Attaining Deep Visibility with Dynamic Discovery at S4x26

At the recent S4 Conference in Miami, Claroty engineers took part in the event’s first PoC Pavilion, a showcase of OT security products that were put to the test in a realistic automotive environment that featured SCADA systems, human-machine interfaces (HMIs), programmable logic controllers (PLCs) and other assets that make up a typical tech stack in the manufacturing sector. 

Our task was to deploy Claroty xDome with dynamic discovery in order to provide a detailed asset inventory that would demonstrate not only the quality of our collection and discovery capabilities, but also inform our ability to identify exposures—including vulnerabilities—and prioritize remediation.   

We saw this as an opportunity to demonstrate how our dynamic discovery capabilities could deliver deep visibility into such an environment. Deep visibility as we define it is the most complete classification we have where we are able to collect everything from firmware versions and serial numbers of products down to the rack slot. It’s a higher level of visibility than knowing simply a product name and model number, or an asset class such as PLC or HMI. 

xDome was able to show exactly that capability throughout the PoC Pavilion, gaining the deepest visibility into the test environment—including down to working firmware versions on an asset that was not announced to participants in advance—uncovering dozens of critical vulnerabilities as well as some known exploited vulnerabilities on a half-dozen assets. Furthermore, Claroty’s data collections were of such quality that four of the eight participating vendors leveraged our xDome installation to demonstrate their own use cases. 

Deep Asset Visibility Through Dynamic Discovery

Dynamic discovery methods include carrying out active queries on live assets as well as Claroty Edge integrations, and they give asset owners a more robust inventory than passive discovery alone. Non-passive discovery is imperative for organizations that want to improve time-to-value with a security product and lower their overall total cost of ownership.

Dynamic discovery methods allowed us at the PoC Pavilion, for example, to compile a full asset inventory of the sample environment within three hours of starting the PoC, substantially quicker than could be achieved using passive collections only. Claroty was the only vendor at the PoC Pavilion to successfully complete its task using dynamic discovery.

So how did we do? Our Edge and xDome implementation using dynamic discovery achieved excellent visibility results, with a score of 86 out of 100 measuring overall visibility quality, and successfully identified more than 80 persistent devices, including nearly 30 OT assets classified with a high level of precision, such as PLCs, HMIs, engineering workstations, and SCADA systems. In addition to delivering positive visibility results, we wanted to demonstrate quantitatively what we consider to be deep visibility. During our demonstration, we were able to show our visibility quality formulas and highlight how to achieve better results through our recommendations and the high-fidelity data from Claroty’s CPS Library. In addition, Cisco/Splunk, Elisity, ServiceNow, and Frenos leveraged our xDome installation to demonstrate their own use cases.

Dynamic Discovery Mastered PoC Curveballs

The pavilion’s OT environment—which was provided and run by Booz Allen—was not just a straightforward collection of Rockwell Automation and Siemens sensors, controllers, HMIs, and databases; there were some curveballs that forced us to prepare for the unexpected. That came in the form of two Monigear temperature sensors that we had not seen before in any environment. While the sensors were included on a spec sheet provided by Booz Allen prior to the pavilion, an Opto 22 controller was also in the environment—physically hidden in a cabinet—and was not shared prior to the event. 

We did our homework on the Monigear sensors, learning that the vendor encrypts MQTT communication on the device, blinding any passive discovery capabilities and forcing us to research and identify other methods rather than parsing normal communication. We did so by purchasing a device in order to understand how to interact with it. After connecting the device to our network, we discovered that if the device communicated on a local subnet, it responded in plain text over port 6104 for local discovery, which allowed Claroty Edge to get deep visibility and extract the necessary device information. This enabled us to discover the device in the PoC Pavilion environment. 

The addition of the Opto 22 asset was unexpected. Not only were all participants unaware the device would be part of the environment, PoC Pavilion organizers disconnected the device and reconnected it on different days of the event. Our dynamic discovery identified the asset the first time it was connected, but at that time, we weren’t able to gain deep visibility. Anticipating that it might be reconnected later during the event, we were able to prepare a number of active queries that allowed us to gather additional details; Claroty was the only vendor participating that was able to gain deep device information down to working firmware versions. 

Deep Visibility Informs Mitigation Prioritization

Having deep visibility from dynamic discovery informed how we would meet the vulnerability and prioritization tasks we were assigned. It also demonstrated not only the quality of our visibility but how dynamic discovery improves time to visibility in an environment: as noted above, a full asset inventory of the sample environment was compiled within three hours of starting the PoC, and Claroty was the only vendor at the PoC Pavilion to successfully complete its task using dynamic discovery.

Our collections also informed our vulnerability detection capabilities: we identified 168 vulnerabilities in the environment, including six key devices that carried critical-severity, network-exploitable vulnerabilities that were actively being exploited in the wild, on devices that were also communicating with the internet. As a result, we were able to make a number of mitigation recommendations, including patching software, updating firmware, and hardening systems by disabling ports for unused services or correcting insecure configurations.
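To make the link between visibility depth and prioritization concrete, here is an added toy model (not Claroty's code, and not xDome's scoring) of how much vulnerability attribution an inventory record supports at each depth the post describes: asset class only, product/model, or deep (firmware version). The assets, the `PLC-X` model, the `VULN-*` identifiers and the KEV set are all constructed placeholders; the priority weights are an illustrative assumption.

```python
from dataclasses import dataclass
from typing import List, Optional, Set
# Visibility depth, ordered as the post describes: asset class only,
# then product/model, then deep (firmware version, serial, rack slot).
CLASS_ONLY, MODEL, DEEP = 1, 2, 3
@dataclass
class Asset:
    name: str
    asset_class: str
    model: Optional[str] = None
    firmware: Optional[str] = None
    internet_comms: bool = False
    def depth(self) -> int:
        if self.firmware:
            return DEEP
        return MODEL if self.model else CLASS_ONLY
@dataclass
class Vuln:
    vid: str                 # hypothetical id, not a real CVE
    model: str
    affected_fw: Set[str]    # firmware versions known to be affected
    severity: str
    network_exploitable: bool

KEV = {"VULN-0001"}  # constructed "known exploited" set

def attribute(asset: Asset, catalogue: List[Vuln]) -> List[Vuln]:
    """Class-only visibility attributes nothing (no model to match); model-level
    matches on model only; deep visibility also requires an affected firmware."""
    if asset.depth() == CLASS_ONLY:
        return []
    hits = [v for v in catalogue if v.model == asset.model]
    if asset.depth() == DEEP:
        hits = [v for v in hits if asset.firmware in v.affected_fw]
    return hits

def priority(asset: Asset, v: Vuln) -> int:
    """Higher is more urgent: critical, network-exploitable, KEV, internet-facing."""
    return ((4 if v.severity == "critical" else 1) + (2 if v.network_exploitable else 0)
            + (2 if v.vid in KEV else 0) + (1 if asset.internet_comms else 0))

def prioritize(assets: List[Asset], catalogue: List[Vuln]):
    return sorted(((priority(a, v), a.name, v.vid)
                   for a in assets for v in attribute(a, catalogue)), reverse=True)

# Constructed inventory: one hypothetical PLC model seen at three visibility depths.
CATALOGUE = [Vuln("VULN-0001", "PLC-X", {"1.0", "1.1"}, "critical", True),
             Vuln("VULN-0002", "PLC-X", {"1.0"}, "high", False)]
ASSETS = [Asset("plc-a", "PLC"),                                        # class only
          Asset("plc-b", "PLC", "PLC-X"),                               # model known
          Asset("plc-c", "PLC", "PLC-X", "1.1", internet_comms=True),   # deep, affected
          Asset("plc-d", "PLC", "PLC-X", "2.0")]                        # deep, patched
```

Note how the model-only record over-attributes (it cannot rule out the patched firmware) while the class-only record attributes nothing at all; only the deep records yield a list you can act on.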

Overall, the PoC Pavilion was our chance to demonstrate the effectiveness of dynamic discovery and how it paves the way for deep asset visibility and the most complete asset inventory possible. Having this ledger of asset information can inform an OT security program better than a passive-only approach because of the completeness of the insights it provides.

Felipe Ribeiro

Principal Solution Engineer

Felipe Ribeiro is a Principal Solution Engineer at Claroty.

Kory Pruitt

Senior Solution Engineer

Kory Pruitt is a Senior Solution Engineer at Claroty.
