OT Asset Discovery: Improving Your Security Posture Using Device Type Learning

A SCADAfence New Feature report

The first question we're usually asked by any CISO who wants to increase their OT security posture is about asset visibility and management. Gathering a comprehensive and accurate inventory of all the devices attached to an OT network is often the primary need driving an organization to seek assistance, and the biggest barrier to achieving their goals for security and compliance. It's the right question to be asking, and the best place to start.

As we've written before, you can't protect what you can't see, or what you don't know exists. Let's also add that the more detailed information you can gather about each asset on your OT network, the better your protection, prioritization, and compliance will be. Therefore, the asset detection and management capabilities of an OT security platform are the bedrock on which the rest of the security solution stands. 

Limitations of Most Asset Discovery Systems

Unfortunately, most asset management systems have serious limitations. They are stuck with static detection and inventory. The system finds a device on the network, decides what it is, adds some details, and presents the security team with an unalterable asset list. They are unable to successfully identify the type of device, protocols in use, and the vendor with 100% accuracy. Moreover, they lack any ability to learn how to do detection better. 

These systems were designed with no user-configurable options that would allow a security team to customize the asset inventory, change information about each device type, create new device types, or customize alerts based on device type to meet their security needs. 

Introducing Device Type Learning 

As part of its passive information gathering, the SCADAfence Platform can learn more about your network’s devices and improve how it recognizes and identifies each device type. In addition, your security team can manually change, customize or add details about each device type, and even create new device types. Device Type Learning allows the system to learn to accurately identify new devices based on their IP address or range of addresses, vendor type, similar network behavior or similar protocols in use. Also, you can rename devices, so if the system detected one as a certain asset type, but you would like it to me more specific or assign it a different type, you can manually change the asset name. All other identical devices on the network would then be associated with the new name and asset type.

Device Type Learning allows you to change the device type 

This results in close to 100% asset inventory coverage. Device Type Learning deploys quickly and offers tremendous flexibility, without needing to involve the device vendors. In the SCADAfence platform's asset manager module and in particular the pivot view, the new device type can be viewed effortlessly. 

Device Type Learning assists with prioritizing and customizing alerts. If the system detects unauthorized access it helps to know exactly which device was accessed. An alert about a PLC, for example, can be assigned a higher priority level than another less critical device. 

Customized device type rules 

Summary of benefits to the user of Device Type Learning

• Real time, detailed and comprehensive asset inventory with close to 100% accuracy.
• Receive better adapted standard alerts.
• Network activity monitored more precisely.
• Learning is done passively and automatically with no disruption to the OT network.
• Asset names and device types are customizable and can be changed to meet your organization’s needs.
• No need to involve vendor in order to add new device types to the monitoring system.