In an earlier blog, we discussed the importance of passive asset monitoring to discover and understand the functions of assets in an Industrial Control System (ICS) network. Passive monitoring silently analyzes network traffic through a span port or tap to identify assets and traffic patterns. Perfectly safe, it doesn’t generate any additional network traffic and introduces no risk of disruption of critical processes.
But there are limitations. Passive monitoring requires a lot of time to collect requisite asset data as it must wait for network traffic to be generated to and from each asset to create a baseline profile. In addition, taps and span ports are not always available throughout the network, creating blind spots and limiting visibility across the entire OT environment.
So, what’s the solution? Active scanning!
Where passive monitoring “listens” to the normal flow of traffic, active scanning generates and sends test traffic into the network directed at the assets. This method is very effective not only in gathering basic profile information such as device name and type, and IP and MAC address, but also in obtaining more granular configuration data such as make and model, firmware version, OS patch levels, and more. This additional information not only gives operators more knowledge about how their assets are operating, it also enables cybersecurity and risk management solutions to deliver a finer level of accuracy in alert generation, risk scores, and more.
Drawbacks to Active Scanning
But there is no free lunch and active scanning doesn’t come without a cost. Historically, ICS operators have been reluctant to pay the price. Here are six reasons why:
1. Network Traffic
Generating and sending packets directly to assets, active scanning can be faster at collecting data than its passive counterpart, but it also runs the risk of saturating a network with additional traffic. In cases where network traffic is already near capacity, there is little tolerance for more.
2. Legacy Assets
In the typical IT environment, workstations and servers are frequently patched, updated, and even replaced. Not so in the OT world. PLCs, machines, and other assets often operate for many years – even decades. Current knowledge about these “ancient” legacy assets – for example, the protocols and operating systems they employ – might be lacking. In such cases, it is hard to understand what these old-timers are doing, if they are still active, and what sort of cyber risk they represent.
3. Lack of Uniformity
Unlike the IT world, where endpoints are overwhelmingly uniform – Windows or macOS workstations, Linux servers, etc. – ICS networks tend to connect assets from a wide variety of vendors, some of which are no longer in business. These assets host a diversity of operating systems, firmware levels, and communication protocols. Therefore, an effective active scan would need to understand all of the potential variations to elicit the information it needs.
4. Too Much Noise
ICS assets like programmable logic controllers (PLCs) and safety instrumented systems (SISs) – particularly legacy equipment – can be overwhelmed by too many network queries, or they may malfunction when they receive unexpected communication protocols. Active scanning therefore introduces an element of risk to smooth operation.
5. Not Continuous
Active scanning does not monitor the network 24/7. While passive scans are “always on,” active scans are initiated only periodically or on-demand, preferably when normal traffic flow is moderate. Also, adding new assets or changing asset parameters will not be registered between active scans.
6. Listening But Not Speaking
Some assets do what they are told, but don’t initiate communications. Active scanning might not detect devices that are in listen-only mode. Besides discovering them, it needs to find a way to “converse” with them to obtain the information it needs.
Getting Active
Active scanning has come a long way. Today, a great deal of experience dealing with legacy and modern asset types from a wide variety of vendors is programmed into an active scanner’s capabilities. Active scanners can communicate in a wide range of protocols with “ancient” assets as well as the latest ones to hit the market.
Leading active scanners, like the aptly named Active Scanner product by Radiflow, have learned how to deal with network traffic limitations, employing various techniques to limit and time the amount of traffic they generate so as not to overwhelm network capacities and asset capabilities. They are aware of the traffic needs of the operation and keep the number and frequency of queries below the network-traffic threshold and the operational limits of individual assets. One example of the many special techniques employed by Radiflow’s Active Scanner is the ability to perform targeted scans rather than querying the entire network. Targets can be certain network segments, specific groups of industrial assets (e.g., PLCs), defined IP ranges, silent devices, and other groupings. Active Scanner never uses brute force or exploit-based discovery methods on industrial assets, as these might introduce excessive risk to operations. Instead, Active Scanner uses safe active query methods – communicating with OT assets using their native protocols – to minimize the chance of service interruption (exhaustively tested in Radiflow Labs).
Scan results are saved by Active Scanner and made available for download in various formats (PCAP, CSV, JSON), to integrated Radiflow products such as iSID and CIARA as well as to non-Radiflow products for deeper analysis.
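To make the two ideas above concrete – a read-only query in an asset’s native protocol, and a scan plan that is targeted at a chosen IP range and throttled to a packet budget – here is an added illustration in Python. It is not Radiflow’s code and does not describe how Active Scanner works internally; it uses the standard Modbus/TCP “Read Device Identification” request (function 0x2B, MEI type 0x0E), and the device response it parses is a constructed sample, not output from a real controller.

```python
import struct
from ipaddress import ip_network

# Read Device Identification is a read-only Modbus query: it returns the
# vendor, product code and revision strings without writing to the PLC.
def build_device_id_request(transaction_id: int, unit_id: int = 1) -> bytes:
    # PDU: function 0x2B, MEI type 0x0E, read code 0x01 (basic objects), first object 0x00
    pdu = bytes([0x2B, 0x0E, 0x01, 0x00])
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)  # MBAP header
    return mbap + pdu

def parse_device_id_response(frame: bytes) -> dict:
    tid, _proto, length, unit = struct.unpack(">HHHB", frame[:7])
    pdu = frame[7:7 + length - 1]
    if pdu[0] & 0x80:  # exception response: function | 0x80, MEI type, exception code
        raise ValueError(f"Modbus exception code {pdu[2]:#x}")
    # pdu[1..6]: MEI type, read code, conformity level, more-follows, next object id, object count
    count = pdu[6]
    names = {0: "vendor", 1: "product_code", 2: "revision"}
    objects, pos = {}, 7
    for _ in range(count):
        obj_id, obj_len = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + obj_len].decode("ascii", errors="replace")
        objects[names.get(obj_id, f"object_{obj_id}")] = value
        pos += 2 + obj_len
    return {"transaction_id": tid, "unit_id": unit, **objects}  # JSON-ready record

def plan_scan(cidrs, max_pps: float):
    """Spread one query per host across the target segments at no more than max_pps packets/s.
    Returns (send_offset_seconds, host) pairs; a real scanner would sleep between them."""
    hosts = [str(h) for c in cidrs for h in ip_network(c).hosts()]
    gap = 1.0 / max_pps
    return [(round(i * gap, 3), h) for i, h in enumerate(hosts)]

def constructed_response(tid: int = 7, unit: int = 1) -> bytes:
    """Constructed sample reply (hypothetical vendor strings), used only for offline testing."""
    objs = [(0, b"ExampleVendor"), (1, b"PLC-1000"), (2, b"v2.1.4")]
    body = b"".join(bytes([i, len(v)]) + v for i, v in objs)
    pdu = bytes([0x2B, 0x0E, 0x01, 0x01, 0x00, 0x00, len(objs)]) + body
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu
```

Two packets per second across a /29 takes three seconds; the same plan over a full /16 at that rate shows why targeted ranges, not whole-network sweeps, are the only practical option on a congested OT segment.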
We notice that operators are rapidly adopting risk management solutions. Active Scanner obtains and delivers the rich and granular data that solutions – like Radiflow’s CIARA – ingest to generate highly accurate risk analyses.
Passive and Active Together
The nirvana of asset data collection combines passive monitoring and active scanning of ICS networks. Passive monitoring collects real-time asset data 24/7 while periodic active scanning deepens the data, improving the performance of asset management, threat detection, risk management, and other systems.
Complementing Radiflow’s industry-leading iSID passive monitoring, its latest product, Active Scanner, enables operators to achieve this nirvana, maximizing visibility across the entire OT environment and collecting the richest data for a wide variety of cyber and other purposes.
Contact Radiflow to learn more about iSID, CIARA, and OT cybersecurity services.
Active scanning of OT networks boosts cybersecurity and asset management