Groups
Groups are the fundamental building blocks to construct Policies. When you configure a Policy, you set each policy condition using Groups instead of individual entities. OT Security comes with some predefined Groups. You can also create your own user-defined Groups. To streamline the process of editing and creating Policies, Tenable recommends that you configure the Groups you need in advance.
Note: You can only set Policy parameters using Groups. If you want a Policy to apply to an individual entity you must configure a Group that includes only that entity.
View Groups
To view groups:
Under Groups you can view all Groups configured in your system. Groups are divided into two categories:
- Predefined Groups — These are pre-configured and you cannot edit these groups.
- User-Defined Groups — You can create and edit these groups.
There are several different types of Groups, each of which is used for the configuration of various Policy types. Each Group type is shown on a separate screen under Groups. The Group types are:
- Asset Groups — Assets are hardware entities in the network. Asset Groups are used as a Policy condition for a wide range of Policy types.
- Network Segments — Network Segmentation is a method of creating groups of related network assets, assisting in the logical isolation of one group of assets from another.
- Email Groups — Groups of email addresses that are notified when a Policy event occurs. Used for all Policy types.
- Port Groups — Groups of Ports used by assets in the network. Used for Policies that identify open ports.
- Protocol Groups — Groups of Protocols by which conversations are conducted between assets in the network. Used as a Policy condition for Network Events.
- Schedule Groups — Schedule Groups are time ranges used to configure at what time the specified event must occur to fulfill the policy conditions.
- Tag Groups — Tags are parameters in controllers that contain specific operational data. Tag Groups are used as a Policy condition for SCADA Events.
- Rule Groups — Rule Groups comprise a group of related rules, identified by their Suricata Signature IDs (SIDs). These groups are used as a Policy condition for defining Intrusion Detection Policies.
The procedure for creating each type of Group is described in the following sections. In addition, you can View, Edit, Duplicate, or Delete an existing Group; see Actions on Groups.
Asset Groups
Assets are hardware entities in the network. Grouping similar assets together enables you to create policies that apply to all the assets in the group. For example, you can use a Controller Asset Group to create a policy that alerts on firmware changes to any controller. Asset Groups are used as a policy condition for a wide range of policy types. Asset Groups can be used to specify the Source asset, the Destination asset, or the Affected asset for various Policy types.
The Asset Groups screen shows all Asset Groups that are currently configured in the system. The Predefined asset groups tab includes groups that are built into the system, which you cannot edit, duplicate, or delete. The User-defined asset groups tab includes custom groups created by the user. You can edit, duplicate, or delete these groups.
The Asset Groups table shows the following information:
Parameter | Description |
---|---|
Name | The name to identify the Group. |
Type | The Group type. Options are: |
Members | Shows the list of assets included in this Group. No value is shown for Function Groups. Note: If there is no room to display all assets in this row, click Table Actions > View > Members tab. |
Used in Policies | Shows the name of each policy that uses this Asset Group in its configuration. Note: To view more details about the policies in which the Group is used, click Table Actions > View > Used in Policies tab. |
Used in Queries | Shows the name of the query that uses this Asset Group. |
The procedures for creating the various types of Asset Groups are described in the following section. In addition, you can View, Edit, Duplicate, or Delete an existing Group; see Actions on Groups.
You can create custom Asset Groups to use when configuring Policies. By grouping together similar assets, you enable creation of policies that apply to all assets in the group.
There are three types of User-defined asset groups:
- Asset List — Specify the specific assets included in the Group.
- IP List — Specify the IP addresses of the Assets included in the Group.
- IP Range — Specify the range of IP addresses of the Assets that are included in the Group.
There are different procedures for creating each type of Asset Group.
To create an Asset Group by selecting assets (Asset List):
1. Go to Groups > Asset Groups.
2. Click Create Asset Group.
   The Create Asset Group panel appears.
3. Click Asset Selection.
4. Click Next.
   The list of Available Assets appears.
5. In the Name box, type a name for the group.
   Choose a name that describes a common element that categorizes the assets included in the group.
6. Select the check box next to each asset you want to include in the group.
7. Click Create.
   OT Security creates the new asset group and displays it on the Asset Groups screen. You can now use this group when configuring policies.
To create an IP Range Asset Group:
1. Go to Groups > Asset Groups.
2. Click Create Asset Group.
   The Create Asset Group panel appears.
3. Click IP Range.
4. Click Next.
   The IP Range selection panel appears.
5. In the Name box, type a name for the group.
   Choose a name that describes a common element that categorizes the assets included in the group.
6. In the Start IP box, type the IP address at the beginning of the range you want to include.
7. In the End IP box, type the IP address at the end of the range you want to include.
8. Click Create.
   OT Security creates the new Asset Group and displays it on the Asset Groups screen. You can now use this group when configuring policies.
To create an IP List Asset Group:
1. Go to Groups > Asset Groups.
2. Click Create Asset Group.
   The Create Asset Group panel appears.
3. Click IP List.
4. Click Next.
   The IP List panel appears.
5. In the Name box, type a name for the group.
   Choose a name that describes a common element that categorizes the assets that are included in the group.
6. In the IP List box, type an IP Address or a Subnet to be included in the group.
7. To add more assets to the Group, type each additional IP address or Subnet on a separate line.
8. Click Create.
   OT Security creates the new Asset Group and displays it on the Asset Groups screen. You can now use this group when configuring policies.
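The three user-defined Asset Group types differ only in how membership is decided: an explicit list of assets, a list of addresses and subnets (one per line), or an inclusive Start IP to End IP range. The following Python script is an added illustration of those three membership rules; it is not OT Security code, and the asset names, IP addresses and the Asset/AssetGroup classes are constructed for the example.

```python
"""Membership check for the three user-defined Asset Group types.

Added illustration, not OT Security code: the assets, groups and addresses
below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Asset:
    name: str
    ips: List[str]          # an asset may carry more than one IP address


@dataclass
class AssetGroup:
    name: str
    kind: str               # "asset_list", "ip_list" or "ip_range"
    asset_names: Tuple[str, ...] = ()              # asset_list: explicit members
    ip_list_text: str = ""                         # ip_list: one IP or subnet per line
    ip_range: Optional[Tuple[str, str]] = None     # ip_range: (Start IP, End IP)


def parse_ip_list(text: str) -> list:
    """Parse the 'one IP address or subnet per line' box into networks.

    A bare address becomes a /32; blank lines are skipped; a malformed line
    raises ValueError so that a typo cannot silently shrink the group."""
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {line!r} is not an IP address or subnet") from exc
    return nets


def in_range(ip: str, start: str, end: str) -> bool:
    """True if ip lies in the inclusive range [start, end]; a reversed range is an error."""
    lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if lo > hi:
        raise ValueError(f"Start IP {start} is after End IP {end}")
    return lo <= ipaddress.ip_address(ip) <= hi


def is_member(asset: Asset, group: AssetGroup) -> bool:
    """Does the asset belong to the group, under the rules of the group's type?"""
    if group.kind == "asset_list":
        return asset.name in group.asset_names
    if group.kind == "ip_list":
        nets = parse_ip_list(group.ip_list_text)
        # any of the asset's addresses inside any listed network counts
        return any(ipaddress.ip_address(ip) in net for ip in asset.ips for net in nets)
    if group.kind == "ip_range":
        start, end = group.ip_range
        return any(in_range(ip, start, end) for ip in asset.ips)
    raise ValueError(f"unknown Asset Group type {group.kind!r}")


def members(assets: List[Asset], group: AssetGroup) -> List[str]:
    """Names of the assets in the group (what the table's Members column lists)."""
    return [a.name for a in assets if is_member(a, group)]


# Constructed inventory and groups
ASSETS = [
    Asset("PLC-01", ["10.0.1.10"]),
    Asset("PLC-02", ["10.0.1.11", "192.168.50.5"]),   # dual-homed controller
    Asset("HMI-01", ["10.0.2.20"]),
    Asset("ENG-WS", ["10.0.3.99"]),
]
BY_ASSET_LIST = AssetGroup("Line 1 controllers", "asset_list", asset_names=("PLC-01", "PLC-02"))
BY_IP_LIST = AssetGroup("Cell network", "ip_list", ip_list_text="10.0.1.0/24\n10.0.2.20\n")
BY_IP_RANGE = AssetGroup("Engineering", "ip_range", ip_range=("10.0.3.1", "10.0.3.254"))

if __name__ == "__main__":
    for group in (BY_ASSET_LIST, BY_IP_LIST, BY_IP_RANGE):
        print(f"{group.name} ({group.kind}): {members(ASSETS, group)}")
```

An asset with more than one IP address (PLC-02 above) joins an IP List or IP Range group if any of its addresses qualifies, and a malformed line in the IP List is rejected rather than skipped, so a typo cannot quietly leave an asset outside the group a Policy is meant to cover.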
Network Segments
With Network Segmentation, you can create groups of related network assets, enabling you to logically isolate asset groups from one-another. OT Security automatically assigns each IP address that is associated with an asset in your network to a Network Segment. For assets with more than one IP address, each IP is associated with a Network Segment. Each auto-generated segment includes all Assets of a specific Category (Controller, OT Servers, Network Devices, and so on) that have IPs with the same class C network address (that is, the IPs have the same first 24 bits).
You can create user-defined Network Segments, and specify which assets are assigned to that segment. A column on the Inventory screen shows the Network Segment for each asset, making it easy to sort and filter your assets by Network Segment.
The Network Segments screen shows all Network Segments that are currently configured in the system. The Auto-generated tab includes Network Segments that the system automatically generates. The User-defined tab includes custom Network Segments created by the user.
The Network Segments table shows the following details:
Parameter | Description |
---|---|
Name | The name used to identify the Network Segment. |
VLAN | The VLAN number of the Network Segment. (Optional) |
Description | A description of the Network Segment. (Optional) |
Used in Policies | Shows the names of the Policies that apply to this Network Segment. Note: To view more details about the Policies in which the Network Segment is used, click Actions > View > Used in Policies tab. |
You can View, Edit, Duplicate, or Delete an existing Network Segment. For more information, see Actions on Groups.
You can create Network Segments to be used in the configuration of Policies. By grouping together related network assets, you enable the creation of Policies that define acceptable network traffic for the Assets in that segment.
To create a network segment:
1. Go to Groups > Network Segments.
2. Click Create Network Segment.
   The Create Network Segment panel appears.
3. In the Name box, type a name for the Network Segment.
4. (Optional) In the VLAN box, type a VLAN number for the Network Segment.
5. (Optional) In the Description box, type a description of the Network Segment.
6. Click Create.
   OT Security creates the new Network Segment and shows it in the list of Network Segments.
7. To assign assets to the newly created Network Segment:
   a. In the Network Segments drop-down box, select the required Network Segment.
      Note: Some assets have more than one associated IP address, and you can select the required Network Segment for each one.
   OT Security applies the Network Segment to the asset and shows it in the Network Segment column. You can now use this Network Segment when configuring Policies.
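The auto-generation rule described above (one segment per asset Category and class C network, with each IP address of a multi-homed asset placed separately) is straightforward to reproduce. The Python below is an added example, not OT Security's implementation: the inventory, the segment naming scheme, and the rule that a user-defined assignment takes precedence over the auto-generated one are assumptions made for the illustration.

```python
"""Auto-generated Network Segments: one per (asset Category, class C network).

Added illustration, not OT Security's implementation. The inventory, the
segment naming scheme and the override rule are constructed for the example.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed inventory: (asset name, Category, IP addresses)
ASSETS = [
    ("PLC-01", "Controller", ["10.0.1.10"]),
    ("PLC-02", "Controller", ["10.0.1.11", "192.168.50.5"]),   # two IPs -> two segments
    ("SCADA-SRV", "OT Server", ["10.0.1.50"]),
    ("HMI-01", "OT Server", ["10.0.2.20"]),
    ("SW-CORE", "Network Device", ["10.0.1.1"]),
]
CATEGORY_OF: Dict[str, str] = {ip: cat for _, cat, ips in ASSETS for ip in ips}


def class_c(ip: str) -> ipaddress.IPv4Network:
    """The /24 containing ip, i.e. all addresses sharing its first 24 bits."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError(f"{ip}: the class C rule is defined for IPv4 only")
    return ipaddress.ip_network(f"{addr}/24", strict=False)


def auto_segment_name(category: str, ip: str) -> str:
    """Constructed naming scheme: '<Category> <network>/24'."""
    return f"{category} {class_c(ip)}"


def auto_segments(assets) -> Dict[str, List[Tuple[str, str]]]:
    """Place every (asset, IP) pair in its auto-generated segment.

    An asset with several IPs appears once per IP, as the text describes."""
    segments: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for name, category, ips in assets:
        for ip in ips:
            segments[auto_segment_name(category, ip)].append((name, ip))
    return {seg: sorted(pairs) for seg, pairs in sorted(segments.items())}


def effective_segment(ip: str, category_of=CATEGORY_OF, user_defined=None) -> str:
    """Segment an IP ends up in. Assumption: a user-defined assignment (keyed per
    IP, since assignment is per IP) takes precedence over the auto-generated one."""
    user_defined = user_defined or {}
    return user_defined.get(ip) or auto_segment_name(category_of[ip], ip)


def cross_segment_conversations(convs, category_of=CATEGORY_OF, user_defined=None):
    """Conversations whose two endpoints are in different segments: the traffic a
    Policy that restricts communication to within a segment would report."""
    return [
        (src, dst) for src, dst in convs
        if effective_segment(src, category_of, user_defined)
        != effective_segment(dst, category_of, user_defined)
    ]


if __name__ == "__main__":
    for seg, members in auto_segments(ASSETS).items():
        print(seg, members)
```

Note that, under the Category rule, a Controller and an OT Server on the same /24 fall into different auto-generated segments; if that traffic is expected, a user-defined segment covering both (the CELL override in the test) is the way to express it.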
Email Groups
Email Groups are groups of email addresses of relevant parties. Email Groups are used to specify recipients for Event notifications triggered by specific Policies. For example, grouping by role, department, and so on enables you to send the notifications for specific Policy Events to the relevant parties.
The Email Groups screen shows all Email Groups that are currently configured in the system.
The Email Groups table shows the following information:
Note: You can view additional details about a specific Group by selecting the Group and clicking Actions > View.
Parameter | Description |
---|---|
Name | The name used to identify the Group. |
Emails | The list of emails included in the Group. Note: If there is no space to display all members of the Group, click Actions > View > Members tab. |
Email Server | The name of the SMTP server used to send emails to the Group. |
Used in Policies | Shows the names of the Policies for which notifications are sent to this Group. Note: To view more details about the Policies in which the Group is used, click Actions > View > Used in Policies tab. |
In addition, you can View, Edit, Duplicate, or Delete an existing Group. For more information, see Actions on Groups.
You can create Email Groups to be used in the configuration of Policies. By grouping related emails, you set Policy Event notifications to be sent to all relevant personnel.
Note: You can only assign one Email Group to each Policy. Therefore, it is useful to create both broad, inclusive Groups as well as specific, limited Groups so that you can assign the appropriate Group to each Policy.
To create an Email Group:
1. Go to Groups > Email Groups.
2. Click Create Email Group.
   The Create Email Group panel appears.
3. In the Name box, type a name for the Group.
4. In the SMTP server drop-down box, select the server used for sending out the email notifications.
   Note: If no SMTP server is configured in the system, then you must first configure a server before you can create an Email Group; see SMTP Servers.
5. In the Emails box, type the email of each member of the Group on a separate line.
6. Click Create.
   OT Security creates the new Email Group and shows it on the Email Groups page. You can now use this Group when configuring Policies.
Port Groups
Port Groups are groups of ports used by assets in the network. Port Groups are used as a policy condition for defining Open Port Network Event Policies, which detect open ports in the network.
The Predefined tab shows the Port Groups that are predefined in the system. These Groups comprise ports expected to be open on controllers from a specific vendor. For example, the Group Siemens PLC Open Ports includes: 20, 21, 80, 102, 443, and 502. This enables configuration of Policies that detect open ports that are not expected to be open on controllers from that vendor. You cannot edit or delete these Groups, but you can duplicate them.
The User-defined tab includes custom Groups created by the user. You can edit, duplicate, or delete these Groups.
The View Port Groups table includes the following details:
Parameter | Description |
---|---|
Name | The name used to identify the Group. |
TCP Port | The list of ports and/or ranges of ports included in the Group. Note: If the table does not display all members of the Group, you can view them on the Actions > View > Members tab. |
Used in Policies | Shows the name of each Policy that uses this Port Group in its configuration. Note: To view additional information about the Policies in which this Group is used, click Actions > View > Used in Policies tab. |
You can create user-defined Port Groups that you can use in the configuration of Policies. By grouping together similar ports, you enable creation of Policies that alert for open ports that pose a particular security risk.
To create a Port Group:
1. Go to Groups > Port Groups.
2. Click Create Port Group.
   The Create Port Group panel appears.
3. In the Name box, type a name for the Group.
4. In the TCP Port box, type a single port or a range of ports to be included in the Group.
5. To add additional Ports to the Group:
   a. Click + Add Port.
      A new Port Selection box appears.
   b. In the new Port number box, type a single port or a range of ports to be included in the Group.
6. Click Create.
   OT Security creates the new Port Group and shows it in the list of Port Groups. You can now use this Group when configuring Policies.
Protocol Groups
Protocol Groups are a set of protocols used for conversations between assets on a network. Protocol Groups are a Policy condition for Network Policies; they define which protocols, used between particular assets, trigger a Policy.
OT Security comes with a set of predefined Protocol Groups which comprise related protocols. These Groups are available for use in Policies. You cannot edit or delete these Groups. Protocols can be grouped by which protocols are allowed by a specific vendor.
For example, Schneider allowed protocols include: TCP:80 (HTTP), TCP:21 (FTP), Modbus, Modbus_UMAS, Modbus_MODICON, TCP:44818 (CIP), UDP:69 (TFTP), UDP:161 (SNMP), UDP:162 (SNMP), UDP:44818, UDP:67-68 (DHCP). They can also be grouped by type of protocol, that is, Modbus, PROFINET, CIP and so on. You can also create your own user-defined Protocol Groups.
The Protocol Groups screen shows all Protocol Groups that are currently configured in the system. The Predefined tab shows Groups that are built into the system. You cannot edit or delete these Groups, but you can duplicate them. The User-defined tab shows the custom Groups that you create. You can edit, duplicate, or delete these Groups.
The Protocol Groups table shows these details:
Parameter | Description |
---|---|
Name | The name to identify the Group. |
Protocols | The list of protocols included in the Group. Note: If you are unable to view all members of the Group, click Actions > View > Members tab. |
Used in Policies | Shows the name of each Policy that uses this Protocol Group in its configuration. Note: To view additional details about the Policies in which this Group is used, click Actions > View > Used in Policies tab. |
You can create custom Protocol Groups used in the configuration of Policies. By grouping together similar Protocols, you enable creation of Policies that define which protocols are suspicious.
To create a Protocol Group:
1. Go to Groups > Protocol Groups.
2. Click Create Protocol Group.
   The Create Protocol Group panel appears.
3. In the Name box, type a name for the Group.
4. In the Protocols drop-down box, select a Protocol type.
5. If the selected Protocol is TCP or UDP, in the Port box, type a Port number or range of Ports.
   For other Protocol types, you do not have to enter any value in the Port box.
6. To add additional Protocols to the Group:
   a. Click + Add Protocol.
      A new Protocol Selection box appears.
   b. Fill in the new Protocol Selection in the manner described in steps 4-5.
7. Click Create.
   OT Security creates the new Protocol Group and shows it in the list of Protocol Groups. You can now use this Group when configuring Policies.
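Port Groups and Protocol Groups are both lists of matching rules: a Port Group expands "single port or range" entries into a set of ports, and a Protocol Group mixes TCP:port and UDP:port entries with named application protocols. The Python below is an added example, not OT Security code, that parses both formats as quoted in the Port Groups and Protocol Groups sections and then applies them the way an Open Port Policy or a Network Event Policy would: listing open ports that the Siemens PLC Open Ports group does not cover, and listing conversations that the Schneider allowed-protocol list does not cover. The conversation records and the matching rule (transport plus destination port for TCP/UDP entries, identified application protocol for named entries) are assumptions.

```python
"""Port Groups and Protocol Groups as matching rules.

Added illustration, not OT Security code. The port list and the vendor protocol
list are the ones quoted in the text; the observed ports and conversations are
constructed.
"""
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

ProtocolEntry = Tuple[str, Optional[Set[int]]]   # ("TCP", {80}) or ("MODBUS", None)


def parse_port_spec(spec: str) -> Set[int]:
    """Expand port text such as '20, 21, 80' or '67-68' into a set of ports."""
    ports: Set[int] = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        m = re.fullmatch(r"(\d{1,5})(?:\s*-\s*(\d{1,5}))?", item)
        if not m:
            raise ValueError(f"bad port entry {item!r}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"port range reversed or out of bounds: {item!r}")
        ports.update(range(lo, hi + 1))
    return ports


def unexpected_open_ports(observed_open: Iterable[int], expected: Set[int]) -> List[int]:
    """Open ports that the vendor's expected-open Port Group does not cover."""
    return sorted(set(observed_open) - expected)


def parse_protocol_entry(entry: str) -> ProtocolEntry:
    """'TCP:80 (HTTP)' -> ('TCP', {80}); 'UDP:67-68 (DHCP)' -> ('UDP', {67, 68});
    'Modbus_UMAS' -> ('MODBUS_UMAS', None). The parenthesised label is informational."""
    name = re.sub(r"\s*\([^)]*\)\s*$", "", entry.strip())
    m = re.fullmatch(r"(TCP|UDP):(\S+)", name, re.IGNORECASE)
    if m:
        return m.group(1).upper(), parse_port_spec(m.group(2))
    return name.upper(), None


def parse_protocol_group(entries: Iterable[str]) -> List[ProtocolEntry]:
    return [parse_protocol_entry(e) for e in entries]


def conversation_allowed(conv: Dict[str, object], group: List[ProtocolEntry]) -> bool:
    """Assumed matching rule: a TCP/UDP entry matches on transport plus destination
    port; a named entry matches on the identified application protocol."""
    transport = str(conv["transport"]).upper()
    app = str(conv.get("app", "")).upper()
    for proto, ports in group:
        if ports is None:
            if app == proto:
                return True
        elif transport == proto and int(conv["dst_port"]) in ports:
            return True
    return False


def disallowed_conversations(convs, group: List[ProtocolEntry]):
    """Conversations outside the allowed Protocol Group: what a Policy using this
    Group as its condition would report."""
    return [c for c in convs if not conversation_allowed(c, group)]


# Values quoted in the text
SIEMENS_PLC_OPEN_PORTS = parse_port_spec("20, 21, 80, 102, 443, 502")
SCHNEIDER_ALLOWED = parse_protocol_group([
    "TCP:80 (HTTP)", "TCP:21 (FTP)", "Modbus", "Modbus_UMAS", "Modbus_MODICON",
    "TCP:44818 (CIP)", "UDP:69 (TFTP)", "UDP:161 (SNMP)", "UDP:162 (SNMP)",
    "UDP:44818", "UDP:67-68 (DHCP)",
])

# Constructed observations
OBSERVED_OPEN = [20, 21, 80, 102, 502, 8080]
CONVERSATIONS = [
    {"src": "10.0.1.50", "dst": "10.0.1.10", "transport": "TCP", "dst_port": 502, "app": "Modbus"},
    {"src": "10.0.1.50", "dst": "10.0.1.10", "transport": "TCP", "dst_port": 80, "app": "HTTP"},
    {"src": "10.0.1.99", "dst": "10.0.1.10", "transport": "TCP", "dst_port": 23, "app": "Telnet"},
    {"src": "10.0.1.10", "dst": "10.0.1.1", "transport": "UDP", "dst_port": 67, "app": "DHCP"},
]

if __name__ == "__main__":
    print("unexpected open ports:", unexpected_open_ports(OBSERVED_OPEN, SIEMENS_PLC_OPEN_PORTS))
    for c in disallowed_conversations(CONVERSATIONS, SCHNEIDER_ALLOWED):
        print("not in allowed protocols:", c)
```

A reversed or out-of-bounds range is rejected at parse time rather than producing an empty set, because an empty Port Group would silently turn an "unexpected open port" Policy into one that fires on every port.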
Schedule Groups
A Schedule Group defines a time range or group of time ranges that has particular characteristics that make activities that happen during that time period noteworthy. For example, certain activities are expected to occur during work hours while other activities are expected to occur during down-time.
The Schedule Groups screen shows all Schedule Groups that are currently configured in the system. The Predefined schedule groups tab includes Groups that are built into the system. You cannot edit, duplicate, or delete these Groups. The User-defined schedule groups tab shows the custom groups you created. You can edit, duplicate, or delete these Groups.
The Schedule Groups table shows the following details:
Parameter | Description |
---|---|
Name | The name to identify the Group. |
Type | The Group type. Options are: Recurring or Once. |
Covers | A summary of the schedule settings. Note: If you are unable to view all members of the Group, click Actions > View > Members tab. |
Used in Policies | Shows the Policy ID of each Policy that uses this Schedule Group in its configuration. Note: To view additional details about the Policies in which this Group is used, click Actions > View > Used in Policies tab. |
You can create custom Schedule Groups to be used in the configuration of Policies. Designate a time range or group of time ranges with shared characteristics to highlight the events that happen during that time period.
There are two types of Schedule Groups:
- Recurring — Schedules that recur on a weekly basis. For example, a Work Hours schedule can be defined as Monday to Friday from 9 AM to 5 PM.
- Once — Schedules that occur on a specific date or range of dates. For example, a Plant Renovation schedule could be defined by the period from June 1 to August 15.
There are different procedures for creating each type of Schedule Group.
To create a Recurring Type Schedule Group:
1. Go to Groups > Schedule Groups.
   The Schedule Groups page appears.
2. Click Create Schedule Group.
   The Create Schedule Group panel appears.
3. Click Recurring.
4. Click Next.
   The parameters for defining a Recurring Schedule Group appear.
5. In the Name box, type a name for the Group.
6. In the Repeats box, select which days of the week are included in the Schedule Group.
   Options are: Every day, Monday to Friday, or a specific day of the week.
   Note: If you want to include particular days of the week, for example Monday and Wednesday, then you need to add a separate condition for each day.
7. In the Start Time box, type the time of day (HH:MM:SS AM/PM) of the beginning of the time range included in the Schedule Group.
8. In the End Time box, type the time of day (HH:MM:SS AM/PM) of the end of the time range included in the Schedule Group.
9. To add additional Conditions (that is, additional time ranges) to the Schedule Group:
   a. Click + Add Condition.
      A new row of Schedule selection parameters appears.
   b. Fill in the schedule fields (Repeats, Start Time, and End Time) as described above.
10. Click Create.
   OT Security creates the new Schedule Group and shows it in the list of Schedule Groups. You can now use this Group when configuring Policies.
To create a one-time Schedule Group:
1. Go to Groups > Schedule Groups.
2. Click Create Schedule Group.
   The Create Schedule Group wizard appears.
3. Select Time Range.
4. Click Next.
   The parameters for defining a time range Schedule Group appear.
5. In the Name box, type a name for the Group.
6. In the Start Date box, click the calendar icon.
   A calendar window opens.
7. Select the date on which the Schedule Group begins. (Default: the current date.)
8. In the Start Time box, type the time of day (HH:MM:SS AM/PM) of the beginning of the time range included in the Schedule Group.
9. In the End Date box, click the calendar icon.
   A calendar window opens.
10. Select the date on which the Schedule Group ends. (Default: the current date.)
11. In the End Time box, type the time of day (HH:MM:SS AM/PM) of the end of the time range included in the Schedule Group.
12. Click Create.
   OT Security creates the new Schedule Group and shows it in the list of Schedule Groups. You can now use this Group when configuring Policies.
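Both Schedule Group types reduce to one question a Policy must answer: does an event's timestamp fall inside the schedule? The Python below is an added example, not OT Security code. It encodes the Work Hours and Plant Renovation examples from the text, parses the HH:MM:SS AM/PM format of the time boxes, and treats a Recurring condition whose End Time is earlier than its Start Time as a range that wraps past midnight; that wrap rule, the Night Shift schedule, the 2024 dates and the sample events are assumptions made for the example.

```python
"""Does an event timestamp fall inside a Schedule Group?

Added illustration, not OT Security code. Work Hours and Plant Renovation follow
the text; Night Shift, the 2024 dates and the midnight-wrap rule are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Set, Tuple, Union

DAYS = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"]


def ts(text: str) -> datetime:
    """Helper for the constructed timestamps: 'YYYY-MM-DD HH:MM' (24-hour clock)."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def parse_clock(text: str) -> time:
    """Parse the HH:MM:SS AM/PM format of the Start Time / End Time boxes."""
    return datetime.strptime(text.strip(), "%I:%M:%S %p").time()


def expand_repeats(repeats: str) -> Set[int]:
    """'Every day', 'Monday to Friday' or a single day name -> weekday numbers (Monday = 0).
    Anything else is rejected: as the note says, use one condition per extra day."""
    if repeats == "Every day":
        return set(range(7))
    if repeats == "Monday to Friday":
        return set(range(5))
    if repeats in DAYS:
        return {DAYS.index(repeats)}
    raise ValueError(f"unsupported Repeats value {repeats!r}")


@dataclass
class Condition:              # one row of a Recurring schedule
    repeats: str
    start: str                # e.g. "09:00:00 AM"
    end: str                  # e.g. "05:00:00 PM"


@dataclass
class Recurring:
    name: str
    conditions: List[Condition]


@dataclass
class Once:
    name: str
    start: datetime           # Start Date + Start Time
    end: datetime             # End Date + End Time


def _condition_covers(c: Condition, when: datetime) -> bool:
    days, start, end = expand_repeats(c.repeats), parse_clock(c.start), parse_clock(c.end)
    t, today = when.time(), when.weekday()
    if start <= end:                                   # ordinary same-day range
        return today in days and start <= t <= end
    # Assumption: an End Time before the Start Time wraps past midnight, so the
    # early-morning part belongs to the night that began on the previous listed day.
    return (today in days and t >= start) or ((today - 1) % 7 in days and t <= end)


def covers(schedule: Union[Recurring, Once], when: datetime) -> bool:
    """True if the timestamp is inside the schedule (the Policy's time condition)."""
    if isinstance(schedule, Once):
        return schedule.start <= when <= schedule.end
    return any(_condition_covers(c, when) for c in schedule.conditions)


def events_in_schedule(schedule, events: List[Tuple[datetime, str]]):
    """Keep the events that occurred inside the schedule."""
    return [e for e in events if covers(schedule, e[0])]


WORK_HOURS = Recurring("Work Hours", [Condition("Monday to Friday", "09:00:00 AM", "05:00:00 PM")])
NIGHT_SHIFT = Recurring("Night Shift", [Condition("Monday to Friday", "10:00:00 PM", "06:00:00 AM")])
RENOVATION = Once("Plant Renovation", ts("2024-06-01 00:00"), ts("2024-08-15 23:59"))

# Constructed events: (timestamp, description)
EVENTS = [
    (ts("2024-06-05 10:30"), "firmware download to PLC-01"),    # Wednesday, work hours
    (ts("2024-06-05 23:15"), "firmware download to PLC-01"),    # Wednesday night
    (ts("2024-06-08 02:00"), "controller mode change"),         # Saturday 02:00
]

if __name__ == "__main__":
    for schedule in (WORK_HOURS, NIGHT_SHIFT, RENOVATION):
        print(schedule.name, [d for _, d in events_in_schedule(schedule, EVENTS)])
```

The Saturday 02:00 event is the edge case worth noticing: with the wrap rule it counts as Friday's night shift, whereas a naive "weekday in days and start <= time <= end" test would drop it because Saturday is not in Monday to Friday and 02:00 is not between 22:00 and 06:00.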
Tag Groups
Tags are parameters in controllers that contain specific operational data. Tag Groups are used as a Policy condition for SCADA Events policies. By grouping together tags that play similar roles, you can create Policies that detect suspicious changes to the specified parameter. For example, by grouping together Tags that control furnace temperature, you can create a Policy that detects temperature changes that can be harmful to the furnaces.
The Tag Groups page shows all tag groups currently configured in the system.
The Tag Groups table shows the following details:
Parameter | Description |
---|---|
Name | The name to identify the Group. |
Type | The data type of the Tag. Possible values are: Bool, Dint, Float, Int, Long, Short, Unknown (for Tags of a type that OT Security was unable to identify) or Any Type (which can include Tags of different Types). |
Controller | The controller on which the Tag is being monitored. |
Tags | Shows each Tag that is included in the Group as well as the name of the controller in which it is located. Note: If you are unable to view all Tags in this row, click Actions > View > Members tab. |
Used in Policies | Shows the Policy ID of each Policy that uses this Tag Group in its configuration. Note: To view additional details about the Policies in which this Group is used, click Actions > View > Used in Policies tab. |
You can View, Edit, Duplicate, or Delete an existing Group; see Actions on Groups.
You can create custom Tag Groups for use in Policy configuration. By grouping together similar Tags, you can create Policies that apply to all Tags in the Group. Select the Tags that are of a similar type and give them a name that represents the common element of the Tags.
You can also create Groups that include Tags of different types by selecting the Any Type option. In this case, Policies that are applied to this Group can only detect changes to Any Value for the specified Tags but cannot be set to detect specific values.
You can edit, duplicate, or delete Tag Groups.
To create a new tag group:
1. Go to Groups > Tag Groups.
2. Click Create Tag Group.
   The Create Tag Group panel appears.
3. Select a Tag type.
   Options are: Bool, Dint, Float, Int, Long, Short, or Any Type (which can include Tags of different Types).
4. Click Next.
   A list of controllers in your network appears.
5. Select a controller for which you want to include Tags in the Group.
6. Click Next.
   A list of Tags of the specified type on the specified controller appears.
7. In the Name box, type a name for the Group.
8. Select the check box next to each of the Tags that you want to include in the Group.
9. Click Create.
   OT Security creates the new Tag Group and shows it in the list of Tag Groups. You can now use this Group when configuring SCADA Event Policies.
Rule Groups
Rule Groups comprise a group of related rules, identified by their Suricata Signature IDs (SIDs). These groups are used as a Policy condition for defining Intrusion Detection Policies.
OT Security provides a set of predefined groups of related vulnerabilities. In addition, you can select individual rules from our repository of vulnerabilities and create your own custom Rule Groups.
The Rule Groups screen shows all Rule Groups that are currently configured in the system. The Predefined tab includes Groups that are built into the system. You cannot edit, duplicate, or delete these groups. The User-defined tab shows the custom Groups created by the user. You can edit, duplicate, or delete these groups.
The Rule Groups table shows the following details:
Parameter | Description |
---|---|
Name | The name used to identify the Group. |
Number of Rules | The number of rules (SIDs) that comprise this Rule Group. |
Used in Policies | Shows the Policy ID of each Policy that uses this Rule Group in its configuration. Note: To view additional details about the Policies in which this Group is used, click Actions > View > Used in Policies tab. |
To create a new Rule Group:
1. Go to Groups > Rule Groups.
2. Click Create Rule Group.
   The Create Rule Group panel appears.
3. In the Name box, type a name for the group.
4. In the Available Rules section, select the check box next to each of the rules you want to include in the group.
   Note: Use the search box to find the desired rules.
5. Click Create.
   OT Security creates the new Rule Group and shows it in the list of Rule Groups. You can now use this Group when configuring Intrusion Detection Policies.
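Because a Rule Group is a named set of Suricata SIDs drawn from the rule repository, the bookkeeping behind the dialog (find rules by keyword, reject SIDs that do not exist in the repository, report the Number of Rules, match alerts against the group) fits in a few functions. The Python below is an added example, not OT Security code; the sample rules are constructed with placeholder SIDs in the local range and are not taken from any real ruleset.

```python
"""Building a Rule Group from Suricata SIDs.

Added illustration, not OT Security code. The rules below are constructed
samples with placeholder SIDs in the local (1000000+) range.
"""
import re
from typing import Dict, Iterable, List

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
MSG_RE = re.compile(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')

SAMPLE_RULES = """\
# constructed sample rules (placeholder SIDs)
alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"SAMPLE Modbus write from outside the plant"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 102 (msg:"SAMPLE S7comm PLC stop request"; sid:1000002; rev:1;)
alert tcp any any -> $HOME_NET 23 (msg:"SAMPLE Telnet session to an OT device"; sid:1000003; rev:2;)
# alert tcp any any -> any any (msg:"SAMPLE disabled rule"; sid:1000004; rev:1;)
"""


def load_rules(text: str) -> Dict[int, str]:
    """Map sid -> msg for each active rule; commented-out rules are skipped.
    A rule without a sid, or a duplicated sid, is rejected."""
    repo: Dict[int, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        sid_m = SID_RE.search(line)
        if not sid_m:
            raise ValueError(f"line {lineno}: rule has no sid")
        sid = int(sid_m.group(1))
        if sid in repo:
            raise ValueError(f"line {lineno}: duplicate sid {sid}")
        msg_m = MSG_RE.search(line)
        repo[sid] = msg_m.group(1) if msg_m else ""
    return repo


def search_rules(repo: Dict[int, str], keyword: str) -> List[int]:
    """Case-insensitive search of rule messages (what the search box in the dialog does)."""
    k = keyword.lower()
    return sorted(sid for sid, msg in repo.items() if k in msg.lower())


def make_rule_group(name: str, sids: Iterable[int], repo: Dict[int, str]) -> Dict[str, object]:
    """A Rule Group is a name plus a set of SIDs; every SID must exist in the repository."""
    chosen = sorted(set(sids))
    missing = [s for s in chosen if s not in repo]
    if missing:
        raise ValueError(f"unknown SIDs: {missing}")
    return {"name": name, "sids": chosen}


def number_of_rules(group: Dict[str, object]) -> int:
    """The table's Number of Rules column."""
    return len(group["sids"])


def alerts_covered(group: Dict[str, object], alerts: Iterable[Dict[str, object]]) -> List[Dict[str, object]]:
    """Alerts whose sid belongs to the group: the Intrusion Detection policy condition."""
    sids = set(group["sids"])
    return [a for a in alerts if int(a["sid"]) in sids]


if __name__ == "__main__":
    repo = load_rules(SAMPLE_RULES)
    group = make_rule_group("Plant perimeter", search_rules(repo, "plant"), repo)
    print(group, number_of_rules(group))
```

Duplicate SIDs are rejected when the repository is loaded rather than silently overwritten, so the Number of Rules shown for a group always matches the number of distinct signatures that can actually fire.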
Actions on Groups
When you select a Group on any of the Group screens, you can do the following from the Actions menu on the top of the screen:
- View — Shows details about the selected Group, such as which entities are included in the group and which Policies use the Group as a policy condition. See View Group Details.
- Edit — Edit details of the Group. See Edit a Group.
- Duplicate — Create a new Group with a similar configuration to the specified Group. See Duplicate a Group.
- Delete — Delete the Group from the system. See Delete a Group.
Note: You cannot edit or delete predefined Groups. Some predefined Groups also cannot be duplicated. You can also access the Actions menu by right-clicking a Group.
When you select a group and click Actions > View, the Group Details screen appears for the selected group.
The Group Details screen has a header bar that shows the name and type of the Group. It has two tabs:
- Members — Shows a list of all members of the Group.
- Used in Policies — Shows a listing for each Policy for which the specified Group is used as a policy condition. The Policy listing includes a toggle switch for turning the Policy On/Off. For more information, see View Policies.
To view details of a Group:
1. In Groups, select the required type of Group.
2. Do one of the following:
   - Click Actions.
   - Right-click the required group.
   A menu appears.
3. Select View.
   The Group Details screen appears.
You can edit the details of an existing Group.
To edit details of a Group:
1. Under Groups, select the desired type of Group.
2. Do one of the following:
   - Click Actions.
   - Right-click the required group.
   A menu appears.
3. Select Edit.
   The Edit Group window appears, showing the relevant parameters for the specified Group type.
4. Modify as needed.
5. Click Save.
   OT Security saves the group with the new settings.
To create a new Group with similar settings to an existing Group, you can duplicate the existing Group. When you duplicate a Group, the new Group is saved under a new name, in addition to the original Group.
To duplicate a Group:
1. Under Groups, select the desired type of Group.
2. Select the existing Group on which you want to base the new Group.
3. Do one of the following:
   - Click Actions.
   - Right-click the required group.
   A menu appears.
4. Select Duplicate.
   The Duplicate Group window appears, showing the relevant parameters for the specified Group type.
5. In the Name box, type a name for the new group. By default, the new group is named 'Copy of' the original Group name.
6. Make the desired changes to the group settings.
7. Click Duplicate.
   OT Security saves the new Group with the new settings, in addition to the existing Group.
You can delete user-defined Groups but not predefined Groups. You cannot delete a user-defined Group if it is being used as a policy condition for one or more Policies.
To delete a Group:
1. Under Groups, select the required type of Group.
2. Select the Group that you want to delete.
3. Do one of the following:
   - Click Actions.
   - Right-click the required group.
   A menu appears.
4. Select Delete.
   A confirmation window appears.
5. Click Delete.
   OT Security permanently deletes the group from the system.