Avoid Scanning Fragile Devices

Every network contains fragile devices that cannot be included in active scanning because of the sensitive nature of such devices. Operational Technology (OT) is the most common category of sensitive devices. OT refers to programmable systems or devices that interact with a physical environment, such as Internet of Things (IoT) devices and Industrial Control Systems (ICS). Common practice in OT environments is to avoid active scanning because of the risk of degrading or disrupting service. Because of IT/OT convergence, IT and OT networks are no longer as segregated as they once were, so it is common to find OT devices on the IT network and vice versa. This makes an organization's scanning strategy all the more important.

Tenable uses ICS/SCADA Smart Scanning by default to safely identify OT devices and stop scanning them once they are discovered. ICS/SCADA Smart Scanning reduces the number of plugins run against fragile devices by 90%, eliminating the plugins that put the greatest load on the device, including HTTP and SSH testing. On the scan configuration page, under Settings > Discovery > Fragile Devices, the Scan Operational Technology devices slider is disabled by default; leaving it disabled keeps ICS/SCADA Smart Scanning turned on. If the Scan Operational Technology devices slider is enabled, the scanner performs a full scan of OT devices, such as programmable logic controllers (PLCs) and Remote Terminal Units (RTUs) that monitor environmental factors and the activity and state of machinery. Tenable does not recommend enabling this setting, whether scanning an "IT" or an "OT" network.

OT Security can be used to safely and comprehensively gain visibility into an OT environment. OT Security uses passive monitoring and communication in each device’s proprietary protocol since these methods do not interfere with OT devices. A restricted version of the Nessus scanner is included in OT Security to permit scanning of the non-sensitive OT devices, such as Human Machine Interfaces (HMIs), Historians, and network devices. Tenable Vulnerability Management and OT Security work together to provide a unified view of IT and OT security. Check out the Getting Started with OT Security Dashboard for Tenable Vulnerability Management.

Continue reading for more information about ICS/SCADA Smart Scanning, which can be used to identify devices to add to the "do not scan" list.

ICS/SCADA Smart Scanning identifies OT devices and stops scanning them once discovered. The following list provides further details of ICS/SCADA Smart Scanning:

  1. Smart Scanning pings the IP address to determine if a device is using that address.

  2. Smart Scanning probes against open known OT ports and protocols. Initially supported protocols include Siemens S7, Modbus, BACnet, Omron FINS, Ethernet CIP, 7T IGSS, and ICCP COTP.

  3. When an OT port or protocol is identified, Nessus will report the open ports and protocol found. Many of the protocols include INFO or QUERY commands to capture basic information about the device, such as the device type. Nessus records the information provided by the device protocol.

  4. The scan stops for that device. Plugin 109142 reports the OT device whenever an OT protocol was identified and full scanning of OT devices was not enabled.

  5. The devices listed by plugin 109142 can be added to the “do not scan” list.
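As an added example (not Tenable's code and not part of the original page), the following Python script reads a scan export in the .nessus v2 XML format, collects every host on which plugin 109142 fired together with the port, protocol and plugin output it recorded, and builds the comma-separated list for the scan's exclusion field. The sample export, its addresses and its plugin names are constructed; the exact plugin name and the syntax the exclusion field accepts are assumptions.

```python
import xml.etree.ElementTree as ET

# Plugin ID named on the page: fires when an OT protocol was identified
# and full scanning of OT devices was left disabled.
SMART_SCAN_PLUGIN_ID = "109142"

# Constructed sample shaped like a .nessus (v2) export. Addresses, ports,
# the Smart Scanning plugin name and plugin_output text are made up here.
SAMPLE_NESSUS = """<?xml version="1.0"?>
<NessusClientData_v2><Report name="constructed-scan">
  <ReportHost name="192.0.2.10">
    <ReportItem port="502" svc_name="modbus" protocol="tcp" severity="0" pluginID="109142" pluginName="(constructed) Smart Scanning" pluginFamily="SCADA">
      <plugin_output>Modbus device detected; remaining plugins skipped.</plugin_output>
    </ReportItem>
  </ReportHost>
  <ReportHost name="192.0.2.11">
    <ReportItem port="102" svc_name="iso-tsap" protocol="tcp" severity="0" pluginID="109142" pluginName="(constructed) Smart Scanning" pluginFamily="SCADA">
      <plugin_output>Siemens S7 device detected; remaining plugins skipped.</plugin_output>
    </ReportItem>
  </ReportHost>
  <ReportHost name="192.0.2.20">
    <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0" pluginID="10267" pluginName="SSH Server Type and Version Information" pluginFamily="Service detection"/>
  </ReportHost>
</Report></NessusClientData_v2>
"""


def ot_devices_from_nessus(xml_text, plugin_id=SMART_SCAN_PLUGIN_ID):
    """Map each ReportHost name where the Smart Scanning plugin fired to the
    (port, protocol, plugin_output) entries it produced, so each candidate
    can be reviewed before it is excluded from future scans."""
    root = ET.fromstring(xml_text)
    found = {}
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            if item.get("pluginID") != plugin_id:
                continue
            output = (item.findtext("plugin_output") or "").strip()
            found.setdefault(host.get("name"), []).append(
                (item.get("port"), item.get("protocol"), output))
    return found


def do_not_scan_list(xml_text):
    """Comma-separated, sorted host names for the scan's exclusion field
    (assumption: the field accepts plain comma-separated addresses)."""
    return ",".join(sorted(ot_devices_from_nessus(xml_text)))
```

Hosts that only produced ordinary service-detection results, such as 192.0.2.20 in the sample, are left out of the exclusion list.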