Let’s first talk about asset discovery in general and why it is useful, even critical, to most organisations.
What Is Asset Discovery?
Asset discovery is the ability to provide visibility of all devices located within an organisation with limited or no human interaction. Most organisations would start off manually maintaining a list of their devices or assets in a shared document such as an Excel spreadsheet, making changes whenever a new device is either acquired or depreciated.
This process is manageable when organisations are relatively small and not that complex. However, this method becomes very flawed when organisations or networks begin to grow. One of the main pain points with this methodology is time. Keeping these lists updated can become a full-time job in some cases.
However, most organisations have caught on to the fact that device management is a critical part of not only their operations process but also their security process, and not having visibility or knowledge of devices on their network could open them up to potential security weak points. For example, how do you know which devices need to be patched if you don’t know they are there?
With that being said, there are a few methods organisations can adopt to assist in this regard, and to be honest, most organisations have most probably already purchased software solutions that could assist.
A good example of this would be along the lines of a SIEM or log management solution. Most mid- to large-size organisations should have some form of log management solution in place for either fulfilling a compliance requirement or maintaining good security practices. These tools can usually provide some form of asset discovery functionality without any additional cost – the difference being what level they provide out-of-the-box and how much they can be customised to fit the organisation’s processes.
Standard Asset Discovery vs Passive Asset Discovery?
Let’s now look at the standard asset discovery process and the potential pitfalls it harbors.
Standard asset discovery methodologies usually involve a solution going out over a network and polling the endpoint devices with which it comes into contact. This could be something as basic as doing a ping across the network and seeing which devices respond, or it could get as complex as the solution attempting to log in to the devices it discovers in order to pull back a full inventory of connected applications.
Although this approach can be effective, it does require a level of insecurity in that the organisation’s firewalls will need to allow both outgoing and incoming requests across the network. This approach also likely affects the network: traffic is being broadcast around the network to the devices in scope, thereby slowing networks down in a lot of cases.
Another approach, and arguably a slightly better one, could be something as simple as listening for traffic already being broadcast around a network, e.g. syslog messages being created by the devices themselves. This approach does remove the threat of network bandwidth consumption but does rely on the organisation making sure that all devices are enabled to send syslogs.
Personally, I prefer the latter option, as it not only reduces the network consumption but also requires firewall configurations that are more secure by allowing traffic in one direction and usually only on one dedicated port, such as UDP 514.
Let’s Talk About Passive Asset Discovery
This now brings us to most probably the best approach I can recommend: passive asset discovery via syslog.
Both the standard and the passive syslog approaches to asset discovery entail a syslog message being captured by a log management solution and an asset being automatically created based on the data contained within the syslog itself, e.g. a new source IP.
This data would be considered live data as the log management solution would have to be listening when the syslog is broadcast in order to create the asset. If the log management solution missed the syslog for any reason, then the asset would never be created. Sadly, this is a common occurrence in large organisations. Discovering a missing syslog asset two months later could mean that attackers could have exploited and compromised business assets during that period.
Fortunately, passive asset discovery enables organisations to create assets using not only live broadcast syslog data but also historical data. Having a passive discovery methodology provides the ability to pull in asset data from alternate data sources such as archived syslog messages. Even better would be having the ability to schedule this functionality to only poll through archived data at a pre-defined date/time in order to reduce the load on the log management solution.
Another use case involves enabling organisations that are located across different geographic regions to copy their local syslog archives over to a head office repository and then have the head office scan the archived logs for any new devices listed in them. This could help identify any potential security breaches or just help maintain the asset repository manifest from a head office perspective.
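The archived-syslog scan described above, as an added example (not code from the article or from any log management product). It assumes each archived line was stored as receive time, sender IP, then the raw RFC 3164 message; the function name, site names, inventory and sample lines are constructed for illustration.

```python
import ipaddress
import re
from datetime import datetime

# Assumed archive layout (not from the article): the collector stored each
# message as "<ISO-8601 receive time> <sender IP> <raw RFC 3164 message>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) <(?P<pri>\d{1,3})>"
    r"(?:[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d )?(?P<host>\S+) "
)

# Constructed sample archives, one per regional site (not real log data).
SAMPLE_ARCHIVES = {
    "plant-a": [
        "2024-03-01T08:15:02 10.20.1.5 <134>Mar  1 08:15:01 hmi-01 app: operator login",
        "2024-03-01T08:15:09 10.20.1.77 <29>Mar  1 08:15:08 plc-line3 fw: config change",
        "2024-03-03T02:41:50 10.20.1.77 <29>Mar  3 02:41:49 plc-line3 fw: link up",
        "2024-03-03T02:42:10 10.20.1.999 <29>Mar  3 02:42:09 bad-rec x: y",
        "garbage line with no structure",
    ],
    "plant-b": [
        "2024-03-02T11:00:00 10.30.4.12 <86>Mar  2 10:59:59 eng-ws-9 sshd: session opened",
    ],
}
KNOWN_IPS = ["10.20.1.5"]  # existing asset inventory (constructed)

def discover_assets(archives, known_ips):
    """Scan archived syslog per site; return (new_assets, skipped_line_count)."""
    known = {ipaddress.ip_address(ip) for ip in known_ips}
    found, skipped = {}, 0
    for site, lines in archives.items():
        for line in lines:
            m = LINE_RE.match(line)
            try:
                ip = ipaddress.ip_address(m.group("ip"))
                seen = datetime.fromisoformat(m.group("ts"))
            except (AttributeError, ValueError):
                skipped += 1  # no match, bad IP or bad timestamp: count, don't guess
                continue
            if ip in known:
                continue  # already in the inventory, nothing to create
            a = found.setdefault(str(ip), {
                "site": site, "first_seen": seen, "last_seen": seen,
                "hostnames": set(), "messages": 0})
            a["first_seen"] = min(a["first_seen"], seen)
            a["last_seen"] = max(a["last_seen"], seen)
            a["hostnames"].add(m.group("host"))
            a["messages"] += 1
    return found, skipped
```

When messages pass through a relay, the sender IP belongs to the relay rather than the originating device, which is why the hostname from the message header is recorded alongside it. The skipped-line count is returned so that a damaged archive shows up as a number to investigate rather than as silently missing assets.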
Asset Discovery in an ICS Environment
Now, if you take that approach and adopt it towards an ICS environment, the benefits could be massive.
Imagine being able to gather the syslog data from all of the OT devices, even the preferred ‘no touch’ devices, such as a PLC (which is usually sitting within level 5 of the OT Purdue model), and have it moved securely into the IT organisation so that the IT log management solution can then passively scan the logs and create the assets without the need to open up connectivity between IT and OT.
This is a great step towards bridging the IT and OT world without compromising security barriers.
The IT organisation could then utilise their resources and expertise in asset management and security best practices and alert OT of any new devices discovered unexpectedly. IT could also monitor for potential patterns of interest that OT should be aware of and again alert if the severity level goes above the organisation’s level of acceptability.
Without passive asset discovery functionality, this cross-functional team methodology would be really hard to achieve and could ultimately cost the organisation a lot more money and resources by potentially having two teams doing the same job within the organisation.