Combining Passive and Active Detection in OT and IoT to Enhance Cyber Resilience

Combining Passive and Active Detection in OT and IoT to Enhance Cyber Resilience

Historically, for security sensors monitoring OT networks and ICS systems in critical infrastructure, the only allowed end user approach was the passive approach. To minimize risk, the conditions of OT networks made it that such devices could not be actively involved in monitoring.

Real-time passive monitoring provides visibility of these networks without interfering with traffic and disrupting operations. Knowing what is communicated on your network, along with when and how, is beneficial for asset inventory, vulnerability management, operational visibility, and defense against cyberattacks. But in the ever-evolving cyber threat landscape, passive monitoring alone may not be sufficient.

In this blog, we will discuss ways to enhance passive monitoring, including active monitoring, and the benefits of these various methodologies. We’ll cover how the Nozomi Networks platform offers a comprehensive approach to monitoring to enable organizations to secure their OT and IoT systems.

Configuration Files and External Data Integrations Can Enhance Passive Monitoring

To enhance passive monitoring, system configuration files, if available, can be imported to enrich asset inventory. The configuration file is a snapshot of static information bound to a specific system. Of course, there are limitations. Configuration files are not always available because some vendors do not share this information and if the information is not current, then the files are outdated.  

OT and ICS environments also contain a multitude of technologies from external third-party vendors. External data integrations are required to consolidate information on the third-party vendor assets with existing asset information to keep the asset inventory up to date. The challenge with bringing in external data is that it relies on third-party technology that might not always be available, and different sources might have different levels of accuracy.

The benefit of passive monitoring is that it provides continuous network monitoring by relying on existing communication. However, passive monitoring has limitations that could affect accurate asset inventory, vulnerability assessment and visibility of non-communicating devices. Active monitoring addresses some of the limitations of passive monitoring.

Active Detection in OT & IoT

Introducing active monitoring into OT and IoT environments requires a cultural shift. Pure scanning implies throughput increase and a bad use of CPU cycles of the endpoints, affecting the network performance and stability.

Some solutions tackle the issue of increased throughput and bad use of CPU cycles associated with pure scanning through active detection via active queries and active detection by endpoint sensor.

Active Detection via Active Queries and Endpoint Sensor

Unlike classic scanning, active detection via active queries aims to interrogate devices based on the knowledge of their protocol capabilities, leveraging special messages and instructions that are known to return useful information, while not affecting device stability. This is a must for embedded devices, where agent-based solutions cannot be hosted.

Active detection via active queries is suitable when OT/IoT embedded devices are in use and when IT devices are in use and endpoint sensor can’t be used.  With active detection via active queries, you get the following benefits:

  • Maximum visibility on embedded devices
  • Enhanced visibility on Windows / Linux / macOS devices
  • Enhanced vulnerability assessment. For example, a CCTV camera’s vendor, product name and firmware version are not available through passive detection. By actively fetching this information, vulnerabilities are calculated.

Now let’s discuss active detection via endpoint sensor. Having an endpoint sensor boosts visibility all the way to the endpoint, combining network detections, traffic monitoring in the installed machine, and asset detections. This sensor adds capabilities that would not be possible without sitting on the target machine. The bulk network monitoring offered by a passive monitoring is then complemented by local monitoring, transforming the target machines into sensors themselves, including the possibility to run active detection via active queries (which we mentioned above) from the endpoint itself.

With active detection via an endpoint sensor, you get the following benefits:

  • Unique host-based detections, providing for maximum visibility on Windows / Linux / macOS devices
  • Enhanced vulnerability assessment
  • Full local visibility by using traffic monitoring directly from endpoint sensor, without relying on switches or taps
  • Full visibility for assets not communicating over the network via an offline data collection
  • All the benefits of "Active detection by active queries” as they can be run from the endpoint

Combining the Power of Passive & Active Detection for OT & IoT with Nozomi Networks

The Nozomi Networks platform combines both passive and active monitoring to provide maximum visibility and protection without compromising the stability of the networks and the endpoints.

Nozomi Guardian and Remote Collector sensors provide passive monitoring of your OT and IoT environments. When configured in passive mode, they process mirrored traffic on your network without generating additional traffic. Guardian leverages our knowledge base of over 200 protocols and thousands of devices for more accurate asset identification, vulnerability assessment, network statistics and behavioral analysis.  

Guardian also supports the importation of configuration files. With knowledge of the schema of the configuration files for major automation vendors, asset and network information can be mapped for a more accurate asset inventory. Standardized configuration files like SCD (used for IEC 61850 substation asset identification and configuration) are also supported. Asset information from external sources, including asset management solutions, can be integrated into Guardian for more up-to-date information on third-party assets.

Guardian Air also makes it possible to passively monitor wireless networks. Data from Guardian Air can be integrated with Vantage for comprehensive visibility.

Bulk network monitoring offered by Guardian/Remote Collectors monitors the network passively, as enabler. Local endpoint-based network monitoring is enabled by Arc, which enables to edge communication monitoring from the devices it is installed on, helping overcome any switch reconfiguration limitations, and transforming any supported endpoint into a Nozomi Networks sensor.  

Active detection by active queries is done by Smart Polling in the Nozomi Networks platform. Smart Polling can also be used from endpoints secured by Arc, giving unprecedented reach for segmented networks where Guardian interfaces are not allowed to poll the process/IoT network.

Additional unique host-based detections are added by Arc to complement network-based ones to give maximum accuracy and context, such as Sigma rules, user-activity correlation, and USB’s physical access detections. Data Integrations and Configuration file imports can be used as a plus.