will meet with the ICS/SCADA managers and technical staff to acquire an in-depth understanding of the system/network architecture design. Interviews and documentation reviews will be focused to gain knowledge concerning information flow within the system, installation and administration procedures, operational methodology and existing security safeguards.
The interviews will identify:
- A conceptual overview of network and serial information feeds into the control center
- A conceptual overview of physical and third-party access points in the control center
- Location and operational information on sensors and devices
- Known or suspected issues with devices, operational functionality, unauthorized logical or physical access
- Operations or communication issues during incidents or system events
The architecture review will also include a review of planned authentication services, access controls, domain or tree structures, auditing processes, audit review procedures and any design issues that may impact recommendations which will be developed later.
In addition, we review the use of proprietary or open standards protocols, types and use of RTUs and systems that perform alarming, as well as other utility-specific design issues. Tripwire will request a physical tour of the facilities to identify any physical issues that could influence the security controls requirements.
As Tripwire meets with the manager and staff, we will also perform a walkdown of the facility (or facilities) and capture a definitive list of assets and asset metadata in order to develop a full asset inventory. The assessment of ICS/ SCADA systems will be accomplished through a combination of:
- Manual inspection
- Network traffic analysis
- Review of CAM tables or other network-level sources
- Audit log data
Some scanning activity may be performed, but only on systems or devices known to be immune to network issues from scanning. The review will consider the actual data flow throughout the ICS/ SCADA system and application architecture, as well as the protections provided by the network itself.
Tripwire evaluates systems to be aligned with industry best practices using NIST or other guidelines. Each area will be reviewed for the following criteria:
- Architectural review and recommendations
- Administrative complexity
- Authentication and authorization
- Secure host builds, configuration management and extraneous services
- Information leakage
- Vulnerability identification
- Patch level/patch management
- Backup and recovery
The review will, at a minimum, include system configuration reviews for each unique operating system and functional server. The effort may also include an analysis of password complexity and configurations of remote monitored systems. The configuration reviews and other technical evaluation tasks will be accomplished by a knowledgeable engineer for the applicable operating systems and technical environment.
Once we understand the architecture, implementation of controls and operational philosophy of the installation, Tripwire can develop threat models and assess the control prioritization schemes to protect the implementation.
Tripwire will identify gateways between the ICS/SCADA network and the business systems, and evaluate the security controls, logging implementation and other factors to determine the effectiveness of the separation of the ICS/SCADA network from the outside. Within the ICS/SCADA network, we will examine the configuration of key devices and controls to determine internal protections within the system configuration.
During the technical assessment, areas of analysis are usually broken down into more manageable tasks as identified below:
- Microsoft systems/Windows environment
- Unix/Linux systems
- Routers and switches
- SCADA applications
- HMI and other control and operational mechanisms
Tripwire evaluates systems to be in line with industry best practices using NIST or other guidelines. Each area will be reviewed for the following criteria:
- Architectural review and recommendations
- Administrative complexity
- Authentication and authorization
- Secure host builds/configuration management/extraneous services
- Information leakage
Phase 2: Network Vulnerability Analysis
Tripwire will meet with your network managers and engineers to conduct a review of the network and security architecture design of the your network. The effort will be to obtain a comprehensive understanding of the architecture—both external, internal and the controls that have been implemented to provide appropriate levels of network traffic segregation, monitoring and control.
This phase of the assessment will include interviews to understand the network design, operational policies and network management infrastructure, as well as your business and technical requirements for the networks under review.
The information collected in the network review will be utilized to provide recommendations and guidelines for network security optimization, as well as to potentially recommend network security controls to complement host-level security controls. Tripwire’s network assessment methodology ensures that all necessary information for successful risk analysis is captured, and all potential issues are identified.
Following the initial review, Tripwire will meet with your firewall and VPN administrators and network administrators to conduct a cooperative hands-on review of firewall configurations associated with the major network segments.
