
ICS Network Utilization and Topology

by Cesar Navas
April 18, 2019

Understanding the network topology is a critical first step in understanding the security posture of an ICS/SCADA environment. Because ICS/SCADA devices are so critical to operations, they cannot be scanned using traditional active scanning methods. This dashboard leverages information collected by Industrial Security to passively detect the operating systems, protocols, and applications used on the ICS network.

ICS is a term which describes hardware and software that are connected to a network to support critical infrastructure. Some of the terms most commonly used in ICS are:

  • Programmable Logic Controllers (PLCs)
  • Remote Terminal Units (RTU)
  • Intelligent Electronic Device (IED)
  • Human Machine Interface (HMI)

These connected control systems manage the operation of critical equipment within power plants, water and waste treatment plants, transport industries, and more. This convergence of Operational Technology (OT) and Information Technology (IT) has raised security concerns, as the systems can now be targeted by bad actors.

An organization should always be aware of its network topology, both to keep an eye on the types of devices that are in the network and to determine whether there has been a potential unauthorized connection into the network. Using Tenable.sc along with Tenable Industrial Security, an analyst can monitor network traffic and identify the most active users/devices as well as the most active ports.

Information on recent network changes as well as indicators of systems by type will assist the organization in maintaining accurate inventory and detecting rogue devices or unauthorized users. Information on the most active systems, ports, and protocols will help in tracking regular activity as well as discovering any unusual event.

Understanding the network topology enables a customer to build out a view of what is communicating on the customer's networks. The ICS Network Utilization and Topology dashboard assists an organization in determining how at risk the ICS network is. This dashboard provides an analyst with the top hosts with internal connections to and from other hosts, as well as a count of hosts separated into their respective Class C subnets. Vulnerability counts along with the most talkative TCP/UDP ports are also highlighted. Lastly, system types as well as protocol activity are identified using data from Industrial Security.

The dashboard and components are available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, assurance report cards, and assets. The dashboard can be easily located in the Tenable.sc Feed under the category Security Industry Trends.

The dashboard requirements are:

  • Tenable.sc 5.9.0
  • Nessus Network Monitor 5.8.1
  • Industrial Security 1.3.1

Tenable.sc Continuous View® (Tenable.sc CV™) along with Tenable Industrial Security enables organizations to accurately identify, investigate and prioritize vulnerabilities for critical infrastructure and operational technology. Vulnerability assessment identifies and prioritizes weaknesses that can become the pathway for adversaries to compromise control systems and disrupt critical processes. Comprehensive dashboards and reports simplify stakeholder communication. Industrial Security has comprehensive asset identification, which identifies thousands of OT and IT devices, applications and protocols, including PLCs, RTUs, HMIs, SCADA gateways, desktop computers and network devices. By passively scanning the ICS network, security teams are able to properly fingerprint the many devices that are on the network as well as identify vulnerabilities associated with those devices.

Listed below are the components included with this dashboard. 

ICS Network Utilization and Topology - Top Hosts with Most Internal Connections to Other Hosts

This table presents information on the hosts with the most passively detected internal connections to other hosts (Internal Client Trusted Connection). The table is sorted so that the host with the highest count of detections is at the top. This information can assist an organization in understanding who is talking to whom, as well as detecting any unauthorized or suspicious host connections. The Total column displays the number of detections. The number of detections may not equal the number of other hosts to which this host is connecting, as some detections may include multiple hosts, and multiple connections to the same host may also have been detected. Note that only passively detected internal host connections will be displayed, and this may not include all possible internal connections.

ICS Network Utilization and Topology - Top Hosts with Most Internal Connections from Other Hosts

This table presents information on the hosts with the most passively detected internal connections from other hosts (Internal Server Trusted Connection). The table is sorted so that the host with the highest count of detections is at the top. This information can assist an organization in understanding who is talking to whom, as well as detecting any unauthorized or suspicious host connections. The Total column displays the number of detections. The number of detections may not equal the number of other hosts connecting to this host, as some detections may include multiple hosts, and multiple connections from the same host may also have been detected. Note that only passively detected internal host connections will be displayed, and this may not include all possible internal connections.

ICS Network Utilization and Topology - Included Class C Subnets

This table assists an ICS organization in understanding the scope of its network by grouping all the IP addresses discovered passively by NNM into representative Class C subnets. This information can assist an organization in detecting any unauthorized subnets or rogue devices. Note that if the organization has a very large network, this component can be modified to present Class B subnets, if desired. The Total column displays the number of detections. The number of detections may be greater than the number of hosts in each subnet, as each host may have been detected multiple times.

ICS Asset Detection - System Types

This matrix component presents indicators of detected ICS System Types. By reviewing the activity, an analyst can better understand network communications, assess risk, and identify any potential problems within the SCADA network. Clicking on a highlighted indicator will bring up the vulnerability analysis screen to display details and allow further investigation.

ICS Asset Detection - SCADA Protocol Activity

This matrix component presents indicators of detected network activity related to SCADA protocols, and activity on standard ports used by SCADA protocols. This activity might include internal and external connections, encrypted sessions, service detections, and even detections of vulnerabilities. By reviewing the activity, an analyst can better understand network communications, assess risk, and identify any potential problems within the SCADA network. Clicking on a highlighted indicator will bring up the vulnerability analysis screen to display details and allow further investigation.

ICS Network Utilization and Topology - Most Talkative Ports

This table presents the most talkative ports that were detected to be open by various passive scanning techniques. The table is sorted so that the ports with the highest number of detections are at the top. This table displays ports that are detected to be open, not necessarily ports that are being actively used. To reduce the network attack surface, open ports that are not being used should be disabled. The data in this table does not count against the Tenable.sc licensing.
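To make the distinction between detections and distinct hosts in the Top Hosts, Included Class C Subnets and Most Talkative Ports components concrete, here is an added Python example (not Tenable code; the detection records are constructed) that aggregates passive connection detections the way those tables do, including the Class B variant the subnet component mentions:

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample of passive connection detections (not data from the page):
# (client_ip, server_ip, server_port). The same pair can be detected repeatedly,
# which is why a host's Total can exceed its number of distinct peers.
DETECTIONS = [
    ("10.1.1.10", "10.1.1.20", 502),    # Modbus/TCP
    ("10.1.1.10", "10.1.1.20", 502),    # repeat detection of the same pair
    ("10.1.1.10", "10.1.2.30", 20000),  # DNP3
    ("10.1.1.11", "10.1.1.20", 502),
    ("10.1.2.31", "10.1.1.20", 44818),  # EtherNet/IP
    ("10.1.3.5",  "10.1.1.20", 502),
    ("10.1.1.11", "10.1.2.30", 20000),
]

def _aggregate(pairs):
    """Count detections per key and the distinct peers seen for each key."""
    counts, peers = Counter(), defaultdict(set)
    for key, peer in pairs:
        counts[key] += 1
        peers[key].add(peer)
    return {k: (counts[k], len(peers[k])) for k in counts}

def top_clients(detections):
    """Hosts with the most internal connections TO other hosts: {host: (detections, distinct servers)}."""
    return _aggregate((c, s) for c, s, _ in detections)

def top_servers(detections):
    """Hosts with the most internal connections FROM other hosts: {host: (detections, distinct clients)}."""
    return _aggregate((s, c) for c, s, _ in detections)

def subnet_summary(detections, prefix=24):
    """Group every detected address into its /24 (Class C) or, for large networks, /16 (Class B).
    Returns {subnet: (detections, distinct hosts)}; detections exceed hosts when a host repeats."""
    pairs = []
    for c, s, _ in detections:
        for ip in (c, s):
            net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
            pairs.append((str(net), ip))
    return _aggregate(pairs)

def talkative_ports(detections):
    """Server ports ordered by number of detections, highest first."""
    return Counter(port for _, _, port in detections).most_common()

def ranked(table):
    """Sort a {key: (detections, distinct)} table by detections, highest first, like the dashboard."""
    return sorted(table.items(), key=lambda kv: kv[1][0], reverse=True)
```

Reviewing the ratio of detections to distinct peers per host (or per subnet) is a quick way to spot a host that is talking to many new peers rather than merely repeating an established connection.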
