To get the most out of an on-premise PoC, make educated decisions about the following topics before starting the technical implementation.
Identify participating sites
Identify good candidates for PoC participation. If your operation features similar types of production facilities, you may want to include sites from different geographical regions. If your production facilities are considerably different, it is a good idea to represent such diversity in the PoC.
It is not necessarily required that each participating site and network has online connectivity to OT-BASE Asset Center. Some probing results from Asset Discovery may simply be forwarded by email, and results discussed with remote staff in a web conference.
Identify target networks and device types
You should have a clear idea of which networks you want to include in the PoC. In many cases this overlaps with the different device types that you are using and that you want to see in OT-BASE Asset Center.
As an example, if you want to see network switches and network topology, you will need to access switch management networks. If you want to see automation equipment, you will need to access process networks. And so on.
Get access credentials where needed
Some probes require access credentials, most notably WMI (Windows Management Instrumentation) and SNMP (Simple Network Management Protocol).
WMI is used to pull software configuration data from Windows computers. It always requires credentials (username/password). If you don't have an appropriate group account already, create one. OT-BASE only needs read-only access rights. It will not change configuration settings.
SNMP is mostly used to obtain connectivity information from network switches. There are different versions of SNMP in use. Version 3 is the only version that requires authentication at the switch; earlier versions neither require nor support authentication. For those versions, make sure that the SNMP community string is either still the default value "public" or, if it has been changed, that you know the configured value.
In some cases obtaining access credentials may take quite a while, especially when appropriate accounts must be created in the first place. It is suggested that this is already taken care of before you start your PoC.
Identify hosting candidates for OT-BASE Asset Discovery
Asset Discovery is a Windows service and can use all network adapters of the machine it is running on. In addition, you can probe remote networks if they can be reached via routing, and if the protocols you want to use for probing support routing (for example, this does not fully apply to Profinet).
Good candidates for installation of Asset Discovery are engineering stations, as they often connect to multiple networks and don't have real-time processing requirements.
Another consideration is whether the candidate machine can easily talk to the server that hosts OT-BASE Asset Center.
Identify a hosting candidate for OT-BASE Asset Center
OT-BASE Asset Center requires a Linux host with the Docker container platform installed. That host can be bare metal or virtualized. A major aspect for picking an appropriate host is the networking environment as all or most Asset Discovery nodes should be able to talk to Asset Center directly.
When considering firewall rules, note that Asset Center never tries to connect to Asset Discovery nodes; it is always the other way around. Therefore, outgoing connection attempts from Asset Center to process networks may be blocked.
If you want to use automatic imports of vulnerability data, Asset Center must be able to connect to https://nvd.nist.gov and https://api.msrc.microsoft.com/.
Identify hosting candidates for OT-BASE Discovery Manager
Discovery Manager is an application for managing multiple Asset Discovery nodes. Among other things, it relieves you from having to RDP to a remote Asset Discovery node for configuration changes. You can run multiple instances of Discovery Manager, just remember that the software can only manage Asset Discovery nodes that it can reach online.
Since Discovery Manager allows for configuration changes of Asset Discovery nodes, it has higher security requirements than Asset Center and should not be placed in an enterprise network.
Identify, and coordinate with, key personnel
For some tasks you will need the cooperation of certain people who may be difficult to onboard and schedule. For example, you may need network administrators and control engineers. You may need system administrators for sharing access credentials or creating system accounts.
In addition, and just as important, you need the cooperation of end users. Identify target groups (engineering, OT security, IT, maintenance, ...) and the individuals that best represent these groups when it comes to defining, and evaluating, essential use cases.
Develop a project plan / timeline
After having all the information needed for the topics mentioned above, it is a good idea to develop a project plan with a solid timeline.