How to Ensure You Have Complete OT/ICS Asset Visibility

Pick your framework – asset visibility is the foundation of OT/ICS cybersecurity. Whether you’re aligning with IEC 62443, NIST SP 800-82r3 or the SANS Five Critical Controls for ICS, asset inventory is where you start. As we all know, you can’t manage what you can’t see. Before you can assess risk, segment your network, manage vulnerabilities and implement effective incident response plans, you must know what’s on your network and what it’s communicating with.

For something so fundamental, there’s wide variation in what vendors mean by asset inventory management. If you cut corners at this fundamental step, instead of an actionable foundation for your cybersecurity program, you may end up with a glorified database of IP addresses.

This article will explain what to look for in an OT/ICS asset management solution, one that provides deep insights into device behavior and communications. There are five pillars to remember: sensor variety, data collection methods, DPI and protocol coverage, behavioral baselining and asset intelligence. Sacrifice any of these and you won’t have complete visibility.

1. Endpoint-to-Air Sensors

Discovering and identifying every asset in your environment requires a variety of sensors beyond traditional network sensors. Each of these sensor types must be purpose-built for OT/ICS environments to read industrial protocols and be non-disruptive.

Network Sensors and Remote Collectors

Network sensors and remote collectors passively collect, analyze and visualize network data for continuous monitoring and threat and anomaly detection. Guardian network sensors observe local traffic without agents or interrogation to identify devices and monitor activity. Small, low-resource remote collectors work in conjunction with Guardian sensors to capture data from hard-to-reach or unmanned locations such as wilderness, offshore and other remote and distributed locations (like electrical substations) where network sensors aren’t cost efficient or practical. These sensors come in a variety of form factors including rack-mounted hardware, ruggedized hardware, virtual, portable and containerized.

Wireless Sensors

The explosion of wireless connected devices in industrial and critical infrastructure environments has vastly increased the attack surface. Many wireless devices use insecure protocols, and Nozomi Networks Labs researchers recently discovered that the vast majority of wireless networks are wide open to deauthentication attacks.

In addition to Wi-Fi and Bluetooth, process control networks rely on specialized wireless protocols designed to facilitate reliable communication between sensors and controllers with low power consumption. These protocols play a crucial role in collecting, concatenating and transmitting data that enables both system operation and surveillance. Nozomi Guardian Air is the first wireless sensor designed to detect not just Wi-Fi and Bluetooth but Zigbee, LoRaWAN, Drone RF and other wireless protocols frequently used in OT/IoT environments.

Endpoint Sensors

In IT security, endpoint agents are ubiquitous for anti-virus protection and patching. Unfortunately, negative experiences deploying IT-focused agents on OT devices have led to scarce adoption of much-needed endpoint monitoring in industrial environments. That’s equally risky. Traditional ICS network monitoring solutions monitor North-South traffic between Purdue levels or firewalls, but East-West communications between devices within a zone, especially at lower Purdue levels, have long been a blind spot. Moreover, endpoint monitoring is the only way to correlate user activity and events to detect insider threats.

Nozomi Arc is a lightweight, non-disruptive security agent for Windows, Linux and macOS that understands OT/IoT protocols and doesn't operate at the kernel level of the host operating system.

Endpoint Embedded Sensors

As mentioned, visibility into East-West traffic at Purdue Levels 1 and 0 is typically a black hole, including PLCs and their backplane communications. Yet any disruption at Purdue lower levels could directly impact production. The first version of Arc Embedded, developed in collaboration with Mitsubishi Electric, is available for the MELSEC iQ-R family of PLCs, with more OEM devices in development. It provides unprecedented visibility into these PLCs and the field assets they control, all the way down to Purdue Level 0.

Three Approaches to Asset Data Collection

Relying on passive discovery techniques alone isn’t enough to keep up with the increasing sophistication and frequency of industrial threats, both cyber and operational. Nozomi Networks combines passive and active discovery techniques with the ability to integrate data already stored in other parts of your security stack.

Passive Discovery: Network Sensors and Remote Collectors

Passive discovery through network sensors has long been the standard for OT/ICS asset discovery where active scanning and probing techniques may be inappropriate. It works by monitoring network traffic without directly interacting with devices. Imagine a network switch observing traffic patterns — it can see which devices are communicating, how frequently and using what protocols. Guardian network sensors, in conjunction with remote collectors, are workhorses at passive discovery. They continuously monitor the network to discover newly connected assets.

Active Discovery, or Smart Polling

Passive discovery is tried and true, but it has limitations. It can’t detect silent devices or those that aren’t actively transmitting data. This means hidden risks can go undetected, such as dormant devices, rogue assets or misconfigured endpoints that aren’t generating network traffic but still pose a security threat.

Active discovery fills in these blind spots. With a growing understanding that complete visibility is foundational to resilience, it’s also becoming the norm in industrial networks.

Referred to as Smart Polling in the Nozomi Networks platform, active discovery probes the network, sending carefully crafted queries such as network pings or protocol-specific requests to devices. This is like a system administrator actively polling connected assets, asking, "What type of device are you?" "What services are you running?" Active querying reveals more details about devices, even those that aren’t communicating, but must be done carefully to avoid disrupting critical operations.
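The two collection methods above fit together as a reconciliation loop: passive observation builds the inventory, and the gaps it leaves are what justify a targeted active query. The following is an added example, not code from Nozomi Networks or from this article; the flow-record fields, the expected-asset list and the addresses are constructed for illustration. A host counts as confirmed only when it has been seen sending traffic, because being addressed by another device proves nothing about whether it is alive.

```python
from collections import defaultdict

# Constructed flow records standing in for the metadata a passive network
# sensor extracts from a SPAN/TAP feed. Field names are assumptions.
PASSIVE_FLOWS = [
    {"src": "10.1.1.10", "src_mac": "00:80:f4:01:02:03", "dst": "10.1.1.20", "dport": 502, "proto": "modbus"},
    {"src": "10.1.1.10", "src_mac": "00:80:f4:01:02:03", "dst": "10.1.1.21", "dport": 502, "proto": "modbus"},
    {"src": "10.1.1.20", "src_mac": "00:1d:9c:aa:bb:cc", "dst": "10.1.1.10", "dport": 55012, "proto": "modbus"},
    {"src": "10.1.1.30", "src_mac": "00:50:56:12:34:56", "dst": "10.1.1.10", "dport": 3389, "proto": "rdp"},
]

# Hypothetical engineering list of what *should* be on this segment.
EXPECTED_ASSETS = {
    "10.1.1.10": "HMI",
    "10.1.1.20": "PLC-1",
    "10.1.1.21": "PLC-2",
    "10.1.1.22": "PLC-3 (cold spare)",
}


def build_passive_inventory(flows):
    """Fold flow records into per-host profiles.

    'confirmed' is set only for hosts observed as a traffic *source*;
    hosts that only ever appear as a destination stay unconfirmed.
    """
    inventory = {}

    def host(ip):
        return inventory.setdefault(
            ip, {"macs": set(), "protocols": set(), "peers": set(), "confirmed": False})

    for f in flows:
        src, dst = host(f["src"]), host(f["dst"])
        src["confirmed"] = True
        src["macs"].add(f["src_mac"])
        src["protocols"].add(f["proto"])
        dst["protocols"].add(f["proto"])
        src["peers"].add(f["dst"])
        dst["peers"].add(f["src"])
    return inventory


def reconcile(inventory, expected):
    """Compare the passive view with the expected asset list.

    Returns (unexpected, unconfirmed, silent): hosts talking that nobody
    expected, expected hosts seen only as a destination, and expected
    hosts never seen at all. The last two are the passive blind spot.
    """
    unexpected = {ip for ip in inventory if ip not in expected}
    unconfirmed = {ip for ip in expected
                   if ip in inventory and not inventory[ip]["confirmed"]}
    silent = {ip for ip in expected if ip not in inventory}
    return unexpected, unconfirmed, silent


def polling_candidates(inventory, expected):
    """Hosts that warrant a targeted active query.

    Only unconfirmed and silent hosts are queued; hosts already confirmed
    passively need no probe, which keeps active traffic on the control
    network to the minimum (and the queue can be gated on a maintenance
    window before anything is actually sent).
    """
    _, unconfirmed, silent = reconcile(inventory, expected)
    return sorted(unconfirmed | silent)


if __name__ == "__main__":
    inv = build_passive_inventory(PASSIVE_FLOWS)
    print("unexpected / unconfirmed / silent:", reconcile(inv, EXPECTED_ASSETS))
    print("queue for active polling:", polling_candidates(inv, EXPECTED_ASSETS))
```

With the constructed input, passive observation alone correctly surfaces the unexpected RDP talker at 10.1.1.30, cannot confirm PLC-2 (only ever addressed, never heard from) and knows nothing about the cold spare at 10.1.1.22; the latter two are the only hosts queued for polling.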

Third-Party Integrations (Catalog Connectors)

Most OT/ICS environments rely on dozens of technology solutions, many of which capture valuable data that can be tapped to enrich asset inventories. The Nozomi Networks platform has a growing library of third-party connectors that can pull structured asset data from where it already exists, such as Microsoft Active Directory, Microsoft Defender, Cisco routers and switches, CrowdStrike, ServiceNow and other leading IT security solutions.

DPI and Protocol Coverage

Data for the sake of data is a good way to bury the needle deeper in the haystack rather than giving your operators and security analysts actionable context. In OT/IoT environments, you need a combination of deep packet inspection (DPI) and comprehensive protocol coverage to ensure you don’t just see all your assets but understand what they’re doing and who they’re communicating with.

Deep Packet Inspection

Visibility into process variables and flows is essential for early anomaly detection. That can only be achieved using DPI to carefully analyze proprietary industrial protocols like Modbus or Profibus. Our passive sensors use DPI to automatically discover network components, connections and topology — and reveal threats.

Industrial Protocol Coverage

IT systems communicate using standard protocols, but OT systems use a wide range of protocols, many of them proprietary and industry specific. Device profiles will always be incomplete if the solution can’t analyze network traffic and asset-to-asset communications, key indicators for flagging potential issues in your environment. Since assets communicate via their protocols, fluency in a wide range of protocols is the key to understanding asset behavior. If your tool doesn’t support a protocol, you’re blind to those behaviors.

The Nozomi Networks platform understands hundreds of OT, IoT and IT protocols, from common to obscure, and we're constantly adding more. Using our protocol software development kit (SDK), we can quickly create new protocol support on demand.
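What "DPI" and "protocol fluency" mean in practice is shown by the Modbus/TCP decoder below: an added example written for this article, not part of the Nozomi Networks platform or its protocol SDK. Modbus/TCP is documented publicly (MBAP header of transaction id, protocol id, length and unit id, followed by a function code and data), so the field layout is real; the three sample frames and the allow-listed register ranges are constructed. The point is that once the sensor understands the protocol, a single frame tells you whether a device is being read or written, which registers are touched, and whether the PLC rejected the request, none of which is visible from IP addresses and port numbers alone.

```python
import struct

# Modbus function codes relevant to classifying what a frame does.
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
READ_DEVICE_ID = 43  # MEI transport, commonly used by asset discovery


class MalformedFrame(ValueError):
    """Frame violates the MBAP/PDU layout (truncated, wrong protocol id...)."""


def parse_modbus_tcp(frame: bytes) -> dict:
    """Decode one Modbus/TCP frame into an inspectable record.

    The MBAP length field counts the unit id plus the PDU, which is the
    check used here to reject truncated or padded frames.
    """
    if len(frame) < 8:
        raise MalformedFrame("shorter than MBAP header plus function code")
    txn, proto, length, unit, func = struct.unpack(">HHHBB", frame[:8])
    if proto != 0:
        raise MalformedFrame(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:
        raise MalformedFrame(f"length {length} != payload {len(frame) - 6}")
    data = frame[8:]
    rec = {"transaction": txn, "unit": unit, "function": func,
           "is_write": func in WRITE_FUNCTIONS,
           "is_exception": bool(func & 0x80)}
    if rec["is_exception"]:                 # response: FC | 0x80, exception code
        if not data:
            raise MalformedFrame("exception response without code")
        rec["exception_code"] = data[0]
        rec["name"] = f"Exception to FC {func & 0x7F}"
        return rec
    if func in READ_FUNCTIONS or func in (15, 16):
        if len(data) < 4:
            raise MalformedFrame("PDU too short for address/quantity")
        rec["address"], rec["quantity"] = struct.unpack(">HH", data[:4])
    elif func in (5, 6):
        if len(data) < 4:
            raise MalformedFrame("PDU too short for address/value")
        rec["address"], rec["value"] = struct.unpack(">HH", data[:4])
        rec["quantity"] = 1
    if func == 16:
        byte_count = data[4] if len(data) > 4 else -1
        payload = data[5:5 + byte_count]
        if byte_count != 2 * rec["quantity"] or len(payload) != byte_count:
            raise MalformedFrame("register byte count does not match quantity")
        rec["values"] = [v for (v,) in struct.iter_unpack(">H", payload)]
    rec["name"] = (READ_FUNCTIONS.get(func) or WRITE_FUNCTIONS.get(func)
                   or ("Read Device Identification" if func == READ_DEVICE_ID
                       else f"FC {func}"))
    return rec


def safe_parse(frame: bytes):
    """Return the parsed record, or None when the frame is malformed."""
    try:
        return parse_modbus_tcp(frame)
    except MalformedFrame:
        return None


def flag_unexpected_writes(records, allowed_ranges):
    """Return records that write outside the engineered register ranges.

    allowed_ranges: {unit_id: [(lo, hi), ...]} (constructed allow list).
    """
    flagged = []
    for rec in records:
        if not rec["is_write"]:
            continue
        lo, hi = rec["address"], rec["address"] + rec["quantity"] - 1
        ok = any(a <= lo and hi <= b for a, b in allowed_ranges.get(rec["unit"], []))
        if not ok:
            flagged.append(rec)
    return flagged


# Constructed sample frames (hex): a read of 16 holding registers, a write
# of two registers starting at 0x0010, and an "illegal data address" reply.
READ_REQ = bytes.fromhex("0001 0000 0006 01 03 0000 0010")
WRITE_REQ = bytes.fromhex("0002 0000 000b 01 10 0010 0002 04 0001 ffff")
EXC_RESP = bytes.fromhex("0003 0000 0003 01 83 02")

if __name__ == "__main__":
    for f in (READ_REQ, WRITE_REQ, EXC_RESP):
        print(parse_modbus_tcp(f))
    print(flag_unexpected_writes([parse_modbus_tcp(WRITE_REQ)], {1: [(0x0100, 0x01FF)]}))
```

The allow-list check at the end is one way such decoded fields feed detection: a write to registers the engineering documentation does not expect anyone to touch is an alert, while the same write inside the expected range is normal operation.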

Behavioral Baselining

AI and machine learning are also essential for baselining asset behavior and detecting anomalies. Upon deployment, the Nozomi Networks platform begins monitoring device communications in "learning mode," all the way down to process-level variables. It uses AI to create detailed profiles of the expected behavior of every device at each stage in a process to establish a baseline of “normal” behavior. When switched to "protection" mode, the platform uses behavioral analytics to monitor the environment and alert on suspicious events that deviate from those baselines, while filtering out benign anomalous activity below established thresholds. In this way, asset behavior becomes an essential part of each asset profile.
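The learning/protection cycle described above can be made concrete with a deliberately simple baseline: a set of observed (source, destination, function) conversations plus a min/max range per written register, with a tolerance band that suppresses small deviations. This is an added example for this article, not the Nozomi Networks platform's model (which the text describes as AI-driven and far richer); the event shape and the HMI/PLC addresses and setpoint values are constructed.

```python
class BehavioralBaseline:
    """Two-phase behavioral baseline.

    Learning mode records which conversations occur and the range each
    written register takes. Protection mode returns a list of alert
    strings for an event (empty list means the event is within baseline).
    Event shape (assumed): {"src", "dst", "function", optional "register",
    optional "value"}.
    """

    def __init__(self, tolerance=0.10):
        self.tolerance = tolerance      # band around the learned range
        self.mode = "learning"
        self.conversations = set()      # (src, dst, function)
        self.ranges = {}                # (dst, register) -> (lo, hi)

    def protect(self):
        self.mode = "protection"

    def observe(self, event):
        key = (event["src"], event["dst"], event["function"])
        reg_key = (event["dst"], event.get("register"))
        value = event.get("value")

        if self.mode == "learning":
            self.conversations.add(key)
            if value is not None:
                lo, hi = self.ranges.get(reg_key, (value, value))
                self.ranges[reg_key] = (min(lo, value), max(hi, value))
            return []

        alerts = []
        if key not in self.conversations:
            alerts.append(f"new conversation {key}")
        if value is not None:
            if reg_key not in self.ranges:
                alerts.append(f"never-written register {reg_key}")
            else:
                lo, hi = self.ranges[reg_key]
                pad = self.tolerance * (hi - lo)   # below-threshold noise is ignored
                if value < lo - pad or value > hi + pad:
                    alerts.append(
                        f"register {reg_key} value {value} outside [{lo}, {hi}] +/- {pad:g}")
        return alerts


def build_demo_baseline():
    """Learn from constructed HMI -> PLC-1 traffic, then switch to protection."""
    b = BehavioralBaseline(tolerance=0.10)
    for v in (480, 500, 520):              # setpoint writes seen during learning
        b.observe({"src": "10.1.1.10", "dst": "10.1.1.20", "function": 6,
                   "register": 100, "value": v})
    b.observe({"src": "10.1.1.10", "dst": "10.1.1.20", "function": 3})
    b.protect()
    return b


if __name__ == "__main__":
    b = build_demo_baseline()
    print(b.observe({"src": "10.1.1.10", "dst": "10.1.1.20", "function": 6,
                     "register": 100, "value": 523}))   # within band: []
    print(b.observe({"src": "10.1.1.10", "dst": "10.1.1.20", "function": 6,
                     "register": 100, "value": 600}))   # out of range
    print(b.observe({"src": "10.1.1.30", "dst": "10.1.1.20", "function": 6,
                     "register": 100, "value": 500}))   # unknown writer
```

The tolerance band is what keeps a setpoint nudged slightly past its historical maximum from paging an analyst, while a write from a host that never wrote before is alerted even when the value itself looks ordinary; that second case is the one a flow-level view cannot distinguish from routine traffic.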

AI-Powered Asset Intelligence

There’s still more that can be done to achieve a near 100% accurate inventory that’s always up to date — essentially through community sourcing. Available as a subscription, the Nozomi Networks Asset Intelligence feed uses advanced behavioral inference to fill in missing attributes using matching records in our database. These enriched profiles enable teams to make informed decisions about the maintenance and security of their digital assets.

The result is asset classification that’s up to 50-70% more accurate, which helps simplify vulnerability management and reduce mean time to respond (MTTR).

Our AI engine learns from millions of assets that we monitor in customer environments across industries around the globe. This data trove is used to fill in gaps about identical devices across environments based on attributes such as MAC addresses, configuration, protocols, end-of-sale and end-of-support dates, and more. When a match is found, those attributes and behaviors are added to your device profile. The same data is used to determine known behavior, reducing the number of benign alerts by knowing when "new" or "different" isn't a risk.

Don’t Skimp on Asset Inventory, Your Cybersecurity Foundation

Industrial and critical infrastructure networks typically contain thousands of OT devices from hundreds of vendors, as well as IoT devices, that monitor and control processes. Creating an accurate, up-to-date inventory of these assets and keeping track of them, along with important context information, is foundational for maintaining cyber and operational resilience. It can’t be done manually.

Using a combination of endpoint-to-air sensors, passive and active data collection, OT/IoT protocol support and third-party IT asset data, the Nozomi Networks platform provides a complete asset inventory — turbocharged with actionable, AI-powered asset intelligence. Turn it on in your environment. You’ll be surprised what you see.