Document

advertisement
Enhancing
Network Scanning
For
Discovering Vulnerabilities
(ENSDV)
by
Raymond Cordova MEIA
University of Colorado at Colorado Springs, Colorado, 2010
A Thesis
Submitted to the Faculty of the Graduate School
University of Colorado at Colorado Springs
Partial Fulfillment of the Requirements
for the degree of
Master of Engineering in Information Assurance
Department of Computer Science
2010
ii
Thesis for the Master of Engineering Degree in
Information Assurance
by
Raymond Cordova
has been approved for the
Department of Computer Science
by
_______________________________________________________
Advisor: Dr. C. Edward Chow
_______________________________________________________
Dr. Jugal K. Kalita
_______________________________________________________
Dr. Rory Lewis
_____________________
Date
iii
ENSDV
Enhance
Network Scanning for
Discovering Vulnerabilities
Master of Engineering, Information Assurance
Thesis directed by Associate Dean Professor C. Edward Chow
Department of Computer Science
iv
Enhance
Network Scanning for
Discovering Vulnerabilities
(Master of Engineering, Information Assurance)
Thesis directed by Associate Dean Professor C. Edward Chow
Department of Computer Science
Abstract
With the advent of the 911 terrorist attack and the subsequent identification of the
vulnerabilities of our most critical systems that include the power grid, directives from
government entities such as Homeland Security, has coined the term “Smart Grid” to
describe Industrial Control Systems (ICS) as a power grid of the near future; an
intelligent, self-healing, real-time system. The ongoing effort to develop secure
communications products and technologies specifically designed to operate reliably in
harsh environments around the world must be used for mission critical applications..
The methodology and prevention of attacks to ICS networks is by far one of the most
important projects since the creation of the Internet. It should be noted that the
number of vulnerabilities can be exploited and the critical nature of an exploit is much
more than that of Internet and computer based vulnerabilities. With this in mind,
enhanced network scanning for discovering vulnerabilities becomes an important
v
research area. This thesis proposes to show that the Nessus vulnerability and
compliance check scanner can be enhanced to discover network vulnerabilities. Many
vulnerabilities require the development of plug-ins written specifically to address
issues not addressed by the standard set of subscription plug-ins. Developing and
creating new plug-ins can enhance the Nessus scanner to discover vulnerabilities and
check for compliance of policies. Integrating the new plug-ins with the standard set
improves on the standard scanner as shown in reporting results.
vi
Acknowledgements
I would like to take the opportunity to sincerely thank Dr, Edward Chow for the
support, his tireless efforts, the valuable time he spends in consultation, the
encouragement he has provided, and the direction to guide me through the challenging
coursework at UCCS. This is my opportunity to thank Dr. Chow, being that he does
so much for others, generously giving his time and providing help and motivation. I
truly appreciate Dr. Chow for the person that he is.
I would also like to thank Renaud Deraison from Tenable Nessus for providing the
ProfessionalFeed version of the Nessus scanner for the experiments and research.
Without his contribution, this research would not have been possible.
vii
Table of Contents
Abstract
iv
Acknowledgements
vi
Table of Contents
vii
List of Figures
ix
List of Scripts
xi
Tables
xi
Appendices
xi
Chapter1
Industrial Control Systems Recommended Guidelines,
1
Standards and Regulations in Emerging Technology
Chapter 2
5
Emerging Technology
2.1
Wireless Comes of Age
9
2.2
Vulnerabilities
10
Chapter 3
13
Nessus Scanning
3.1
Bandolier Related Work
14
3.2
Compliance Checks
14
3.3
Compliance Checks Versus Vulnerability Scan
15
3.4
Development Approach
16
3.5
Extending Bandolier with Nessus Credentialed Scanning
21
3.6
Nessus Quick Reference Installation and Upgrade Guide
22
3.6.1
Nessus Background
23
3.6.2
OS Support
24
3.6.3
Prerequisites
25
viii
3.6.4
Installation
26
3.7
Upgrading Unix/Linux
39
3.8
Upgrading Windows
52
3.9
Nessus Directory Configuration
53
3.10
Nessus Server Manager and Client Interface
55
3.11
Changing Default Nessus Port
56
3.12
Registering the Nessus Installation
57
3.13
Adding User Accounts
57
3.14
Host-Based Firewalls
61
3.15
Other Operating System Configuration
62
3.16
Policy Compliance Plug-ins
63
3.17
Patch Auditing
64
3.18
Netstat Port Scanner
65
3.19
Reporting
66
3.20
Nessus Scanner Use
69
3.21
Nessus User Configuration Tab
70
3.22
Nessus Policy Configuration Tab
71
3.23
Nessus Scan Tab
72
3.24
Nessus Report Tab
73
3.25
Customize Policies
74
3.26
Nessus Scan Performance Metrics
81
Chapter 4
92
Lessons Learned
4.1
SCADA Access
92
4.2
Meter and Development Kit Procurement
92
4.3
Nessus Scanner
94
4.4
Digital Bond Bandolier Project Compliance
96
Check Plug-ins
ix
4.5
Nessus Attack Scripting Language (NASL)
97
4.6
VMware
98
102
Chapter 5
Future Direction
5.1
Texas Instruments Development Kit
102
5.2
Automatically Patching Failed Compliance Checks
102
5.3
Shared Plug-ins
103
5.4
OS Extensions
103
5.5
System Alert for Detecting Plug-in Removal
103
106
Chapter 6
Conclusion
109
References
List of Figures
Figure 2-1.
ICS Security
7
Figure 2.2
Emerging Technology Physical Challenges
7
Figure 2.3
Smart Metering Scope
8
Figure 2.3
Wired and Wireless Options
8
Figure 3.1
Windows Nessus Download Files
35
Figure 3.2
Windows Nessus Welcome Screen
36
Figure 3.3
Windows Nessus License Agreement
37
Figure 3.4
Windows Nessus Destination Folder
37
Figure 3.5
Windows Nessus Setup Type
38
Figure 3.6
Windows Nessus Install Dialog
38
Figure 3.7
Windows Nessus Completion Dialog
39
Figure 3.8
Windows Server Manager Configuration
56
x
Figure 3.9
Activated Windows Server Manager Dialog
58
Figure 3.10
Nessus User Management Dialog
59
Figure 3.11
Nessus Add/Edit User Dialog
60
Figure 3.12
Nessus Client Login User Dialog
61
Figure 3.13
Configuration Screen for Credentials
63
Figure 3.14
Policy Compliance Plug-ins
64
Figure 3.15.
Example plug-in Selection of Operating System and
65
Application Security Scans
Figure 3.16
Customize Policy Edit
66
Figure 3.17
Report Example of the iepeers_dll_0day.nasl plug-in and
67
Windows Compliance Checks on an un-patched XP virtual
machine
Figure 3.17.1 Report Example of the SSH Remote Root Login Compliance
68
Check on a Fedora Core 12 virtual machine
Figure 3.18
Nessus User Tab
70
Figure 3.19
Nessus Policy Tab
71
Figure 3.20
Nessus Scan Tab
72
Figure 3.21
Nessus Report Tab
73
Figure 3.22
Prototype Layout
82
Figure 3.23
Nessus Scan Performance Times on Prototype
84
Figure 3.24
Nessus Non-credential Scan Performance Times on ISSG
87
Lab
xi
Figure 3.25
Nessus Non-Credentialed Scan on ISSG Lab
88
Figure 3.26
Nessus Credentialed Scan on ISSG Lab
89
Figure 4.1
Successful Nessus Database Rebuild and Re-index
96
Figure B.1
Itron OpenWay® Solution
115
Figure B.2
CC2530 ZDK Development Kit Cost
120
List of Scripts
Script 3.1
XP “iepeers.dll” 0-day Vulnerability Script
74
Script 3.2
XP USB Storage Devices Disabled Compliance Check
78
Audit Script
Script 3.3
XP CDROM Auto-play Disabled Compliance Check Audit
80
Script
Script 3.4
Fedora 12 SSH Remote Root Login Disabled Compliance
81
Check Audit Script
Tables
Table 1. Prototype Nessus Scan Time
83
Table 2. ISSG Nessus Scan
85
Appendices
Appendix A Security Descriptors
112
Appendix B Selected Vendor Smart Meters
113
1
Chapter 1 Introduction
Industrial Control System
Recommended Guidelines,
Standards and Regulations in the
Emerging Technology
The Information Technology Laboratory (ITL) at the National Institute of Standards
and Technology (NIST) promotes the U.S. economy and public welfare and provides
technical leadership for the nation’s measurement and standards infrastructure.
Specific requirements and methodologies for information system categorization are
described in Technology (NIST) FIPS 199.
The requirements for addressing
minimum security controls for a system are described in NIST SP 800-53
(Recommended Security Controls for Federal Information Systems) and NIST FIPS
200 (Minimum Security Requirements for Federal Information and Information
System). ITL responsibilities include the development of technical, physical,
2
administrative, and management standards and guidelines for the cost-effective
security and privacy of sensitive unclassified information in the nation’s computer
systems that have emerged to provide control of industrial control networks.
In the emerging stages of development, inexpensive Internet Protocol (IP) devices
began replacing proprietary isolated systems running proprietary control protocols
using specialized hardware and software. The possibility of cyber security
vulnerabilities and incidents increased as ICS began adopting Internet solutions to
promote corporate business systems connectivity and remote access capabilities [15].
A different approach was needed to address the issues [14]. These new design
implementations using industry standard computers, operating systems (OS) and
network protocols began to resemble Internet systems. These Internet integration
solutions provided the needed capabilities, but it also introduced a multitude of
vulnerabilities, problems, and issues and provided significantly less isolation for ICS
from the outside world creating a greater need to secure these systems.. As mentioned
earlier, the ITL standards set forth in the NIST 800 series documents is a challenging
and daunting task [9]. This task is coupled with securing Internet access to ICS
systems, isolating the ICS, and providing a secure, safe, reliable control system. It is
interesting to note how emerging technologies have lowered the infrastructure costs
and use existing physical entities and infrastructure.
As these AMI/AMR solutions are implemented, there must be a controlled effort to
ensure security is built in so as not to produce results similar to the problems
3
encountered by the staggering growth of the Internet which produced undesirable
circumstances in which services were the most important factor.
Many commercial venders have recognized the demand for specialized products
such as hardened servers, routers and Ethernet switches, Encrypted Receiver
Transmitter (ERT) Meters, and a variety of other devices to complete the
communications backbone solution for the smart grid. The development of a Smart
Grid has focused on Security, being that the new ICS will inherently have all of the
vulnerabilities of Internet and computer based systems. It will be critical for the smart
grids to provide confidentiality, integrity and availability to ensure the critical
infrastructure is not compromised in the event of a catastrophic failure, cyber event or
and unforeseen disaster. Authoritative entities have produced the NIST 800-82 Guide
to Industrial Control Systems Security (ICS) [11 [15] in an effort to provide guidance
to establish secure industrial control systems (ICS). The methodology and prevention
of attacks to ICS networks is by far one of the most important projects since the
creation of the Internet. The wide variety of available hacking tools has the
Information Technology industry in a precarious state of insecurity, whereas efforts to
prevent the unauthorized use of the ICS network is of critical importance and is one
of the most important aspects of protecting smart grid computing systems. This is a
task that will take systems administrator, security administrators and utility
employees into a new realm of Security to defend the ICS network against those
attacks and unforeseen events. It should be noted that the number of vulnerabilities
4
that can be exploited and the critical nature of an exploit is much more than Internet
and computer based vulnerabilities.
Instead, not only does the development of
Supervisory Control and Data Acquisition (SCADA) systems, ICS or Smart Grids
take conventional computer based vulnerabilities into account, but also new and
ambiguous vulnerabilities that are being identified are unique to the critical smart grid
industry. Policies and processes exist with new vulnerabilities being discovered daily
and new tools, code, procedures and processes are generated daily address any
deficiency in the development of the smart grid systems. There can only be strict
adherence to the requirements and ongoing System Development Life Cycle and
Security Development Lifecycle to continually ensure security in the ICS networks.
In this manner, security can be built into the systems that are critical to the safe
operation of critical infrastructure components.
5
Chapter 2 Emerging Technology
There have been many problems associated with the rapid growth of the Internet.
The vulnerabilities associated with the Internet are well known problems that
introduce a critical security problem to ICS. Many of the solutions to prevent these
vulnerabilities have been no more than a band-aid fix that are not at all ideal in their
implementation. Many of the solutions to the problems have only introduced other
problems that introduce other security risks. With all the problems that currently
effect the IP based technology, it becomes imperative to follow the directives set forth
by the NIST 800 series documents. It becomes a monumental task to secure an
already vulnerable IP-based system and to secure emerging technology. Emerging
technology solutions have inherent vulnerabilities in their own implementations. It
seems reasonable to expect emerging technologies will require all the traditional tasks
of security updates, patches, updates and upgrades as will as providing System
Development Life Cycle activity of the emerging technologies implemented to
provide solutions to ICS. As the emerging technologies are implemented, care must
be given to the implementation and infrastructure with a focus on three components;
availability, integrity, and confidentiality of the ICS are critical and must be strictly
adhered to in order to provide a safe and secure system.
The implementation of security in the leaf products of the various AMI/AMR
devices becomes a major task of providing a reliable and safe solution of gathering
6
information from millions of end points. As is the case with any emerging
technology, new solutions have inherent vulnerabilities, and the Advanced Metering
Infrastructure/Advanced Metering Readers (AMI/AMR) is not an exception. These
smart meters must be considered as a device that can be used to gain access to the
larger infrastructure, the SCADA power grid. Therefore, every precaution must be
taken to protect the meters since these smart meters are a potential gateway to the
more critical SCADA power grid infrastructure.
Several problems are associated with the securing smart meters. These meters must
update usage statistics for, which include but are not limited to several resources,
such as gas, water, and electricity. It is critical that every effort to maintain security
for these devices becomes a normal practice in order to provide a safe and secure
system.
The following figures illustrate the infrastructure, physical challenges, scope, and
wired and wireless solutions:
 See Figure 2.1 for an illustration of securing a typical ICS [2].
 Figure 2.2 shows the challenge of physical security [2].
 See Figure 2.3 for the scope of the smart metering system [16].
 Figure 2.4 shows a typical ICS infrastructure with wired and wireless
solutions [16].
7
Securing Control Networks
5/29/2009
Smart Grid Education Workshop / Chow
10
Figure 2.1 ICS Security
Figure 2.2 Emerging Technology Physical Challenges
Graphics use permission granted from Dr. Edward Chow, UCCS, 2010
8
Figure 2.3 Smart Metering Scope [16]
Figure 2.4 Wired and Wireless Options [16]
9
2.1
Wireless Comes of Age
The use of radio technology to provide wireless solutions with such devices as
mobile phones, laptop computers and common consumer equipment make the use of
wireless technologies a feasible option for solutions to provide business capabilities
and remote access to ICS. Many types of wireless communications are usually
distinguished by the frequency band, the standards used, and the primary application.
Many wireless applications such as ZigBee, Bluetooth and ZWave have been
implemented as computing and telecommunications solutions in markets such as home
automation and building control, SCADA systems and even livestock control. Many
other commercial options for low power radio have been specifically developed,
evolved and emerged as viable solutions for utility communications. Emerging
implementations include the M-Bus standards used for smart metering in northern
Europe, the Wavenis solution used for water metering in France and the Trilliant
platform being used by some utilities in Canada. Utilities in America and Australia
offer a specific Smart Energy profile with ZigBee which was developed to provide
smart metering connectivity to home area networks.
The low-power mesh infrastructure design bounces packets of data through a series
of nodes to reach their target. This type of network topology offers the protection of
avoiding potential single points of failure in a network. This is critical in the design of
the solution. This type of mesh network increases the power consumption of every
fully functional node. Each node must be able to receive and transmit data to and from
10
other close proximity nodes whenever data transfers are required. Some mesh based
devices will be configured as non-repeating “end” devices to facilitate lower power
consumption.
2.2
Vulnerabilities
Definition: A Vulnerability Class is a category of weakness which could adversely
impact the operation of the Smart Grid. A “vulnerability” can be leveraged to cause
disruption or influence the Smart Grid [7].
Millions of homes and businesses are using smart meters that are riddled with
security bugs that could bring down the power grid. Of particular concern, these new
smart electricity meters are being implemented despite vulnerabilities that can open
the door to power -grid botnets that have been identified in several vendor smart meter
devices. The smart meters provide two-way communications between electricity users
and collection devices that ultimately connect to the power plants that serve them.
Utilities in Seattle, Houston, Miami, and elsewhere are hurriedly implementing them
as part of a plan to make the power grid more efficient. Funded by billions of dollars
from President Obama's economic stimulus package, utility organizations have
continued to install the smart meters. Other organizations throughout Europe are also
spending heavily on the new technology. The problem becomes evident when meters
needed to make the smart grid work are built on buggy software that's easily hacked.
Mike Davis, a senior security consultant for IOActive has identified several issues
with the smart meter software. These issues are critical to the security of the smart grid
11
with the vast majority of them use no encryption and ask for no authentication before
carrying out sensitive functions. There is no validation or authentication when
performing software updates or severing customers from the power grid. Mike Davis
has said the vulnerabilities are ripe for abuse. The smart meters have the capability to
switch on/off hundreds of thousands of homes at the nearly the same time. This can
introduce problems with the power company being able to gracefully deal with power
demands or surges. The vulnerability in the devices [13] is susceptible to a worm
designed by Mike Davis and the IOActive colleagues to show authoritative agencies
the reality of the problem. The worm self-propagates across a large number of one
manufacturer's smart meter. Once the device becomes infected, the device is under the
control of the malware developers similarly to the way infected PCs are under the
spell of bot herders. It is at this point that the attackers can “own” the devices and send
instructions to turn power on or off and divulge power usage statistics or sensitive
system configuration settings. The worm is able to spread quickly and exploits an
automatic update feature in the meter that runs on peer-to-peer technology. The peerto-peer technology doesn't use code signing or any other measure to ensure the update
is authorized, but instead uses a routine known as interrupt hooking, which adds
additional code to the device's operating system. There has been no public disclosure
of verified models of smart meters that are designed with these vulnerabilities.
Researchers and engineers decline to identify the models or the manufacturers but will
only elaborate to state that most of the models suffer from the same poor design.
Companies manufacturing the smart meter devices for smart grids include GE Energy,
12
The ABB Group, Sensus Metering, Itron and Landis+Gyr. The embedded platforms
are not designed for security. One deficiency that has been identified as common
among many of the meters is the use of well-known insecure programming functions,
such as memcpy() and strcpy(). These are two of the most common sources of
exploitable software bugs. In many cases, the devices use general purpose hardware
and software that aren't designed for highly targeted or mission critical systems. This
is the nightmare of the smart grid security initiative. Envision a malicious hacker that
has the unique identifier that's printed on your meter.
A security company named ControlScan maintains a database listing vulnerabilities
found in the more common problems found in the Internet infrastructure. The database
lists 34,762 total vulnerabilities that have been identified by ControlScan [14]. This
list cannot reflect all the problems in ICS/Internet infrastructure.
Additional vulnerability problems and the potential impact listed in a Vulnerability
Classes website [3] attempts to list many that may not be as obvious as those listed in
the ControlScan database.
By 2015, utilities in more than two-dozen US states expect to have almost 52 million
customers outfitted with the bidirectional smart meters, according to the Edison
Electric Institute, which represents power companies. Some of those deployments are
already completed and many more will be completed in the next few years. Due
consideration must be given to all the issues of ICS/Internet integration. Attention is
now focused to the Tenable Nessus Vulnerability and Compliance scanner solution.
13
Chapter 3 Nessus Scanning
Information on numerous common vulnerabilities has been presented. These are the
well known common problems but some may not be so obvious to newly trained
ICS/Internet personnel. The problems introduced into the AMI/AMR systems from
Internet and networking vulnerabilities pose a daunting task of identifying and
securing the infrastructure. Many problems are readily apparent and there are those
that are not so easily identified. It would be impossible to manually identify and
mitigate the issues. Nessus has provided a tool to assist in identifying problems in
AMI/AMR technology. Nessus is an active scanner featuring high speed discovery,
configuration auditing, asset profiling, sensitive data discovery and vulnerability
analysis. It is a popular vulnerability scanner that offers many features to help assess
the security of control system networks, devices, servers and workstations. Basic
vulnerability scanning has crashed many control system devices and applications but
new features and techniques make it possible to scan control system networks with
minimal impact to critical systems such as SCADA. This “safe” feature makes
Nessus an ideal candidate for use with SCADA systems.
Tenable Nessus and Digital Bond have formed a collaboration to extend the scanner.
Nessus is part of the following Digital Bond Racks:

