Environment Configuration
Asset Settings
Monitored Networks
The Monitored Network configuration contains a set of IP ranges (CIDRs / subnets) that define the monitoring boundaries for OT Security. OT Security ignores assets outside of the configured ranges.
By default, OT Security configures three default private ranges: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16, as well as the link-local range 169.254.0.0/16 (APIPA).
To disable any of the default ranges or add ranges appropriate for your network:
- Go to Local Settings > Environment Configuration > Asset Settings.
  The Asset Settings window appears.
- In the Monitored Network section, click Edit.
  The Monitored Network panel appears.
- Select the required Default IP ranges and/or add Additional IP ranges (one IP range per line) in the designated text box.
- Click Save.
  OT Security saves the monitored network configuration.
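The following is an added example (not Tenable's code) that shows what the monitoring boundary means in practice: it parses the "one IP range per line" text box, rejects malformed entries and entries that overlap the 240.0.0.0/4 reserve pool mentioned later in this section, and then reports which observed asset IPs fall inside the configured ranges (anything outside is ignored). The default ranges are the ones listed above; the additional ranges and the observed IPs are constructed sample input.

```python
"""Added example (not Tenable's code): validate a monitored-network list and
check which observed asset IPs fall inside the monitoring boundary."""
import ipaddress

# Default ranges from the documentation (the toggles in the Monitored Network panel).
DEFAULT_RANGES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16"]

# Reserve pool the product uses for NAT mapping of duplicated networks (from the docs);
# user ranges that overlap it are flagged for review before saving.
RESERVE_POOL = ipaddress.ip_network("240.0.0.0/4")


def parse_ranges(text):
    """Parse the 'one IP range per line' text box. Returns (networks, errors)."""
    networks, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            # strict=False accepts host bits set, e.g. 10.1.2.3/24 -> 10.1.2.0/24
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            errors.append((lineno, line, "not a valid IP range"))
            continue
        if net.version == 4 and net.overlaps(RESERVE_POOL):
            errors.append((lineno, line, "overlaps the 240.0.0.0/4 reserve pool"))
            continue
        networks.append(net)
    return networks, errors


def monitored_ranges(enabled_defaults, additional_text):
    """Combine the selected default ranges with the additional ranges."""
    nets = [ipaddress.ip_network(r) for r in enabled_defaults]
    extra, errors = parse_ranges(additional_text)
    return nets + extra, errors


def is_monitored(ip, networks):
    """True if the asset IP lies in any configured range; otherwise OT Security ignores it."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def classify_assets(ips, networks):
    """Split observed asset IPs into (monitored, ignored) lists."""
    monitored = [ip for ip in ips if is_monitored(ip, networks)]
    ignored = [ip for ip in ips if not is_monitored(ip, networks)]
    return monitored, ignored


if __name__ == "__main__":
    # Constructed configuration: 169.254.0.0/16 disabled, one plant range added,
    # plus one typo and one reserve-pool overlap to exercise the validation.
    enabled = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
    extra_text = "100.64.0.0/10\n10.1.2.300/24\n240.1.0.0/16\n"
    nets, errs = monitored_ranges(enabled, extra_text)
    for err in errs:
        print("line %d: %s (%s)" % err)
    sample_ips = ["10.20.30.40", "169.254.1.1", "100.100.1.1", "8.8.8.8"]
    print(classify_assets(sample_ips, nets))
```

Run the check against a copy of the text box contents before pasting it into the panel; an asset that shows up as ignored here will also be absent from the inventory.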
Duplicated Internal Networks
Overlapping IP ranges occur when the same IP address is assigned to multiple devices. Overlapping IP ranges are common across manufacturing environments and make it hard to identify and track assets accurately, resulting in visibility gaps, incorrect asset associations, and so on. You can define your overlapping networks so that OT Security tracks assets accurately even when IP addresses are reused across different segments.
Before you begin
- Make sure you have paired authenticated sensors.
  Note: OT Security does not support duplicated networks on unauthenticated sensors.
To define the duplicate networks in your environment:
- Go to Local Settings > Environment Configuration > Asset Settings.
  The Asset Settings page appears.
- In the Duplicated Internal Networks section, click Add Network.
  The Add Duplicated Network panel appears.
  Note: OT Security uses the 240.0.0.0/4 IP range as the internal reserve pool for mapping IP addresses to NAT IP allocation. To change this reserve pool range, contact Tenable Support.
- In the Duplicated IP Range box, type the duplicate IP ranges in your network.
- In the Duplicates box, select the sensors associated with the duplicate IP ranges.
- Click Next.
  The Confirmation side panel appears.
- (Optional) Select the Delete Assets checkbox.
  Tip: To separate all the selected assets into their own networks, Tenable recommends that you allow OT Security to delete the assets and rediscover them after startup. If you do not select the Delete Assets checkbox, the assets remain in the current IP range and may cause inconsistencies or unexpected behavior.
- Click Save.
  OT Security saves the duplicate IP range and it appears in the Duplicated Internal Networks table.
  Important: Once you complete configuring duplicated networks, Tenable recommends that you restart OT Security before enabling the sensors.
- Restart OT Security.
- To enable active queries, go to Local Settings > Sensors and do one of the following:
  Note: The IP ranges (CIDRs) for the active query are the ones that you configured in the Duplicated Internal Network settings.
  - Single sensor: Right-click the sensor and click Edit. In the Edit Sensor panel, click the Sensor active queries toggle to enable active queries.
  - Multiple sensors: Select all the required sensors. In the header, select Bulk Actions > Enable Active Queries.
- Right-click the sensors and activate them by changing the status from Paused to Connected.
What to do next
After you configure the duplicated networks and restart OT Security, the assets appear with their real IP addresses in the All Assets table. Additionally, whenever you enter an IP that is configured as a duplicated network, you must also select the sensor for that IP, for instance in Active Queries > Discovery / Nessus Scan > Create Scan, or in Credentials > Test Credentials:
- In Inventory > All Assets, view the real IP addresses and the Source of assets in the All Assets table, for instance two assets that share the same IP address but are associated with different sensors.
- In Active Queries > Queries Management > Discovery or Nessus Scans > Create Scan, when configuring an active query involving duplicated networks, select the Relevant Sensors for that IP range. This allows you to run the query for assets associated with a specific sensor while excluding the other sensors.
  Note: OT Security enables the Relevant Sensors box only for IP ranges in duplicated networks. It remains disabled for all other IP ranges.
- In Active Queries > Credentials > Test Credentials, when configuring credentials, if you enter an IP range in a duplicated network, you must also select the associated sensors in the Duplicate (Sensor) box.
- To create Asset Groups for assets that are part of duplicated networks, use the Asset Selection option and identify the specific IP based on the Source column in the Assets table.
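To make the "same IP, different Source" behaviour described above concrete, here is an added example (not Tenable's code) of a simplified inventory model: observations inside a duplicated range are identified by the (sensor, IP) pair and each such asset receives a distinct internal address from the 240.0.0.0/4 reserve pool the section mentions, while observations outside duplicated ranges are identified by IP alone. The sequential pool allocation, the sensor names and the observed addresses are assumptions for illustration, not the product's internal algorithm.

```python
"""Added example (not Tenable's code): a simplified model of keeping assets distinct
when one IP range is reused behind different sensors."""
import ipaddress

# Reserve pool from the documentation; the allocation order below is an assumption.
RESERVE_POOL = ipaddress.ip_network("240.0.0.0/4")


class DuplicatedNetworkInventory:
    def __init__(self, duplicated):
        # duplicated: {"192.168.10.0/24": {"sensor-a", "sensor-b"}, ...} (constructed config)
        self.duplicated = {ipaddress.ip_network(cidr): set(sensors)
                           for cidr, sensors in duplicated.items()}
        self.assets = {}                    # key -> asset record
        self._pool = RESERVE_POOL.hosts()   # one internal address per (sensor, IP) asset

    def _duplicated_range(self, addr):
        """Return (network, sensors) if addr lies in a configured duplicated range."""
        for net, sensors in self.duplicated.items():
            if addr in net:
                return net, sensors
        return None, None

    def observe(self, sensor, ip):
        """Record an observation and return the key of the asset it was attributed to."""
        addr = ipaddress.ip_address(ip)
        net, sensors = self._duplicated_range(addr)
        if net is None:
            key = ("*", str(addr))          # ordinary range: the IP alone identifies the asset
        else:
            if sensor not in sensors:
                raise ValueError("%s is not a configured duplicate for %s" % (sensor, net))
            key = (sensor, str(addr))       # duplicated range: the sensor disambiguates
        rec = self.assets.get(key)
        if rec is None:
            # Assets in duplicated ranges get a unique internal (NAT) address from the pool;
            # other assets keep their real address.
            internal = str(next(self._pool)) if net is not None else str(addr)
            rec = {"real_ip": str(addr), "internal_ip": internal, "sources": set(), "seen": 0}
            self.assets[key] = rec
        rec["sources"].add(sensor)
        rec["seen"] += 1
        return key

    def assets_with_ip(self, ip):
        """All asset records sharing a real IP (more than one only inside duplicated ranges)."""
        return [rec for (_, real), rec in self.assets.items() if real == ip]


if __name__ == "__main__":
    inv = DuplicatedNetworkInventory({"192.168.10.0/24": {"sensor-a", "sensor-b"}})
    for sensor, ip in [("sensor-a", "192.168.10.5"), ("sensor-b", "192.168.10.5"),
                       ("sensor-a", "10.0.0.7"), ("sensor-b", "10.0.0.7")]:
        print(inv.observe(sensor, ip))
    print(inv.assets_with_ip("192.168.10.5"))   # two assets, two internal addresses
    print(inv.assets_with_ip("10.0.0.7"))       # one asset seen by both sensors
```

The model also shows why the Source column matters when you build asset groups or scans: without the sensor, "192.168.10.5" is ambiguous.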
Add Assets Manually
To track your inventory, you may want to view some additional assets you possess, even though OT Security has not yet detected these assets. You can manually add these assets to your inventory by downloading and editing a CSV file, and then uploading the file to the system. You can only upload assets with IPs that are not already in use by an existing asset in the system. In the event that the system detects an asset communicating over the network with the same IP, it uses the information retrieved about the detected asset and overwrites the previously uploaded information. The system begins handling the asset as a regular one when it is detected communicating in the network.
The IP addresses of uploaded assets are counted as part of the system licensing.
Uploaded assets display a risk score of 0 until OT Security detects these assets.
To add assets manually:
- Go to Local Settings > Environment Configuration > Asset Settings.
  The Asset Settings screen appears.
- In Add Assets Manually, from the Actions menu, select Download CSV template.
  OT Security downloads the tot_Assets template document.
- Open the tot_Assets template document.
- Edit the tot_Assets template precisely in accordance with the instructions found in the file, leaving only the column headers (Name, Type, and so on) and the values you enter.
- Save the edited file.
- Return to the Asset Settings screen.
- From the Actions menu, select Upload CSV, then navigate to the desired CSV file and open it to upload it.
- In Add Assets Manually, click Download Report.
  A CSV report downloads, showing successes and failures in the Result column. Details of errors are shown in the Error column.
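Because the upload rejects any row whose IP is already used by an existing asset, it is useful to pre-check the edited template locally. The following added example (not Tenable's code) does that and emits the same kind of per-row Result/Error report the procedure describes. Only the Name and Type columns are named on the page; the IP column name, the existing-asset list and the CSV rows are constructed assumptions, and the template's real instructions take precedence.

```python
"""Added example (not Tenable's code): pre-check a manually edited asset CSV before
uploading it, producing a per-row Result/Error report."""
import csv
import io
import ipaddress

REQUIRED_COLUMNS = ["Name", "Type", "IP"]   # "IP" is an assumed column name


def validate_assets_csv(csv_text, existing_ips):
    """Return a list of report rows: the original columns plus Result and Error."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = [c for c in REQUIRED_COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError("template is missing columns: %s" % ", ".join(missing))
    existing = {str(ipaddress.ip_address(ip)) for ip in existing_ips}
    seen_in_file = set()
    report = []
    for row in reader:
        error = ""
        name, ip = row["Name"].strip(), row["IP"].strip()
        if not name:
            error = "Name is empty"
        elif not row["Type"].strip():
            error = "Type is empty"
        else:
            try:
                norm = str(ipaddress.ip_address(ip))
            except ValueError:
                error = "invalid IP address: %r" % ip
            else:
                if norm in existing:
                    error = "IP already in use by an existing asset"
                elif norm in seen_in_file:
                    error = "IP duplicated within the file"
                else:
                    seen_in_file.add(norm)
        out = dict(row)
        out["Result"] = "Failed" if error else "Success"
        out["Error"] = error
        report.append(out)
    return report


def report_to_csv(report):
    """Serialise the report rows back to CSV text (Result and Error as the last columns)."""
    if not report:
        return ""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(report[0].keys()), lineterminator="\n")
    writer.writeheader()
    writer.writerows(report)
    return buf.getvalue()


# Constructed sample input: one good row, one IP collision, one bad IP, one in-file duplicate.
SAMPLE_CSV = """Name,Type,IP
PLC-Line1,PLC,10.10.1.20
HMI-Line1,HMI,10.10.1.50
Spare-Switch,Switch,10.10.1.999
PLC-Line2,PLC,10.10.1.20
"""
EXISTING_ASSET_IPS = ["10.10.1.50"]   # constructed: already discovered by the system

if __name__ == "__main__":
    print(report_to_csv(validate_assets_csv(SAMPLE_CSV, EXISTING_ASSET_IPS)))
```

Feed the script an export of the current inventory as `existing_ips` and the rows marked Failed are the ones the upload would reject or, for colliding IPs, the ones the system would later overwrite with detected data.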
SCD Files
The Substation Configuration Description (SCD) file includes the complete communication-related details for a substation. You can now upload an SCD file to OT Security and gain visibility into your assets, IEC 61850 configuration and security insights about your environment.
Based on the SCD file information, OT Security reports findings related to substation misconfiguration, such as:
- Exposed access to Manufacturing Message Specification (MMS) reports from unauthorized clients.
- Unauthorized clients not mentioned in the SCD file that try to subscribe to MMS reports.
OT Security supports the following:
- Substation Configuration Language (SCL) versions 1.0 and 2.0.
- SCD files with only one substation.
To upload an SCD file:
- Go to Local Settings > Environment Configuration > Asset Settings.
  The Asset Settings page appears.
- In the SCD Files section, click Upload.
  Note: You can upload only one SCD file per substation. The most recently uploaded file containing the same substation name overrides the previous one.
- Browse and select the file to upload.
  OT Security uploads the SCD file and you can view the asset details in the Inventory > Details and IEC 61850 tabs. Any misconfiguration in the SCD file triggers an event and an unauthorized access error message appears at the top of the Details and IEC 61850 pages.
- (Optional) To download the findings details, in the error message, click Download Details.
  OT Security downloads the details in CSV format.
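To show what the SCD gives a monitoring tool to work with, here is an added example (not Tenable's code) that parses a minimal SCL document, collects the IEDs and the IP addresses declared under Communication/SubNetwork/ConnectedAP, enforces the one-substation limit stated above, and then compares observed MMS (TCP port 102) client addresses against the file so that clients the SCD does not mention are flagged. The SCD snippet and the observed sessions are constructed sample data; the SCL namespace is the standard IEC 61850-6 one.

```python
"""Added example (not Tenable's code): parse a minimal SCD and flag MMS clients
that the SCD does not declare."""
import xml.etree.ElementTree as ET

SCL_NS = {"scl": "http://www.iec.ch/61850/2003/SCL"}

# Constructed minimal SCD: one substation, two IEDs on one station bus.
SAMPLE_SCD = """<?xml version="1.0" encoding="UTF-8"?>
<SCL xmlns="http://www.iec.ch/61850/2003/SCL" version="2007" revision="B">
  <Header id="Demo substation"/>
  <Substation name="SUB1"/>
  <Communication>
    <SubNetwork name="StationBus" type="8-MMS">
      <ConnectedAP iedName="PROT1" apName="AP1">
        <Address>
          <P type="IP">192.168.20.11</P>
          <P type="IP-SUBNET">255.255.255.0</P>
        </Address>
      </ConnectedAP>
      <ConnectedAP iedName="HMI1" apName="AP1">
        <Address>
          <P type="IP">192.168.20.50</P>
        </Address>
      </ConnectedAP>
    </SubNetwork>
  </Communication>
  <IED name="PROT1" manufacturer="ExampleVendor"/>
  <IED name="HMI1" manufacturer="ExampleVendor"/>
</SCL>
"""


def parse_scd(text):
    """Return {'substations': [...], 'ieds': [...], 'ip_to_ied': {ip: iedName}}."""
    root = ET.fromstring(text)
    substations = [s.get("name") for s in root.findall("scl:Substation", SCL_NS)]
    if len(substations) != 1:
        # The documentation states that only SCD files with one substation are supported.
        raise ValueError("expected exactly one Substation, found %d" % len(substations))
    ieds = [i.get("name") for i in root.findall("scl:IED", SCL_NS)]
    ip_to_ied = {}
    for ap in root.findall(".//scl:Communication//scl:ConnectedAP", SCL_NS):
        for p in ap.findall("scl:Address/scl:P", SCL_NS):
            if p.get("type") == "IP" and p.text:
                ip_to_ied[p.text.strip()] = ap.get("iedName")
    return {"substations": substations, "ieds": ieds, "ip_to_ied": ip_to_ied}


def unauthorized_mms_clients(scd, sessions):
    """sessions: iterable of (client_ip, server_ip, dst_port).
    Returns one finding per MMS session whose client address the SCD does not declare."""
    known = scd["ip_to_ied"]
    findings = []
    for client, server, port in sessions:
        if port != 102:          # MMS runs over ISO transport on TCP port 102
            continue
        if client not in known:
            findings.append({"client": client, "server": server,
                             "server_ied": known.get(server, "unknown")})
    return findings


# Constructed observed sessions: HMI1 is declared in the SCD, 192.168.20.99 is not.
OBSERVED_SESSIONS = [
    ("192.168.20.50", "192.168.20.11", 102),
    ("192.168.20.99", "192.168.20.11", 102),
    ("192.168.20.99", "192.168.20.11", 443),
]

if __name__ == "__main__":
    scd = parse_scd(SAMPLE_SCD)
    print(scd)
    for f in unauthorized_mms_clients(scd, OBSERVED_SESSIONS):
        print("unauthorized MMS client %(client)s -> %(server)s (%(server_ied)s)" % f)
```

A real SCD also carries report control blocks and client lists per IED; the address-level comparison here is the simplest form of the "client not mentioned in the SCD" finding.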
Event Clusters
To facilitate the monitoring of events, multiple events with the same characteristics are clustered together into a single cluster. The clustering is based on event type (that is, events that share the same policy), source, and destination assets, and so on.
To cluster events, they must be generated within the following configured time intervals:
- Maximum time between consecutive events — Sets the maximal time interval between events. If this time passes, the consecutive events are not clustered.
- Maximum time between the first and last event — Sets the maximal time interval for all events to be shown as a cluster. An event that is generated after this time interval is not part of the cluster.
To enable clustering:
- Go to Local Settings > Environment Configuration > Event Clusters.
  The Event Clusters screen appears.
- Click the toggle to enable the desired categories for clustering.
- To configure the time intervals for a category, click Edit.
  The Edit Configuration window appears.
- Type the required number value in the number box and select the unit of time using the drop-down box.
  Note: For more information about clustering and time intervals, click the icon.
- Click Save.
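The two intervals interact in a way that is easier to see on data, so here is an added example (not Tenable's code) that applies the clustering rule above to a constructed event list: events sharing a cluster key (policy, source, destination) stay in the same cluster only while the gap to the previous event is within the first limit and the distance from the first event is within the second; breaching either limit starts a new cluster. The field names, the key choice and the sample events are assumptions for illustration.

```python
"""Added example (not Tenable's code): cluster events by (policy, source, destination)
under a maximum gap between consecutive events and a maximum first-to-last span."""
from datetime import datetime, timedelta


def cluster_key(event):
    """Events cluster together when they share policy, source and destination."""
    return (event["policy"], event["src"], event["dst"])


def cluster_events(events, max_gap_s, max_span_s):
    """Group events into clusters. Returns a list of lists, ordered by first event.
    max_gap_s: maximum seconds between consecutive events in a cluster.
    max_span_s: maximum seconds between the first and the latest event in a cluster."""
    clusters = []
    open_clusters = {}   # key -> the cluster currently accepting events for that key
    for ev in sorted(events, key=lambda e: e["time"]):
        key = cluster_key(ev)
        current = open_clusters.get(key)
        if current is not None:
            gap = (ev["time"] - current[-1]["time"]).total_seconds()
            span = (ev["time"] - current[0]["time"]).total_seconds()
            if gap <= max_gap_s and span <= max_span_s:
                current.append(ev)
                continue
        # No open cluster for this key, or a limit was exceeded: start a new cluster.
        new_cluster = [ev]
        clusters.append(new_cluster)
        open_clusters[key] = new_cluster
    return clusters


def make_events():
    """Constructed sample: one policy firing repeatedly between two assets, plus one unrelated event."""
    t0 = datetime(2024, 1, 1, 8, 0, 0)
    base = {"policy": "Unauthorized write", "src": "10.0.0.5", "dst": "10.0.0.9"}
    offsets = [0, 20, 45, 70, 400, 430]   # seconds after t0
    events = [dict(base, time=t0 + timedelta(seconds=s), id=i) for i, s in enumerate(offsets)]
    events.append({"policy": "New asset", "src": "10.0.0.7", "dst": "-",
                   "time": t0 + timedelta(seconds=30), "id": 99})
    return events


if __name__ == "__main__":
    # 1 minute between consecutive events, 5 minutes first-to-last.
    for c in cluster_events(make_events(), max_gap_s=60, max_span_s=300):
        print(cluster_key(c[0]), [e["id"] for e in c])
```

With a 1-minute gap and a 5-minute span the first four events form one cluster and the two late ones another; tightening the span to 50 seconds splits the fourth event (70 s after the first) into its own cluster even though its gap to the previous event is only 25 seconds.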
PCAP Player
OT Security enables you to upload a PCAP (Packet Capture) file containing recorded network activity and "play" it on OT Security. When you "play" a PCAP file, OT Security monitors the network traffic and records all information about detected assets, network activity, and vulnerabilities as if the traffic occurred within your network. You can use this feature for simulation purposes or to analyze traffic that occurs outside of the network that OT Security monitors, for example at remote plants.
Upload a PCAP File
To upload a PCAP file:
- Go to Local Settings > Environment Configuration > PCAP Player.
- Click Upload PCAP File.
  The File Explorer opens.
- Select the required PCAP recording.
- Click Open.
  OT Security uploads the PCAP file to the system.
Play a PCAP File
To play a PCAP file:
- Go to Local Settings > Environment Configuration > PCAP Player.
- Select the PCAP recording you want to play.
- Click Actions > Play.
  The Play PCAP wizard appears.
- In the Play Speed drop-down box, select the speed at which you want the system to play the file.
  Options are: 1X, 2X, 4X, 8X or 16X.
  Note: Playing a PCAP file injects data into the system; you cannot undo or stop this operation once it runs.
- Click Play.
  The system plays the PCAP file. All network activity in the PCAP file is registered in the system and assets identified by the system are added to the assets inventory.
  Note: You cannot play another PCAP file while a file is still playing.