In addition, we may also conduct reviews of selected router and network switch configurations that have an active role in network architecture definition and enforcement. This review will focus on ensuring that firewall systems and other network devices have been deployed and configured according to industry best practices, and to determine if they adequately enforce the intended network and security architectures.
The last component of the security assessment phase is an examination of monitoring and control infrastructure to understand how you’re able to identify and take action on anomalies and malicious activities detected at the network perimeter—or within the network itself.
External vs Internal Networks
In the context of this assessment, the terms “internal” and “external” are relative to the OT/IT boundary—with internal representing the OT side. While Tripwire’s methodologies are nearly identical for an internal network assessment and an external network assessment, the goals and objectives of the assessments differ if the network under test in an internal or Internetfacing network.
The goal of an external network security assessment is to identify security risks and vulnerabilities that may exist in your external network and systems, evaluate the risk associated with any identified vulnerabilities, and to develop strategies and recommendations to resolve these issues and reduce risks to an acceptable level.
Tripwire will conduct a controlled assessment to identify weaknesses in the external security perimeter of your network. Where potential vulnerabilities are identified, Tripwire will validate them and eliminate false positive results from the reported findings.
Initial efforts of the assessment team will be to identify vulnerabilities in systems that can be reached directly from the Internet and to logically map the gateway topology. The ultimate goal is to determine if unauthorized access is possible to your internal systems.
Specific goals of external testing:
- Identify external points of access to your networks
- Identify vulnerabilities in externallyaccessible systems
- Identify potential vulnerabilities in network access controls, firewalls, routers, and the designed network topology, even if they don’t immediately provide access to the internal network
- Determine through analysis if it might be possible to combine the identified vulnerabilities and the network design and topology to gain access to the internal network from the Internet
The assessment will be accomplished across the Internet, from the Tripwire test labs, which are protected from intrusion by a combination of firewalls, router filters, and system-level controls (such as host-level firewalls with intrusion detection and encrypted logons). Vulnerabilities of multiple components will be compared with the gateway architecture to determine if multiple minor weaknesses could be combined into “stepping stones” to create a much greater likelihood of intrusion.
For an internal network VA, Tripwire will analyze data gathered in order to execute appropriate, controlled vulnerability scanning against identified, in-scope systems.
Vulnerabilities generally fall into eight broad categories, as follows:
- Authentication functionality
- Account management
- Service level software
- Web applications
- Core operating systems
- Network level
- Trust domain
For the purposes of assessment, Tripwire will combine the internal and external components into a single phase to reduce staff requirements and flow time to provide a more efficient assessment and achieve the schedule objective without compromising depth of analysis. The Tripwire VA follows a set methodology regardless of whether the assessment is being done on an internal or externally exposed network. The steps are defined as follows:
Internal Information Gathering/ Network Discovery
The assessment typically begins with a network discovery and data collection effort. This is designed to logically map the network, fingerprint in-scope network devices and identify network services which may expose the respective system to elevated levels of risk.
As the systems are scanned and active services identified, Tripwire analysts will probe them in order to uncover information like software versions and configuration data such as available authentication types.
All vulnerability identification activity is carefully coordinated with your staff in order to reduce potential operational impacts such as the triggering of intrusion detection sensors and other network- and host-based security mechanisms.
Manual Vulnerability Validation/ False Positive Elimination
Tripwire will collect data from automated vulnerability scanners, proprietary tools and manual assessment efforts in order to build a normalized list of identified exposures. Vulnerabilities will then be manually validated in order to make a determination of whether the respective, reported vulnerability represents an actual exposure, how that exposure may impact the system, and any mitigating factors which may prohibit the vulnerability from being exploited in certain conditions, or without certain prerequisites (such as authentication credentials).
As with the external assessment, methodologies used to assess the reported vulnerabilities for the internal assessment will vary based upon the nature of the vulnerability being analyzed. The methodologies we employ are chosen for being both viable in the time available, and benign in nature so as to minimize any potential operational impacts on the system.
Given a NIST CSF and UFC 4-10-06 perspective, vulnerabilities and issues identified during this phase can be restated as control omissions or opportunities for enhanced control implementation. These will be documented and included in the assessment report.
