Large OT networks are often poorly documented, or more precisely, have grown over many years. The result: the assets (= machines, computers etc.) within the network are not exactly recorded. In order to get and maintain an overview, it is advisable to carry out an asset discovery.
Of course, an asset valuation presupposes that you are aware of the existing assets, i.e. that you have a kind of inventory list. There are countless standard tools on the market for recognizing and documenting assets in an IT network, but these should be used carefully in OT networks. Why? Old components in a grown structure tend to be a bit “sensitive” when receiving unexpected packets, which can sometimes lead to a failure – not a desirable result.
For Asset Discovery there are tools from different manufacturers. The common denominator is the method used to detect assets on a network. Basically, there are active and passive methods.
Active detection addresses the “assets” directly – this approach is effective in simple networks. However, in complex, highly segmented networks, not all devices are accessible, and in networks with high levels of network security, certain devices may not be displayed at all because this was not explicitly allowed. An extended approach could be to listen to broadcasts within a segment. However, this approach is complex because you can only work within one segment in this way, i.e. the individual segments must be compiled at the end. Active methods also have the disadvantage that they do not contain any information about the actual communication between the assets. Although this information is not directly relevant to the asset inventory, it can provide information about complex network connections.
A more comprehensive and accurate alternative is to capture assets using purely passive methods. This observes the actual communication over a defined period of time with the enormous advantage that active end devices are identified without interaction, which is particularly important in the OT environment.
ASSET-DISCOVERY-TOOLS: sFlow and Netflow
Protocols such as Netflow/IPFIX or sFlow are suitable for recording communication. Both Netflow and sFlow are supported by conventional enterprise switches. In order to collect data, the switches of the network must be configured and a collector installed. The collector aggregates and collects the data and enables the detection of assets in a non-invasive way.
There are many collectors for Netflow /sFlow data – even as open source solutions. An open source variant, which we at Limes Security gladly recommend, is Elastiflow based on the ELK stack.
# Elastiflox download (https://github.com/robcowart/elastiflow)