Control System Security Assessment Rack

Application Security Assessment Rack

Web Application Security Assessment Rack
14
3.1
Bandolier Related Work
Digital Bond is currently involved in a research project known as Bandolier [17]. It
documents the optimal security configurations for control system application
components. Programs are written into audit files that can be used in security tools
such as Nessus. Policy compliance checks allow asset owners to verification that the
system is in the optimal security configuration for both operating systems and
application security settings. Bandolier audit files are used at initial deployment to
determine baseline configuration and compliance with NIST standards. Bandolier is
funded by the Department of Energy (DOE) and is Objective 1 of a larger effort
known as the Cyber Security Audit and Attack Detection Toolkit.
3.2
Compliance Checks
Using guidance from NIST and other industry organizations, Tenable Network
Security has developed best practice compliance checks for many operating systems
and common Internet applications such as databases and web servers. The Bandolier
project is developing files specifically for control system applications that reside on a
variety of Windows, Linux, and Unix platforms. The Bandolier audit files can be used
with Nessus compliance plug-ins to perform security scans and to compare a
deployed control system component to the best practice security settings and then
identify any variances. The Nessus compliance plug-ins are available to Nessus
ProfessionalFeed customers at a cost of $1200 a year with access to new plug-ins,
customer support, and access to the SCADA plug-ins that Digital Bond [6] developed
for Tenable. Compliance plug-ins provides the Nessus Vulnerability Scanner with the
15
ability to audit a system against a secure configuration as described in the policy
compliance file. Bandolier created files can be used with the Nessus Vulnerability
Scanner to audit security configurations of the twenty-plus control systems
applications that are part of the project. Although Nessus is the de-facto standard for
vulnerability scanning, there are other tools available that can perform similar
functions. Digital Bond will also make the compliance checks available in the
XCCDF and OVAL formats used by NIST's Security Content Automation Protocol
(SCAP). To provide maximum benefit and reusability for the community, all SCAP
validated scanners will be able to use the Bandolier audit files.
3.3
Compliance Checks versus
Vulnerability Scans
An important difference exists between compliance checks and traditional
vulnerability scanning in Nessus. Each has its own distinct purpose and value; i.e.,
vulnerability scanning relies on signatures of “known bad things”. The scanning tests
typically send packets to the device under scan that have caused many control system
applications to crash or operate improperly. On the other hand, compliance checks
compare a system against the “known good”, hardened configuration. This process is
facilitated by creating an authenticated administrator connection to the system and
inspecting its configuration.
Different methods are used to determine what services are running on a
workstation or server. Vulnerability scans send a packet to each TCP and UDP port
16
to evaluate the response to determine if the port was open. Unfortunately, simple port
scanning has caused numerous poorly written control system applications to fail. On
the other hand, compliance checks connect to the workstations or servers as an
authenticated administrator to get a list of the services running and return this
information via the administrative connection. It should be noted that an application
that would crash on a port scan would not crash when the same information was
collected by a compliance check.
Compliance checks can read and evaluate files which makes the number and types of
checks available almost limitless to provide the capability of checking many built-in
settings at the operating system level. The following examples do not represent the
full array of checks that are available but are meant to only highlight the capability of
the checks. Note that the examples start with basic service evaluation to very specific
application configuration inspection.
3.4
Development Approach
Step 1: Select the control system applications for project participation.
The development of a methodology to enhance the Nessus Scanning solution is
flexible that enhanced scans can target conventional network systems and ICS control
servers and computers. In this context, control system refers to any server or
workstation whether it is connected to ICS or conventional LANs or WANs. The
focus is to develop a systematic methodology that can be used in currently
implemented systems and future implementations. The following are factors that
17
make a control system application more applicable for a systematic enhanced
scanning methodology to detect and discover vulnerabilities:

Select a control system application running on a relatively current operating
system. Exclude systems running Windows 98 or NT.

Select a control system application or component that can be secured.
Applications that cannot be patched or configured in a highly vulnerable
manner will be of little use. The audit can and will only verify it is an insecure
state.

Select a control system application that is widely deployed. Human Machine
Interfaces (HMI) or operator consoles are ideal candidates because this will
allow a quick and consistent audit of many HMI workstations. Similarly, if the
same Distributed Control System (DCS) is being used at many power plants
the systems than that DCS would be an ideal choice.

Select a critical control system application. A critical control server is a good
candidate for a compliance policy file even if there is only a primary and
backup server. The compliance policy file will identify any changes to the
secure configuration.

Similar control system application components with different configurations
can have their own compliancy policy. Permissions on different systems could
be quite different even though an HMI might run the exact same software as
an engineering workstation.

