ICS Asset Detection

When assessing an ICS/SCADA Environment’s security posture, one of the first steps is to identify Hosts running across the network. Unfortunately, in an OT environment, active scanning may be detrimental to normal operations and therefore passive scanning is key. This dashboard leverages information collected from Tenable Industrial Security on passively detected operating systems within the network, which can assist security teams in measuring and reducing cyber risk.

ICS is a term which describes hardware and software that are connected to a network to support critical infrastructure. Some of the most commonly used terms used in ICS are:

• Programmable Logic Controllers (PLCs)
• Remote Terminal Units (RTU)
• Intelligent Electronic Device (IED)
• Human Machine Interface (HMI)

These connected control systems manage the operation of critical equipment within power plants, water and waste treatment plants, transport industries, and more. This convergence of OT and Information Technology (IT) has raised concerns of security as the systems can now be targeted by bad actors.

These emerging threats are only going to become more prevalent, which increases the importance of Cyber Exposure. A very important step in securing an organization’s ICS environment is to know what is active on the network and develop an adequate asset list. Using Industrial Security and Tenable.sc an analyst is able to quickly and efficiently comb through the data and see many attributes of a networks health. Tenable.sc provides several dashboards that provide insight into different aspects of vulnerability and asset detection; for example, how and which SCADA protocols are used, and which types of systems are active on the network.

The OT Asset Detection dashboard provides Host Detection information detected passively by the Nessus Network Monitor and Industrial Security. The dashboard uses multiple passive fingerprinting techniques to identify operating systems. These criteria include methods from TCP header analysis to application-level identification.

The dashboard and components are available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, assurance report cards, and assets. The dashboard can be easily located in the Tenable.sc Feed under the category Security Industry Trends.

The dashboard requirements are:

• Tenable.sc 5.9.0
• Nessus Network Monitor 5.8.1
• Industrial Security 1.3.1

Tenable.sc Continuous View® (Tenable.sc CV™) along with Tenable Industrial Security enable organizations to accurately identify, investigate and prioritize vulnerabilities for critical infrastructure and operational technology. A vulnerability assessment identifies and prioritizes weaknesses that can become the pathway for adversaries to compromise control systems and disrupt critical processes. Comprehensive dashboards and reports simplify stakeholder communication. Industrial Security has comprehensive asset identification, which identifies thousands of OT and IT devices, applications and protocols, including PLCs, RTUs, HMIs, SCADA gateways, desktop computers and network devices. By passively scanning the ICS network, security teams are able to fingerprint the many devices that are on the network as well as identify vulnerabilities associated with said devices.

Listed below are the components included with this dashboard. 

ICS Asset Detection - Host Summary 

This table displays the names of the ICS devices that are visible within the network. This will allow an organization to keep track of their inventory that is active on their network. Nessus Network Monitor watches for specific calls from these devices to identify them. Then they are sent to IS and lastly Tenable.sc.

ICS Asset Detection - History of Total Assets

This Area Chart will assist an organization in knowing the history of assets within the network. Within an organization's environment, it is imperative to be aware of the number of devices that are active on the network. Lower asset counts could mean unexpected change of equipment or an unexpected equipment failure. This component shows how many assets have been in the organization over a period of 90 days.

ICS Network Utilization and Topology - Included Class C Subnets

This table assists an ICS organization in understanding the scope of its network by grouping all the IP addresses discovered passively by NNM into representative Class C subnets. This information can assist an organization in detecting any unauthorized subnets or rogue devices. Note that if the organization has a very large network, this component can be modified to present Class B subnets, if desired. The Total column displays the number of detections. The number of detections may be greater than the number of hosts in each subnet, as each host may have been detected multiple times.

ICS Asset Detection - System Types

This matrix component presents indicators of detected ICS System Types. By reviewing the activity, an analyst can better understand network communications, assess risk, and identify any potential problems within the SCADA network. Clicking on a highlighted indicator will bring up the vulnerability analysis screen to display details and allow further investigation.

ICS Asset Detection - SCADA Protocol Activity

This matrix component presents indicators of detected network activity related to SCADA protocols, and activity on standard ports used by SCADA protocols. This activity might include internal and external connections, encrypted sessions, service detections, and even detections of vulnerabilities. By reviewing the activity, an analyst can better understand network communications, assess risk, and identify any potential problems within the SCADA network. Clicking on a highlighted indicator will bring up the vulnerability analysis screen to display details and allow further investigation.