Identify IoT and OT devices with runZero

IoT and OT devices are managed differently from laptops and servers. This article addresses how you can identify IoT and OT devices and protect them from possible hacking.

runZero IT-IoT and OT devices in network
On this page Kappa Data informs you how to identify and protect IoT and OT devices.

What is IoT and OT?

IoT (Internet of Things) has been a buzzword for years. You can't open an ICT-related website without reading something about it.

Why would that be?

Every "thing" is connected. In home environments we think of dishwashers and refrigerators. These things exist in business networks too, supplemented with radios, coffee machines, etc. They need to be connected to report to the supplier or to receive functional information from the internet in order to work (such as an internet radio). This is not production related and is categorized as "shadow IT".

On the other hand, we have OT networks (Operational Technology). These are more specific and almost always production-related assets, meaning that they are required to make production work. A well-known example would be a PLC, but it could just as well be a CT scanner in a hospital. Most of the time we know that it's there, but we forget about the subparts, such as a sensor that a supplier installs for remote follow-up.
IoT assets in the network

How is this a threat?

Both IoT and OT systems can be a potential danger for a network. Unpatched and unsecured systems can give hackers access to the network and allow them to use the compromised system as a jumping-off point. Some of these assets are cloud-manageable out of the box and ship with default passwords. These could potentially be a backdoor into any network.
 

Yeah yeah, not for me!

 
You might think this is a bit exaggerated. Maybe… At least, if you hold this opinion, it must mean that you know exactly which assets are active in your network. Maybe you once did a discovery scan and the company has a policy in place not to connect any kind of unmanaged system. But people come and go, and people are creative in finding solutions for their problems.

Think about that discovery you once did. It is a snapshot of that moment. No visitor, test machine or machine that was turned off at that time will be on that list. Your inventory is incomplete and potentially outdated after one day.

How are you able to protect a network if you don't have an accurate inventory of all assets in your network?


What does Kappa Data offer?

 

runZero is a vendor that delivers complete visibility of all devices connected to your networks, whether they're IT, IoT or OT devices. runZero does asset discovery in an unauthenticated way, like a hacker does. This piece of software is placed in the networks and works agentless and credentialless.
runZero delivers 3 types of scanning:
  • API integration with existing EDR solutions and vulnerability scanners
  • Passive discovery
  • Active discovery

API-Integration

Endpoint Detection and Response (EDR) is often used on endpoints like workstations, laptops or servers and already provides discovery of activity on these endpoints. The most common EDR solutions are CrowdStrike, SentinelOne and Sophos. All of these solutions are agent-based, so they cover only a limited number of devices.

The same API integration can be used to ingest telemetry from other vulnerability scanners, as well as from the mobile devices of users who work remotely, by integrating telemetry from Microsoft Intune or others.

Passive Discovery

Passive discovery is used by many vulnerability scanners today and listens to the network traffic at that moment. This type of discovery lets you see the communication between devices during the scan.

But what if devices are not sending any packets at the moment of the scan?

That's the problem with using only a passive scan. IoT and OT devices don't send packets over the network when they are not in use. In other words, passive discovery doesn't offer complete visibility of all devices in the network.

Active Scanning

Active scanning with runZero can be performed safely in any type of network or organization. runZero's algorithms not only listen to the current network traffic, but also ask questions of every type of device and deliver a complete overview of all attributes and services bound to the device.

With runZero's active scanning we see safe scans in both industrial and IT environments, and also discover more than 25% more assets than expected.

Active Scanning with runZero provides you a complete visibility of your attack surface

 

After identification comes protection?

 

Yes, now that you know what to protect, you can start drawing your segmentation plan. The first thing to do in order to protect OT networks is to put them in a separate, isolated network. You can read more about this in our article on NAC. Unfortunately, most OT systems do not have the ability to run some kind of protection agent. By putting them in an isolated VLAN, they cannot be accessed from outside the production network.

But is this enough?

The answer is always "it depends", but in security it can never be enough, it can only be too expensive. What we need is an affordable solution that is flexible enough to adapt to any kind of network. The problem with the segmentation example above is that one asset is still capable of infecting another, while, let's be honest, they don't need to contact each other, only the server or engineering station.

The solution to this is hyper-segmentation or micro-segmentation.
Kappa Data offers this together with Extreme Networks' Fabric solution. This makes it possible to add an extra isolation layer on top of a VLAN and decide who can access what. For example, the PLC can contact the engineering workstation but nothing else. Another PLC can do the same, but the two PLCs can't contact each other, even though they are in the same VLAN. This is a very cost-effective solution that is relatively easy to integrate into any existing network, using Extreme Networks Fabric switches (also known as VOSS).
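To make the difference between plain VLAN isolation and role-based micro-segmentation concrete, here is an added example in Python. It is not Extreme Fabric's or runZero's code: the asset names, roles, VLAN ids, ports and the allow-list are constructed assumptions. The VLAN-only check lets the two PLCs talk because they share a VLAN; the micro-segmentation policy is default-deny and only permits the role pairs on the allow-list, so PLC-to-PLC traffic is blocked while PLC-to-engineering-workstation traffic is not.

```python
# Added example: VLAN-only isolation versus role-based micro-segmentation.
# All assets, roles, VLANs, ports and rules below are constructed for
# illustration; this is not vendor code or a vendor policy format.
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    role: str   # constructed role label, e.g. "plc" or "eng_ws"
    vlan: int


# Constructed inventory: two PLCs and the engineering workstation share VLAN 20,
# an office PC sits in VLAN 10.
INVENTORY = {
    "plc-01": Asset("plc-01", "plc", 20),
    "plc-02": Asset("plc-02", "plc", 20),
    "eng-ws": Asset("eng-ws", "eng_ws", 20),
    "historian": Asset("historian", "historian", 20),
    "office-pc": Asset("office-pc", "workstation", 10),
}

# Constructed allow-list keyed on (source role, destination role); the value is
# the set of TCP ports that pair may use. Any pair/port not listed is denied.
POLICY = {
    ("eng_ws", "plc"): {102, 44818},     # engineering station programs the PLCs
    ("plc", "eng_ws"): {102, 44818},
    ("plc", "historian"): {4840},        # PLC pushes data to the historian
}


def vlan_only_allows(src: str, dst: str) -> bool:
    """Plain VLAN isolation: anything inside the same VLAN may talk."""
    return INVENTORY[src].vlan == INVENTORY[dst].vlan


def policy_allows(src: str, dst: str, port: int) -> bool:
    """Micro-segmentation on top of the VLAN: default deny, role-pair allow-list."""
    if not vlan_only_allows(src, dst):
        return False          # the VLAN boundary still applies
    a, b = INVENTORY[src], INVENTORY[dst]
    return port in POLICY.get((a.role, b.role), set())


def compare(src: str, dst: str, port: int) -> dict:
    """Show both decisions side by side for one would-be connection."""
    return {
        "flow": f"{src} -> {dst}:{port}",
        "vlan_only": vlan_only_allows(src, dst),
        "micro_seg": policy_allows(src, dst, port),
    }


if __name__ == "__main__":
    for case in [("plc-01", "plc-02", 102),    # same VLAN, no role rule
                 ("eng-ws", "plc-01", 102),    # allowed by policy
                 ("eng-ws", "plc-01", 80),     # right roles, wrong port
                 ("office-pc", "plc-01", 102)]:  # different VLAN
        print(compare(*case))
```

The point of the side-by-side output is that `vlan_only` is `True` for the PLC-to-PLC case while `micro_seg` is `False`: the VLAN alone gives lateral movement between PLCs, the role allow-list does not. In a real deployment the allow-list would be derived from the discovered inventory (which devices exist and which services they expose), which is why the inventory step comes first.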


Another way to protect an asset is to keep it up to date. Firmware and OS upgrades and updates should be applied on a regular basis, and with high priority when needed. But priorities are network dependent, which causes challenges in larger environments. The product VIPR from the vendor Armis is able to identify and prioritize the vulnerabilities unique to each network. This assists engineers in updating their assets in the correct order. This way you can achieve fast and effective protection in a minimum of time. Whenever CVEs are published, they appear in the portal and are taken into account.
 

What if there still is an attack?

 

Although a network can be highly secured, you know that an attack is never far away. In regular IT networks we already have lots of detection tools in place, such as XDR, NDR, SIEM and other effective tools. Since this article is about OT, we will put a spotlight on Armis again.
 
Earlier, you read that Armis builds the Purdue model of an OT network and is able to identify traffic layers. It is a rule within these networks that a device may only talk to devices in the layer just above or just below its own. If a flow skips a layer and jumps one further, this could indicate a breach.

This and many other specific attacks can be identified by Armis Centric.
In Armis you can build policies for how to deal with certain situations, in this case a potential breach detection. Armis itself will not take direct action but will notify someone or something, among other means by the use of webhooks and APIs.
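The layer-skipping rule above is simple enough to show as detection logic. The following is an added example written for this page, not Armis's detection code or policy format: the Purdue-level assignment, the flow records and the webhook body are all constructed. A flow is flagged when the two endpoints are more than one Purdue level apart; a flow with an endpoint that is not in the inventory at all is flagged too, since an unknown device talking to a PLC is exactly the case the inventory step is meant to catch. The notification is built as a JSON payload but, being an offline example, not posted anywhere.

```python
# Added example: flag flows that skip a Purdue level, plus flows involving an
# asset that is not in the inventory. Levels, assets, flows and the payload
# shape are constructed assumptions, not Armis's model or API.
import json
from dataclasses import dataclass

# Constructed Purdue-level assignment per asset.
PURDUE_LEVEL = {
    "sensor-7":  0,   # field device
    "plc-01":    1,   # basic control
    "hmi-01":    2,   # supervisory control
    "historian": 3,   # site operations
    "erp-app":   4,   # enterprise
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def classify(flow: Flow):
    """Return None for an expected flow, or a reason string for an alert."""
    if flow.src not in PURDUE_LEVEL or flow.dst not in PURDUE_LEVEL:
        return "unknown asset"               # device missing from the inventory
    jump = abs(PURDUE_LEVEL[flow.src] - PURDUE_LEVEL[flow.dst])
    if jump > 1:
        return f"skips {jump - 1} Purdue level(s)"
    return None                              # same, adjacent-up or adjacent-down layer


def suspicious_flows(flows):
    """Run the rule over a batch of flows; returns (flow, reason) pairs."""
    return [(f, r) for f in flows if (r := classify(f)) is not None]


def webhook_payload(flow: Flow, reason: str) -> dict:
    """Constructed notification body a policy action could post to a webhook."""
    return {
        "event": "purdue_violation",
        "src": flow.src,
        "dst": flow.dst,
        "dport": flow.dport,
        "src_level": PURDUE_LEVEL.get(flow.src),   # None when the asset is unknown
        "dst_level": PURDUE_LEVEL.get(flow.dst),
        "reason": reason,
    }


# Constructed flow log (source, destination, destination port).
FLOWS = [
    Flow("hmi-01", "plc-01", 102),        # 2 -> 1: expected
    Flow("plc-01", "sensor-7", 502),      # 1 -> 0: expected
    Flow("historian", "hmi-01", 4840),    # 3 -> 2: expected
    Flow("erp-app", "plc-01", 102),       # 4 -> 1: enterprise host reaching a PLC
    Flow("plc-01", "erp-app", 443),       # 1 -> 4: PLC reaching out to enterprise
    Flow("rogue-ap", "plc-01", 22),       # endpoint not in the inventory
]

if __name__ == "__main__":
    for flow, reason in suspicious_flows(FLOWS):
        print(json.dumps(webhook_payload(flow, reason)))
```

Two of the three alerts come from the same pair of hosts in opposite directions, which is worth keeping: the PLC initiating a session towards the enterprise layer is a different signal from the enterprise host reaching down, even though both skip the same number of levels. The rule is deliberately the page's simplification; real OT networks have sanctioned exceptions (a jump host, a data diode), and those belong in the inventory as explicit allow entries rather than as reasons to loosen the rule.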


Why would you consider IoT and OT protection?

 

There are two basic rules here:

  • Assets can be used as a jump host to attack the internal network.
  • OT networks are at the heart of your production network. You don't want them to be attacked.
And remember: you probably don't know all the devices that are connected to your network.

Frequently asked questions

Check our FAQ section where you can find the first questions that have been asked to us during the last months.

  • What challenges do organizations face in managing and securing IoT and OT devices?

    Organizations face several challenges in managing and securing IoT and OT devices, including:

    • Visibility: Difficulty in identifying all devices connected to the network due to the sheer number and variety of devices.
    • Diverse protocols: IoT and OT devices often use various protocols that are not standardized.
    • Legacy systems: Many OT devices are legacy systems that were not designed with security in mind.
    • Limited control: Difficulty in applying traditional security measures to devices that cannot be easily managed or updated.
    • Vulnerabilities: Increased risk of vulnerabilities due to lack of regular updates and patches.
  • What are the benefits of using runZero for a network with many IoT and OT devices?

    Using runZero in a network with many IoT (Internet of Things) and OT (Operational Technology) devices offers substantial benefits, especially in environments where visibility, manageability, and security of these devices are challenging. IoT and OT networks often contain unmanaged, legacy, or proprietary devices that are difficult to monitor with traditional IT tools—runZero fills that visibility and security gap.

  • How does runZero help in identifying IoT and OT devices on a network?

    runZero helps organizations identify IoT (Internet of Things) and OT (Operational Technology) devices on a network by using agentless, active scanning and network fingerprinting techniques that uncover assets traditional tools often miss. These capabilities are crucial in environments where IoT/OT devices are common but difficult to manage, such as manufacturing, healthcare, energy, and critical infrastructure.

  • How can runZero improve security for IoT and OT devices that are difficult to manage?

    runZero can significantly improve security for IoT (Internet of Things) and OT (Operational Technology) devices that are often difficult to manage due to limited interfaces, lack of agent support, or outdated firmware.

Contact us for a demo

Are you curious to learn whether our solutions can help you discover the assets in your network and protect them? Contact us for a demo.
