This article was updated on September 12, 2019.
Hardly a week goes by without alarming headlines regarding cyberattacks and data breaches. Thankfully many of them don’t target industrial networks, but it’s clear that cyber threats are a top concern for executives.
CISOs are looking for ways to assess and manage OT risk and are asking both IT and OT leaders for help.The reality, however, is that their staff generally don’t have the tools needed to stay on top of ICS cyber security and operational risks.
At the fundamental level, good cyber security requires knowing your network, knowing your assets and knowing when things change. Until recently tools for easily visualizing and documenting the industrial network have been few and far between.
Nozomi Networks products lead a class of relatively new passive industrial network monitoring technologies that easily tackle the challenges of real-time network monitoring and creating up-to-date asset inventories.
Let’s look at Guardian’s network visualization and asset inventory capabilities – knowing that improving system visibility at this level improves cyber resiliency and goes a long way towards managing the OT risk that is on executives’ minds.
Network Visualization Improves Situational Awareness and Speeds Troubleshooting
Passive industrial network monitoring tools work by being connected to a SPAN or mirror port of a switch or router and observing network communications. Nozomi Networks Guardian, for example, is a “no process risk” solution that is readily deployed.
As soon as installation is complete, Guardian starts analyzing the ICS network traffic and builds an interactive visualization of it. Operators and cyber security staff see the industrial network nodes visualized, often for the first time. They quickly perceive aspects of their ICS that they weren’t previously aware of, and can easily drill down to find more information.
An extensive amount of useful information is available, such as:
- A macro view of the entire industrial control network, including all entities with an IP or MAC address that communicate on the network. This includes
- Assets and nodes with IP or MAC addresses
- Devices without IP addresses, such as those that communicate at Layer 2 of the OSI model (e.g. a substation device that uses the GOOSE protocol)
- Nested devices, such as serial devices behind gateways
- The network topology showing zones, protocols used to communicate between the zones, and VLANs
- The protocols used to communicate to and from nodes
- A mapping of all network connections including sessions and links
- The ability to drill down on any endpoint or connection to see detailed attributes
- Network traffic information such as throughput, protocols and open TCP connections
- A view of multiple, geographically distributed industrial sites, when deployed with the Nozomi Networks Central Management Console
- Printable and exportable versions of the network structure and its details, in multiple file formats
A Fast and Easy Way to Inventory your ICS
Another security fundamental provided by Guardian is automated asset inventory. Developing and maintaining a centralized OT system inventory is a very difficult and time-consuming project. Guardian dramatically addresses this challenge by non-intrusively identifying assets, keeping them up-to-date, and monitoring them in real-time.
Dedicated Asset Views make it easy to visualize, find and drill down into asset information. Assets, including common industrial devices, are presented:
- Grouped visually, as per the Purdue model
- In list views
- In detailed, single asset views
Many attributes are tracked for each asset, including device name, type, serial number, firmware version, product name and components. It is also easy to add metadata for assets, such as location or site.
Guardian also captures context about each device, such as how it is being used. For example, it recognizes when a Cisco switch (as indicated by its MAC address) is being used as a Siemens Scalence Switch (the PROD vendor). This important attribute leads to lower false positives in anomaly detection and vulnerability identification, as compared to products that don’t recognize encompassing systems.
Changes to hardware, software and devices are communicated via alerts which quickly bring potential cyber incidents or process risks to the attention of appropriate staff.
Accurate Asset Inventory Results in Accurate Cyber Security Alerts
Nozomi Networks believes that asset accuracy is an important basis for cyber security alerts and policies. We designed our solution to not just infer information about assets, instead it validates details and provides precise descriptions.
In comparison with other passive ICS monitoring systems, Guardian stands out in terms of:
- Providing a high level of detail about each asset
- Completely validating the details of an asset, such as the manufacturer, before naming it
- Differentiating between MAC vendors and PROD vendors
- Giving priority to local MAC addresses over those assigned by routers
- Identifying components as being part of another system, such as a control system
Here’s an example of how accurate asset information provides the detail needed to make a cyber security alert truly helpful. Another passive ICS monitoring solution might provide an alert that says:
“TCP ports were scanned”.
By contrast, the same alert from Guardian indicates:
“xxxxx.xxxscada.local, Telvent OASYSDNA Host tried to discover services on target IPS: 101 connection attempts with 0 successful connections in less than 10 seconds, also target 10.xx.xx.xx’ (x’s for further anonymization).”
Reduce OT Risk with Network Visualization and Asset Inventory
While cyber threats like Triton, Industroyer and WannaCry frequent the news, there is reason to be optimistic about improving industrial cyber security. New solutions that are easy and safe to deploy, and that provide comprehensive ICS cyber security, are now available.
The Nozomi Networks solution, for example, provides complete visibility to OT networks and their risk exposure. Its network visualization dashboards and automated asset inventory provide the fundamental information needed for accurately identifying and remediating ICS cyber security risks.
Our products also consolidate information from many industrial sites in a single monitoring toolset and they provide a common platform to facilitate IT/OT convergence.
If you’re worried about OT cyber risk, request a demo today to find out how our products can help your organization improve operational visibility, reduce cyber risks and enhance reliability.