ASSET IDENTIFICATION AND INVENTORY
Background: Claroty, Gravwell, Nozomi Networks and Security Matters competed in the ICS Detection Challenge at S4x18 last month. The Challenge took actual packet captures from a midstream oil & gas company, anonymized the packets, and used these packets and crafted attack packets to test the ICS Detection class of products in two areas: Asset Identification and Attack / Incident Detection. The Challenge was put together by Dale Peterson, Eric Byres, Ron Brash and aeSolutions.
Highlights:
- This class of product, as advertised, will help an owner/operator in creating and maintaining an asset inventory.
- Coverage of ICS protocols and devices is limited at this time. Where there is coverage, basic asset inventory, at the IP and vendor identification level, is done reasonably well by Claroty, Nozomi and Security Matters. Where there isn’t coverage, owner/operators will require manual entry and manuel inventory maintenance.
- Sending a legitimate periodic information request, most ICS apps do this for trouble shooting and initiation, to gather information will greatly help your asset inventory if only passive measures are used.
- The level of detail in the asset inventory and the ability to create useful diagrams varies and should be an important part of your evaluation.
- Claroty won the Asset Identification phase by identifying the largest number of assets (device type and vendor) with a score of 23, followed by Nozomi and Security Matters with a score of 20. Nozomi clearly provided the most detail in their asset inventory and was the only competitor to identify the key SCADA system. Security Matters did the best in identifying CVE’s for the asset inventory.
Only a small percentage of the ICS owner/operator base are at a security maturity level to benefit from the capabilities of the 20+ companies offering ICS Detection solutions. All that listening and ICS intelligence used for attack and incident detection can also be used for creating and maintaining an asset inventory, something that most ICS owner/operators struggle with. A lot of the early interest and wins in the detection space are coming from the asset inventory features, and we are seeing more of the promotion and product marketing focusing on this aspect of the product.
The Asset Identification testing of the Challenge was as realistic as it gets.
- The packet captures were taken from live midstream oil/gas ICS. They included a pipeline SCADA and terminals with different cyber assets.
- The midstream company did not generate any special request packets that would generate responses to help populate the asset inventory.
- In the real world there likely would be more packets available, but this isn’t as of much value as you would think because the network traffic varies little except during a maintenance activity or incident.
All three of the ICS solutions (Claroty, Nozomi and Security Matters) identified a high percentage of the cyber assets, at a basic IP level, that had sent or received packets in the packet captures. The concept of the technology works, and it will surely get better over time.
The time to create the asset inventory after the packet captures was intentional kept short so that we were seeing the product results rather than the skill of the team. The packet captures were also provided blind to the competitors. These are artificial constraints. An asset owner would have the advantage of knowing a large portion of what was in their ICS, and they would be creating and maintaining the asset inventory over time.
Identifying Assets
Asset identification information submitted in this phase was in general limited to IP address and MAC address. In rough numbers, the following level of detail was provided by the three competitors:
- IP Address: 750 assets (the minimum required to identify an asset)
- Manufacturer: 425 assets (note some were incorrect and it appeared most relied on the MAC address)
- MAC Address: 425 assets
- Device Type: 350 assets (PLC, computer, very broad categorization)
- Asset Name: 75 assets
- OS / Firmware Version: 60 assets
- Product Model: 50 assets
Most of the detail provided by all three competitors came from the Allen Bradley PLC assets, which is not surprising because this is a widely used device with a widely used protocol.
The Schneider Electric (nee Telvent) OASyS DNA SCADA that monitored and controlled the pipeline was perhaps the most critical ICS. All of the vendors identified the computers and terminal servers involved in the SCADA by IP Address, but only Nozomi reported that these components were part of an OASyS DNA SCADA. Even with Nozomi, it appears this was done by analyzing the names of the computers, such as HMI using the OASyS XOS term. In all cases significant editing and adding of information would be required.
Most other systems, such as leak detection, flow computers and meters, were in the inventory as IP address, MAC address and little else.
Level of Asset Inventory Detail
This is an area where Nozomi exceled, although there is still much room for improvement. The Rockwell Automation / Allen Bradley case is a good example. All three competitors identified these assets by IP address, and all had good detail (model number, serial number, version number) for the Logix PLC’s. Nozomi was the only competitor to identify the PanelViews (model and OS) and Stratix Switches (model and firmware version). The others listed the Stratix switches as Cisco, which is not “wrong” since Stratix is a private labelled Cisco switch. This would however likely cause confusion in the Ops team when they go looking for Cisco switches.
Additional detail could have been gathered if we had captured packets when administrative request packets were sent. A protocol such as CIP (EtherNet/IP) can query the PLC’s for any detail you would want in an asset inventory. If you are planning on using a product like this for asset inventory, consider proactively initiating these packets when the asset inventory is first being created and periodically after that to verify and update the inventory.
Missed Assets
Working with the owner operator’s asset inventory we knew that there were Siemens S7 PLC’s at the tank farms, and we knew the names of those PLC’s. None of the competitors included these PLC’s in their submitted asset inventory. Why? Because the packet capture did not collect data going to the tank farm.
This is a deficiency in the product category, not any of these solutions. A passive device will only have a chance of creating asset inventory if it sees packets going to and from these cyber assets. (Which is why I believe the segment will end up with Active / Passive solutions it matures).
My Conclusions
- The asset inventory aspect of these solutions is going to improve as they add more intelligence for the ICS communications, applications and devices. Today there is still a large amount of manual entry required.
- It will be something that a non-trivial percentage of asset owners will deploy in the three to five years whether they use the detection features or not.
- Most will add an active capability and/or pull data from other repositories to address the limitations of the passive only approach.
Scoring
The scoring was not as problematic in the Asset Identification phase of the competition as it was in the Detection phase. We had a near complete inventory, so it was easy to identify if an answer was correct.
The biggest deficiency in the scoring in this phase was the uncertainty of how much the level of detail in the answer should affect the score. The decision was made not to reward additional and impressive detail, because it was not clearly identified in advance that this would be rewarded and how it would be rewarded in the score. Also, it appears that some of the competitors didn’t provide answers because they thought more specificity was required.