A rumor is spreading that an OT asset management system needs help from an ICS detection product in order to detect new devices in your networks. Let’s correct this misconception.
Imagine that a network-attached device stays silent. It doesn’t spontaneously emit traffic; well, at least it hasn’t so far.
A silent device will not be detected by a passive ICS detection solution that draws all its intelligence from deep packet inspection. Where there’s no traffic, there’s no detection.
It is different with an active OT discovery solution, such as the one that is part of the OT-BASE OT Asset Management software. OT-BASE Asset Discovery actively probes networks periodically. There is no way for a device to stay silent because it must at least respond to low-level ARP and ICMP requests. Gotcha!
That means that a silent device will be discovered by OT-BASE within 24 hours at the latest. No help necessary. Think of it like a guard on 24-hour patrol.
Now let’s discuss the more common case, in which a new device is introduced to a network and does emit traffic. Can an OT asset management system discover such a device without help from passive scanning?
This new device will be discovered pretty much in real time, right after its very first interaction with other devices.
Even though OT-BASE Asset Discovery doesn’t engage in deep packet inspection of SPAN port traffic, it does constantly listen to broadcasts. The first ARP request of a new device will instantly trigger a discovery probe that will result in detailed information about the new device, such as make and model, installed firmware, serial number, etc.
Picture OT-BASE Asset Discovery as a hawk circling over your networks, ready to catch its prey the moment a new device shows signs of life.
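The broadcast-listening step described above can be sketched as follows. This is an added example, not OT-BASE code: it parses raw Ethernet frames, keeps only broadcast ARP requests, and reports sender MACs that are missing from a known inventory, which is the point where a follow-up discovery probe would be queued. The function names, the inventory format, and the sample frames are assumptions constructed for illustration.

```python
import struct

ETH_ARP, BROADCAST = 0x0806, b"\xff" * 6

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, dst_mac) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42:  # 14-byte Ethernet header + 28-byte ARP body
        return None
    dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa = struct.unpack("!HHBBH6s4s", frame[14:32])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, sha.hex(":"), ".".join(map(str, spa)), dst

def first_sightings(frames, inventory):
    """Return (mac, ip) events for broadcast ARP requests from MACs not in the inventory."""
    has_ip, events = {mac: True for mac in inventory}, []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue  # truncated or non-ARP traffic
        op, mac, ip, dst = parsed
        if op != 1 or dst != BROADCAST:
            continue  # only broadcast requests reach every listener on the segment
        addr = None if ip == "0.0.0.0" else ip  # RFC 5227 ARP probe: address not yet claimed
        if mac not in has_ip or (addr and not has_ip[mac]):
            events.append((mac, addr))  # hypothetical hook: queue a discovery probe here
        has_ip[mac] = has_ip.get(mac, False) or addr is not None
    return events

def _arp(dst, mac, ip, op=1, ethertype=ETH_ARP):
    """Build a constructed sample frame (not captured traffic)."""
    sha = bytes.fromhex(mac.replace(":", ""))
    spa = bytes(map(int, ip.split(".")))
    body = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op, sha, spa, bytes(6), bytes([192, 0, 2, 1]))
    return struct.pack("!6s6sH", dst, sha, ethertype) + body

INVENTORY = {"02:00:00:00:00:01"}  # constructed: MACs already recorded
SAMPLE_FRAMES = [
    _arp(BROADCAST, "02:00:00:00:00:01", "192.0.2.10"),        # known asset
    _arp(BROADCAST, "02:00:00:00:00:aa", "0.0.0.0"),           # new device, ARP probe
    _arp(BROADCAST, "02:00:00:00:00:aa", "0.0.0.0"),           # repeated probe
    _arp(BROADCAST, "02:00:00:00:00:aa", "192.0.2.77"),        # same device, address known
    _arp(bytes.fromhex("020000000001"), "02:00:00:00:00:bb", "192.0.2.20", op=2),  # unicast reply
    _arp(BROADCAST, "02:00:00:00:00:cc", "192.0.2.30", ethertype=0x0800),  # not ARP
    _arp(BROADCAST, "02:00:00:00:00:dd", "192.0.2.40")[:30],   # truncated
]
```

Calling `first_sightings(SAMPLE_FRAMES, INVENTORY)` yields one event when the unknown MAC first appears and a second once it announces a real address; repeated probes, unicast replies, and malformed frames produce nothing.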
The bottom line
An OT asset management system can work in concert with an ICS detection product. However, the idea that ICS detection could and should help the asset management system in detecting new devices on the network has no merit.
What ICS detection can provide is information on suspicious activity that the OT asset management system doesn’t pick up. However, it appears that such information is best processed in an enterprise SIEM environment that both ICS detection and OT asset management feed into.
See it for yourself, today
You can verify the capabilities of the OT-BASE Asset Discovery software for yourself using the free evaluation version. Check it out today in your lab environment.