Feature Spotlight: Claroty Active Queries
By Gary Kneeland and Matt Ziegler | May 16, 2022
We’ve written extensively on visibility and why it serves as the prerequisite for almost all other industrial cybersecurity measures necessary to secure your environment. As a general framework, we like to think of visibility in terms of the following types: asset, session, and process visibility. One of these, asset visibility, drives not only the other two, but a multitude of other facets of a strong cybersecurity posture, including segmentation, vulnerability and risk management, threat detection, and more. One of the most powerful tools an organization can employ for gaining asset visibility is active querying.
What is Active Querying?
In short, an active query is any direct request for data, such as a status report, that one device sends to another device. In an IT environment, active queries typically rely on mechanisms such as SNMP, WMI, and port scans. Many industrial assets, however, were never designed to respond to these requests. In some cases, sending them to an industrial asset can cause it to crash, leading to unscheduled downtime and lost production. This is why many operators, especially those who have had bad experiences in the past, are uneasy about using active queries in an industrial environment.
Let’s look at a few specific examples of this risk and how they can be overcome with a properly designed approach to active querying:
Querying an industrial asset with traffic it is not expecting
Because of their age and design, many industrial assets cannot reliably handle traffic they were not expecting. Querying an asset with the wrong traffic (i.e. a protocol it does not understand) can produce anything from a simple failed request to, as mentioned above, a failure of the asset's network driver, resulting in abnormal behavior.
Knowing that downtime is an unacceptable outcome for device discovery, Claroty designed its active query capabilities with these risks in mind. The active queries used by Claroty Continuous Threat Detection (CTD) and Claroty Edge speak the same proprietary protocols that the industrial assets already use on the operational network, and a query is only sent in a protocol the target asset is known to speak. From a PLC's perspective, an active query from Claroty is therefore indistinguishable from a standard request sent by an engineering workstation, which is what makes these queries safe to use for asset discovery.
Generating too much network traffic
Any time a system generates network traffic, it adds load to the existing infrastructure. This becomes a problem when the network is already saturated or when the queries themselves generate a large volume of additional traffic. Active query traffic on its own is not expected to place a disproportionate load on the network, but if either condition holds, performance can degrade, leading to slower asset response times, errors, and possibly asset downtime.
Claroty designed its active queries to mitigate the risks of additional network traffic. Active queries used by CTD and Claroty Edge generate the minimum traffic needed to obtain a valid response from an asset, sometimes as little as a single packet per query, and in general add no more load than connecting one additional engineering workstation to the network.
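The two design rules above (speak only a protocol the asset already uses, and send the least traffic that yields a usable answer) can be shown concretely with a standard, non-proprietary protocol. The following Python is an added example written for this page, not Claroty's code: it builds a single Modbus/TCP "Read Device Identification" request (function 0x2B, MEI type 0x0E, basic block), parses the reply into vendor, product, and revision, and only schedules a query against hosts that passive monitoring already observed on TCP/502, with a fixed pause between queries. The `passive_inventory` dictionary, the IP addresses, and the reply bytes in `sample_response` are all constructed for the example; nothing is captured from a real device.

```python
import struct

MODBUS_PORT = 502                # only hosts already seen on this port get a Modbus query
FC_ENCAPSULATED = 0x2B           # Encapsulated Interface Transport function code
MEI_READ_DEVICE_ID = 0x0E        # MEI type: Read Device Identification
BASIC_DEVICE_ID = 0x01           # basic block: VendorName, ProductCode, MajorMinorRevision

OBJECT_NAMES = {0x00: "VendorName", 0x01: "ProductCode", 0x02: "MajorMinorRevision"}


def build_read_device_id(transaction_id: int, unit_id: int = 1) -> bytes:
    """Build one Modbus/TCP ADU (11 bytes) asking for the basic identification block.

    MBAP header: transaction id, protocol id (0 = Modbus), length of the bytes
    that follow (unit id + PDU), unit id.  PDU: FC 0x2B, MEI 0x0E, read code,
    starting object id 0.  This is the same request an engineering tool sends.
    """
    pdu = bytes([FC_ENCAPSULATED, MEI_READ_DEVICE_ID, BASIC_DEVICE_ID, 0x00])
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_read_device_id(frame: bytes, expected_tid: int) -> dict:
    """Parse a Read Device Identification reply into {object name: value}.

    Raises ValueError on a malformed frame, a transaction-id mismatch or a
    Modbus exception reply (FC | 0x80), so a bad answer is never recorded as
    an asset identity.
    """
    if len(frame) < 9:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    if tid != expected_tid or proto != 0 or length != len(frame) - 6:
        raise ValueError("MBAP header inconsistent with payload")
    pdu = frame[7:]
    if pdu[0] == FC_ENCAPSULATED | 0x80:
        raise ValueError(f"device returned Modbus exception code 0x{pdu[1]:02x}")
    if pdu[0] != FC_ENCAPSULATED or pdu[1] != MEI_READ_DEVICE_ID:
        raise ValueError("unexpected function code or MEI type in reply")
    # pdu[2] read code, pdu[3] conformity level, pdu[4] more-follows,
    # pdu[5] next object id, pdu[6] number of objects, then (id, len, value)...
    count, pos, objects = pdu[6], 7, {}
    for _ in range(count):
        if pos + 2 > len(pdu):
            raise ValueError("object header truncated")
        obj_id, obj_len = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2 : pos + 2 + obj_len]
        if len(value) != obj_len:
            raise ValueError("object value truncated")
        name = OBJECT_NAMES.get(obj_id, f"object_{obj_id:#04x}")
        objects[name] = value.decode("ascii", "replace")
        pos += 2 + obj_len
    return objects


def plan_queries(passive_inventory: dict, max_per_minute: int = 6):
    """Choose targets from what passive monitoring already saw.

    passive_inventory maps host -> set of TCP ports observed in its traffic.
    Only hosts seen speaking Modbus/TCP are queried over Modbus; every other
    host is skipped rather than probed with a protocol it may not handle.
    Returns (targets, seconds to wait between queries).
    """
    targets = [host for host, ports in passive_inventory.items() if MODBUS_PORT in ports]
    return targets, 60.0 / max_per_minute


def sample_response(transaction_id: int, unit_id: int = 1) -> bytes:
    """Constructed reply for offline runs (assumed values, not a real device)."""
    objs = b""
    for obj_id, value in ((0x00, b"Acme"), (0x01, b"PLC-1"), (0x02, b"2.1")):
        objs += bytes([obj_id, len(value)]) + value
    pdu = bytes([FC_ENCAPSULATED, MEI_READ_DEVICE_ID, BASIC_DEVICE_ID,
                 0x01, 0x00, 0x00, 0x03]) + objs   # conformity basic, no more follows
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


if __name__ == "__main__":
    # Constructed passive observations: one host on S7 (TCP/102), two on Modbus.
    seen = {"10.0.1.10": {502}, "10.0.1.11": {102}, "10.0.1.12": {502, 44818}}
    targets, gap = plan_queries(seen)
    for tid, host in enumerate(targets, start=1):
        req = build_read_device_id(tid)
        print(host, "request", len(req), "bytes:", req.hex())
        # Live use: open a TCP socket to (host, 502), send req, recv the reply,
        # then time.sleep(gap).  Here the reply is the constructed sample.
        print(host, parse_read_device_id(sample_response(tid), tid))
```

The whole query is one 11-byte packet, and the 10.0.1.11 host, which was only ever seen speaking on TCP/102, is never sent a Modbus frame at all. The parser treats a transaction-id mismatch, a length mismatch, or an exception reply as an error rather than as identity data, which is the difference between a discovery tool and a fuzzer.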
Given the risks, why bother?
Whether they are issued from the core switch or from a sensor at lower levels of the network, active queries fill gaps in asset visibility that passive monitoring alone cannot close. For example, a device that generates traffic only rarely may seldom be seen by a passive monitoring tool. While that asset is silent, the system cannot enrich its database with the asset's details and configuration, so critical vulnerabilities and risks may go unidentified.
Active queries let operators request this information directly from the device and fill in the gaps left by passive monitoring. They also reach parts of the network that cannot be observed passively, such as segments nested many switches deep that would otherwise require complicated changes to the network architecture before their traffic could be monitored. An active query targets these segments directly, without re-architecting the network.
A multi-pronged approach to asset discovery
There’s no one-size-fits-all approach to asset discovery, and no solution relying on a single discovery method can deliver 100% asset visibility. As powerful as active queries are, they have limits of their own. An active query is a snapshot in time: it returns quick, deep, and accurate information on an asset's details and vulnerabilities, but it provides none of the behavioral or signature-based context needed to baseline normal activity and detect anomalies and threats. Combining active queries with continuous passive monitoring and Claroty’s unique AppDB parser gives you the breadth and depth of asset information needed to build a strong foundation for your cyber-physical systems’ security journey.
To learn more about Claroty’s ability to reveal all network assets, sessions, and processes, request a demo.