Vendor System Vulnerability Testing Test Plan
The Idaho National Laboratory (INL) prepared this generic test plan to provide clients (vendors, end users, program sponsors, etc.) with a sense of the scope and depth of vulnerability testing performed at the INL’s Supervisory Control and Data Acquisition (SCADA) Test Bed and to serve as an example of such a plan. Although this test plan specifically addresses vulnerability testing of systems applied to the energy sector (electric/power transmission and distribution and oil and gas systems), it is generic enough to be applied to control systems used in other critical infrastructures such as the transportation sector, water/waste water sector, or hazardous chemical production facilities. The SCADA Test Bed is established at the INL as a testing environment to evaluate the security vulnerabilities of SCADA systems, energy management systems (EMS), and distributed control systems. It now supports multiple programs sponsored by the U.S. Department of Energy, the U.S. Department of Homeland Security, other government agencies, and private sector clients.
This particular test plan applies to testing conducted on a SCADA/EMS provided by a vendor. Before detailed vulnerability testing of a SCADA/EMS is performed, an as-delivered baseline examination of the system is conducted to establish a starting point for all subsequent testing. The series of baseline tests documents factory-delivered defaults, system configuration, and potential configuration changes to aid in the development of a security plan for in-depth vulnerability testing. The baseline test document is provided to the System Provider [a], who evaluates the baseline report and provides recommendations to the system configuration to enhance the security profile of the baseline system. Vulnerability testing is then conducted at the SCADA Test Bed, which provides an in-depth security analysis of the Vendor’s system [b].
a. The term System Provider replaces the name of the company/organization providing the system being evaluated. This can be the system manufacturer, a system user, or a third-party organization such as a government agency.
b. The term Vendor (or Vendor’s) System replaces the name of the specific SCADA/EMS being tested.
- Research Organization: Idaho National Laboratory (INL)
- Sponsoring Organization: USDOE
- DOE Contract Number: AC07-99ID13727
- OSTI ID: 911786
- Report Number(s): INEEL/EXT-05-02613; INEEL/MIS-05-02613
- Country of Publication: United States
- Language: English
Similar Records
- Cyber Security Testing and Training Programs for Industrial Control Systems · Conference · Wed Feb 29 23:00:00 EST 2012 · OSTI ID: 1044208
- US-CERT Control System Center Input/Output (I/O) Conceptual Design · Technical Report · Mon Jan 31 23:00:00 EST 2005 · OSTI ID: 911878
- ATC Security Vulnerability Assessment · Technical Report · Tue Mar 24 00:00:00 EDT 2009 · OSTI ID: 950020