Inspect logs, research security bulletins, investigate network anomalies for
potential problems that may possible cause disruptions or outages. This step is
18
needed to assess the proper operation of the target system. Several different
processes are performed.
Step 2: Develop secure, hardened configurations for each control system
application component
This step is extremely important. The goal is to create a standard configuration for
each control system application component for each of the components, e.g. HMI,
Historian, Realtime Server, and OPC Server. Deployed control system application
components will be measured against the standard, Scan with existing plug-ins and
patch any discovered vulnerability. The ideal scenario is for the system administrator,
SCADA administrator or DCS vendor to assist in this step. Digital Bond's research
team, system administrators, the vendor and asset owner users would work together to
define the “gold” standard for Bandolier. Consensus guidelines have been used as a
starting point for operating system and common Internet applications, such as web
servers, database applications, and security configuration settings. Modifications are
made as needed for the control system application to function properly, and then the
control system application specific ideal security settings are defined.
Step 3: Perform a baseline scan
After the “gold” standard is defined, perform a baseline scan. Any vulnerability
discovered or non-compliance should be corrected and the scan run again till all
problems are resolved with the direct fee plug-ins supplied by Nessus. After all
problems have been resolved, the scan should be assigned as the original “gold”
standard.
19
Step 4: Develop Plug-ins for Newly Discovered Issues and Checks for
Compliance
Not all Bandolier audit templates are developed to measure the same level of security.
A particular HMI’s gold standard may be much more secure than another HMI’s gold
standard because the vendor may have leveraged operating system security features
and build security features into one and not the other. Bandolier templates attempt to
identify the best possible security setting for each individual control system
application component.
As of May 1, 2010, Tenable Nessus 35.414 plug-ins performs a high level of
comprehensive checks. Nessus is not a tool that can “cover all the bases” but is a tool
designed to “cover” a large portion of problems that are nearly impossible to discover
manually. With this in mind, there are problems that may be unique to the
organization and a need for customized plug-in to enhance the scanning tool to
discover vulnerabilities and check for compliance.
Customized plug-ins created to enhance the scanning capability to address any issue
is a critical step that must be done correctly. The plug-ins can be written to output a
specific message for vulnerability discovery or indicate compliance. Any
vulnerability or compliance check file must be written to comply with the Nessus
general guidelines. See step 4.1 for Nessus plug-in guidelines.
Step 4.1 Methodology to Create Nessus plug-in
Nessus plug-ins are created according to the guidelines in the Nessus Attack Scripting
Language (NASL) [5]. The guidelines are used for the scanner to make use of full
20
functionality and to ensure the enhanced plug-in behaves properly, especially on
critical computers connected to critical systems. There are three guidelines to follow.
•
execute only if necessary
•
use other script results by use of dependencies
•
share by saving to KB, upload report results and
plug-ins
By following this methodology, the Nessus community reaps many benefits.
Discussion forums, support, knowledge base, documentation and users all benefit
from the collaboration.
Step 5: Test New Plug-ins Before Releasing to Production Environment
Skip this step if no new enhanced plug-ins have been developed. Otherwise, the
system administrator will gather information on the system and will create the
vulnerability and compliance policy files on the secured and hardened configuration.
Each test task on each system should be thoroughly tested. Ideally, the plug-ins
should be tested in a similar lab environment or test equipment. A prototype with
virtual machines can be used as a test bed to determine plug-ins are behaving and not
causing problems to the environment. Badly written plug-ins can cause serious
problems.
Step 6: Perform “Post-Gold” Scan
Perform another scan to discover any vulnerabilities and checks for compliance. This
scan should indicate full compliance with the “gold” standard previously defined in
step 2. Any failures indicated in the scan report will need to be resolved and repeat
and begin step 3 and scan till all issues are resolved. At this point in time, the target
system “gold” scan and “post-gold scan can be compared in the Nessus scanner by
21
selecting the option within the Report GUI interface. The “post-gold” scan should be
run at prescribed intervals to discover if any unauthorized changes have occurred
since the last :gold: baseline scan. The ‘gold” standard documentation and processes
may need modification at this step if new plug-ins are written or other standards have
been updated with new configuration. Repeat the development approach for other
target systems that are participating in the project.
3.5
Extending Bandolier with Nessus
Credentialed Scanning
The Bandolier security audit files provide a view of the internal security
configuration. Some desirable audit results are not available directly from the audit
files or compliance checks. Nessus Credentialed Scanning options are a safe, reliable
method to assess control system servers and workstations. Plug-ins are available to
audit missing patches at both the operating system and application levels, including
some often-overlooked client applications. Enhanced plug-ins are created to target
specific vulnerabilities or compliance checks,
Other authenticated scanning options include the "netstat" port scanner that is a safe
way to enumerate open ports without a traditional port scan that has been known to
crash some control system applications. This is an extremely important fact since the
control system of a Smart Grid cannot crash under any circumstance, especially an
administrator invoked scanning task Unix systems use the command netstat -an to
return the results. Windows systems use WMI to return the same information.
22
Nessus offers additional information when credentials are provided to authenticate
to the remote host. The credential checks are useful when used in conjunction with a
full vulnerability scan and is a safer scanning option to use with fragile control system
hosts.
The Nessus scan policy provides user credentials input to connect to a remote server
or workstation. Nessus is allowed to authenticate to a remote host to use the built-in
operating system functionality to run tests that have been defined by the user in the
scan policy. Selected configuration screenshots are included below.
The Nessus scanner uses Server Message Block (SMB) for Windows hosts that
require the ability to communicate with the remote host on TCP port 445. The defined
user account in the scan policy requires administrator privileges.
The Nessus scanner relies on Secure Shell (SSH) TCP port 22 for Unix and Linux
hosts. Root access is facilitated through either the root account or an account capable
of using su or sudo.
3.6
Nessus Quick Reference Installation and
Upgrade Guide
Nessus Installation Guide
This guide provides commands as a general guideline to install and upgrade Nessus
on supported OS platforms. Detailed information, manuals, documentation,
knowledgebase and support is available at http://www.nessus.org/nessus/ website.
23
3.6.1 Nessus Background
Nessus is a powerful, up-to-date and easy to use network security scanner endorsed
by professional information security organizations such as the SANS Institute. Nessus
provides the ability to perform remote and local audits on a specific target machines
for vulnerabilities, compliance specifications, content policy violations and more. A
given network can be scanned remotely or locally to determine if it has been broken
into or misused in some way. Nessus provides:
•
Intelligent Scanning – attempt to validate vulnerability through exploitation
when possible
•
Modular Architecture – The client/server architecture provides flexibility
•
CVE Compatible –links to CVE for administrators to retrieve further
information, references to Bugtraq (BID), OSVDB and vendor security alerts
•
Plugin Architecture – easily add your own tests, select specific plugins or
choose an entire family. Nessus nessusd plugins are available at
http://www.nessus.org/plugins/index.php?view=all.
•
NASL – The Nessus scanner includes NASL (Nessus Attack Scripting
Language). Security checks can also be written in the C programming language.
•
Up-to-date Security Vulnerability Database – focus on development of security
checks for newly disclosed vulnerabilities is updated daily.
•
Tests Multiple Hosts Simultaneously – ability to test a large number of hosts
concurrently. Smart Service Recognition – Nessus will recognize a FTP server
running on a non-standard port (e.g., 31337) or a web server running on port
8080 instead of 80.
24
•
Tests Multiple Hosts Simultaneously – ability to test a large number of hosts
concurrently. Smart Service Recognition – Nessus will recognize a FTP server
running on a non-standard port (e.g., 31337) or a web server running on port
8080 instead of 80.
•
Multiple Services – Nessus will identify and test all web servers running on a
host (e.g., one on port 80 and another on port 8080), of them.
•
Plugin Cooperation – unnecessary checks are not performed
•
Complete Reports – report what security vulnerabilities exist on your network,
the risk level and how to mitigate by offering solutions.
•
Full SSL Support –ability to test services offered over SSL
•
Smart Plugins (optional) –determines which plugins should or should not be
launched against the remote host. This option is called “optimization”.
•
Non-Destructive (optional) –enable the “safe checks” option of Nessus, which
will make Nessus rely on banners rather than exploiting real flaws to determine
if a vulnerability is present.
•
Open Forum –https://discussions.nessus.org/.
3.6.2 OS Support
Nessus is available and supported for a variety of operating systems and platforms:
 Red Hat ES 4 (i386), and ES 5 (i386 and x86-64)
 Fedora Core 10 (i386 and x86-64) [Compatible with Fedora 9]
 Fedora Core 11 (i586 and x86-64)
 Fedora Core 12 (i586 and x86-64)
25
 Debian 5 (i386 and x86-64)
 FreeBSD 7 (i386 and x86-64)
 Ubuntu 8.04 (i386 and x86-64)
 Ubuntu 8.10 (i386 and x86-64)
 Ubuntu 9.10 (i386 and x86-64)
 Mac OS X 10.4 / 10.5 (i386, x86-64, ppc)
 Windows XP, Server 2003, Server 2008, Vista and Windows 7
(i386 and x86-64)
 SuSE 9.3 (i386)
 SuSE 10.0 (i386 and x86-64)
 Solaris 10
3.6.3 Prerequisites
 Minimum of 1 GB RAM
 2-4GB RAM for larger scans of multiple networks
 Pentium 3 processor running at 2 GHz or higher
 Mac OS X dual-core Intel® processor running at 2 GHz or higher
 Nessus can be run under a VMware instance, enumeration and operating
system identification will be negatively affected if Network Address
Translation (NAT) is used
 Nessus Unix requires several libraries that typically do not require separate
installation. It should be noted the following are required:
o OpenSSL (e.g., openssl, libssl, libcrypto)
26
o zlib
o GNU C Library (i.e., libc)
 Nessus Windows performance can be affected by changes to Microsoft
Windows XP SP-2 and should be installed on a server product from the
Windows Server 2003 family or higher for increased performance and scan
reliability
3.6.4 Installation
It may take several minutes the first time Nessus updates and processes the plug-ins.
The web client connection will not be available until plugin processing ha completed.
Download the latest version of Nessus from http://www.nessus.org/download/. All
commands must be performed with system root privileged user. The following
sections provide installation instructions for the Nessus server on all supported
platforms. Special installation instructions are noted following the example. Platform
Installation Instructions follow:
3.6.4.1 Red Hat ES 4 (32 bit), ES 5 (32 and 64 bit)
3.6.4.1.1 Install Command
Use one of the appropriate commands below that corresponds to the
version of Red Hat:
# rpm -ivh Nessus-4.x.x-es4.i386.rpm
# rpm -ivh Nessus-4.x.x-es5.i386.rpm
# rpm -ivh Nessus-4.x.x-es5.x86_64.rpm
3.6.4.1.2 Sample Output
27
# rpm -ivh Nessus-4.2.0-es4.i386.rpm
Preparing...
########################################### [100%]
1:Nessus
########################################### [100%]
nessusd (Nessus) 4.2.0. for Linux
-Please run /opt/nessus//sbin/nessus-adduser to add a user
-Register your Nessus scanner at
http://www.nessus.org/register/ to obtain all the newest plugins
- You can start nessusd by typing
/sbin/service nessusd start
#
3.6.4.2 Fedora Core 10 (32 and 64 bit), 11 (32 and 64 bit) and 12 (32
and 64 bit)
3.6.4.2.1 Install Command
Use one of the appropriate commands below that corresponds to the
version of Fedora Core:
# rpm -ivh Nessus-4.x.x-fc10.i386.rpm
# rpm -ivh Nessus-4.x.x-fc10.x86_64.rpm
# rpm -ivh Nessus-4.x.x-fc11.i386.rpm
# rpm -ivh Nessus-4.x.x-fc11.x86_64.rpm
# rpm -ivh Nessus-4.x.x-fc12.i386.rpm
# rpm -ivh Nessus-4.x.x-fc12.x86_64.rpm
28
3.6.4.2.2 Sample Output
# rpm -ivh Nessus-4.2.0-fc10.i386.rpm
Preparing...
###########################################
[100%]
1:Nessus
###########################################
[100%]
nessusd (Nessus) 4.2.0. for Linux
-Please run /opt/nessus//sbin/nessus-adduser to add a user
-Register your Nessus scanner at
http://www.nessus.org/register/ to obtain all the newest plugins
You can start nessusd by typing
/sbin/service nessusd start
#
3.6.4.3 SuSE 9.3, 10
3.6.4.3.1 Install Command
Use one of the appropriate commands below that corresponds to the
version of SuSE:
# rpm -ivh Nessus-4.x.x-suse9.3.i586.rpm
# rpm -ivh Nessus-4.x.x-suse10.0.i586.rpm
3.6.4.3.2 Sample Output
# rpm -ivh Nessus-4.2.0-suse10.0.i586.rpm
29
Preparing... ################################## [100%]
1:Nessus ##################################
[100%]
Nessusd {Nessus} 4.2.0. for Linux
-Please run /opt/nessus//sbin/nessus-adduser to add a user
- Register your Nessus scanner at
http://www.nessus.org/register/ to obtainall the newest plugins
- You can start nessusd by typing
/etc/rc.d/nessusd start
#
3.6.4.4 Debian 5 (32 and 64 bit)
3.6.4.4.1 Install Command
Use one of the appropriate commands below that corresponds to the
version of Debian:
# dpkg -i Nessus-4.x.x -debian5_i386.deb
# dpkg -i Nessus-4.x.x -debian5_amd64.deb
3.6.4.4.2 Sample Output
# dpkg -i Nessus-4.2.0-debian5_i386.deb
Selecting previously deselected package nessus.
(Reading database ... 36954 files and directories
currently installed.)
Unpacking nessus (from Nessus-4.2.0-debian5_i386.deb) ...
Setting up nessus (4.2.0) ...
30
nessusd (Nessus) 4.2.0. for Linux
- Please run /opt/nessus/sbin/nessus-adduser to add a
user
- Register your Nessus scanner at
http://www.nessus.org/register/ to obtain all the newest plugins
- You can start nessusd by typing
/etc/init.d/nessusd start
#
Note: Nessus comes with an empty plugin set by default. The Nessus
daemon cannot be started until Nessus has been registered and a
plugin download has occurred. If you attempt to start Nessus without
plugins, the following output is returned:
# /etc/init.d/nessusd start
Starting Nessus : .
# Missing plugins. Attempting a plugin update...
Your installation is missing plugins. Please register and
try again.
To register, please visit http://www.nessus.org/register/
