Installing OT Security Sensor

Pairing Sensors with the ICP

The following section describes the procedure for configuring a Sensor version 3.14 and above. To configure an earlier model sensor, use the procedure described in Appendix 1 — Installing a Sensor (Version 3.13 and below).

Pairing Sensors with the ICP is done using both the ICP Management Console and the Sensor’s Tenable Core UI.

You may choose to enable automatic approval of incoming pairing requests, or disable automatic approval in order to require manual approval for each new Sensor pairing request.

Prerequisites

Pairing the Sensor

To pair a Sensor v.3.14 or above with the ICP:

  1. In the ICP Management Console (UI), navigate to the Local Settings > System Configuration > Sensors screen.

  2. If you would like to enable automatic approval of Sensor pairing, ensure that the Auto Approve Incoming Sensor Pairing Requests switch at the top of the screen is toggled to ON. If the switch is not ON, all pairing requests must be manually approved.

  3. Open a new tab, leaving the ICP tab open, and access the Sensor’s Tenable Core User Interface by entering <Sensor IP>:8000.

    Note: The UI can only be accessed from the Chrome browser, and you must be using the latest version of Chrome.

  4. In the Tenable Core console login window, enter your User name and Password, select the Reuse my password for privileged tasks checkbox, and click Log In.

    Note: If the Reuse my password for privileged tasks checkbox is not selected upon login, the user will not be able to restart the Sensor service.

  5. In the Navigation menu bar, click OT Security Sensor.

    The OT Security Sensor Pair window is displayed.

    Note: The Tenable OT Security Sensor Pair window only pops up the first time the page is loaded. To open the window after this, click on the button in the Pairing Info section of the Tenable Core console.

  6. In the ICP IP Address field, enter the IPv4 address for the ICP with which you would like to pair this Sensor.

  7. If you would like to use unauthenticated (unencrypted) pairing, click the Unauthenticated Pairing checkbox and skip to step 8.

    Note: Sensors that use Unauthenticated Pairing can only passively scan their network segments. The ICP cannot manage them, so they cannot be used to send Active Queries.

  8. To authenticate the pairing, do one of the following:

    • Enter the ICP username in the ICP User field and the ICP password in the ICP Password field, OR

    • Enter an API Key for the ICP in the ICP API Key field.

    Note: It is recommended to create a dedicated ICP user for pairing Sensors in order to ensure connectivity during the pairing process (see ADDING LOCAL USERS).

    Note: Authenticating with a username and password has the advantage that the credentials don’t expire, whereas an API Key will expire.

  9. Click Pair Sensor.

  10. If you wish to use a Certificate offered by the ICP:

    1. In the Tenable Core console, in the Tenable ICP Certificate section, under Approval Status, wait for the Certificate information to load, then click Approve to approve the Certificate.

    2. In the Confirm Accept Tenable OT Security Server Certificate pop-up window, click Accept This Certificate.

      If you prefer to manually upload a Certificate:

      1. In the Tenable ICP console, follow the procedure described in Generating an HTTPS Certificate.

      2. In the Tenable Core console, in the Tenable ICP Certificate section, under Upload Approved Certificate, click Choose File.

      3. Navigate to the .pem Certificate file to upload.

        Once a valid Certificate is accepted, its Approval Status in the OT Security ICP Certificate table is displayed as Approved.

  11. In the ICP UI, return to the Local Settings > System Configuration > Sensors screen.

    The new Sensor is displayed in the table. Its Status should be Pending Approval.

  12. Click on the Sensor’s row, then click on the Actions button (or right-click on the row) and select Approve.

  13. The Status should switch to Connected, indicating that the pairing was successful. Other possible Statuses are:

    • Connected (Unauthenticated) – The Sensor is connected in unauthenticated mode. The Sensor can only execute passive network detection.

    • Paused – The Sensor is connected properly, but has been paused.

    • Disconnected – The Sensor is not connected. For an authenticated Sensor, this may result from an error in the pairing process (e.g. tunnel error, API issue).

  14. Once the pairing has been completed for an Authenticated Sensor, you can configure Active Queries to run on that Sensor. See CONFIGURING ACTIVE QUERIES.

    Note: Once the pairing has been completed, it is recommended to use only the ICP page to manage the Sensor, and not the Tenable Core UI.