Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable 部落格

訂閱

ICS/SCADA 智慧掃描:在融合式 IT/OT 環境中搜尋和評估以 IT 為基礎的系統

Increasingly, operational technology (OT) environments are interconnecting with IT and adopting exploitable IT-based assets and protocols. This means OT systems are exposed to IT threats. Additionally, IT/OT convergence is expanding the cyberattack surface. Threat actors who have compromised IT networks may be able to access OT systems from the IT network. These converged environments contain a mix of IT and OT devices and systems, some of which can be easily disrupted with traditional IT active scanning techniques.

For most industrial environments, Tenable® deploys and uses continuous, passive monitoring, which is non-disruptive to OT networks. However, there are situations with converged IT/OT networks where an active scan is preferred or necessary, and where it may be difficult to segment IT and OT scan targets.

To solve this dilemma, Tenable introduces ICS/SCADA Smart Scanning. This unique capability discovers and thoroughly assesses IT-based systems (e.g., supervisory, site operational control, ERP or scheduling) in the converged environment, while reducing the risk that active scanning will disrupt OT devices if they’re inadvertently encountered during a scan.

Measuring Cyber Exposure across the entire converged IT/OT environment

With the combination of ICS/SCADA Smart Scanning and passive network monitoring, Tenable safely measures Cyber Exposure across the entire converged IT/OT environment, providing complete visibility into your cyber risks.

OT devices like programmable logic controllers (PLCs) and remote terminal units (RTUs) that monitor the activity and state of machinery (e.g., pumps, valves and motors) and environmental factors (e.g., temperature, pH and vibration) need to be inventoried and assessed for vulnerabilities to measure and manage risk to OT processes. However, these OT devices may be too sensitive to withstand the active scanning approach commonly used in IT environments. Specifically, they may be sensitive for the following reasons:

  • Limited CPU power: They can be overwhelmed by too many requests because they’re designed to do only one thing at a time and may be less powerful than tablets.
  • Real-time communications: The protocols involved often expect an unbroken stream of readings from a device. If they’re delayed substantially, they may have issues re-establishing communications. A full vulnerability scan probes many areas of a device very quickly, which can overly burden the limited CPU power and delay communications.
  • Design tradeoffs: OT devices are designed to be resilient to power disruptions, vibrations or particles in the air. Many OT devices, especially legacy devices, have not been designed to withstand a heavy flow of network communications.
  • Custom operating system and software: OT devices generally do not run widely used and widely tested operating systems, such as Windows or Linux. They may include a small HTTP server, but it is limited in feature set. When a vulnerability scanner attempts to check for SSL issues, the embedded HTTP server can crash. Since the device is only designed to do one thing at a time, this usually means the entire device reboots – causing costly downtime and potentially unsafe working conditions.
  • Set it and forget it: Unlike desktops, it may be months or years before someone looks at a physical OT device. It could be operating marginally, covered in dust and close to failure. The additional load of a full vulnerability scan can cause it to reach the overload point.

Because of the risk of degradation and/or disruption, the common practice within OT environments is to avoid using active scanning approaches with OT devices. Instead, passive monitoring is used, and because passive monitoring does not interact with the sensitive devices, the devices are not impacted by it.

IT/OT convergence is resulting in many IT-based systems being deployed in the OT environment. These IT-based systems may be Windows computers running human machine interface (HMI), SCADA monitoring and historian applications. Additionally, these systems are increasingly networked to supply chain management and scheduling applications that may include databases and virtual infrastructure, which may reside in the cloud.

Typically, these IT-based systems are discovered and assessed with active scanning because active scanning can deliver much deeper insight about installed software (and related vulnerabilities), user accounts, configurations and malware.

Potential problem

Ideally, sensitive OT would be logically separated from IT-based OT systems, such as Windows computers. However, in reality, such segmentation may not exist. The potential problem is that if an existing OT device’s IP address changes or a new OT device is added, and that device is not omitted from the active scan, the scan could cause an outage.

Solution: ICS/SCADA Smart Scanning

ICS/SCADA Smart Scanning is a new attribute that can be applied to many existing scan templates. Existing scan parameters (e.g., IP ranges to be scanned/not scanned, ports, schedules and other settings) do not need to be modified.

Fragile Devices OT Scan

When the “Scan Operational Technology devices” box is checked, a full scan of OT devices is performed. When it is not checked, ICS/SCADA Smart Scanning takes effect.

ICS/SCADA Smart Scanning cautiously identifies OT devices and stops scanning them once they’re discovered. Here’s how it works:

  1. Smart Scanning pings the IP address to determine if a device is using that address.
  2. Smart Scanning runs probes against open known OT ports/protocols. Initially supported protocols are:
    • Siemens S7
    • Modbus
    • BACnet
    • Omron FINS
    • Ethernet CIP
    • 7T IGSS
    • ICCP COTP
      Note: ICS/SCADA Smart Scanning reduces the plugins run against devices by 90%. This eliminates the plugins that put the greatest load on the device, including HTTP and SSH testing.
  3. When an OT port/protocol is identified, Nessus® will report the ports that were identified to be open and the OT protocol found. Many of the protocols include INFO or QUERY commands to capture basic information about the device. If this is supported by the discovered protocol, the additional information, usually including the device type, will be recorded.
  4. The scan stops for that device. The plugin 109142 results show the OT device when an OT protocol was identified and normal scans of OT devices were not enabled.
  5. The user can use the devices listed by plugin 109142 to add the device to the “do not scan” list.

