Queries

The OT Security Queries screens enable you to configure and activate the Queries features. For a general explanation of the Queries technology, see OT Security Technologies. During initial setup it is recommended to activate all of the Query capabilities. At any time, you can activate or deactivate any of the Query functions, and you can adjust the settings for when and how the Queries are executed.

In addition to the automatic Queries that run periodically, most queries can be initiated on demand by clicking the Run Now button next to the Query.

Note: The Log4J and Ripple20 Vulnerabilities Scans can only be run manually, not on a periodic schedule. They are activated from the Local Settings > Queries > Network screen; see Network Query Functions Table.
Note: Turning the Queries off will prevent the system from detecting significant events in the network. This will cause many features to become unavailable.

Query activation and configuration are done under Local Settings > Queries, across the Controller, Network, Asset Discovery, and Nessus Scans screens. The following sections explain the different types of Queries and give procedures for activating and configuring each type.

All Controller Queries

To activate Controller Queries:

  1. Under Local Settings, go to the Queries > Controller screen.

  2. Toggle the switch for All Controller Queries to ON.

  3. Activate or deactivate specific types of Queries by toggling the status ON/OFF for each type. For a description of the various types of Controller Queries, see Controller Query Functions Table.

  4. You can edit the settings for each Controller Query type using the following procedure:

    1. Click Edit next to the desired Query Type.

    2. Adjust the frequency and scheduling of the queries (for an explanation of the available settings, see Controller Query Functions Table).

    3. Click Save.

Controller Query Functions Table

Each entry lists the function, its description, and the allowed frequency range (minimum to maximum).

All Controller Queries
  Description: Activates all of the Query functions related to controllers, as described below.
  Frequency: n/a

Periodic Snapshots
  Description: Captures the program currently deployed on each controller. By periodically taking snapshots, OT Security can detect changes made to a controller's program even if the changes were not sent through the network.
  Frequency: 1/day – 1/6 weeks

Policy Triggered Snapshots
  Description: Enables you to configure policies that trigger a snapshot when the conditions of the policy are met.
  Frequency: n/a

Controllers Discovery
  Description: A broadcast that searches for new controllers and assists in classifying unknown assets.
  Frequency: 1/hr. – 1/6 weeks

Controller State Query
  Description: Detects the current PLC status (Running, Stopped, Fault, No Config, or Test).
  Frequency: 1/5 min. – 1/hr.

Diagnostic Buffer Query
  Description: Queries the Diagnostic Buffer event logs as defined on Siemens controllers.
  Frequency: 1/day – 1/6 weeks

Controller Details Query
  Description: Retrieves the controller's hardware and firmware details.
  Frequency: 1/hr. – 1/6 weeks

Backplane Query
  Description: Discovers the modules within a backplane and their specifications, allowing quick identification of the entire backplane configuration.
  Frequency: 1/15 min. – 1/week

All Network Queries

To activate Network Queries:

  1. Under Local Settings, go to the Queries > Network screen.

  2. Toggle the switch for All Network Queries to ON.

  3. Activate or deactivate specific types of Queries by toggling the status ON/OFF for each type. For a description of the various Network Query capabilities, see Network Query Functions Table.

  4. You can edit the settings for each Network Query type using the following procedure:

    1. Click Edit next to the desired Query type.

    2. Adjust the frequency and scheduling of the queries (for an explanation of the available settings, see Network Query Functions Table).

    3. Click Save.

Network Query Functions Table

Each entry lists the function, its description, and its configurable settings.

All Network Queries
  Description: Activates all of the Query functions related to non-controller network assets, as described below.
  Settings: n/a

Port Mapping
  Description: Identifies all open ports on network assets. This enables you to reduce the attack surface by closing unused ports.
  Settings:
    Mapping Range: whether mapping covers all ports or only the 1,000 most frequently used ports.
    Mapping Rate: the number of ports mapped per second by default, and the maximum rate for mapping on demand.

SNMP Query
  Description: Collects configuration information from SNMP-enabled assets in the network.
  Settings:
    SNMP v2 Community Strings
    SNMP v3 Usernames
    Frequency and Scheduling: 1/day – 1/6 weeks
  Note: SNMP v2 community strings travel in clear text, so treat them as credentials and prefer SNMP v3 on assets that support it.

DNS Query
  Description: Searches for the DNS names of the assets in the network.
  Settings: n/a

ARP Query
  Description: Retrieves the MAC address of new IPs detected in the network.
  Settings: n/a

NetBIOS
  Description: Sends a NetBIOS unicast packet, which is used to classify and detect Windows machines in the network.
  Settings: Frequency and Scheduling: 1/hr. – 1/6 weeks

Active Asset Tracking
  Description: Detects assets that have been inactive in the network for the specified time period and polls them to verify whether they are still active.
  Settings: Frequency and Scheduling: 1/5 min. – 1/week

WMI Query
  Description: Collects information about Windows machines in the network.
  Settings:
    WMI Username: provided by IT
    Password: provided by IT
    Frequency and Scheduling: 1/day – 1/6 weeks
    Test IP Address: To test the WMI configuration, click Test IP Address, enter the IP of a known Windows machine in your network, and then click Test IP Address at the bottom of the screen. Then open the Asset Details for that asset and check that the WMI information was added.

USB Connections Query
  Description: Detects the connection of USB/DoK devices to Windows PCs in the network.
  Settings: Frequency and Scheduling: 1/day – 1/6 weeks

Ripple20 Vulnerabilities Scan
  Description: Identifies CVEs related to the Ripple20 vulnerabilities. It uses a Tenable Nessus plugin.
  Note: This scan must be run manually, and it runs only on the assets within the specified IP addresses and/or CIDRs.
  Settings: IP addresses or CIDRs

Log4J Vulnerabilities Scan
  Description: Identifies CVEs related to the Log4J vulnerabilities. It uses a Tenable Nessus plugin.
  Note: This scan must be run manually, and it runs only on the assets within the specified IP addresses and/or CIDRs.
  Settings: IP addresses or CIDRs

Asset Discovery

OT Security automatically identifies assets in the network by detecting their interactions with other assets through the network. Using the Asset Discovery Query, OT Security can additionally identify assets that are not active in the network, or whose communication streams are not captured by the mirroring ports. You can configure the frequency at which the query runs automatically, and you can also run the query manually at any time from this screen.

Once a new asset is discovered, the Initial Asset Enrichment feature runs the following queries to determine precise information about the asset: SNMP, Minimal Open Port Verification, CIP/DCP, NetBIOS, Backplane Query, Unicast Identification, Controller Details, and Controller State.

Note: Only IPs that are defined as Monitored Networks in the Asset Settings will be included in the scan.
Note: Turning the Queries off will prevent the system from detecting significant events in the network. This will cause many features to become unavailable.

To activate the Asset Discovery Query:

  1. Under Local Settings, go to the Queries > Asset Discovery screen.

  2. Click Edit in the Asset Discovery section.

    A series of configuration fields is displayed.

  3. In the IP Ranges box, enter one or more IP ranges (with each range on a separate line).

    Note: Segments of your network that are monitored by the mirror port do not need to be entered, and are automatically queried by OT Security. If you would like to run the Asset Discovery query on additional segments of your network that are not monitored by the mirror port, enter the range of IPs for those segments in this box.
  4. Optionally, adjust the following configuration settings by selecting a value from each dropdown menu:

    • Number of Assets to Poll Simultaneously (options: 10, 20, 30)

    • Time Between Discovery Queries (options: 1-3 seconds)

    • Repeats – set the type of interval used for setting the frequency of the query (daily or weekly)

    • Repeats Every – set the frequency of the query (Daily: 1-31 days, Weekly: 1-6 weeks)

    • On – for a weekly interval set the day of the week on which the query is run

    • At – set the time of day that the query is run

  5. Click Save.

  6. Toggle the Asset Discovery switch to ON.
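The following Python script is an added example for this procedure; it is not part of OT Security and not taken from this page. It performs the check implied by the Monitored Networks note above: it parses the ranges you intend to type into the IP Ranges box, subtracts the Monitored Networks defined in Asset Settings, and reports addresses that would be entered but never scanned, then gives a rough run-time estimate for the chosen Number of Assets to Poll Simultaneously and Time Between Discovery Queries. The range syntax it accepts (CIDR, start-end, single address), the pacing model behind the estimate, and the sample networks are all assumptions constructed for the example.

```python
import ipaddress
import math
from typing import Dict, Iterable, List

# Dropdown options as listed in the Asset Discovery procedure.
SIMULTANEOUS_OPTIONS = (10, 20, 30)   # Number of Assets to Poll Simultaneously
DELAY_OPTIONS = (1, 2, 3)             # Time Between Discovery Queries (seconds)


def parse_range(line: str) -> List[ipaddress.IPv4Network]:
    """Parse one line of the IP Ranges box into CIDR blocks.

    The accepted syntax is an assumption for this example:
      10.0.1.0/24             CIDR
      10.0.2.10-10.0.2.50     inclusive start-end range
      10.0.3.7                single address
    """
    text = line.strip()
    if not text:
        return []
    if "-" in text:
        start_s, end_s = (part.strip() for part in text.split("-", 1))
        start = ipaddress.IPv4Address(start_s)
        end = ipaddress.IPv4Address(end_s)
        if end < start:
            raise ValueError(f"range end precedes start: {text!r}")
        return list(ipaddress.summarize_address_range(start, end))
    # strict=False lets '10.0.1.5/24' denote the enclosing /24.
    return [ipaddress.IPv4Network(text, strict=False)]


def parse_ranges(box_text: str) -> List[ipaddress.IPv4Network]:
    """Parse the whole IP Ranges box (one range per line) into collapsed CIDR blocks."""
    nets: List[ipaddress.IPv4Network] = []
    for line in box_text.splitlines():
        nets.extend(parse_range(line))
    return list(ipaddress.collapse_addresses(nets))


def uncovered(entered: Iterable[ipaddress.IPv4Network],
              monitored: Iterable[ipaddress.IPv4Network]) -> List[ipaddress.IPv4Network]:
    """Return the parts of `entered` that no Monitored Network covers.

    Two CIDR blocks are either nested or disjoint, so each entered block is
    dropped whole, kept whole, or split with address_exclude().
    """
    remaining = list(entered)
    for mon in monitored:
        still_open: List[ipaddress.IPv4Network] = []
        for net in remaining:
            if net.subnet_of(mon):          # fully covered (or equal): drop it
                continue
            if mon.subnet_of(net):          # partially covered: keep the remainder
                still_open.extend(net.address_exclude(mon))
            else:                           # disjoint: untouched by this network
                still_open.append(net)
        remaining = still_open
    return list(ipaddress.collapse_addresses(remaining))


def check_discovery_ranges(box_text: str, monitored_networks: Iterable[str],
                           simultaneous: int = 10, delay_s: int = 1) -> Dict[str, object]:
    """Pre-check for the Asset Discovery settings before saving them."""
    if simultaneous not in SIMULTANEOUS_OPTIONS:
        raise ValueError(f"simultaneous must be one of {SIMULTANEOUS_OPTIONS}")
    if delay_s not in DELAY_OPTIONS:
        raise ValueError(f"delay_s must be one of {DELAY_OPTIONS}")
    entered = parse_ranges(box_text)
    monitored = [ipaddress.IPv4Network(m) for m in monitored_networks]
    missing = uncovered(entered, monitored)
    total = sum(n.num_addresses for n in entered)
    skipped = sum(n.num_addresses for n in missing)
    # Pacing model is an assumption: one batch of `simultaneous` polls every
    # `delay_s` seconds. The product does not document its exact timing.
    batches = math.ceil((total - skipped) / simultaneous)
    return {
        "entered_addresses": total,
        "skipped_addresses": skipped,
        "uncovered": [str(n) for n in missing],
        "estimated_seconds": batches * delay_s,
    }


# Constructed sample input: what would be typed into the IP Ranges box, and
# the Monitored Networks assumed to be defined in Asset Settings.
IP_RANGES_BOX = """
10.10.1.0/24
10.10.2.100-10.10.2.131
192.168.50.0/24
"""
MONITORED_NETWORKS = ["10.10.0.0/16", "172.16.0.0/12"]

if __name__ == "__main__":
    report = check_discovery_ranges(IP_RANGES_BOX, MONITORED_NETWORKS)
    for net in report["uncovered"]:
        print(f"not in any Monitored Network, will be skipped: {net}")
    print(f"{report['skipped_addresses']} of {report['entered_addresses']} addresses skipped; "
          f"about {report['estimated_seconds']} s per run at the chosen pacing")
```

Run it before clicking Save: every entry in the uncovered list either needs a matching Monitored Network added in Asset Settings or should be removed from the box, so the schedule is not spent on addresses the scan will skip.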

To activate Initial Asset Enrichment:

  1. Under Local Settings, go to the Queries > Asset Discovery screen.

  2. Toggle the switch for Initial Asset Enrichment to ON.

Tenable Nessus Plugin Scans

The Tenable Nessus plugin scan launches an advanced Tenable Nessus scan that executes a user-defined list of Plugins on the assets specified in the list of CIDRs and IP addresses.

The scan is executed on responsive assets within the designated CIDRs. However, to protect your OT devices, only confirmed network assets (non-PLCs) in the given range are scanned. Assets of type “Endpoint” are not scanned.

Note: Tenable Nessus is an invasive tool that works best in IT environments. It is not recommended for use on OT devices, as it may interfere with their normal operation.

To run a basic Tenable Nessus scan on any one asset, see Inventory.

Note: The basic scan can be run on assets of type “Endpoint”.

To create a Nessus Plugin Scan:

  1. Go to Local Settings > Queries > Nessus Scans.

  2. Click on the Create Scan button.

    The Create Nessus Plugin List Scan side panel is displayed.

  3. In the Name field, enter a name for the Tenable Nessus scan.

  4. In the IP Ranges field, enter a range of IPs or CIDRs.

  5. Click Next.

    The Plugins pane is displayed.

    Note: The Plugins displayed are device-specific. Your license must be up-to-date in order to receive new Plugins. To update your license, see Updating the License.
  6. Select Plugin Families as desired in the left column to include them in the scan, and deselect individual Plugins as desired in the right column.

    Note: For more information about Tenable Nessus Plugin Families, see https://www.tenable.com/plugins/nessus/families.
  7. Click Save.

    The new Tenable Nessus scan appears in the Nessus Scans screen.

    Note: To edit or delete an existing Tenable Nessus Scan, right-click on the desired Scan row and select Edit or Delete.

To run a Nessus Plugin Scan:

  1. On the Nessus Scans screen, select the desired Scan row, right-click and select Run now, or click Actions > Run now.

    The Approve Nessus Scan dialog appears.

  2. If you know that no OT devices are included in the scan range, click Proceed Anyway.

    The dialog closes and the Scan is saved.

  3. To run the Scan, right-click on the Scan row again and select Run now.

    The Approve Nessus Scan dialog appears again.

  4. Click Proceed Anyway.

    The scan is now running. Depending on its current status, a scan can be paused, resumed, stopped, or killed.
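As an added example (not OT Security code and not taken from this page), the following Python script applies the scoping rule stated above to an inventory excerpt before you approve a scan: it reports which assets inside the entered CIDRs will actually be scanned (confirmed, non-PLC network assets), which are excluded and why, whether any PLC sits inside the range (the question the Approve Nessus Scan dialog asks you to answer before clicking Proceed Anyway), and which target entries contain nothing scannable and could be dropped to narrow the scope. The inventory record layout, the asset type labels, and the sample data are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Asset:
    """One inventory record. Field names and type labels are assumptions for
    this example; the page itself distinguishes only PLCs, "Endpoint" assets,
    and confirmed (non-controller) network assets."""
    ip: str
    asset_type: str   # "PLC", "Endpoint", or a network asset type such as "Server" or "Switch"
    confirmed: bool   # True for a confirmed network asset


def parse_targets(field_text: str) -> List[ipaddress.IPv4Network]:
    """Parse the IP Ranges field: IPs or CIDRs, one per line (one entry per line is assumed)."""
    targets: List[ipaddress.IPv4Network] = []
    for line in field_text.splitlines():
        line = line.strip()
        if line:
            # strict=False accepts a host address with a prefix, e.g. 10.20.1.9/24
            targets.append(ipaddress.IPv4Network(line, strict=False))
    return targets


def triage_scan(field_text: str, inventory: Iterable[Asset]) -> Dict[str, object]:
    """Apply the documented scoping rule to the inventory and flag OT exposure.

    Only confirmed, non-PLC network assets inside the targets are scanned;
    "Endpoint" assets are never scanned by a plugin scan. `ot_devices_in_range`
    is what the Approve Nessus Scan dialog asks you to know.
    """
    targets = parse_targets(field_text)
    will_scan: List[str] = []
    plcs: List[str] = []
    endpoints: List[str] = []
    unconfirmed: List[str] = []
    hits = {str(t): 0 for t in targets}   # scannable assets found per target entry
    for asset in inventory:
        addr = ipaddress.IPv4Address(asset.ip)
        matched = [t for t in targets if addr in t]
        if not matched:
            continue
        if asset.asset_type == "PLC":
            plcs.append(asset.ip)
        elif asset.asset_type == "Endpoint":
            endpoints.append(asset.ip)
        elif not asset.confirmed:
            unconfirmed.append(asset.ip)
        else:
            will_scan.append(asset.ip)
            for t in matched:
                hits[str(t)] += 1
    by_ip = ipaddress.IPv4Address   # numeric, not lexical, ordering of the lists
    return {
        "will_scan": sorted(will_scan, key=by_ip),
        "excluded_plc": sorted(plcs, key=by_ip),
        "excluded_endpoint": sorted(endpoints, key=by_ip),
        "excluded_unconfirmed": sorted(unconfirmed, key=by_ip),
        # Entries with nothing scannable are candidates for removal from the range.
        "targets_without_scannable_assets": [t for t, n in hits.items() if n == 0],
        "ot_devices_in_range": bool(plcs),
    }


# Constructed inventory excerpt and IP Ranges field content for the example.
INVENTORY = [
    Asset("10.20.1.5", "PLC", True),
    Asset("10.20.1.20", "Server", True),
    Asset("10.20.1.21", "Switch", True),
    Asset("10.20.1.40", "Endpoint", True),
    Asset("10.20.1.77", "Server", False),
    Asset("10.30.0.9", "Server", True),
]
TARGETS = "10.20.1.0/24\n10.20.9.0/24\n"

if __name__ == "__main__":
    report = triage_scan(TARGETS, INVENTORY)
    print("will scan:", report["will_scan"])
    print("unproductive target entries:", report["targets_without_scannable_assets"])
    if report["ot_devices_in_range"]:
        print("PLCs inside the range:", report["excluded_plc"], "; narrow the range before approving")
```

The product already skips PLCs and Endpoints; the point of running this first is to notice that a range you are about to approve reaches into a controller segment at all, and to trim entries that contain nothing the scan would touch.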