ICS Asset Inventory and Network Diagrams, Part 1
Before implementing any anomaly detection product or security controls, it’s necessary to have comprehensive network diagrams. This requires defining, inventorying, and categorizing the computer systems and applications within the industrial control system (ICS), as well as the networks within—and interfacing to—the ICS.
In an ideal world the inventory and diagrams would be 100% complete, automatically generated, continuously updated, and integrated with other tools. They’d contain everything you’d want to know about the asset, be accessible to all that need the data, and secure from those that don’t. Unfortunately, the current situation is that network information usually consists of multiple, out-of-date, and incomplete documents in a wide variety of formats. Different internal departments often maintain different inventory lists.
Generating an asset inventory presents many challenges. The information is difficult to gather, consolidate and maintain. Systems are highly distributed, and often reside on a variety of small, isolated networks. There are usually a wide variety of products, and many different proprietary protocols.
It is possible to manually gather and maintain an inventory for a small facility or packaged machine. However, manual methods would be time-consuming and cost-prohibitive for most plants. Automated tools can passively and actively scan networks and generate documentation that is 50–80% complete. Semi-automated tools can gather data from existing tools and integrate the data into a common database. In general, there are three methodologies to discover and gather information about ICS assets: passive monitoring, active monitoring, and configuration parsing.
Passive monitoring silently analyzes network traffic to identify endpoints and traffic patterns. It creates no additional network traffic and has virtually no risk of disrupting critical processes. Passive monitoring is only able to identify devices that are communicating on the network; it cannot find dormant devices, because they generate little or no traffic to analyze.
Active monitoring works by sending test traffic into the network and polling endpoints. Active monitoring can be very effective in gathering device profile information. For instance, in ICS networks with validated systems and/or packaged OEMs where network traffic may be sporadic, active scanning can be faster than passive monitoring in collecting data, but it increases the risk of endpoint malfunction.
Some asset discovery and monitoring solutions now blend elements of both active and passive methodologies. They can maximize visibility into the ICS and enable security teams to deploy the right approach for each network segment.
Configuration parsing automatically retrieves device configuration files from the system and parses the files to find detailed information. Configuration parsing typically runs as a service or script on ICS computers, and reports to a centralized server or console.
An alternative approach is semi-automated asset inventory. Semi-automated methods passively collect data from sources, parse and aggregate the data, and produce an inventory database and/or spreadsheet. They are non-intrusive; provide deep information gathering; are quick, affordable, and scalable; and require no extra hardware. However, they do require additional effort to gather and aggregate the data.
Automated tools are useful, but costly and time consuming to deploy. Semi-automated methods can be a more effective way to develop an asset inventory quickly. aeSolutions has developed a methodology for asset owners to gather ICS inventory data using existing tools and store them in a central database for analysis and reporting.
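The following is an added example, not part of the original article and not aeSolutions' methodology or tooling. It shows in code the two points made above about passive monitoring and semi-automated inventory: a passive pass over connection records (constructed here in the shape of a flow log from a span-port collector) yields active endpoints, their client/server roles and the ICS protocols they speak, while merging in a second existing source (a constructed switch ARP table) fills in MAC addresses and surfaces hosts that never appeared on the wire, exactly the dormant devices passive monitoring alone would miss. All IPs, MACs and the port-to-protocol table are assumptions for illustration.

```python
"""Passive ICS asset inventory from flow records, merged with an ARP table.

Added example (not from the article, not aeSolutions' tool). All input data
below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional

# Well-known ICS protocol ports used to label observed server traffic.
ICS_PORTS = {
    502: "Modbus/TCP",
    102: "S7comm",
    20000: "DNP3",
    44818: "EtherNet/IP",
    47808: "BACnet/IP",
}


@dataclass
class Asset:
    ip: str
    mac: Optional[str] = None
    sources: set = field(default_factory=set)    # data sources that saw the host
    roles: set = field(default_factory=set)      # "client" and/or "server"
    protocols: set = field(default_factory=set)  # ICS protocols observed
    peers: set = field(default_factory=set)      # IPs it exchanged traffic with


# Constructed connection records: src_ip dst_ip dst_port transport
FLOW_LOG = """\
10.10.1.20 10.10.1.50 502 tcp
10.10.1.20 10.10.1.51 502 tcp
10.10.1.21 10.10.1.60 20000 tcp
10.10.1.20 10.10.1.60 20000 tcp
10.10.1.21 10.10.1.5 53 udp
"""

# Constructed ARP table from a cell switch: an independent, already-existing source.
ARP_TABLE = """\
10.10.1.20 00:11:22:33:44:01
10.10.1.21 00:11:22:33:44:02
10.10.1.50 00:11:22:33:44:03
10.10.1.51 00:11:22:33:44:04
10.10.1.60 00:11:22:33:44:05
10.10.1.99 00:11:22:33:44:06
"""


def parse_flows(text):
    """Return (src, dst, dst_port, proto) tuples; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[2].isdigit():
            continue
        flows.append((parts[0], parts[1], int(parts[2]), parts[3]))
    return flows


def parse_arp(text):
    """Return {ip: mac} from 'ip mac' lines."""
    return {p[0]: p[1].lower() for p in (l.split() for l in text.splitlines()) if len(p) == 2}


def passive_inventory(flows, inventory=None):
    """Every IP that sends or receives traffic is an active endpoint; the
    destination port tells us which ICS protocol the server side speaks."""
    inventory = {} if inventory is None else inventory
    for src, dst, port, _proto in flows:
        for ip in (src, dst):
            inventory.setdefault(ip, Asset(ip)).sources.add("traffic")
        inventory[src].roles.add("client")
        inventory[dst].roles.add("server")
        inventory[src].peers.add(dst)
        inventory[dst].peers.add(src)
        label = ICS_PORTS.get(port)
        if label:
            inventory[src].protocols.add(label)
            inventory[dst].protocols.add(label)
    return inventory


def merge_arp(inventory, arp):
    """Semi-automated step: add the switch's view, filling MACs and adding hosts
    the traffic capture never showed."""
    for ip, mac in arp.items():
        asset = inventory.setdefault(ip, Asset(ip))
        asset.sources.add("arp")
        asset.mac = mac
    return inventory


def dormant_candidates(inventory):
    """Hosts known to a static source but never observed on the wire."""
    return sorted(ip for ip, a in inventory.items() if "traffic" not in a.sources)


def build_inventory(flow_text=FLOW_LOG, arp_text=ARP_TABLE):
    return merge_arp(passive_inventory(parse_flows(flow_text)), parse_arp(arp_text))


def report(inventory):
    """One line per asset, sorted numerically by IPv4 address."""
    lines = []
    for ip in sorted(inventory, key=lambda s: tuple(int(o) for o in s.split("."))):
        a = inventory[ip]
        lines.append(f"{ip:<12} mac={a.mac or '?':<17} roles={','.join(sorted(a.roles)) or '-':<13} "
                     f"protocols={','.join(sorted(a.protocols)) or '-':<16} sources={','.join(sorted(a.sources))}")
    return lines


if __name__ == "__main__":
    inv = build_inventory()
    print("\n".join(report(inv)))
    print("seen only in ARP (candidate dormant devices):", dormant_candidates(inv))
```

In the constructed data, 10.10.1.99 appears only in the ARP table, so it is reported as a dormant candidate that a passive tool alone would never list, while 10.10.1.5 appears only in traffic (no MAC from this switch), which is the kind of cross-source discrepancy a consolidated database lets an asset owner investigate rather than lose between departmental spreadsheets.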