3.6.4.5 Ubuntu 8.04, 8.10 and 9.10 (32 and 64 bit)
3.6.4.5.1 Install Command
Use one of the appropriate commands below that corresponds to the
version of Ubuntu:
# dpkg -i Nessus-4.x.x-ubuntu804_i386.deb
31
# dpkg -i Nessus-4.x.x-ubuntu804_amd64.deb
# dpkg -i Nessus-4.x.x-ubuntu810_i386.deb
# dpkg -i Nessus-4.x.x-ubuntu810_amd64.deb
# dpkg -i Nessus-4.x.x-ubuntu910_i386.deb
# dpkg -i Nessus-4.x.x-ubuntu910_amd64.deb
3.6.4.5.2 Sample Output
# dpkg -i Nessus-4.2.0-ubuntu804_amd64.deb
Selecting previously deselected package nessus.
(Reading database ... 32444 files and directories
currently installed.)
Unpacking nessus (from Nessus-4.2.0-ubuntu804_amd64.deb)
...
Setting up nessus (4.2.0) ...
- Please run
/opt/nessus/sbin/nessus-adduser
to add a user
- Register your Nessus scanner at
http://www.nessus.org/register/ to obtain
all the newest plugins
- You can start nessusd by typing
/etc/init.d/nessusd start
#
3.6.4.6 Solaris 10
32
3.6.4.6.1 Install Command
# gunzip Nessus-4.x.x-solaris-sparc.pkg.gz
# pkgadd -d ./Nessus-4.x.x-solaris-sparc.pkg
The following packages are available:
1 TNBLnessus The Nessus Network Vulnerability
Scanner
(sparc) 4.2.1
Select package(s) you wish to process (or 'all' to process
3.6.4.6.2 Sample Output
# gunzip Nessus-4.2.1-solaris-sparc.pkg.gz
# pkgadd -d ./Nessus-4.2.1-solaris-sparc.pkg
The following packages are available:
1 TNBLnessus The Nessus Network Vulnerability
Scanner
(sparc) 4.2.1
Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]:1
Processing package instance <TNBLnessus> from
</tmp/Nessus-4.2.1-solaris-sparc.pkg>
The Nessus Network Vulnerability Scanner(sparc) 4.2.1
## Processing package information.
## Processing system information.
## Verifying disk space requirements.
33
## Checking for conflicts with packages already installed.
## Checking for setuid/setgid programs.
This package contains scripts which will be executed with
super-user permission during the process of installing this package.
Do you want to continue with the installation of
<TNBLnessus> [y,n,?]
Installing The Nessus Network Vulnerability Scanner as
<TNBLnessus>
## Installing part 1 of 1.
(output redacted)
## Executing postinstall script.
- Please run
/opt/nessus/sbin/nessus-adduser
to add a user
- Register your Nessus scanner at
http://www.nessus.org/register/
to obtain all the newest plugins
- You can start nessusd by typing
/etc/init.d/nessusd start
Installation of <TNBLnessus> was successful.
# /etc/init.d/nessusd start
#
34
Note: Ensure the latest Solaris Recommended Patch Cluster from Sun
is installed to eliminate any library compatibility errors.
3.6.4.7 FreeBSD 7 (32 and 64 bit)
3.6.4.7.1 Install Command
Use one of the appropriate commands below that corresponds to the
version of FreeBSD:
# pkg_add Nessus-4.2.0-fbsd7.tbz
# pkg_add Nessus-4.2.0-fbsd7.amd64.tbz
3.6.4.7.2 Sample Output
# pkg_add Nessus-4.2.0-fbsd7.tbz
nessusd (Nessus) 4.2.0 for FreeBSD
Processing the Nessus plugins...
[##################################################]
All plugins loaded
- Please run
/usr/local/nessus/sbin/nessus-adduser
to add an admin user
- Register your Nessus scanner at
http://www.nessus.org/register/ to obtain
all the newest plugins
- You can start nessusd by typing
/usr/local/etc/rc.d/nessusd.sh start
#
35
Note: Nessus recommends customization of the provided
configuration file for your environment as described in Appendix B.
3.6.4.8 Windows
3.6.4.8.1 Download Nessus
Nessus 4.2 is available for Windows XP, Server 2003, Server 2008,
Vista and Windows 7. The latest version of Nessus is available at
http://www.nessus.org/download/. Distribution file sizes and names
vary slightly and are approximately 12 MB in size. Select the
appropriate file and save to a temporary file location. Double click the
file to begin the installation process.
Figure 3.1 Windows Nessus Download Files
3.6.4.8.2 Installation
Install Nessus using an administrative account. Any errors related to
permissions, “Access Denied” or errors suggesting an action occurred
due to lack of privileges indicate an account with a lack of
administrative privileges. Use of the command line run cmd.exe utility
36
with “Run as…” can resolve required privilege errors. The default
settings can be used for most installations. See Figure 3.1 through 3.7
for the Windows installation process.
Figure 3.2 Windows Nessus Welcome Screen
37
Figure 3.3 Windows Nessus License Agreement
Figure 3.4 Windows Nessus Destination Folder
38
Figure 3.5 Windows Nessus Setup Type
Figure 3.6 Windows Nessus Install Dialog
39
Figure 3.7 Windows Nessus Completion Dialog
3.7
Upgrading Unix/Linux
This section explains how to upgrade Nessus from a previous Nessus installation.
The following table provides upgrade instructions for the Nessus server on all
previously supported platforms. Previously created configuration settings and users
will remain intact. Special upgrade instructions are provided in a note following the
example. Platform upgrade instructions follow:
3.7.1 Red Hat ES 4 (32 bit), ES 5 (32 and 64 bit)
3.7.1.1 Upgrade Commands
# service nessusd stop
40
Use the appropriate command below that corresponds to
the version of Red Hat:
# rpm -Uvh Nessus-4.x.x-es4.i386.rpm
# rpm -Uvh Nessus-4.x.x-es5.i386.rpm
# rpm -Uvh Nessus-4.x.x-es5.x86_64.rpm
restart the nessusd service
# service nessusd start
3.7.1.2 Sample Output
# service nessusd stop
Shutting down Nessus services: [ OK ]
# rpm -Uvh Nessus-4.2.0-es4.i386.rpm
Preparing...
########################################### [100%]
Shutting down Nessus services:
1:Nessus
########################################### [100%]
nessusd (Nessus) 4.2.0 for Linux
Processing the Nessus plugins...
[##################################################]
All plugins loaded
- Please run
/opt/nessus/sbin/nessus-adduser
to add an admin user
41
- Register your Nessus scanner at
http://www.nessus.org/register/ to
obtain all the newest plugins
- You can start nessusd by typing
/sbin/service nessusd start
# service nessusd start
Starting Nessus services: [ OK ]
#
3.7.2 Fedora Core 10 (32 and 64 bit), 11 (32 and 64 bit)
and 12 (32 and 64 bit)
3.7.2.1 Upgrade Commands
# service nessusd stop
Use the appropriate command below that corresponds to
the version of Fedora Core:
# rpm -Uvh Nessus-4.x.x-fc10.i386.rpm
# rpm -Uvh Nessus-4.x.x-fc10.x86_64.rpm
# rpm -Uvh Nessus-4.x.x-fc11.i386.rpm
# rpm -Uvh Nessus-4.x.x-fc11.x86_64.rpm
# rpm -Uvh Nessus-4.x.x-fc12.i386.rpm
# rpm -Uvh Nessus-4.x.x-fc12.x86_64.rpm
Restart the nessusd service with the following command when
the upgrade is complete:
# service nessusd start
42
#
3.7.2.2 Sample Output
# service nessusd stop
Shutting down Nessus services: [ OK ]
# rpm -Uvh Nessus-4.2.0-fc10.i386.rpm
Preparing...
########################################### [100%]
Shutting down Nessus services:
1:Nessus
########################################### [100%]
nessusd (Nessus) 4.2.0 for Linux
Processing the Nessus plugins...
[##################################################]
All plugins loaded
- Please run
/opt/nessus/sbin/nessus-adduser
to add an admin user
- Register your Nessus scanner at
http://www.nessus.org/register/
to obtain all the newest plugins
- You can start nessusd by typing
/sbin/service nessusd start
# service nessusd start
43
Starting Nessus services: [ OK ]
#
3.7.3 SuSE 9.3, 10
3.7.3.1 Upgrade Commands
# service nessusd stop
Use the appropriate commands below that corresponds to
the version of SuSE:
# rpm -Uvh Nessus-4.x.x-suse9.3.i586.rpm
# rpm -Uvh Nessus-4.x.x-suse10.0.i586.rpm
Restart the nessusd service with the following command the
upgrade is complete:
# service nessusd start
3.7.3.2 Sample Output
# service nessusd stop
Shutting down Nessus services: [ OK ]
# rpm -Uvh Nessus-4.2.0-suse10.0.i586.rpm
Preparing...
########################################### [100%]
Shutting down Nessus services:
1:Nessus
########################################### [100%]
nessusd (Nessus) 4.2.0 for Linux
Processing the Nessus plugins...
44
[##################################################]
All plugins loaded
- Please run
/opt/nessus/sbin/nessus-adduser
to add an admin user
- Register your Nessus scanner at
http://www.nessus.org/register/
to obtain all the newest plugins
- You can start nessusd by typing
/sbin/service nessusd start
# service nessusd start
Starting Nessus services: [ OK ]
#
3.7.4 Debian 5 (32 and 64 bit)
3.7.4.1 Upgrade Commands
# /etc/init.d/nessusd stop
Use the appropriate commands below that corresponds to
the version of Debian:
# dpkg -i Nessus-4.x.x-debian5_i386.deb
# dpkg -i Nessus-4.x.x-debian5_amd64.deb
# /etc/init.d/nessusd start
3.7.4.2 Sample Output
# /etc/init.d/nessusd stop
45
# dpkg -i Nessus-4.2.0-debian5_i386.deb
(Reading database ... 19831 files and directories
currently installed.)
Preparing to replace nessus 4.2.0 (using Nessus-4.2.0debian5_i386.deb) ...
Shutting down Nessus : .
Unpacking replacement nessus ...
Setting up nessus (4.2.0) ...
nessusd (Nessus) 4.2.0. for Linux
Processing the Nessus plugins...
[##################################################]
All plugins loaded
- Please run
/opt/nessus/sbin/nessus-adduser
to add an admin user
- Register your Nessus scanner at
http://www.nessus.org/register/ to
obtain all the newest plugins
- You can start nessusd by typing
/etc/init.d/nessusd start
# /etc/init.d/nessusd start
Starting Nessus : .
#
46
3.7.5 Ubuntu 8.04, 8.10 and 9.10 (32 and 64 bit)
3.7.5.1 Upgrade Commands
# /etc/init.d/nessusd stop
Use the appropriate commands below that corresponds to
the version of Ubuntu:
# dpkg -i Nessus-4.x.x-ubuntu804_i386.deb
# dpkg -i Nessus-4.x.x-ubuntu804_amd64.deb
# dpkg -i Nessus-4.x.x-ubuntu810_i386.deb
# dpkg -i Nessus-4.x.x-ubuntu810_amd64.deb
# dpkg -i Nessus-4.x.x-ubuntu910_i386.deb
# dpkg -i Nessus-4.x.x-ubuntu910_amd64.deb
# /etc/init.d/nessusd start
3.7.5.2 Sample Output
# /etc/init.d/nessusd stop
# dpkg -i Nessus-4.2.0-ubuntu810_i386.deb
(Reading database ... 19831 files and directories
currently installed.)
Preparing to replace nessus 4.2.0 (using Nessus-4.2.0ubuntu810_i386.deb) ...
Shutting down Nessus : .
Unpacking replacement nessus ...
Setting up nessus (4.2.0) ...
47
nessusd (Nessus) 4.2.0. for Linux
Processing the Nessus plugins...
[##################################################]
All plugins loaded
- Please run
/opt/nessus/sbin/nessus-adduser
to add an admin user
- Register your Nessus scanner at
http://www.nessus.org/register/ to
obtain all the newest plugins
- You can start nessusd by typing
/etc/init.d/nessusd start
# /etc/init.d/nessusd start
Starting Nessus : .
#
3.7.6 Solaris 10
3.7.6.1 Upgrade Commands
# /etc/init.d/nessusd stop
# pkginfo | grep nessus
The following is example output for the previous command
showing the Nessus package:
application TNBLnessus The Nessus Network
Vulnerability Scanner
48
To remove the Nessus package on a Solaris system, run the
following command:
# pkgrm <package name>
# gunzip Nessus-4.x.x-solaris-sparc.pkg.gz
# pkgadd -d ./Nessus-4.2.0-solaris-sparc.pkg
The following packages are available:
1 TNBLnessus-4-2-0 TNBLnessus
(sparc) 4.2.0
Select package(s) you wish to process (or 'all' to
process
all packages). (default: all) [?,??,q]: 1
# /etc/init.d/nessusd start
3.7.6.2 Sample Output
# /etc/init.d/nessusd stop
# pkginfo | grep nessus
application TNBLnessus The Nessus Network
Vulnerability Scanner
# pkgrm TNBLnessus
(output redacted)
## Updating system information.
Removal of <TNBLnessus> was successful.
# gunzip Nessus-4.2.1-solaris-sparc.pkg.gz
# pkgadd -d ./Nessus-4.2.1-solaris-sparc.pkg
49
The following packages are available:
1 TNBLnessus The Nessus Network Vulnerability
Scanner
(sparc) 4.2.1
Select package(s) you wish to process (or 'all' to
process
all packages). (default: all) [?,??,q]: 1
Processing package instance <TNBLnessus> from
</export/home/cbf/TENABLE/Nessus-4.2.1-solarissparc
pkg>
The Nessus Network Vulnerability Scanner
(sparc) 4.2.1
## Processing package information.
## Processing system information.
13 package pathnames are already properly installed.
## Verifying disk space requirements.
## Checking for conflicts with packages already
installed.
## Checking for setuid/setgid programs.
This package contains scripts which will be executed
with super-user
permission during the process of installing this
package.
50
Do you want to continue with the installation of
<TNBLnessus> [y,n,?]
Installing The Nessus Network Vulnerability Scanner as
<TNBLnessus>
## Installing part 1 of 1.
(output redacted)
## Executing postinstall script.
- Please run
/opt/nessus/sbin/nessus-adduser
to add a user
- Register your Nessus scanner at
http://www.nessus.org/register/ to obtain
all the newest plugins
- You can start nessusd by typing
/etc/init.d/nessusd start
Installation of <TNBLnessus> was successful.
# /etc/init.d/nessusd start
#
Note: Uninstall the existing version and then install the newest
release to upgrade Nessus on Solaris. This process does not
remove configuration files or files that were not part of the original
installation. Ensure the latest Solaris Recommended Patch Cluster
from Sun encounter library to avoid compatibility errors.
51
3.7.7 FreeBSD 7 (32 and 64 bit)
3.7.7.1 Upgrade Commands
# killall nessusd # pkg_info
This command lists all the packages installed and
their descriptions. The following is example output for the
previous command showing the Nessus package:
Nessus-4.0.2 A powerful security scanner
Remove the Nessus package using the following command:
# pkg_delete <package name>
Use one of the appropriate commands below that corresponds to
the version of FreeBSD:
# pkg_add Nessus-4.2.0-fbsd7.tbz
# pkg_add Nessus-4.2.0-fbsd7.amd64.tbz
# /usr/local/nessus/sbin/nessusd -D
3.7.7.2 Sample Output
# killall nessusd
# pkg_delete Nessus-4.0.2
# pkg_add Nessus-4.2.0-fbsd7.tbz
nessusd (Nessus) 4.2.0. for FreeBSD
Processing the Nessus plugins...
[##################################################]
All plugins loaded
52
- Please run
/usr/local/nessus/sbin/nessus-adduser
To add an admin user
- Register your Nessus scanner at
http://www.nessus.org/register/ to
obtain all the newest plugins
- You can start nessusd by typing
/usr/local/etc/rc.d/nessusd.sh start
# /usr/local/nessus/sbin/nessusd -D
nessusd (Nessus) 4.2.0. for FreeBSD
Processing the Nessus plugins...
[##################################################]
All plugins loaded
#
Note: Uninstall the existing version and then install the newest
release to upgrade Nessus on FreeBSD. This process does not
remove configuration files or files that were not part of the original
installation.
3.8 Upgrading Windows
3.8.1 Upgrade Nessus 4.0 to 4.0.x
This upgrade process will ask if the user wants to delete everything in the
Nessus directory. If you choose “Yes” for this option, an uninstall process
53
will remove previously created users, existing scan policies, scan results and
the scanner will become unregistered.
3.8.2 Upgrade from Nessus 3.0 to 3.0.x
Direct upgrades from Nessus 3.0.x to Nessus 4.x are not supported. An
upgrade to version 3.2 can be used as an interim step to ensure that vital scan
settings and policies are preserved.
If scan settings do not need to be kept, uninstall Nessus 3.x first and then
install a fresh copy of Nessus 4. Consult the Nessus 3.2 Installation Guide for
more information to upgrade to 3.2 as an interim step. The guide can be found
ath
the
Tenable
website
at
http://www.tenablesecurity.com/documentation/nessus_3.2_installation_guide
.pdf
3.8.3 Upgrading from Nessus 3.2 and later
Upgrades from Nessus 3.2 or later are supported. Download the Nessus 4
package and install it without uninstalling the existing version to preserve all
previous vulnerability scan reports and policies and will not be deleted.
3.9 Nessus Directory Configuration
3.9 Nessus Major Directories
3.9.1 Windows

