audit

ICS Tools - Auditing and Signatures

Developed as a community asset

Advisories

• ICS-Advisory-Project - The ICS Advisory Project is an open-source project to provide DHS CISA ICS-CERT Advisories data in Comma Separated Value (CSV) format to support vulnerability analysis for the OT/ICS community.

Organizational Assessment Tools

• DHS CSET - The Cyber Security Evaluation Tool (CSET®) is a Department of Homeland Security (DHS) product that assists organizations in protecting their key national cyber assets. It was developed under the direction of the DHS National Cyber Security Division (NCSD) by cybersecurity experts and with assistance from the National Institute of Standards and Technology. This tool provides users with a systematic and repeatable approach for assessing the security posture of their cyber systems and networks. It includes both high-level and detailed questions related to all industrial control and IT systems.
• ENISA SARP - Beta version of a tool to assess risk management requirements.
• ENISA CSIRT Maturity - This tool helps CSIRTs to self-assess their team’s maturitylogo maturity in terms of 44 parameters of the SIM3 model.
• JPCERT J-CLICS - J-CLICS (Check List for Industrial Control Systems of Japan; a self-assessment tool for security) consists of "Check List" which helps understanding the status of security measure implementation in ICS, and "Guidance" which provides detailed measures for each question in the Checklist.
• BSI LARS - Light and Right Security ICS (LARS ICS) is a free tool that makes it easier for small and midsize enterprises involved in industrial control systems to take their first steps towards achieving cyber security. It provides organisations with questions they can use to assess the current state of their own cyber security and recommends the safeguards they should implement next (and in which areas). All safeguards are assigned to corresponding parts of the standards and procedures of IT-Grundschutz, ISO 27001, IEC62443, and the BSI ICS Security Compendium, which facilitates the transition to using a holistic management system for information security.

Auditing / Scanning

• Bandolier Security Audit Files - These audit files are used with the Nessus scanner’s compliance plugins to audit the security settings of control system components. A typical control system will have over 1,000 security settings including the OS settings, database and webserver settings, and the SCADA or DCS application settings. Digital Bond worked with the vendors, such as ABB, AREVA, Emerson, OSIsoft, Telvent, …, to identify the optimal security settings for their systems. Bandolier Security Audit Files are very useful at FAT to insure the system is installed in an optimal security configuration and periodically to verify the configuration has not degraded.
• PI-Security-Audit-Tools - The PI Security Audit Tools project is a [PowerShell] framework to baseline the security configuration of your PI System. The module (PISysAudit) can be executed locally or remotely to validate the security configuration of various PI System components: PI Data Archive, PI AF Server, PI Vision, SQL Server and the hosting OS [based on Digital Bond Bandolier Security Audit Files].
• Configuration Hardening Assessment PowerShell Script (CHAPS) - CHAPS is a PowerShell script for checking system security settings where additional software and assessment tools, such as Microsoft Policy Analyzer, cannot be installed.
• Portaledge - The OSIsoft PI Server is an extremely popular historian that aggregates and correlates process data. In Portaledge, Digital Bond has created modules to aggregate security events and correlate these events to detect cyber attacks. There are a variety of modules including modules that meet the NERC CIP monitoring requirements.
• NSA GRASSMARLIN - GRASSMARLIN provides IP network situational awareness of industrial control systems (ICS) and Supervisory Control and Data Acquisition (SCADA) networks to support network security. Passively map, and visually display, an ICS/SCADA network topology while safely conducting device discovery, accounting, and reporting on these critical cyber-physical systems. Now Deprecated, so mirrored here.
• Misc SCADA Tools - A collection of miscellaneous SCADA tools written in python.
• PLCscan - Tool for scan PLC devices over s7comm or modbus protocols.
• s7scan - Replacement for PLCscan.
• modscan - Tool to scan modbus devices and gather information.
• modbus-scanner - Live scanner that looks for register changes via modbus.
• Metasploit Modules for OPC UA - New Metasploit modules for assessing the security of OPC UA deployments, paper
• OPC-UA Exploitation Framework - Advanced OPC-UA framework for vulnerability research & exploitation
• Open PHA - Open PHA™ is a HAZOP and LOPA software tool. Open PHA™ provides an easy to use, light-weight platform for performing HAZOP and LOPA analysis. Includes the ability to perform a Security PHA Review directly in the PHA study (description: https://www.kenexis.com/security-pha-review-spr-open-pha/)
• Industrial Security Auditing Framework - ISAF aims to be a framework that provides the necessary tools for the correct security audit of industrial environments.
• Shodan - Shodan is the world's first search engine for Internet-connected devices
• Censys - Another search engine for Internet-connected devices
• ZoomEye - Chinese search engine for Internet-connected devices
• FOFA pro - Chinese search engine for Internet-connected devices
• Zhifeng - Chinese search engine for internet-connected IoT/ICS assets
• Ditecting - Chinese search engine for Industrial Control System Devices
• BinaryEdge - Another project focused on collecting, analyzing and classifying internet wide data
• kamerka - Build interactive map of ICS devices from Shodan
• kamerka GUI - A GUI for Kamerka from above forming the "Ultimate Internet of Things/Industrial Control Systems reconnaissance tool."
• splonebox - splonebox is an open source network assessment tool with focus on Industry Control Systems. It offers an ongoing analysis of your network and its devices. A modular design allows writing of additional plugins.
• CHAPS - Configuration Hardening Assessment PowerShell Script, a script for checking Windows system security settings where additional software and assessment tools cannot be installed (e.g. Industrial Control System (ICS) environments)
• WES-NG - Windows Exploit Suggester - Next Generation, a tool based on the output of Windows' systeminfo utility which provides the list of vulnerabilities the OS is vulnerable to, including any exploits for these vulnerabilities. Every Windows OS between Windows XP and Windows 10, including their Windows Server counterparts, is supported.
• Siemens Simatic PCS 7 Hardening Tool - Powershell script for assessing the security configurations of Siemens - SIMATIC PCS 7 OS client, OS Server or Engineering station
• General Electric CIMPLICITY Hardening Tool - Powershell script for assessing the security configurations of windows machines in the CIMPLICITY environment
• Hello Proto - Banner Grabbing - banner grabbing tools for ICS protocols
• Modbus Recon Functions - Modbus tool to poke a device for valid functions
• SSASS-E - Safe Secure Autonomous Scanning Solution for Energy Delivery Systems (SSASSE). Note: UIUC was involved in this project and there are a bunch of great nuggets in the code.
• HVACScanner - Locates Honeywell/Tridium/Niagara HVAC JACEs/Controllers via HTTP fingerprints/strings.
• ICS Security Scripts - Various industrial security scripts.
• Caldera for OT Plugins - A collection of plugins that extend Caldera to the Operational Technology (OT) environment. The Caldera for OT plugins enable adversary emulation in the OT environment.

