Vendor System Vulnerability Testing Test Plan
Abstract
The Idaho National Laboratory (INL) prepared this generic test plan to provide clients (vendors, end users, program sponsors, etc.) with a sense of the scope and depth of vulnerability testing performed at the INL’s Supervisory Control and Data Acquisition (SCADA) Test Bed and to serve as an example of such a plan. Although this test plan specifically addresses vulnerability testing of systems applied to the energy sector (electric/power transmission and distribution and oil and gas systems), it is generic enough to be applied to control systems used in other critical infrastructures such as the transportation sector, water/waste water sector, or hazardous chemical production facilities. The SCADA Test Bed is established at the INL as a testing environment to evaluate the security vulnerabilities of SCADA systems, energy management systems (EMS), and distributed control systems. It now supports multiple programs sponsored by the U.S. Department of Energy, the U.S. Department of Homeland Security, other government agencies, and private sector clients. This particular test plan applies to testing conducted on a SCADA/EMS provided by a vendor. Before performing detailed vulnerability testing of a SCADA/EMS, an as delivered baseline examination of the system is conducted, to establish a starting point for all-subsequent testing. Themore »
- Authors:
- Publication Date:
- Research Org.:
- Idaho National Lab. (INL), Idaho Falls, ID (United States)
- Sponsoring Org.:
- USDOE
- OSTI Identifier:
- 911786
- Report Number(s):
- INEEL/EXT-05-02613
INEEL/MIS-05-02613; TRN: US200801%%233
- DOE Contract Number:
- DE-AC07-99ID-13727
- Resource Type:
- Technical Report
- Country of Publication:
- United States
- Language:
- English
- Subject:
- 45 - MILITARY TECHNOLOGY, WEAPONRY, AND NATIONAL DEFENSE; CONFIGURATION; CONTROL SYSTEMS; DATA ACQUISITION; DISTRIBUTION; ELECTRIC POWER; ENERGY MANAGEMENT SYSTEMS; PRODUCTION; RECOMMENDATIONS; SECURITY; TESTING; TRANSPORTATION SECTOR; VULNERABILITY; WATER
Citation Formats
Davidson, James R. Vendor System Vulnerability Testing Test Plan. United States: N. p., 2005.
Web. doi:10.2172/911786.
Davidson, James R. Vendor System Vulnerability Testing Test Plan. United States. https://doi.org/10.2172/911786
Davidson, James R. 2005.
"Vendor System Vulnerability Testing Test Plan". United States. https://doi.org/10.2172/911786. https://www.osti.gov/servlets/purl/911786.
@article{osti_911786,
title = {Vendor System Vulnerability Testing Test Plan},
author = {Davidson, James R},
abstractNote = {The Idaho National Laboratory (INL) prepared this generic test plan to provide clients (vendors, end users, program sponsors, etc.) with a sense of the scope and depth of vulnerability testing performed at the INL’s Supervisory Control and Data Acquisition (SCADA) Test Bed and to serve as an example of such a plan. Although this test plan specifically addresses vulnerability testing of systems applied to the energy sector (electric/power transmission and distribution and oil and gas systems), it is generic enough to be applied to control systems used in other critical infrastructures such as the transportation sector, water/waste water sector, or hazardous chemical production facilities. The SCADA Test Bed is established at the INL as a testing environment to evaluate the security vulnerabilities of SCADA systems, energy management systems (EMS), and distributed control systems. It now supports multiple programs sponsored by the U.S. Department of Energy, the U.S. Department of Homeland Security, other government agencies, and private sector clients. This particular test plan applies to testing conducted on a SCADA/EMS provided by a vendor. Before performing detailed vulnerability testing of a SCADA/EMS, an as delivered baseline examination of the system is conducted, to establish a starting point for all-subsequent testing. The series of baseline tests document factory delivered defaults, system configuration, and potential configuration changes to aid in the development of a security plan for in depth vulnerability testing. The baseline test document is provided to the System Provider,a who evaluates the baseline report and provides recommendations to the system configuration to enhance the security profile of the baseline system. Vulnerability testing is then conducted at the SCADA Test Bed, which provides an in-depth security analysis of the Vendor’s system.b a. The term System Provider replaces the name of the company/organization providing the system being evaluated. This can be the system manufacturer, a system user, or a third party organization such as a government agency. b. The term Vendor (or Vendor’s) System replaces the name of the specific SCADA/EMS being tested.},
doi = {10.2172/911786},
url = {https://www.osti.gov/biblio/911786},
journal = {},
number = ,
volume = ,
place = {United States},
year = {Sat Jan 01 00:00:00 EST 2005},
month = {Sat Jan 01 00:00:00 EST 2005}
}