
How to Ensure Safe and Complete Data Collection in OT Environments

June 10, 2024

Complete and accurate asset data is foundational to security and compliance. However, collecting this data in an OT environment is more challenging than in IT environments, due to unique operational requirements. To achieve this, a careful blend of approaches is essential for comprehensive and operationally safe OT asset data collection. Watch this video featuring Greg Valentine, SVP of Solutions Engineering at Industrial Defender, to learn more about how we safely gather the most complete data while supporting operations with our best-in-class integrated data approach.

Complete, Accurate Asset Information is the Foundation for Secure Industrial Operations

"Accurate, complete asset data is essential to ensure that industrial companies can defend systems against today’s challenging threat environment. Quick, convenient access to this information also enables plants to keep up with growing compliance requirements. […]
Information collection should be automated to the maximum extent possible, with methods that allow frequent, non-disruptive detection of system changes. Passive network scanning methods are useful, but they don’t capture all the required information and don’t see isolated devices. Complete, accurate asset information requires a blend of data collection approaches that include intelligent active scanning to capture and monitor device configurations, agents within devices to capture anomalous activities, and bidirectional integration with other systems that can provide relevant asset information."
-- Snitkin, S. (2023). Complete, Accurate Asset Information Is the Foundation for Secure Industrial Operations. ARC Advisory.

The cornerstone of security and compliance in operational environments is reliable OT asset data. Your understanding of your OT environment begins with an asset inventory; if that inventory is limited to knowing which devices are present on your network, you need to go deeper.

To manage your OT assets and cyber risks, you need detailed information about each endpoint, such as software versions, configurations, vulnerabilities, patches, firewall rules, and PLC key switch positions. This requires an integrated approach to data collection, combining passive and active methods, and offering both agent-based and agentless options.

Industrial Defender's Approach

Industrial Defender takes an integrated data collection approach, tailored to your specific environment, providing the most effective and operationally safe way to gain deep insights into your OT environment.

One of Industrial Defender’s major strengths is the diversity of techniques available for data collection. The capability to distinguish between devices and apply tailored approaches is crucial in operational technology (OT) environments. Many organizations have sensitive assets, PLCs for example, that nobody wants to look at cross-eyed for fear they'll fall over. We have an approach for that. Other devices are more robust and stable, and for those we have approaches that allow a richer conversation with the device, including communication through the device’s native protocol. The ability to gather a broad array of data elements and properties significantly benefits security and compliance.

Exploring the range of data collection methods:

Manual Ingestion: Let’s begin with a technique that isn't automated from the start: manual ingestion. Many companies still manually document device information within their OT environments. Staff members walk the plant, logging data in spreadsheets periodically—monthly or quarterly. By importing this data into our system, companies can consolidate what might otherwise be hundreds or even thousands of spreadsheets. Within our interface, they can easily query data and generate reports, reducing the complexity of managing manually collected data and assessing it in combination with other system data.

Passive Monitoring: Now, let’s talk about passive monitoring, often seen as the 'easy button' by many organizations. This method involves monitoring network traffic to identify all devices present, their characteristics, and the protocols they use. If firmware details are transmitted over the network, our system can identify the firmware version as well. Passive monitoring can also be targeted to a specific device, tracking its communications and the data transmitted to and from it. While this approach may not yield a large volume of configuration data, it provides valuable, actionable insights. It simply requires plugging our sensor into a SPAN port or network tap to observe network traffic.

Active methods: Passive monitoring is a common way for us to get started with an organization and to perform initial asset discovery. It tells you which devices we see and which protocols they use. From there, these devices can be onboarded into a more active dialogue. We take a very OT-specific approach when implementing active methods, proven to be operationally safe and effective since 2006.

We offer several options for active monitoring.

Native Polling & OT Protocols

One such option is what we call native polling, which leverages the most common OT protocols—DNP3, Modbus, ENIP/CIP, Delta V, Siemens, Step 7, and others. If a device understands any of these protocols, then it can respond to queries in a way that is both secure and aligned with OT operational norms. We ask simple questions like, "Tell me about yourself," and the device provides the information. Our system is adept at receiving, logging, and utilizing this data. This method represents the safest way to have an active conversation with OT devices, using the OT protocols themselves.
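The "Tell me about yourself" query above has a concrete form in Modbus: the Read Device Identification function (function code 0x2B, MEI type 0x0E), a read-only request that returns vendor name, product code and revision. The following is an added example, not Industrial Defender's code; it builds the request frame and parses a constructed response from a fictional PLC, rejecting malformed or exception frames instead of trusting device output blindly.

```python
import struct

# Object ids defined by the Modbus spec for Read Device Identification (function 0x2B, MEI 0x0E)
DEVICE_ID_OBJECTS = {0x00: "VendorName", 0x01: "ProductCode", 0x02: "MajorMinorRevision",
                     0x03: "VendorUrl", 0x04: "ProductName", 0x05: "ModelName",
                     0x06: "UserApplicationName"}

def build_read_device_id_request(transaction_id, unit_id=1, read_code=0x01, object_id=0x00):
    """Encode MBAP header + Read Device Identification PDU. read_code 0x01 = basic objects."""
    pdu = bytes([0x2B, 0x0E, read_code, object_id])
    # MBAP: transaction id, protocol id (0 = Modbus), remaining length (unit id + PDU), unit id
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu

def parse_read_device_id_response(frame):
    """Decode a Modbus/TCP response into named identification objects; raise on malformed input."""
    if len(frame) < 9:
        raise ValueError("frame too short")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("malformed MBAP header")
    pdu = frame[7:]
    if pdu[0] & 0x80:                      # exception response: function | 0x80, then exception code
        raise ValueError("Modbus exception code 0x%02x" % pdu[1])
    if pdu[:2] != b"\x2B\x0E" or len(pdu) < 7:
        raise ValueError("not a complete Read Device Identification response")
    conformity, more_follows, next_obj, count = pdu[3], pdu[4], pdu[5], pdu[6]
    objects, pos = {}, 7
    for _ in range(count):                 # each object: id (1 byte), length (1 byte), value
        if pos + 2 > len(pdu):
            raise ValueError("truncated object header")
        obj_id, obj_len = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + obj_len]
        if len(value) != obj_len:
            raise ValueError("truncated object value")
        name = DEVICE_ID_OBJECTS.get(obj_id, "Object0x%02x" % obj_id)
        objects[name] = value.decode("ascii", errors="replace")
        pos += 2 + obj_len
    return {"transaction_id": tid, "unit_id": unit, "conformity_level": conformity,
            "more_follows": more_follows == 0xFF, "next_object_id": next_obj, "objects": objects}

def _obj(obj_id, text):
    return bytes([obj_id, len(text)]) + text.encode("ascii")

# Constructed sample response from a fictional PLC (not captured from a real device)
SAMPLE_PDU = bytes([0x2B, 0x0E, 0x01, 0x01, 0x00, 0x00, 0x03]) + \
    _obj(0x00, "ExampleCo") + _obj(0x01, "PLC-1000") + _obj(0x02, "V2.1.0")
SAMPLE_RESPONSE = struct.pack(">HHHB", 7, 0, len(SAMPLE_PDU) + 1, 1) + SAMPLE_PDU
```

The example never opens a socket; a real collector would send the request to TCP port 502 and feed the reply to the parser, honouring `more_follows` to page through additional objects.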

IT Protocols & Agentless

This is not to be confused with IT-style scanning, which can disrupt operations: we leverage IT protocols to collect information, frequently from network devices. We also refer to this as an agentless approach. For instance, we can SSH into your firewalls and switches, which are critical for understanding and managing your network configurations. We also utilize Telnet and SNMP. Additionally, we can receive and log syslog from devices, focusing on the key value pairs you need to monitor. These are IT-based protocols employed to achieve outcomes similar to those of the OT protocols. We can even perform HTML screen scraping for OT devices that only offer an HTML output screen, extracting field values from these screens and logging that data as well.

Agent-based Methods

Let’s delve into the use of agent technology. We've been deploying agents for well over a decade. Our agents operate on a variety of platforms, including Windows, Linux, Unix, and even Solaris, underscoring our long-standing expertise in agent technology. There are notable advantages to using agents over agentless methods.

For instance, although it is feasible to use SSH to connect to Linux or Unix machines to gather configuration data, or WinRM, which utilizes PowerShell, to collect information from Windows systems, choosing agent-based methods offers significant benefits. While the data collected through agentless methods is approximately 90% similar to that obtained via agents, agents are able to capture fully comprehensive data. Agents are always active, collecting data in real time and allowing continuous monitoring.

We ensure that agents never consume more than 1% of CPU capacity and provide you with the ability to manage the network bandwidth used between the agent and our sensor. In contrast, using WinRM to query a Windows machine remotely offers no such control over resource usage; the Windows system uses whatever resources it needs to respond to the query.

Moreover, agents are instrumental in security monitoring. They continuously watch for security events such as repeated failed authentication attempts, which may indicate a brute force attack, or unauthorized USB device usage. With an agent in place, any such incidents are instantly reported within the user interface, enabling immediate alert generation and response.
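The syslog key-value extraction described under IT protocols and the agent-side detection of failed logins and USB insertions described here share the same first step: turning raw log lines into fields. The following is an added example (not Industrial Defender's code) that parses constructed RFC 3164 syslog lines from a fictional HMI host, extracts the auth and USB fields, and raises an alert when one source address produces a burst of failures inside a sliding time window.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog lines (RFC 3164 style) from a fictional HMI host, not real data
SAMPLE_SYSLOG = """\
<38>Jun 10 09:00:01 hmi01 sshd[2201]: Failed password for operator from 10.20.0.55 port 50112 ssh2
<38>Jun 10 09:00:03 hmi01 sshd[2203]: Failed password for operator from 10.20.0.55 port 50114 ssh2
<38>Jun 10 09:00:04 hmi01 sshd[2205]: Failed password for admin from 10.20.0.55 port 50116 ssh2
<38>Jun 10 09:00:06 hmi01 sshd[2207]: Accepted password for operator from 10.20.0.12 port 50120 ssh2
<38>Jun 10 09:00:08 hmi01 sshd[2209]: Failed password for root from 10.20.0.55 port 50118 ssh2
<14>Jun 10 09:01:10 hmi01 kernel: usb 1-1: new high-speed USB device number 4 using xhci_hcd
"""

SYSLOG_RE = re.compile(r"^<(\d+)>(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) ([^\[:]+)(?:\[(\d+)\])?: (.*)$")
AUTH_RE = re.compile(r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port (\d+)")
USB_RE = re.compile(r"usb [\d.-]+: new .*USB device")

def parse_syslog(line):
    """Split one RFC 3164 line into the key/value pairs worth keeping; None if it does not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri, ts, host, app, pid, msg = m.groups()
    rec = {"facility": int(pri) >> 3, "severity": int(pri) & 7, "host": host, "app": app,
           "pid": pid, "time": datetime.strptime(ts, "%b %d %H:%M:%S"), "msg": msg}
    a = AUTH_RE.search(msg)
    if a:   # sshd auth result becomes event/user/src/port fields
        rec.update(event="auth_" + a.group(1).lower(), user=a.group(2), src=a.group(3), port=int(a.group(4)))
    elif USB_RE.search(msg):
        rec["event"] = "usb_attach"
    return rec

def detect_failed_auth_bursts(records, threshold=3, window_s=60):
    """One alert per source address that produced >= threshold failures within any window_s span."""
    by_src = defaultdict(list)
    for r in records:
        if r and r.get("event") == "auth_failed":
            by_src[r["src"]].append(r["time"])
    alerts = []
    for src, times in by_src.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):            # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append({"source": src, "failures": best, "window_s": window_s})
    return alerts
```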

A Unique Portable Approach for Difficult Assets – Industrial Defender Reach

Industrial Defender Reach is an alternative solution that mirrors the output of our traditional agent, without the installation requirements. Unlike WinRM, which provides about 90% of the data that an agent would, Reach delivers an output that is identical to that of an agent.

The key advantage of Reach is its simplicity and non-intrusiveness. There is no need for a permanent installation on your Windows machines—it operates through a simple binary. Users can execute this binary with a double-click, which then generates an output file. This file can be seamlessly imported into our system, providing the same quality of data as if an agent were running on the device.

Reach is designed with sensitivity and discretion in mind. It does not install any services or run continuously in the system memory. After execution, it leaves no active footprint—it merely resides on the desktop or server, making it an ideal choice for environments where minimal interference with the host system is critical.

Database Integration: To round out our data collection methods, we offer database integration. If a client has an existing database where they have been storing relevant information, we can craft a set of queries to extract this data and populate our solution. Once the initial data integration is complete, we leverage our automated solutions to continually collect this data on a daily basis. This process ensures that all stored information is seamlessly integrated and updated within our system, utilizing the various automated techniques we have discussed. This approach not only streamlines the data aggregation process but also enhances the overall efficiency and accuracy of data management within our solution.

Trustworthy OT asset data is the bedrock of OT security and compliance.

At Industrial Defender, we understand the crucial need for complete and accurate OT asset data to ensure operational resilience. Our suite of data collection methods is designed to cater to the specific requirements of different asset types and operational scenarios in OT environments. From agent and agentless to active and passive and more, different approaches can be leveraged for precise data collection without disrupting operations. By integrating these diverse methods, we offer a scalable and flexible solution that enhances both the security and efficiency of OT environments, demonstrating our commitment to maintaining the highest standards of operational integrity.