21 November, 2006

More Scanning - Be Careful

Soon it won't matter if we crash our systems in a controlled scan.

With more and more scanners rolling out SCADA modules it is more and more likely that your systems will get scanned without the operators and engineers knowing it is happening.

This would be very bad. MUSecurity is more likely be used by legitimate operators (as opposed to Nessus or metasploit with lower barriers to acquisition and use) but IT operators should be very careful about how they use their new tools.

Despite the fact that I advocate the proper use of scanning I am very conservative about how to go about doing it. Thorough pre testing and comprehensive change control are absolutely essential.

CNI Operator is right PLC's, Historians and other SCADA/ACS/DCS sub-systems respond very unpredictably to the most basic connections. There are different design criteria for the endpoints in ACS than in the normal IT world. As I have said before in many ways they are lagging the IT world by several years in terms of some forms of connectivity. These facts often make them far more sensitive to unanticipated connections and packets than other systems would be. They do indeed crash with stimuli that would be harmless to almost anything else.

NMAP can be a DOS tool for SCADA systems.

In the long run this makes it more important to scan but if you are in IT beware how you go about it. These are not the types of systems where an apology can absolve you after a screw up. It won't be a funny story to tell later.

Also don't fool yourself into believing everything is ok just because the scan doesn't find anything. It is only one piece of the puzzle.


Update:
Background

but

Ultimately Rich is right. Just be careful.

Digg it

1 comment:

Alex said...

Great story. We used to do a ping sweep of all our IPs before we performed our monthly scan. Well, one month right as our scans went off - the phone system went down. Completely.

This happens again, and we figure it's no accident, so we remove the phone system IP address from Nessus.

Happens *again* the next month.

Turns out, we forgot to remove the Phone Sys IP from the ping sweep - just pinging this ancient phone system would cause it to fall over like a three year old on a bike with no training wheels.h

Just a little anecdote to reinforce your point.