[SCADASEC] Regarding "Bandolier"
Bob Radvanovsky
rsradvan at unixworks.net
Fri May 30 12:28:52 CDT 2008
Something that I found unusual was a summary provided by Dale Peterson at the recent ieRoadmap conference here in Chicago, IL just 2 days ago. He gave a presentation about a new product that was funded by DOE money. The product is called "Bandolier". Ironically, I found this on the "Unfettered" blog on the Control Global magazine's posting this morning. Ironic? Perhaps.
But...what I found most interesting was something that Joe Weiss had pointed out:
"... It seems to be a good approach to identifying vulnerabilities in control system computers. The severity ratings for Bandolier are a good idea but the approach does not go far enough. Since these ratings are used for compliance reporting, it potentially could cost companies a significant amount of money without an accompanying risk reduction. The missing piece is the impact on the process or facility. I see two issues with the Bandolier approach- the first is the classification of non-critical computers as “severe”. The second is how Bandolier is used in the overall context of securing the facility. Many of the Major and Moderate control system cyber incidents I have identified in my incident database would not have been identified using an approach like Bandolier as they were not caused by traditional computer vulnerabilities but represented failures, omissions, or errors in design, configuration, or implementation of required programs and policies."
My question is this, and a rather simple one: is it possible for a vulnerabilities checker (such as Bandolier) to consistently find "anti-problems"? Meaning...that Bandolier would find only the areas that we already know about and those that we don't? Second, what does the Bandolier product do with regards to "false positives"? A "false positive" is where an automated/semi-automated vulnerabilities checker finds a problem, when there really is no problem at all (nor ever was a problem, either). Without knowing more about this product, or seeing firsthand what this product does, I'd pose these 2 questions about the functionality of the Bandolier product.
And last, but not least, doesn't Industrial Defender (a.k.a. Verano) have (or had) a product that does something similar?
I pose this question to the list openly...come one and all. I could be wrong, but I think Joe might be onto something here.
-rad
DISCLAIMER: This is merely an observational commentary from what I received -- in summary -- at the ieRoadmap conference these past 2 days. In Dale's defense (as well as those who presented), they had 30 minutes to give a presentation, of which 15 minutes were reserved for the actual presentation; the other 15 minutes were reserved for Q&A from the Roadmap WG and conference attendees.