We’re Doing It The Hard And Wrong Way
Part 3 of my OT asset inventory series. Part 1: Wrong! “You Can’t Protect What You Don’t Know”. Part 2: What Does “Know” Mean?
There are three automated approaches to creating and maintaining an OT asset inventory. Here’s the surprise: the passive monitoring of network traffic that kicked off the OT asset inventory product segment, and still dominates it, is the worst of the three. It’s the least complete, the least accurate, and the least detailed.
Passive monitoring of network traffic via a span port on a switch or a network tap began as a detection tool, IDS for OT. A side benefit was information about what was on the network.
Passive was, and for many asset owners still is, the key word. Don’t install anything on my ICS computers! Don’t put any traffic on my OT network! It works today, don’t touch it. The skittishness was warranted in some situations where IT had caused outages on fragile ICS systems and components.
Passive monitoring has its place in asset management. Its place is detecting when there is something new on the network, something that is not in the asset inventory, or when there is a conflict between the network traffic and the asset inventory.
From 2016 – 2020 the OT detection / asset inventory vendors would preach that they were passive and “active” was dangerous. In side conversations they would admit that probing / scanning / sending request packets could be done safely and would provide much better information.
This active scanning is not like a Tenable Nessus or Rapid 7 scanner sending all sorts of packets to a device and seeing the response. It is properly formatted administrative or management requests to gather system information, similar to engineering workstation communication with a PLC or a controller.
This active scanning provides detailed and accurate information: what firmware is being run, what patches have been applied, what software has been installed, what interface cards are in the device, etc. Unauthorized changes can be identified when this is tied into change management. Activity in support tickets can be verified before they are closed. And much more.
Indegy, acquired by Tenable in 2019, was the first to have and promote active scanning. They were a bit too early for the market to accept it. Now most of the OT detection / asset inventory solutions have an optional active scanning component. OT asset management products like those from Hexagon and OT Base lean more heavily on this method, and promote it more, to develop a richer asset inventory and support more of the asset management functions.
An OT cyber asset could proactively report its asset inventory details to the asset inventory / management solution. This third approach is still rare in OT, and is typically only seen when an agent is deployed on the cyber asset. With the right protocols, an agent shouldn’t be required.
The benefits to inbound reporting are easily understood by the ICS community. It is similar to the benefits of report by exception or unsolicited response as compared to polling. There still could be periodic active scanning, but it could be less frequent while still retaining current information in the asset inventory.
As more components get an IP address, whether this be smart sensors and actuators or more IIoT devices, inbound reporting will become more important and valuable.
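To make the division of labor concrete, here is an added example (my own illustration, not code from any vendor or product named in this post) that reconciles constructed passive observations and inbound device reports against a constructed asset inventory: passive data is used only to flag unknown devices and conflicts with the inventory, inbound reports refresh the record, and an active scan is scheduled only for assets that neither source has kept current. The IP addresses, vendor names, firmware versions and the 14-day staleness window are all assumptions made up for the example.

```python
from datetime import datetime, timedelta

# Constructed asset inventory (sample data, not from the post), keyed by IP.
INVENTORY = {
    "10.1.1.10": {"vendor": "VendorA", "firmware": "2.4", "last_confirmed": "2023-11-20T08:00:00"},
    "10.1.1.11": {"vendor": "VendorA", "firmware": "3.1", "last_confirmed": "2023-11-01T08:00:00"},
    "10.1.1.20": {"vendor": "VendorB", "firmware": "1.0", "last_confirmed": "2023-11-28T08:00:00"},
}

# Constructed passive observations: what a span-port sensor inferred from traffic.
PASSIVE = [
    {"ip": "10.1.1.10", "vendor": "VendorA"},
    {"ip": "10.1.1.20", "vendor": "VendorC"},  # traffic disagrees with the inventory record
    {"ip": "10.1.1.99", "vendor": "VendorB"},  # device not in the inventory at all
]

# Constructed inbound reports: a device announcing its own details (report by exception).
INBOUND = [
    {"ip": "10.1.1.10", "vendor": "VendorA", "firmware": "2.5", "ts": "2023-12-01T09:00:00"},
]


def reconcile(inventory, passive, inbound, now, max_age_days=14):
    """Tiered reconciliation: inbound refreshes, passive flags, active scan fills the gaps."""
    inv = {ip: dict(rec) for ip, rec in inventory.items()}
    now_dt = datetime.fromisoformat(now)
    # Inbound reports are authoritative for the fields they carry and refresh the record.
    for r in inbound:
        rec = inv.setdefault(r["ip"], {})
        rec.update(vendor=r["vendor"], firmware=r["firmware"], last_confirmed=r["ts"])
    new_devices, conflicts = [], []
    # Passive monitoring can only say "unknown device" or "traffic disagrees with the record".
    for obs in passive:
        rec = inv.get(obs["ip"])
        if rec is None:
            new_devices.append(obs["ip"])
        elif rec.get("vendor") != obs["vendor"]:
            conflicts.append((obs["ip"], rec["vendor"], obs["vendor"]))
    # Active scanning is scheduled only where nothing else has kept the record current,
    # plus any newly seen device whose details need to be gathered.
    stale = {ip for ip, rec in inv.items()
             if "last_confirmed" not in rec
             or now_dt - datetime.fromisoformat(rec["last_confirmed"]) > timedelta(days=max_age_days)}
    scan_due = sorted(stale | set(new_devices))
    return {"new": sorted(new_devices), "conflicts": sorted(conflicts),
            "scan_due": scan_due, "inventory": inv}


def run_example():
    return reconcile(INVENTORY, PASSIVE, INBOUND, now="2023-12-01T10:00:00")


if __name__ == "__main__":
    print(run_example())
```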
Tiered Active Scanning and Inbound Reporting
A highly accurate and current set of information for most OT cyber assets is often already available in the ICS. This could be a database or flat configuration file stored in one of the management components. Hexagon, née PAS, has been downloading and parsing these files from DCS for many years to provide an extremely detailed asset inventory of supported systems.
If this information already exists, then it is simply a means of sharing it with the relevant parts of the asset management solution.
When you look at the methods for creating and maintaining an OT asset inventory and the full spectrum of OT asset management, you see we are still in the early days.
Update: On 2 Dec 2023 I changed “a Tenable or Rapid 7 scanner” to “a Nessus or Rapid 7 scanner”. Tenable has a variety of active solutions as well as passive solutions, and I meant their most well known product, Nessus. I also added that Indegy was acquired by Tenable. Both these changes were at Tenable’s request, and they are clearer so I had no issue making this update.