Enhance OT Asset Visibility with Safe Active Query

12 Mar 2024

Manage vulnerabilities effectively with essential asset-level data that bridges the information gap from passive network monitoring.

In the realm of operational technology (OT) security, understanding the assets within your infrastructure is paramount. However, achieving comprehensive asset visibility can be challenging, particularly with the traditional passive approach to asset discovery. Let's explore the differences between passive and active discovery methods and how OTORIO's Safe Active Query solution can enhance asset visibility.

Establishing cyber security resilience in industrial environments starts with obtaining full network visibility. Knowing which assets are in the network, tracking changes, identifying asset vulnerabilities, and detecting security gaps are all critical in assessing vulnerabilities and managing cyber risk. However, this is very challenging in a complex industrial environment that includes many assets, involves third-party vendors, and requires maximum availability. The commonly used passive network monitoring fails to provide full asset identification, making Safe Active Query essential for a complete asset inventory, which is the basis for proper analysis and valuable insights.

Passive Discovery

Passive asset discovery relies on monitoring network traffic to identify and catalog connected devices. It's akin to observing the flow of traffic on a highway without actively engaging with the vehicles. While passive methods can provide a baseline understanding of assets, they often fall short in capturing a complete picture, especially in dynamic OT environments where assets may be intermittently connected or hidden from passive scans.

Active Discovery

Active asset discovery, on the other hand, involves actively querying devices to gather information about their presence and characteristics. This method is akin to driving on the highway and interacting with each vehicle to understand its make, model, and passengers. Active discovery can provide more detailed and up-to-date information, enabling organizations to effectively identify and address security risks.

OTORIO's Safe Active Query 

OTORIO's Safe Active Query solution revolutionizes asset discovery by combining the benefits of both passive and active methods while mitigating the risks associated with traditional active querying. Safe Active Query uses intelligent algorithms to query devices in a non-disruptive manner, ensuring operational continuity while enhancing visibility. It provides real-time, accurate insights into OT assets, including those that may be hidden from passive scans or intermittently connected. Transitioning from passive to active discovery with Safe Active Query involves several key steps:

Assessment: Evaluate your current asset discovery methods and identify gaps in visibility and security.

Planning: Develop a transition plan that includes goals, timelines, and resource requirements.

Implementation: Deploy Safe Active Query in a phased approach, starting with a pilot program to assess its effectiveness and refine the process.

Integration: Integrate Safe Active Query with existing security and asset management systems to ensure seamless operation.

Monitoring and Optimization: Continuously monitor and optimize the Safe Active Query implementation to maximize asset visibility and security.


OTORIO’s Platform and Data Collection Methods

OTORIO’s Cyber Risk Management Platform provides unmatched visibility of Industrial Control Systems (ICS) and Cyber-Physical Systems (CPS) in the network. Seamless integration with security, operational, and industrial systems leverages a variety of data collection methods, including Safe Active Querying, passive network monitoring, and processing offline data sources - PCAPs, Logs, FW configurations, Industrial Project Files, etc.

OTORIO’s multi-layered approach ingests information about the assets and the network for a coherent and comprehensive view of the industrial environment, including asset roles within processes. The data collected is then enriched with threat intelligence to identify vulnerabilities and exposure, enabling proactive cyber risk management guided by feasible mitigation steps. 


OTORIO Safe Active Query Use Cases

OTORIO’s Safe Active Query is ideal for a wide range of industrial use cases, including asset inventory management, vulnerability assessment, and compliance monitoring. Its versatility makes it a valuable resource for organizations across various industries:

Asset visibility: ad hoc and continuous identification of the asset inventory, automatically mapped to publicly known vulnerabilities, enables tracking of operational environments for both security and operational purposes.

Security posture assessment: automatic collection of asset attributes to identify vulnerabilities, misconfigurations, and exposures enables better protection against potential attacks.

Compliance: assessing an asset's adherence to industrial security standards, based on the collection of security-related asset configurations.


What Makes OTORIO’s Safe Active Query Safe

The Safe Active Query capability is implemented as a plugin of the OTORIO Platform. It is easy to deploy: enabling or enhancing this capability does not require a full platform upgrade.

OTORIO’s Safe Active Query uses a non-intrusive approach with granular configuration capabilities to ensure safety and operational continuity. OTORIO minimizes the risks associated with traditional scanning methods by focusing on efficient data collection and analysis.


Control of the Query Level

Each Edge device that runs Safe Active Query can be configured separately. For each instance, only specified network segments or IP addresses are queried. The user can choose the level of data to collect, the intervals and specific time windows for querying, and which protocols are used for each IP range.

Industrial Native Discovery

OTORIO queries industrial assets and systems using the same common industrial protocols (DCP, Ethernet/IP, ABB, and more) that the asset vendors themselves use. A deliberately slow ping sweep avoids placing load on the operational network.

Zero Impact Discovery and Identification

Only standard application protocols (e.g., SNMP, DCE/RPC, S7, and more) relevant to the asset type are used, avoiding unnecessary querying of assets. With this minimal querying approach, once the needed information has been collected for an asset, querying of that asset stops.
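The safety rules described in the three sections above (per-segment scope, protocols chosen per IP range, query time windows, a slow sweep interval, and stopping once the required attributes are collected) can be expressed as a single policy gate that every probe must pass. The following is an added illustration, not OTORIO's implementation or configuration format; the policy model, addresses, protocol names and attribute names are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class SegmentPolicy:  # constructed policy model for one Edge instance, not OTORIO's format
    network: str          # only this segment may be queried by this instance
    protocols: frozenset  # application protocols permitted against this range
    window: tuple         # (start, end) local time window in which querying may run
    min_interval_s: int   # minimum seconds between probes in the segment (slow sweep)
    required: frozenset   # attributes to collect; querying the asset stops once present

@dataclass
class QueryPlanner:
    policies: list
    last_probe: dict = field(default_factory=dict)  # network -> time of last probe
    collected: dict = field(default_factory=dict)   # ip -> attributes gathered so far
    def policy_for(self, ip):
        return next((p for p in self.policies if ip_address(ip) in ip_network(p.network)), None)
    def decide(self, ip, protocol, now):
        # Gate a single probe; returns (allowed, reason). Any failed rule is a refusal, never a retry.
        p = self.policy_for(ip)
        if p is None:
            return False, "out of scope"
        if protocol not in p.protocols:
            return False, "protocol not allowed for segment"
        if not (p.window[0] <= now.time() <= p.window[1]):
            return False, "outside query window"
        if p.required <= self.collected.get(ip, set()):
            return False, "required attributes already collected"
        last = self.last_probe.get(p.network)
        if last is not None and (now - last) < timedelta(seconds=p.min_interval_s):
            return False, "rate limit"
        return True, "ok"
    def record(self, ip, now, attributes):
        # Store what a completed probe returned so later decisions can stop early.
        self.last_probe[self.policy_for(ip).network] = now
        self.collected.setdefault(ip, set()).update(attributes)

def demo():
    plc_net = SegmentPolicy("10.10.1.0/24", frozenset({"snmp", "s7"}),
                            (time(22, 0), time(23, 59)), 30, frozenset({"vendor", "model", "firmware"}))
    planner, t0 = QueryPlanner([plc_net]), datetime(2024, 3, 12, 22, 15)
    out = [planner.decide("10.10.1.5", "s7", t0)]                                # ok: first probe
    planner.record("10.10.1.5", t0, {"vendor", "model"})
    out.append(planner.decide("10.10.1.6", "snmp", t0 + timedelta(seconds=5)))   # rate limit
    out.append(planner.decide("10.10.1.5", "s7", t0 + timedelta(seconds=60)))    # ok: firmware missing
    planner.record("10.10.1.5", t0 + timedelta(seconds=60), {"firmware"})
    out.append(planner.decide("10.10.1.5", "s7", t0 + timedelta(seconds=120)))   # all attributes present
    out.append(planner.decide("10.10.2.5", "s7", t0))                            # out of scope
    out.append(planner.decide("10.10.1.7", "modbus", t0))                        # protocol not allowed
    out.append(planner.decide("10.10.1.7", "s7", datetime(2024, 3, 12, 9, 0)))   # outside window
    return [reason for _, reason in out]
```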

Industry Validation

The safe active querying development is led by OTORIO’s cyber security research team, which has vast experience with OT environments. Each version goes through rigorous testing in the lab (OTORIO’s and automation vendor labs). Safe Active Querying has been field-proven and undergoes ongoing validation for safety and accuracy. Engaging in constant dialogue with our customers and partners deepens our understanding of their requirements, enabling us to improve and extend the value of OTORIO’s Safe Active Query coverage.

OTORIO's Safe Active Query is a reliable and secure solution for organizations seeking comprehensive visibility into their industrial assets. With its emphasis on safety, efficiency, and thorough data collection, OTORIO's Safe Active Query is a valuable tool for enhancing cybersecurity in industrial environments.

Do you want to know more? Please schedule a meeting to hear more about OTORIO's OT security solutions and asset discovery process.
