OT Device Identification & Classification
Good OT asset management relies on a comprehensive and accurate inventory of all hardware and software that is present in your OT environment.
Armis automatically discovers and generates a comprehensive inventory of all devices and software in your environment. Leveraging our massive device knowledgebase, we provide a wealth of information such as device type, manufacturer, model, location, and more.
- Device Name, Category, Type, Model, and Brand
- IP Address
- MAC Address
- OS and Version
- Date/time First Seen and Last Seen
- Application data: name, version, date/time active
The scope of Armis’ device discovery extends to your entire environment — from the manufacturing line to the executive suite. This is important because attackers view your environment as one large interconnected attack surface. We discover instrumentation devices at Level 0, process control devices at Level 1, supervisory systems at Level 2, and all devices up to Level 5 including network switches and firewalls, video cameras, HVAC systems, and more.
OT Asset Metadata
Armis generates a wide spectrum of metadata that is useful for OT asset management and security. All information is stored for 90 days, with searchable history.
- Connections between the device and other devices, including the protocol used, the time and duration of each connection, the amount of data transferred, and physical-layer information such as the Wi-Fi channel used.
- Network topology showing where each device sits in the Purdue reference model and the real-time connections it makes to devices at other levels of the model.
- Alerts, including date, time, type, the activities that caused the alert, and its severity.
- Services accessed by the device, including date and time, service name, amount of traffic, and transmission characteristics such as latency.
- Traffic to and from the device, including port and description.
- Risk factors based on manufacturer reputation, cloud synchronization behavior, connection security, data-at-rest security, malicious domains visited, number of wireless protocols used, malicious behavior, number of open ports, user authentication, threats detected, and vulnerability history (see ICS Security Risk Assessment for details).
- Software vulnerabilities (CVEs) found on the device, with drill-down details such as CVE publish date, attack vector, attack complexity, and whether user interaction is required. This includes firmware vulnerabilities such as CDPwn.
Passive Asset Discovery
OT asset discovery can be accomplished using either active or passive approaches. The active approach relies on network scans or probes that ask the OT devices to respond by providing information about themselves.
This approach suffers from two problems. First, network scans and probes can be disruptive: many OT and IoT devices have fragile network stacks, and an unexpected probe (even an ordinary port scan) can hang or crash them. Second, a scanner only discovers what it has been configured to target. Devices on network segments you are not aware of are never probed, and therefore never inventoried, which is the so-called "shadow IT" problem.
Armis uses only passive asset discovery: it works from a copy of your network traffic rather than sending anything to your devices, so there is no possibility of harm to your environment. Armis analyzes that traffic and compares what it sees against over 280 million device profiles stored in our Device Knowledgebase, which allows us to identify every device that communicates across your network. (As with any passive method, coverage depends on where traffic is collected; a device that never sends or receives a packet past a monitored point will not appear until it does.)
Also, in contrast to products that use active scanning, Armis is easier to deploy because no target ranges have to be programmed into a scanner.
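To make the passive approach concrete, the following is an added example (not Armis's code) of how an inventory is assembled purely from observed packets: each record stands in for what a collector would parse from a mirror-port or TAP feed, first/last seen and IP addresses are accumulated per MAC, the vendor is looked up from the OUI prefix, and the device type and Purdue level are inferred from which industrial services it answers on versus connects to. The service ports are the standard ones for those protocols; the OUI table, the observation records and the `classify` heuristics are assumptions constructed for this example.

```python
"""Passive OT asset inventory built purely from observed traffic.

Added example, not Armis's code. The observation records stand in for what a
collector would parse from a SPAN/TAP feed; the OUI table values are assumed
for this example (a real deployment loads the IEEE registry).
"""
from dataclasses import dataclass, field
from typing import Optional

# Well-known industrial and building-automation service ports.
SERVICES = {
    ("tcp", 102): "S7comm",        # Siemens S7 over ISO-TSAP
    ("tcp", 502): "Modbus/TCP",
    ("tcp", 44818): "EtherNet/IP",
    ("tcp", 20000): "DNP3",
    ("udp", 47808): "BACnet/IP",   # building automation (HVAC)
}
CONTROL_PROTOCOLS = {"S7comm", "Modbus/TCP", "EtherNet/IP", "DNP3"}

# MAC OUI prefix -> vendor. Assumed mapping for this example.
OUI = {
    "00:1b:1b": "Siemens",
    "00:00:bc": "Rockwell Automation",
    "00:40:ae": "Delta Controls",
    "00:50:56": "VMware",
}


@dataclass
class Asset:
    mac: str
    vendor: str
    ips: set = field(default_factory=set)
    first_seen: Optional[int] = None   # epoch seconds
    last_seen: Optional[int] = None
    serves: set = field(default_factory=set)  # services the device answers on
    uses: set = field(default_factory=set)    # services it connects to as a client


def build_inventory(observations):
    """Fold one-directional packet observations into per-MAC asset records.

    Nothing is ever sent to a device; a device that never talks across the
    monitored point simply does not appear (the coverage caveat of passive
    discovery).
    """
    assets = {}
    for obs in observations:
        service = SERVICES.get((obs["proto"], obs["dport"]))
        for role, mac_key, ip_key in (("client", "src_mac", "src_ip"),
                                      ("server", "dst_mac", "dst_ip")):
            mac = obs[mac_key].lower()
            asset = assets.get(mac)
            if asset is None:
                asset = assets[mac] = Asset(mac, OUI.get(mac[:8], "unknown"))
            asset.ips.add(obs[ip_key])
            asset.first_seen = obs["ts"] if asset.first_seen is None else min(asset.first_seen, obs["ts"])
            asset.last_seen = obs["ts"] if asset.last_seen is None else max(asset.last_seen, obs["ts"])
            if service:
                (asset.uses if role == "client" else asset.serves).add(service)
    return assets


def classify(asset):
    """Infer device type and Purdue level from the services it serves or uses (assumed heuristic)."""
    if asset.serves & CONTROL_PROTOCOLS:
        return "PLC/RTU", 1
    if "BACnet/IP" in asset.serves:
        return "Building automation controller", 1
    if asset.uses & set(SERVICES.values()):
        return "HMI/SCADA/engineering host", 2
    return "unknown", None


# Constructed observations: an HMI polling an S7 PLC and an EtherNet/IP
# controller, and a facilities workstation talking BACnet to an HVAC controller.
OBSERVATIONS = [
    {"ts": 1000, "src_mac": "00:50:56:AA:00:01", "src_ip": "10.0.2.10",
     "dst_mac": "00:1B:1B:00:00:05", "dst_ip": "10.0.1.5", "proto": "tcp", "dport": 102},
    {"ts": 1030, "src_mac": "00:50:56:AA:00:01", "src_ip": "10.0.2.10",
     "dst_mac": "00:1B:1B:00:00:05", "dst_ip": "10.0.1.5", "proto": "tcp", "dport": 102},
    {"ts": 1050, "src_mac": "00:50:56:AA:00:01", "src_ip": "10.0.2.10",
     "dst_mac": "00:00:BC:11:22:33", "dst_ip": "10.0.1.7", "proto": "tcp", "dport": 44818},
    {"ts": 1100, "src_mac": "00:50:56:AA:00:02", "src_ip": "10.0.4.9",
     "dst_mac": "00:40:AE:01:02:04", "dst_ip": "10.0.3.21", "proto": "udp", "dport": 47808},
]

if __name__ == "__main__":
    for mac, asset in build_inventory(OBSERVATIONS).items():
        kind, level = classify(asset)
        print(f"{mac} {asset.vendor:<20} {kind:<30} L{level} ips={sorted(asset.ips)} "
              f"seen={asset.first_seen}-{asset.last_seen}")
```

Note that the PLC at 10.0.1.5 is identified and placed at Level 1 without ever being probed, solely because it answered S7comm requests from the HMI; a controller that was idle during the capture window would be missing from the output, which is why the collection points matter.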
Locate OT Assets Quickly
For large industrial plants with multiple locations, good OT asset management requires knowing what devices you have and where they are located. For example, a security issue may be announced about a certain manufacturer’s device; in order to determine your level of risk, you may need to identify where those devices are being used throughout your plant.
Armis tracks the location of connected devices whether they are stationary or mobile. This is helpful during incident response, when all you may have is an IP address: from that address, Armis tells you what the device is, where it is, and what it has been doing.
OT Change Management and Configuration Management
Another important aspect of OT asset management is ensuring that each device is programmed and configured correctly. Armis helps in two ways:
Network changes: Temporary firewall changes are sometimes made to facilitate troubleshooting or data acquisition, and are not always reverted when the temporary period ends. Armis monitors your network and can detect when such a change has been inadvertently left in place, by flagging the resulting unintended connectivity (for example, a new connection from an enterprise-level host straight to a Level 1 controller).
PLC program changes: Armis can alert whenever a program download or other program change command is sent to a PLC. If the command is not an expected engineering activity, it could be a sign that an intruder is trying to reprogram your PLC. This corresponds to the Program Download and Modify Program techniques in the MITRE ATT&CK for ICS knowledge base, among the many ICS attack techniques that Armis is able to detect.
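The two checks above can be expressed over the same stream of observed flows. The following is an added example, not Armis's code: it learns the set of device-to-device conduits seen during a baseline window and alerts on any later conduit between different Purdue levels that was never seen before (the footprint of a firewall opening that was not reverted), and it alerts on every S7comm program-change command regardless of baseline. The S7comm function codes are the real values as decoded by Wireshark's s7comm dissector; the flow records, the IP-to-level map, the `s7_function` field (standing in for what a protocol parser extracts from the S7 header) and the severity rules are assumptions constructed for this example.

```python
"""Change monitoring over observed OT flows: unintended cross-level
connectivity and PLC program-change commands.

Added example, not Armis's code. Flow records and the Purdue-level map are
constructed; the s7_function field stands in for what a protocol parser
would extract from the S7comm header.
"""
from collections import namedtuple

Flow = namedtuple("Flow", "ts src dst proto dport s7_function")

# S7comm job function codes that alter or control the program on an S7 PLC
# (values as decoded by Wireshark's s7comm dissector).
S7_PROGRAM_CHANGE = {
    0x1A: "Request download",
    0x1B: "Download block",
    0x1C: "Download ended",
    0x28: "PLC Control",   # start, copy RAM to ROM, ...
    0x29: "PLC Stop",
}

ENGINEERING_LEVELS = {2, 3}  # hosts expected to push programs (assumed for this example)


def detect_changes(flows, levels, baseline_until):
    """Return alerts for two kinds of change.

    1. A (src, dst, proto, port) conduit between devices at different Purdue
       levels that was never seen during the baseline window.
    2. Any S7comm program-change command, regardless of baseline; severity is
       'high' when the sender sits outside the engineering levels.
    """
    baseline, reported, alerts = set(), set(), []
    for f in sorted(flows, key=lambda f: f.ts):
        key = (f.src, f.dst, f.proto, f.dport)
        src_lvl, dst_lvl = levels.get(f.src), levels.get(f.dst)
        if f.ts <= baseline_until:
            baseline.add(key)
        elif key not in baseline and key not in reported and src_lvl != dst_lvl:
            reported.add(key)  # report each new conduit once, not per packet
            alerts.append({
                "ts": f.ts, "type": "new cross-level connection",
                "detail": f"{f.src} (L{src_lvl}) -> {f.dst} (L{dst_lvl}) {f.proto}/{f.dport}",
                "severity": "high" if {src_lvl, dst_lvl} & {4, 5} else "medium",
            })
        if f.s7_function in S7_PROGRAM_CHANGE:
            alerts.append({
                "ts": f.ts, "type": "PLC program change",
                "s7_function": S7_PROGRAM_CHANGE[f.s7_function],
                "detail": f"{f.src} -> {f.dst}",
                "severity": "medium" if src_lvl in ENGINEERING_LEVELS else "high",
            })
    return alerts


# Constructed Purdue-level map and flow records.
LEVELS = {"10.0.1.5": 1, "10.0.1.7": 1, "10.0.2.10": 2, "10.0.4.50": 4}

FLOWS = [
    Flow(900,  "10.0.2.10", "10.0.1.5", "tcp", 102, 0x04),    # HMI reads variables (baseline)
    Flow(950,  "10.0.2.10", "10.0.1.7", "tcp", 44818, None),  # HMI polls EtherNet/IP (baseline)
    Flow(1500, "10.0.2.10", "10.0.1.5", "tcp", 102, 0x04),    # known conduit, no alert
    Flow(1600, "10.0.4.50", "10.0.1.5", "tcp", 102, 0x04),    # L4 host reaches a PLC directly
    Flow(1610, "10.0.4.50", "10.0.1.5", "tcp", 102, 0x1A),    # ...and starts a program download
    Flow(1700, "10.0.2.10", "10.0.1.5", "tcp", 102, 0x1B),    # engineering host pushes a block
]

if __name__ == "__main__":
    for alert in detect_changes(FLOWS, LEVELS, baseline_until=1000):
        print(alert)
```

Run as is, this produces three alerts: the new Level 4 to Level 1 conduit at 1600, the download request from that same host at 1610 (high severity, since a Level 4 host should not be programming controllers), and the block download from the engineering host at 1700 (medium severity: it may well be legitimate, but the page's point is that every program change is surfaced so the operator can confirm it was intended).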
Seamless Collaboration Between Plant Operations and Security
Armis helps engineers, maintenance specialists, plant administrators, and security teams get more done in less time. Armis serves as a "source of truth" for OT asset inventory and can integrate with your existing IT asset management platform or CMMS/CMDB, keeping it up to date with the latest and most complete information available.