We see a lot of confusion and misinformation in the market when it comes to understanding active technologies for OT. Here’s what you need to know.
“Active” is a big buzzword in industrial cybersecurity these days. But what is it? How does it work? Is it safe? Do you even need it?
“Active,” in terms of device queries, means you query a device in its native communication protocol, which is an important distinction when considering an industrial cybersecurity solution. In fact, there are two key questions to ask about any cybersecurity solution you're considering for your operational technology (OT) environment:
- Is the solution’s approach best-suited for your industrial control environment?
- Is it passive, active or hybrid?
To unpack the nuances of the terminology, let’s look at this analogy:
Imagine you’re in a restaurant in a foreign country where you do not speak the native language.
Even though you can’t speak the language, you still glean some information from other patrons. You can make an educated guess about a person’s age, for example, and maybe you may even look at facial expressions to determine an individual’s mood or disposition.
That’s similar to the behavior we expect from firewalls and network monitoring solutions that are not specific to industrial control systems (ICS) when they're placed in industrial networks. These types of solutions will spot MAC addresses, associate network protocols with ports, etc. However, harvesting information this way doesn’t give you enough detail for comprehensive asset tracking or vulnerability management.
Now, getting back to our foreign country restaurant analogy: let’s assume you understand the language and you can listen to conversations. You hear people talking about what they eat and their favorite foods in general or perhaps they’re comparing their experience to other restaurants they’ve recently visited.
That’s like parsing network traffic. You understand everything being said but you are not interested in most of these conversations. What you really want to know is where each person lives, what school they attended, when they were born, etc. You want specific details about specific people.
These details are elusive even under the best circumstances and it takes time to get the information you want just by listening. Typically, the exact information you want won’t come up naturally or spontaneously.
When dealing with ICS, industrial control vendors use different communication protocols or “languages.” Typically, vendors even have different protocols based on the specific device model, but let's say you’ve figured that out. You understand every bit and byte of industrial communication protocols. Turns out, that only gets you halfway to where you want to be.
To secure all the information you want, you need to “actively” ask. And that's the secret sauce.
Returning to our restaurant analogy: if you want to find out specific information about someone, you ask them questions. You might pointedly ask someone their age (uptime), where they attended school (firmware versions), where they live (hardware configuration), etc.
And while you probably wouldn’t go up to random patrons in a restaurant and start asking them personal questions, you can query industrial control systems because they don’t typically use encryption or authentication.
What do we mean when we talk about active technologies for OT?
We see a lot of confusion and misinformation in the market about active technologies for OT. Active, in this context, is about querying devices using their native communication protocols. It’s not port scanning, knocking, banner grabbing, exploiting or leveraging vulnerabilities of any sort, It’s not querying devices in a way that can make them unstable.
Tenable is unique because our technology listens on the network and speaks, at the device level, the native communication protocols ICS vendors’ engineering stations use.
Why do we do it? How do we leverage the collected data? How do we know which dialect of a certain protocol should be used? And how do we address the devils in the tech details of this groundbreaking technology? For answers to these and other OT-related cybersecurity questions, watch our webinar, Tenable and Indegy: the First Unified, Risk-Based Platform for IT and OT Security.