HONEYWELL FORGE CYBERSECURITY PLATFORM
1911 (NOV 2019)
Asset Passive Discovery (Asset PD)
User Guide
CS-HFCPE603en-1911A
November 2019
DocID CS-HFCPE603en-1911A 2
DISCLAIMER
This document contains Honeywell proprietary information. Information contained
herein is to be used solely for the purpose submitted, and no part of this document or
its contents shall be reproduced, published, or disclosed to a third party without the
express permission of Honeywell International Sàrl.
While this information is presented in good faith and believed to be accurate,
Honeywell disclaims the implied warranties of merchantability and fitness for a
purpose and makes no express warranties except as may be stated in its written
agreement with and for its customer.
In no event is Honeywell liable to anyone for any direct, special, or consequential
damages. The information and specifications in this document are subject to change
without notice.
Copyright 2019 – Honeywell International Sàrl
Notices
Trademarks
Experion®, PlantScape®, SafeBrowse®, TotalPlant®, and TDC 3000® are registered trademarks of Honeywell International, Inc.
ControlEdge™ is a trademark of Honeywell International, Inc.
OneWireless™ is a trademark of Honeywell International, Inc.
Matrikon® and MatrikonOPC™ are trademarks of Matrikon International. Matrikon International is a business unit of Honeywell International, Inc.
Movilizer® is a registered trademark of Movilizer GmbH. Movilizer GmbH is a business unit of Honeywell International, Inc.
Other trademarks
Trademarks that appear in this document are used only to the benefit of the trademark owner, with no intention of trademark infringement.
Third-party licenses
This product may contain or be derived from materials, including software, of third parties. The third party materials may be subject to licenses, notices, restrictions and obligations imposed by the licensor.
The licenses, notices, restrictions and obligations, if any, may be found in the materials accompanying the product, in the documents or files accompanying such third party materials, or in a file named third_party_licenses on the media containing the product.
Legal Notices
• "Ethernet/IP"
• "COTP"
• "TPKT"
• "Link-Local Multicast Name Resolution"
• "Server Message Block"
• "Tabular Data Stream"
• "Transparent Network Substrate"
• "DNP3"
• "EtherCAT"
• "IEC 60870 5"
• "Generic Substation Events"
• "BACnet"
• "Manufacturing Message Specification"
• "ICCP Protocol"
• "DCERPC"
• "OPC Data Access"
• "PROFINET"
• "Profibus"
• "Routing Information Protocol"
• "Interior Gateway Routing Protocol"
• "Open Shortest Path First"
• "Cisco Discovery Protocol"
• "Link Layer Discovery Protocol"
• "Simple Network Management Protocol"
These articles are released under the Creative Commons Attribution-Share-Alike
License 3.0.
Documentation feedback
You can find the most up-to-date documents on the Honeywell Process Solutions support website at:
http://www.honeywellprocess.com/support
If you have comments about Honeywell Process Solutions documentation, send your
feedback to:
Use this email address to provide feedback, or to report errors and omissions in the
documentation. For immediate help with a technical problem, contact your local
Honeywell Process Solutions Customer Contact Center (CCC) or Honeywell Technical
Assistance Center (TAC).
How to report a security vulnerability
For the purpose of submission, a security vulnerability is defined as a software defect or weakness that can be exploited to reduce the operational or security capabilities of the software.
Honeywell investigates all reports of security vulnerabilities affecting Honeywell
products and services.
To report a potential security vulnerability against any Honeywell product, please
follow the instructions at:
https://honeywell.com/pages/vulnerabilityreporting.aspx
Submit the requested information to Honeywell using one of the following methods:
Send an email to [email protected].
or
Contact your local Honeywell Process Solutions Customer Contact Center (CCC) or
Honeywell Technical Assistance Center (TAC) listed in the “Support” section of this
document.
Support
For support, contact your local Honeywell Process Solutions Customer Contact Center (CCC). To find your local CCC visit the website, https://www.honeywellprocess.com/en-US/contact-us/customer-support-contacts/Pages/default.aspx.
Training classes
Honeywell holds technical training classes that are taught by process control systems experts. For more information about these classes, contact your Honeywell representative, or see http://www.automationcollege.com.
About this Guide
This guide describes how to configure and use the Asset Passive Discovery (Asset PD), the solution that enables the VSE to collect information about the network assets that the VSE can access.
Scope
Intended audience
This guide is for people who are responsible for the configuration and operation of Asset Passive Discovery (Asset PD) on the Security Center and VSEs:
• Initial Settings – Professional Services, Support, or IT personnel
• Security Center – Administrators and operators
• VSE – Administrators and operators
Prerequisite skills
Related documents
The following list identifies publications that contain information relevant to the information in this document.
Document Name | Document Number
Honeywell Forge Cybersecurity 1911 (Nov 2019) - Security Center Getting Started Guide | CS-HFCPE400en-1909A
Honeywell Forge Cybersecurity 1911 (Nov 2019) - Virtual Security Engine – User Guide | CS-HFCPE601en-1909A
Revision history
Revision | Supported Release | Date | Description
A | 1909 | September 2019 | First release of product under the Honeywell Forge Cybersecurity brand
A | Release 510.1 | August 2019 | This software is an upgrade-only release from Release 501.1
A | Release 500.1 | June 2019 | First release of product to Honeywell Enterprise customers
Contents
1. SECURITY CONSIDERATIONS
  1.1 Physical security: Secured zone
  1.2 Limiting access
    1.2.1 At the VSE level
    1.2.2 At the directory or file level
  1.3 Authorization measures
2. TERMS AND DEFINITIONS
3. INTRODUCTION
  3.1 Understanding the AssetPD solution
  3.2 The Definition of Asset
  3.3 Exploring the AssetPD architecture
4. INSTALLATION
  4.1 Installation prerequisites
    4.1.1 Configuring the mirror port
  4.2 Installation procedure
5. CONFIGURATION
  5.1 Configuring AssetPD
    5.1.1 Configuring the connection to remote VSE
    5.1.2 Configuration of sources
  5.2 Configuring network interfaces
  5.3 Configuring offline sources
6. RUNNING ASSETPD
  6.1 Getting AssetPD Results
A PROTOCOLS SUPPORTED BY ASSETPD
  A.1 Link layer protocol
  A.2 Internet protocol suite
  A.3 SCADA (Supervisory Control and Data Acquisition)
  A.4 Database
  A.5 Network file sharing protocol
  A.6 IT
  A.7 Routing protocol
  A.8 Discovery protocol
  A.9 Communication Protocol
B POSSIBLE ASSETPD VALUES
C CONFIGURING ASSETPD TO WORK FROM A VIRTUAL MACHINE
  C.1 Requirements
  C.2 Configuration process
List of Figures
Figure 3-1: AssetPD configuration screen
Figure 3-2: AssetPD architecture
Figure 4-1: Configuration of mirroring port
Figure 4-2: Pre-installation summary screen
Figure 5-1: Remote VSE configuration
Figure 5-2: List of NICs
Figure 5-3: Offline Sources tab
Figure 6-1: New Device with Asset Discovery Report Generator
Figure 6-2: Asset Discovery Report Generator product line
Figure 6-3: The Asset Discovery Report
Figure 6-4: The HTML Discovery Report
Figure 6-5: The Excel Discovery Report
Figure 6-6: Connection Type wizard page
Figure 6-7: Network Access wizard page
Figure 6-8: Switch properties
Figure 6-9: Virtual machine Hardware tab
Figure 6-10: Virtual machine Hardware tab
Figure 6-11: Selecting a network label
1. Security Considerations
This chapter outlines the security measures for Asset Passive Discovery (Asset PD).
1.1 Physical security: Secured zone
1.2 Limiting access
1.2.1 At the VSE level
1.2.2 At the directory or file level
1.3 Authorization measures
2. Terms and definitions
NOTE
The terms and definitions are listed in alphabetical order.
Term | Definition
asset |
communication server (CS) |
compliance |
device |
Essential security policy (ESP) |
execution profile |
Experion | Honeywell distributed control system (DCS)
HQ |
metropolitan area network (MAN) |
monitoring profile (MP) |
Network Interface Card (NIC) |
pcap files |
Perl |
product line |
Security Center (SC) |
site |
time server |
VSE |
3. Introduction
This chapter presents a brief introduction to Honeywell Forge Cybersecurity, the main functions of the Asset Passive Discovery (Asset PD), and the requirements for running the ESP.
3.1 Understanding the AssetPD solution
AssetPD is a tool which obtains network traffic from configured sources, parses this information, and identifies the detected assets. AssetPD is installed and configured on a Windows-operated computer.
By supporting several protocols with different formats, AssetPD gets traffic (raw
information) from the following sources:
• Recorded network traffic from pcap files (offline sources).
NOTE
AssetPD does not support pcapng files.
• Real-time network traffic from live switches.
AssetPD is activated by pressing Start in the AssetPD configuration screen.
AssetPD parses the packets from the given sources and identifies assets based on the
parsed information. Initially, all assets are classified as hosts. AssetPD collects and
coordinates all available information to identify each asset. When this process is
complete, assets whose classification has not been confirmed remain classified as
hosts, while other assets are classified as routers, printers, controllers and so on.
Customers are then provided with a detailed asset inventory, generated in HTML and
Excel formats.
The list of assets discovered by AssetPD is encrypted and sent to the VSE, where it is
displayed as a report. The VSE periodically synchronizes its asset database with the
AssetPD asset repository.
Figure 3-1: AssetPD configuration screen
NOTE
Because the entire operation consists of reading existing network traffic and analyzing its packets, without actively scanning the network, AssetPD does not consume any network traffic.
Asset Passive Discovery (Asset PD) is designed to meet the following needs:
• Security
Identification of all the network components is fundamental to network security.
Any unknown component is a potential security breach. An automated solution
verifies that all network components are known and monitored.
• Cost Efficiency
Manual inventory management can be inefficient and costly in terms of
manpower and money. An automated solution reduces the cost and time involved
in inventory management.
• Compliance and Regulations
Many industrial companies must comply with government regulations and obtain
the certifications of one or more organizations. Often the compliance policies
require constant monitoring and auditing of all machines and hardware being
used in the company. An automated solution facilitates and simplifies
compliance.
NOTE
For the list of protocols supported for asset discovery through AssetPD, see appendix A, Protocols supported by AssetPD.
3.2 The Definition of Asset
Assets can be included in one of the following groups:
• Host machines, such as PCs, laptops, database servers, printers.
• Field controllers, such as PLCs.
• Network components, such as routers and switches.
• Security components, such as firewalls.
• SCADA components, such as SCADA Gateways, HMIs, and Engineering Stations.
In the AssetPD asset repository, assets can be classified to one of several values. For
details see appendix B, Possible AssetPD values.
3.3 Exploring the AssetPD architecture
The following diagram illustrates the architecture of the AssetPD solution:
NOTE
Depending on your network topology and needs, it is possible to install AssetPD on
several machines that are not connected to the same network but are all connected
to the same VSE.
Figure 3-2. AssetPD architecture
The information flow is as follows:
1. Information about network traffic arrives at the AssetPD from the following sources:
  Network interfaces: a physical link between the AssetPD and a mirroring port, a dedicated network interface in a switch for capturing network traffic. For details about the mirroring port configuration see section 4.1.1, Configuring the mirror port.
  Pcap files: pcap files are used for storing recordings of network traffic. These can also include recordings of traffic in remote locations that are delivered by means such as a cellular network or a USB flash drive.
2. Information about each asset is collected and parsed.
3. After the AssetPD mechanism parses the information, the various elements that were collected are recognized. An asset discovery report is generated, listing all discovered assets and their classifications. This report is available from the VSE and is sent to the Security Center.
4. The list of assets discovered by AssetPD is encrypted and sent to the VSE, where it is displayed as a report. The report is available in both the VSE and the Security Center.
4. Installation
This chapter provides information for properly installing AssetPD.
4.1 Installation prerequisites
The minimum machine requirements for using the AssetPD are:
• Supported Windows distributions:
  Windows Server 2012 R2 Standard
  Windows Server 2016 Standard
• CPU – 4 cores
• RAM – 8 GB
NOTE
AssetPD can be installed on a virtual machine. For details see Appendix C,
Configuring AssetPD to work from a virtual machine.
NOTE
The set of recommended prerequisites varies based on parameters such as traffic
volume and environment size. To obtain the list most suitable for your needs, contact
Support.
AssetPD requires a connection to a VSE machine with the following configuration:
• VSE version 4.9.46 or higher, part of Honeywell Forge Cybersecurity 1911
• HTTPS communication support (see VSE Administration Guide - Configuring VSE to Support HTTPS).
• Honeywell Asset Discovery Report Generator product line imported.
4.1.1 Configuring the mirror port
To configure a mirror port:
1. Define the ports from which traffic is to be collected; in the example shown in the figure below, ports 1-3.
2. Define a target (mirror) port to be used for sniffing the requested network traffic packets.
3. Connect the mirror port to the AssetPD's NIC.
4.2 Installation procedure
The AssetPD package and supporting software must be installed on a Windows-operated computer in the industrial control network where the switches and assets are located. One AssetPD can be connected to multiple mirror ports.
The AssetPD package consists of the following:
• AssetPD application
• AssetPD Manager GUI Utility
To install the AssetPD:
1. Download the AssetPD installer to the target computer.
2. Run the installation wizard:
a. Accept the license agreement.
b. Choose whether to accept the default installation folder or to select another
folder.
c. Review the installation information as shown below.
Figure 4-1: Configuration of mirroring port
d. Once the installation completes, click Done to exit the wizard.
In addition to installing and setting up the AssetPD application, the AssetPD Manager
Installer automatically performs the following tasks:
• Creating a Java folder with AdoptOpenJDK Java 11.
• Installing WinPcap.
• Updating the AssetPD configuration file with the path to Java.
• Installing and setting up the AssetPD Manager GUI utility.
• Creating a desktop shortcut to the AssetPD Manager GUI.
Figure 4-2: Pre-installation summary screen
5. Configuration
This chapter describes the steps required for configuring AssetPD for both source
types (network interfaces and offline sources), as well as for connecting to a remote
VSE.
NOTE
Working from a virtual machine requires a special configuration. For details see
Appendix C, Configuring AssetPD to work from a virtual machine.
5.1 Configuring AssetPD
Configuring AssetPD requires local administrator privileges. AssetPD configuration consists of the following steps:
• Configuring the network interfaces and offline sources to be used for data collection.
• Downloading the VSE certificate. To enable HTTPS communication with the VSE, the AssetPD needs the VSE certificate.
• Connecting to the VSE using the following credentials: username, password, URL, certificate.
NOTE
Changes made to the AssetPD configuration only take effect after restarting the
service.
5.1.1 Configuring the connection to remote VSE
The AssetPD can transfer asset data to the target remote VSE only if an HTTPS connection is established with the remote VSE.
To get the information required for the HTTPS connection:
1. Open the AssetPD Manager and click the Remote VSE tab, as shown in the figure below.
2. Click Edit at the bottom of the screen, and enter values in the following fields: VSE URL, VSE Username, VSE Password.
3. Under VSE Certificate, click Browse. Browse to the downloaded VSE certificate
and select it.
4. Click Save.
5.1.2 Configuration of sources
An AssetPD can collect asset data only if at least one source is specified and activated.
For each source, specify:
• Source name – used by the VSE as the report name.
• Requested IP range (optional). It is possible to provide a list of IP ranges, separated
by space, by using the format shown below:
192.168.1.1/24 192.173.1.1/24
• Whether the source is activated or deactivated.
5.2 Configuring network interfaces
The network interface sources (NICs) are automatically discovered by AssetPD Manager. Each time you open the AssetPD Manager, the utility retrieves the current NICs and displays an updated list.
Figure 5-1: Remote VSE configuration
To configure an active network interface source:
1. Click the Network Interfaces tab.
2. Go to the requested row and click Edit on the right.
3. In the Source Name field, specify a name for the source.
4. Optionally, limit the search results by specifying one or more IP ranges.
5. Choose whether to activate or deactivate the source.
6. Click Save.
5.3 Configuring offline sources
To configure an offline source:
1. Click the Offline Sources tab.
2. Click Add. Alternatively, if the device already exists, click Edit.
3. In the Source Name field, enter a name for the source.
Figure 5-2: List of NICs
Figure 5-3: Offline Sources tab
4. Optionally, limit the search results by specifying an IP range. You can also enter a
comma-separated list of IP ranges.
5. Choose whether to activate or deactivate the source.
6. Click Save.
The Source Folder column now displays the words Open Folder. Clicking this link opens the folder for the relevant sniffer number; for example, …:\Program Files\AssetPD\offline\sniffer1.
NOTE
Each time a network interface or an offline source is added, the sniffer number is
incremented; for example, the first and second rows have their source pcap file in
folder sniffer0 and sniffer1, while the source file of the third row is found in folder
sniffer4.
6. Running AssetPD
To run AssetPD:
1. Ensure that you have configured:
All requested sources, both offline sources and network interfaces.
The connection to the VSE.
2. In the AssetPD Manager, in the upper right corner, click Start.
During the run of the Asset PD service, AssetPD updates the VSE with the
detected assets. This information is displayed in the VSE as a report, in both
HTML and Excel formats.
6.1 Getting AssetPD Results
To get Asset PD results:
1. Create a device in the VSE configured with the Honeywell Asset Discovery Report
Generator product line.
a. In the VSE, in Operations > Device Management, click NEW.
b. In the Product Line list, select Honeywell Asset Discovery Report Generator.
c. In the New Device fields, select or enter the requested values. In the Device
Address field, enter 127.0.0.1.
d. Click Save.
e. In the Add Device message, click OK.
2. Execute the Honeywell Asset Discovery Report Generator product line on the
device.
a. In the VSE, in Operations > Devices, in the Execution tab, select the device
configured with the Honeywell Asset Discovery Report Generator.
b. In the product line Profile Name list, select a profile name. The options are:
Figure 6-1: New Device with Asset Discovery Report Generator
o Get Last Generated Reports – Provides the last created results from the last successful execution of the report generator.
o Run Report Generator – Create a new report.
o Run Report Generator Every Morning – Automatically creates an
execution of the report generator every morning at 06:00.
c. Click Execute Once Now.
d. In the Activate Execution Profile message, click OK. The execution can take
several minutes.
3. Download the Asset Discovery Report.
a. In the VSE, in Operations > Devices, in the View Data tab, select the device configured with the Honeywell Asset Discovery Report Generator.
b. In the Profiles list locate the Get Last Generated Reports line and click the OK link in the status field.
c. In the Execution Result – View window, in the Collected Data object list,
locate the HTML Discovery Report and the XLSX Discovery Report objects.
To download the Asset Discovery Report, click on the link in the Value field in
the object with the requested format.
d. Open the downloaded Asset Discovery Report. The report details are
classified by Source.
Figure 6-2: Asset Discovery Report Generator product line
Figure 6-3: The Asset Discovery Report
To view the results in the HTML Discovery Report, in the Source dropdown
select the required source.
To view the results in the Excel Discovery Report, click on the sheet with the
required source name.
Figure 6-4: The HTML Discovery Report
Figure 6-5: The Excel Discovery Report
Appendices
This guide includes the following appendices:
• A, Protocols supported by AssetPD
• B, Possible AssetPD values
• C, Configuring AssetPD to work from a virtual machine
A Protocols supported by AssetPD
The following tables display the protocols that AssetPD uses to identify network assets.
A.1 Link layer protocol
Ethernet
  Description: A family of computer networking technologies commonly used in local area networks (LANs), metropolitan area networks (MANs), and wide area networks (WANs).
  Notes: Used for identifying the source and the destination MAC addresses. The source MAC address is used as part of the asset data.
  Supported: Yes
A.2 Internet protocol suite
ARP (Address Resolution Protocol)
  Description: A communication protocol used for discovering the link layer address associated with a given internet layer address.
  Notes: Used for identifying IPv4 source and destination IPs. The source IP is used as part of the asset data.
  Supported: Yes
BOOTP (Bootstrap Protocol)
  Description: A computer networking protocol used in Internet Protocol networks to automatically assign an IP address to network devices from a configuration server.
  Notes: On Internet Protocol networks, used to provide information on Subnet Mask, Gateway address, DNS server, hostname, FQDN (DNS name).
  Supported: Yes (as of 2.0.2)
Browser Service
  Description: A Windows protocol that enables users to easily browse and locate shared resources in neighboring computers.
  Notes: Used for identifying Windows OS names and detecting Domain Controller asset types.
  Supported: Yes
COTP (Connection Oriented Transport Protocol)
  Description: The connection transport protocol of the ISO Protocol Family.
  Notes: Supporting protocol for other protocols.
  Supported: Yes
DHCP (Dynamic Host Configuration Protocol)
  Description: A network management protocol used on UDP/IP networks. Using this protocol, a DHCP server dynamically assigns an IP address and other network configuration parameters to each device on a network so they can communicate with other IP networks.
  Notes: On UDP/IP networks, used to provide information on Subnet Mask, Gateway address, DNS server, hostname, FQDN (DNS name).
  Supported: Yes (as of 2.0.2)
DNS (Domain Name System)
  Description: A hierarchical and decentralized naming system for computers, services, or other resources connected to the Internet or a private network.
  Notes: Used to discover host names by analyzing the DNS answers.
  Supported: Yes
HTTP Headers
  Description: The name/value pairs that appear in the request and response message headers for Hypertext Transfer Protocol (HTTP). The HTTP request header includes information such as the type and version of the browser that generated the request, the OS used by the client, and the page that was requested.
  Notes: Used for identifying OS versions and hostnames.
  Supported: Yes
PROTOCOLS SUPPORTED BY ASSETPD
DocID CS-HFCPE603en-1911A 31
Protocol Description Notes Supported?
ICMP (Internet Control Message Protocol)
An error-reporting protocol used by network
devices to send error messages and operational
information.
Used for documenting the
protocol traffic. Yes
IPv4 (Internet Protocol version 4)
One of the core protocols of standards-based
internetworking methods in the Internet and other
packet-switched networks.
Used for identifying IPv4 source
and destination IPs. The source
IP is used as part of the of the
asset data.
Yes
LLMNR
(Link-Local Multicast Name Resolution)
Enables both IPv4 and IPv6 hosts to perform name
resolution for hosts on the same local link.
Used for identifying hostnames
of Windows machines.
Not yet
NBNS
(NetBIOS Name Service)
Part of the NetBIOS-over-TCP protocol suite. NBNS
translates human-readable names to IP addresses.
Used for identifying hostnames
of Windows machines.
Yes
NetBIOS (Network Basic Input/Output System) Datagram Service
Allows applications on computers to communicate
with one another over a local area network (LAN).
Datagram mode is connectionless; the application
is responsible for error detection and recovery.
Used for identifying hostnames
and group names of Windows
machines.
Yes
NTP (Network Time Protocol)
A networking protocol for clock synchronization
between computer systems over packet-switched,
variable-latency data networks.
Used for discovering Time
Servers. Yes
PROTOCOLS SUPPORTED BY ASSETPD
DocID CS-HFCPE603en-1911A 32
Protocol Description Notes Supported?
TCP (Transmission Control Protocol)
Provides host-to-host connectivity at the transport
layer of the Internet model.
Used for collecting information
about the TCP flags and TCP
source and destination ports.
The source port is used as part
of the asset data.
Yes
TPKT TPKT enables translating between two networking
protocol family models, Open Systems
Interconnection (OSI) and TCP/IP, by providing a
method to carry OSI data over TCP/IP networks.
Used for identifying S7COMM. Yes
UDP (User Datagram Protocol)
An alternative communications protocol to TCP
used primarily for establishing low-latency and
loss-tolerating connections between applications
on the internet.
Used for collecting information
about the UDP source and
destination ports. The source
port is used as part of the of the
asset data.
Yes
A.3 SCADA (Supervisory Control and Data Acquisition)

BACnet (Building Automation and Control)
  Description: Enables communication between building automation and control systems for applications (for example: heating, ventilating and fire detection systems) and their associated equipment.
  Notes: Used for identifying Building Management System controllers.
  Supported: Yes

CDA (Common Data Access)
  Description: The Experion native (Honeywell proprietary) internal communication protocol.
  Notes: Used to detect roles for C200 and C300 Programmable Logic Controllers (PLCs).
  Supported: Yes

DNP3 (Distributed Network Protocol)
  Description: A set of communications protocols used between components in process automation systems.
  Notes: Used for identifying HMIs and Field Controllers.
  Supported: Yes

Ethernet/IP
  Description: An industrial network protocol that adapts the Common Industrial Protocol (CIP) to standard Ethernet.
  Notes: Used for detecting Rockwell components.
  Supported: Yes

FTE (Fault Tolerant Ethernet)
  Description: The industrial control network of the Experion Process Knowledge System (PKS). Connects clusters or groups of nodes such as servers and stations, typically associated with the same process unit, and provides multiple communication paths between them so the network can tolerate all single faults and many multiple faults.
  Notes: Used to collect Experion component information.
  Supported: Yes

GOOSE (Generic Object-Oriented Substation Events)
  Description: Provides a fast and reliable mechanism for transferring event data over entire electrical substation networks. Ensures the same event message is received by multiple physical devices using multicast or broadcast services.
  Notes: Used to detect substation controllers.
  Supported: Yes

ICCP (Inter-Control Center Communications Protocol)
  Description: Provides data exchange over WANs between utility control centers, utilities, power pools, regional control centers, and Non-Utility Generators.
  Notes: Used to detect control centers.
  Supported: Yes

IEC104
  Description: The IEC 60870 set of standards defines systems used for telecontrol (supervisory control and data acquisition) in electrical engineering and power system automation applications. IEC 60870-5-101/102/103/104 are companion standards generated for basic telecontrol tasks, transmission of integrated totals, data exchange from protection equipment, and network access of IEC101, respectively.
  Notes: Used in the electronics industry, generic.
  Supported: Yes

MDLC (Motorola Data Link Communications)
  Description: Data communications protocol designed for shared two-way radio communication circuits. MDLC allows multiple logical communication channels per communication medium, allowing for simultaneous Host-to-RTU (Remote Terminal Unit), RTU-to-Host, and RTU-to-RTU data sessions. Used in oil & gas, water utilities, power utilities or geographically distributed systems.
  Notes: Used to detect Motorola controllers.
  Supported: Partial

MMS (Manufacturing Message Specification)
  Description: An international standard (ISO 9506) for messaging systems transferring real time process data and supervisory control information between networked devices or computer applications.
  Notes: Generic (common in ABB).
  Supported: Yes

Modbus TCP
  Description: Modbus is a serial communications protocol that enables communication among many devices connected to the same network.
  Notes: Used for identifying the asset type:
    • If the source port is 502, the type is Field Controller (e.g. PLC).
    • If the destination port is 502, the type is HMI (Human Machine Interface).
  Also used to collect additional parameters from the responder.
  Supported: Yes

OPC-DA (OPC Data Access)
  Description: A group of client-server standards that provide specifications for communicating real-time data from data acquisition devices such as PLCs to display and interface devices like Human-Machine Interfaces (HMI), SCADA systems, and ERP/MES systems. The specifications focus on the continuous communication of data.
  Notes: Used to detect OPC servers.
  Supported: Yes

PROFINET IO (Process Field Net)
  Description: An industry technical standard for data communication over Industrial Ethernet, designed for collecting data from, and controlling, equipment in industrial systems.
  Notes: Used to detect Fieldbus devices.
  Supported: Yes

S7COMM (based on COTP and TPKT)
  Description: A Siemens proprietary protocol that runs between programmable logic controllers (PLCs) of the Siemens S7-300/400 family. Used for PLC programming, exchanging data between PLCs, accessing PLC data from SCADA systems and diagnostic purposes.
  Notes: Used to identify Field Controllers (PLCs) and Engineering Stations. The S7COMM data comes as the payload of COTP data packets.
    • If the destination port is 102, the asset is an Engineering Station.
    • If the source port is 102, the asset type is Field Controller (PLC).
  Supported: Yes

Synchrophasor
  Description: A phasor measurement unit (PMU) is a device used to estimate the magnitude and phase angle (synchrophasor) of an electrical phasor quantity (such as voltage or current) in an electricity grid.
  Notes: Used to identify PMUs and PDCs.
  Supported: Yes
A.4 Database

TDS (Tabular Data Stream)
  Description: An application layer protocol used to transfer data between a database server and a client.
  Notes: Used to detect MSSQL servers.
  Supported: Yes

TNS (Transparent Network Substrate)
  Description: Supports homogeneous peer-to-peer connectivity on top of other networking technologies such as TCP/IP, SDP, and named pipes. TNS operates mainly for connection to Oracle databases.
  Notes: Used to detect Oracle servers (DB).
  Supported: Yes

MySQL Protocol
  Description: Protocol used between MySQL clients and servers.
  Notes: Used for identifying MySQL database clients and servers.
  Supported: Yes

A.5 Network file sharing protocol

SMB (Server Message Block)
  Description: An application-layer network protocol used for providing shared access to files, printers, and serial ports, and miscellaneous communications between nodes on a network. It also provides an authenticated inter-process communication mechanism.
  Notes: Generic protocol for Windows naming and file shares.
  Supported: Yes

A.6 IT

DCE/RPC (Distributed Computing Environment / Remote Procedure Calls)
  Description: DCE/RPC is a specification for a remote procedure call mechanism that defines both APIs and an over-the-network protocol.
  Notes: Supporting protocol for OPC-DA.
  Supported: Yes
A.7 Routing protocol

RIP (Routing Information Protocol)
  Description: A distance-vector routing protocol employing the hop count as a routing metric. Prevents routing loops by implementing a limit on the number of hops allowed in a path from source to destination.
  Notes: Used for identifying routers.
  Supported: Yes

IGRP (Interior Gateway Routing Protocol)
  Description: A distance vector interior gateway protocol (IGP), used by routers to exchange routing data within an autonomous system. Developed by Cisco, IGRP is a proprietary protocol.
  Notes: Used for identifying routers.
  Supported: Yes

OSPF (Open Shortest Path First)
  Description: A routing protocol for IP networks. It uses a link state routing (LSR) algorithm and falls into the group of interior gateway protocols (IGPs), operating within a single autonomous system (AS).
  Notes: Used for identifying routers.
  Supported: Yes

A.8 Discovery protocol

CDP (Cisco Discovery Protocol)
  Description: A proprietary Data Link Layer protocol developed by Cisco Systems, used to share information about other directly connected Cisco equipment, such as the operating system version and IP address.
  Notes: Used for identifying switches.
  Supported: Yes

LLDP (Link Layer Discovery Protocol)
  Description: A vendor-neutral link layer protocol in the Internet Protocol Suite used by network devices for advertising their identity, capabilities, and neighbors on an IEEE 802 local area network, principally wired Ethernet.
  Notes: Used for identifying switches.
  Supported: Yes

ISDP (Industry Standard Discovery Protocol)
  Description: A proprietary Layer 2 network protocol that interoperates with Cisco devices running the Cisco Discovery Protocol (CDP). ISDP is used to share information between neighboring devices. The switch software participates in the CDP protocol and can both discover and be discovered by other CDP-supporting devices.
  Notes: Used for identifying switches.
  Supported: No

A.9 Communication Protocol

SNMP (Simple Network Management Protocol)
  Description: An Internet Standard protocol for collecting and organizing information about managed devices on IP networks and for modifying that information to change device behavior. Devices that typically support SNMP include cable modems, routers, switches, servers, workstations, printers, and more.
  Notes: Network appliance detection and attributes.
  Supported: Yes
B Possible AssetPD values

In the AssetPD asset repository, assets can be classified to one of the following values:
• Host
• HMI (Human Machine Interface)
• Field Controller
• RTU (Remote Terminal Unit)
• PLC (Programmable Logic Controller)
• PMU (Phasor Measurement Unit)
• Control Center Server
• Domain Controller
• DNS Server
• Time Server
• Engineering Station
• Switch
• Router
• SCADA Gateway
• Security Appliance

Each asset record holds the following parameters:
• Source – The sniffer name or source it came from.
• Hostname – The machine hostname, if any.
• Group – The Workgroup/Domain name to which the asset belongs.
• OS – The operating system name.
• MAC address – The physical address of the asset.
• Manufacturer Name – The manufacturer name (vendor name).
• IP – The IP address of the asset. Only IPv4 is supported.
• Addr5, Addr6, Addr7 – Three parameters that hold values like the unit identifier in Modbus, related to SCADA protocols.
• Hops – Number of hops from the router.
• VLAN ID – The VLAN ID to which the asset belongs.
• DNS names – List of DNS names related to the asset.
• Services – Contains the list of identified ports that the asset uses. These ports tell us which services the asset runs, for example FTP (21), Telnet (23), SNMP (161), etc.
• Additional parameters map – Contains key/value pairs of additional information on the asset, such as information about the PLCs, sensors, SCADA info, vendor names, and product codes.
• Last updated – When the asset was last updated.
• Last Seen – When the asset was last "seen" (packets were received from it) on the network.
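The following is an added example, not AssetPD's own code, showing how the identification rules in Appendix A (the Modbus TCP port 502 and S7COMM port 102 rules, the DNS-answer, NTP, routing-protocol and discovery-protocol notes) produce the asset types and the record fields listed in this appendix. It folds constructed flow records (one per observed packet, no captured traffic) into an IPv4-keyed repository, filling IP, MAC address, Services, Addr5 and Last Seen. The record layout, the "first specific classification wins" ordering, the well-known-port rule for Services, the NTP mode-4 test and the function names are assumptions of this example, not the product's implementation; the DNS, NTP, router and switch rules generalize the one-line notes in Appendix A.

```python
"""Passive asset classification and inventory from flow records (added example)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Asset:
    ip: str
    mac: str
    asset_type: str = "Host"                     # default until a rule says otherwise
    services: set = field(default_factory=set)   # identified ports ("Services")
    extra: dict = field(default_factory=dict)    # "Additional parameters map"
    last_seen: int = 0                           # epoch seconds of the newest packet seen


def classify(rec):
    """Return an asset type for the packet's *source* host, or None.

    Modbus and S7COMM port rules are the ones stated in Appendix A; the DNS,
    NTP, routing and discovery rules are this example's generalization.
    """
    p, sp, dp = rec["proto"], rec["src_port"], rec["dst_port"]
    if p == "modbus":
        # Source port 502: responder is the controller; destination 502: client is an HMI.
        return "Field Controller" if sp == 502 else ("HMI" if dp == 502 else None)
    if p == "s7comm":
        return "Engineering Station" if dp == 102 else ("Field Controller" if sp == 102 else None)
    if p == "dns" and sp == 53:
        return "DNS Server"          # only answers (source port 53) identify the name server
    if p == "ntp" and rec.get("ntp_mode") == 4:
        return "Time Server"         # NTP mode 4 = server reply (assumes the mode is decoded)
    if p in ("ospf", "rip", "igrp"):
        return "Router"
    if p in ("cdp", "lldp"):
        return "Switch"
    return None


def build_inventory(flows):
    """Fold flow records into an IPv4-keyed asset repository."""
    assets = {}
    for rec in flows:
        try:
            if ipaddress.ip_address(rec["src_ip"]).version != 4:
                continue             # Appendix B: only IPv4 is supported
        except ValueError:
            continue
        a = assets.setdefault(rec["src_ip"], Asset(rec["src_ip"], rec["src_mac"]))
        a.last_seen = max(a.last_seen, rec["ts"])
        # Assumption: a well-known source port (1-1023) is a service the host offers.
        if 0 < rec["src_port"] < 1024:
            a.services.add(rec["src_port"])
        kind = classify(rec)
        if kind and a.asset_type == "Host":
            a.asset_type = kind      # first specific classification wins
        if "unit_id" in rec:
            a.extra["Addr5"] = rec["unit_id"]   # Modbus unit identifier goes to Addr5
    return assets


# Constructed flow records (not captured traffic): one per observed packet.
FLOWS = [
    {"src_ip": "10.0.0.10", "src_mac": "00:11:22:00:00:10", "dst_ip": "10.0.0.20",
     "src_port": 49152, "dst_port": 502, "proto": "modbus", "ts": 1572595200},
    {"src_ip": "10.0.0.20", "src_mac": "00:11:22:00:00:20", "dst_ip": "10.0.0.10",
     "src_port": 502, "dst_port": 49152, "proto": "modbus", "ts": 1572595201, "unit_id": 1},
    {"src_ip": "10.0.0.30", "src_mac": "00:11:22:00:00:30", "dst_ip": "10.0.0.40",
     "src_port": 50000, "dst_port": 102, "proto": "s7comm", "ts": 1572595202},
    {"src_ip": "10.0.0.40", "src_mac": "00:11:22:00:00:40", "dst_ip": "10.0.0.30",
     "src_port": 102, "dst_port": 50000, "proto": "s7comm", "ts": 1572595203},
    {"src_ip": "10.0.0.1", "src_mac": "00:11:22:00:00:01", "dst_ip": "10.0.0.10",
     "src_port": 53, "dst_port": 51000, "proto": "dns", "ts": 1572595204},
    {"src_ip": "10.0.0.2", "src_mac": "00:11:22:00:00:02", "dst_ip": "10.0.0.10",
     "src_port": 123, "dst_port": 123, "proto": "ntp", "ntp_mode": 4, "ts": 1572595205},
    {"src_ip": "10.0.0.254", "src_mac": "00:11:22:00:00:fe", "dst_ip": "224.0.0.5",
     "src_port": 0, "dst_port": 0, "proto": "ospf", "ts": 1572595206},
    {"src_ip": "fe80::1", "src_mac": "00:11:22:00:00:66", "dst_ip": "ff02::1",
     "src_port": 0, "dst_port": 0, "proto": "icmpv6", "ts": 1572595207},
    {"src_ip": "10.0.0.10", "src_mac": "00:11:22:00:00:10", "dst_ip": "10.0.0.1",
     "src_port": 51000, "dst_port": 53, "proto": "dns", "ts": 1572595210},
]

if __name__ == "__main__":
    for ip, a in sorted(build_inventory(FLOWS).items()):
        print(f"{ip:<12} {a.asset_type:<20} services={sorted(a.services)} "
              f"extra={a.extra} last_seen={a.last_seen}")
```

The classification is applied to the source host only, matching the Appendix A notes that the source IP and source port are what go into the asset data; a host's later packets (such as 10.0.0.10 sending a DNS query) refresh Last Seen without overriding an earlier specific classification, and IPv6 sources are dropped rather than inventoried.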
C Configuring AssetPD to work from a virtual machine

This appendix provides instructions for connecting and enabling a virtual machine (VM) under an ESXi platform to capture network traffic in promiscuous mode, namely capturing Ethernet frames addressed to other destinations, such as traffic from a mirror/SPAN port in an Ethernet switch.

C.1 Requirements

The prerequisites for the AssetPD configuration are:
• A source of network traffic to analyze in promiscuous mode (SPAN/mirror port in a switch).
• Administrator access to an ESXi server with at least one available and unused physical NIC.
• The network analyzer/sniffer virtual machine.

C.2 Configuration process

To configure AssetPD to work from a virtual machine:
1. Connect the SPAN/mirror port in the Ethernet switch directly to an available physical NIC in the ESXi server.
2. Log on to the ESXi configuration management using the vSphere client with an account that has administrator permissions.
3. In the vSphere management tree, select the server that hosts the AssetPD virtual machine.
4. Go to the Configuration tab and, from the Hardware menu on the left, click Networking.
5. Click Add Networking… to open the Add Networking wizard.
6. In the Connection Type wizard page, select the option Virtual Machine.
7. In the Network Access wizard page, select which physical NIC to connect to the SPAN/mirror port. While the choice shown below is vmnic1, you can select another value in other setups.
Figure 6-6: Connection Type wizard page
8. In the Connection Settings wizard page, give the newly created network a meaningful name, and do not select a VLAN ID.
9. Click Next and Finish to complete the wizard.
A new vSwitch is now displayed in the Networking window.
10. Click the Properties… link as shown below.
11. In the vSwitch tab, go to the Ports tab.
12. Select the vSwitch configuration and click Edit…
13. In the Properties dialog box that appears, under the Security tab, select the option Accept for the Promiscuous Mode policy exception.
Figure 6-7: Network Access wizard page
Figure 6-8: Switch properties
14. Click OK to close the dialog box.
15. Repeat steps 12 to 14 for the option Sniffer Network in the Properties window.
16. In the vSwitch Properties dialog box, ensure that the option Promiscuous Mode is enabled in both configuration items and close the dialog box.
17. Ensure that the network sniffer virtual machine is stopped.
18. Right-click this virtual machine and, from the menu that opens, click Edit Settings…
19. In the Virtual Machine Properties dialog box, go to the Hardware tab and click Add…
20. Select the option Ethernet Adapter and click Next.
21. Under the Network Connection section, select the label of the network you have just created and click Next.
Figure 6-9: Virtual machine Hardware tab
22. Check your settings and click Finish.
23. In the Virtual Machine Properties dialog box, click OK to save the new settings and close the dialog box.
Figure 6-11: Selecting a network label
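As an added check that is not part of the guide: after steps 13 to 16 the sniffer VM should receive unicast frames addressed to other hosts, because that is what the Promiscuous Mode policy exception permits; if the VM's adapter only sees its own unicast traffic plus broadcast and multicast, the vSwitch or port group policy did not take effect (or the SPAN session is not forwarding). The script below classifies frames by destination MAC from lines in the link-level format printed by `tcpdump -e`. The sample lines, the VM's MAC address (00:0c:29:aa:bb:cc) and the function names are constructed assumptions of this example.

```python
"""Verify that a sniffer VM sees foreign unicast frames (added example)."""
import re
from collections import Counter

# `tcpdump -e` prints "<time> <src mac> > <dst mac>, ethertype ..."; only the MAC pair matters here.
FRAME_RE = re.compile(r"^\S+ (?P<src>[0-9a-f:]{17}) > (?P<dst>[0-9a-f:]{17}),", re.IGNORECASE)

BROADCAST = "ff:ff:ff:ff:ff:ff"


def frame_class(dst_mac, own_mac):
    """Classify a frame by its destination MAC address."""
    dst_mac, own_mac = dst_mac.lower(), own_mac.lower()
    if dst_mac == own_mac:
        return "own-unicast"
    if dst_mac == BROADCAST:
        return "broadcast"
    if int(dst_mac.split(":")[0], 16) & 0x01:   # I/G bit set: group (multicast) address
        return "multicast"
    return "foreign-unicast"                      # delivered only in promiscuous mode


def summarize(lines, own_mac):
    """Count frames per class; lines without a link-level header are skipped."""
    counts = Counter()
    for line in lines:
        m = FRAME_RE.match(line)
        if not m:
            continue
        counts[frame_class(m.group("dst"), own_mac)] += 1
    return counts


def promiscuous_ok(counts):
    """True when at least one frame destined to another host was delivered."""
    return counts["foreign-unicast"] > 0


# Constructed sample of `tcpdump -e` output (not a real capture). The VM's own
# adapter is assumed to be 00:0c:29:aa:bb:cc; 10.0.0.20:502 -> 10.0.0.10 is the
# mirrored Modbus reply between two other hosts that proves promiscuous mode works.
SAMPLE = """\
10:00:01.000001 00:50:56:00:00:01 > 00:0c:29:aa:bb:cc, ethertype IPv4 (0x0800), length 98: 10.0.0.1 > 10.0.0.5: ICMP echo request, id 1, seq 1, length 64
10:00:01.000250 00:1b:1b:00:00:20 > 00:1b:1b:00:00:10, ethertype IPv4 (0x0800), length 66: 10.0.0.20.502 > 10.0.0.10.49152: Flags [P.], seq 1:13, ack 13, win 512, length 12
10:00:01.000900 00:1b:1b:00:00:10 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.0.0.20 tell 10.0.0.10, length 46
10:00:02.000000 00:1b:1b:00:00:fe > 01:00:5e:00:00:05, ethertype IPv4 (0x0800), length 82: 10.0.0.254 > 224.0.0.5: OSPFv2, Hello, length 48
10:00:03.000000 IP 10.0.0.1 > 10.0.0.5: ICMP echo request, id 1, seq 2, length 64
""".splitlines()

OWN_MAC = "00:0c:29:aa:bb:cc"

if __name__ == "__main__":
    counts = summarize(SAMPLE, OWN_MAC)
    print(dict(counts))
    print("promiscuous delivery:", "OK" if promiscuous_ok(counts) else "NOT WORKING")
```

Run it against a short capture taken on the VM's sniffer adapter (for example the output of `tcpdump -e -c 200` piped into a file) once the VM is powered on after step 23; a result with no foreign-unicast frames over a reasonable sample is the first thing to re-check in the vSwitch and port group Security settings.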
CS-HFCPE603en-1911A November 2019 © 2019 Honeywell International Sàrl
Honeywell Process Solutions
1250 W Sam Houston Pkwy S #150, Houston,
TX 77042
Honeywell House, Skimped Hill Lane
Bracknell, Berkshire, RG12 1EB Building #1, 555 Huanke Road, Zhangjiang
Hi-Tech Park,
Pudong New Area, Shanghai, China 201203
www.honeywellprocess.com