The 90’s Called – They want their Passive-Only monitoring solutions back

The words Active or Passive can mean many different things, depending on who you ask. Some may say ‘Active’ means it’s ‘blocking’ or preventing things from happening. Other may say it means doing more than listening. For the purposes of this discussion, we’ll use the following definitions:

Passive - Gathering network information only. Having ears.
Active - Leveraging the controllers native protocols to gather more comprehensive information and insights

The Early 90’s

Flashback to the IT world in the early 1990’s.
In case you’re too young or old to remember the 90’s, it was the era where Kodak and Apple introduced the 1st affordable digital camera, the 1st flip-phone was released, and the first portable MP3 player was created. Windows 3.0 was brand new. Linux was still a student project. And the World Wide Web was born.

The world of cybersecurity was still in its infancy. Very few regulations or best practices existed, and even fewer tools were available. Most of the tools used in the industry started out as passive solutions to solve problems. For example, the defacto standard network monitoring tool was tcpdump, a passive only solution. Born shortly after, was SNORT, a passive only solution to detecting attacks, and one of the early Intrusion Detection Systems (IDS) available in the early 90’s.

Real-Time network and system monitoring was mostly accomplished using technologies like SNMP, a passive way to listen to devices pre-configured to send data to a listener. Also, patching the operating system and applications on IT systems was passive- admins had to go to each system individually, and there was no way to centrally push updates to end devices, or interrogate the network for patch levels and vulnerabilities.

If admins want to actively block network traffic, separate, independent systems needed to be installed to accomplish these goals. Windows did not have a built-in firewall yet, managed switches were rare, and most environments used unmanaged switches or hubs. Firewalls were still brand new and expensive. Virus detection software was also new, it passively scanned files and alerted if something was found.

OT Asset Management

The Late 90’s

As everything became more and more interconnected later in the 1990’s, the need for more management, visibility, and security capabilities became apparent. Relying on a passive-only strategy has proven to be insufficient. The need to conduct routine tasks requiring interacting with systems for maintenance, availability, and security, has proven to outweigh any perceived benefits of a passive-only approach to managing an IT environment.

Virus Detection products matured to become Virus and Malware Protection. Intrusion Detection Systems became Intrusion Prevention Systems.

Common examples where an active solution is the only way to solve critical tasks in IT

  • OS Patch level checks
  • Asset inventory
  • Check for open TCP ports
  • View the application configuration
  • Health monitoring of the infrastructure
  • Logging
  • Load Balancing
  • Application and Database security products

Most web application and database security products have an active component available, including things like interacting with web servers on behalf of clients, installing monitoring agents, sending TCP packets to block attacks, etc. Almost all of the aforementioned products started in a passive-only position.

In OT, we see active solutions being used in a variety of areas, even by the manufacturers of the controllers. For example:

  • Rockwell Asset Center
  • Siemens TIA Portal
  • Rockwell RSLogix, RSLinx, Studio 5000, etc..

Actively interrogating the network with ‘Magic Packets’

One example of a product using an active approach to solving a problem, in this case it’s getting an asset inventory, is the PLC/RTU/DCS manufacturers. When the industrial controllers get firmware updates, code changes, tag modifications, etc, an engineer uses the manufacturer-provided Engineering Workstation (EWS) software. For example, Siemens provides TIA Portal, Rockwell provides several options including things like Studio 5000, RSLogix, and FactoryTalk. When the engineer wants to interact or choose a controller to work with, the EWS software send a ‘magic packet’, something akin to a manufacturer-specific ARP broadcast packet. This broadcast packets causes the devices of that specific manufacturer to report back to the software and allows the user to choose which to interact with. This active packet broadcast is utilized by many device manufacturers.

IT OT Cybersecurity

In Siemens TIA Portal, you can send the active broadcast packet and see all of the Siemens PLCs, HMIs, etc. by clicking on ‘Online & Diagnostics’ and then ‘Accessible devices’, as seen below:

Siemens TIA Portal

Similarly, in Rockwell Studio 5000, you can send the active Magic Packet by clicking on ‘Communications’, and then ‘Who Active’:

Rockwell Studio 5000

In order to populate the aforementioned screen with the PLCs and other equipment, the Rockwell software sends the magic packet broadcast, which in turn causes the nodes to reply back, resulting in a list of objects that the user can choose to work with.

After selecting which device to work with, it’s interrogated for details, as seen below:

Rockwell Studio 5000

Rockwell Studio 5000

Indegy’s approach to designing an active solution

I often tell customers that although our product is slick and cool like rocket science, we didn’t actually build the rockets themselves. We use other people’s rockets. The vendors that manufacture the PLCs have already perfected the rocket science. They designed the interaction between the engineering workstation and the industrial devices, allowing operators to actively query the network for devices made by Siemens, Rockwell, or others, and interact safely with them. If there is any issues with using that that rocket science, it will be discovered during the rocket testing phase, by the rocket manufacturers, in their labs. Subsequently, Indegy is simply using those same exact manufacturer-approved rockets to make our product work. Rather than hacking in, or re-inventing the wheel, Indegy simply uses their ‘rockets’, to essentially mimic or impersonate the behavior of an engineering workstation. We do this by leveraging the proprietary industrial protocols exactly as designed by the manufacturers.

So, although we’re showing off rocket-science technology, we can’t take credit for the rockets themselves. That being said, it should add a sense of comfort to know that potential issues with the usage of the proprietary protocols (the rockets) have been vetted and resolved by the actual PLC manufacturers.

OT Asset Management

Buyer Beware

Not all software products with active components are the same. Many were born to solve IT issues and are not designed or suitable for OT networks. There are many instances where users run IT software in their OT environment resulting in issues, and more often than not it’s due to an active component in the software that’s scanning, poking, prodding, or otherwise interacting with the network or connected devices. When assessing solutions, it’s important to consider whether the vendor solves problems using an OT approach, and they are well-versed with the unique challenges of securing an OT environment.

So, what does this mean for your ICS network?

Indegy is the only vendor out there that can offer a true reliable and comprehensive solution that encompasses the best of all worlds: a passive technology to monitor the activity in the network with its state of the art threat detection capabilities with the added value of an active component to provide visibility to physical changes as well as deeper and more credible data about the various devices. Don't take our word for it….try us!