Phase 3: ICS/SCADA Security Assessment and Controls GAP Analysis
Given the understanding gained in the first two phases, Tripwire will begin a series of targeted activities to examine the security controls in the ICS/SCADA system. In this phase, Tripwire proceeds device-by-device, system-by-system through the architecture and performs a security review of each component individually and in the context of its place in the architecture.
Tripwire will employ a series of targeted activities focused on specific components of the overall architecture to assess security implications both at the component level and across the system architecture.
The nature of this part of the assessment is to catalog issues with the building blocks of the ICS/SCADA implementation, as choices made in system integration at one end of the system may have security implications elsewhere in the architecture. Generally, each of the tests defined in this section follow the path:
- Information-gathering tests: Attempt to identify live hosts, network topology, operating system, services provided, access control mechanisms, access servers and the interactions between systems
- Generic vulnerability tests: Attempt to determine the presence of known vulnerabilities and to exploit them. This includes vulnerabilities related to legitimately-provided services, such as communication and control interfaces
- Network characteristics and topology tests: Attempt to determine the presence of, and exploit vulnerabilities related to, network topology, network components configuration and design principles and protocol specific characteristics
**Note: These include tests that consider spoofing techniques, protocol-specific tests such as usage of IP options, fragmentation, exploit of trust relationships, protocol encapsulation, routing tricks, and design and implementation flaws in several network protocols and related services
- Misconfiguration tests: Attempt to identify and exploit typical misconfiguration problems
- Backdoor tests: Attempt to identify the presence of backdoors in the infrastructure and exploit them
- Authentication and access control schemes tests: Attempt to subvert authentication and access control mechanisms based on common attacks that exploit the lack of a strict security policy or the enforcement of such
**Note: This includes dictionary and brute force attacks on reusable passwords, exploit of weak authentication schemes, social engineering, and exploit of contingency plan procedures
Using the NIST CSF as a guide, Tripwire will develop a mapping of existing and missing security controls across the ICS/SCADA environment. The resulting product of this phase of the assessment is:
- A set of gaps in the management/ operational controls in the ICS/SCADA system (developed from the Phase 3 activity)
- A set of gaps in the technical implementation of the ICS/SCADA system (developed from the Phase 2 activity with corroboration from the Phase 3 activity)
Phase 4: Documentation of Findings and Recommendations
Tripwire will formally document the effort in the ICS/SCADA Security Assessment Report, which will be the written deliverable for the task. The report will consist of three major sections:
- The ICS/SCADA Architecture Review
- The Security Assessment Findings and Controls Summary
- Observations and Recommendations
Additionally, the asset inventory will be provided as a separate Microsoft Excel file attachment to the document.
The report will be submitted in draft form. ICS/SCADA managers and technical staff will be able to review the report and provide comments and questions. Tripwire will revise the draft and submit a final report to clarify and expand any necessary areas.
The report will, at a minimum, include the following items:
- A description of the methodology used during the assessment
- A description of the ICS/SCADA network and system environment, to include all in/out connections and the level of isolation that was found between the ICS/SCADA and other networks
- Specific identification of vulnerabilities, whether system configurations, network architecture, procedures, policies or any other issues
- Each finding will be accompanied by a description of its potential to impact your operations, an assessment of the level of risk it creates and recommendations to mitigate the risk
Recommendations will be documented clearly and in concise detail. Recommendations will be offered on multiple levels, to include:
- System-level recommendations to counter the existing technical vulnerabilities
- Architecture or network modifications to enhance and support the existing ICS/SCADA system controls
- Policies, implementation guidance, or procedures to minimize future vulnerabilities
The report will provide an action plan to enable you to strengthen the existing ICS/SCADA security posture, as well as the security program in general.
Learn More Today
Let us take you through Tripwire’s vulnerability assessment services and answer any questions you have. Learn how Tripwire’s suite of integrity and vulnerability management products and services can be customized to your specific IT/OT security and compliance needs.