
ICS Network Utilization and Topology

by Cesar Navas
April 18, 2019


Understanding the network topology is a critical first step in understanding the security posture of an ICS/SCADA environment. Because ICS/SCADA devices are so critical, they cannot be scanned using traditional active scanning methods. This dashboard leverages information collected by Industrial Security to passively detect the operating systems, protocols, and applications used on the ICS network.

ICS is a term that describes hardware and software connected to a network to support critical infrastructure. Some of the most common terms used in ICS are:

  • Programmable Logic Controllers (PLCs)
  • Remote Terminal Units (RTU)
  • Intelligent Electronic Device (IED)
  • Human Machine Interface (HMI)

These connected control systems manage the operation of critical equipment within power plants, water and waste treatment plants, transport industries, and more. This convergence of operational technology (OT) and Information Technology (IT) has raised security concerns, as the systems can now be targeted by bad actors.

An organization should always be aware of its network topology, both to keep an eye on the types of devices that are in the network and to determine whether there has been a potential unauthorized connection into the network. Using Tenable.sc along with Tenable Industrial Security, an analyst can monitor network traffic and identify the most active users/devices as well as the most active ports.

Information on recent network changes as well as indicators of systems by type will assist the organization in maintaining accurate inventory and detecting rogue devices or unauthorized users. Information on the most active systems, ports, and protocols will help in tracking regular activity as well as discovering any unusual event.

Understanding the network topology enables a customer to build out a view of what is communicating on the customer's networks. The ICS Network Utilization and Topology dashboard assists an organization in determining how at risk the ICS network is. This dashboard provides an analyst with the top hosts with internal connections to and from other hosts, as well as a count of hosts separated into their respective class C subnets. Vulnerability counts along with the most talkative TCP/UDP ports are also highlighted. Lastly, system types as well as protocol activity are identified using data from Industrial Security.

The dashboard and components are available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, assurance report cards, and assets. The dashboard can be easily located in the Tenable.sc Feed under the category Security Industry Trends.

The dashboard requirements are:

  • Tenable.sc 5.9.0
  • Nessus Network Monitor 5.8.1
  • Industrial Security 1.3.1

Tenable.sc Continuous View® (Tenable.sc CV™) along with Tenable Industrial Security enables organizations to accurately identify, investigate and prioritize vulnerabilities for critical infrastructure and operational technology. Vulnerability assessment identifies and prioritizes weaknesses that can become the pathway for adversaries to compromise control systems and disrupt critical processes. Comprehensive dashboards and reports simplify stakeholder communication. Industrial Security has comprehensive asset identification, which identifies thousands of OT and IT devices, applications and protocols, including PLCs, RTUs, HMIs, SCADA gateways, desktop computers and network devices. By passively scanning the ICS network, security teams are able to properly fingerprint the many devices that are on the network as well as identify vulnerabilities associated with said devices.

Listed below are the components included with this dashboard. 

ICS Network Utilization and Topology - Top Hosts with Most Internal Connections to Other Hosts

This table presents information on the hosts with the most passively detected internal connections to other hosts (Internal Client Trusted Connection). The table is sorted so that the host with the highest count of detections is at the top. This information can assist an organization in understanding who is talking to whom, as well as detecting any unauthorized or suspicious host connections. The Total column displays the number of detections. The number of detections may not equal the number of other hosts to which this host is connecting, as some detections may include multiple hosts, and multiple connections to the same host may also have been detected. Note that only passively detected internal host connections will be displayed, and this may not include all possible internal connections.

ICS Network Utilization and Topology - Top Hosts with Most Internal Connections from Other Hosts

This table presents information on the hosts with the most passively detected internal connections from other hosts (Internal Server Trusted Connection). The table is sorted so that the host with the highest count of detections is at the top. This information can assist an organization in understanding who is talking to whom, as well as detecting any unauthorized or suspicious host connections. The Total column displays the number of detections. The number of detections may not equal the number of other hosts connecting to this host, as some detections may include multiple hosts, and multiple connections from the same host may also have been detected. Note that only passively detected internal host connections will be displayed, and this may not include all possible internal connections.

ICS Network Utilization and Topology - Included Class C Subnets

This table assists an ICS organization in understanding the scope of its network by grouping all the IP addresses discovered passively by NNM into representative Class C subnets. This information can assist an organization in detecting any unauthorized subnets or rogue devices. Note that if the organization has a very large network, this component can be modified to present Class B subnets, if desired. The Total column displays the number of detections. The number of detections may be greater than the number of hosts in each subnet, as each host may have been detected multiple times.
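The three tables above all derive from the same kind of passive observation: a client host seen connecting to a server host on some port. The following Python is an added example, not Tenable's code and not how Tenable.sc or NNM compute these components internally. It works over a small constructed set of detection records and reproduces the three views: top internal clients, top internal servers, and a Class C (or, as the text notes for large networks, Class B) subnet roll-up. It also makes explicit the distinction the text draws between the Total column (number of detections) and the number of distinct hosts, which the dashboard tables do not show side by side. The record format and the rule that "internal" means RFC 1918 address space are assumptions for this example.

```python
"""Added example (not Tenable's code): summarize passively observed connection
records the way the dashboard's top-hosts and subnet tables do."""
from collections import Counter, defaultdict
import ipaddress

# Assumption for this example: "internal" means RFC 1918 address space.
# Tenable.sc would instead use its own asset lists or network definitions.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of passive detections: (client_ip, server_ip, server_port).
# The same client/server pair can appear more than once, mirroring how one host
# may be detected several times against the same peer.
DETECTIONS = [
    ("10.10.1.5", "10.10.1.20", 502),      # HMI -> PLC, Modbus/TCP
    ("10.10.1.5", "10.10.1.20", 502),      # same pair detected again
    ("10.10.1.5", "10.10.1.21", 502),
    ("10.10.1.6", "10.10.1.20", 44818),    # engineering workstation -> PLC, EtherNet/IP
    ("10.10.2.9", "10.10.1.20", 502),
    ("10.10.2.9", "10.10.1.22", 20000),    # DNP3
    ("10.10.1.5", "203.0.113.7", 443),     # external server (TEST-NET-3): excluded
    ("198.51.100.4", "10.10.1.20", 502),   # external client (TEST-NET-2): excluded
]


def is_internal(ip):
    """True when the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def internal_records(records):
    """Keep only internal-to-internal detections, as the dashboard tables do."""
    return [r for r in records if is_internal(r[0]) and is_internal(r[1])]


def top_hosts(records, direction="client", n=5):
    """Rank hosts by internal connection detections.

    direction="client": connections a host opens to other hosts
                        (Internal Client Trusted Connection).
    direction="server": connections other hosts open to this host
                        (Internal Server Trusted Connection).
    Returns (host, detections, unique_peers) tuples, most detections first.
    'detections' is the dashboard's Total column; 'unique_peers' is the number
    of distinct hosts behind those detections, which can be smaller.
    """
    idx_self, idx_peer = (0, 1) if direction == "client" else (1, 0)
    detections = Counter()
    peers = defaultdict(set)
    for rec in internal_records(records):
        host, peer = rec[idx_self], rec[idx_peer]
        detections[host] += 1
        peers[host].add(peer)
    ranked = sorted(detections.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(host, count, len(peers[host])) for host, count in ranked[:n]]


def subnet_summary(records, prefix_len=24):
    """Group every internal IP seen (as client or server) into /prefix_len subnets.

    prefix_len=24 gives the Class C view the dashboard ships with; 16 gives the
    Class B variant the text suggests for very large networks. Each value is
    (detections, unique_hosts): detections can exceed hosts because one host is
    counted once per record it appears in.
    """
    detections = Counter()
    hosts = defaultdict(set)
    for client, server, _port in internal_records(records):
        for ip in (client, server):
            net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
            detections[net] += 1
            hosts[net].add(ip)
    return {str(net): (detections[net], len(hosts[net])) for net in sorted(detections)}


if __name__ == "__main__":
    print("Top internal clients:", top_hosts(DETECTIONS, "client"))
    print("Top internal servers:", top_hosts(DETECTIONS, "server"))
    print("Class C subnets:", subnet_summary(DETECTIONS, 24))
    print("Class B subnets:", subnet_summary(DETECTIONS, 16))
```

Run as a script it prints the three views. Note how 10.10.1.5 shows three detections but only two distinct peers, and how the two external records drop out entirely: that is the same gap the text warns about when it says only passively detected internal connections appear, so a host whose traffic never crosses a monitored segment will not be counted at all.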

ICS Asset Detection - System Types

This matrix component presents indicators of detected ICS System Types. By reviewing the activity, an analyst can better understand network communications, assess risk, and identify any potential problems within the SCADA network. Clicking on a highlighted indicator will bring up the vulnerability analysis screen to display details and allow further investigation.

ICS Asset Detection - SCADA Protocol Activity

This matrix component presents indicators of detected network activity related to SCADA protocols, and activity on standard ports used by SCADA protocols. This activity might include internal and external connections, encrypted sessions, service detections, and even detections of vulnerabilities. By reviewing the activity, an analyst can better understand network communications, assess risk, and identify any potential problems within the SCADA network. Clicking on a highlighted indicator will bring up the vulnerability analysis screen to display details and allow further investigation.

ICS Network Utilization and Topology - Most Talkative Ports

This table presents the most talkative ports that were detected to be open by various passive scanning techniques. The table is sorted so that the ports with the highest number of detections are at the top. This table displays ports that are detected to be open, not necessarily ports that are being actively used. To reduce the network attack surface, open ports that are not being used should be disabled. The data in this table does not count against the Tenable.sc licensing.