Robotics

• Aztarna - A footprinting tool for robots

IDS Signatures / Scripts

• Quickdraw Snort - mirror: v4.3.1 - The Quickdraw IDS signature download includes the Modbus TCP, DNP3, EtherNet/IP, and ICS Vulnerability signatures. Each category is in its own rules file, and Digital Bond recommends only adding the signatures appropriate for your control system. See the pcap quickdraw section for test pcaps.
• Quickdraw Suricata Signatures for EtherNet/IP - A set of EtherNet/IP IDS rules for use with Suricata.
• RAPSN SETS - RAPSN SETS (Recognizing Anomalies in Protocols of Safety Networks: Schneider Electric‘s TriStation) is a set of rules for the Intrusion Detection System (IDS) Snort. They have been developed for Schneider Electric‘s proprietary TriStation protocol and are published under Mozilla Public License Version 2.0.
• Cisco Talos Snort IDS Rules - These are a handful of community rules that correspond to the SCADA Strangelove default credentials. More community rules are available here
• ARMORE - ARMORE was developed to be an open-source software solution that will aid asset owners by increasing visibility, securing communications, and inspecting ICS communications for behavior that is not intended. Built around Bro and Linux.
• EDMAND - EDMAND Anomaly detection framework. Built around Bro.
• AIUS - AIUS Repository (EDMAND/CAPTAR combination). Built around Bro.
• ML NIDS For ICS - Machine learning techniques for Intrusion Detection in SCADA Systems.
• DNP3 Attack Detection System - Simple packet dissector that detects anomalous DNP3 traffic by analysing its parameters.

IDS Extensions

• Profinet for Suricata - Profinet extensions for Suricata

IoC Tools

• FireEye IoC Editor - IOCs are XML documents that help incident responders capture diverse information about threats, including attributes of malicious files, characteristics of registry changes and artifacts in memory. The IOC Editor provides an interface for managing data, including: 1) Manipulation of the logical structures that define the IOC, 2) Application of meta-information to IOCs, including detailed descriptions or arbitrary labels, 3) Conversion of IOCs into XPath filters, and 4) Management of lists of “terms” used within IOCs.

(creative commons license)