Caveat

Tenable cannot guarantee that ICS/SCADA Smart Scanning will not cause issues. Therefore, it should only be used after it has been tested with each device type in a laboratory environment and when it is known not to conflict with warranties and service agreements.

相關文章

您可以使用的網路安全最新消息

輸入您的電子郵件,就不會錯過來自 Tenable 專家提供的及時警示與安全指引。

Tenable Vulnerability Management

享受現代、雲端型的弱點管理平台,能夠以無與倫比的準確性查看和追蹤所有資產。

您的 Tenable Vulnerability Management 試用版軟體也包含 Tenable Lumin 和 Tenable Web App Scanning。

Tenable Vulnerability Management

享受現代、雲端型的弱點管理平台,使您能夠以無與倫比的準確性查看和追蹤所有資產。 立即訂閱一年。

100 項資產

選取您的訂閱選項:

立即購買

Tenable Vulnerability Management

享受現代、雲端型的弱點管理平台,能夠以無與倫比的準確性查看和追蹤所有資產。

您的 Tenable Vulnerability Management 試用版軟體也包含 Tenable Lumin 和 Tenable Web App Scanning。

Tenable Vulnerability Management

享受現代、雲端型的弱點管理平台,使您能夠以無與倫比的準確性查看和追蹤所有資產。 立即訂閱一年。

100 項資產

選取您的訂閱選項:

立即購買

Tenable Vulnerability Management

享受現代、雲端型的弱點管理平台,能夠以無與倫比的準確性查看和追蹤所有資產。

您的 Tenable Vulnerability Management 試用版軟體也包含 Tenable Lumin 和 Tenable Web App Scanning。

Tenable Vulnerability Management

享受現代、雲端型的弱點管理平台,使您能夠以無與倫比的準確性查看和追蹤所有資產。 立即訂閱一年。

100 項資產

選取您的訂閱選項:

立即購買

試用 Tenable Web App Scanning

享受完整存取我們專為新型應用程式所設計、屬於 Tenable One 曝險管理平台一部分的最新 Web 應用程式掃描產品。不需耗費大量人力或中斷重要 Web 應用程式,即可高度準確且安全地掃描您整個線上產品系列中是否含有任何弱點。 立即註冊。

您的 Tenable Web App Scanning 試用版軟體也包含 Tenable Vulnerability Management 和 Tenable Lumin。

購買 Tenable Web App Scanning

享受現代、雲端型的弱點管理平台,使您能夠以無與倫比的準確性查看和追蹤所有資產。 立即訂閱一年。

5 個 FQDN

$3,578

立即購買

試用 Tenable Lumin

利用 Tenable Lumin 視覺化並探索您的曝險管理、追蹤經過一段時間後風險降低的情形以及與同業進行指標分析。

您的 Tenable Lumin 試用版軟體也包含 Tenable Vulnerability Management 和 Tenable Web App Scanning。

購買 Tenable Lumin

聯絡業務代表,瞭解 Tenable Lumin 如何協助您取得您整個環境的深入解析和管理網路風險。

免費試用 Tenable Nessus Professional

免費試用 7 天

Tenable Nessus 是目前市場上最全方位的弱點掃描器。

最新 - Tenable Nessus Expert
現已上市

Nessus Expert 新增了更多功能,包括外部攻擊破綻掃描和新增網域及掃描雲端基礎架構的能力。按這裡試用 Nessus Expert。

請填妥以下表單以繼續 Nessus Pro 試用。

購買 Tenable Nessus Professional

Tenable Nessus 是目前市場上最全方位的弱點掃描器。Tenable Nessus Professional 可協助將弱點掃描流程自動化,節省您執行合規工作的時間並讓您與 IT 團隊合作。

購買多年期授權,節省更多。新增 365 天全年無休 24 小時全天候可使用電話、社群及對談的進階支援。

選擇您的授權

購買多年期授權,節省更多。

增加支援與訓練

免費試用 Tenable Nessus Expert

免費試用 7 天

Nessus Expert 是專為現代攻擊破綻所打造,它能讓您從 IT 到雲端洞察更多資訊,並保護貴公司免於弱點危害。

您已經有 Tenable Nessus Professional 了嗎?
升級至 Nessus Expert,免費試用 7 天。

購買 Tenable Nessus Expert

Nessus Expert 是專為現代攻擊破綻所打造,它能讓您從 IT 到雲端洞察更多資訊,並保護貴公司免於弱點危害。

選擇您的授權

購買多年期授權省更多!

增加支援與訓練