Scanning IoT and OT

Can I safely scan my IoT or OT environments?

Some organizations have IoT or OT equipment that is sensitive to high traffic rates or malformed packets and that may have experienced issues with other scanning tools in the past, resulting in a “don’t scan” rule being put in effect.

runZero is different and should be able to scan safely in these environments. runZero provides a lightweight active scan engine called an Explorer that can be deployed almost anywhere. Since the scan is active, no tap or SPAN ports need to be configured and no device-level agents need to be installed, so you don’t have to modify your environment.

The runZero Explorer was built with sensitive OT environments in mind. It is not based on any other commercial or open source tool such as nmap or masscan. The Explorer only sends well-formed traffic, nothing malformed that might crash a fragile system. The controls in place include:

  • packets-per-second scan rates with sensible default values:
    • 1000 packets per second for overall maximum scan rate (adjustable; scan traffic is balanced across all hosts in the scan range)
    • 40 packets per second for per-host maximum scan rate (adjustable)
  • IP and TCP port exclusions
  • UDP service probes can be enabled or disabled individually
  • The scan balances SYNs and ACKs and watches for port consumption issues on both the client and the target
  • Configurable max group size that limits the number of targets runZero scans at once, which corresponds to the number of connections that stateful devices such as firewalls or routers receive
  • Only those TCP and UDP ports that provide actionable intelligence for fingerprinting a device are checked, not all 65535. This list is adjustable in case specialized equipment runs on a non-standard port (see the Port List).
  • Per-port and per-protocol considerations engineered to avoid issues. For example, sending characters to port 9100 on a printer could print “garbage”. runZero will collect a banner from ports such as these but never actively probes them.
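To make the interaction between these controls concrete, the following is an added example written for this page, not runZero's Explorer code. It models a pacer that applies IP and port exclusions, scans hosts in groups of a bounded size, and holds both a global and a per-host packets-per-second ceiling, then measures the peak rate any single device would actually see. The two pps defaults (1000 overall, 40 per host) are the values quoted above; the group size, the `ScanPolicy`/`schedule`/`peak_rates` names, and the sample 10.0.0.0/28 range with its excluded host and port are constructed for illustration. Nothing is sent on the network; the output is a timetable.

```python
from dataclasses import dataclass
from collections import defaultdict
import ipaddress

MICROS = 1_000_000  # schedule in integer microseconds to avoid float drift


@dataclass
class ScanPolicy:
    """Pacing controls modelled on the list above. Only the two pps defaults
    come from the page; the group size and the exclusions are constructed."""
    max_pps: int = 1000              # overall ceiling (page default)
    max_host_pps: int = 40           # per-host ceiling (page default)
    max_group_size: int = 16         # hosts in flight at once (assumed value)
    exclude_ips: tuple = ()          # CIDR strings, e.g. a known-fragile PLC
    exclude_ports: frozenset = frozenset()


def expand_targets(cidrs, ports, policy):
    """Return (host, port) pairs with excluded hosts and ports dropped."""
    excluded = [ipaddress.ip_network(n) for n in policy.exclude_ips]
    pairs = []
    for cidr in cidrs:
        for host in ipaddress.ip_network(cidr).hosts():
            if any(host in net for net in excluded):
                continue
            for port in ports:
                if port not in policy.exclude_ports:
                    pairs.append((str(host), port))
    return pairs


def schedule(cidrs, ports, policy=ScanPolicy()):
    """Greedy pacer: probes go round-robin across a group of at most
    max_group_size hosts; each send time is the later of the global and that
    host's next-allowed slot, so neither ceiling is ever exceeded. The next
    group only starts once the previous one has been fully scheduled.
    Returns [(t_micros, host, port), ...] in send order."""
    global_gap = MICROS // policy.max_pps
    host_gap = MICROS // policy.max_host_pps
    by_host = defaultdict(list)
    for host, port in expand_targets(cidrs, ports, policy):
        by_host[host].append(port)
    hosts = list(by_host)

    plan = []
    global_next = 0
    for g in range(0, len(hosts), policy.max_group_size):
        group = hosts[g:g + policy.max_group_size]
        host_next = {h: 0 for h in group}
        rounds = max(len(by_host[h]) for h in group)
        for r in range(rounds):
            for h in group:
                if r >= len(by_host[h]):
                    continue
                t = max(global_next, host_next[h])
                plan.append((t, h, by_host[h][r]))
                global_next = t + global_gap
                host_next[h] = t + host_gap
    return plan


def _peak_in_window(times, window=MICROS):
    """Largest number of sends in any half-open window of the given length."""
    times = sorted(times)
    best = j = 0
    for i, t in enumerate(times):
        while j < len(times) and times[j] < t + window:
            j += 1
        best = max(best, j - i)
    return best


def peak_rates(plan):
    """(peak overall pps, {host: peak pps}) over one-second windows: the
    numbers to compare against the policy before trusting a pacer near
    fragile equipment."""
    per_host = defaultdict(list)
    for t, host, _ in plan:
        per_host[host].append(t)
    return (_peak_in_window([t for t, _, _ in plan]),
            {h: _peak_in_window(ts) for h, ts in per_host.items()})


if __name__ == "__main__":
    # Constructed sample: a /28 with one excluded controller and telnet excluded.
    policy = ScanPolicy(exclude_ips=("10.0.0.9/32",), exclude_ports=frozenset({23}))
    plan = schedule(["10.0.0.0/28"], list(range(1, 51)), policy)
    peak_all, peak_hosts = peak_rates(plan)
    print(f"{len(plan)} probes over {plan[-1][0] / MICROS:.3f} s; "
          f"peak {peak_all} pps overall, {max(peak_hosts.values())} pps per host")
```

With 13 hosts in the sample the per-host ceiling, not the overall one, is what stretches the scan out: the aggregate rate settles at 13 × 40 = 520 pps, well under the 1000 pps global cap, and every host sees at most 40 packets in any one-second window. Lowering `max_host_pps` or `max_group_size` is the lever to pull for a device that is known to be fragile, while the exclusion lists keep it, or a port like 9100, out of the plan entirely.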

Some of the OT/ICS vendors that runZero can fingerprint upon discovery include:

  • Allen-Bradley
  • BARIX
  • Cisco
  • Control Solutions
  • Control Techniques
  • GE
  • GENEREX
  • GLC Controls
  • Lantronix
  • Linor Koda
  • Mitsubishi
  • Moxa
  • PLC
  • Pressac
  • Rittal
  • Rockwell
  • Schneider Electric
  • Siemens

Many organizations opt to deploy the Explorer to the same system that runs their vulnerability scans since there may already be allow-lists, full network connectivity, and considerations made for session table capacity on any session-aware middle boxes such as firewalls, proxies, or small routers. It may also be advisable to deploy additional Explorers at remote sites to gather additional detail and avoid altogether any need to consider middle boxes.
