Two terms that have become more common as threats to industrial control systems (ICS) have grown are “passive” and “active” methods of asset discovery for monitoring. But cybersecurity isn't the only factor underscoring the importance of asset discovery; the practice is simply good network hygiene, which is critical to modern industrial network viability. After all, how can you know which devices need to be patched or otherwise serviced if you don’t know they are there?
Dean Ferrando of Tripwire, a supplier of cybersecurity software, notes that most organizations start off by manually maintaining a list of devices or assets in a shared document, such as an Excel spreadsheet, and make changes whenever a new device is either acquired or depreciated. This process is manageable when organizations are relatively small and not that complex. But it becomes a very flawed approach when organizations or networks begin to grow. “Keeping these lists updated over time can become a full-time job in some cases,” he says.
With this in mind, let’s look more closely at the two methods of asset discovery.
Active methods, also known as standard asset discovery, commonly use software that polls devices across a network, the classic ping-and-response process. But they can also use discovery tools that attempt to log into each device in order to pull back a full inventory of the applications running on it, Ferrando says.
The problem with active methods is that they can slow down the network, because every one of those contact attempts is sent to the devices. This is clearly a problem for time-sensitive networks such as an ICS, which is why there is a trend toward passive methods of asset discovery.
The passive asset discovery approach, which essentially listens for traffic being broadcast around a network, removes the issue of network bandwidth consumption, notes Ferrando. However, it also requires that all devices be enabled to send syslogs. “I prefer this option, as it not only reduces the network consumption, but also requires firewall configurations that are more secure by allowing traffic in one direction—and usually only on one dedicated port,” he adds.
The syslog approach can be used with active and passive methods. It requires a syslog message to be captured by a log management system, which automatically creates an asset based on the data contained within the syslog itself. Used in this “active” manner, that data would be considered live data because the log management solution must be listening when the syslog is broadcast in order to create the asset. “If the log management solution missed the syslog for any reason, then the asset would never be created,” Ferrando says. “Sadly, this is a common occurrence in large organizations. Discovering a missing syslog asset two months later could mean that attackers could have exploited and compromised business assets during that period.”
All of which gives an additional edge to passive asset discovery methods, as they can use historical network data—e.g. archived syslog data—for asset discovery.
With regard to asset discovery in an ICS environment, Ferrando says, “Imagine being able to gather the syslog data from all of your operations devices—even the preferred ‘no touch’ devices such as a PLC, which is usually found within level 0 or level 1 of the OT Purdue model—and have them moved securely into the IT organization for the IT log management solution to then passively scan the logs and create the assets without the need to open up connectivity between IT and operations. This is a great step towards bridging the IT and OT world without compromising security barriers.”
With such a connection, Ferrando says IT could then use its resources and expertise in asset management and security best practices to alert OT of any new devices discovered unexpectedly. IT could also monitor for potential patterns of interest that OT should be aware of, and again alert them if the severity level goes above the organization’s level of acceptability.
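As an added example (not Tripwire's code and not from the article), here is the passive, syslog-driven inventory described above in Python: it builds one asset per sending host from syslog lines, works the same way on archived data as on a live feed, and flags hosts that are absent from an assumed OT-maintained baseline list. The syslog lines and the baseline are constructed for the example.

```python
# Passive asset discovery from syslog: build an inventory from live or
# archived syslog lines and flag hosts missing from the OT baseline.
# Added example, not Tripwire's code; sample log lines are constructed.
import re
from dataclasses import dataclass, field

# Assumed RFC 3164-style line: "<PRI>Mon dd hh:mm:ss host tag[pid]: msg"
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s"
    r"(?P<host>[\w.\-]+)\s(?P<tag>[\w\-/]+)(?:\[\d+\])?:\s(?P<msg>.*)$")

@dataclass
class Asset:
    host: str
    first_seen: str
    last_seen: str
    tags: set = field(default_factory=set)        # programs seen logging
    severities: set = field(default_factory=set)  # syslog severity codes

def discover_assets(lines):
    """One asset per sending host; identical on a live feed or an archive."""
    assets = {}
    for line in lines:
        m = SYSLOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than guess an asset
        host = m["host"].lower()
        a = assets.setdefault(host, Asset(host, m["ts"], m["ts"]))
        a.last_seen = m["ts"]
        a.tags.add(m["tag"])
        a.severities.add(int(m["pri"]) % 8)  # PRI = facility*8 + severity
    return assets

def unexpected_assets(assets, baseline):
    """Hosts present in the logs but absent from the maintained inventory."""
    return sorted(set(assets) - {h.lower() for h in baseline})

# Constructed archived syslog extract; plc-line7 is not in the baseline.
SAMPLE_LOGS = [
    "<134>Mar  3 08:01:12 plc-line1 plcd[201]: cycle ok",
    "<13>Mar  3 08:01:15 hmi-01 hmiapp: operator login",
    "<134>Mar  3 08:02:40 plc-line1 plcd[201]: cycle ok",
    "<30>Mar  3 08:03:02 plc-line7 plcd[88]: boot complete",
    "not a syslog line",
]
OT_BASELINE = ["plc-line1", "hmi-01"]  # assumed OT-maintained asset list

if __name__ == "__main__":
    inventory = discover_assets(SAMPLE_LOGS)
    print("unexpected:", unexpected_assets(inventory, OT_BASELINE))
```

Replaying an archived log file through `discover_assets` recovers assets whose original syslog was missed live, which is the historical-data advantage the article describes.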
This kind of cross-functional team methodology would “be really hard to achieve” without passive asset discovery functionality, Ferrando says. And it could ultimately cost the organization a lot more money and resources by potentially having two teams doing the same job.