Digital attacks continue to weigh on the minds of industrial cybersecurity (ICS) professionals. In a 2019 survey, 88% of ICS experts told Tripwire they were worried about what a digital attack could mean for their industrial organization. The rate was even higher for those working in the manufacturing and oil & gas sectors at 89% and 97%, respectively.
Such widely held concern suggests a need for industrial organizations to make greater investments in their digital security posture. Those efforts should begin with strengthening your asset discovery capabilities, an integral part of knowing what’s on your network. David Bisson put it this way in a post for the State of Security:
Organizations can’t protect ICS devices, systems, and networks including those responsible for controlling critical infrastructures if they’re unaware of their existence. Otherwise, they simply use ignorance to assume that they’re secure, thereby placing them into a position of reacting to security incidents instead of proactively defending against them. Even if they are aware of these devices, industrial organizations can still expose themselves to risk by not consistently implementing security measures such as configuration controls.
An incomplete picture of what’s on your network means you might not know which security flaws make your assets a target for digital attackers and which changes might affect the network. This knowledge is especially crucial in today’s evolving threat landscape. Indeed, IBM X-Force revealed in February 2020 that attacks against ICS systems and OT assets had increased by over 2000% since 2018. On top of that, knowing what assets are on your network is usually the first step on your way to complying with any security framework for industrial organizations.
You need to build a complete picture of what’s on your network using asset discovery. But it’s not so simple. Industrial organizations need to choose which specific method of asset discovery to employ They have two main choices: active and passive discovery.
Active discovery involves interacting with the network via different methods. Most commonly, you send out queries using a native ICS protocol. This helps you to manually collect information on the assets that are connected to the industrial network.
Active discovery is the most comprehensive means of data collection by far. It can get basic information like an asset’s device name, IP and MAC address as well as more granular configuration data such as make and model, firmware versions, installed software/versions and OS patch levels. That being said, active discovery’s queries do create additional traffic, potentially contributing to network latency.
Rather than actively sending out queries to discover connected assets, you can use switched port analysers (SPANs) or network test access points (TAPs) to passively analyse a copy of the network’s traffic. This method of data collection does have its benefits. Most notably, it is not disruptive; passive discovery doesn’t create any additional traffic, so there’s no additional network latency. Not only that, but under passive discovery, you can simply connect/disconnect to the network without additional infrastructure.
Passive discovery isn’t a perfect solution, however. For one thing, it’s less comprehensive than active discovery, because you’re not using queries to profile the network. You also need to wait for assets to generate traffic so that you can passively analyse them, so the process can take some time. Lastly, there’s the additional risk that a power failure in an appliance could prevent traffic from flowing through, thus producing a packet loss that camouflages the asset.
But Wait, There’s One More Asset Discovery Method!
Fortunately, you’re not bound to choose between passive and active discovery. You can do both under a hybrid discovery model. One way method would be to passively collect information from traffic that’s generated on the network while sending out active queries on a needed basis. Using this hybrid method will give you the most comprehensive information possible via continuously monitoring the network, all without disrupting the network or adding to the network latency.
Tripwire’s Industrial Appliance (TIA) can help your industrial organization acquire visibility over all industrial assets by running Tripwire Industrial Visibility (TIV). It does this by providing industrial organizations with two deployment choices—SPAN ports and a forthcoming bump-in-the-wire option—to conduct active, passive and/or hybrid asset discovery on their network. Best of all, both of those deployment methodologies come equipped with hardware bypasses to prevent the drop of packages in case of a power failure. (You’ll be able to configure this setting in an upcoming TIA-OS.)
Click here to learn more about how Tripwire can improve your visibility into your organization’s industrial environment.