ICS SHIELD

R 510.2

Asset Passive Discovery (Asset PD) User Guide

CS-ICSE777en-510B

September 2019

DISCLAIMER

This document contains Honeywell proprietary information. Information contained herein is to be used solely for the purpose submitted, and no part of this document or its contents shall be reproduced, published, or disclosed to a third party without the express permission of Honeywell International Sàrl.

While this information is presented in good faith and believed to be accurate, Honeywell disclaims the implied warranties of merchantability and fitness for a purpose and makes no express warranties except as may be stated in its written agreement with and for its customer.

In no event is Honeywell liable to anyone for any direct, special, or consequential damages. The information and specifications in this document are subject to change without notice.

Copyright 2019 – Honeywell International Sàrl

DocID CS-ICSE777en-510B 2

Notices

Trademarks

Experion®, PlantScape®, SafeBrowse®, TotalPlant®, and TDC 3000® are registered trademarks of Honeywell International, Inc.

ControlEdge™ is a trademark of Honeywell International, Inc.

OneWireless™ is a trademark of Honeywell International, Inc.

Matrikon® and MatrikonOPC™ are trademarks of Matrikon International. Matrikon International is a business unit of Honeywell International, Inc.

Movilizer® is a registered trademark of Movilizer GmbH. Movilizer GmbH is a business unit of Honeywell International, Inc.

Other trademarks

Trademarks that appear in this document are used only to the benefit of the trademark owner, with no intention of trademark infringement.

Third-party licenses

This product may contain or be derived from materials, including software, of third parties. The third party materials may be subject to licenses, notices, restrictions and obligations imposed by the licensor.

The licenses, notices, restrictions and obligations, if any, may be found in the materials accompanying the product, in the documents or files accompanying such third party materials, in a file named third_party_ licenses on the media containing the product, or at http://www.honeywell.com/ps/thirdpartylicenses.

Legal Notices

• "/IP"

• "COTP"

• "TPKT"

• "Link-Local Multicast Name Resolution"

• "Server Message Block"

• "Tabular Data Stream"

• "Transparent Network Substrate"

• "DNP3"

• "EtherCAT"

• "IEC 60870 5"

• "Generic Substation Events"

• "BACnet"

• "Manufacturing Message Specification"

• "ICCP Protocol"

• "DCERPC"

• "OPC Data Access"

• "PROFINET"

• "Profibus"

• "Routing Information Protocol"

• "Interior Gateway Routing Protocol"

• "Open Shortest Path First"

• "Cisco Discovery Protocol"

• "Link Layer Discovery Protocol"

• "Simple Network Management Protocol"

These articles are released under the Creative Commons Attribution-Share-Alike License 3.0.

Documentation feedback

You can find the most up-to-date documents on the Honeywell Process Solutions support website at: http://www.honeywellprocess.com/support

If you have comments about Honeywell Process Solutions documentation, send your feedback to: [email protected]

Use this email address to provide feedback, or to report errors and omissions in the documentation. For immediate help with a technical problem, contact your local Honeywell Process Solutions Customer Contact Center (CCC) or Honeywell Technical Assistance Center (TAC).


How to report a security vulnerability

For the purpose of submission, a security vulnerability is defined as a software defect or weakness that can be exploited to reduce the operational or security capabilities of the software.

Honeywell investigates all reports of security vulnerabilities affecting Honeywell products and services.

To report a potential security vulnerability against any Honeywell product, please follow the instructions at: https://honeywell.com/pages/vulnerabilityreporting.aspx

Submit the requested information to Honeywell using one of the following methods:

• Send an email to [email protected], or

• Contact your local Honeywell Process Solutions Customer Contact Center (CCC) or Honeywell Technical Assistance Center (TAC) listed in the "Support" section of this document.

Support

For support, contact your local Honeywell Process Solutions Customer Contact Center (CCC). To find your local CCC visit the website, https://www.honeywellprocess.com/en-US/contact-us/customer-support-contacts/Pages/default.aspx.

Training classes

Honeywell holds technical training classes that are taught by process control systems experts. For more information about these classes, contact your Honeywell representative, or see http://www.automationcollege.com.


About this Guide

This guide describes how to configure and use the Asset Passive Discovery (Asset PD), the solution that enables the VSE to collect information about the network assets that the VSE can access.

Scope

This guide provides step-by-step instructions for configuring, distributing, and using Asset Passive Discovery (Asset PD) at all levels, from the initial settings up to the deployment in the Security Center and the VSEs.

Intended audience

This guide is for people who are responsible for the configuration and operation of Asset Passive Discovery (Asset PD) on the Security Center and VSEs:

• Initial Settings - Professional Services, Support, or IT personnel

• Security Center – Administrators and operators

• VSE – Administrators and operators

Prerequisite skills

This guide assumes basic knowledge of the ICS Shield R 510.2 modules relevant to the Security Center, the VSE, or both, depending on your specific role.

Related documents

The following list identifies publications that contain information relevant to the information in this document.

Document Name | Document Number

ICS Shield R510.1 - Security Center Getting Started Guide | CS-ICSE400en-510A

ICS Shield R510.1 - Virtual Security Engine – User Guide | CS-ICSE601en-510A


Revision history

Revision | Supported Release | Date | Description

A | Release 510.1 | August 2019 | This software is an upgrade-only release from Release 501.1

A | Release 500.1 | June 2019 | First release of product to Honeywell Enterprise customers


Contents

1. SECURITY CONSIDERATIONS ...... 11
1.1 Physical security ...... 11
1.2 Secured zone ...... 11
1.3 Limiting access ...... 11
1.3.1 At the VSE level ...... 11
1.3.2 At the directory or file level ...... 12
1.4 Authorization measures ...... 12
2. TERMS AND DEFINITIONS ...... 13
3. INTRODUCTION ...... 15
3.1 Understanding the AssetPD solution ...... 15
3.2 The Definition of Asset ...... 16
3.3 Exploring the AssetPD architecture ...... 17
4. INSTALLATION ...... 19
4.1 Installation prerequisites ...... 19
4.1.1 Configuring the mirror port ...... 19
4.2 Installation procedure ...... 20
5. CONFIGURATION ...... 22
5.1 Configuring AssetPD ...... 22
5.1.1 Configuring the connection to remote VSE ...... 22
5.1.2 Configuration of sources ...... 23
5.2 Configuring network interfaces ...... 23
5.3 Configuring offline sources ...... 24
6. RUNNING ASSETPD ...... 26
6.1 Getting AssetPD Results ...... 26
A PROTOCOLS SUPPORTED BY ASSETPD ...... 30
A.1 Link layer protocol ...... 30
A.2 Internet protocol suite ...... 30
A.3 SCADA (Supervisory Control and Data Acquisition) ...... 33
A.4 Database ...... 37
A.5 Network file sharing protocol ...... 38
A.6 IT ...... 39
A.7 Routing protocol ...... 39
A.8 Discovery protocol ...... 40
A.9 Communication Protocol ...... 41


B POSSIBLE ASSETPD VALUES ...... 42
C CONFIGURING ASSETPD TO WORK FROM A VIRTUAL MACHINE ...... 44
C.1 Requirements ...... 44
C.2 Configuration process ...... 44


List of Figures

FIGURE 3-1: ASSETPD CONFIGURATION SCREEN ...... 15
FIGURE 3-2: ASSETPD ARCHITECTURE ...... 17
FIGURE 4-1: CONFIGURATION OF MIRRORING PORT ...... 20
FIGURE 4-2: PRE-INSTALLATION SUMMARY SCREEN ...... 21
FIGURE 5-1: REMOTE VSE CONFIGURATION ...... 23
FIGURE 5-2: LIST OF NICS ...... 24
FIGURE 5-3: OFFLINE SOURCES TAB ...... 24
FIGURE 6-1: NEW DEVICE WITH HONEYWELL ASSET DISCOVERY REPORT GENERATOR ...... 26
FIGURE 6-2: HONEYWELL ASSET DISCOVERY REPORT GENERATOR PRODUCT LINE ...... 27
FIGURE 6-3: THE ASSET DISCOVERY REPORT ...... 27
FIGURE 6-4: THE HTML DISCOVERY REPORT ...... 28
FIGURE 6-5: THE EXCEL DISCOVERY REPORT ...... 28
FIGURE 6-6: CONNECTION TYPE WIZARD PAGE ...... 45
FIGURE 6-7: NETWORK ACCESS WIZARD PAGE ...... 45
FIGURE 6-8: SWITCH PROPERTIES ...... 45
FIGURE 6-9: VIRTUAL MACHINE HARDWARE TAB ...... 45
FIGURE 6-10: VIRTUAL MACHINE HARDWARE TAB ...... 45
FIGURE 6-11: SELECTING A NETWORK LABEL ...... 45


SECURITY CONSIDERATIONS

1. Security Considerations

This chapter outlines the security measures for Asset Passive Discovery (Asset PD).

1.1 Physical security

Asset Passive Discovery (Asset PD) is a mission-critical component.

CAUTION: Take all necessary physical measures to prevent attacks or disasters. Ensure that the server where the product is installed is located in an approved physically secure location that is accessible only to authorized personnel.

1.2 Secured zone

Asset Passive Discovery (Asset PD) contains sensitive information, the loss of which could have severe consequences. Therefore, the sensitive information must be protected and attacks against the product prevented. To do that, the VSE software, as well as its related extensions, must be installed in an internally secured zone such as the site's layer 3 network, with strict access control lists and appropriate firewall/routing rules.

Ensure that Asset Passive Discovery (Asset PD) is installed in a directory that is only accessible to authorized personnel responsible for the product.

CAUTION: If Asset Passive Discovery (Asset PD) is installed on one or more servers that are exposed to untrusted networks such as the Internet, protection against denial-of-service (DoS) attacks must be implemented.

1.3 Limiting access

It is highly recommended to follow regulatory, industry, and enterprise standards for limiting access to sensitive information as specified below.

1.3.1 At the VSE level

The user management at the host running the VSE must follow the principles of need to know and least privilege: only users who absolutely must have access to the computer are granted access, and these users are assigned the minimal set of permissions that allows them to perform their job.


1.3.2 At the directory or file level

Access to directories and files should also be granted in accordance with the principles of need to know and least privilege: only users who absolutely must have access to the requested directory and file are granted access, and these users are assigned the minimal set of permissions that allows them to perform their job.

Use the built-in file access audit logging of the OS to monitor unauthorized changes to sensitive files.

1.4 Authorization measures

It is strongly recommended to implement the following security measures:

• Change the default administrative password and delete/disable the default service accounts as soon as new administrative accounts are created

• Disable any default Administrator/Root user on the computer

• Disable any default Guest user on the computer

• Disable any unauthenticated access to the computer via shared directories etc.

• Ensure that the OS is up to date with the latest security patches provided by the OS vendor


TERMS AND DEFINITIONS

2. Terms and definitions

NOTE: The terms and definitions are listed in alphabetical order.

Term | Definition

asset | Any site component that is connected to the network and is accessible from the VSE.

communication server (CS) | The Communication Server provides secure communication between the Security Center and the VSEs and, optionally, between the VSEs themselves.

compliance | Whether the device meets the organization policy.

device | A representation of a physical or virtual server or machine in the VSE.

Essential security policy (ESP) | Essential Security Policy: A collection of scripts related to one logical area, such as machine security status, hardware information, event logs, or storage information; these scripts can either be run on demand (Diagnose Routine or Corrective Action) or based on a predefined schedule.

execution profile | A collection of scripts related to one logical area, such as machine security status, hardware information, event logs, or storage information; these scripts can either be run on demand (Diagnose Routine or Corrective Action) or based on a predefined schedule.

Experion | Honeywell distributed control system (DCS).

HQ | Headquarters; the physical location of the Security Center.

metropolitan area network (MAN) | A computer network that interconnects users with computer resources in a geographic region of the size of a metropolitan area.

monitoring profile (MP) | An execution profile configured to run at set time intervals, such as Every day at 18:00.

Network Interface Card (NIC) | An NIC, also known as a network interface controller, implements the electronic circuitry required for communicating by using a specific physical layer and standard such as Ethernet or Wi-Fi. This allows communication among computers on the same local area network (LAN) and large-scale network communications through routable protocols, such as Internet Protocol (IP).

pcap files | Data files created by using Wireshark, a program used for analyzing networks. .pcap files contain the packet data of a network and are used mainly for analyzing the network characteristics of a given set of data. These files also help control the traffic of a given network, because that traffic is monitored by the program. All data and results of the network analysis are saved by using the .pcap file extension.

Perl | A scripting language used by execution profiles.

product line | A set of actions and scripts that together instruct the VSE to perform certain procedures on devices that are defined in the VSE.

Security Center (SC) | ICS Shield component that is installed at the corporate data center. The Security Center is composed of various software components, which make it possible to remotely collect, analyze, view, manage, and store data retrieved from the VSEs. This data refers to the monitored network assets and devices found at the VSE's sites.

site | A remote physical location, such as an industrial plant, which includes one or more network environments and has at least one VSE.

time server | A server computer that reads the actual time from a reference clock and distributes this information to its clients using a computer network.

VSE | The ICS Shield component that is installed at the remote site, monitors the devices at the site, and provides additional functionalities such as remote access.


INTRODUCTION

3. Introduction

This chapter presents a brief introduction to the ICS Shield, the main functions of the Asset Passive Discovery (Asset PD), and the requirements for running the ESP.

3.1 Understanding the AssetPD solution

AssetPD is a tool that obtains network traffic from configured sources, parses this information, and identifies the detected assets. AssetPD is installed and configured on a Windows-operated computer.

By supporting several protocols with different formats, AssetPD gets traffic (raw information) from the following sources:

• Recorded network traffic from pcap files (offline sources).

NOTE: AssetPD does not support pcapng files.

• Real-time network traffic from live switches.

AssetPD is activated by pressing Start in the AssetPD configuration screen.

Figure 3-1: AssetPD configuration screen

AssetPD parses the packets from the given sources and identifies assets based on the parsed information. Initially, all assets are classified as hosts. AssetPD collects and coordinates all available information to identify each asset. When this process is complete, assets whose classification has not been confirmed remain classified as hosts, while other assets are classified as routers, printers, controllers and so on. Customers are then provided with a detailed asset inventory, generated in HTML and Excel formats.

The list of assets discovered by AssetPD is encrypted and sent to the VSE, where it is displayed as a report. The VSE periodically synchronizes its asset database with the AssetPD asset repository.
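The discovery flow described above (recorded frames in, source MAC and source IP out, every asset starting as a host) as an added Python example; this is not Honeywell's code and makes no claim about how AssetPD itself is implemented. It also enforces the note that pcapng captures are not accepted, and the frame builders, MAC addresses and IPs at the bottom are constructed for the demo; the ARP, IPv4 and TCP fields it reads are the ones Appendix A lists as used for asset data.

```python
import struct

ETHERTYPE_IPV4, ETHERTYPE_ARP, ETHERTYPE_VLAN = 0x0800, 0x0806, 0x8100
PCAPNG_MAGIC = 0x0A0D0D0A             # first block type of a pcapng file
LE_MAGICS = (0xA1B2C3D4, 0xA1B23C4D)  # classic pcap: microsecond / nanosecond timestamps
BE_MAGICS = (0xD4C3B2A1, 0x4D3CB2A1)  # the same magics as written by a big-endian host


def _mac(b):
    return ":".join(f"{x:02x}" for x in b)


def _ip(b):
    return ".".join(str(x) for x in b)


def is_supported_capture(data):
    """True only for a classic Ethernet pcap; pcapng (and anything else) is rejected."""
    if len(data) < 24:
        return False
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAPNG_MAGIC or magic not in LE_MAGICS + BE_MAGICS:
        return False
    endian = "<" if magic in LE_MAGICS else ">"
    return struct.unpack(endian + "I", data[20:24])[0] == 1  # LINKTYPE_ETHERNET


def discover_assets(data):
    """Walk every record and return {source MAC: asset}; each starts classified as 'host'."""
    if not is_supported_capture(data):
        raise ValueError("not a classic Ethernet pcap (pcapng is not supported)")
    endian = "<" if struct.unpack("<I", data[:4])[0] in LE_MAGICS else ">"
    assets, off = {}, 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < incl_len:  # truncated trailing record: stop without raising
            break
        _ingest_frame(frame, assets)
    return assets


def _ingest_frame(frame, assets):
    if len(frame) < 14:
        return
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    payload = frame[14:]
    if ethertype == ETHERTYPE_VLAN and len(payload) >= 4:  # 802.1Q: skip the tag
        ethertype = struct.unpack("!H", payload[2:4])[0]
        payload = payload[4:]
    mac = _mac(src)  # the source MAC keys the asset, as in Appendix A.1
    asset = assets.setdefault(
        mac, {"mac": mac, "ips": set(), "tcp_ports": set(), "classification": "host"})
    if ethertype == ETHERTYPE_ARP and len(payload) >= 28:
        # 8-byte fixed header, then sender MAC, sender IP, target MAC, target IP
        spa = struct.unpack("!8x6s4s10x", payload[:28])[1]
        if spa != bytes(4):  # ARP probes carry sender IP 0.0.0.0; that is not an address
            asset["ips"].add(_ip(spa))
    elif ethertype == ETHERTYPE_IPV4 and len(payload) >= 20:
        ihl = (payload[0] & 0x0F) * 4
        asset["ips"].add(_ip(payload[12:16]))
        if payload[9] == 6 and len(payload) >= ihl + 4:  # TCP: keep the source port
            asset["tcp_ports"].add(struct.unpack("!H", payload[ihl:ihl + 2])[0])


# --- constructed sample capture for the demo; not a real recording -------------
def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_567_296_000 + i, 0, len(f), len(f)) + f
    return out


def arp_request(src_mac, src_ip, target_ip):
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1, src_mac, src_ip, bytes(6), target_ip)
    return b"\xff" * 6 + src_mac + b"\x08\x06" + arp


def tcp_syn(src_mac, dst_mac, src_ip, dst_ip, sport, dport):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src_ip, dst_ip)
    return dst_mac + src_mac + b"\x08\x00" + ip + tcp  # checksums left zero: parsing only


MAC_A, IP_A = bytes.fromhex("001122334455"), bytes([192, 168, 1, 10])
MAC_B, IP_B = bytes.fromhex("00aabbccddee"), bytes([192, 168, 1, 20])
SAMPLE_PCAP = build_pcap([
    arp_request(MAC_A, IP_A, IP_B),       # A asks who has 192.168.1.20
    arp_request(MAC_B, bytes(4), IP_B),   # B sends an ARP probe (sender IP 0.0.0.0)
    tcp_syn(MAC_B, MAC_A, IP_B, IP_A, 49152, 80),
])
PCAPNG_SAMPLE = bytes.fromhex("0a0d0d0a") + bytes(24)  # Section Header Block prefix

if __name__ == "__main__":
    for a in discover_assets(SAMPLE_PCAP).values():
        print(a["mac"], sorted(a["ips"]), sorted(a["tcp_ports"]), a["classification"])
```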


NOTE: Because the entire operation involves reading existing network traffic by analyzing the packets, without actively scanning the network, AssetPD does not consume any network traffic.

Asset Passive Discovery (Asset PD) is designed to meet the following needs:

• Security: Identification of all the network components is fundamental to network security. Any unknown component is a potential security breach. An automated solution verifies that all network components are known and monitored.

• Cost efficiency: Manual inventory management can be inefficient and costly in terms of manpower and money. An automated solution reduces the cost and time involved in inventory management.

• Compliance and regulations: Many industrial companies must comply with government regulations and obtain the certifications of one or more organizations. Often the compliance policies require constant monitoring and auditing of all machines and hardware being used in the company. An automated solution facilitates and simplifies compliance.

NOTE: For a list of the protocols supported for asset discovery through AssetPD, see appendix A, Protocols supported by AssetPD.

3.2 The Definition of Asset

Assets can be included in one of the following groups:

• Host machines, such as PCs, laptops, database servers, printers.

• Field controllers, such as PLCs.

• Network components, such as routers and switches.

• Security components, such as firewalls.

• SCADA components, such as SCADA Gateways, HMIs, and Engineering Stations.

In the AssetPD asset repository, assets can be classified to one of several values. For details see appendix B, Possible AssetPD values.


3.3 Exploring the AssetPD architecture

The following diagram illustrates the architecture of the AssetPD solution:

Figure 3-2. AssetPD architecture

NOTE: Depending on your network topology and needs, it is possible to install AssetPD on several machines that are not connected to the same network but are all connected to the same VSE.


The information flow is as follows:

1. Information about network traffic arrives at the AssetPD from the following sources:

. Network interfaces

Physical link between the AssetPD and a mirroring port – a dedicated network interface in a switch for capturing network traffic. For details about the mirroring port configuration see section 4.1.1, Configuring the mirror port.

. Pcap files

Pcap files are used for storing recordings of network traffic. These can also include recordings of traffic in remote locations that are brought in by means such as a cellular network or a USB flash drive.

2. Information about each asset is collected and parsed.

3. After the AssetPD mechanism parses the information, the various elements that were collected are recognized. An asset discovery report is generated, listing all discovered assets and their classifications. This report is available from the VSE and is sent to the Security Center.

4. The list of assets discovered by AssetPD is encrypted and sent to the VSE, where it is displayed as a report. The report is available in both the VSE and the Security Center.


INSTALLATION

4. Installation

This chapter provides information for properly installing AssetPD.

4.1 Installation prerequisites

The minimum machine requirements for using the AssetPD are:

• AssetPD supports the following Windows distributions:

. Windows Server 2012 R2 Standard

. Windows Server 2016 Standard

• CPU - 4 cores

• RAM – 8 GB

NOTE: AssetPD can be installed on a virtual machine. For details see Appendix C, Configuring AssetPD to work from a virtual machine.

NOTE: The set of recommended prerequisites varies based on parameters such as traffic volume and environment size. To obtain the list most suitable for your needs, contact Support.

AssetPD requires a connection to a VSE machine with the following configuration:

. VSE version 4.9.46 or higher, part of ICS Shield R510.2

. HTTPS communication support (see VSE Administration Guide - Configuring VSE to Support HTTPS).

. Honeywell Asset Discovery Report Generator product line imported.

4.1.1 Configuring the mirror port

To configure a mirror port:

1. Define the ports from which traffic is to be collected; in the example shown in the figure below, ports 1-3.

2. Define a target (mirror) port to be used for sniffing the requested network traffic packets.

3. Connect the mirror port to the AssetPD’s NIC.


Figure 4-1: Configuration of mirroring port

4.2 Installation procedure

The AssetPD package and supporting software must be installed on a Windows-operated computer in the industrial control network where the switches and assets are located. One AssetPD can be connected to multiple mirror ports.

The AssetPD package consists of the following:

• AssetPD application

• AssetPD Manager GUI Utility

To install the AssetPD:

1. Download the AssetPD installer to the target computer.

2. Run the installation wizard:

a. Accept the license agreement.

b. Choose whether to accept the default installation folder or to select another folder.

c. Review the installation information as shown below.


Figure 4-2: Pre-installation summary screen

d. Once the installation completes, click Done to exit the wizard.

In addition to installing and setting up the AssetPD application, the AssetPD Manager Installer automatically performs the following tasks:

• Creating a Java folder with AdoptOpenJDK Java 11.

• Installing WinPcap.

• Updating the AssetPD configuration file with the path to Java.

• Installing and setting up the AssetPD Manager GUI utility.

• Creating a desktop shortcut to the AssetPD Manager GUI.


CONFIGURATION

5. Configuration

This chapter describes the steps required for configuring AssetPD for both source types (network interfaces and offline sources), as well as for connecting to a remote VSE.

NOTE: Working from a virtual machine requires a special configuration. For details see Appendix C, Configuring AssetPD to work from a virtual machine.

5.1 Configuring AssetPD

Configuring AssetPD requires local administrator privileges. AssetPD configuration consists of the following steps:

• Configuring the network interfaces and offline sources to be used for data collection.

• Downloading the VSE certificate. To enable HTTPS communication with the VSE, the AssetPD needs the VSE certificate.

• Connecting to the VSE using the following credentials:

. username

. password

. URL

. Certificate

NOTE: Changes made to the AssetPD configuration only take effect after restarting the service.

5.1.1 Configuring the connection to remote VSE

The AssetPD can transfer asset data to the target remote VSE only if an HTTPS connection is established with the remote VSE.

To get the information required for HTTPS connection:

1. Open the AssetPD Manager and click the Remote VSE tab, as shown in the figure below.


Figure 5-1: Remote VSE configuration

2. Click Edit at the bottom of the screen, and enter values in the following fields:

. VSE URL

. VSE Username

. VSE Password

3. Under VSE Certificate, click Browse. Browse to the downloaded VSE certificate and select it.

4. Click Save.

5.1.2 Configuration of sources

An AssetPD can collect asset data only if at least one source is specified and activated.

For each source, specify:

• Source name – used by the VSE as the report name.

• Requested IP range (optional). It is possible to provide a list of IP ranges, separated by spaces, using the format shown below:

192.168.1.1/24 192.173.1.1/24

• Whether the source is activated or deactivated.
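Parsing the Requested IP range field in the documented format and applying it to a discovered inventory, as an added Python example (not Honeywell code, and not how AssetPD Manager itself validates the field). Accepting commas as well as spaces is an assumption taken from the comma-separated wording in section 5.3, and the sample inventory is constructed.

```python
import ipaddress
import re


def parse_ip_ranges(field):
    """Parse the Requested IP range field into ip_network objects.

    Entries are separated by whitespace as in the guide's example
    ("192.168.1.1/24 192.173.1.1/24"); commas are accepted as well (assumption).
    An entry with host bits set, such as 192.168.1.1/24, is normalized to
    192.168.1.0/24 instead of being rejected, and a bare address becomes a
    single-host range (/32 or /128).
    """
    ranges = []
    for token in re.split(r"[\s,]+", field.strip()):
        if not token:
            continue
        try:
            ranges.append(ipaddress.ip_network(token, strict=False))
        except ValueError as exc:
            raise ValueError(f"invalid IP range entry {token!r}: {exc}") from None
    return ranges


def in_scope(address, ranges):
    """An empty range list means no filtering, since the field is optional."""
    if not ranges:
        return True
    addr = ipaddress.ip_address(address)
    return any(addr in net for net in ranges)


def filter_assets(assets, field):
    """Keep only the assets whose IP falls inside one of the configured ranges."""
    ranges = parse_ip_ranges(field)
    return [a for a in assets if in_scope(a["ip"], ranges)]


def overlapping_ranges(ranges):
    """Pairs of entries that overlap: harmless for filtering, but usually a typo."""
    return [(a, b) for i, a in enumerate(ranges) for b in ranges[i + 1:]
            if a.version == b.version and a.overlaps(b)]


# constructed sample inventory; not real discovery output
SAMPLE_ASSETS = [
    {"mac": "00:11:22:33:44:55", "ip": "192.168.1.10"},
    {"mac": "00:aa:bb:cc:dd:ee", "ip": "192.173.1.77"},
    {"mac": "00:de:ad:be:ef:00", "ip": "10.0.0.5"},
]

if __name__ == "__main__":
    for asset in filter_assets(SAMPLE_ASSETS, "192.168.1.1/24 192.173.1.1/24"):
        print(asset["mac"], asset["ip"])
```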

5.2 Configuring network interfaces

The network interface sources (NICs) are automatically discovered by AssetPD Manager. Each time you open the AssetPD Manager, the utility retrieves the current NICs and displays an updated list.


Figure 5-2: List of NICs

To configure an active network interface source:

1. Click the Network Interfaces tab.

2. Go to the requested row and click Edit on the right.

3. In the Source Name field, specify a name for the source.

4. Optionally, limit the search results by specifying one or more IP ranges.

5. Choose whether to activate or deactivate the source.

6. Click Save.

5.3 Configuring offline sources

To configure an offline source:

1. Click the Offline Sources tab.

Figure 5-3: Offline Sources tab

2. Click Add. Alternatively, if the device already exists, click Edit.

3. In the Source Name field, enter a name for the source.


4. Optionally, limit the search results by specifying an IP range. You can also enter a comma-separated list of IP ranges.

5. Choose whether to activate or deactivate the source.

6. Click Save.

The Source Folder column now displays the words Open Folder. Clicking this prompt opens the folder for the relevant sniffer number; for example, …:\Program Files\AssetPD\offline\sniffer1.

NOTE: Each time a network interface or an offline source is added, the sniffer number is incremented; for example, the first and second rows have their source pcap file in folders sniffer0 and sniffer1, while the source file of the third row is found in folder sniffer4.


RUNNING ASSETPD

6. Running AssetPD

To run AssetPD:

1. Ensure that you have configured:

. All requested sources, both offline sources and network interfaces.

. The connection to the VSE.

2. In the AssetPD Manager, in the upper right corner, click Start.

During the run of the Asset PD service, AssetPD updates the VSE with the detected assets. This information is displayed in the VSE as a report, in both HTML and Excel formats.

6.1 Getting AssetPD Results

To get Asset PD results:

1. Create a device in the VSE configured with the Honeywell Asset Discovery Report Generator product line.

a. In the VSE, in Operations > Device Management, click NEW.

b. In the Product Line list, select Honeywell Asset Discovery Report Generator.

c. In the New Device fields, select or enter the requested values. In the Device Address field, enter 127.0.0.1.

d. Click Save.

e. In the Add Device message, click OK.

Figure 6-1: New Device with Honeywell Asset Discovery Report Generator

2. Execute the Honeywell Asset Discovery Report Generator product line on the device.

a. In the VSE, in Operations > Devices, in the Execution tab, select the device configured with the Honeywell Asset Discovery Report Generator.

b. In the product line Profile Name list, select a profile name. The options are:


o Get Last Generated Reports – Provides the results from the last successful execution of the report generator.

o Run Report Generator – Creates a new report.

o Run Report Generator Every Morning – Automatically creates an execution of the report generator every morning at 06:00.

c. Click Execute Once Now.

d. In the Activate Execution Profile message, click OK. The execution can take several minutes.

Figure 6-2: Honeywell Asset Discovery Report Generator product line

3. Download the Asset Discovery Report.

a. In the VSE, in Operations > Devices, in the View Data tab, select the device configured with the Honeywell Asset Discovery Report Generator.

b. In the Profiles list, locate the Get Last Generated Reports line and click the OK link in the status field.

c. In the Execution Result – View window, in the Collected Data object list, locate the HTML Discovery Report and the XLSX Discovery Report objects. To download the Asset Discovery Report, click the link in the Value field of the object with the requested format.

d. Open the downloaded Asset Discovery Report. The report details are classified by Source.

Figure 6-3: The Asset Discovery Report


To view the results in the HTML Discovery Report, in the Source dropdown select the required source.

Figure 6-4: The HTML Discovery Report

To view the results in the Excel Discovery Report, click on the sheet with the required source name.

Figure 6-5: The Excel Discovery Report


Appendices


This guide includes the following appendices:

• A, Protocols supported by AssetPD

• B, Possible AssetPD values

• C, Configuring AssetPD to work from a virtual machine


PROTOCOLS SUPPORTED BY ASSETPD

A Protocols supported by AssetPD

The following tables display the protocols that AssetPD uses to identify network assets.

A.1 Link layer protocol

Protocol | Description | Notes | Supported?

Ethernet | A family of computer networking technologies commonly used in local area networks (LANs), metropolitan area networks (MANs), and wide area networks (WANs). | Used for identifying the source and the destination MAC addresses. The source MAC address is used as part of the asset data. | Yes

A.2 Internet protocol suite

Protocol | Description | Notes | Supported?

ARP (Address Resolution Protocol) | A communication protocol used for discovering the link layer address associated with a given internet layer address. | Used for identifying IPv4 source and destination IPs. The source IP is used as part of the asset data. | Yes

BOOTP (Bootstrap Protocol) | A computer networking protocol used in Internet Protocol networks to automatically assign an IP address to network devices from a configuration server. | On Internet Protocol networks, used to provide information on Subnet Mask, Gateway address, DNS server, hostname, FQDN (DNS name). | Yes (as of 2.0.2)

Browser Service | A Windows protocol that enables users to easily browse and locate shared resources in neighboring computers. | Used for identifying Windows OS names and detecting Domain Controller asset types. | Yes

COTP (Connection Oriented Transport Protocol) | The connection transport protocol of the ISO Protocol Family. | Supporting protocol for other protocols. | Yes

DHCP (Dynamic Host Configuration Protocol) | A network management protocol used on UDP/IP networks. Using this protocol, a DHCP server dynamically assigns an IP address and other network configuration parameters to each device on a network so they can communicate with other IP networks. | On UDP/IP networks, used to provide information on Subnet Mask, Gateway address, DNS server, hostname, FQDN (DNS name). | Yes (as of 2.0.2)

DNS (Domain Name System) | A hierarchical and decentralized naming system for computers, services, or other resources connected to the Internet or a private network. | Used to discover host names by analyzing the DNS answers. | Yes

HTTP Headers | The name/value pairs that are displayed in the request and response message headers for Hypertext Transfer Protocol (HTTP). The HTTP request header includes information such as the type and version of the browser that generated the request, the OS used by the client, and the page that was requested. | Used for identifying OS versions and hostnames. | Yes

ICMP (Internet Control Message Protocol) | An error-reporting protocol used by network devices to send error messages and operational information. | Used for documenting the protocol traffic. | Yes

IPv4 (Internet Protocol version 4) | One of the core protocols of standards-based internetworking methods in the Internet and other packet-switched networks. | Used for identifying IPv4 source and destination IPs. The source IP is used as part of the asset data. | Yes

LLMNR (Link-Local Multicast Name Resolution) | Enables both IPv4 and IPv6 hosts to perform name resolution for hosts on the same local link. | Used for identifying hostnames of Windows machines. | Not yet

NBNS (NetBIOS Name Service) | Part of the NetBIOS-over-TCP protocol suite. NBNS translates human-readable names to IP addresses. | Used for identifying hostnames of Windows machines. | Yes

NetBIOS (Network Basic Input/Output System) Datagram Service | Allows applications on computers to communicate with one another over a local area network (LAN). Datagram mode is connectionless; the application is responsible for error detection and recovery. | Used for identifying hostnames and group names of Windows machines. | Yes

NTP (Network Time Protocol) | A networking protocol for clock synchronization between computer systems over packet-switched, variable-latency data networks. | Used for discovering Time Servers. | Yes

TCP (Transmission Control Protocol) | Provides host-to-host connectivity at the transport layer of the Internet model. | Used for collecting information about the TCP flags and TCP source and destination ports. The source port is used as part of the asset data. | Yes

TPKT | TPKT enables translating between two networking protocol family models, Open Systems Interconnection (OSI) and TCP/IP, by providing a method to carry OSI data over TCP/IP networks. | Used for identifying S7COMM. | Yes

UDP (User Datagram An alternative communications protocol to TCP Used for collecting information Yes Protocol) used primarily for establishing low-latency and about the UDP source and loss-tolerating connections between applications destination ports. The source on the internet. port is used as part of the of the asset data.

A.3 SCADA (Supervisory Control and Data Acquisition)

| Protocol | Description | Notes | Supported? |
|---|---|---|---|
| BACnet (Building Automation and Control) | Enables communication between building automation and control systems for applications (for example: heating, ventilating and fire detection systems) and their associated equipment. | Used for identifying Building Management System controllers. | Yes |
| CDA (Common Data Access) | The Experion native (Honeywell proprietary) internal communication protocol. | Used to detect roles for c200, c300 Programmable Logic Controllers (PLCs). | Yes |
| DNP3 (Distributed Network Protocol) | A set of communications protocols used between components in process automation systems. | Used for identifying HMIs and Field Controllers. | Yes |
| Ethernet/IP | An industrial network protocol that adapts the Common Industrial Protocol (CIP) to standard Ethernet. | Used for detecting Rockwell components. | Yes |
| FTE (Fault Tolerant Ethernet) | The industrial control network of the Experion Process Knowledge System (PKS). Connects clusters or groups of nodes such as servers and stations, typically associated with the same process unit, and provides multiple communication paths between them so the network can tolerate all single faults and many multiple faults. | Used to collect Experion components information. | Yes |
| GOOSE (Generic Object-Oriented Substation Events) | Provides a fast and reliable mechanism for transferring event data over entire electrical substation networks. Ensures the same event message is received by multiple physical devices using multicast or broadcast services. | Used to detect sub-station controllers. | Yes |
| ICCP (Inter-Control Center Communications Protocol) | Provides data exchange over WANs between utility control centers, utilities, power pools, regional control centers, and Non-Utility Generators. | Used to detect control centers. | Yes |
| IEC104 | The IEC 60870 set of standards defines systems used for telecontrol (supervisory control and data acquisition) in electrical engineering and power system automation applications. IEC 60870-5-101/102/103/104 are companion standards generated for basic telecontrol tasks, transmission of integrated totals, data exchange from protection equipment and network access of IEC101 respectively. | Used in the electronics industry, generic. | Yes |
| MDLC (Motorola Data Link Communications) | Data communications protocol designed for shared two-way radio communication circuits. MDLC allows multiple logical communication channels per communication medium, allowing for simultaneous Host-to-RTU (Remote Terminal Unit), RTU-to-Host, and RTU-to-RTU data sessions. Used in oil & gas, water utilities, power utilities or geographically distributed systems. | Used to detect Motorola controllers. | Partial |
| MMS (Manufacturing Message Specification) | An international standard (ISO 9506) for messaging systems transferring real time process data and supervisory control information between networked devices or computer applications. | Generic (common in ABB). | Yes |
| Modbus TCP | Modbus is a serial communications protocol that enables communication among many devices connected to the same network. | Used for identifying the asset type: • If the source port is 502, the type is Field Controller (e.g. PLC). • If the destination port is 502, the type is HMI (Human Machine Interface). Also used to collect additional parameters from the responder. | Yes |
| OPC-DA (OPC Data Access) | A group of client-server standards that provide specifications for communicating real-time data from data acquisition devices such as PLCs to display and interface devices like Human-Machine Interfaces (HMI), SCADA systems, and ERP/MES systems. The specifications focus on the continuous communication of data. | Used to detect OPC servers. | Yes |
| PROFINET IO (Process Field Net) | An industry technical standard for data communication over Industrial Ethernet, designed for collecting data from, and controlling, equipment in industrial systems. | Used to detect Fieldbus devices. | Yes |
| S7COMM (based on COTP and TPKT) | A Siemens proprietary protocol that runs between programmable logic controllers (PLCs) of the Siemens S7-300/400 family. Used for PLC programming, exchanging data between PLCs, accessing PLC data from SCADA systems and diagnostic purposes. | Used to identify Field Controllers (PLCs) and Engineering Stations. The S7COMM data comes as the payload of COTP data packets. • If the destination port is 102, the asset is an Engineering Station. If the source port is 102, the asset type is Field Controller (PLC). | Yes |
| Synchrophasor | A phasor measurement unit (PMU) is a device used to estimate the magnitude and phase angle (synchrophasor) of an electrical phasor quantity (such as voltage or current) in an electricity grid. | Used to identify PMUs and PDCs. | Yes |
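The port rules in the Modbus TCP and S7COMM rows, together with the Addr5 attribute (Modbus unit identifier) listed in Appendix B, as an added Python example that is not part of the guide and not AssetPD's own code: it applies the rules to the sending asset of each observed segment, reads the unit identifier from the Modbus/TCP MBAP header of the responder, and builds a small inventory keyed by source IP. The MBAP layout is the public Modbus/TCP framing; all addresses, ports and payloads are constructed samples.

```python
import struct
from collections import namedtuple
from dataclasses import dataclass
from typing import Dict, Optional

MODBUS_TCP_PORT = 502  # port rule from the Modbus TCP row
S7COMM_PORT = 102      # port rule from the S7COMM row
# One captured TCP segment (constructed samples below, not a real capture).
Segment = namedtuple("Segment", "src_ip src_port dst_ip dst_port payload")

@dataclass
class Asset:
    """Subset of the AssetPD attributes: IP, asset type and Addr5."""
    ip: str
    asset_type: str = "Host"
    addr5: Optional[int] = None  # Modbus unit identifier, when observed

def modbus_unit_id(payload: bytes) -> Optional[int]:
    """Unit id from a Modbus/TCP MBAP header (tid 2, proto 2, len 2, unit 1), else None."""
    if len(payload) < 8:
        return None
    _tid, proto, length, unit = struct.unpack("!HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:  # proto id is always 0 for Modbus
        return None
    return unit

def role_from_ports(src_port: int, dst_port: int) -> Optional[str]:
    """The page's port rules, applied to the asset that sent the segment."""
    if src_port in (MODBUS_TCP_PORT, S7COMM_PORT):
        return "Field Controller"
    if dst_port == MODBUS_TCP_PORT:
        return "HMI"
    if dst_port == S7COMM_PORT:
        return "Engineering Station"
    return None

def build_inventory(segments) -> Dict[str, Asset]:
    """Fold segments into an asset repository keyed by the source IP."""
    assets: Dict[str, Asset] = {}
    for seg in segments:
        asset = assets.setdefault(seg.src_ip, Asset(seg.src_ip))
        role = role_from_ports(seg.src_port, seg.dst_port)
        if role:
            asset.asset_type = role
        if seg.src_port == MODBUS_TCP_PORT:  # extra parameters come from the responder
            unit = modbus_unit_id(seg.payload)
            if unit is not None:
                asset.addr5 = unit
    return assets

# Constructed traffic: an HMI polling a PLC (unit id 3) and an engineering station on port 102.
SAMPLE = [
    Segment("10.0.0.5", 49152, "10.0.0.20", 502, bytes.fromhex("000100000006030300000002")),
    Segment("10.0.0.20", 502, "10.0.0.5", 49152, bytes.fromhex("000100000007030304000a000b")),
    Segment("10.0.0.7", 50000, "10.0.0.30", 102, bytes.fromhex("03000016")),
    Segment("10.0.0.30", 102, "10.0.0.7", 50000, bytes.fromhex("03000016")),
]
```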

A.4 Database

| Protocol | Description | Notes | Supported? |
|---|---|---|---|
| TDS (Tabular Data Stream) | An application layer protocol used to transfer data between a database server and a client. | Used to detect MSSQL servers. | Yes |
| TNS (Transparent Network Substrate) | Supports homogeneous peer-to-peer connectivity on top of other networking technologies such as TCP/IP, SDP, and named pipes. TNS operates mainly for connection to Oracle databases. | Used to detect Oracle servers (DB). | Yes |
| MySQL Protocol | Protocol used between MySQL Clients and Servers. | Used for identifying MySQL database clients and servers. | Yes |

A.5 Network file sharing protocol

| Protocol | Description | Notes | Supported? |
|---|---|---|---|
| SMB (Server Message Block) | An application-layer network protocol used for providing shared access to files, printers, and serial ports, and miscellaneous communications between nodes on a network. It also provides an authenticated inter-process communication mechanism. | Generic protocol for Windows naming and file shares. | Yes |

A.6 IT

| Protocol | Description | Notes | Supported? |
|---|---|---|---|
| DCE/RPC (Distributed Computing Environment / Remote Procedure Calls) | DCE/RPC is a specification for a remote procedure call mechanism that defines both APIs and an over-the-network protocol. | Supporting protocol for OPC-DA. | Yes |

A.7 Routing protocol

| Protocol | Description | Notes | Supported? |
|---|---|---|---|
| RIP (Routing Information Protocol) | A distance-vector routing protocol employing the hop count as a routing metric. Prevents routing loops by implementing a limit on the number of hops allowed in a path from source to destination. | Used for identifying routers. | Yes |
| IGRP (Interior Gateway Routing Protocol) | A distance vector interior gateway protocol (IGP), used by routers to exchange routing data within an autonomous system. Developed by Cisco, IGRP is a proprietary protocol. | Used for identifying routers. | Yes |
| OSPF (Open Shortest Path First) | A routing protocol for IP networks. It uses a link state routing (LSR) algorithm and falls into the group of interior gateway protocols (IGPs), operating within a single autonomous system (AS). | Used for identifying routers. | Yes |

A.8 Discovery protocol

| Protocol | Description | Notes | Supported? |
|---|---|---|---|
| CDP (Cisco Discovery Protocol) | A proprietary Data Link Layer protocol developed by Cisco Systems, used to share information about other directly connected Cisco equipment, such as the operating system version and IP address. | Used for identifying switches. | Yes |
| LLDP (Link Layer Discovery Protocol) | A vendor-neutral link layer protocol in the Internet Protocol Suite used by network devices for advertising their identity, capabilities, and neighbors on an IEEE 802 local area network, principally wired Ethernet. | Used for identifying switches. | Yes |
| ISDP (Industry Standard Discovery Protocol) | A proprietary Layer 2 network protocol that inter-operates with Cisco devices running the Cisco Discovery Protocol (CDP). ISDP is used to share information between neighboring devices. The switch software participates in the CDP protocol and can both discover and be discovered by other CDP-supporting devices. | Used for identifying switches. | No |

A.9 Communication Protocol

| Protocol | Description | Notes | Supported? |
|---|---|---|---|
| SNMP (Simple Network Management Protocol) | An Internet Standard protocol for collecting and organizing information about managed devices on IP networks and for modifying that information to change device behavior. Devices that typically support SNMP include cable modems, routers, switches, servers, workstations, printers, and more. | Network appliance detection and attributes. | Yes |

POSSIBLE ASSETPD VALUES

B Possible AssetPD values

In the AssetPD asset repository, assets can be classified to one of the following values:

• Host

• HMI (Human Machine Interface)

• Field Controller

• RTU (Remote terminal unit)

• PLC (Programmable Logic Controller)

• PMU (Phasor Measurement Unit)

• Control Center Server

• Domain Controller

• DNS Server

• Time Server

• Engineering Station

• Switch

• Router

• SCADA Gateway

• Security Appliance

• Source – The sniffer name or source it came from.

• Hostname – The machine hostname if any.

• Group – The Workgroup/Domain name which the asset belongs to.

• OS – The operating system name.

• MAC address – The physical address of the asset.

• Manufacturer Name – The manufacturer name (vendor name).

• IP – The IP address of the asset. Only IPv4 is supported.

• Addr5, Addr6, Addr7 – 3 parameters that hold values like the unit identifier in Modbus, related to SCADA protocols.

• Hops – Number of hops from the router.

• VLAN ID – The VLAN ID to which the asset belongs.


• DNS names – List of DNS names related to the asset.

• Services – List of identified ports that the asset uses. These ports indicate which services the asset runs, for example, FTP (21), Telnet (23), SNMP (161), etc.

• Additional parameters map – Contains key/value pairs of additional information on the asset, such as information about the PLCs, sensors, SCADA info, vendor names, and product codes.

• Last updated – The time of the last update of the asset.

• Last Seen – The last time the asset was “seen” (packets were received from this asset) on the network.

CONFIGURING ASSETPD TO WORK FROM A VIRTUAL MACHINE

C Configuring AssetPD to work from a virtual machine

This appendix provides instructions for connecting and enabling a virtual machine (VM) under an ESXi platform to capture network traffic in promiscuous mode, that is, capturing Ethernet frames addressed to other destinations, such as traffic from a mirror/SPAN port in an Ethernet switch.

C.1 Requirements

The prerequisites for the AssetPD configuration are:

• Source of network traffic to analyze in promiscuous mode (SPAN/mirror port in a switch)

• Administrator access to an ESXi server with at least one available and unused physical NIC.

• The network analyzer/sniffer Virtual Machine.

C.2 Configuration process

To configure the AssetPD to work from a virtual machine:

1. Connect the SPAN/mirror port in the Ethernet switch directly to an available physical NIC in the ESXi server.

2. Log on to the ESXi configuration management using the vSphere client with an administrator permissions account.

3. In the vSphere management tree, select the server that hosts the AssetPD virtual machine.

4. Go to the Configuration tab and from the Hardware menu on the left click Networking.

5. Click Add Networking… to open the Add Networking wizard.

6. In the Connections Type wizard page, select the option Virtual Machine.


Figure 6-6: Connection Type wizard page

7. In the Network Access wizard page select which physical NIC to connect to the SPAN/mirror port. While the choice shown below is vmnic1, you can select another value in other setups.


Figure 6-7: Network Access wizard page

8. In the Connection Settings wizard page give the newly created network a meaningful name, and do not select a VLAN ID.

9. Click Next and Finish to complete the wizard.

A new vSwitch is now displayed in the Networking window.

10. Click the Properties… link as shown below.

Figure 6-8: Switch properties

11. In the vSwitch tab, go to the Ports tab.

12. Select the vSwitch configuration and click Edit…

13. In the new Properties dialog box that appears now, under the Security tab, select the option Accept for the Promiscuous mode policy exception.


14. Click OK to close the dialog box.

15. Repeat steps 12 to 14 for the option Sniffer Network in the Properties window.

16. In the vSwitch Properties dialog box, ensure that option Promiscuous Mode is enabled in both configuration items and close the dialog box.

17. Ensure that the network sniffer virtual machine is stopped.

18. Right-click this virtual machine and from the menu that opens click Edit Settings…

19. In the Virtual Machine Properties dialog box, go to the Hardware tab and click Add…

Figure 6-9: Virtual machine Hardware tab

20. Select the option Ethernet Adapter and click Next.

21. Under the Network Connection section, select the label of the network you just created and click Next.

Figure 6-11: Selecting a network label

22. Check your settings and click Finish.

23. In the Virtual Machine Properties dialog box, click OK to save the new settings and close the dialog box.


Honeywell Process Solutions

1250 W Sam Houston Pkwy S #150, Houston, TX 77042

Honeywell House, Skimped Hill Lane Bracknell, Berkshire, RG12 1EB

Building #1, 555 Huanke Road, Zhangjiang Hi-Tech Park, Pudong New Area, Shanghai, China 201203

CS-ICSE777en-510B July 2019

www.honeywellprocess.com

© 2019 Honeywell International Sàrl