Active Asset Discovery & Data Enrichment for ICS Networks

Using safe active OT scanning, Active Scanner enables full industrial asset discovery in networks lacking port mirroring or passive monitoring, in either standalone or hybrid mode (with iSID).

In hybrid mode, Active Scanner complements the existing passive listening functionality of the iSID industrial threat detection platform with an active scanning component, which provides more comprehensive asset data (such as modules, PLC version, project version and many others) than would otherwise be picked up in a normal operation cycle.

Developed specifically for OT networks, Active Scanner uses safe active query methods – communicating with OT assets using their native protocols – to minimize the chance of service interruption (exhaustively tested in Radiflow labs). The result is a comprehensive security report, complete with all asset data and communication history, as well as a PCAP file for each execution for playing back its underlying communication.

Active Scanner uses targeted scans of specific groups of industrial assets (e.g. PLCs), based on iSID-collected data, rather than querying the entire network as is typical of IT scanning solutions. These scans identify live as well as silent devices and collect additional information from existing devices.

Depending on asset type, Active Scanner is able to send proprietary broadcast messages (normally sent by engineering stations) and industrial protocol commands to devices (for both proprietary control plane protocols and open protocols). These communications are detected by iSID, which, by listening to the assets’ responses, is able to correlate the data with the Asset Management database.

Active Scanner does not require any network reconfiguration to allow a mirrored stream for passive scanning, making it suitable for ICS networks that don’t allow mirrored streaming for IDS deployment. Furthermore, to minimize risk, Active Scanner never uses any brute force or exploit-based discovery methods on industrial assets.

Active Scanner offers targeted scans for discovery and fetching asset information for:
• Protocols: Modbus, CIP, Profinet, SNMP, IT ICMP, NMAP, DNP3, WMI
• Vendors: Schneider Electric Modicon, Allen Bradley, Siemens
• Operating Systems: Windows OS

Active Scanner allows for ad-hoc or scheduled scans, for discovering new assets and changing conditions on the OT network. In both cases the user is able to perform unicast scans of a defined IP range.
Scan results with scanned device parameters are saved to the Active Scanner, available for download in a particular format (PCAP, CSV or JSON), and transmitted to integrated Radiflow products such as iSID and CIARA for deeper analysis. Scan PCAP files for all types of scans are also available for download and can be uploaded directly to iSID.

The Active Scanner dashboard provides an at-a-glance view of the operator’s scanning activity by type, activity and over time.

Active Scanner is deployed either standalone or within a hybrid configuration with iSID (in which Active Scanner would still be required to run on a separate server).

