Installing the OT Security Appliance

Step 1 – Setting up the OT Security Appliance

The OT Security appliance can be either rack mounted, or simply rested on top of a flat surface (such as a desktop).

Rack Mounting

To mount the OT Security appliance on a standard (19-inch) rack:

  1. Insert the server unit into an available 1U slot in the rack.

    Note: Make sure that the rack is electrically grounded. Make sure that the cooling fan air intake (located in the back panel) and the air ventilation holes (on the top panel) are not obstructed.

  2. Secure the unit to the rack by fastening the rack-mount brackets (supplied) to the rack frame, using the appropriate screws for rack mounting (not supplied).

  3. Plug the AC power supply cable (supplied) into the power supply port in the rear panel, then plug the cable into the AC power supply (mains).

Flat Surface

To install the OT Security appliance on a flat surface:

  1. Place the appliance unit on a dry, flat, leveled surface (such as a desktop).

    Note: Make sure that the tabletop is flat and dry. Make sure that the cooling fan air intake (located in the back panel) and the air ventilation holes (on the top panel) are not obstructed.

  2. If the unit is placed within a stack of other electrical appliances, make sure there is ample space behind the cooling fan (located in the back panel) to allow proper ventilation and cooling.

  3. Plug the AC power supply cable (supplied) into the power supply port in the rear panel, then plug the cable into the AC power supply (mains).

Step 2 – Connecting OT Security to the Network

OT Security is used for both Network Monitoring and Active Query.

  • To perform Network Monitoring, connect the unit to a mirroring port on the network switch, which is connected to the controllers/PLCs of interest.

  • To perform Active Query, connect the unit to a regular port that has an IP address on the network switch, which is connected to the controllers/PLCs of interest.

By default, Active Query and the Management Console are configured to use the same port on the unit (Port 1). After the initial setup, however, it is possible to separate the Management port from the Active Query port by configuring the management on Port 3. After this configuration, you will need to connect Port 3 on the unit to a regular port on the switch to perform the management, as described in Step 7 – Connecting the Separate Management Port (for Port Separation Option).

For the initial setup you will connect Port 1 to a regular port on the network switch and connect Port 2 to a mirroring port.

To connect the OT Security appliance to the network:

  1. On the OT Security appliance, connect the Ethernet cable (supplied) to Port 1.

  2. Connect the cable to a regular port on the network switch.

  3. On the unit, connect another Ethernet cable (supplied) to Port 2.

  4. Connect the cable to a mirroring port on the network switch.

Step 3 – Logging in to the Management Console

To log in to the Management Console:

  1. Do one of the following:

    • Connect the Management Console workstation (e.g. PC, laptop etc.) directly to Port 1 of the OT Security appliance using the Ethernet cable, OR

    • Connect the Management Console workstation to the network switch.

  2. Ensure that the Management Console workstation is part of the same subnet as the OT Security appliance (which is 192.168.1.0/24) or is routable to the unit.

  3. Use the following procedure to set up a static IP (you must set up a static IP in order to connect to the OT Security appliance):

    1. Go to Network and Internet > Network and Sharing Center > Change adapter settings.

      The Network Connections screen is displayed.

      Note: Navigation may vary slightly for different versions of Windows.

    2. Right-click on Local Area Connections and select Properties.

      The Local Area Connections window appears.

    3. Select Internet Protocol Version 4 (TCP/IPv4) and click Properties.

      The Internet Protocol Version 4 (TCP/IPv4) Properties window is displayed.

    4. Select Use the Following IP address.

    5. In the IP address field, enter 192.168.1.10.

    6. In the Subnet mask field, enter 255.255.255.0.

    7. Click OK.

      The new settings are applied.

  4. From your Chrome web browser, navigate to https://192.168.1.5.

    The Welcome screen of the setup wizard opens.

    Note: The UI can only be accessed from a Chrome browser. You also need to be using the latest version of Chrome.

  5. Click Start Setup Wizard.

    The setup wizard opens, showing the User Info page.

Step 4 – Setup Wizard

The OT Security setup wizard takes you through the process of configuring the basic system settings.

Note: If you would like to change the configuration later, you will be able to do so in the Settings screen in the Management Console (UI).

Screen 1 – User Info

On the User Info page, fill in your user account information as follows.

Note: In the setup wizard you configure the credentials for an Administrator account. After logging in to the UI you can create additional user accounts. For more information about user accounts see section USERS AND ROLES.

  1. In the Username field, enter a username to be used for logging into the system.

    The username can have up to 12 characters and must include only lowercase letters and numbers.

  2. In the Retype Username field, re-enter the identical username.

  3. In the Full Name section, enter your complete First and Last Name.

    Note: This is the name that will appear in the header bar and on logs of your activity in the system.

  4. In the Password field, enter a password to be used for logging into the system. The password must contain at least:

    • 12 characters

    • One uppercase letter

    • One lowercase letter

    • One digit

    • One special character

  5. In the Retype Password field, re-enter the identical password.

  6. Click Next.

    The Device page of the setup wizard opens.

Screen 2 – Device

On the Device page, fill in the information about the OT Security platform as follows:

  1. In the Device Name field, enter a unique identifier for the OT Security platform.

  2. In the Port Configuration section, do one of the following:

    • Port separation - If you wish to use one port for management and a separate port for Queries, select the Separate management from active queries checkbox. Selecting this option will configure Port 1 as the Queries only port and Port 3 as the Management only port.

      Note: On some systems, the Port separation option may not be available. Contact your support agent for assistance.

    • No separation – if you wish to maintain the Queries and Management in the same port, don't select the Separate management from active queries checkbox. In this case, you can skip instructions number 3-5 of this procedure and proceed to number 6.

  3. If you have selected the port separation option, in the Active Queries IP field, enter the IP address of the unit’s Queries port. This port will be connected to a regular port in the network switch, which can communicate with (i.e. is routable to) the controllers. Because OT Security will actively connect to the controllers, it will need an IP address within the network subnet.

  4. If you have selected the port separation option, in the Active Queries Subnet Mask field, enter the Subnet Mask of the Queries port.

  5. If you have selected the port separation option, in the Active Queries Gateway field (optional), enter the IP address of the gateway in the operations network.

  6. In the Management IP field, enter an IP address (within the network subnet) to be applied to the OT Security platform. This becomes the OT Security management IP address. (It is also the Queries address if there is no separation between the ports.)

  7. In the Management Subnet Mask field, enter the Subnet Mask of the network.

  8. If you would like to set up a Gateway (optional), enter the Gateway IP for the network in the Management Gateway field.

    Note: If you do not fill in this field then OT Security will not be able to communicate with external components outside of the subnet (e.g. email servers, syslog servers etc.).

  9. Initial Asset Enrichment Active Query is a series of queries that are run on each asset that is discovered in the system. This helps OT Security to classify the assets. If you would like to run these queries on each new asset that is discovered, turn on the toggle switch in the bottom box.

  10. Click Next.

    The System Time page of the setup wizard opens.
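
A pre-flight check of the Device page values, run before typing them into the wizard. This is an added example, not Tenable code: the function names, the dict layout, the `controllers` and `external` lists, and all sample addresses are assumptions constructed for illustration.

```python
import ipaddress

def check_port(label, ip, mask, gateway=None):
    """Return (network or None, problems) for one port's wizard fields."""
    try:
        iface = ipaddress.IPv4Interface(f"{ip}/{mask}")
    except ValueError as exc:
        return None, [f"{label}: invalid IP or subnet mask ({exc})"]
    net, problems = iface.network, []
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{label}: {ip} is the network or broadcast address of {net}")
    if gateway:
        try:
            gw = ipaddress.IPv4Address(gateway)
        except ValueError:
            problems.append(f"{label}: gateway {gateway!r} is not an IPv4 address")
        else:
            if gw not in net or gw == iface.ip:
                problems.append(f"{label}: gateway {gateway} is not a usable host in {net}")
    return net, problems

def check_device_page(mgmt, queries=None, controllers=(), external=()):
    """mgmt/queries: dicts with ip, mask, optional gateway. queries=None: no port separation."""
    mgmt_net, problems = check_port("Management", **mgmt)
    q_cfg, q_net = mgmt, mgmt_net  # no separation: queries share the management port
    if queries is not None:        # separation: Port 1 queries, Port 3 management
        q_cfg = queries
        q_net, more = check_port("Active Queries", **queries)
        problems += more
        if queries["ip"] == mgmt["ip"]:
            problems.append("Active Queries and Management use the same IP address")
    # The queries port must be routable to every controller.
    for host in controllers:
        if q_net and ipaddress.IPv4Address(host) not in q_net and not q_cfg.get("gateway"):
            problems.append(f"controller {host} is outside {q_net} and the queries port has no gateway")
    # Without a Management Gateway, nothing outside the management subnet is reachable.
    for host in external:
        if mgmt_net and ipaddress.IPv4Address(host) not in mgmt_net and not mgmt.get("gateway"):
            problems.append(f"{host} is outside {mgmt_net} and no Management Gateway is set")
    return problems

# Constructed sample plans (addresses are illustrative only).
PLAN_OK = check_device_page(
    mgmt={"ip": "10.20.0.15", "mask": "255.255.255.0", "gateway": "10.20.0.1"},
    queries={"ip": "192.168.50.20", "mask": "255.255.255.0"},
    controllers=["192.168.50.101", "192.168.50.102"], external=["10.99.0.7"])
PLAN_BAD = check_device_page(
    mgmt={"ip": "192.168.50.20", "mask": "255.255.255.0"},
    controllers=["192.168.60.5"], external=["10.99.0.7"])
print("ok plan:", PLAN_OK, "| bad plan:", PLAN_BAD)
```

An empty list means the plan is consistent; each string names the wizard field to revisit.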

Screen 3 – System Time

On the System Time page, the correct time and date are generally set automatically.

Note: Setting the correct date and time is essential for accurate recording of logs and alerts.

If the correct date and time are not set, fill in the information as follows.

  1. In the Time Zone field, select from the dropdown list the local time zone at the site location.

  2. In the Date field, click the calendar icon.

    A pop-up calendar appears.

  3. Select the current date.

  4. In the Time field, select hours, minutes and seconds AM/PM respectively and enter the correct number using either the keyboard or the up and down arrows.

    Note: If you would like to edit any of the previous pages of the setup wizard, click Back. After clicking Complete and Restart you won't be able to return to the setup wizard. However, you can change the configuration settings on the Settings page of the UI.

  5. To complete the setup procedure, click Complete and Restart.

    Once the restart is complete, you are redirected to the Licensing screen.

Step 5 – Licensing

Before you can activate the system, you need to register your OT Security license.

Prerequisites

  • The License Code (20 characters, letters/numbers) which you received from Tenable when you ordered your device.

  • You need access to the Internet. If your OT Security device is not connected to the Internet, you can register the license from any PC.

Activating your License

To Activate Your License:

  1. On the License Activation screen, in step 1, Enter license code field, click the Enter license code button.

    The Enter license code side panel is shown on the right side.

  2. In the License Code field, enter your license code and click Verify.

    The side panel closes.

  3. In step 2, Generate activation certificate field, click the Generate Certificate button.

    The Generate Certificate side panel is shown with the Activation Certificate.

  4. Click the Copy text to clipboard button, and then click Done.

    The side panel closes.

  5. In step 3, Enter activation code field, click the Self-service portal link.

    The Activate OT Security Offline screen opens in a new tab.

    Note: If your OT Security device is not connected to the Internet, you will need to access the Activate OT Security Offline screen from an Internet-connected device using the following URL: https://provisioning.tenable.com/activate/offline/tenable-ot.

    Note: If you are not currently logged in to tenable.com, you will need to log in using your email address and password. You must use the email account where you received your License Code. If you don’t have login credentials, you can either click on Don’t remember your password (and follow the prompts) or reach out to your Tenable account manager.

  6. In the Activation Certificate field, enter the Activation Certificate.

  7. In the License Code field, enter the same 20-character license code you entered in Step 2 of this procedure.

  8. Click the I have read and understand the Tenable Software License Agreement checkbox.

    Note: To view the license agreement, click on the Tenable Software License Agreement link.

  9. Click the Generate Activation Code button.

    The Offline Activation Code Successfully Created! screen is shown.

  10. Click Copy text to Clipboard.

  11. Navigate back to the License Activation screen on your OT Security device, and click the Enter Activation Code button.

    The Enter Activation Code side panel is shown.

  12. In the Activation Code field, paste your activation code and click the Activate button.

    The side panel closes, and the OT Security home screen is shown. The Enable button is displayed.

    Note: For information about updating your license, see License.

Step 6 – Enabling the System

After completing the license activation, the Enable button is displayed.

You need to enable the system in order to activate the system’s core functionality.

The following functionalities are activated when the system is enabled:

  • Identifying Assets in the network

  • Collection and monitoring of all network traffic

  • Logging 'Conversations' on the network

All compiled data and analysis from the above functionalities can be viewed in the Management Console (UI).

Note: These are ongoing processes that continue over time; it will take some time until the results shown in the UI are fully updated.

Additional functions such as Active Queries can be configured and activated on the Local Settings screen in the Management Console (UI), see Queries.

To enable the system:

  1. Click the Enable button.

    The system is enabled. The UI opens, showing the Dashboard > Risk screen.

    Note: It will take a few minutes for the system to identify your assets. You may need to refresh the page in order to start showing the data.

Step 7 – Connecting the Separate Management Port (for Port Separation Option)

If you have selected the port separation option (to separate Queries from the Management), you must connect Port 3 on the OT Security appliance, which is now the management port, to a port in a network switch. This can be a different network switch, such as a network switch of the IT network.

To Connect the Management Port:

  1. On the OT Security appliance, connect an Ethernet cable (supplied) to Port 3.

  2. Connect the cable to a port on a network switch.