\Program Files\Tenable\Nessus
Windows Nessus Subdirectories
 \conf
- Configuration files
54
 \data
- Stylesheet templates
 \nessus\plugins
- Nessus plugins
 \nessus\users\<username>\kbs
- User knowledgebase on disk

- Nessus log files
\nessus\logs
3.9.2 Unix Distributions (Red Hat, SuSe, Debian, Ubuntu, Solaris)

/opt/nessus
Unix Nessus Subdirectories
 ./etc//nessus/
- Configuration files
 ./var/nessus/users/<username>/kbs/
- User knowledgebase on disk
3.9.3 FreeBSD

/usr/local/nessus
FreeBSD Subdirectory

./lib/nessus/plugins/
- Nessus plugins
3.9.4 Mac OS X

/Library/Nessus/run
Mac OS X Subdirectory

/var/nessus/logs/
-Nessus log files
55
3.10 Nessus Server Manager and Client Interfaces
3.10.1. Nessus Server Manager
Use the Nessus Server Manager to start, stop and configure the Nessus server.
The Client interface provides the connection to the server. The server interface
allows you to:

Register your Nessus Server to nessus.org in order to receive updated
plugins

Perform a plugin update

Configure the startup option whenever Windows starts

Manage Nessus users

Start or Stop the Nessus Server
56
Figure 3.8 Windows Server Manager Configuration
3.11 Changing Default Nessus Port
Edit the nessusd.conf file located in C:\Program Files\Tenable\Nessus\conf\ to
change the default port. These configuration directives can be edited to alter the
Nessus service listener and Web Server preferences:
# Port to listen to (old NTP protocol). Used for pre 4.2 NessusClient
# connections :
listen_port = 1241
# Port for the Nessus Web Server to listen to (new XMLRPC protocol) :
57
xmlrpc_listen_port = 8834
Stop the Nessus service via the Nessus Server Manager and restart it.
3.12 Registering the Nessus Installation
Register Nessus by clicking on “Obtain an activation code”. Two options exist.
The Nessus website will offer a HomeFeed and ProfessionalFeed version. The
website is at http://www.nessus.org/plugins/?view=register-info.. A
ProfessionalFeed is required for commercial use and offers plugin updates,
customer support, configuration audits, virtual appliance and more. A HomeFeed
is required for home users and not licensed for professional or commercial use.
Required information is provided and processed and an email that contains an
Activation Code entitles you to either the ProfessionalFeed or the HomeFeed of
plugins. Enter the Activation Code in the appropriate field and click on the
“Register” button. Note that you will be prompted to enter the administrator
username and password. The Nessus Server Manager authorizes the Feed
Activation Code, and takes several minutes to update the Nessus plugins.
Functioanlity in the Nessus Server Manager is disabled until it is activated.
Note: Nessus Security Center is a centralized application that can be used to
manage Activation Codes for several Nessus installations.
3.13 Adding User Accounts
Click on the “Manage Users”button in the “Nessus Server Manager” dialog.
58
Figure 3.9 Activated Windows Server Manager Dialog
59
Click on the “+” button to enter a new username and password.
Figure 3.10 Nessus User Management Dialog
60
Enter the username, the password, the password again, and select
the “Administrator” checkbox to assign administrator credentials to the user.
Figure 3.11 Nessus Add/Edit User Dialog
Clicking the “Edit…” button will allow password maintenance. Click the “-”
button with a user selected will delete the user after confirmation.
61
Figure 3.12 Nessus Client Login User Dialog
3.14 Host-Based Firewalls
It is required that connections be allowed from the Nessus client’s IP address if the
Nessus Server is configured on a host with a personal firewall such as Zone Alarm,
Sygate, Windows XP firewall or any other firewall software. T he default port 8834 is
used for the Nessus Web Server user interface. On Microsoft XP service pack 2 (SP2)
systems, clicking on the “Security Center” icon available in the “Control Panel”
presents the user with the opportunity to manage the “Windows Firewall” settings. To
open up port 8834 choose the “Exceptions” tab and then add port “8834” to the list.
Consult the documentation for configuration instructions for other personal firewall
software.
62
3.15 Other Operating System Configuration
Configuration of other operating systems requires specific parameters for the desired
results. Configuration is very similar for the different supported operating systems.
The Graphical User Interface (GUI) dialogs can be used for the required
configuration. Refer to the installation guides for the particular operating system and
version for a complete detailed guide. The guides can be found at
http://www.nessus.org.
Note: The configuration tasks can be done via Command Line Interface (CLI)
directives. Configuration files can be edited for the desired configuration.
Refer to the installation guides for the particular operating system and version.
The guides can be found at ttp://www.nessus.org.
63
Figure 3.13 Configuration Screen for Credentials
3.16 Policy Compliance Plug-ins
The Policy Compliance plug-ins are also referred to as compliance checks. These are
the mechanisms implemented by which audit files work. They facilitate the means to
audit a variety of settings from baseline operating system security policy to
customized application configuration checks such as those found in the Bandolier
security audit files. Tenable offers operating system audit files for nearly all major
operating systems. See Figure 3.14.
64
Figure 3.14 Policy Compliance Plug-ins
3.17 Patch Auditing
Nessus credential checks can be used to identify missing security patches. Local
security plug-ins will check for missing operating system and application patches that
are commonly overlooked during the security assessment phase. This task is one of
the most critical tasks that are required for securing operating systems and
applications. See Figure 4.3 for an example screenshot.
65
Figure 3.15. Example plug-in Selection of Operating System and Application
Security Scans
3.18 Netstat Port Scanner
Nessus also has the ability to use the authenticated connection to do a "netstat" port
scan. This is a safe way to enumerate open ports without a traditional port scan that
has been known to crash some control system applications. As the name implies, on
Unix systems the command netstat -an is invoked to return the results. For Windows,
WMI is used to return the same information.
66
3.16 Customize Policy Edit
3.19 Reporting
Using a combination of the Nessus credential scanning features can produce a useful
NERC CIP compliance report that often gives more insight into the security posture
of the machine or system. Combining the Bandolier security audit files, netstat port
scanner, and patch auditing can produce a report for inspection by the asset owners.
Here is the report of the custom iepeers.dll 0-day vulnerability [10] [11] plug-in run
against a Windows XP un-patched computer. See Figure 3.17.
67
Figure 3.17. Report Example of the iepeers_dll_0day.nasl plug-in and Windows
Compliance Checks on an un-patched XP virtual machine
68
Figure 3.17.1 Report Example of the SSH Remote Root Login Compliance Check on
a Fedora Core 12 virtual machine
69
3.20 Nessus Scanner Use
Nessus users have a wide range of powerful options whose functionality is critical to
a successful vulnerability scan. Scans can be configured and tailored for specific needs
in each unique environment. As with any function in the Technology industry, there is
the balancing act that must be observed. For instance, “Thorough Tests” can be
selected in the Global Settings menu. This will cause the scanner to behave differently
when executing but can also have a risk of adversely affecting fragile hosts or
services. This will cause the scanner to behave differently with over 900 of the more
than 34,000 plug-ins available with Nessus. The idea is to use the “Thorough Tests”
option only if needed. A system administrator would not select this option if all he
wanted to perform is port enumeration. Or the system administrator could select
“Thorough Tests” and “Enable CGI scanning” options for scanning specific web
applications. These configuration examples show that the options are features in the
scanner that add to its flexibility and robustness.
70
3.21 Nessus User Configuration Tab
The Nessus configuration tab is used to add users and assign permissions. The users
are then restricted to the permissions of their account.
Figure 3.18 Nessus User Tab
71
3.22 Nessus Policy Configuration Tab
Nessus policy configuration tab is used to customize the policy for a scan. Policies
can be configured in a variety of configurations. Plug-ns can be added or removed,
credentials can be supplied, preferences defined and the policy can be named and
described. The entire configuration for a policy customization is done in this tab.
Figure 3.19 Nessus Policy Tab
72
3.23 Nessus Scan Tab
The Nessus Scan Tab is used to select the policy for the scan. The scan is named and
the target or targets are specified. The “Launch Scan” button is then highlighted.
Figure 3.20 Nessus Scan Tab
73
3.24 Nessus Report Tab
The Nessus Report Tab is used to select the report for the scan. The report is selected
and the download button is used to fetch the report from the server. The format is
selected form the dropdown menu. The HTML format is a convenient format for
quickly displaying the results.
Figure 3.21 Nessus Report Tab
74
3.25 Customize Policies
Several factors that make the Nessus Scanner an ideal tool for system administrators
is the ability to customize plug-ins for very specific needs. This fine granularity
enables each plug-in to be used a building block to address the multitude of
vulnerabilities that can be exploited in SCADA systems. Since the integration of the
Internet into ICS, it is difficult to discover all the vulnerabilities that have surfaced in
the system. Nessus includes a list of over 34,000 plug-ins used for discovering
vulnerabilities. However, the case may exist where no plug-in has been written for a
particular case.
At fist glance, it appears like a comprehensive list of plug-ins is available for Nessus
scanning. Research shows that there has not been a plug-in written to address CVE2010-0806 “Peer Objects” component involving access to an invalid pointer upon the
deletion of an object. Otherwise known as an “Uninitialized Memory Corruption
Vulnerability”, exploits have surfaced in the wild in March 2010 [10] [11]. The
following NASL code [5] was written to address this vulnerability.
#
# iepeers.dll 0-day vulnerability script
# (free-after-use
# aka Uninitialized Memory Corruption Vulnerability )
# CVE Reference: CVE-2010-0806
# Written by Raymond Cordova
# Test Script to detect 0-day vulnerability in Internet
Explorer
75
#
include("compat.inc");
if (description)
{
script_id(50003);
script_version("$Revision: 1.0 $");
script_name(english:"iepeers.dll 0-day vulnerability
in Internet Explorer versions 6 or 7");
script_summary(english:"Checks Internet Explorer
version for 0-day free-after-use vulnerability.");
script_set_attribute(attribute:"synopsis", value:
"A older version of Internet Explorer (6 or 7) is
installed on the remote host.");
script_set_attribute(attribute:"description", value:
"A version of Internet Explorer (6 or 7)
is installed
on
the remote host.
Data Execution Protection (DEP)is
enabled by default in IE 8.0 which helps mitigate
attacks against it.
Microsoft recommends that users upgrade to version 8
for better security. Note that there are unconfirmed
reports from Secunia program and computer online
76
scanners report that version 8 is also vulnerable to
the iepeers.dll vulnerability using ActiveX.");
script_set_attribute(attribute:"see_also", value:"
http://blogs.technet.com/msrc/archive/2010/01/14/secur
ity-advisory-979352.aspx
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE2010-0806
http://www.vul.kr/microsoft-internet-explorer-iepeersdll-use-after-free-exploit-meta
http://www.microsoft.com/technet/security/advisory/981
374.mspx
http://secunia.com/advisories/38860/");
script_set_attribute(attribute:"solution",
value:"Upgrade to Internet Explorer 8." );
script_set_attribute(attribute:"risk_factor", value:
"Medium");
script_set_attribute(attribute:"plugin_date",
value:"2010/03/28");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Windows");
