For businesses large and small, digital operations technology has become a key driver of efficient production. But honestly, do you still exercise full control over your OT assets? If you are like most asset owners, you probably don’t know exactly how many PLCs, RTUs, operator stations, network switches and so on you operate, let alone their exact hardware configuration, and software or firmware versions.
Not maintaining a complete and accurate OT asset inventory comes with a price, and it affects multiple use cases. Take cyber security as just one example: for many years, asset inventory has sat at the very top of the SANS Critical Security Controls. Now, while few people doubt the value of asset inventories, why is almost nobody doing it right? The tough technical problem that most people struggle with is automated OT asset discovery.
Passive Scanning
The first generation of OT asset discovery products tries to crack the nut with what is usually called passive scanning. In this category we find vendors such as Claroty, Nozomi, SecurityMatters, and about 25 others.
The term passive scanning is technically a bit of a misnomer, as no network scanning takes place. Instead, a network appliance sniffs all network traffic and parses it for data that can be used to identify endpoints and traffic patterns.
Unfortunately, the metadata required for asset discovery is deeply hidden in the wire traffic. Finding the information that can be used to identify device make and model, firmware version and so on is a task as difficult as finding a needle in a haystack, and it doesn’t always yield accurate results.
Some vendors sell proprietary appliances, while others allow you to pick appropriate hardware of your choice. In any case, this technology requires that the network sensors see all network traffic in the first place, which is usually accomplished by port mirroring in every network.
There are some technical limitations to this approach. Silent devices will not be detected. Software applications and security patches won’t be detected with any reasonable level of accuracy. As an example, think about security patches installed — or not installed — that you need to know about for your vulnerability management. Also, network topology at layers one and two might be hidden from your view.
Selective Probing
The alternative to passive scanning is selective probing, which is implemented in products by Langner, as well as in those from large automation vendors such as Rockwell, Siemens, and Honeywell.
Selective probing means that networked OT devices, including network switches and routers, are probed using legitimate protocols and access credentials. It leverages the fact that virtually every relevant protocol in the OT space has capabilities for querying metadata, from product identity and firmware version to location.
Examples are Modbus, EtherNet/IP, Profinet, and DNP3. The same applies to IT protocols used within OT, such as SNMP and Windows Management Instrumentation (WMI). As an example, SNMP allows you to discover network topology, which is an extremely useful feature that you wouldn’t want to miss without a very good reason. WMI allows you to accurately enumerate all your operating system versions, application software, and security patches. Lastly, even proprietary protocols from Siemens, GE and others have specific functions to query metadata, and they are certainly used by the asset discovery products from these vendors. There are even protocols designed for the sole purpose of discovering configuration details, such as the Link Layer Discovery Protocol (LLDP) or the Cisco Discovery Protocol (CDP).
In practice, selective probing works like this: rather than constantly analyzing all network traffic, the discovery solution sends the appropriate probing calls once, then collects and processes the responses. This is usually repeated every 24 hours. Unlike parsing all network traffic for device metadata, the responses to these probes contain only the asset information we are actually interested in.
So not only is selective probing very targeted, it also consumes only a tiny fraction of the processing power and memory. For this reason, the asset discovery engine can co-exist with other industrial software, such as an HMI, on existing hardware.
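As an added illustration of what one such probe and its reply look like on the wire (example code written for this post, not code from OT-BASE or any vendor product), the functions below build a Modbus/TCP Read Device Identification request and parse the basic identification objects out of a constructed sample response; the vendor, product code and revision values are made up.

```python
import struct

# Modbus "Read Device Identification": function code 43 (0x2B) with MEI type 14 (0x0E).
FC_ENCAPSULATED_INTERFACE = 0x2B
MEI_READ_DEVICE_ID = 0x0E
# Basic identification objects that every conforming device must serve.
BASIC_OBJECT_NAMES = {0x00: "VendorName", 0x01: "ProductCode", 0x02: "MajorMinorRevision"}


def build_read_device_id(transaction_id, unit_id=1, read_code=1, object_id=0):
    """Build one Modbus/TCP request frame asking a device for its basic identification objects."""
    pdu = bytes([FC_ENCAPSULATED_INTERFACE, MEI_READ_DEVICE_ID, read_code, object_id])
    # MBAP header: transaction id, protocol id (0 = Modbus), byte count of unit id + PDU, unit id.
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_read_device_id(frame):
    """Parse the device's reply into an inventory record; raise ValueError on exception or malformed data."""
    if len(frame) < 7:
        raise ValueError("frame shorter than MBAP header")
    tid, _proto, length, unit = struct.unpack(">HHHB", frame[:7])
    pdu = frame[7:6 + length]
    if len(pdu) != length - 1:
        raise ValueError("truncated frame")
    if len(pdu) >= 3 and pdu[0] == FC_ENCAPSULATED_INTERFACE | 0x80:
        raise ValueError("Modbus exception code %d" % pdu[2])  # device refused or cannot answer
    if len(pdu) < 7 or pdu[0] != FC_ENCAPSULATED_INTERFACE or pdu[1] != MEI_READ_DEVICE_ID:
        raise ValueError("not a Read Device Identification response")
    # Bytes 2..6: read code, conformity level, "more follows" flag, next object id, object count.
    more_follows, count = pdu[4], pdu[6]
    objects, pos = {}, 7
    for _ in range(count):  # each object: id (1 byte), length (1 byte), ASCII value
        if pos + 2 > len(pdu):
            raise ValueError("truncated object list")
        obj_id, obj_len = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + obj_len]
        if len(value) != obj_len:
            raise ValueError("truncated object value")
        name = BASIC_OBJECT_NAMES.get(obj_id, "object_0x%02x" % obj_id)
        objects[name] = value.decode("ascii", "replace")
        pos += 2 + obj_len
    return {"transaction_id": tid, "unit_id": unit, "more_follows": more_follows != 0, "objects": objects}


# Constructed sample reply (not captured from a real device): vendor, product code and revision objects.
_SAMPLE_PDU = (bytes([0x2B, 0x0E, 0x01, 0x01, 0x00, 0x00, 0x03])
               + bytes([0x00, 9]) + b"ExampleCo" + bytes([0x01, 8]) + b"PLC-1000" + bytes([0x02, 4]) + b"V2.1")
SAMPLE_RESPONSE = struct.pack(">HHHB", 7, 0, len(_SAMPLE_PDU) + 1, 1) + _SAMPLE_PDU
```

In a real probe the built frame is sent once to the device on TCP port 502 and the reply handed to the parser; the resulting record is the only data that needs to be stored, which is the contrast with sifting through mirrored traffic described above.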
If you are looking for an OT asset discovery solution, consider selective probing as an alternative to passive scanning. Selective probing comes with the following benefits:
- it detects silent devices
- it reliably enumerates firmware versions, software applications and security patches
- it accurately maps network topology, including layer 1 and layer 2 characteristics
- and it doesn’t require costly hardware appliances.
Check out our OT-BASE asset management system which uses selective probing.