Deciphering the difference between the two types of asset discovery can be critically important to your industrial control system operations, as well as your IT and operations connections.
Two terms which have become more prevalent across industry as the threats to industrial control systems (ICS) have become amplified are “passive” and “active” methods of asset discovery for monitoring. But it’s not just cybersecurity driving the importance of asset discovery, it’s just good network hygiene—which is critical to modern industrial network viability. After all, how can you know which devices need to be patched or otherwise serviced if you don’t know they are there?
Dean Ferrando of Tripwire, a supplier of cybersecurity software, notes that most organizations start off “manually maintaining a list of devices or assets in a shared document such as an Excel spreadsheet, making changes whenever a new device is either acquired or depreciated. This process is manageable when organizations are relatively small and not that complex. However, this method becomes very flawed when organizations or networks begin to grow. Keeping these lists updated over time can become a full-time job in some cases.”
With this in mind, let’s look more closely at the two methods of asset discovery.
“Active” methods, also known as standard asset discovery, commonly use software that polls devices across a network—the classic ping-and-response process. But they can also use “discovering devices that attempt to log in to devices in order to pull back a full inventory of connected applications,” says Ferrando.
The problem with active methods is that they can slow down the network, because all of those contact attempts are broadcast across the network to the devices. This is clearly a problem for time-sensitive networks like an ICS, which is why there is a clear trend toward passive methods of asset discovery.
Ferrando notes that the passive asset discovery approach, which essentially listens for traffic being broadcast around a network, removes the threat of network bandwidth consumption; however, it also requires that all devices be enabled to send syslogs. “I prefer this option, as it not only reduces the network consumption, but also requires firewall configurations that are more secure by allowing traffic in one direction—and usually only on one dedicated port,” he adds.
The syslog approach can be used with active and passive methods and requires that a syslog message be captured by a log management system, with an asset being automatically created based on the data contained within the syslog itself. Used in this “active” manner, that “data would be considered live data, as the log management solution would have to be listening when the syslog is broadcast in order to create the asset,” says Ferrando. “If the log management solution missed the syslog for any reason, then the asset would never be created. Sadly, this is a common occurrence in large organizations. Discovering a missing syslog asset two months later could mean that attackers could have exploited and compromised business assets during that period.”
All of this gives passive asset discovery methods an additional edge: they can use historical network data, e.g., archived syslog data, for asset discovery.
Looking more specifically at asset discovery in an ICS environment, Ferrando says, “Imagine being able to gather the syslog data from all of your operations devices, even the preferred ‘no touch’ devices, such as PLCs, which are usually found within level 0 or level 1 of the OT Purdue model, and have them moved securely into the IT organization for the IT log management solution to then passively scan the logs and create the assets without the need to open up connectivity between IT and operations. This is a great step towards bridging the IT and OT worlds without compromising security barriers.”
With such a connection, Ferrando says IT could then “use its resources and expertise in asset management and security best practices and alert OT of any new devices discovered unexpectedly. IT could also monitor for potential patterns of interest that OT should be aware of and again alert if the severity level goes above the organization’s level of acceptability.”
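The passive, syslog-driven approach described above (building assets from log messages, replaying archived logs to recover devices a live listener missed, and alerting on hosts that are not in the approved inventory) is easy to see in code. The following is an added illustration, not code from the article or from Tripwire; the syslog line format, hostnames, program tags and the approved baseline are all constructed assumptions for the example.

```python
"""Passive asset discovery from syslog.

Parses RFC 3164-style syslog lines, creates one asset record per source host,
and diffs the result against a known-asset baseline so that unexpected devices
can be reported. Because it only reads log lines, it runs the same way over a
live feed or over an archive, which is the property the article relies on.
All hostnames, program tags and log lines below are constructed sample data.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set

# "<PRI>Mon DD HH:MM:SS host tag: message"; the day may be padded with a
# second space, as RFC 3164 timestamps are.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+):\s*(?P<msg>.*)$"
)


@dataclass
class Asset:
    host: str
    first_seen: str
    last_seen: str
    tags: Set[str] = field(default_factory=set)  # programs seen logging from this host
    messages: int = 0


def parse_line(line: str) -> Optional[dict]:
    """Return the parsed fields of one syslog line, or None if it does not parse."""
    m = SYSLOG_RE.match(line.strip())
    return m.groupdict() if m else None


def build_inventory(lines: Iterable[str],
                    inventory: Optional[Dict[str, Asset]] = None) -> Dict[str, Asset]:
    """Create or update an Asset for every host that appears as a syslog source.

    Passing an existing inventory lets archived logs be replayed into the
    inventory built from the live feed, recovering hosts whose messages the
    live listener missed.
    """
    inventory = {} if inventory is None else inventory
    for line in lines:
        rec = parse_line(line)
        if rec is None:  # non-syslog noise is skipped, never fatal
            continue
        asset = inventory.get(rec["host"])
        if asset is None:
            asset = Asset(rec["host"], rec["ts"], rec["ts"])
            inventory[rec["host"]] = asset
        asset.last_seen = rec["ts"]
        asset.tags.add(rec["tag"])
        asset.messages += 1
    return inventory


def unexpected_assets(inventory: Dict[str, Asset], baseline: Set[str]) -> List[str]:
    """Hosts that are logging but are not in the approved asset list."""
    return sorted(set(inventory) - baseline)


# Constructed sample data: what a collector might receive from an OT segment.
LIVE_FEED = [
    "<14>Mar  3 10:14:02 plc-01 modbus: cycle time 12 ms",
    "<13>Mar  3 10:14:05 hmi-01 sshd[812]: Accepted publickey for operator",
    "this line is not syslog at all",
    "<14>Mar  3 10:15:11 plc-01 modbus: cycle time 11 ms",
]
# A message the live listener never saw but that survives in the archive.
ARCHIVED_FEED = [
    "<86>Mar  3 11:02:40 eng-ws-07 cron: (root) CMD (run-parts /etc/cron.hourly)",
]
APPROVED_BASELINE = {"plc-01", "hmi-01"}  # constructed approved inventory


if __name__ == "__main__":
    inv = build_inventory(LIVE_FEED)
    inv = build_inventory(ARCHIVED_FEED, inv)  # replay the archive
    for a in inv.values():
        print(f"{a.host:10} first={a.first_seen} last={a.last_seen} "
              f"msgs={a.messages} tags={sorted(a.tags)}")
    print("unexpected:", unexpected_assets(inv, APPROVED_BASELINE))
```

Run as a script it prints the inventory built from the live feed, then the one host that only the archive reveals and that is not on the approved list; in practice the baseline would come from the IT asset management system and the "unexpected" list would feed the alert to OT that Ferrando describes.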
This kind of cross-functional team methodology would “be really hard to achieve” without passive asset discovery functionality, says Ferrando. And it could “ultimately cost the organization a lot more money and resources by potentially having two teams doing the same job.”