
HONEYWELL FORGE CYBERSECURITY PLATFORM

1911 (NOV 2019)

Asset Passive Discovery (Asset PD)

User Guide

CS-HFCPE603en-1911A

November 2019


DISCLAIMER

This document contains Honeywell proprietary information. Information contained herein is to be used solely for the purpose submitted, and no part of this document or its contents shall be reproduced, published, or disclosed to a third party without the express permission of Honeywell International Sàrl.

While this information is presented in good faith and believed to be accurate, Honeywell disclaims the implied warranties of merchantability and fitness for a purpose and makes no express warranties except as may be stated in its written agreement with and for its customer.

In no event is Honeywell liable to anyone for any direct, special, or consequential damages. The information and specifications in this document are subject to change without notice.

Copyright 2019 – Honeywell International Sàrl


Notices

Trademarks

Experion®, PlantScape®, SafeBrowse®, TotalPlant®, and TDC 3000® are registered trademarks of Honeywell International, Inc.

ControlEdge™ is a trademark of Honeywell International, Inc.

OneWireless™ is a trademark of Honeywell International, Inc.

Matrikon® and MatrikonOPC™ are trademarks of Matrikon International. Matrikon International is a business unit of Honeywell International, Inc.

Movilizer® is a registered trademark of Movilizer GmbH. Movilizer GmbH is a business unit of Honeywell International, Inc.

Other trademarks

Trademarks that appear in this document are used only to the benefit of the trademark owner, with no intention of trademark infringement.

Third-party licenses

This product may contain or be derived from materials, including software, of third parties. The third party materials may be subject to licenses, notices, restrictions and obligations imposed by the licensor.

The licenses, notices, restrictions and obligations, if any, may be found in the materials accompanying the product, in the documents or files accompanying such third party materials, or in a file named third_party_licenses on the media containing the product.

Legal Notices

• "Ethernet/IP"

• "COTP"

• "TPKT"

• "Link-Local Multicast Name Resolution"

• "Server Message Block"

• "Tabular Data Stream"

• "Transparent Network Substrate"

• "DNP3"


• "EtherCAT"

• "IEC 60870 5"

• "Generic Substation Events"

• "BACnet"

• "Manufacturing Message Specification"

• "ICCP Protocol"

• "DCERPC"

• "OPC Data Access"

• "PROFINET"

• "Profibus"

• "Routing Information Protocol"

• "Interior Gateway Routing Protocol"

• "Open Shortest Path First"

• "Cisco Discovery Protocol"

• "Link Layer Discovery Protocol"

• "Simple Network Management Protocol"

These articles are released under the Creative Commons Attribution-Share-Alike License 3.0.

Documentation feedback

You can find the most up-to-date documents on the Honeywell Process Solutions support website at:

http://www.honeywellprocess.com/support

If you have comments about Honeywell Process Solutions documentation, send your feedback to:

[email protected]

Use this email address to provide feedback, or to report errors and omissions in the documentation. For immediate help with a technical problem, contact your local Honeywell Process Solutions Customer Contact Center (CCC) or Honeywell Technical Assistance Center (TAC).


How to report a security vulnerability

For the purpose of submission, a security vulnerability is defined as a software defect or weakness that can be exploited to reduce the operational or security capabilities of the software.

Honeywell investigates all reports of security vulnerabilities affecting Honeywell products and services.

To report a potential security vulnerability against any Honeywell product, please follow the instructions at:

https://honeywell.com/pages/vulnerabilityreporting.aspx

Submit the requested information to Honeywell using one of the following methods:

Send an email to [email protected].

or

Contact your local Honeywell Process Solutions Customer Contact Center (CCC) or Honeywell Technical Assistance Center (TAC) listed in the “Support” section of this document.

Support

For support, contact your local Honeywell Process Solutions Customer Contact Center (CCC). To find your local CCC visit the website, https://www.honeywellprocess.com/en-US/contact-us/customer-support-contacts/Pages/default.aspx.

Training classes

Honeywell holds technical training classes that are taught by process control systems experts. For more information about these classes, contact your Honeywell representative, or see http://www.automationcollege.com.


About this Guide

This guide describes how to configure and use the Asset Passive Discovery (Asset PD), the solution that enables the VSE to collect information about the network assets that the VSE can access.

Scope

Intended audience

This guide is for people who are responsible for the configuration and operation of Asset Passive Discovery (Asset PD) on the Security Center and VSEs:

• Initial Settings - Professional Services, Support, or IT personnel
• Security Center – Administrators and operators
• VSE – Administrators and operators

Prerequisite skills

Related documents

The following list identifies publications that contain information relevant to the information in this document.

Document Name                                                                            Document Number
Honeywell Forge Cybersecurity 1911 (Nov 2019) - Security Center Getting Started Guide    CS-HFCPE400en-1909A
Honeywell Forge Cybersecurity 1911 (Nov 2019) - Virtual Security Engine – User Guide     CS-HFCPE601en-1909A

Revision history

Revision  Supported Release  Date            Description
A         1909               September 2019  First release of product under the Honeywell Forge Cybersecurity brand


A         Release 510.1      August 2019     This software is an upgrade-only release from Release 501.1
A         Release 500.1      June 2019       First release of product to Honeywell Enterprise customers


Contents

1. SECURITY CONSIDERATIONS
   1.1 Physical security
       Secured zone
   1.2 Limiting access
       1.2.1 At the VSE level
       1.2.2 At the directory or file level
   1.3 Authorization measures
2. TERMS AND DEFINITIONS
3. INTRODUCTION
   3.1 Understanding the AssetPD solution
   3.2 The Definition of Asset
   3.3 Exploring the AssetPD architecture
4. INSTALLATION
   4.1 Installation prerequisites
       4.1.1 Configuring the mirror port
   4.2 Installation procedure
5. CONFIGURATION
   5.1 Configuring AssetPD
       5.1.1 Configuring the connection to remote VSE
       5.1.2 Configuration of sources
   5.2 Configuring network interfaces
   5.3 Configuring offline sources
6. RUNNING ASSETPD
   6.1 Getting AssetPD Results
A PROTOCOLS SUPPORTED BY ASSETPD
   A.1 Link layer protocol
   A.2 Internet protocol suite
   A.3 SCADA (Supervisory Control and Data Acquisition)
   A.4 Database
   A.5 Network file sharing protocol
   A.6 IT
   A.7 Routing protocol
   A.8 Discovery protocol
   A.9 Communication Protocol
B POSSIBLE ASSETPD VALUES


C CONFIGURING ASSETPD TO WORK FROM A VIRTUAL MACHINE
   C.1 Requirements
   C.2 Configuration process


List of Figures

FIGURE 3-1: ASSETPD CONFIGURATION SCREEN
FIGURE 3-2. ASSETPD ARCHITECTURE
FIGURE 4-1: CONFIGURATION OF MIRRORING PORT
FIGURE 4-2: PRE-INSTALLATION SUMMARY SCREEN
FIGURE 5-1: REMOTE VSE CONFIGURATION
FIGURE 5-2: LIST OF NICS
FIGURE 5-3: OFFLINE SOURCES TAB
FIGURE 6-1: NEW DEVICE WITH ASSET DISCOVERY REPORT GENERATOR
FIGURE 6-2: ASSET DISCOVERY REPORT GENERATOR PRODUCT LINE
FIGURE 6-3: THE ASSET DISCOVERY REPORT
FIGURE 6-4: THE HTML DISCOVERY REPORT
FIGURE 6-5: THE EXCEL DISCOVERY REPORT
FIGURE 6-6: CONNECTION TYPE WIZARD PAGE
FIGURE 6-7: NETWORK ACCESS WIZARD PAGE
FIGURE 6-8: SWITCH PROPERTIES
FIGURE 6-9: VIRTUAL MACHINE HARDWARE TAB
FIGURE 6-10: VIRTUAL MACHINE HARDWARE TAB
FIGURE 6-11: SELECTING A NETWORK LABEL


1. Security Considerations

This chapter outlines the security measures for Asset Passive Discovery (Asset PD).

1.1 Physical security

Secured zone

1.2 Limiting access

1.2.1 At the VSE level

1.2.2 At the directory or file level

1.3 Authorization measures


2. Terms and definitions

NOTE
The terms and definitions are listed in alphabetical order.

Term                               Definition
asset
communication server (CS)
compliance
device
Essential security policy (ESP)
execution profile
Experion                           Honeywell distributed control system (DCS)
HQ
metropolitan area network (MAN)
monitoring profile (MP)
Network Interface Card (NIC)
pcap files
Perl
product line
Security Center (SC)
site
time server


VSE


3. Introduction

This chapter presents a brief introduction to Honeywell Forge Cybersecurity, the main functions of the Asset Passive Discovery (Asset PD), and requirements for running the ESP.

3.1 Understanding the AssetPD solution

AssetPD is a tool that obtains network traffic from configured sources, parses this information, and identifies the detected assets. AssetPD is installed and configured on a Windows-operated computer.

By supporting several protocols with different formats, AssetPD gets traffic (raw information) from the following sources:

• Recorded network traffic from pcap files (offline sources).

  NOTE
  AssetPD does not support pcapng files.

• Real-time network traffic from live switches.

AssetPD is activated by pressing Start in the AssetPD configuration screen.

AssetPD parses the packets from the given sources and identifies assets based on the parsed information. Initially, all assets are classified as hosts. AssetPD collects and coordinates all available information to identify each asset. When this process is complete, assets whose classification has not been confirmed remain classified as hosts, while other assets are classified as routers, printers, controllers and so on.

Customers are then provided with a detailed asset inventory, generated in HTML and Excel formats.

The list of assets discovered by AssetPD is encrypted and sent to the VSE, where it is displayed as a report. The VSE periodically synchronizes its asset database with the AssetPD asset repository.

Figure 3-1: AssetPD configuration screen


NOTE
Because the entire operation involves reading existing network traffic by analyzing the packets, without actively scanning the network, AssetPD does not consume any network bandwidth.

Asset Passive Discovery (Asset PD) is designed to meet the following needs:

• Security
  Identification of all the network components is fundamental to network security. Any unknown component is a potential security breach. An automated solution verifies that all network components are known and monitored.

• Cost Efficiency
  Manual inventory management can be inefficient and costly in terms of manpower and money. An automated solution reduces the cost and time involved in inventory management.

• Compliance and Regulations
  Many industrial companies must comply with government regulations and obtain the certifications of one or more organizations. Often the compliance policies require constant monitoring and auditing of all machines and hardware being used in the company. An automated solution facilitates and simplifies compliance.

NOTE
For the list of protocols supported for asset discovery through AssetPD, see appendix A, Protocols supported by AssetPD.

3.2 The Definition of Asset

Assets can be included in one of the following groups:

• Host machines, such as PCs, laptops, database servers, printers.
• Field controllers, such as PLCs.
• Network components, such as routers and switches.
• Security components, such as firewalls.
• SCADA components, such as SCADA Gateways, HMIs, and Engineering Stations.

In the AssetPD asset repository, each asset is classified as one of several values. For details see appendix B, Possible AssetPD values.


3.3 Exploring the AssetPD architecture

The following diagram illustrates the architecture of the AssetPD solution:

NOTE
Depending on your network topology and needs, it is possible to install AssetPD on several machines that are not connected to the same network but are all connected to the same VSE.

Figure 3-2. AssetPD architecture


The information flow is as follows:

1. Information about network traffic arrives at the AssetPD from the following sources:

   • Network interfaces
     Physical link between the AssetPD and a mirroring port – a dedicated network interface in a switch for capturing network traffic. For details about the mirroring port configuration see section 4.1.1, Configuring the mirror port.

   • Pcap files
     Pcap files are used for storing recordings of network traffic. These can also include recordings of traffic in remote locations that are brought in by means such as a cellular network or a USB flash drive.

2. Information about each asset is collected and parsed.

3. After the AssetPD mechanism parses the information, the various elements that were collected are recognized.

   An asset discovery report is generated, listing all discovered assets and their classifications. This report is available from the VSE and is sent to the Security Center.

4. The list of assets discovered by AssetPD is encrypted and sent to the VSE, where it is displayed as a report.

   The report is available in both the VSE and the Security Center.


4. Installation

This chapter provides information for properly installing AssetPD.

4.1 Installation prerequisites

The minimum machine requirements for using the AssetPD are:

• AssetPD supports the following Windows distributions:
    o Windows Server 2012 R2 Standard
    o Windows Server 2016 Standard
• CPU – 4 cores
• RAM – 8 GB

NOTE
AssetPD can be installed on a virtual machine. For details see Appendix C, Configuring AssetPD to work from a virtual machine.

NOTE
The set of recommended prerequisites varies based on parameters such as traffic volume and environment size. To obtain the list most suitable for your needs, contact Support.

AssetPD requires a connection to a VSE machine with the following configuration:

• VSE version 4.9.46 or higher, part of Honeywell Forge Cybersecurity 1911
• HTTPS communication support (see VSE Administration Guide - Configuring VSE to Support HTTPS).
• Honeywell Asset Discovery Report Generator product line imported.

4.1.1 Configuring the mirror port

To configure a mirror port:

1. Define the ports from which traffic is to be collected; in the example shown in the figure below, ports 1-3.
2. Define a target (mirror) port to be used for sniffing the requested network traffic packets.
3. Connect the mirror port to the AssetPD’s NIC.

Figure 4-1: Configuration of mirroring port

4.2 Installation procedure

The AssetPD package and supporting software must be installed on a Windows-operated computer in the industrial control network where the switches and assets are located. One AssetPD can be connected to multiple mirror ports.

The AssetPD package consists of the following:

• AssetPD application
• AssetPD Manager GUI Utility

To install the AssetPD:

1. Download the AssetPD installer to the target computer.
2. Run the installation wizard:
   a. Accept the license agreement.
   b. Choose whether to accept the default installation folder or to select another folder.
   c. Review the installation information as shown below.

      Figure 4-2: Pre-installation summary screen

   d. Once the installation completes, click Done to exit the wizard.

In addition to installing and setting up the AssetPD application, the AssetPD Manager Installer automatically performs the following tasks:

• Creating a Java folder with AdoptOpenJDK Java 11.
• Installing WinPcap.
• Updating the AssetPD configuration file with the path to Java.
• Installing and setting up the AssetPD Manager GUI utility.
• Creating a desktop shortcut to the AssetPD Manager GUI.


5. Configuration

This chapter describes the steps required for configuring AssetPD for both source types (network interfaces and offline sources), as well as for connecting to a remote VSE.

NOTE
Working from a virtual machine requires a special configuration. For details see Appendix C, Configuring AssetPD to work from a virtual machine.

5.1 Configuring AssetPD

Configuring AssetPD requires local administrator privileges. AssetPD configuration consists of the following steps:

• Configuring the network interfaces and offline sources to be used for data collection.
• Downloading the VSE certificate.
  To enable HTTPS communication with the VSE, the AssetPD needs the VSE certificate.
• Connecting to the VSE using the following credentials:
    o username
    o password
    o URL
    o Certificate

NOTE
Changes made to the AssetPD configuration only take effect after restarting the service.

5.1.1 Configuring the connection to remote VSE

The AssetPD can transfer asset data to the target remote VSE only if an HTTPS connection is established with the remote VSE.

To get the information required for the HTTPS connection:

1. Open the AssetPD Manager and click the Remote VSE tab, as shown in the figure below.

   Figure 5-1: Remote VSE configuration

2. Click Edit at the bottom of the screen, and enter values in the following fields:
    o VSE URL
    o VSE Username
    o VSE Password
3. Under VSE Certificate, click Browse. Browse to the downloaded VSE certificate and select it.
4. Click Save.

5.1.2 Configuration of sources

An AssetPD can collect asset data only if at least one source is specified and activated.

For each source, specify:

• Source name – used by the VSE as the report name.
• Requested IP range (optional). It is possible to provide a list of IP ranges, separated by space, by using the format shown below:
  192.168.1.1/24 192.173.1.1/24
• Whether the source is activated or deactivated.

5.2 Configuring network interfaces

The network interface sources (NICs) are automatically discovered by AssetPD Manager. Each time you open the AssetPD Manager, the utility retrieves the current NICs and displays an updated list.

Figure 5-2: List of NICs

To configure an active network interface source:

1. Click the Network Interfaces tab.
2. Go to the requested row and click Edit on the right.
3. In the Source Name field, specify a name for the source.
4. Optionally, limit the search results by specifying one or more IP ranges.
5. Choose whether to activate or deactivate the source.
6. Click Save.

5.3 Configuring offline sources

To configure an offline source:

1. Click the Offline Sources tab.

   Figure 5-3: Offline Sources tab

2. Click Add. Alternatively, if the device already exists, click Edit.
3. In the Source Name field, enter a name for the source.
4. Optionally, limit the search results by specifying an IP range. You can also enter a comma-separated list of IP ranges.
5. Choose whether to activate or deactivate the source.
6. Click Save.

   The Source Folder column now displays the words Open Folder. Clicking this prompt opens a folder with the relevant sniffer number; for example, …:\Program Files\AssetPD\offline\sniffer1.

NOTE
Each time a network interface or an offline source is added, the sniffer number is incremented; for example, the first and second rows have their source pcap file in folder sniffer0 and sniffer1, while the source file of the third row is found in folder sniffer4.
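A pre-flight check for a capture file before it is placed in an offline source folder, added here as an example (it is not Honeywell code and does not describe how AssetPD is implemented): it tells classic pcap from pcapng, which section 3.1 says is unsupported, and previews which IPv4 sources fall inside a range list written in the format of section 5.1.2. The function names, the constructed sample capture, the handling of VLAN tags and ARP, and the acceptance of both space and comma separators are assumptions of this example.

```python
import ipaddress
import re
import struct

# Classic libpcap magic numbers mapped to the struct byte-order prefix.
# The last two entries are the nanosecond-timestamp variant of the format.
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",
    b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">",
}
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"  # pcapng Section Header Block type
LINKTYPE_ETHERNET = 1


def capture_format(data):
    """Classify a capture by its first four bytes: pcap, pcapng or unknown."""
    if data[:4] in PCAP_MAGICS:
        return "pcap"
    return "pcapng" if data[:4] == PCAPNG_MAGIC else "unknown"


def parse_ranges(text):
    """Parse a range list such as '192.168.1.1/24 192.173.1.1/24'."""
    # strict=False: the guide's sample has host bits set (.1/24), which
    # ipaddress rejects by default. Commas are accepted as well as spaces.
    return [ipaddress.ip_network(tok, strict=False)
            for tok in re.split(r"[,\s]+", text.strip()) if tok]


def iter_frames(data):
    """Yield Ethernet frames from a classic pcap byte string."""
    kind = capture_format(data)
    if kind != "pcap" or len(data) < 24:
        raise ValueError("need a complete classic pcap header, got " + kind)
    order = PCAP_MAGICS[data[:4]]
    if struct.unpack(order + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    offset = 24                       # skip the 24-byte global header
    while offset + 16 <= len(data):   # each record has a 16-byte header
        incl_len = struct.unpack(order + "I", data[offset + 8:offset + 12])[0]
        frame = data[offset + 16:offset + 16 + incl_len]
        if len(frame) < incl_len:
            break                     # truncated final record
        yield frame
        offset += 16 + incl_len


def preview_assets(data, ranges_text=""):
    """Map each in-range IPv4 source address to the MACs seen using it."""
    ranges = parse_ranges(ranges_text)
    assets = {}
    for frame in iter_frames(data):
        if len(frame) < 14:
            continue
        ethertype, payload = struct.unpack("!H", frame[12:14])[0], frame[14:]
        if ethertype == 0x8100 and len(payload) >= 4:    # 802.1Q VLAN tag
            ethertype, payload = struct.unpack("!H", payload[2:4])[0], payload[4:]
        if ethertype == 0x0800 and len(payload) >= 20:   # IPv4 source address
            # For routed traffic this MAC is the last-hop router, not the host.
            ip, mac = payload[12:16], frame[6:12]
        elif ethertype == 0x0806 and len(payload) >= 28:  # ARP sender fields
            ip, mac = payload[14:18], payload[8:14]
        else:
            continue
        addr = ipaddress.IPv4Address(ip)
        if ranges and not any(addr in net for net in ranges):
            continue
        assets.setdefault(str(addr), set()).add(":".join(f"{b:02x}" for b in mac))
    return assets


def build_sample_pcap():
    """Constructed capture: two in-range talkers and one out-of-range host."""
    def ip(a):
        return ipaddress.IPv4Address(a).packed

    def eth(src_mac, ethertype, payload):
        return (b"\xff" * 6 + bytes.fromhex(src_mac)
                + struct.pack("!H", ethertype) + payload)

    def ipv4(src, dst):
        return b"\x45\x00" + struct.pack("!H", 20) + bytes(8) + ip(src) + ip(dst)

    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + bytes.fromhex("00aabbccddee")
           + ip("192.168.1.30") + bytes(6) + ip("192.168.1.1"))
    frames = [
        eth("001122334455", 0x0800, ipv4("192.168.1.10", "192.168.1.20")),
        eth("00aabbccddee", 0x0806, arp),
        eth("001122334466", 0x0800, ipv4("10.0.0.5", "192.168.1.10")),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    print(preview_assets(build_sample_pcap(), "192.168.1.1/24 192.173.1.1/24"))
```

A file reported as pcapng has to be converted to classic pcap with a capture tool before AssetPD can read it as an offline source.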


6. Running AssetPD

To run AssetPD:

1. Ensure that you have configured:

• All requested sources, both offline sources and network interfaces.

• The connection to the VSE.

2. In the AssetPD Manager, in the upper right corner, click Start.

During the run of the Asset PD service, AssetPD updates the VSE with the detected assets. This information is displayed in the VSE as a report, in both HTML and Excel formats.

6.1 Getting AssetPD Results

To get Asset PD results:

1. Create a device in the VSE configured with the Honeywell Asset Discovery Report Generator product line.

a. In the VSE, in Operations > Device Management, click NEW.

b. In the Product Line list, select Honeywell Asset Discovery Report Generator.

c. In the New Device fields, select or enter the requested values. In the Device Address field, enter 127.0.0.1.

d. Click Save.

e. In the Add Device message, click OK.

Figure 6-1: New Device with Asset Discovery Report Generator

2. Execute the Honeywell Asset Discovery Report Generator product line on the device.

a. In the VSE, in Operations > Devices, in the Execution tab, select the device configured with the Honeywell Asset Discovery Report Generator.

b. In the product line Profile Name list, select a profile name. The options are:

o Get Last Generated Reports – Provides the last created results from the last successful execution of the report generator.

o Run Report Generator – Creates a new report.

o Run Report Generator Every Morning – Automatically runs the report generator every morning at 06:00.

c. Click Execute Once Now.

d. In the Activate Execution Profile message, click OK. The execution can take several minutes.

3. Download the Asset Discovery Report.

a. In the VSE, in Operations > Devices, in the View Data tab, select the device configured with the Honeywell Asset Discovery Report Generator.

b. In the Profiles list, locate the Get Last Generated Reports line and click the OK link in the status field.

c. In the Execution Result – View window, in the Collected Data object list, locate the HTML Discovery Report and the XLSX Discovery Report objects. To download the Asset Discovery Report, click the link in the Value field in the object with the requested format.

d. Open the downloaded Asset Discovery Report. The report details are classified by Source.

Figure 6-2: Asset Discovery Report Generator product line

Figure 6-3: The Asset Discovery Report

To view the results in the HTML Discovery Report, in the Source dropdown select the required source.

To view the results in the Excel Discovery Report, click the sheet with the required source name.

Figure 6-4: The HTML Discovery Report

Figure 6-5: The Excel Discovery Report

Appendices

This guide includes the following appendices:

• A, Protocols supported by AssetPD

• B, Possible AssetPD values

• C, Configuring AssetPD to work from a virtual machine

A Protocols supported by AssetPD

The following tables display the protocols that AssetPD uses to identify network assets.

A.1 Link layer protocol

| Protocol | Description | Notes | Supported? |
|---|---|---|---|
| Ethernet | A family of computer networking technologies commonly used in local area networks (LANs), metropolitan area networks (MANs), and wide area networks (WANs). | Used for identifying the source and the destination MAC addresses. The source MAC address is used as part of the asset data. | Yes |

A.2 Internet protocol suite

| Protocol | Description | Notes | Supported? |
|---|---|---|---|
| ARP (Address Resolution Protocol) | A communication protocol used for discovering the link layer address associated with a given internet layer address. | Used for identifying IPv4 source and destination IPs. The source IP is used as part of the asset data. | Yes |
| BOOTP (Bootstrap Protocol) | A computer networking protocol used in Internet Protocol networks to automatically assign an IP address to network devices from a configuration server. | On Internet Protocol networks, used to provide information on Subnet Mask, Gateway address, DNS server, hostname, FQDN (DNS name). | Yes (as of 2.0.2) |
| Browser Service | A Windows protocol that enables users to easily browse and locate shared resources in neighboring computers. | Used for identifying Windows OS names and detecting Domain Controller asset types. | Yes |
| COTP (Connection Oriented Transport Protocol) | The connection transport protocol of the ISO Protocol Family. | Supporting protocol for other protocols. | Yes |
| DHCP (Dynamic Host Configuration Protocol) | A network management protocol used on UDP/IP networks. Using this protocol, a DHCP server dynamically assigns an IP address and other network configuration parameters to each device on a network so they can communicate with other IP networks. | On UDP/IP networks, used to provide information on Subnet Mask, Gateway address, DNS server, hostname, FQDN (DNS name). | Yes (as of 2.0.2) |
| DNS (Domain Name System) | A hierarchical and decentralized naming system for computers, services, or other resources connected to the Internet or a private network. | Used to discover host names by analyzing the DNS answers. | Yes |
| HTTP Headers | The name or value pairs that are displayed in the request and response message headers for Hypertext Transfer Protocol (HTTP). The HTTP request header includes information such as the type and version of the browser that generated the request, the OS used by the client, and the page that was requested. | Used for identifying OS versions and hostnames. | Yes |
| ICMP (Internet Control Message Protocol) | An error-reporting protocol used by network devices to send error messages and operational information. | Used for documenting the protocol traffic. | Yes |
| IPv4 (Internet Protocol version 4) | One of the core protocols of standards-based internetworking methods in the Internet and other packet-switched networks. | Used for identifying IPv4 source and destination IPs. The source IP is used as part of the asset data. | Yes |
| LLMNR (Link-Local Multicast Name Resolution) | Enables both IPv4 and IPv6 hosts to perform name resolution for hosts on the same local link. | Used for identifying hostnames of Windows machines. | Not yet |
| NBNS (NetBIOS Name Service) | Part of the NetBIOS-over-TCP protocol suite. NBNS translates human-readable names to IP addresses. | Used for identifying hostnames of Windows machines. | Yes |
| NetBIOS (Network Basic Input/Output System) Datagram Service | Allows applications on computers to communicate with one another over a local area network (LAN). Datagram mode is connectionless; the application is responsible for error detection and recovery. | Used for identifying hostnames and group names of Windows machines. | Yes |
| NTP (Network Time Protocol) | A networking protocol for clock synchronization between computer systems over packet-switched, variable-latency data networks. | Used for discovering Time Servers. | Yes |
| TCP (Transmission Control Protocol) | Provides host-to-host connectivity at the transport layer of the Internet model. | Used for collecting information about the TCP flags and TCP source and destination ports. The source port is used as part of the asset data. | Yes |
| TPKT | TPKT enables translating between two networking protocol family models, Open Systems Interconnection (OSI) and TCP/IP, by providing a method to carry OSI data over TCP/IP networks. | Used for identifying S7COMM. | Yes |
| UDP (User Datagram Protocol) | An alternative communications protocol to TCP used primarily for establishing low-latency and loss-tolerating connections between applications on the internet. | Used for collecting information about the UDP source and destination ports. The source port is used as part of the asset data. | Yes |

A.3 SCADA (Supervisory Control and Data Acquisition)

| Protocol | Description | Notes | Supported? |
|---|---|---|---|
| BACnet (Building Automation and Control) | Enables communication between building automation and control systems for applications (for example: heating, ventilating and fire detection systems) and their associated equipment. | Used for identifying Building Management System controllers. | Yes |
| CDA (Common Data Access) | The Experion native (Honeywell proprietary) internal communication protocol. | Used to detect roles for c200, c300 Programmable Logic Controllers (PLCs). | Yes |
| DNP3 (Distributed Network Protocol) | A set of communications protocols used between components in process automation systems. | Used for identifying HMIs and Field Controllers. | Yes |
| Ethernet/IP | An industrial network protocol that adapts the Common Industrial Protocol (CIP) to standard Ethernet. | Used for detecting Rockwell components. | Yes |
| FTE (Fault Tolerant Ethernet) | The industrial control network of the Experion Process Knowledge System (PKS). Connects clusters or groups of nodes such as servers and stations, typically associated with the same process unit, and provides multiple communication paths between them so the network can tolerate all single faults and many multiple faults. | Used to collect Experion components information. | Yes |
| GOOSE (Generic Object-Oriented Substation Events) | Provides a fast and reliable mechanism for transferring event data over entire electrical substation networks. Ensures the same event message is received by multiple physical devices using multicast or broadcast services. | Used to detect sub-station controllers. | Yes |
| ICCP (Inter-Control Center Communications Protocol) | Provides data exchange over WANs between utility control centers, utilities, power pools, regional control centers, and Non-Utility Generators. | Used to detect control centers. | Yes |
| IEC104 | The IEC 60870 set of standards define systems used for telecontrol (supervisory control and data acquisition) in electrical engineering and power system automation applications. IEC 60870-5-101/102/103/104 are companion standards generated for basic telecontrol tasks, transmission of integrated totals, data exchange from protection equipment & network access of IEC101 respectively. | Used in the electronics industry, generic. | Yes |
| MDLC (Motorola Data Link Communications) | Data communications protocol designed for shared two-way radio communication circuits. MDLC allows multiple logical communication channels per communication medium, allowing for simultaneous Host-to-RTU (Remote Terminal Unit), RTU-to-Host, and RTU-to-RTU data sessions. Used in oil & gas, water utilities, power utilities or geographically distributed systems. | Used to detect Motorola controllers. | Partial |
| MMS (Manufacturing Message Specification) | An international standard (ISO 9506) for messaging systems transferring real time process data and supervisory control information between networked devices or computer applications. | Generic (common in ABB). | Yes |
| Modbus TCP | Modbus is a serial communications protocol that enables communication among many devices connected to the same network. | Used for identifying the asset type: if the source port is 502, the type is Field Controller (for example, PLC); if the destination port is 502, the type is HMI (Human Machine Interface). Also used to collect additional parameters from the responder. | Yes |
| OPC-DA (OPC Data Access) | A group of client-server standards that provide specifications for communicating real-time data from data acquisition devices such as PLCs to display and interface devices like Human-Machine Interfaces (HMI), SCADA systems, and ERP/MES systems. The specifications focus on the continuous communication of data. | Used to detect OPC servers. | Yes |
| PROFINET IO (Process Field Net) | An industry technical standard for data communication over Industrial Ethernet, designed for collecting data from, and controlling, equipment in industrial systems. | Used to detect Fieldbus devices. | Yes |
| S7COMM (based on COTP and TPKT) | A Siemens proprietary protocol that runs between programmable logic controllers (PLCs) of the Siemens S7-300/400 family. Used for PLC programming, exchanging data between PLCs, accessing PLC data from SCADA systems and diagnostic purposes. | Used to identify Field Controllers (PLCs) and Engineering Stations. The S7COMM data comes as payload of COTP data packets. If the destination port is 102, the asset is an Engineering Station; if the source port is 102, the asset type is Field Controller (PLC). | Yes |
| Synchrophasor | A phasor measurement unit (PMU) is a device used to estimate the magnitude and phase angle (synchrophasor) of an electrical phasor quantity (such as voltage or current) in an electricity grid. | Used to identify PMUs and PDCs. | Yes |
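The port-direction rules in the Modbus TCP and S7COMM rows can be exercised on raw frames. The following Python sketch is an added example, not AssetPD code: the function names, the constructed sample frames and the payload checks (MBAP protocol identifier, TPKT/COTP/S7comm header bytes, one Modbus ADU per segment) are assumptions made here so that a port number alone does not classify an asset.

```python
import socket
import struct

MODBUS_PORT, S7_PORT = 502, 102  # ports named in the Modbus TCP and S7COMM rows

def build_frame(src_mac, src_ip, dst_ip, sport, dport, payload):
    """Constructed sample data: minimal Ethernet/IPv4/TCP frame, checksums zeroed."""
    eth = b"\xff" * 6 + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload

def parse_frame(frame):
    """Return (src_mac, src_ip, sport, dport, payload), or None unless IPv4/TCP."""
    if len(frame) < 14:
        return None
    off, ethertype = 14, struct.unpack("!H", frame[12:14])[0]
    if ethertype == 0x8100 and len(frame) >= 18:  # skip one 802.1Q VLAN tag
        off, ethertype = 18, struct.unpack("!H", frame[16:18])[0]
    if ethertype != 0x0800 or len(frame) < off + 20:
        return None
    ihl = (frame[off] & 0x0F) * 4
    tcp = off + ihl
    if frame[off] >> 4 != 4 or ihl < 20 or frame[off + 9] != 6 or len(frame) < tcp + 20:
        return None
    total_len = struct.unpack("!H", frame[off + 2:off + 4])[0]
    sport, dport = struct.unpack("!HH", frame[tcp:tcp + 4])
    data_off = (frame[tcp + 12] >> 4) * 4
    if data_off < 20:
        return None
    payload = frame[tcp + data_off:off + total_len]  # honours IP length, drops padding
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    return src_mac, socket.inet_ntoa(frame[off + 12:off + 16]), sport, dport, payload

def modbus_unit_id(payload):
    """Unit identifier from the MBAP header, or None if this is not one Modbus TCP ADU."""
    if len(payload) < 8:
        return None
    _tid, proto, length, unit = struct.unpack("!HHHB", payload[:7])
    return unit if proto == 0 and length == len(payload) - 6 else None

def is_s7comm(payload):
    """True for TPKT v3 + COTP DT TPDU whose user data starts with S7comm id 0x32."""
    if len(payload) < 8 or payload[0] != 3 or payload[5] != 0xF0:
        return False
    tpkt_len = struct.unpack("!H", payload[2:4])[0]
    s7_start = 4 + 1 + payload[4]  # TPKT header + COTP length byte + COTP header
    return s7_start < tpkt_len <= len(payload) and payload[s7_start] == 0x32

def classify(sport, dport, payload):
    """Port-direction rules from the table, applied to the packet's sender."""
    if MODBUS_PORT in (sport, dport):
        unit = modbus_unit_id(payload)
        if unit is None:
            return None
        # Only the responder (source port 502) keeps the unit identifier.
        return ("Field Controller", {"modbus_unit_id": unit}) if sport == MODBUS_PORT else ("HMI", {})
    if S7_PORT in (sport, dport) and is_s7comm(payload):
        return ("Field Controller" if sport == S7_PORT else "Engineering Station"), {}
    return None

def discover(frames):
    """Build {source IP: asset record}; only the sender of each packet is recorded."""
    assets = {}
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src_mac, src_ip, sport, dport, payload = parsed
        verdict = classify(sport, dport, payload)
        if verdict is None:
            continue
        asset = assets.setdefault(src_ip, {"mac": src_mac, "type": verdict[0], "extra": {}})
        asset["extra"].update(verdict[1])
    return assets

# Constructed payloads: Modbus read request/response for unit 0x11, S7comm setup job.
MODBUS_REQ = bytes.fromhex("000100000006" "11" "03006b0003")
MODBUS_RESP = bytes.fromhex("000100000009" "11" "0306022b00000064")
S7_SETUP = bytes.fromhex("03000019" "02f080" "32010000000000080000" "f0000001000101e0")
SAMPLE_FRAMES = [
    build_frame("00:11:22:33:44:55", "10.0.0.5", "10.0.0.10", 49152, 502, MODBUS_REQ),
    build_frame("00:80:f4:00:00:0a", "10.0.0.10", "10.0.0.5", 502, 49152, MODBUS_RESP),
    build_frame("00:11:22:33:44:66", "10.0.0.20", "10.0.0.30", 49200, 102, S7_SETUP),
    build_frame("00:11:22:33:44:77", "10.0.0.99", "10.0.0.10", 49300, 502, b"GET / HTTP/1.1\r\n\r\n"),
]
for ip, asset in discover(SAMPLE_FRAMES).items():
    print(ip, asset)
```

The last sample frame uses port 502 but carries no valid MBAP header, so it produces no asset record; a classifier that trusts the port alone would have labelled that sender an HMI.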

A.4 Database

| Protocol | Description | Notes | Supported? |
|---|---|---|---|
| TDS (Tabular Data Stream) | An application layer protocol used to transfer data between a database server and a client. | Used to detect MSSQL servers. | Yes |
| TNS (Transparent Network Substrate) | Supports homogeneous peer-to-peer connectivity on top of other networking technologies such as TCP/IP, SDP, and named pipes. TNS operates mainly for connection to Oracle databases. | Used to detect Oracle servers (DB). | Yes |
| MySQL Protocol | Protocol used between MySQL Clients and Servers. | Used for identifying MySQL database clients and servers. | Yes |

A.5 Network file sharing protocol

| Protocol | Description | Notes | Supported? |
|---|---|---|---|
| SMB (Server Message Block) | An application-layer network protocol used for providing shared access to files, printers, and serial ports, and miscellaneous communications between nodes on a network. It also provides an authenticated inter-process communication mechanism. | Generic protocol for Windows naming and file shares. | Yes |

A.6 IT

| Protocol | Description | Notes | Supported? |
|---|---|---|---|
| DCE/RPC (Distributed Computing Environment / Remote Procedure Calls) | DCE/RPC is a specification for a remote procedure call mechanism that defines both APIs and an over-the-network protocol. | Supporting protocols for OPC-DA. | Yes |

A.7 Routing protocol

| Protocol | Description | Notes | Supported? |
|---|---|---|---|
| RIP (Routing Information Protocol) | A distance-vector routing protocol employing the hop count as a routing metric. Prevents routing loops by implementing a limit on the number of hops allowed in a path from source to destination. | Used for identifying routers. | Yes |
| IGRP (Interior Gateway Routing Protocol) | A distance vector interior gateway protocol (IGP), used by routers to exchange routing data within an autonomous system. Developed by Cisco, IGRP is a proprietary protocol. | Used for identifying routers. | Yes |
| OSPF (Open Shortest Path First) | A routing protocol for IP networks. It uses a link state routing (LSR) algorithm and falls into the group of interior gateway protocols (IGPs), operating within a single autonomous system (AS). | Used for identifying routers. | Yes |

A.8 Discovery protocol

| Protocol | Description | Notes | Supported? |
|---|---|---|---|
| CDP (Cisco Discovery Protocol) | A proprietary Data Link Layer protocol developed by Cisco Systems, used to share information about other directly connected Cisco equipment, such as the operating system version and IP address. | Used for identifying switches. | Yes |
| LLDP (Link Layer Discovery Protocol) | A vendor-neutral link layer protocol in the Internet Protocol Suite used by network devices for advertising their identity, capabilities, and neighbors on an IEEE 802 local area network, principally wired Ethernet. | Used for identifying switches. | Yes |
| ISDP (Industry Standard Discovery Protocol) | A proprietary Layer 2 network protocol that interoperates with Cisco devices running the Cisco Discovery Protocol (CDP). ISDP is used to share information between neighboring devices. The switch software participates in the CDP protocol and can both discover and be discovered by other CDP-supporting devices. | Used for identifying switches. | No |

A.9 Communication Protocol

| Protocol | Description | Notes | Supported? |
|---|---|---|---|
| SNMP (Simple Network Management Protocol) | An Internet Standard protocol for collecting and organizing information about managed devices on IP networks and for modifying that information to change device behavior. Devices that typically support SNMP include cable modems, routers, switches, servers, workstations, printers, and more. | Network appliance detection and attributes. | Yes |

B Possible AssetPD values

In the AssetPD asset repository, assets can be classified as one of the following values:

• Host

• HMI (Human Machine Interface)

• Field Controller

• RTU (Remote terminal unit)

• PLC (Programmable Logic Controller)

• PMU (Phasor Measurement Unit)

• Control Center Server

• Domain Controller

• DNS Server

• Time Server

• Engineering Station

• Switch

• Router

• SCADA Gateway

• Security Appliance

• Source – The sniffer name or source it came from.

• Hostname – The machine hostname if any.

• Group – The Workgroup/Domain name which the asset belongs to.

• OS – The operating system name.

• MAC address – The physical address of the asset.

• Manufacturer Name – The manufacturer name (vendor name).

• IP – The IP address of the asset. Only IPv4 is supported.

• Addr5, Addr6, Addr7 – 3 parameters that hold values like the unit identifier in Modbus, related to SCADA protocols.

• Hops – Number of hops from the router.

• VLAN ID – The VLAN ID to which the asset belongs.

• DNS names – List of DNS names related to the asset.

• Services – Contains a list of identified ports that the asset uses. These ports indicate which services the asset runs; for example, FTP (21), Telnet (23), SNMP (161), etc.

• Additional parameters map – Contains key/value pairs of additional information on the asset, such as information about the PLCs, sensors, SCADA info, vendor names, and product codes.

• Last updated – The time of the last update of the asset.

• Last Seen – The last time the asset was “seen” (packets were received from this asset) on the network.

C Configuring AssetPD to work from a virtual machine

This appendix provides instructions for connecting and enabling a virtual machine (VM) under an ESXi platform to capture network traffic in promiscuous mode; that is, capturing Ethernet frames addressed to different destinations, such as traffic from a mirror/SPAN port in an Ethernet switch.

C.1 Requirements

The prerequisites for the AssetPD configuration are:

• Source of network traffic to analyze in promiscuous mode (SPAN/mirror port in a switch).

• Administrator access to an ESXi server with at least one available and unused physical NIC.

• The network analyzer/sniffer Virtual Machine.

C.2 Configuration process

To configure the AssetPD to work from a virtual machine:

1. Connect the SPAN/mirror port in the Ethernet switch directly to an available physical NIC in the ESXi server.

2. Log on to the ESXi configuration management using the vSphere client with an account that has administrator permissions.

3. In the vSphere management tree, select the server that hosts the AssetPD virtual machine.

4. Go to the Configuration tab and from the Hardware menu on the left click Networking.

5. Click Add Networking… to open the Add Networking wizard.

6. In the Connections Type wizard page, select the option Virtual Machine.

7. In the Network Access wizard page, select which physical NIC to connect to the SPAN/mirror port. While the choice shown below is vmnic1, you can select another value in other setups.

Figure 6-6: Connection Type wizard page

8. In the Connection Settings wizard page, give the newly created network a meaningful name, and do not select a VLAN ID.

9. Click Next and Finish to complete the wizard.

A new vSwitch is now displayed in the Networking window.

10. Click the Properties… link as shown below.

11. In the vSwitch tab, go to the Ports tab.

12. Select the vSwitch configuration and click Edit.

13. In the new Properties dialog box that now appears, under the Security tab, select the option Accept for the Promiscuous mode policy exception.

Figure 6-7: Network Access wizard page

Figure 6-8: Switch properties

14. Click OK to close the dialog box.

15. Repeat steps 12 to 14 for the option Sniffer Network in the Properties window.

16. In the vSwitch Properties dialog box, ensure that the option Promiscuous Mode is enabled in both configuration items and close the dialog box.

17. Ensure that the network sniffer virtual machine is stopped.

18. Right-click this virtual machine and from the menu that opens click Edit Settings…

19. In the Virtual Machine Properties dialog box, go to the Hardware tab and click Add…

20. Select the option Ethernet Adapter and click Next.

21. Under the Network Connection section, select the label of the network you have just created and click Next.

Figure 6-9: Virtual machine Hardware tab

22. Check your settings and click Finish.

23. In the Virtual Machine Properties dialog box, click OK to save the new settings and close the dialog box.

Figure 6-11: Selecting a network label

CS-HFCPE603en-1911A November 2019 © 2019 Honeywell International Sàrl

Honeywell Process Solutions

1250 W Sam Houston Pkwy S #150, Houston, TX 77042

Honeywell House, Skimped Hill Lane, Bracknell, Berkshire, RG12 1EB

Building #1, 555 Huanke Road, Zhangjiang Hi-Tech Park, Pudong New Area, Shanghai, China 201203

www.honeywellprocess.com