script_copyright(english:"This script is a test script
written by Raymond Cordova.");
77
script_dependencies("smb_hotfixes.nasl");
script_require_keys("SMB/IE/Version");
script_require_ports(139, 445);
exit(0);
}
include("global_settings.inc");
include("smb_func.inc");
port = kb_smb_transport();
version = get_kb_item("SMB/IE/Version");
v = split(version, sep:".", keep:FALSE);
if ( int(v[0]) > 5 && int(v[0]) < 8 )
{
if (report_verbosity > 0)
{
report = '\n' +
"Internet Explorer version " + version + " is
installed on the remote host. The iepeers.dll
is vulnerable to exploits. This vulnerability
exploits the “free-after-use invalid object
pointer after object deletion" + '\n';
security_warning(port:port, extra:report);
}
else security_warning(port);
78
exit(0);
}
else exit(0, "Internet Explorer version " + version + "
is installed on the remote host. The iepeers.dll is
vulnerable to exploits.");
Script 3.1 XP “iepeers.dll” 0-day Vulnerability Script
Script 3.1 will scan, detect, report and suggest a solution to the vulnerability, if
found. The methodology used includes the use of previously written code by the use
of a dependency statement in the code. e.g., script_dependencies(). Also, local
Knowledge Base items stored on the local server are accessed for use with
script_require_keys() statement. Utilizing these functions allows for enhancing the
performance and overall effectiveness of the scan.
# Windows Compliance Check for XP computers
# Checks for disabled USB Storage Devices
# Version 2 Windows Compliance Plugin
# Written By Raymond Cordova
<check_type: "Windows" version: "2">
<group_policy: "Audits Windows 2003 Systems for disabled
USB Storage devices.">
<custom_item>
type: REGISTRY_SETTING
79
description: "USB Storage Devices
Are disabled"
value_type: POLICY_DWORD
value_data: 4
reg_key: "HKLM\SYSTEM\CurrentControlSet\
Services\UsbStor"
reg_item: "start"
reg_type: REG_DWORD
</item>
</group_policy>
</check_type>
Script 3.2 XP USB Storage Devices Disabled Compliance Check Audit
Script
80
# Windows Compliance Check for XP computers
# Checks for disabled CDROM autorun
# Version 2 Windows Compliance Plugin
# Written By Raymond Cordova
<check_type: "Windows" version: "2">
<group_policy: "Audits Windows Systems for CD AutoRun
disabled">
<custom_item>
type: REGISTRY_SETTING
description: "CD AutoRun Disabled"
value_type: POLICY_DWORD
value_data: 0
reg_key:"HKLM\SYSTEM\
CurrentControlSet\Services\Cdrom"
reg_item: "AutoRun"
reg_type: REG_DWORD
</item>
</group_policy>
</check_type>
Script 3.3 XP CDROM Auto-play Disabled Compliance Check Audit
Script
81
<check_type:"Unix">
<custom_item>
type:FILE_CONTENT_CHECK
description:"Check if PermitRootLogin is set to no
and not commented for the server."
file:"/etc/ssh/sshd_config"
regex:"^ *[^#]*PermitRootLogin *"
expect:"PermitRootLogin no"
</custom_item>
</check_type>
Script 3.4 Fedora 12 SSH Remote Root Login Disabled Compliance
Check Audit Script
Following the Nessus best practices presented in the NASL Reference Guide [5],
the code was written to address only one vulnerability in each plug-in. In this way,
the plug-in can be used with future or existing plug-ins as a building block that
becomes a building block of a complex collection of plug-ins.
3.26 Nessus Scan Performance Metrics
Nessus scans were performed on the prototype and ISSG lab computers. The
prototype layout is shown in Figure 3.22.
82
Prototype Layout
5/10/2010
ENSDV / Cordova
12
Figure 3.22 Prototype Layout
The Nessus scanner used was version 4.2.1 build 9119 with the
ProfessionalFeed subscription services with updated plug-ins. Full scans were
performed with CGI, Web application tests and thorough testing enabled. Safe
checks were also enabled. Administrator credentials were provided in the Nessus
policy.
83
Prototype Target Machines
Seconds
3Com SSS HP Procurve VXWorks
723
HP Jet Direct Printer
253
Windows 7 Home - physical
565
Windows Server 2003 VM
242
Windows XP Pro un-patched VM
279
Linux Kernel 2.6 VM
Windows XP Pro patched - physical
Table 1. Prototype Nessus Scan Time
874
1153
84
Figure 3.23 Nessus Scan Performance Times on Prototype
Nessus scans were performed on the ISSG lab computers on subnets 128.198.60.0
and 128.198.62.0. The scan discovered 34 machines active on the network. Full scans
were performed with CGI, Web application tests and thorough testing enabled. Safe
checks were enabled. Credentials were not provided in the policy.
85
Target Machines
Seconds
128.198.60.1
128.198.60.127
128.198.60.129
128.198.60.18
128.198.60.181
128.198.60.63
128.198.60.65
128.198.62.1
128.198.62.120
128.198.62.131
128.198.62.184
128.198.62.185
128.198.62.186
128.198.62.2
128.198.62.25
128.198.62.26
128.198.62.3
128.198.62.90
128.198.62.91
128.198.62.92
128.198.62.93
a-212-01.csnet.uccs.edu
a-212-02.csnet.uccs.edu
a-212-03.csnet.uccs.edu
a-212-04.csnet.uccs.edu
ace.csnet.uccs.edu
b2b.csnet.uccs.edu
bilbo.csnet.uccs.edu
gandalf.csnet.uccs.edu
se-a210-05.csnet.uccs.edu
sis.csnet.uccs.edu
viva.csnet.uccs.edu
walden.csnet.uccs.edu
walrus.csnet.uccs.edu
blanca.uccs.edu
Table 2. ISSG Nessus Scan
409
413
412
5830
368
417
402
455
530
1372
429
464
460
461
4864
565
456
586
675
767
701
320
324
385
362
1117
373
466
4233
354
372
5272
781
4587
5666
86
Several factors affect the scan time on the target machines. It appears that the scan
takes longer on machines that have web services installed. The Viva server took
5,272 seconds to complete. The scan appears to have found several web server’s
instances of virtual Apache installations. Older machines such as the physical XP
patched machine on the prototype did not perform well. Several applications and
services installed on this machine have it in an “overloaded” condition. The machine
has a 1GHz PIII with 512 RAM and is very slow when working on a modern
application. Many other factors affecting scan time performance include:
•
Hardware
•
Operating System
•
Applications
•
Services
•
Network Infrastructure
•
Nessus server Host
•
Firewall
•
Passive or Active IDS/IDP
Note: For additional assessment of Nessus scan performance, please refer to
http://www.nessus.org/documentation/index.php?doc=nessus published by Tenable
Nessus [19].
87
Figure 3.24 Nessus Non-credential Scan Performance Times on ISSG Lab
88
Figure 3.25 Nessus Non-Credentialed Scan on ISSG Lab
89
Figure 3.26 Nessus Credentialed Scan on ISSG Lab
90
Results of the two different scans indicate how different configuration can affect
the scan performance. Four machines were targeted:

Athena.csnet.uccs.edu

Blanca.uccs.edu

Gandalf.csnet.uccs.edu

Viva.csnet.uccs.edu
The policy configuration was identical except for the credential configuration in which
credentials were provided for one scan and not the other. It should be noted that
credentialed scanning invokes additional plug-ins for a more comprehensive scan
result. Additionally, scans will only run plug-ins that are pertinent in a cascading
fashion, e.g., if the web application test is enabled and a web application is found on
the target machine, more scan tests will be launched against the target. If no web
application is found, the web tests will terminate and scan time is reduced. .
Figure 3.25 scan result with no credential configuration indicates a shorter period of
time for the scan to complete. Figure 3.26 indicates longer periods of time before the
scan completed. Credentialed scanning took slightly over 36% longer than noncredentialed scanning.
91
92
Chapter 4 Lessons Learned
4.1 SCADA Access
As plans unfolded for research in ICS and Internet integration emerging technology
and security of the systems, several unforeseen issues began to surface. The first
realization of difficulty focused on the problems with procuring a prototype that could
simulate a SCADA infrastructure. When asked about test access to a SCADA test bed,
a quote from an email from Renaud Deraison of Nessus simply states, “That's the
biggest problem with SCADA”, indicating no test scans can be tested on the SCADA
system unless special permission is granted through contract agreement. Ultimately,
no access to any test bed or system could be established because of the stringent
security of the ICS.
4.2 Meter and Development Kit Procurement
While attempting to procure smart meters and collection points for lab testing,
several vendors were hesitant to provide any information about their product for fear
of divulging trade secrets and discovering unknown vulnerabilities. This procurement
proved difficult to implement because of vendors at Byram Labs offered meters at a
cost of nearly $3000 to provide a few meters of different models but the collection
points would cost $900 for an online monitoring service in 6 month time periods.
Other vendors provided meters only for authorized buyers. And others would allow
93
purchase of a smart meter but provided no support for interface support, code
enhancement, development or hardware. It became apparent meters purchased directly
from a vendor would not fulfill thesis research requirements to enhance network
scanning for discovering vulnerabilities.
Several development kits could simulate a “Smart Meter” but cost, interface
hardware, software, and the ambiguity of what is specifically needed made the
decision difficult. Extensive research showed the TI CC2530ZDK MSP2530 ZigBee
and ZigBee Pro development kit to be a good candidate for conducting meaningful
research. The development kit costs $649 and has a “Sample before Buy” program
that allows for users to order different hardware samples for testing in the kit. This kit
allows for testing of several different low-power RF processors and protocol stacks
currently used in TI’s solution for Smart Meters. Also considered was the CC430 that
integrates the latest MSP430F5xx to develop an entire wireless project. However,
more functionality and flexibility is integrated in the MSP2530 development kit with
the more secure Smart Meters using this hardware.
Another candidate development kit is the CC2430 System-on-Chip solution for 2.4
GHz IEEE 802.15.4 / ZigBee. The ZStack library version 2.2.2-1.30 used in the
CC2430 and CC2530 microcontrollers uses an insufficient random Psuedo-RandomNumber-Generator (PRNG) for cryptographic signatures and session keys. PRNG data
repeat every 32,767 samples, and there are at most 16 bits of entropy in any key.
Searching the entire key space is possible without investing a lot of time. The random
numbers must not be used to generate random keys used for security purposes. The
94
flaw is that the PRNG is not cryptographically secure and is that it is seeded from a
random source that has very little entropy. The weakness ought to serve as a
cautionary tale for the untold number of companies working on parts with stimulus
monies that will make up the emerging smart grid. So it became a time consuming
research task to determine if the Zigbee stack shipped with the development kits
CC430 and CC2530 shipped with the latest version 2.3.0 which relies on the fact that
the Zigbee stack in these kits is not flawed.
4.3 Nessus Scanner
The Nessus demo version was selected for the functionality, flexibility,
customizable, powerful, automated, safe scanning tool that it is advertised as. Nessus
boasts it is a centralized invaluable tool for ICS/Internet administrators to simplify the
daunting task of securing the ICS/Internet infrastructure. The decision was made to
test the tool with credentialed scanning and customize plug-ins for enhancing the tool
to add meaningful value. The focus was to identify and focus on a methodology to be
used as a foundation to be used to meet the security requirements of the various
enterprise organizations. The Nessus HomeFeed version was downloaded and it was
soon discovered that the tool functionality is limited to basic scanning. It became
evident the HomeFeed version would not meet the requirements to fulfill research,
methodology and enhancement goals.
Renaud Deraison at Nessus was contacted through email with a request for the
ProFeed version. Project information was provided and Renaud provided a fully
95
functional version of Nessus ProFeed. The ProFeed version provided additional
functionality:

Report comparison

Resolved inconsistencies in the creation of custom plug-ins

Re-index DB inconsistencies

Display issues with plug-ins
The Nessus ProFeed exhibited odd behavior with custom plug-ins.

