Active Network Scanning in OT Environments

By Zane Blomgren, Belden
Periodic active network scanning is generally essential to maintain an accurate picture of the network, because significant information is only available upon request and is otherwise never present in normal traffic.
The case for passive traffic analysis is that many industrial control system (ICS) devices were designed only to handle the traffic they expect, and are often never tested to keep functioning when they receive anything else. For example, I’ve seen RFID controllers and Anybus modules lock up simply from receiving packets that confused them.
Active network scanning can deliver much more information than passive scanning, and can be an incredibly valuable tool in any industrial environment. However, as I noted in a previous blog post, devices in the industrial environment – including VFDs, PLCs, I/O blocks, actuators and sensors – can be more sensitive than those in the office environment.
Standard IT methods for network scanning cannot be used in an industrial environment without planning and forethought.
Precautions need to be taken; for example, scanning should be done delicately and while machines are not operating, because the added traffic could introduce latency and other issues. Yes, some machines could run just fine during an active scan, but it takes an additional study to verify that.
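One way to build those precautions into the scanning tool itself, as an added example (this is not Tripwire's scanner and not the client's setup): the scan refuses to start outside the maintenance window, probes one device at a time with a pause after every probe, and halts the moment a device that answered before the scan stops answering a harmless health check. The plant, host names and fault behaviour in `simulate_line` are constructed for the demonstration.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from time import sleep as real_sleep

@dataclass
class ScanPolicy:
    window_start: time            # maintenance window (line down), local time
    window_end: time
    probe_interval_s: float = 2.0 # pause after every probe: one host at a time, no parallelism

@dataclass
class ScanRun:
    probed: list = field(default_factory=list)  # (host, what it reported)
    aborted_on: str = ""                         # empty means the scan completed

def in_window(policy: ScanPolicy, now: datetime) -> bool:
    return policy.window_start <= now.time() < policy.window_end

def gentle_scan(hosts, policy, probe, health_check, now_fn=datetime.now, sleep=real_sleep):
    """Probe hosts serially. probe(host) asks one device for its identity data;
    health_check(host) sends a harmless request and returns True if it answered.
    Any baseline host that stops answering halts the whole run for investigation."""
    run = ScanRun()
    if not in_window(policy, now_fn()):
        run.aborted_on = "outside maintenance window"
        return run
    baseline = [h for h in hosts if health_check(h)]   # responsive before we sent anything
    for host in hosts:
        if not in_window(policy, now_fn()):
            run.aborted_on = "maintenance window closed"
            break
        run.probed.append((host, probe(host)))
        sleep(policy.probe_interval_s)
        lost = [h for h in baseline if not health_check(h)]
        if lost:
            run.aborted_on = f"{lost[0]} stopped responding after probing {host}"
            break
    return run

def simulate_line() -> ScanRun:
    """Constructed plant of three devices. The VFD locks up on unrelated traffic on its
    segment (standing in for the hidden fault in the post), so the scan halts early."""
    state = {"plc-01": "ok", "io-block-02": "ok", "vfd-03": "ok"}
    def probe(host):
        if host == "io-block-02":
            state["vfd-03"] = "tripped"
        return {"vendor": "constructed", "kind": host.split("-")[0]}
    policy = ScanPolicy(time(1, 0), time(5, 0))
    return gentle_scan(list(state), policy, probe, lambda h: state[h] == "ok",
                       now_fn=lambda: datetime(2020, 1, 1, 2, 30), sleep=lambda s: None)
```

In a real run, `probe` and `health_check` would wrap whatever vendor-specific identification request and harmless keep-alive the device supports, and `sleep` would be the real delay.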
Operators can get all of the benefits of an active scan without concerns for their network by incorporating the proper proactive, responsible and knowledgeable planning before performing an active scan. Usually.
I say “usually” because my colleagues and I were recently involved in a situation that did not go 100% as planned. However, it had a fascinating outcome.
Example: Active network scanning achieved through partnership
We were brought in to perform an active scan on a network operated by a large automotive manufacturer. This client is very sophisticated and we have a close partnership with them.
They knew just what they wanted – an active network scan that would quickly and efficiently go deep into their network to identify every device and provide extremely detailed information. Their goal was to receive rich data about all of their systems along with thorough analysis and recommendations.
Through their relationship with Belden, the client chose to work with Tripwire specifically due to our experience and knowledge in this space. We scheduled the scan activity during a period that the line was down for scheduled maintenance. The scan was designed to be performed in a slow, gentle manner throughout the network.
We expected the impact on the network to be the equivalent of a light breeze. Yet, it was soon reported that a VFD tripped. Of course, we were concerned. Could our scan have caused this? Fortunately, everyone involved looked at the situation objectively and quickly concluded that the extraordinarily gentle scan could not – or should not – have caused the failure.
As it turns out, the source was an existing, hidden vulnerability in the VFD that could have been triggered by a multitude of disruptive situations, including a broadcast storm or a series of malformed packets. It was incredibly fortunate that it was triggered harmlessly in this circumstance – if it had been triggered while the line was up, it could have been a serious issue, potentially shutting down production.
Our analysis confirmed for the client where the issue was stemming from and they approached the VFD manufacturer. To their credit, the manufacturer was grateful for the knowledge and agreed that what happened during our scanning activity should not have occurred. They tested the VFDs in their labs and addressed the issues, proactively correcting other reliability issues with modifications and firmware.
The end result is a better product and more reliable operation for all.
What would you do?
The reason I am discussing this situation is that active network scanning still has a bad reputation, earned in situations where IT professionals applied the active monitoring methods common in the office environment without adapting them to the sensitive nature of the OT environment, causing adverse device interactions.
With this reputation still lingering, it could have been natural for the automotive network operator to assume that when the VFD tripped, it was the result of a poorly executed active scan. Fortunately, they were involved in and knowledgeable about the very careful precautions taken to alleviate any potential negative impacts while getting all the benefits of active network scanning.
With open eyes, they investigated the situation and accurately identified the source of the issue. And that was the first step towards solving the problem and ensuring that it doesn’t happen again. I must also give credit to the drive manufacturer, who took the opportunity to address the situation and improve further upon a quality product. Truth is, this could have been a story where everyone was angry and finger pointing. But instead, it was a partnership where everyone looked in the right direction and ultimately benefited from the situation.
So I’d like to ask—if this happened in your facility, what would you have done? Would you have jumped to conclusions, or investigated the situation? I welcome a dialog.