ICS SHIELD R 500.1 Active Asset Discovery ESP User Guide CS-ICSE602en-500A February 2019


DISCLAIMER

This document contains Honeywell proprietary information. Information contained herein is to be used solely for the purpose submitted, and no part of this document or its contents shall be reproduced, published, or disclosed to a third party without the express permission of Honeywell International Sàrl.

While this information is presented in good faith and believed to be accurate, Honeywell disclaims the implied warranties of merchantability and fitness for a purpose and makes no express warranties except as may be stated in its written agreement with and for its customer.

In no event is Honeywell liable to anyone for any direct, special, or consequential damages. The information and specifications in this document are subject to change without notice.

Copyright 2019 – Honeywell International Sàrl


Notices

Trademarks

Experion®, PlantScape®, SafeBrowse®, TotalPlant®, and TDC 3000® are registered trademarks of Honeywell International, Inc.

ControlEdge™ is a trademark of Honeywell International, Inc.

OneWireless™ is a trademark of Honeywell International, Inc.

Matrikon® and MatrikonOPC™ are trademarks of Matrikon International. Matrikon International is a business unit of Honeywell International, Inc.

Movilizer® is a registered trademark of Movilizer GmbH. Movilizer GmbH is a business unit of Honeywell International, Inc.

Other trademarks

Microsoft and SQL Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

Trademarks that appear in this document are used only to the benefit of the trademark owner, with no intention of trademark infringement.

Third-party licenses

This product may contain or be derived from materials, including software, of third parties. The third party materials may be subject to licenses, notices, restrictions and obligations imposed by the licensor.

The licenses, notices, restrictions and obligations, if any, may be found in the materials accompanying the product, in the documents or files accompanying such third party materials, in a file named third_party_licenses on the media containing the product, or at http://www.honeywell.com/ps/thirdpartylicenses.

Documentation feedback

You can find the most up-to-date documents on the Honeywell Process Solutions support website at:

http://www.honeywellprocess.com/support

If you have comments about Honeywell Process Solutions documentation, send your feedback to:

[email protected]

Use this email address to provide feedback, or to report errors and omissions in the documentation. For immediate help with a technical problem, contact your local Honeywell Process Solutions Customer Contact Center (CCC) or Honeywell Technical Assistance Center (TAC).

How to report a security vulnerability

For the purpose of submission, a security vulnerability is defined as a software defect or weakness that can be exploited to reduce the operational or security capabilities of the software.

Honeywell investigates all reports of security vulnerabilities affecting Honeywell products and services.

To report a potential security vulnerability against any Honeywell product, please follow the instructions at:

https://honeywell.com/pages/vulnerabilityreporting.aspx

Submit the requested information to Honeywell using one of the following methods:

Send an email to [email protected].

or

Contact your local Honeywell Process Solutions Customer Contact Center (CCC) or Honeywell Technical Assistance Center (TAC) listed in the “Support” section of this document.

Support

For support, contact your local Honeywell Process Solutions Customer Contact Center (CCC). To find your local CCC visit the website, https://www.honeywellprocess.com/en-US/contact-us/customer-support-contacts/Pages/default.aspx.

Training classes

Honeywell holds technical training classes that are taught by process control systems experts. For more information about these classes, contact your Honeywell representative, or see http://www.automationcollege.com.


About this Guide

This guide describes how to configure and use the Active Asset Discovery ESP, the solution that enables the VSE to collect information about the network assets that the VSE can access.

Scope

This guide provides step-by-step instructions for configuring, distributing, and using Active Asset Discovery ESP at all levels, from the initial settings up to the deployment in the Security Center and the VSEs.

Intended audience

This guide is for people who are responsible for the configuration and operation of Active Asset Discovery ESP on the Security Center and VSEs:

• Initial Settings – Professional Services, Support, or IT personnel
• Security Center – Administrators and operators
• VSE – Administrators and operators

Prerequisite skills

This guide assumes basic knowledge of the ICS Shield R 500.1 modules relevant to the Security Center, the VSE, or both, depending on your specific role.

Related documents

The following list identifies publications that contain information relevant to the information in this document.

Document Name | Document Number
ICS Shield R500.1 - Security Center Getting Started Guide | CS-ICSE400en-500A
ICS Shield R500.1 - Virtual Security Engine – User Guide | CS-ICSE601en-500A

Revision History

Revision | Supported Release | Date | Description
A | R 500.1 | February 27, 2019 | First release of ICS Shield


Contents

1. SECURITY CONSIDERATIONS
   1.1 Physical security
   1.2 Secured zone
   1.3 Limiting access
       1.3.1 At the VSE level
       1.3.2 At the directory or file level
   1.4 Authorization measures
2. TERMS AND DEFINITIONS
3. INTRODUCTION
   3.1 Understanding the Active Asset Discovery ESP solution
   3.2 Exploring the Active Asset Discovery ESP architecture
   3.3 Basic workflow of the Active Asset Discovery ESP solution
   3.4 Requirements
4. CONFIGURING THE ACTIVE ASSET DISCOVERY ESP IN THE VSE
   4.1 Creating a new device for Active Asset Discovery ESP
   4.2 Configuring the basic parameters of the device
   4.3 Configuring the advanced parameters of the device
5. RUNNING ACTIVE ASSET DISCOVERY ESP
   5.1 Active Asset Discovery ESP output
       5.1.1 Asset Discovery Report
       5.1.2 VSE devices
   5.2 Using the ESP from the Security Center
       5.2.1 Running the ESP from the Security Center
       5.2.2 Generating the Asset Discovery Report from the Security Center
       5.2.3 Viewing the discovered assets
   5.3 Using the ESP from the VSE
       5.3.1 Running the ESP from the VSE
       5.3.2 Generating the Asset Discovery Report from the VSE
       5.3.3 Viewing the discovered assets


1. Security Considerations

This chapter outlines the security measures for Active Asset Discovery ESP.

1.1 Physical security

CAUTION
Active Asset Discovery ESP is a mission-critical component. Take all necessary physical measures to prevent attacks or disasters.

Ensure that the server where Active Asset Discovery ESP is installed is located in an approved physically secure location that is accessible only to authorized personnel.

1.2 Secured zone

Active Asset Discovery ESP contains sensitive information, the loss of which could have severe consequences. Therefore, there is a need to protect the sensitive information and prevent attacks against the product. To do that, the VSE software, as well as its related extensions, must be installed in an internally secured zone such as the site’s layer 3 network, with strict access control lists and appropriate firewall/routing rules.

Ensure that Active Asset Discovery ESP is installed in a directory that is only accessible to authorized personnel responsible for the product.

CAUTION
If Active Asset Discovery ESP is installed on one or more servers that are exposed to untrusted networks such as the Internet, protection against denial-of-service (DoS) attacks must be implemented.

1.3 Limiting access

It is highly recommended to follow regulatory, industry, and enterprise standards for limiting access to sensitive information as specified below.

1.3.1 At the VSE level

The user management at the host running the VSE must follow the principles of need to know and least privilege: only users who absolutely must have access to the computer are granted access, and these users are assigned the minimal set of permissions allowing them to perform their job.

1.3.2 At the directory or file level

Access to directories and files should also be granted in accordance with the principles of need to know and least privilege: only users who absolutely must have access to the requested directory and file are granted access, and these users are assigned the minimal set of permissions allowing them to perform their job.

Use the built-in file access audit logging of the OS to monitor unauthorized changes to sensitive files.

1.4 Authorization measures

It is strongly recommended to implement the following security measures:

• Change the default administrative password and delete/disable the default service accounts as soon as new administrative accounts are created
• Disable any default Administrator/Root user on the computer
• Disable any default Guest user on the computer
• Disable any unauthenticated access to the computer via shared directories etc.
• Ensure that the OS is up to date with the latest security patches provided by the OS vendor


2. Terms and definitions

Term | Definition
asset | Any site component that is connected to the network and is accessible from the VSE
communication server (CS) | The Communication Server provides secure communication between the Security Center and the VSEs
compliance | Whether the device meets the organization policy
corrective action | An execution profile that performs an action to correct a problem detected by other execution profiles; for example, if a monitoring profile detected a low disk space issue, a corrective action will delete obsolete and large temporary files
device | A representation of a physical or virtual server or machine in the VSE
diagnose routine (DR) | An execution profile that runs on demand when an issue is encountered, and is intended to collect in-depth diagnostic data
discovery engine | A VSE utility that represents the ICS Shield Active Discovery ESP, which detects and classifies network assets, and, optionally, adds them as devices to the VSE
Essential security policy (ESP) | Essential Security Policy: A collection of scripts related to one logical area, such as machine security status, hardware information, event logs, or storage information; these scripts can either be run on demand (Diagnose Routine or Corrective Action) or based on a predefined schedule.
execution profile | A collection of scripts related to one logical area, such as machine security status, hardware information, event logs, or storage information; these scripts can either be run on demand (Diagnose Routine or Corrective Action) or based on a predefined schedule.
HQ | Headquarters; the physical location of the Security Center
monitoring profile (MP) | An execution profile configured to run at set time intervals, such as Every day at 18:00
Nmap | A network scanning software tool used for the asset discovery
Perl | A scripting language used by execution profiles
product line | A set of actions and scripts that together instruct the VSE to perform certain procedures on devices that are defined in the VSE
Security Center (SC) | ICS Shield component that is installed at the corporate data center. The security center is composed of various software components, which enable to remotely collect, analyze, view, manage, and store data retrieved from the VSEs. This data refers to the monitored network assets and devices found at the VSE’s sites.
site | A remote physical location, such as an industrial plant, which includes one or more network environments and has at least one VSE
VSE | Virtual Security Engine; the ICS Shield component that is installed at the remote site, monitors the devices at the site, and provides additional functionalities such as remote access


3. Introduction

This chapter presents a brief introduction to the ICS Shield, the main functions of the Active Asset Discovery ESP, and requirements for running the ESP.

3.1 Understanding the Active Asset Discovery ESP solution

The Active Asset Discovery ESP enables the VSE to collect information about the network assets that the VSE can access. The ESP initiates a network scan that involves communication between the VSE and every network entity that has an IP address within a specified range. After the network assets are detected, Active Asset Discovery ESP collects information, such as operating systems and vendors, from each asset that responds, and classifies the assets based on this information. An inventory asset report that displays the discovered assets and their parameters is generated in HTML format. The network scan is activated on a scheduled basis or once a day at midnight.

Active Asset Discovery ESP is designed to meet the following needs:

• Security – fundamental to network security is the identification of all the network components. Any unknown component is a potential security breach. An automated solution verifies that all the network components are known and monitored.
• Cost Efficiency – manual inventory management can be inefficient and costly in terms of manpower and money. An automated solution reduces the cost and time involved in inventory management. There can be additional savings regarding associated licenses as well.
• Compliance and Regulations – many industrial companies must comply with government regulations and be certified by various organizations. Often the compliance policies require constant monitoring and auditing of all the machines and hardware being used in the company. An automated solution facilitates and simplifies compliance.

Active Asset Discovery ESP is distributed to the VSEs that require asset discovery, and then it is represented by a specific device in each VSE. After the device is configured, network scanning is scheduled for asset discovery.

To implement Active Asset Discovery ESP:

1. In the VSEs, locate the existing device for the Active Asset Discovery ESP, called the Discovery Engine. If this device does not exist, create and configure a specific device for Active Asset Discovery ESP.
2. Activate the Discovery Engine device to scan the network in the specified IP range.
3. View the discovered assets in the Asset Discovery Report.
4. View the discovered assets that were added as devices in the Execution Result – View window.


3.2 Exploring the Active Asset Discovery ESP architecture

The following diagram illustrates the architecture of the Active Asset Discovery ESP solution:

1. The Active Asset Discovery ESP is activated from the VSE at the remote site. It scans the network assets within the specified IP range. Assets outside of the range are not accessed; for example, Asset 7 in the above figure is outside the specified IP range.
2. In the scanning process, information about each asset is collected and the assets are classified as hosts.
3. The information is further analyzed, and the assets are reclassified more precisely; for example, in the above figure Asset 3 is reclassified as a router and Asset 4 is reclassified as a printer. However, Asset 1, Windows OS, and Asset 2, Linux OS, remain classified as hosts.
4. An asset discovery report is generated listing all the discovered assets and their classifications. This report is available from the VSE and is sent to the Security Center.
5. Types of assets that have been configured to be added as devices to the VSE can now be monitored by the VSE. In the above figure, Asset 6 has not been configured.
6. A report of the new devices is available from the VSE and is sent to the Security Center.

Figure 3-1. Active Asset Discovery ESP architecture


3.3 Basic workflow of the Active Asset Discovery ESP solution

The basic workflow of the configuration, execution, and operation of the Active Asset Discovery ESP solution is as follows:

1. Security Center
   a. Importing the Active Asset Discovery ESP
   b. Distributing the Active Asset Discovery ESP from the Security Center into the required VSEs
   For details, see the Security Center Administrator Guide.
2. VSEs
   a. Creating a specific device for the Active Asset Discovery ESP, if this device does not already exist
   b. Configuring the device used for Active Asset Discovery ESP based on the specific parameters and the required synchronization interval
3. VSEs and Security Center
   Running the Active Asset Discovery ESP, either manually or automatically, in accordance with the built-in schedule

3.4 Requirements

Before you start configuring and using the Active Asset Discovery ESP, you need to verify the following:

• ICS Shield has been installed
• The Active Asset Discovery ESP exists in the Security Center and has been distributed to the appropriate VSEs.
• If it is necessary to add the discovered assets as devices, the following product lines are distributed and present in the VSEs:
   Nextnine Linux Machine
   Nextnine Windows Machine
   Nextnine Network Device

NOTE
If these product lines are not distributed to the VSEs on which the Active Asset Discovery ESP runs, the discovered assets will not be added as devices to the VSEs. However, they will be displayed as discovered assets in the Asset Discovery Report, which is generated following a discovery run.


4. Configuring the Active Asset Discovery ESP in the VSE

A product line or ESP that is distributed to a VSE must be represented by a specific device in the VSE before it can be configured and executed.

In general, a new device must be created in the VSE for each distributed ESP. In some cases, depending on the specific ESP and your predefined configurations, specific devices might already exist in your VSE. In certain VSE configurations, the VSE already includes a device for Active Asset Discovery ESP, called the Discovery Engine. Therefore, before creating a new device for the ESP, check whether the Discovery Engine already exists in your VSE.

If it does not exist, check whether your VSE has Nmap and Perl installed because the Discovery Engine requires them, and they need to be installed before the Discovery Engine is created.

Once the device for the ESP has been created, you must configure it. The key parameter that must be set for this device is the IP range of the network scan. If necessary, include Nmap and Perl installation packages. In addition, if necessary, add login credentials for communicating with assets through protocols that require credentials.

The configuration of the Active Asset Discovery ESP consists of the following steps:

1. Verifying whether the VSE already includes a device for Active Asset Discovery ESP, called the Discovery Engine.
2. If the Discovery Engine does not exist – see section 4.1, Creating a new device for Active Asset Discovery ESP.
3. Configuring the basic parameters of the Active Asset Discovery ESP, mainly providing an IP range and the necessary communication credentials – see section 4.2, Configuring the basic parameters of the device.
4. [Optional] Configuring the advanced parameters of the Active Asset Discovery ESP – see section 4.3, Configuring the advanced parameters of the device.

After you configure the Discovery Engine according to your network specification and requirements, it will automatically start running once a day at midnight.


4.1 Creating a new device for Active Asset Discovery ESP

If you do not have a specific device for the distributed Active Asset Discovery ESP, you must define a new device by entering several values in the VSE.

To create a new device for Active Asset Discovery ESP:

1. In the VSE, go to Operations > Device Management.
2. Click New to display the New Device page.
3. In the top section of the New Device page, as shown below, define the device by setting the following values:
   • From the Product Line drop-down list – select NextNine Asset Discovery v2.
   • In the Device Address text box – enter 127.0.0.1.
   • In the Device Name text box – enter Discovery Engine or any other name.

   NOTE
   To create a device, enter the definition values in the top section of the New Device page. If a value is not specified for Device Address, an alert message appears, and the required field is highlighted in red. The new device cannot be saved without this value.

4. Click Save at the bottom of the page.

Figure 4-1. Top of New Device page


4.2 Configuring the basic parameters of the device

NOTE
The instructions below assume that the name of the Active Asset Discovery ESP device is Discovery Engine. If your Active Asset Discovery ESP device has a different name, use the name you chose.

To configure the basic parameters of the Active Asset Discovery ESP device:

1. In the VSE, go to Operations > Devices.
2. From the All Devices list in the left pane, select Discovery Engine.

   NOTE
   You can also set the configuration through the Device Management page by selecting Discovery Engine from the list and clicking Edit at the top of the screen.

3. Click the tool icon next to the Discovery Engine item.
   The Edit Protocol Settings of Device dialog box opens, allowing you to configure the settings for the Discovery Engine.
4. In the Edit Protocol Settings of Device dialog box, configure the parameters listed in Table 4-1.

Figure 4-2. Edit Protocol Settings of Device dialog box


NOTE
• The IP Range is the only mandatory property for the device.
• The parameters listed in the table do not have default values.
• Scanning multiple domains, with different credentials, is not supported. Instead, the device can be reconfigured with different credentials between scan executions, or multiple devices can be created in the VSE.
Executing multiple scans at the same time is not recommended.

Table 4-1. Basic parameters for the Discovery Engine

Parameter Name: IP Range
Description: The IP range for the network scan. When entering IP ranges, you can use various formats and can also combine the formats. The following examples are all valid:
• 192.168.200.160-170
• 192.168.200.1/23 (CIDR notation)
• 192.168.200.160 192.168.200.162 192.168.200.165 (use the space character to separate the addresses)
• 192.168.200.1/23 10.33.15.22 10.33.15.23 (combination)

Parameter Name: WMI Username [for Windows machines only]
Description: The name of the user that has the permissions to connect remotely and query the data via WMI on the target Windows-based machines

Parameter Name: WMI Password [for Windows machines only]
Description: The password for the username mentioned above

Parameter Name: WMI Domain [for Windows machines only]
Description: The domain for the above username

Parameter Name: SSH Username [for Linux machines and network equipments]
Description: The username of the user that has the permissions to connect remotely and query the data via SSH on the target Linux machines and network elements.

Parameter Name: SSH Password [for Linux machines and network equipments]
Description: The password for the username mentioned above

Parameter Name: SNMP Community String [for network equipments]
Description: The read-only community string for a remote connection that uses SNMP

Parameter Name: Label
Description: A metadata tag, consisting of one or more words. Active Asset Discovery ESP associates the Label tag to all the newly discovered assets that are added as devices to the VSE. It does this by populating the Label property of the added devices. Associating the Label to the discovered devices enables you to:
• More easily manage the discovered devices from the Security Center.
• Distribute user privileges according to the label.
• Perform compliance calculations.
Note: To see the devices associated with the Label in the Security Center, the Label must be added to the Security Center. In addition, the user in the Security Center requires permissions related to the Label (for example, for viewing, editing, deleting and managing).

5. Click Save.

By default, once the Discovery Engine device is created, the first network scan is automatically executed at midnight. You can wait for the automatic execution, or perform one or both of the following:

• [Optional] Configure the advanced parameters of the Active Asset Discovery ESP device – see section 4.3, Configuring the advanced parameters of the device.
• Manually run the Active Asset Discovery ESP, and generate the Asset Discovery Report – see chapter 5, Running Active Asset Discovery ESP.

CAUTION
When the Active Asset Discovery ESP scans the network, it uses some of the bandwidth and might interfere with other processes that are currently running.


4.3 Configuring the advanced parameters of the device

This section provides instructions for changing the default value of the advanced parameters of the Active Asset Discovery ESP device, if needed.

To configure the advanced parameters of the Active Asset Discovery ESP device:

1. Open the Edit Protocol Settings of Device dialog box. (See section 4.2, Configuring the basic

parameters of the device).

2. Click Add.

A new row is added below the basic parameters.

3. Enter the parameter name and its value in the appropriate table cells, using the information

listed in Table 4-2.

NOTE

• Copy the parameter name from the following table, without making any changes.

The names and values of the parameters are case sensitive.

Table 4-2. Advanced parameters for the Discovery Engine

Parameter Name | Description | Default Value
AutoAddWindows | If the value is yes, any asset that is identified as a Windows host will automatically be added as a device that is related to the Windows Machine Product Line (WindowsPL_name and WindowsVendor_name). If the value is no, the discovered host will appear only in the Asset Report and will not be added as a device to the VSE. | yes
AutoAddLinux | If a discovered host is identified as a Linux host, it will automatically be created as a Linux device. This action requires the definition of the Linux Machine Product Line (LinuxPL_name and LinuxVendor_name). If the value is no, the discovered host will appear only in the Asset Report and will not be added as a device to the VSE. | yes
AutoAddNetwork | If a discovered host is identified as a Network host, it will automatically be created as a Network Element. This action requires the definition of the Network/Cisco Machine Product Line (NetworkPL_name and NetworkVendor_name; or, CiscoPL_name and CiscoVendor_name). If the value is no, the discovered host will appear only in the Asset Report and will not be added as a device to the VSE. | yes
LinuxPL_name | The name of the product line for Linux machines | Generic Linux Machine
LinuxVendor_name | The name of the vendor of the product line for Linux machines | Nextnine
NetworkPL_name | The name of the product line for network elements | Network Device
NetworkVendor_name | The name of the vendor of the product line for network elements | Nextnine
WindowsPL_name | The name of the product line for Windows machines | Windows Machine
WindowsVendor_name | The name of the vendor of the product line for Windows machines | Nextnine
ExcludeVendorsScan | The name of vendors whose discovered components will not be included in the scan results |
NMAPLocation | Full path of the Nmap folder | Nextnine\Siteserver\Nmap
OSfingerprint | Specifies that an OS fingerprinting technique will be used for enhancing the accuracy of identifying different operating systems. The accuracy level of the detection will be displayed in the report. If you set the parameter to no, less information might be retrieved, reducing the level of accuracy. The default value yes will provide better results but will require slightly more network traffic. | yes
PythonLocation | Full path of the Python folder | Nextnine\Siteserver\Python
SSH_Port | The SSH port for communication | 22

4. After entering all the required settings, click Save.

The Save command overrides the default values.
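Because the parameter names and values in Table 4-2 are case sensitive, a mistyped row is easy to miss in the dialog. The following added example (not part of the Honeywell guide or product) lints a list of name/value rows against the table before they are entered; the rules that yes/no values must be lowercase and that SSH_Port must be a valid TCP port are assumptions of this example.

```python
# Added example, not vendor code: lint advanced-parameter rows against Table 4-2.

# Names and defaults copied from Table 4-2 (None = no default listed).
TABLE_4_2 = {
    "AutoAddWindows": "yes",
    "AutoAddLinux": "yes",
    "AutoAddNetwork": "yes",
    "LinuxPL_name": "Generic Linux Machine",
    "LinuxVendor_name": "Nextnine",
    "NetworkPL_name": "Network Device",
    "NetworkVendor_name": "Nextnine",
    "WindowsPL_name": "Windows Machine",
    "WindowsVendor_name": "Nextnine",
    "ExcludeVendorsScan": None,
    "NMAPLocation": "Nextnine\\Siteserver\\Nmap",
    "OSfingerprint": "yes",
    "PythonLocation": "Nextnine\\Siteserver\\Python",
    "SSH_Port": "22",
}
# Named in the AutoAddNetwork description but not given rows of their own.
ALSO_NAMED = ("CiscoPL_name", "CiscoVendor_name")
YES_NO = ("AutoAddWindows", "AutoAddLinux", "AutoAddNetwork", "OSfingerprint")


def lint(rows):
    """Check (name, value) pairs as they would be typed into the dialog.

    Returns a list of (name, problem) tuples; an empty list means no findings.
    """
    valid = set(TABLE_4_2) | set(ALSO_NAMED)
    by_lower = {n.lower(): n for n in valid}
    findings, seen = [], set()
    for raw_name, raw_value in rows:
        name, value = raw_name.strip(), raw_value.strip()
        if (name, value) != (raw_name, raw_value):
            findings.append((name, "leading or trailing whitespace"))
        if name in seen:
            findings.append((name, "duplicate row"))
        seen.add(name)
        if name not in valid:
            match = by_lower.get(name.lower())
            problem = f"wrong case, expected {match}" if match else "not in Table 4-2"
            findings.append((name, problem))
            continue
        # Assumption: yes/no must be lowercase, as printed in the table.
        if name in YES_NO and value not in ("yes", "no"):
            findings.append((name, f"expected yes or no, got {value!r}"))
        # Assumption: SSH_Port must be a decimal TCP port number.
        if name == "SSH_Port":
            ok = value.isascii() and value.isdigit() and 1 <= int(value) <= 65535
            if not ok:
                findings.append((name, f"not a TCP port: {value!r}"))
    return findings


# Constructed sample rows with typical typing mistakes.
SAMPLE_ROWS = [
    ("AutoAddWindows", "no"),
    ("autoaddlinux", "no"),     # wrong case in the name
    ("OSfingerprint", "Yes"),   # wrong case in the value
    ("SSH_Port", "2222"),
    ("SSH_Port", "70000"),      # duplicate row and out of range
    ("SNMP_Port", "161"),       # hypothetical name that is not in the table
]

if __name__ == "__main__":
    for finding in lint(SAMPLE_ROWS):
        print(finding)
```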


RUNNING ACTIVE ASSET DISCOVERY ESP


5. Running Active Asset Discovery ESP

By default, once the settings of the Active Asset Discovery ESP in the Security Center and VSE have

been configured, the Active Asset Discovery ESP runs once a day at midnight. No additional actions

are required to ensure the execution of the discovery scan.

The Active Asset Discovery ESP can be run on demand from the following locations:

• The Security Center

• The VSE

NOTE

The execution of the Active Asset Discovery ESP has a default timeout of 8 hours. This means that if the ESP execution has not completed after 8 hours, the ESP run is stopped and an error message appears. No partial data is displayed following an incomplete run.

5.1 Active Asset Discovery ESP output

The discovery scan output consists of the following:

• Asset Discovery Report – an inventory report, in HTML format, listing all the network assets

discovered in the scan. This report is produced after every execution of the scan.

• VSE devices – the devices are created after the execution of the scan when your system is

configured to add newly discovered assets as devices to the VSE.

• Asset Scan Result – a summary listing the number of discovered assets and the number of the

assets added or not added as VSE devices.

5.1.1 Asset Discovery Report

Each execution of the Active Asset Discovery ESP automatically generates an HTML report, called the Asset Discovery Report. This inventory report lists all the assets that were detected in the scan, along with additional information about each asset.

The Asset Discovery Report displays the information collected and classified by the Active Asset

Discovery ESP. Once the ESP is executed, it tries to identify and collect the following parameters for

each detected asset:

• Hostname

• IP

• MAC

• OS

• Vendor


After these parameters are collected, each detected asset undergoes a classification process. This

process determines the asset type, which is indicated in the Type column in the Asset Discovery

Report. Initially, each newly discovered asset is classified as a Host as shown in Figure 5-1.

Afterwards, further classification is performed according to the following rules:

• If the asset OS is either Windows or Linux - the Asset Type remains Host.

• If the asset OS is not Windows or Linux, the Active Asset Discovery ESP tries to identify the

exact type of network component and to classify the asset:

If the identification of the exact type of network component is successful, the identified

type serves as the Type of the discovered asset in the Report. For example, if the Active

Asset Discovery ESP identified a printer, a router, and a switch, the type of these

components in the report will be Printer, Router, and Switch, respectively.

If the identification of the exact type of network element fails, the Type of the discovered

asset in the Report will be either Network Element or Cisco Network Element.

NOTE

The Type of the asset is shown in the Asset Discovery Report and in the Execution

Result – View dialog box, which shows a summary of results of the last scan.

For each classified type, the discovery scan attempts to gather the following information:

• Windows-based host – exact OS version

• Linux-based host – kernel version or OS type

• Network elements – manufacturer information

• Cisco Network elements – device type (switch, router, or printer), including model and version

Figure 5-1. Asset Discovery Report – initial classification

If the discovery scan cannot gather the required information on an asset with absolute certainty, it

uses the OS fingerprinting technique to identify the missing information with a percentage of

certainty. In this case, the level of certainty of the information will be displayed as a percentage in

the report, as shown in the highlighted box in Figure 5-2.

5.1.2 VSE devices

After the classification, every asset that was detected by the Active Asset Discovery ESP can be added to the VSE as a device. It is then configured and monitored by the VSE according to its device definition.

NOTE

• The advanced parameters determine if and how discovered assets are added as devices to the VSE.

• The VSE license limits the number of devices in a VSE. If the number of discovered assets exceeds the license terms, some of the assets will not be added as devices to the VSE. However, all the discovered assets appear in the Asset Discovery Report that is generated after a scan.

The name of each device is unique. By default, the name of a newly added device is the hostname

of the machine. If the network scan is unable to detect the hostname of the machine, the IP

address of the machine is used as the name of the device.

Figure 5-2. Asset Discovery Report – final classification


Each device that is added to the VSE using the Active Asset Discovery ESP has several properties that are updated automatically, as follows:

Table 5-1. Device properties that are updated automatically

Property Name | Description | Example
[Optional] Labels | One or more words that are attached as a tag to the device. This property only receives a value if the Label property of the Discovery Engine was set (see section 4.2, Configuring the basic parameters of the device). | Testing, Production
First Seen | Date and time of the first time that the VSE detected the device | Sun Apr 10 17:13:56 2016
Last Seen | Date and time of the last time that the device was detected by the VSE | Thu Apr 21 06:23:54 2016

Each execution of the Active Asset Discovery ESP initiates a new scan of the specified IP range. All

the assets that are detected for the first time are added to the VSE. Upon each run, the Active Asset

Discovery ESP checks if a newly discovered asset already exists in the VSE. Only when a newly

discovered asset does not exist in the VSE is it added to the VSE as a device. The date of the first

time the ESP discovered an asset and added it as a device appears in the First Seen parameter of

the device (see Figure 5-3).

Figure 5-3. First Seen parameter


When previously discovered assets no longer appear in a new scan, they are not automatically

removed from the devices list. It is possible to identify the current presence of a device by checking

the value of its Last Seen parameter. If the date value of the Last Seen parameter is earlier than the

last scan, this means that the device was not present in the last scan, or even in earlier scans. This

might mean that the device is down, or that it no longer exists in the scanned network.

Figure 5-4. Last Seen parameter
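The Last Seen comparison described above, together with the First Seen property, lends itself to a scripted check after each scan. This added example (not part of the Honeywell guide or product) assumes the device list has been copied into a CSV with the hypothetical columns name, first_seen and last_seen, and that you supply the start time of the last scan.

```python
import csv
import io
import ipaddress
from datetime import datetime

# Timestamp layout of the First Seen / Last Seen examples in Table 5-1.
# %a and %b expect English day and month names (C or English locale).
STAMP = "%a %b %d %H:%M:%S %Y"

# Constructed sample. The CSV layout is hypothetical: the guide does not
# describe an export format, so adapt the column names to your own listing.
SAMPLE_CSV = """name,first_seen,last_seen
HMI-01,Sun Apr 10 17:13:56 2016,Thu Apr 21 00:04:11 2016
10.10.4.57,Thu Apr 21 00:06:40 2016,Thu Apr 21 00:06:40 2016
PLC-GW-2,Sun Apr 10 17:14:02 2016,Mon Apr 18 00:03:27 2016
"""


def named_by_ip(name):
    """True when the device name is an IP address (hostname was not detected)."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def triage(csv_text, last_scan_start):
    """Sort devices into new, present and missing relative to the last scan.

    missing: Last Seen is earlier than the last scan (device down or gone);
             reported with the whole days elapsed since it was last seen.
    new:     First Seen falls within the last scan (first-time discovery);
             reported with a flag telling whether it is named by IP address.
    """
    out = {"new": [], "present": [], "missing": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["name"].strip()
        first = datetime.strptime(row["first_seen"].strip(), STAMP)
        last = datetime.strptime(row["last_seen"].strip(), STAMP)
        if last < last_scan_start:
            out["missing"].append((name, (last_scan_start - last).days))
        elif first >= last_scan_start:
            out["new"].append((name, named_by_ip(name)))
        else:
            out["present"].append(name)
    return out


if __name__ == "__main__":
    # Constructed scan start: the default midnight run on 21 April 2016.
    report = triage(SAMPLE_CSV, datetime(2016, 4, 21, 0, 0, 0))
    for group, devices in report.items():
        print(group, devices)
```

Devices in the new group are worth reconciling against the expected inventory, and devices in the missing group against planned maintenance or decommissioning.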


5.2 Using the ESP from the Security Center

After an IP range and network protocol credentials are specified for the device, the ESP can be run manually from the Security Center to generate reports.

One advantage of running the ESP from the Security Center as compared to running it from the

VSE is that you can see the results immediately in the Security Center. By default, the VSE updates

the Security Center once an hour, and it can therefore take up to an hour until the results appear in

the Security Center.

5.2.1 Running the ESP from the Security Center

In addition to running the Active Asset Discovery ESP on a scheduled basis, you can manually run the ESP on demand.

To run the Active Asset Discovery ESP from the Security Center:

1. On the Security Center, on the Device List tab of a specific site, open the Discovery Engine.

2. Once the Discovery Engine is opened, click Diagnose.

3. On the Run Diagnose activity on device Discovery Engine dialog box that appears, open the

Diagnosis Routine drop-down list and select the Run Asset Scan option. After every execution

of the scan, an inventory report, in HTML format, is produced listing all the network assets

discovered in the scan.

Figure 5-5. Discovery Engine from Security Center


4. To start the scan, click Run.


Once the Active Asset Discovery ESP run is initiated, the run activity is added to the Activity

Log. In addition, a message appears, indicating that the run activity has started.

The Active Asset Discovery ESP starts running, and the defined IP range of the VSE is scanned

for network assets. When the scan is completed, the status of its activity in the Activity Log

changes to Completed.

The newly discovered assets are displayed as devices in the Device List page.

Figure 5-6. Run Active Discovery

Figure 5-7. Discovered assets displayed as devices


5.2.2 Generating the Asset Discovery Report from the Security Center

After each run of the Active Asset Discovery ESP, the HTML-based Asset Discovery Report is generated. In addition, you can regenerate and view the report from the Security Center. The report generated displays the information of the last scan.

To generate and view the Asset Discovery Report from the Security Center:

1. On the Security Center, open the Discovery Engine.

2. Once the Discovery Engine is opened, click Diagnose.

The Run Diagnose activity on device Discovery Engine dialog box appears.

3. On the Run Diagnose activity on device Discovery Engine dialog box, open the Diagnosis

Routine drop-down list and select the Generate Asset Scan Report option.

4. To generate the report, click Run.

Once the report generation is initiated, the generation activity is added to the Activity Log. In

addition, a message appears, indicating that the report generation activity has started.

5. To view the report, open the Activity Log tab.

6. Locate the report generation activity and click either View Data or View Details on the right

side of the activity line.

Figure 5-8. Report generation activity


Note that:

Clicking View Data opens the Data Viewer window.

Clicking View Details opens the Activity Log Details window and then clicking View

Attached Data in the Data column opens the Data Viewer window.

7. In the Data Viewer window, the Asset Scan Result is listed in the Value column.

Figure 5-9. Activity Log Details dialog box


5.2.3 Viewing the discovered assets

After the Active Asset Discovery ESP is executed, a summary of the scan results can be viewed in the Security Center.

To view the Discovered Assets Summary in the Security Center:

1. In the Security Center, find and open the VSE for which you wish to view the scan.

2. Open the Data tab of the selected VSE and select the Discovery Engine option from the list in

the left pane.

NOTE

You can also open the Activity Log tab of the selected VSE. The list of performed

activities, including scans, appears there.

On the Data page of the Discovery Engine, you can view a partial summary of the scan results

in the Value column.

3. To view the full summary of the last scan results, click the Result link in the Property column,

as shown below, to display the result details.

To learn more about the displayed information, see section 5.3.3, Viewing the discovered

assets.

Figure 5-10. Partial summary of the last scan results


5.3 Using the ESP from the VSE

After defining an IP range and adding the credentials necessary for using your network protocols, you can manually run the ESP from the VSE and generate and view its report.

NOTE

You can also run the ESP and generate its report from the Security Center.

5.3.1 Running the ESP from the VSE

In addition to running the Active Asset Discovery ESP on a scheduled basis, you can manually run the ESP on demand.

To run the Active Asset Discovery ESP from the VSE:

1. In the VSE, go to Operations > Devices.

The All Devices page appears.

2. From the list in the left pane, select Discovery Engine.

A list of available Execution Profiles for the Discovery Engine is displayed in the Execution tab.

The Active Asset Discovery ESP contains the following execution profiles:

Generate Asset Scan Report – generates an Asset Discovery Report (in HTML format)

that displays a summary of the assets discovered in the last scan. This profile is triggered

immediately after the scan is complete. See section 5.3.2, Generating the Asset Discovery

Report from the VSE.

Run Asset Scan – runs the Active Asset Discovery ESP once on demand. A summary

report of the discovered assets is generated after the scan is completed. Immediately

after the summary report is completed, the Generate Asset Scan Report profile is

automatically triggered, generating an HTML document called the Asset Discovery Report.

Run Asset Scan Every Day – similar to Run Asset Scan, except that the Active Asset

Discovery ESP runs once a day, according to a predefined schedule.


3. To run the Active Asset Discovery ESP once, select the check box for Run Asset Scan and click

Execute Once Now.

The Active Asset Discovery ESP starts running and the defined IP range of the VSE is scanned

for network assets. During the scan, in the Current Execution tab, the status of the Run Asset

Scan action changes to collecting.

NOTE

The estimated time of a scan of a subnet of 255 addresses is approximately 1 hour.

Once the scan is completed, the action no longer appears in the Current Execution tab. The

newly discovered assets might appear as devices in the Operations tab under the Devices

Management page.

Figure 5-11. Run Asset Scan

Figure 5-12. Current Execution tab


NOTE

If necessary, click on the currently selected tab again to see the results of the last

scan.

5.3.2 Generating the Asset Discovery Report from the VSE

After each run of the Active Asset Discovery ESP, the HTML-based Asset Discovery Report is generated. In addition, you can regenerate and view the report. The report displays the information of the last scan.

To generate and view the Asset Discovery Report from the VSE:

1. In the VSE, go to Operations > Devices.

2. From the All Devices list in the left pane, select Discovery Engine.

3. To generate the Active Asset Discovery Report of the last scan, select the check box for

Generate Asset Scan Report and click Execute Once Now.

Figure 5-13. Operations tab displaying newly discovered assets

Figure 5-14. Generate Asset Scan Report


A message appears, indicating that the report generation execution profile has started.

4. Click OK on the confirmation message.

Once the activity is completed, the Asset Discovery Report is generated. It displays the

information of the last scan.

5. To view the report list, click the View Data tab.

The View Data page appears, displaying all the reports that were generated in the last week.

6. Locate the report in the list by verifying that:

Generate Asset Scan Report is displayed in the Profile Name column

Diagnose Routine is displayed in the Type column

Manual is displayed in the Reason column

The date and time when the scan was executed is displayed in the Execution Date

column

7. To open the report, click the OK link in the Status column of the required report.

8. On the Execution Result – View dialog box that appears now, click the link report.html in the

Value column.

The report is downloaded.

9. Click the downloaded HTML file to display the Asset Discovery Report.


5.3.3 Viewing the discovered assets

When your system is configured to add newly discovered assets as devices to the VSE, the number of assets added as devices is displayed in the summary for each scan. Otherwise, only the number of assets, listed according to each type of asset, and the total number of assets are displayed.

To view the scan summary from the VSE:

1. In the VSE, go to Operations > Devices.

2. Select the Discovery Engine option from the All Devices list.

3. Click the View Data tab.

4. To open a scan summary, click the OK link in the Status column of the Run Asset Scan or Run

Asset Scan Everyday profile.

The Execution Result – View window opens, displaying the scan summary.

Figure 5-15. The Asset Discovery Report


Figure 5-16. Asset Scan summary


The summary of the asset discovery scan is displayed in the Value column and arranged in the

following categories:

First category at the top – lists the number of discovered assets arranged according to

their operating systems and types, such as the number of Windows Hosts and Linux

Hosts. See the top of the Value column in Figure 5-16.

Total number of Assets Found – indicates the total number of assets that were

discovered, not the number of assets that were added as devices to the VSE. In the first

execution of the network scan, all the assets that are discovered appear in either the

Device Added or Devices Not Added categories. In later scans, if the assets that are

discovered were already added to the VSE, they will not appear in the categories Device

Added or Devices Not Added, but their total will appear in the category Total number of

Assets Found. In Figure 5-16, see the line highlighted with a dotted green line.

Added Devices – lists the discovered assets that are added as devices to the VSE

following the current scan. For every added device, the following details are provided:

Hostname, IP address, OS, and Type. If an asset that was discovered in the current scan

was already added as a device following a previous scan, it will not appear here again. See

the area highlighted by means of a solid red line in Figure 5-16.

Devices Not Added – lists the discovered assets that were not added as devices to the

VSE following the current scan, either due to an error or because the number of devices in

the VSE exceeded the maximum number of licensed devices. See the bottom of the Value

column in Figure 5-17.

Figure 5-17. Scan summary listing the devices that are not added


If your system is not configured to add newly discovered assets as devices to the VSE, or

all assets have already been added as devices to the VSE, the summary will show the

number of discovered assets and total number of assets found as shown in Figure 5-18.

Figure 5-18. Scan summary without any added devices


CS-ICSE602en-500A February 2019 © 2019 Honeywell International Sàrl

Honeywell Process Solutions

1250 W Sam Houston Pkwy S #150, Houston, TX 77042

Honeywell House, Skimped Hill Lane, Bracknell, Berkshire, RG12 1EB

Building #1, 555 Huanke Road, Zhangjiang Hi-Tech Park, Pudong New Area, Shanghai, China 201203

www.honeywellprocess.com