Network Map

The Network Map screen offers a visual representation of the network assets and their connections over time, as discovered by OT Security's Network Detection capabilities. Network Detection provides in-depth, real-time visibility into all activities performed over the operational network, with a particular focus on control-plane engineering activities, such as firmware downloads and uploads, code updates, and configuration changes performed over proprietary, vendor-specific protocols. The assets can be shown as groups of related assets or as individual assets.

The Network Map displays all of the assets and connections that were discovered during the specified time frame.

The following is an explanation of the elements shown on the Network Map screen.

  • Search Box – Enter search text to search for assets in the display. The search results are indicated by highlighting all groups in which a match was found for the search text. You can drill down into each group to see the relevant assets.

  • Filters – You can filter the map display by one or more of the specified categories: Asset Type, Vendors, Families, Risk Levels, Purdue Levels. For an explanation of asset types, see Asset Types.

  • Time Frame – The Network Map shows assets and network connections that were detected during the specified time frame. The default time frame is set for Last 1 month. Click the Time Frame Selection to select a different time frame from the dropdown menu.

  • Grouping – You can specify the category by which the assets are grouped in the display. Options are: Asset type, Purdue level, Risk level, or No grouping. The Collapse all groups option keeps the current grouping selection but collapses all groups that have been opened up.

  • Actions – You can select the following actions from the dropdown menu:

    • Set as baseline – Set the baseline used for detecting anomalous network activity, see Setting a Network Baseline.

    • Auto arrange – Automatically optimizes the map layout for the entities currently being displayed.

  • Groups/Assets – Each group of assets is represented by an icon on the map, with each asset type represented by a different icon (as described in Asset Types). For groups, the number at the top of the icon indicates the number of assets included in that group. You can drill down to show separate icons for each sub-group until you get to the individual asset icons. For individual assets, the color of the frame around the asset indicates its risk level (red, yellow, green).

    Note: You can drag the groups and assets and reposition them to get a better view of the assets and their connections.

  • Connections – Each line represents communication between groups of assets and/or individual assets, according to the degree of granularity currently displayed in the map. The thickness of the line indicates the volume of communication through that connection.

  • Total Assets Displayed – Shows the number of assets detected in the network (and displayed in the map) based on the specified time frame and asset filters. This number is shown relative to the total number of assets detected in your network.

  • Navigation Controls – You can zoom in and out of the display and navigate to show the desired elements using the onscreen controls or by using standard mouse controls.

Asset Groupings

The Network Map can show assets grouped by various categories. Connections are shown between groups of assets. You can click on a group to drill down into the elements included in that group. Multiple groups can be drilled down simultaneously. OT Security contains multiple layers of embedded groups, so that each time you drill down you get a more granular view of the included assets.

The following are the Groupings that can be applied to the main display and the drill-down options for that selection.

When the Map display is grouped by Asset Type (default), the drill-down hierarchy is as follows: Asset Type > Vendor > Family > Individual Asset.

When the Map display is grouped by Risk Level or Purdue Level, this adds an additional level above the Asset Type grouping, so that the hierarchy is: Purdue Level/Risk Level > Asset Type > Vendor > Family > Individual Asset. Every level is represented by a circle surrounding the included groups/assets.

The following example shows how you can drill down into the display:

To drill down into an Asset Type Group:

  1. By default, when you open the Network Map screen it shows the assets grouped by Asset type.

  2. Double-click on the group icon that you would like to drill down into (e.g. Controller).

    The group is expanded, displaying the Vendor groups within that group.

  3. To drill down further, click on a Vendor group (e.g. Rockwell).

  4. To drill down further, click on a Family group (e.g. SLC5).

    The individual assets within that group are displayed.

  5. You can now click on a specific asset to see details for that asset and its connections, see Inventory.

To collapse the display:

  1. Click on Group by.

  2. Click Collapse all groups.

    The display returns to showing the top-level groups.

To remove all grouping:

  1. Click on the Group by button.

  2. Select No grouping.

    The map shows all the single assets with no grouping applied.

Applying Filters to the Map Display

You can filter the map display by one or more of the specified categories: Asset Type, Vendors, Families, Risk Levels, Purdue Levels.

To apply filters to the Map:

  1. Click on the desired filter category.

  2. Select/deselect the checkboxes for each element that you would like to include/exclude from the display.

    Note: By default, all elements are included in the filter.

  3. You can click on the Select All checkbox to deselect all the values, and then add the desired values.

  4. You can perform a search in the filter search box to find a specific value in the filter window.

  5. Repeat the process for each filter category, as needed.

  6. Click Apply.

    Only the selected elements are displayed on the Map.
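The grouping hierarchy and filters described above can be reproduced on a small asset inventory to see how the map arrives at its group counts and at the connection volumes that it draws as line thickness. The following is an added example, not code from OT Security; the asset records, conversation counts and the `HIERARCHY` table are constructed for illustration and do not reflect the product's internal data model. It also covers the Purdue level and No grouping options, not only the Asset type default shown in the walkthrough.

```python
from collections import Counter

# Constructed sample inventory (hypothetical values, not product data)
ASSETS = [
    {"id": "plc-01", "type": "Controller", "vendor": "Rockwell", "family": "SLC5", "risk": "High", "purdue": 1},
    {"id": "plc-02", "type": "Controller", "vendor": "Rockwell", "family": "SLC5", "risk": "Medium", "purdue": 1},
    {"id": "plc-03", "type": "Controller", "vendor": "Siemens", "family": "S7-300", "risk": "Low", "purdue": 1},
    {"id": "hmi-01", "type": "HMI", "vendor": "Siemens", "family": "WinCC", "risk": "Medium", "purdue": 2},
    {"id": "eng-01", "type": "Engineering Station", "vendor": "Generic", "family": "Windows", "risk": "High", "purdue": 3},
]

# Constructed conversations: (source asset id, destination asset id, packet count)
CONVERSATIONS = [
    ("eng-01", "plc-01", 120),
    ("eng-01", "plc-03", 30),
    ("hmi-01", "plc-01", 500),
    ("hmi-01", "plc-02", 450),
    ("plc-01", "plc-02", 20),
]

# Drill-down order for each Grouping option, as described in the text.
# The individual asset is always the final level, so "No grouping" has no keys.
HIERARCHY = {
    "Asset type": ["type", "vendor", "family"],
    "Purdue level": ["purdue", "type", "vendor", "family"],
    "Risk level": ["risk", "type", "vendor", "family"],
    "No grouping": [],
}


def apply_filters(assets, filters):
    """Keep assets whose value is among the selected values for every filter
    category given. A category absent from `filters` counts as 'all selected',
    which matches the default state of the filter checkboxes."""
    return [a for a in assets
            if all(a[key] in allowed for key, allowed in filters.items())]


def group_path(asset, grouping, depth):
    """Group an asset belongs to after `depth` drill-down steps.
    depth 0 is the top-level group; drilling past the last hierarchy key
    reaches the individual asset."""
    keys = HIERARCHY[grouping]
    labels = [str(asset[k]) for k in keys] + [asset["id"]]
    return tuple(labels[: depth + 1])


def group_counts(assets, grouping, depth=0):
    """Number shown at the top of each group icon at the given depth."""
    return Counter(group_path(a, grouping, depth) for a in assets)


def group_connections(assets, conversations, grouping, depth=0):
    """Aggregate conversation volume between groups at the displayed
    granularity (the volume is what the map renders as line thickness).
    Conversations involving an asset that was filtered out are dropped;
    traffic inside one group is kept under a (group, group) key."""
    by_id = {a["id"]: a for a in assets}
    edges = Counter()
    for src, dst, packets in conversations:
        if src not in by_id or dst not in by_id:
            continue
        g_src = group_path(by_id[src], grouping, depth)
        g_dst = group_path(by_id[dst], grouping, depth)
        edges[tuple(sorted((g_src, g_dst)))] += packets
    return edges


if __name__ == "__main__":
    print("Top-level groups:", dict(group_counts(ASSETS, "Asset type")))
    print("Drilled into vendors:", dict(group_counts(ASSETS, "Asset type", 1)))
    print("Group-level links:", dict(group_connections(ASSETS, CONVERSATIONS, "Asset type")))
    only_rockwell = apply_filters(ASSETS, {"vendor": {"Rockwell"}})
    print("After vendor filter:", dict(group_connections(only_rockwell, CONVERSATIONS, "Asset type")))
```

Note that a filter removes the connections of excluded assets as well as the assets themselves, which is why the Total Assets Displayed counter and the visible links both shrink when a filter is applied.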

Viewing Asset Details

Click on a specific asset to display basic information about the asset and its network activities, including the risk level, IP address, asset type, vendor and family. The Map displays connections from the selected asset to all of the other assets that are communicating with it. You can then click the link in the asset name to go to the Asset Details screen, where more detailed information about the asset is shown.

Setting a Network Baseline

A Network Baseline is a map of all conversations that took place between assets in the network during a specified time period. The Network Baseline is used in Network Baseline Deviation Policies, which alert for anomalous conversations in the network, see Network Event Types.

Each conversation between assets that did not interact during the Baseline sample triggers a Policy alert (assuming that it is within the scope of the specified Policy conditions). An initial Network Baseline must be created on the Network Map screen in order to enable creation of Network Baseline Deviation policies. The Network Baseline can be updated at any time by setting a new Network Baseline. You should set a new Network Baseline any time that new assets or connections are added to your network.

To Set a Network Baseline:

  1. On the Network Map screen, select the time range of the conversations that you would like to include in the Network Baseline using the Time Frame Selection at the top of the screen.

    The Network Map for the selected time frame is shown on the screen.

  2. Click on Actions > Set as baseline at the top of the screen. The new Network Baseline is configured in the system and applied to all Network Baseline Deviation Policies.
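The baseline logic above (a set of conversations captured over a time frame, with any later conversation outside that set raising an alert when it falls within the policy's conditions) can be illustrated on a few log records. This is an added example and not OT Security's implementation; the conversation records, the `(source, destination, protocol)` key, and the policy fields `src_net`, `dst_net` and `protocols` are assumptions made for the illustration.

```python
import ipaddress
from datetime import datetime

# Constructed sample conversation log (hypothetical addresses and times):
# (timestamp, source IP, destination IP, protocol)
CONVERSATION_LOG = [
    ("2024-03-01T08:00:00", "10.0.3.20", "10.0.1.10", "CIP"),     # engineering station -> PLC
    ("2024-03-01T08:05:00", "10.0.2.15", "10.0.1.10", "CIP"),     # HMI -> PLC
    ("2024-03-02T09:00:00", "10.0.2.15", "10.0.1.11", "Modbus"),  # HMI -> second PLC
    ("2024-03-03T10:00:00", "10.0.3.20", "10.0.1.11", "CIP"),
    # records after the baseline window
    ("2024-03-10T02:13:00", "10.0.3.20", "10.0.1.10", "CIP"),     # already in baseline
    ("2024-03-10T02:14:00", "10.0.9.77", "10.0.1.10", "CIP"),     # host never seen before
    ("2024-03-10T02:15:00", "10.0.2.15", "10.0.1.11", "CIP"),     # known pair, new protocol
    ("2024-03-10T02:16:00", "10.0.9.77", "10.0.2.15", "Modbus"),  # destination outside policy scope
]


def parse_ts(value):
    return datetime.fromisoformat(value)


def build_baseline(log, start, end):
    """Set as baseline: every distinct (source, destination, protocol) conversation
    observed inside the selected time frame, boundaries inclusive."""
    t_start, t_end = parse_ts(start), parse_ts(end)
    return {(src, dst, proto)
            for ts, src, dst, proto in log
            if t_start <= parse_ts(ts) <= t_end}


def in_scope(record, policy):
    """Policy conditions (assumed shape): optional source network, destination
    network and protocol set. A missing condition matches everything."""
    _, src, dst, proto = record
    if "src_net" in policy and ipaddress.ip_address(src) not in ipaddress.ip_network(policy["src_net"]):
        return False
    if "dst_net" in policy and ipaddress.ip_address(dst) not in ipaddress.ip_network(policy["dst_net"]):
        return False
    if "protocols" in policy and proto not in policy["protocols"]:
        return False
    return True


def baseline_deviations(log, baseline, policy, since):
    """Conversations after `since` that are within the policy's scope but were
    never seen during the baseline sample. Each one would trigger a policy alert."""
    t_since = parse_ts(since)
    return [r for r in log
            if parse_ts(r[0]) > t_since
            and in_scope(r, policy)
            and (r[1], r[2], r[3]) not in baseline]


if __name__ == "__main__":
    # Baseline from the first week; policy watches traffic to the PLC subnet only.
    baseline = build_baseline(CONVERSATION_LOG, "2024-03-01T00:00:00", "2024-03-07T23:59:59")
    policy = {"dst_net": "10.0.1.0/24"}
    for rec in baseline_deviations(CONVERSATION_LOG, baseline, policy, "2024-03-07T23:59:59"):
        print("ALERT baseline deviation:", rec)
    # Setting a new baseline over a wider time frame absorbs the new conversations.
    refreshed = build_baseline(CONVERSATION_LOG, "2024-03-01T00:00:00", "2024-03-10T23:59:59")
    print("Refreshed baseline size:", len(refreshed))
```

Two details are worth noticing. A conversation between a known pair of hosts still deviates if the protocol differs from what the baseline recorded, so an HMI that has only ever polled a controller over Modbus appears as a deviation the first time it speaks CIP to it. And because a refreshed baseline absorbs everything seen in its time frame, the baseline should be reset only after reviewing that the newly included conversations are legitimate; otherwise an anomalous conversation becomes part of the expected picture.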