Software-only active OT asset discovery that scales
Identify and inventory your digital OT assets without installing a ton of network appliances
The first generation of ICS detection products relies on “passive sniffing” to infer asset identity and configuration. Not only is that unreliable (think about guessing device make & model from a MAC address); it is also costly, because hardware appliances and discovery networks need to be installed all over the place. It simply doesn’t scale.
OTbase by Langner brings proven IT asset discovery technology (targeted and credentialed device queries) to OT, using OT’s dedicated protocols such as Ethernet/IP, Modbus, Profinet, and others.
Now you can discover OT devices the same way IT asset management products have long done on the IT side, all with a small-footprint, software-only technology that supports routing and slashes deployment cost.
OTbase Discovery automatically discovers:
– Hardware make & model
– Installed operating system or firmware version
– Serial number
– Installed software applications & versions
– Installed security patches
– Network topology
– I/O modules installed on the PLC or RTU backplane
– Decentral field buses & peripherals “behind” PLCs
Secure de-central asset discovery with 24h update cycles
The unique discovery technology used by OT-BASE allows you to securely inventory thousands of networks with 24h accuracy. A swarm of autonomous discovery nodes (no appliances, no agents) that are embedded in your process network periodically probe your devices for configuration changes. Results are sent outbound to OT-BASE Asset Center as an encrypted file. This way you don’t have to open firewalls for inbound traffic, and you can even discover behind data diodes and DMZs.
“Approaches like Langner’s active communication with the devices, combined with manual entry and adjustment, are what will lead to the single source of truth asset inventory.”
- Secure de-centralized architecture
- No hardware appliances
- Selective probing
- Remote discovery
- Automatic 24h update cycle
- No software agents
“Passive Sniffing” of OT networks is obsolete for creating an asset inventory
The first generation of ICS detection tools uses so-called packet sniffers (deep packet inspection of real-time network traffic) to build asset inventories. While this technology may deliver useful results for detecting anomalies in network traffic, it is lousy for determining device identity and configuration details such as firmware versions.
OTbase Discovery takes a completely different approach. Just like software packages from the large automation vendors, it utilizes legitimate ICS and IT protocols which were specifically designed for obtaining device metadata. Some of these protocols are Modbus, Ethernet/IP, Profinet, Profibus, DeviceNet, and SERCOS.
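To make the “targeted device query” idea concrete, here is an added example (not OTbase code, and not from Langner) of the kind of query such a tool sends over Modbus/TCP: the standard Read Device Identification request (function 43, MEI type 14), together with a parser for the reply that yields vendor, product code and revision as inventory fields. The object ids and frame layout are those of the public Modbus Application Protocol specification; the device strings in the sample reply are constructed for offline testing and do not come from any real device. The optional `query_device` function that opens a TCP socket is an assumption about how you would use it against your own equipment and is not exercised here.

```python
import socket
import struct

# Modbus function 43 (0x2B) with MEI type 14 (0x0E): Read Device Identification.
FUNC_READ_DEVICE_ID = 0x2B
MEI_TYPE_DEVICE_ID = 0x0E

# Standard object ids defined by the Modbus Application Protocol specification.
OBJECT_NAMES = {
    0x00: "VendorName",
    0x01: "ProductCode",
    0x02: "MajorMinorRevision",
    0x03: "VendorUrl",
    0x04: "ProductName",
    0x05: "ModelName",
    0x06: "UserApplicationName",
}


def build_request(transaction_id, unit_id=0xFF, read_code=0x01, object_id=0x00):
    """Build a Modbus/TCP ADU asking for the device identification objects.

    read_code 0x01 = basic identification (objects 0x00-0x02, always mandatory).
    """
    pdu = bytes([FUNC_READ_DEVICE_ID, MEI_TYPE_DEVICE_ID, read_code, object_id])
    # MBAP header: transaction id, protocol id 0 (Modbus), length of unit id + PDU.
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_response(adu):
    """Parse a Read Device Identification reply into inventory fields.

    Raises ValueError on exception replies, wrong lengths or truncated objects,
    so a malformed or hostile reply never yields a half-parsed record.
    """
    if len(adu) < 7:
        raise ValueError("ADU shorter than MBAP header")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", adu[:7])
    if protocol_id != 0:
        raise ValueError("protocol id is not 0 (Modbus)")
    pdu = adu[7:]
    if len(pdu) != length - 1:
        raise ValueError("MBAP length field does not match PDU size")
    if pdu[0] == (FUNC_READ_DEVICE_ID | 0x80):
        # Exception reply: function code with high bit set, then exception code.
        code = pdu[1] if len(pdu) > 1 else None
        raise ValueError(f"device returned Modbus exception code {code}")
    if pdu[0] != FUNC_READ_DEVICE_ID or len(pdu) < 7 or pdu[1] != MEI_TYPE_DEVICE_ID:
        raise ValueError("not a Read Device Identification response")
    read_code, conformity, more_follows, next_object_id, num_objects = pdu[2:7]
    objects = {}
    pos = 7
    for _ in range(num_objects):
        if pos + 2 > len(pdu):
            raise ValueError("truncated object header")
        obj_id, obj_len = pdu[pos], pdu[pos + 1]
        pos += 2
        if pos + obj_len > len(pdu):
            raise ValueError("truncated object value")
        name = OBJECT_NAMES.get(obj_id, f"Object0x{obj_id:02X}")
        objects[name] = pdu[pos:pos + obj_len].decode("ascii", errors="replace")
        pos += obj_len
    if pos != len(pdu):
        raise ValueError("trailing bytes after last object")
    return {
        "transaction_id": transaction_id,
        "unit_id": unit_id,
        "conformity_level": conformity,
        "more_follows": more_follows == 0xFF,  # 0xFF means another request is needed
        "next_object_id": next_object_id,
        "objects": objects,
    }


def encode_sample_response(transaction_id=1, unit_id=1):
    """Constructed sample reply (not captured from any real device) for offline use."""
    objs = [(0x00, b"ExampleVendor"), (0x01, b"PLC-1000"), (0x02, b"v2.14")]
    body = b"".join(bytes([oid, len(val)]) + val for oid, val in objs)
    pdu = bytes([FUNC_READ_DEVICE_ID, MEI_TYPE_DEVICE_ID, 0x01, 0x01, 0x00, 0x00, len(objs)]) + body
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def query_device(host, port=502, unit_id=0xFF, timeout=2.0):
    """Assumed usage against your own device: one request, one reply, parsed."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(1, unit_id))
        return parse_response(sock.recv(260))


if __name__ == "__main__":
    print(parse_response(encode_sample_response())["objects"])
```

The parser insists that the MBAP length matches the bytes actually received and that every object fits inside the PDU; an inventory tool that trusts device-supplied lengths blindly is itself an attack surface on the network it is meant to protect.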
As another example, OTbase Discovery enumerates your computer software configurations by using credentialed access via the Windows Remote Management (WinRM) interface. This way you get the foundation for establishing tight configuration baselines, software lifecycle management, and vulnerability management.
You also don’t need to worry whether your investment in an OT asset management product is safe in the face of the increasing adoption of encrypted ICS protocols (Secure Modbus, Secure DNP3, Secure Ethernet/IP, …), which will make deep packet inspection useless.
The Selective Probing technology used by OTbase Discovery comes with the added benefit that it has no heavy real-time processing requirements. Resource requirements are therefore modest, making it feasible to run OTbase Discovery engines on existing HMI stations or engineering servers.
See also: Why passive scanning doesn’t scale
Download the OT-BASE asset discovery evaluation software
Check out OT-BASE Asset Discovery in your own environment. Fully functional 90-day trial for MS-Windows 7 or higher.