Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

ICS Asset Detection

by Cesar Navas
April 19, 2019

When assessing an ICS/SCADA Environment’s security posture, one of the first steps is to identify Hosts running across the network. Unfortunately, in an OT environment, active scanning may be detrimental to normal operations and therefore passive scanning is key. This dashboard leverages information collected from Tenable Industrial Security on passively detected operating systems within the network, which can assist security teams in measuring and reducing cyber risk.

ICS is a term which describes hardware and software that are connected to a network to support critical infrastructure. Some of the most commonly used terms used in ICS are:

  • Programmable Logic Controllers (PLCs)
  • Remote Terminal Units (RTU)
  • Intelligent Electronic Device (IED)
  • Human Machine Interface (HMI)

These connected control systems manage the operation of critical equipment within power plants, water and waste treatment plants, transport industries, and more. This convergence of OT and Information Technology (IT) has raised concerns of security as the systems can now be targeted by bad actors.

These emerging threats are only going to become more prevalent, which increases the importance of Cyber Exposure. A very important step in securing an organization’s ICS environment is to know what is active on the network and develop an adequate asset list. Using Industrial Security and Tenable.sc an analyst is able to quickly and efficiently comb through the data and see many attributes of a networks health. Tenable.sc provides several dashboards that provide insight into different aspects of vulnerability and asset detection; for example, how and which SCADA protocols are used, and which types of systems are active on the network.

The OT Asset Detection dashboard provides Host Detection information detected passively by the Nessus Network Monitor and Industrial Security. The dashboard uses multiple passive fingerprinting techniques to identify operating systems. These criteria include methods from TCP header analysis to application-level identification.

The dashboard and components are available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, assurance report cards, and assets. The dashboard can be easily located in the Tenable.sc Feed under the category Security Industry Trends.

The dashboard requirements are:

  • Tenable.sc 5.9.0
  • Nessus Network Monitor 5.8.1
  • Industrial Security 1.3.1

Tenable.sc Continuous View® (Tenable.sc CV™) along with Tenable Industrial Security enable organizations to accurately identify, investigate and prioritize vulnerabilities for critical infrastructure and operational technology. A vulnerability assessment identifies and prioritizes weaknesses that can become the pathway for adversaries to compromise control systems and disrupt critical processes. Comprehensive dashboards and reports simplify stakeholder communication. Industrial Security has comprehensive asset identification, which identifies thousands of OT and IT devices, applications and protocols, including PLCs, RTUs, HMIs, SCADA gateways, desktop computers and network devices. By passively scanning the ICS network, security teams are able to fingerprint the many devices that are on the network as well as identify vulnerabilities associated with said devices.

Listed below are the components included with this dashboard. 

ICS Asset Detection - Host Summary 

This table displays the names of the ICS devices that are visible within the network. This will allow an organization to keep track of their inventory that is active on their network. Nessus Network Monitor watches for specific calls from these devices to identify them. Then they are sent to IS and lastly Tenable.sc.

ICS Asset Detection - History of Total Assets

This Area Chart will assist an organization in knowing the history of assets within the network. Within an organization's environment, it is imperative to be aware of the number of devices that are active on the network. Lower asset counts could mean unexpected change of equipment or an unexpected equipment failure. This component shows how many assets have been in the organization over a period of 90 days.

ICS Network Utilization and Topology - Included Class C Subnets

This table assists an ICS organization in understanding the scope of its network by grouping all the IP addresses discovered passively by NNM into representative Class C subnets. This information can assist an organization in detecting any unauthorized subnets or rogue devices. Note that if the organization has a very large network, this component can be modified to present Class B subnets, if desired. The Total column displays the number of detections. The number of detections may be greater than the number of hosts in each subnet, as each host may have been detected multiple times.

ICS Asset Detection - System Types

This matrix component presents indicators of detected ICS System Types. By reviewing the activity, an analyst can better understand network communications, assess risk, and identify any potential problems within the SCADA network. Clicking on a highlighted indicator will bring up the vulnerability analysis screen to display details and allow further investigation.

ICS Asset Detection - SCADA Protocol Activity

This matrix component presents indicators of detected network activity related to SCADA protocols, and activity on standard ports used by SCADA protocols. This activity might include internal and external connections, encrypted sessions, service detections, and even detections of vulnerabilities. By reviewing the activity, an analyst can better understand network communications, assess risk, and identify any potential problems within the SCADA network. Clicking on a highlighted indicator will bring up the vulnerability analysis screen to display details and allow further investigation.

Try for Free Buy Now

Try Tenable.io

FREE FOR 60 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now.

Buy Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

$2,275.00

Buy Now

Try for Free Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, email, community and chat support 24 hours a day, 365 days a year. Full details here.

Try for Free Buy Now

Try Tenable.io Web Application Scanning

FREE FOR 60 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578.00

Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security

FREE FOR 60 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Learn More about Industrial Security

Get a Demo of Tenable.sc

Please fill out the form below with your contact information and a sales representative will contact you shortly to schedule a demo. You may also include a short comment (limited to 255 characters). Please note that fields with asterisks (*) are mandatory.