In Part II I reviewed Industrial Defender’s Automation Systems Manager (ASM) based on an interview and some limited detail documents. Today I had the opportunity to get an online demo of the ASM interface and ask a lot of questions for just over an hour. You can see in the diagram below that the ASM has a number of software applications, more than can be covered in an hour, but here are my thoughts, pro and con.
ASM really begins with the Asset Management module. Minimal information is entered into the ASM, and the ASM then gathers the rest of the information either through agents, Industrial Defender’s IT and ICS agents, or through agentless technology, such as WMI for Windows systems. Information on the ports, services, software, users, etc. is all pulled into the ASM, where it can be monitored for change and used for other purposes, such as the security patching program.
What about assets that are not entered into the ASM? An ARP Watch feature on either the Network IDS sensor or ASA collector appliance looks for any MAC or IP addresses not in the ASM and generates an alert that an unknown device is on the network.
North American electric utilities probably already understand the NERC CIP value this ports, services and user information can provide from a compliance standpoint, but it is valuable for any sector’s security monitoring and management. Alerts can be generated when new ports, services or software appear on a system (and yes, they have ways to deal with dynamic ports and with services that start and stop).
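The two checks described above, an ARP watch for devices missing from the inventory and a ports/services baseline comparison, written out as an added example. This is illustration code, not Industrial Defender's, and the inventory, ARP observations, host baselines and the choice to treat the Windows ephemeral range as "dynamic" are all constructed assumptions for the example; the vendor's own handling of dynamic ports was not shown in detail in the demo.

```python
# Added example, not Industrial Defender code. All MACs, IPs, hosts and
# baselines below are constructed for illustration.

# What the ASM would hold after discovery: MAC -> asset record (constructed)
INVENTORY = {
    "aa:bb:cc:00:00:01": {"ip": "10.10.1.10", "name": "HMI-01"},
    "aa:bb:cc:00:00:02": {"ip": "10.10.1.20", "name": "HIST-01"},
    "aa:bb:cc:00:00:03": {"ip": "10.10.1.30", "name": "PLC-01"},
}

# ARP observations from a sensor, as (mac, ip) pairs (constructed)
ARP_SEEN = [
    ("aa:bb:cc:00:00:01", "10.10.1.10"),
    ("aa:bb:cc:00:00:02", "10.10.1.20"),
    ("de:ad:be:ef:00:99", "10.10.1.99"),  # MAC nobody registered
    ("aa:bb:cc:00:00:03", "10.10.1.31"),  # known PLC MAC, unexpected IP
]


def arp_watch(seen, inventory):
    """Alert on any MAC absent from the inventory, and on a known MAC that
    shows up with an IP other than the one recorded for it."""
    alerts = []
    for mac, ip in seen:
        asset = inventory.get(mac)
        if asset is None:
            alerts.append(f"unknown device: mac={mac} ip={ip}")
        elif asset["ip"] != ip:
            alerts.append(
                f"{asset['name']}: mac={mac} recorded ip={asset['ip']} seen ip={ip}"
            )
    return alerts


# Approved listeners per host as (proto, port, service) (constructed)
BASELINE = {
    "HMI-01": {
        ("tcp", 3389, "TermService"),
        ("tcp", 445, "LanmanServer"),
        ("tcp", 4840, "OPCUA"),
    },
}

# Assumption for this example: ports in these ranges are dynamic (the Windows
# ephemeral/RPC range) and are not alerted on in either direction.
DYNAMIC_RANGES = {"tcp": [(49152, 65535)], "udp": [(49152, 65535)]}


def is_dynamic(proto, port):
    return any(lo <= port <= hi for lo, hi in DYNAMIC_RANGES.get(proto, []))


def diff_listeners(host, observed, baseline):
    """Compare what the agent reports listening against the approved baseline.
    Returns (new, missing) as sorted lists; dynamic-range ports are ignored."""
    approved = baseline.get(host, set())
    new = sorted(e for e in observed - approved if not is_dynamic(e[0], e[1]))
    missing = sorted(e for e in approved - observed if not is_dynamic(e[0], e[1]))
    return new, missing


# Constructed agent report for HMI-01: a new web listener appeared, OPC UA
# stopped, and an ephemeral RPC port is open (which should be ignored).
OBSERVED_HMI = {
    ("tcp", 3389, "TermService"),
    ("tcp", 445, "LanmanServer"),
    ("tcp", 8080, "python.exe"),
    ("tcp", 49700, "svchost.exe"),
}

if __name__ == "__main__":
    for alert in arp_watch(ARP_SEEN, INVENTORY):
        print("ARP:", alert)
    new, missing = diff_listeners("HMI-01", OBSERVED_HMI, BASELINE)
    print("new listeners:", new)
    print("missing listeners:", missing)
```

A "missing" listener is worth reporting separately from a "new" one: a stopped OPC UA server on an HMI is an operations problem, while a new listener on port 8080 is the kind of change a security reviewer wants to see first.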
The Asset Management module has the information and management component of patch management, but it does not actually apply any patches. Assets can be put into groups, and there should be some thought put into the groups. You can have OS groups, device type groups (e.g. HMI, EWS, Historian, PLC, router), or anything else you can think of. Your groups will affect the security patch management workflow because the ASM user needs to designate which new patches apply to which groups.
One of the most interesting features is the capability to import security patch information from the ICS vendors. For example, GE, Siemens or ABB could provide a list of the approved and required OS, database and application security patches, tested and approved for deployment, in a file that the ASM could import and then associate with the appropriate assets. The ASM user would then see all the security patches that still need to be applied, as determined by working with the asset through the agent or agentless connection.
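The workflow in the two paragraphs above, an imported vendor-approved patch list, the ASM user's designation of patches to asset groups, and the per-asset list of what is still missing, as an added example. This is illustration code, not Industrial Defender's, and it assumes a file format, patch IDs, products and group names that are all constructed; the real import format was not shown.

```python
# Added example, not Industrial Defender code. Patch IDs, products, assets
# and group names are constructed for illustration.

# A vendor-supplied list of tested and approved patches, the kind of file an
# ICS vendor could publish for import (constructed)
VENDOR_APPROVED = [
    {"id": "KB-0001", "product": "Windows Server 2008"},
    {"id": "KB-0002", "product": "Windows Server 2008"},
    {"id": "DB-0003", "product": "SQL Server 2008"},
    {"id": "KB-0004", "product": "Windows Server 2008"},
]

# The ASM user's designation of which asset groups each imported patch applies
# to. Groups may be OS groups or device-type groups. KB-0004 has not been
# designated yet and must not be treated as required anywhere until it is.
DESIGNATION = {
    "KB-0001": {"Windows Server 2008"},
    "KB-0002": {"HMI", "EWS"},
    "DB-0003": {"SQL Server 2008"},
}

# Assets with their group membership and what the agent or WMI query reports
# as installed (constructed)
ASSETS = {
    "HMI-01": {"groups": {"HMI", "Windows Server 2008"}, "installed": {"KB-0001"}},
    "EWS-01": {"groups": {"EWS", "Windows Server 2008"}, "installed": set()},
    "HIST-01": {
        "groups": {"Historian", "Windows Server 2008", "SQL Server 2008"},
        "installed": {"KB-0002"},
    },
    "PLC-01": {"groups": {"PLC"}, "installed": set()},
}


def undesignated(approved, designation):
    """Imported patches the ASM user has not yet mapped to any group."""
    return sorted(p["id"] for p in approved if p["id"] not in designation)


def required_patches(asset, approved, designation):
    """A patch is required on an asset when at least one of the groups it was
    designated for is a group the asset belongs to."""
    return {
        p["id"]
        for p in approved
        if designation.get(p["id"], set()) & asset["groups"]
    }


def missing_patches(assets, approved, designation):
    """Per asset, the required patches the agent does not report as installed."""
    return {
        name: sorted(required_patches(a, approved, designation) - a["installed"])
        for name, a in assets.items()
    }


def installed_but_not_required(assets, approved, designation):
    """Per asset, installed patches that are not required there: a sign that
    something was pushed outside the approved list or to the wrong group."""
    return {
        name: sorted(a["installed"] - required_patches(a, approved, designation))
        for name, a in assets.items()
    }


if __name__ == "__main__":
    print("undesignated:", undesignated(VENDOR_APPROVED, DESIGNATION))
    for host, patches in missing_patches(ASSETS, VENDOR_APPROVED, DESIGNATION).items():
        print(f"{host}: missing {patches}")
    for host, patches in installed_but_not_required(ASSETS, VENDOR_APPROVED, DESIGNATION).items():
        if patches:
            print(f"{host}: installed but not required {patches}")
```

The undesignated list is the piece the grouping discussion above is really about: an imported patch that nobody has mapped to a group is invisible to every asset until a user makes that decision, so the workflow needs to surface it rather than silently skip it.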
Configuration Change Management
Read the title carefully. This module does not provide the ability to change the configuration of a firewall, router or ICS device. Rather, it provides the ability to identify changes.
A simple example — the IT Department has the skills to manage the Control Center / Enterprise firewall, but the Operations Group is worried that changes will be made without their approval. ASM could identify and generate an alert for all firewall configuration changes. This is not a replacement for a Tripwire-type product, but it can identify changes in any configuration file.
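The firewall scenario above, as an added example of identifying (not applying) configuration changes: an approved copy of the rule set is fingerprinted and compared with the copy now on the device. This is illustration code, not Industrial Defender's; the rule syntax, the comment conventions and both configuration texts are constructed, and the decision to ignore comment-only edits but to report pure reordering is an assumption made here because rule order matters on a firewall.

```python
import difflib
import hashlib

# Added example, not Industrial Defender code. The firewall rule text below
# is constructed for illustration.

BASELINE_CFG = """\
! Control Center / Enterprise firewall, approved by Operations
access-list CC_IN permit tcp host 10.20.0.5 host 10.10.1.20 eq 1433
access-list CC_IN permit tcp host 10.20.0.6 host 10.10.1.10 eq 3389
access-list CC_IN deny ip any any log
"""

# The same file after the RDP rule was widened from one host to any source
CURRENT_CFG = """\
! Control Center / Enterprise firewall, approved by Operations
access-list CC_IN permit tcp host 10.20.0.5 host 10.10.1.20 eq 1433
access-list CC_IN permit tcp any host 10.10.1.10 eq 3389
access-list CC_IN deny ip any any log
"""

COMMENT_PREFIXES = ("!", "#")


def normalize(text):
    """Drop comments, blank lines and surrounding whitespace so cosmetic edits
    do not raise alerts, while every rule line is still compared."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith(COMMENT_PREFIXES):
            lines.append(line)
    return lines


def fingerprint(text):
    """SHA-256 over the normalized rule lines, in order."""
    return hashlib.sha256("\n".join(normalize(text)).encode("utf-8")).hexdigest()


def config_changes(baseline, current):
    """Identify changes between the approved config and the one now on the
    device. Rule order matters on a firewall, so a pure reorder is reported
    even though no line was added or removed."""
    old, new = normalize(baseline), normalize(current)
    added = [ln for ln in new if ln not in old]
    removed = [ln for ln in old if ln not in new]
    changed = fingerprint(baseline) != fingerprint(current)
    return {
        "changed": changed,
        "reordered": changed and not added and not removed,
        "added": added,
        "removed": removed,
        "diff": list(difflib.unified_diff(old, new, "approved", "current", lineterm="")),
    }


if __name__ == "__main__":
    result = config_changes(BASELINE_CFG, CURRENT_CFG)
    if result["changed"]:
        print("ALERT: firewall configuration changed")
        print("\n".join(result["diff"]))
```

Storing the fingerprint of the approved copy, rather than the copy itself, is enough to answer "did it change?"; the full approved text is still needed to answer "what changed?", which is the question the Operations Group actually wants answered.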