Re-index DB inconsistencies unless the DB is purged and rebuilt

Display issues with plug-ins

Re-named plug-in is run twice if ID is not updated

Re-named plug-in is displayed twice in plug-in dialog window
The solution to rebuild and re-index the database was attempted to resolve the
problems encountered with custom plug-ins. The command “:>"c:\Program
Files\Tenable\Nessus\nessusd.exe" -R 3 was entered in a command prompt. The “–R”
and the number “3” switch options rebuild the database with a complete flush, rebuild
and re-index. The procedure to logout of the client, stop the Nessus server and execute
the command failed. The command prompt immediately returned and the server would
not restart. The installation was repaired through the Control Panel Programs applet
and the server restarted successfully. However, the duplicate plug-ins were still listed
and the scan report indicated two instances of the same plug-in although the plug-ins
were named differently. The underlying cause was the plug-in ID number was
identical in that the ID number was not changed during the renaming procedure. This
96
effectively caused a collision of the plug-ins in the database and the cached plug-in
mechanism. Two mistakes were made. Renaming a plug-in requires the ID to be
changed immediately before the server is restarted or plug-ins are updated through
server manager. The re-index command failed because the server manager window
was still open even though the server was stopped. The server manager window must
be closed prior to rebuilding the DB.
When starting the Nessus Server Manager, the user must wait about a 10-30 seconds
before starting the client. Although the server indicates the service is started, there is
obviously some background process that is still starting that the client depends on to
successfully connect to the server.
Figure 4.1 Successful Nessus Database Rebuild and Re-index
4.4 Digital Bond Bandolier Project Compliance Check
Plug-ins
Preliminary research direction focused on the Bandolier files delivered to Nessus for
SCADA compliance checking. The idea was to investigate the files for a better
97
understanding of scanner use with compliance check audit files. This tool is further
supported by the Digital Bond Bandolier project [6]. Nessus has been approved by
North American Reliability Corp. (NERC) Critical Infrastructure Protection (CIP) as a
tool for scanning SCADA. Plug-ins are custom written to scan SCADA network
systems and require subscription services for full functionality and update service. The
Bandolier project has provided forty 40 new plug-ins specifically written for SCADA
as of May 2010 The plug-ins are pre-compiled Nessus binary (.nbin file extension)
files that could not be analyzed unless they are reverse engineered with an application
similar to IDA Pro. This made it difficult to analyze and research these scripts. Deeper
research revealed many of the “nbin” files are run only as compliance checks for
SCADA vendor specific applications and focus was shifted away from analyzing these
files. Two audit files were disassembled and analyzed. It became evident that it would
not be advantageous to continue in this direction.
4.5 Nessus Attack Scripting Language (NASL)
The Nessus Attack Scripting Language (NASL) [5] is a new language to learn
before any scripting or customizing can be done. The reference manual was studied
and test scripts were written to tune skills for the methodology to write custom scripts.
The NASL interpreter proved to be very unforgiving. A space in the script would
render the script un-executable and could only be discovered by brute force trial and
error until running the mis-behaved script resulted in script errors in the report. Of
particular concern are the Windows Compliance check ID 51126 and Unix
Compliance Check ID 51127 scripts. During the creation of an enhanced script for
98
detecting SSH remote root login, the report indicated a conflict in version 1 and 2 of
the compliance scripts. The windows script worked but the Unix Compliance Check
ID 51127 would report “check_type” not set in the created custom script. Research of
Nessus documentation and discussion boards indicated that “v2” be appended to the
filename and the opening <“check_type : “Unix” version: “2”> and closing
</check_item> tags are required for the version 2 plugin. The Nessus database is reindexed with a nessus –t command to accept changes to any plug-ins. The nessus –D
is used to re-build the database. The Nessus service is restarted and errors persisted.
The script was re-written from scratch with a backward compatible version 1 format
and received a parse error indicating “ “ in line 3. The space was removed and the
script successfully completed. A version 2 script was re-created and fails with the
same indications. The limited resources of discussion boards, limited support,
documentation all indicate the <check_type> tags should be included in version 2 but
clearly do not work for Unix compliance checks. Issues appear to be an unforgiving
syntax error in which a “space” before or after the script statements cause an error at
run time and the version 2 syntax not recognized correctly in Unix Compliance Check
ID 51127. Renaud Deraison of Nessus has confirmed that the version 2 syntax is not
functional in the Unix compliance checks and only works with Windows.
4.6 VMware
The VMware server console was selected as the Virtual Machine solution for
simulation of a computer systems connected to SCADA systems. The VM server
software would not install on the un-supported laptop hardware and had to use VM
99
Workstation or Player trial versions. Four machines were configured as W2K3
unpatched, XP unpatched, Ubuntu 10 beta and Fedora 12 with telnet enabled. The
virtual machines were then scanned and the XP un-patched machine was scanned
successfully with administrator credentials. The W2K3 machine returned with limited
results. It could not fully be scanned with credentials since no domain was defined.
The Ubuntu 10 machine was scanned resulting in no critical vulnerabilities found
since no plug-ins have not been written for the Beta version of Ubuntu 10. Although
there are Ubuntu plug-ins for earlier versions and the scan runs against Ubuntu 10,
earlier version plug-ins are not executed. Fedora 12 was configured with telnet
services and SSH remote root login enabled. Scans produced a report indicating both
risk configurations on Fedora 12.
Difficulties surfaced with the virtual machines. The XP un-patched machine became
corrupt and had to be re-installed. It should be noted no scans were run on the XP
machine prior to the corruption and had been powered down ever since it was created.
It is not known why this occurred.
The Fedora 12 and W2k3 machines lost network connectivity when testing at UCCS.
The Windows 7 laptop performed very well with all 4 virtual machines active.
However, attempting to run a Nessus scan on the virtual machines while connected to
the UCCS wireless campus resulted in no scan run on any virtual machine. Re-testing
on the home prototype wireless LAN successfully completed. Connections on the
“bridged” network adapter needed to be configured as “host only” for successful
100
network connectivity between the host machine and the virtual machines. The
scans were successfully completed at home and UCCS and re-testing proved
successful.
101
102
Chapter 5 Future Direction
5.1 Texas Instruments Development Kits
Research can be continued in a lab setup of Texas Instrument’s MPS2530 microcontrollers. This development kit can be used to assess Texas Instrument’s smart
meters that are currently being used in the United States. The micro-controllers are
advertised as NIST CIP compliant; however, there are vulnerabilities in the MPS2430
series meters. Research and development is needed for the creation of enhanced plugins to check the ZigBee stack version for the Pseudo Random Number Generator
(PRNG) vulnerability. ZigBee stack versions greater than version 2.3 do not exhibit
the (PRNG) vulnerability.
5.2 Automatically Patching Failed Compliance
Checks
In a related area of work, Digital Bond and the Bandolier project have provided 40
specifically targeted compliance plug-ins for SCADA. The plug-ins are Nessus binary
pre-compiled files with a “.nbin” file extension. A possible research project can be
performed to research the compiler for the possibility to integrate the audit file
language with C+ for automatic patching of specific security vulnerabilities. The
compliance check file, registry key, web banner, configuration file, etc. is already
known to the plug-in and it would be matter of changing a value from “yes” to “no”,
103
as such in the case of “PermitRootLogin Yes” for Fedora Core 12. The C+
language is recognized by the Nessus interpreter.
5.3 Shared Plug-ins
As of May, 2010, Tenable Nessus provides 35,414 plug-ins to the scanner that are
updated daily. There are vulnerabilities that have not been addressed by the direct feed
plug-in subscriptions from Tenable. A possible research project can focus on the
methodology presented in this thesis to contribute to the creation of plug-ins to share
among the Nessus community. Many of the plug-ins in the subscription direct feed
services were written by Nessus community users. This can become a great
contribution if an ongoing comprehensive effort is undertaken.
5.4 OS Extensions
The Windows vulnerability and audit files can be tailored for different Operating
Systems (OS). The registry keys being inspected are unique to different OS’s and can
be quickly and easily modified for different versions of Windows. This process entails
determining the correct registry keys and configuration files for inspection for each
OS.
5.5 System Alert for Detecting Plug-in Removal
Lastly, I can envision a project for future work to alert the administrator that a
customized plug-in has been removed form the plug-in directory. However, if the
custom plug-in is uploaded to Nessus direct feed subscription services, the update
104
would download the plug- if non-existent in local directories. This is the Nessus
community idea of sharing.
If it is simply a local custom plug-in not being shared and not uploaded to Nessus,
the code alert project would be interesting to implement. Perhaps some code to
determine if the plug-in directory size decreases could be used as a trigger for the
alert. The directory should only grow. The plug-in cache will already contain a copy
and would still run even if the custom plug-in is removed.
105
106
Chapter 6 Conclusion
As the utility power grid catches up to technology, several inherent problems
surface that are apparently not as visible as most would think. The problems arise from
the cyber net infrastructure that introduces common vulnerabilities that have evolved
from the Internet communication system and computer/network operating systems..
The Committee of Homeland Security and several other regulatory agencies have
heard recommendations [15] [18] from security consultants that have researched the
problems and the devised solutions for the security vulnerabilities in wireless and
cyber infrastructures.
I have surveyed the smart grid technology and related security issues. Research
performed has proved that the available smart meters are insufficient in security
mechanisms to protect the smart grid from what are common Internet and Operating
System vulnerabilities.
It is interesting to note that emerging technology for ICS has finally reached a point
of maturity that security has dictated the need for confidentiality, integrity and
availability in a scope where no compromise can be tolerated. To this end I have
designed and developed Nessus plug-ins to enhance network scanning to discover
vulnerabilities and perform compliance checks. A test-bed prototype consisted of
virtual machines to ensure the enhanced plug-ins “behaved”.
107
I have developed a systematic methodology that can be followed as a foundation
to create new custom plug-ins to tailor the scans for specific ICS/IP or network
environment. The methodology involves writing a plug-in for only one vulnerability,
using Nessus built-in functions to determine if the scan should be run, call other plugins as dependencies to use those results in the current scan, and share the custom plugin with the Nessus community. The Nessus Attack Scripting Language (NASL) very
elegantly accommodates this methodology coding of the attack test script.
The iepeers.dll vulnerability plug-in was written to check for a 0-day vulnerability
discovered in the wild in March 2010.
Discovering 0-day exploits can be a
challenging task or relatively simple. The development approach methodology I
present requires the system administrator be pro-actively checking bulletins,
subscribing to security advisories and staying on top of the issues that arise in the
course of his duties. Or a new vulnerability might be discovered by meticulously
searching logs. The development approach methodology presented in this thesis can
be flexed to encompass unique situations.
Audit file compliance checks were written to enhance the scanner for detecting
compliance for three important issues. The audit file compliance check files and there
fuction are described below:

ssh_remote_root_login.audit detects sshd_config does not allow remote ssh
logins on Fedora Core 12 OS

CD_autorun_disabled_v2.audit detects CDROM autoplay is disabled ion
Windows XP machines
108

