by Cesar Navas
April 18, 2019
Understanding the network topology is a critical first step in understanding the security posture of an ICS/SCADA environment. Because ICS/SCADA devices are so critical to operations, they cannot be scanned using traditional active scanning methods. This dashboard leverages information collected from Industrial Security to passively detect the operating systems, protocols, and applications used on the ICS network.
ICS is a term that describes hardware and software connected to a network to support critical infrastructure. Some of the most commonly used terms in ICS are:
- Programmable Logic Controllers (PLCs)
- Remote Terminal Units (RTU)
- Intelligent Electronic Device (IED)
- Human Machine Interface (HMI)
These connected control systems manage the operation of critical equipment within power plants, water and waste treatment plants, transport industries, and more. This convergence of Operational Technology (OT) and Information Technology (IT) has raised security concerns, as these systems can now be targeted by bad actors.
An organization should always be aware of its network topology, both to keep an eye on the types of devices that are in the network and to determine whether there has been a potential unauthorized connection into the network. Using Tenable.sc along with Tenable Industrial Security, an analyst can monitor network traffic and identify the most active users/devices as well as the most active ports.
Information on recent network changes as well as indicators of systems by type will assist the organization in maintaining accurate inventory and detecting rogue devices or unauthorized users. Information on the most active systems, ports, and protocols will help in tracking regular activity as well as discovering any unusual event.
Understanding the network topology enables a customer to build out a view of what is communicating on the customer's networks. The ICS Network Utilization and Topology dashboard assists an organization in determining how at risk the ICS network is. This dashboard provides an analyst with the top hosts with internal connections to and from other hosts, as well as a count of hosts grouped into their respective Class C subnets. Vulnerability counts along with the most talkative TCP/UDP ports are also highlighted. Lastly, system types as well as protocol activity are identified using data from Industrial Security.
The dashboard and components are available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, assurance report cards, and assets. The dashboard can be easily located in the Tenable.sc Feed under the category Security Industry Trends.
The dashboard requirements are:
- Tenable.sc 5.9.0
- Nessus Network Monitor 5.8.1
- Industrial Security 1.3.1
Tenable.sc Continuous View® (Tenable.sc CV™) along with Tenable Industrial Security enables organizations to accurately identify, investigate and prioritize vulnerabilities for critical infrastructure and operational technology. Vulnerability assessment identifies and prioritizes weaknesses that can become the pathway for adversaries to compromise control systems and disrupt critical processes. Comprehensive dashboards and reports simplify stakeholder communication. Industrial Security has comprehensive asset identification, which identifies thousands of OT and IT devices, applications and protocols, including PLCs, RTUs, HMIs, SCADA gateways, desktop computers and network devices. By passively scanning the ICS network, security teams are able to properly fingerprint the many devices that are on the network as well as identify vulnerabilities associated with said devices.
Listed below are the components included with this dashboard.
ICS Network Utilization and Topology - Top Hosts with Most Internal Connections to Other Hosts
This table presents information on the hosts with the most passively detected internal connections to other hosts (Internal Client Trusted Connection). The table is sorted so that the host with the highest count of detections is at the top. This information can assist an organization in understanding who is talking to whom, as well as detecting any unauthorized or suspicious host connections. The Total column displays the number of detections. The number of detections may not equal the number of other hosts to which this host is connecting, as some detections may include multiple hosts, and multiple connections to the same host may also have been detected. Note that only passively detected internal host connections will be displayed, and this may not include all possible internal connections.
ICS Network Utilization and Topology - Top Hosts with Most Internal Connections from Other Hosts
This table presents information on the hosts with the most passively detected internal connections from other hosts (Internal Server Trusted Connection). The table is sorted so that the host with the highest count of detections is at the top. This information can assist an organization in understanding who is talking to whom, as well as detecting any unauthorized or suspicious host connections. The Total column displays the number of detections. The number of detections may not equal the number of other hosts connecting to this host, as some detections may include multiple hosts, and multiple connections from the same host may also have been detected. Note that only passively detected internal host connections will be displayed, and this may not include all possible internal connections.
ICS Network Utilization and Topology - Included Class C Subnets
This table assists an ICS organization in understanding the scope of its network by grouping all the IP addresses discovered passively by NNM into representative Class C subnets. This information can assist an organization in detecting any unauthorized subnets or rogue devices. Note that if the organization has a very large network, this component can be modified to present Class B subnets, if desired. The Total column displays the number of detections. The number of detections may be greater than the number of hosts in each subnet, as each host may have been detected multiple times.
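The three tables above all summarize the same kind of passive observation (which host talked to which) in different ways, and each carries the caveat that a detection count is not a host count. The following is an added example, not part of the dashboard or of Tenable's code, that reproduces those three views over a constructed set of client-to-server detections; the record layout, host names and `prefix` parameter are assumptions, and `prefix=16` shows the Class B variant the text mentions.

```python
from collections import Counter, defaultdict
from ipaddress import ip_network

# Constructed sample of passively observed internal connections, as
# (client_ip, server_ip, port). A repeated tuple stands for the same
# connection being detected more than once, as the dashboard text warns.
DETECTIONS = [
    ("10.1.1.10", "10.1.2.20", 502),
    ("10.1.1.10", "10.1.2.20", 502),    # same pair detected twice
    ("10.1.1.10", "10.1.2.21", 44818),
    ("10.1.1.11", "10.1.2.20", 502),
    ("10.1.3.5",  "10.1.2.20", 20000),
    ("10.1.1.11", "10.1.3.5",  102),
]


def top_hosts(detections, direction="to"):
    """Rank hosts by detected internal connections.

    direction="to" counts connections a host opens to others (the
    client-side table); "from" counts connections others open to it
    (the server-side table). Each row is (host, detections,
    distinct_peers), so the two figures can be compared directly.
    """
    idx = 0 if direction == "to" else 1
    counts, peers = Counter(), defaultdict(set)
    for rec in detections:
        host, peer = rec[idx], rec[1 - idx]
        counts[host] += 1
        peers[host].add(peer)
    return sorted(((h, n, len(peers[h])) for h, n in counts.items()),
                  key=lambda row: (-row[1], row[0]))


def subnet_summary(detections, prefix=24):
    """Group every observed address into its /prefix network (24 for
    Class C, 16 for Class B) as (subnet, detections, distinct_hosts).
    Both ends of each detection are counted, so detections exceed hosts."""
    counts, hosts = Counter(), defaultdict(set)
    for client, server, _port in detections:
        for ip in (client, server):
            net = str(ip_network(f"{ip}/{prefix}", strict=False))
            counts[net] += 1
            hosts[net].add(ip)
    return sorted(((n, c, len(hosts[n])) for n, c in counts.items()),
                  key=lambda row: (-row[1], row[0]))


if __name__ == "__main__":
    print(top_hosts(DETECTIONS, "to"))
    print(top_hosts(DETECTIONS, "from"))
    print(subnet_summary(DETECTIONS))
```

In the sample, 10.1.2.20 shows four detections but only three distinct peers, which is exactly the gap between the Total column and the true number of hosts that the component descriptions point out.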
ICS Asset Detection - System Types
This matrix component presents indicators of detected ICS System Types. By reviewing the activity, an analyst can better understand network communications, assess risk, and identify any potential problems within the SCADA network. Clicking on a highlighted indicator will bring up the vulnerability analysis screen to display details and allow further investigation.
ICS Asset Detection - SCADA Protocol Activity
This matrix component presents indicators of detected network activity related to SCADA protocols, and activity on standard ports used by SCADA protocols. This activity might include internal and external connections, encrypted sessions, service detections, and even detections of vulnerabilities. By reviewing the activity, an analyst can better understand network communications, assess risk, and identify any potential problems within the SCADA network. Clicking on a highlighted indicator will bring up the vulnerability analysis screen to display details and allow further investigation.
ICS Network Utilization and Topology - Most Talkative Ports
This table presents the most talkative ports that were detected to be open by various passive scanning techniques. The table is sorted so that the ports with the highest number of detections are at the top. This table displays ports that are detected to be open, not necessarily ports that are being actively used. To reduce the network attack surface, open ports that are not being used should be disabled. The data in this table does not count against the Tenable.sc licensing.