Environment Configuration

Monitored Networks

The Monitored Network configuration contains a set of IP ranges (CIDRs / subnets) that define the monitoring boundaries for OT Security. OT Security ignores assets outside of the configured ranges.

By default, OT Security configures the three private (RFC 1918) ranges 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16, as well as the link-local range 169.254.0.0/16 (APIPA).

To disable any of the default ranges or add ranges appropriate for your network:

  1. Go to Local Settings > Environment Configuration > Asset Settings.

    The Asset Settings window appears.

  2. Click Edit.

    The Monitored Network panel appears.

  3. Select the required Default IP ranges and/or add Additional IP ranges (one IP range per line) in the designated text box.

  4. Click Save.

    OT Security saves the monitored network configuration.
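As an added illustration (this script is not part of this page and not OT Security's own code), the following Python models the boundary check described above: it parses the Additional IP ranges box one range per line, honours which default ranges are left enabled, flags additional ranges that are already covered by another configured range, and reports which observed asset IPs fall outside the boundary and would therefore be ignored. The default ranges are the ones listed above; the enabled set, the box contents and the asset IPs are constructed sample data.

```python
import ipaddress

# Default ranges exactly as listed on this page.
DEFAULT_RANGES = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")


def parse_additional_ranges(text):
    """Parse the 'Additional IP ranges' box: one CIDR (or single IP) per line.

    Returns (networks, errors). Bad lines are reported with their line number
    rather than silently dropped, so a typo does not quietly shrink the boundary.
    """
    networks, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        try:
            # strict=True rejects e.g. 10.1.2.3/8 (host bits set), which usually
            # means the operator meant a different prefix length.
            networks.append(ipaddress.ip_network(line, strict=True))
        except ValueError as exc:
            errors.append((lineno, line, str(exc)))
    return networks, errors


def build_monitored_networks(enabled_defaults, additional_text):
    """Combine the enabled default ranges with the additional ranges."""
    nets = [ipaddress.ip_network(c) for c in DEFAULT_RANGES if c in enabled_defaults]
    extra, errors = parse_additional_ranges(additional_text)
    return nets + extra, errors


def redundant_ranges(networks):
    """Ranges already covered by another configured range. Harmless, but worth
    knowing: disabling the wider range later will not remove that coverage."""
    out = []
    for n in networks:
        for m in networks:
            if n != m and n.version == m.version and n.subnet_of(m):
                out.append((str(n), str(m)))
                break
    return out


def classify_assets(networks, ips):
    """Map each observed asset IP to the monitored range it falls in, or None
    when OT Security would ignore it."""
    result = {}
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        match = next((n for n in networks if addr in n), None)
        result[ip] = str(match) if match else None
    return result


# Constructed sample: 172.16.0.0/12 disabled, a carrier-grade NAT block and one
# /24 inside the disabled default added by hand, two ranges nested inside
# 10.0.0.0/8, plus one line with a typo.
SAMPLE_ENABLED = {"10.0.0.0/8", "192.168.0.0/16", "169.254.0.0/16"}
SAMPLE_ADDITIONAL = """100.64.0.0/10
172.16.5.0/24
10.20.0.0/16
10.20.3.0/24
172.16.9.0/24x
"""
SAMPLE_ASSET_IPS = ["10.1.2.3", "172.16.5.9", "172.20.0.1",
                    "100.64.1.1", "8.8.8.8", "169.254.10.10"]

if __name__ == "__main__":
    nets, errors = build_monitored_networks(SAMPLE_ENABLED, SAMPLE_ADDITIONAL)
    for lineno, line, why in errors:
        print(f"line {lineno}: {line!r} rejected: {why}")
    for narrow, wide in redundant_ranges(nets):
        print(f"{narrow} is already inside {wide}")
    for ip, rng in classify_assets(nets, SAMPLE_ASSET_IPS).items():
        print(f"{ip:>15}  ->  {rng or 'IGNORED (outside monitored networks)'}")
```

Run it before saving a boundary change: any asset that comes back as IGNORED is one whose traffic, events and vulnerabilities will not be recorded, which is the usual cause of "missing" assets after a network was re-addressed.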

Add Assets Manually

To track your inventory, you may want to view additional assets you possess that OT Security has not yet detected. You can add these assets manually by downloading and editing a CSV file, and then uploading the file to the system. You can only upload assets whose IPs are not already in use by an existing asset in the system. If the system later detects an asset communicating over the network with the same IP, it uses the information retrieved about the detected asset, overwrites the previously uploaded information, and from then on handles the asset as a regular one.

The IP addresses of uploaded assets are counted as part of the system licensing.

Uploaded assets display a risk score of 0 until OT Security detects these assets.

Note: When assets are added manually, events are not detected for those assets until OT Security detects their communication in the network.

To add assets manually:

  1. Go to Local Settings > Environment Configuration > Asset Settings.

    The Asset Settings screen appears.

  2. In Add Assets Manually, from the Actions menu, select Download CSV template.

    OT Security downloads the tot_Assets template document.

  3. Open the tot_Assets template document.

  4. Edit the tot_Assets template precisely in accordance with the instructions found in the file, leaving only the column headers (Name, Type, and so on) and the values you enter.

  5. Save the edited file.

  6. Return to the Assets Settings screen.

  7. From the Actions menu, select Upload CSV and navigate to and open the desired CSV file to upload it.

  8. In Add Assets Manually, click Download Report.

    OT Security downloads a CSV report that shows successes and failures in the Result column and the details of any errors in the Error column.
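The upload report only tells you about a bad row after the file has been processed. As an added example (not part of this page and not OT Security's own code), the following Python pre-checks an edited template before you upload it, applying the rules stated above: every required column filled, a valid IP, no IP duplicated within the file, and no IP already in use by an existing asset. The real tot_Assets template defines its own columns; the page names only Name and Type, so the Name, Type, IP header set, the existing-inventory list and the sample rows here are constructed assumptions for illustration.

```python
import csv
import io
import ipaddress

# Hypothetical minimal column set. The real tot_Assets template defines its own
# headers; adjust REQUIRED to match the file you downloaded.
REQUIRED = ("Name", "Type", "IP")


def precheck_asset_csv(csv_text, inventory_ips):
    """Validate rows the way the upload would judge them.

    Returns (report_rows, ok_count). Every row gets Result and Error columns,
    mirroring the Download Report output, so nothing is silently skipped.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = [h for h in REQUIRED if h not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"template is missing columns: {missing}")
    inventory = {str(ipaddress.ip_address(i)) for i in inventory_ips}
    seen, report, ok = set(), [], 0
    for row in reader:
        errors = [f"{h} is empty" for h in REQUIRED if not (row.get(h) or "").strip()]
        ip_raw = (row.get("IP") or "").strip()
        ip = None
        if ip_raw:
            try:
                ip = str(ipaddress.ip_address(ip_raw))   # normalises e.g. 010.1.2.3
            except ValueError:
                errors.append(f"invalid IP {ip_raw!r}")
        if ip:
            if ip in inventory:
                errors.append(f"{ip} already in use by an existing asset")
            if ip in seen:
                errors.append(f"{ip} duplicated in file")
            seen.add(ip)
        if not errors:
            ok += 1
        report.append({**row, "Result": "Failure" if errors else "Success",
                       "Error": "; ".join(errors)})
    return report, ok


def report_to_csv(report):
    """Serialise the pre-check result in the same shape as the upload report."""
    fields = list(report[0].keys()) if report else [*REQUIRED, "Result", "Error"]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields)
    writer.writeheader()
    writer.writerows(report)
    return buf.getvalue()


# Constructed sample file and inventory: one clean row, one IP already known to
# the system, one duplicate within the file, one malformed IP, one missing Name.
SAMPLE_CSV = """Name,Type,IP
PLC-Line3,PLC,10.10.3.21
HMI-Line3,HMI,10.10.3.22
PLC-Line3-bak,PLC,10.10.3.21
Switch-East,Switch,10.10.3.999
,Engineering Station,10.10.3.40
"""
EXISTING_INVENTORY = ["10.10.3.22"]

if __name__ == "__main__":
    report, ok = precheck_asset_csv(SAMPLE_CSV, EXISTING_INVENTORY)
    print(f"{ok} of {len(report)} rows would upload cleanly")
    print(report_to_csv(report))
```

Feed it the real inventory (for example, an export of current asset IPs) rather than the short list above; the "already in use" rule is the one that most often rejects a whole batch, because the asset was detected between editing and uploading.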

Event Clusters

To facilitate the monitoring of events, multiple events with the same characteristics are clustered together into a single cluster. The clustering is based on event type (that is, events that share the same policy), source, and destination assets, and so on.

To be clustered, events must be generated within the following configured time intervals:

  • Maximum time between consecutive events — Sets the maximum interval between one event and the next. If more time than this passes, the next event is not added to the cluster.

  • Maximum time between the first and last event — Sets the maximum interval that a whole cluster may span. An event generated after this interval, measured from the first event in the cluster, is not part of that cluster.

To enable clustering:

  1. Go to Local Settings > Environment Configuration > Event Clusters.

    The Event Clusters screen appears.

  2. Click the toggle to enable desired categories for clustering.

  3. To configure the time intervals for a category, click Edit.

    The Edit Configuration window appears.

  4. Type the required number value in the number box and select the unit of time using the drop-down box.

    Note: For more information about clustering and time intervals, click the icon.

  5. Click Save.
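The two intervals interact in a way that is easier to see on a timeline than in prose. As an added example (not part of this page and not OT Security's own implementation), the following Python clusters events by policy, source and destination and applies both limits: a new event joins the open cluster only if it is within the maximum gap of the previous event and within the maximum span of the cluster's first event. The interval values, policy names, asset addresses and timestamps are constructed sample data, not product defaults.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    policy: str   # the event type: events raised by the same policy can cluster
    src: str      # source asset
    dst: str      # destination asset


@dataclass
class Cluster:
    key: tuple
    events: list = field(default_factory=list)

    @property
    def first(self):
        return self.events[0].ts

    @property
    def last(self):
        return self.events[-1].ts


def cluster_events(events, max_gap, max_span):
    """Group events that share (policy, src, dst).

    An event joins the currently open cluster for its key only if both hold:
      ts - cluster.last  <= max_gap   (maximum time between consecutive events)
      ts - cluster.first <= max_span  (maximum time between the first and last event)
    Otherwise it opens a new cluster. Events are processed in time order.
    """
    open_clusters = {}
    clusters = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.policy, ev.src, ev.dst)
        cur = open_clusters.get(key)
        if cur is None or ev.ts - cur.last > max_gap or ev.ts - cur.first > max_span:
            cur = Cluster(key)
            clusters.append(cur)
            open_clusters[key] = cur
        cur.events.append(ev)
    return clusters


MAX_GAP = timedelta(minutes=2)     # sample values, not product defaults
MAX_SPAN = timedelta(minutes=10)

T0 = datetime(2024, 5, 1, 8, 0, 0)


def _ev(minutes, policy="Unauthorized Write", src="10.10.3.40", dst="10.10.3.21"):
    return Event(T0 + timedelta(minutes=minutes), policy, src, dst)


# Constructed sample timeline: one engineering station writing to one PLC.
SAMPLE_EVENTS = (
    [_ev(m) for m in (0, 0.5, 1)]        # burst: three writes within a minute
    + [_ev(5)]                           # 4 min later: exceeds max_gap -> new cluster
    + [_ev(m) for m in range(20, 33)]    # one write per minute for 13 min: max_span splits it
    + [_ev(0, policy="Port Scan", src="10.10.3.77")]  # other policy/source: own cluster
)


def run_sample():
    """Cluster sizes, in creation order, for the sample timeline."""
    return [len(c.events) for c in cluster_events(SAMPLE_EVENTS, MAX_GAP, MAX_SPAN)]


if __name__ == "__main__":
    for c in cluster_events(SAMPLE_EVENTS, MAX_GAP, MAX_SPAN):
        policy, src, dst = c.key
        print(f"{policy:<18} {src} -> {dst}: {len(c.events):2d} events, "
              f"{c.first.time()} .. {c.last.time()} (span {c.last - c.first})")
```

The one-per-minute run is the case to note: each event is within the 2-minute gap, yet the 10-minute span still splits the 13 events into clusters of 11 and 2, so a slow, steady violation is never hidden inside a single ever-growing cluster.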

PCAP Player

OT Security enables you to upload a PCAP (Packet Capture) file containing recorded network activity and “play” it on OT Security. When you “play” a PCAP file, OT Security monitors the network traffic and records all information about detected assets, network activity, and vulnerabilities as if the traffic had occurred within your network. You can use this feature for simulation, or to analyze traffic that occurs outside of the network OT Security monitors, for example at remote plants.

Note: PCAP Player supports these file types: .pcap, .pcapng, .pcap.gz, .pcapng.gz. You can use files that are recorded by an instance of OT Security or by other network monitoring tools.

Upload a PCAP File

To upload a PCAP file:

  1. Go to Local Settings > Environment Configuration > PCAP Player.

  2. Click Upload PCAP File.

    The File Explorer opens.

  3. Select the required PCAP recording.

  4. Click Open.

    OT Security uploads the PCAP file to the system.

Play a PCAP File

To play a PCAP file:

  1. Go to Local Settings > Environment Configuration > PCAP Player.

  2. Select the PCAP recording you want to play.

  3. Click Actions > Play.

    The Play PCAP wizard appears.

  4. In the Play Speed drop-down box, select the speed at which you want the system to play the file.

    Options are: 1X, 2X, 4X, 8X or 16X.

    Note: Playing a PCAP file injects data into the system. You cannot undo or stop this operation once it starts.

  5. Click Play.

    The system plays the PCAP file. All network activity in the PCAP file is registered in the system and assets identified by the system are added to the assets inventory.

    Note: You cannot play another PCAP file while a file is still playing.
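Because playback cannot be stopped and blocks further uploads until it finishes, it is worth checking a capture before clicking Play. As an added example (not part of this page and not OT Security's own code), the following Python identifies the file as pcap, pcapng or a gzip of either from its magic bytes, walks classic pcap records to count packets and measure the capture span, and converts that span into wall-clock playback time at the five supported speeds. The sample capture is constructed in code; pcapng files are only recognised, not walked, here.

```python
import gzip
import struct

# Magic values as read from the first four bytes with little-endian "<I".
PCAP_MAGIC = {
    0xA1B2C3D4: ("<", 1_000_000),        # little-endian file, microsecond timestamps
    0xD4C3B2A1: (">", 1_000_000),        # big-endian file, microsecond timestamps
    0xA1B23C4D: ("<", 1_000_000_000),    # little-endian file, nanosecond timestamps
    0x4D3CB2A1: (">", 1_000_000_000),    # big-endian file, nanosecond timestamps
}
PCAPNG_MAGIC = 0x0A0D0D0A               # Section Header Block type, byte-order independent
PLAY_SPEEDS = (1, 2, 4, 8, 16)          # the Play Speed options listed above


def inspect_capture(data: bytes) -> dict:
    """Identify the capture format; for classic pcap also count packets and
    compute the span from first to last packet timestamp (seconds)."""
    if data[:2] == b"\x1f\x8b":                          # .pcap.gz / .pcapng.gz
        info = inspect_capture(gzip.decompress(data))
        info["format"] += ".gz"
        return info
    if len(data) < 4:
        raise ValueError("file too short to be a capture")
    (magic,) = struct.unpack("<I", data[:4])
    if magic == PCAPNG_MAGIC:
        return {"format": "pcapng", "packets": None, "duration_s": None}
    if magic not in PCAP_MAGIC:
        raise ValueError(f"unrecognised magic 0x{magic:08x}: not a pcap/pcapng file")
    endian, ticks_per_s = PCAP_MAGIC[magic]
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    # global header: magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
    _, major, minor, _, _, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    off, count, first, last = 24, 0, None, None
    while off + 16 <= len(data):
        # record header: ts_sec, ts_frac, incl_len, orig_len
        ts_sec, ts_frac, incl_len, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        if off + 16 + incl_len > len(data):
            raise ValueError(f"packet {count + 1} truncated at offset {off}")
        t = ts_sec + ts_frac / ticks_per_s
        first = t if first is None else first
        last = t
        count += 1
        off += 16 + incl_len
    if off != len(data):
        raise ValueError(f"{len(data) - off} trailing bytes after the last record")
    return {"format": "pcap", "version": f"{major}.{minor}", "linktype": linktype,
            "snaplen": snaplen, "packets": count,
            "duration_s": (last - first) if count else 0.0}


def playback_estimates(duration_s: float) -> dict:
    """Wall-clock seconds the PCAP Player needs at each supported speed."""
    return {f"{s}X": duration_s / s for s in PLAY_SPEEDS}


def build_sample_pcap(endian="<", ticks_per_s=1_000_000, compress=False) -> bytes:
    """Constructed sample: three Ethernet (linktype 1) records spanning 90 s."""
    magic = 0xA1B2C3D4 if ticks_per_s == 1_000_000 else 0xA1B23C4D
    header = struct.pack(endian + "IHHiIII", magic, 2, 4, 0, 0, 65535, 1)
    payload = b"\x00" * 14                              # filler; contents are irrelevant here
    records = b""
    for sec, frac in ((1_700_000_000, 0), (1_700_000_045, ticks_per_s // 2), (1_700_000_090, 0)):
        records += struct.pack(endian + "IIII", sec, frac, len(payload), len(payload)) + payload
    blob = header + records
    return gzip.compress(blob) if compress else blob


if __name__ == "__main__":
    for label, blob in (("sample.pcap", build_sample_pcap()),
                        ("sample.pcap.gz", build_sample_pcap(compress=True))):
        info = inspect_capture(blob)
        print(label, info)
        if info["duration_s"] is not None:
            for speed, secs in playback_estimates(info["duration_s"]).items():
                print(f"  {speed:>3}: {secs:.1f} s of wall-clock playback")
```

Point `inspect_capture` at `open(path, "rb").read()` for a real file. A capture spanning several hours at 1X takes several hours to play, during which no other file can be queued, so the estimate at the speed you intend to choose is the number to look at before confirming.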