USB_storage_disabled_v2.audit detects USB storage devices are disabled
on Windows XP machines
The plug-ins contribute to enhancing the Nessus scanner by detecting special cases
that may otherwise be overlooked. Sharing the results and newly created plug-ins
benefits the family of Nessus users. It is recommended that those responsible for
securing their network follow the methodology presented in this thesis to lay a
foundation for a systematic approach to securing their networks. The methodology
expects the system administrator to perform the most important step to analyze
complicated data to determine the best set of operations by examining granularities in
work processes, programs, network systems and projects to implement network
standards, policies and procedures.. Once a standard is accepted, scanning is begun
and vulnerabilities must be patched. Enhance the scanner with new plug-ins and test in
a prototype. Release into production if the plug-in behaves and scan at scheduled
intervals.
.
109
References
[1] ANSI C12.22: A Smart Grid Standard, Itron Smart Meters.
http://news.itron.com/Pages/ami1_1108.aspx
[2] Chow, Edward Dr., Graphic use granted by permission of Dr. Edward Chow
at UCCS website http://cs.uccs.edu/~cs691/
[3] Common Vulnerabilities and Exposures (CVE)
http://www-arc.com/sara/cve/cve.html
[4] Contactless Radio Frequency Technology Transforming Smart Meters with
Secure Pre-Payment,
http://www.ti.com/rfid/shtml/apps-smartmetering.shtml
[5] Deraison, Renaud, Reference Manual for Nessus Attack Scripting Language,
Version 1.4.0, Manual at website at
http://www.virtualblueness.net/nasl.html
[6] Digital Bond research project.
http://www.digitalbond.com/wiki/index.php/Bandolier#Compliance_Chec
k_Examples
[7] Definition and list of vulnerabilities.
http://www.owasp.org/index.php/Category:Vulnerability
[8] First OMS compliant Wireless M-Bus RF module for smart meters launched
http://www.metering.com/node/16162
110
[9] Guide to Industrial Control Systems (ICS) Security, Supervisory Control
and Data Acquisition (SCADA) systems, Distributed Control Systems
(DCS), and other control system configurations such as Programmable
Logic Controllers (PLC) http://csrc.nist.gov/publications/drafts/80082/draft_sp800-82-fpd.pdf
[10] Information on 0-day vulnerability discovered in the wild March 2010.
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0806
[11] Information on 0-day vulnerability discovered in the wild March 2010.
http://secunia.com/advisories/cve_reference/CVE-2010-0806/
[12] Itron Releases OpenWay® Collection Engine with Enhanced Security
Features, February 2009
http://www.itron.com/pages/news_press_individual.asp?id=itr_016976.xm
l
[13] Journal of Energy Security, Making a Secure Smart Grid a Reality, Subparagraph, Weaknesses in the Smart Grid, p. 3-7, October 2009.
http://www.ensec.org/index.php?option= com_content&view=article&id=
218:making-a-secure-smart-grid-areality&catid=100:issuecontent&Itemid=352
[14] SCADA and Control Systems Cyber Security.
http://loftyperch.com/index/use_lang/EN/page/408.html
111
[15] Stouffer,Keith and Falco, Joe and Scarfone, Karen Final Public Draft,
Special Publication 800-82, Recommendations of the National Institute of
Standards and Technology, Guide to Industrial Control Systems (ICS)
Security http://csrc.nist.gov/publications/drafts/800-82/draft_sp800-82fpd.pdf
[16] Smart Metering Scope graphic. http://www.energyretail.org.uk/documents/BERRWANCommunicationsOptionsDefinition.p
df
[17] Related work for network scanning. Digital Bond Bandolier project, Website
at http://www.digitalbond.com/wiki/index.php/Bandolier
[18] Weiss, Joseph, “Current Status of Cyber Security of Control Systems”,
Testimony of Joseph M. Weiss Control Systems Cyber Security Expert
before the Committee on Commerce, Science, and Transportation U.S.
Senate March 19, 2009.
[19] Windows and Unix published performance characteristics of Nessus version
4. http://www.nessus.org/documentation/index.php?doc=nessus4
112
Appendix A
A.1 Subject Descriptors
ICS - Industrial Control Systems
ICS - Incident Command System
NIST - National Institute of Standards and Technology
SCADA - Supervisory Control and Data Acquisition
SDL - Secure Development Lifecycle
ANSI - American National Standards Institute
NERC - North American Electric Reliability Corporation
FERC - Federal Energy Regulatory Commission
OMS – Open Metering System
HMI – Human Machine Interface
AMI – Advanced Meter Infrastructure
AMR – Advanced Meter Reading
CIP – Critical Infrastructure Protection
TGB - Tower Gateway Base-Station
ALA - Active Line Access
113
Appendix B
B.1 Selected Vendor Smart Meters
Several vendors have recently released enhanced versions of their smart meter
products. These vendors have been developing Smart Meters in compliance with the
Security Development Lifecycle and several guidelines adopted by the regulatory and
management agencies involved with the process of safely securing the Power Grid.
B.1.1 Itron OpenWay®
Itron has recently released its OpenWay® Collection Engine with Enhanced Security
Features [12]. Itron released the new Smart Meter February 11, 2009 and is leading
the industry with enhanced Smart Meter security. Two key characteristics of
OpenWay® by Itron make this possible: the economies of scale of the OpenWay
radio-frequency based local area network communications module (RFLAN), and the
American National Standards Institute (ANSI) C12.22 open standard protocol [1].
The release and initial shipments of an enhanced security Smart Meters enables strong
authentication and enhanced security for use in Advanced Metering Infrastructure
(AMI) deployments. The current version of OpenWay software is fully compliant with
security and encryption to meet industry and American National Standards Institute
(ANSI) C12.22 standards. The optional enhanced security version exceeds these
114
requirements by providing security consistent with the North American Electric
Reliability Corporation (NERC) Critical Cyber Asset requirements. Based on elliptic
curve cryptography (ECC), Itron is shipping Certicom's AMI 7000® series meters
with communication encryption and key management appliances in OpenWay to
secure end-to-end network messages. The AMI infrastructure receives and passes
information from the OpenWay Collection Engine down to the OpenWay
CENTRON® meter. The OpenWay security architecture, combined with enhanced
signing and encryption capabilities, is designed to meet the two-way command and
control requirements for AMI and Smart Grid network platforms. Itron boasts that
their solution provides strong integrity of control, non-repudiation, availability and
confidentiality. Also, Itron states that they now offer unparalleled network and
metering system security with the release of their optional enhanced security version,
enhancing the energy management and measurement technologies as efforts progress
toward the development of the Smart Grid. Interestingly, the meter provides strong
authentication to support enhanced security, a critical option required for secure
communication. See Figure B.1.
115
Figure B.1 Itron OpenWay® Solution
B.1.2 Texas Instruments Smart Meters with Secure Pre-Payment
Smart electricity, water and gas meters are undergoing extensive development
upgrades to ensure security. Additionally, a new revolution has surfaced for payment.
A contactless radio frequency (RF) chip Transponder IC, the Secure Multi-Purpose
Contactless IC/Module RF-HCT-WRC5-KP22 [4], has been incorporated into the
smart meter with a new capability for a consumer payment card or token. This idea is
transforming smart meters into secure [12] AMI/AMR and pre-payment devices. The
meters are built on high-speed, low-power, secure smart IC platform with industrystandard secure encryption. Several desirable features are included with the meters
listed as follows.
116

Triple DES, SHA-1 crypto-algorithms,

Mutual authentication – authorized tag
ANSI X9.63 session key
and reader complete
transaction

Flexible and configurable memory

Supports up to five applications on one card or token

ISO/IEC 14443 with ISO/IEC 7816 command set support
Radio Frequency enabled pre-paid smart meters give utilities access to a broader
customer base. RF enabled meters with Pre-Payment reduces the risk of non-payment
and offers consumers a new, fast and convenient way to control and pay for services.
Reduction in billing administration costs can be realized with this revolutionary new
idea. Two models of the reader are available, the TRF7960 and TRF7961 TI-RFid™
HF Reader IC. Both offer the following features.

High level of integration and performance

Low-power and small size

Configurable and flexible architecture

Eases hardware and software system design

Low total Bill of Materials (BOM)

ISO/IEC 14443, ISO/IEC 15693 and Tag-it
Several advantages of Contactless RF Pre-Payment can be realized for
consumers. Consumers can now control utility usage and not have utilities
117
turned off unexpectedly. It is expected that consumers will embrace the
convenience of “ 24/7 wave and pay as you go” . Major credit card
companies and banks worldwide are deploying secure contactless technology.
It is a fast and convenient “ tap-and-go”
credit, debit and stored-value
payment application at the retail point of sale. The technology securely stores
and transmits data over short ranges, typically less than 2 inches. Consumers
need only purchase contactless cards from a kiosk or the utility company. The
cards contain a secure contactless RF chip loaded with a pre-paid amount.
The consumer waves the card in front of the meter to activate it and the
amount is loaded into the smart meter and debited from the card. Texas
Instruments offers a complete contactless RF pre-payment solution for Smart
Meters, including tag and reader integrated circuits and microcontrollers. It is
an easy and efficient solution to RF-enable the latest generation of smart utility
meters.
118
B.1.3 Texas Instruments Smart Meters
The Texas Instruments (TI) product line of MSP430 microcontrollers and Low-Power
RF devices provide a solution for low-power wireless networks, including standardbased IEEE 802.15.4 low-cost, low-speed communication devices, ZigBee or other
proprietary networks. The MSP430 product line offers ultra-low power consumption,
power-saving mechanisms, a high-performance 16-bit CPU and integrated analog. The
MSP430 micros-controllers and TI’s Low-Power RF devices provide designers the
ability to achieve low power consumption, long range and reliable performance are
provided at a competitive price. The CC430 family of sub 1 GHz system-on-chip
monolithic devices integrates with the MSP4305xx microcontroller with a flexible
Low-Power RF transceiver.-Based Netwok
B.1.4. System-on-Chip Solutions
Industry’s highest performance, single-chip, low-power RF solution is the CC430. The
CC430 is based on the new 5xx generation of ultra-low-power MSP430
microcontrollers. Designed with a high level of peripheral integration, outstanding
analog performance and ease of use, the 5xx core is paired with the flexible CC1101
sub-1GHz transceiver to deliver the sensitivity and blocking performance required for
a robust communication link in RF environments. The CC430 devices enable the user
to minimize RF power, size, and cost requirements while still maintaining superior
119
application performance. There is also the 8051-based System-on-Chip solution.
TI recommends the CC2430/2431 for IEEE 802.15.4 and ZigBee networks use; the
CC2510/2511 is recommended for 2.4 GHz; and the CC1110/1111 for sub-1 GHz use.
The MSP2530 development kit provides a flexible platform to encompass the majority
of controllers, protocols and devices.
B.1.5 Standard-Based Networks
The IEEE 802.15.4 wireless radio frequency standard for low-power and short-range
applications is ideal for point-to-point or point-to-multipoint networks. The 802.15.4based proprietary network can be upgraded to evolve to a ZigBee-compliant system.
The ZigBee is a low-power wireless network standard that offers mesh networking
and interoperability between different products. ZigBee is a network layer on top of
the IEEE 802.15.4 standard physical and mac layers. Smart metering and home
automation services in Advanced Metering Infrastructure (AMI) profiles and the
Home Automation (HA) profiles are ideal targets for Zigbee.
B.1.6 Proprietary Networks
Texas Instruments (TI) accommodates free software code for building a network. The
SimpliciTI Network Protocol is implemented with a battery operated TI Low-Power
RF System-on-Chip or the MSP430 and an RF transceiver. The SimpliciTI network
protocol is a simple and versatile solution, combining MSP430+CC1101/2500,
CC1110/2510 and DSSS parts to provide solutions for applications such as alarm
systems, smoke detectors and active RF-ID applications.
B.1.7 Development Platforms
120
Texas Instruments (TI) offers several development kits that are available by
donation awards or purchase. Partial kits are available for evaluation via free
download but still require purchase of licenses, software, etc. for full functionality.
Texas Instruments offers the “Sample and Buy” program where developers can order
samples and test as needed. In this way, developers can evaluate the product. The cost
of the development kit can cost from less than a thousand dollars to several thousand
dollars. The TI CC2530ZDK development kit is a good starter candidate for lab use.
The MSP2530 micro-controller is currently used in the TI advertised compliant Smart
Meters.
CC2530ZDK
Name
CC2530 ZigBee Development Kit
Status
ACTIVE
Price (US$) $649.00
Order Options
Order Online
Figure B.2 CC2530 ZDK Development Kit Cost
121
A CC2530ZDK includes:

TI's ZigBee stack, Z-Stack (www.ti.com/z-stack)

2 SmartRF05EB Evaluation Boards

5 SmartRF05 Battery Boards

7 CC2530EM Evaluation Modules

USB Dongle Antennas and batteries IAR EW8051 C-compiler with C-SPY
debugger (30+30 day evaluation license.)
B.1.8 MBUS3 Firmware
On September 28, 2009 in Oslo, Norway, a new firmware feature set was
introduced as MBUS3 [8] to comply with the Open Metering System (OMS)
specification for advanced metering applications. It has been launched by the compact
RF module provider Radiocrafts AS. The new firmware runs on the Wireless M-Bus
module (RC1180-MBUS) for use in AMI/AMR applications. It is the first completely
embedded module solution compliant with the new OMS specification available in the
market in addition to the well established NTA 8130 compliant feature set
(MBUS2).The OMS primary communication interface is based on the Wireless M-Bus
standard (EN 13757-4:2005). It specifies the communication between a multi-utility
communications (MUC) controller or gateway and electricity, gas, water and heat
meters. The specification is becoming widely accepted in Europe. The new MBUS3
122
module can be configured for use as a master (in the MUC), a slave (in the meter
or an actuator), or as a repeater. Several desired features are capable in the MBU3 set.

supports S1, S2, T1 and T2 modes

handles encryption (AES-128) all time critical communication between
the MUC
and the meter

power saving features gives battery lifetimes in excess of 14 years

master module can support up to 64 slaves, all with unique encryption
keys

unique auto-message generation feature

message mailboxes supporting individual communication with several
slaves in parallel

repeater functionality makes up a complete and autonomous repeater
that will store and retransmit slave messages in order to increase the
coverage area of one master (MUC)
The new RC1180-MBUS3 [8] is a surface-mounted high performance transceiver
module measuring only 12.7 x 25.4 x 3.3 mm, and can easily be integrated into any
123
meter. Serial communication is facilitated by a UART interface that is used for
configuration. An antenna connects directly to the RF pin. When used with quarterwave antennas a line-of-sight range of 800 m can be achieved. The new module
supports two-way communication and is capable of valve control and data
acknowledgement. The RC1180-MBUS module has been certified for operation under
the European radio regulations for license-free use in the rapidly growing smart
metering market. This solution provides a complete Wireless M-Bus solution
compliant with the OMS specification in a small compact module form factor that is
easy to integrate into meters and gateways. The Wireless M-Bus stack makes it easy to
add a fully compliant OMS solution to space limited and battery operated meters. It
significantly reduces time-to-market, development, and compliance testing cost.
Download