Software-only active OT/ICS asset discovery that scales
Identify, inventory, and manage your digital OT/ICS assets without installing a ton of network appliances
The first generation of ICS detection products relied on “passive sniffing” to infer asset identity and configuration. Not only is that unreliable — think about guessing device make & model by MAC address. It is also costly because hardware appliances and discovery networks need to be installed all over the place. It simply doesn’t scale.
OT-BASE by Langner brings proven IT asset discovery technology (targeted and credentialed device queries) to OT, using OT’s dedicated protocols such as Ethernet/IP, Modbus, Profinet, and others.
Now you can discover OT devices just like IT asset management products used to for the IT side. All that using a small-footprint, software-only technology that supports routing and slashes deployment cost.
– Hardware make & model
– Installed operating system or firmware version
– Serial number
– Installed software applications & versions
– Installed security patches
– Network topology
– I/O modules installed on the PLC or RTU backplane
– Decentral field buses & peripherals “behind” PLCs
Secure de-central asset discovery with 24h update cycles
The unique discovery technology used by OT-BASE allows you to securely inventory thousands of networks with 24h accuracy. A swarm of autonomous discovery nodes (no appliances, no agents) that are embedded in your process network periodically probe your devices for configuration changes. Results are sent outbound to OT-BASE Asset Center as an encrypted file. This way you don’t have to open firewalls for inbound traffic, and you can even discover behind data diodes and DMZs.
Approaches like Langner’s active communication with the devices, combined with manual entry and adjustment, is what will lead to the single source of truth asset inventory.”
- NSecure de-centralized architecture
- NNo hardware appliances
- NSelective probing
- NRemote discovery
- NAutomatic 24h update cycle
- NNo software agents
Why “Passive Sniffing” of OT/ICS networks is obsolete
The first generation of ICS discovery tools use so-called packet sniffers (deep packet inspection of realtime network traffic) to build asset inventories. While this technology may deliver useful results for detecting anomalies in network traffic, it is lousy for determining device identity and configuration details such as firmware versions.
OT-BASE Asset Discovery takes a completely different approach. Just like software packages from the large automation vendors, it utilizes legitimate ICS and IT protocols which were specifically designed for obtaining device metadata. Some of these protocols are Modbus, Ethernet/IP, Profinet, Profibus, DeviceNet, and SERCOS.
As another example, OT-BASE Asset Discovery enumerates your computer software configurations by using credentialed access via the Windows Management Instrumentation (WMI) interface. This way you get the foundation for establishing tight configuration baselines, software lifecycle management, and vulnerability management.
You also don’t need to worry if your investment in an OT asset management product is secure in the face of increasing adoption of encrypted ICS protocols (Secure Modbus, Secure DNP3, Secure Ethernet/IP, …), which will make deep packet inspection useless.
The Selective Probing technology used by OT-BASE Asset Discovery comes with the added benefit that it doesn’t have juicy realtime processing requirements. Therefore, resource requirements are sparse, making it feasible to have OT-BASE Asset Discovery engines run on existing HMI stations or engineering servers.
See also: Why passive scanning doesn’t scale >
Download the OT-BASE asset discovery evaluation software
Check out OT-BASE Asset Discovery in your own environment. Fully functional 90-day trial for MS-Windows 7 or higher.
Learn about OT-BASE Active Discovery from these videos:
Enabling OT Resilience