Qualys VMDR OT provides comprehensive visibility and vulnerability management for critical infrastructure across all industrial network layers - Control, Supervisory, and Site Operations.
Industrial IoT (IIoT) and smart manufacturing greatly enhance Overall Equipment Efficiency (OEE) and cost savings. However, they also increase enterprises' exposure to cyber-attacks, because rapid digitization has created new connectivity between previously air-gapped industrial environments and enterprise networks. Industrial assets have higher availability and reliability requirements: they must function round the clock, and a malfunction can lead to significant physical safety incidents. Qualys provides a single platform and a single pane of glass for all IT and OT Asset Inventory, Vulnerability Management, Policy Compliance, and OT endpoint-based Threat Detection and Response.
Typically, industrial processes are supported by many pieces of equipment from different industrial vendors, communicating over a variety of industrial protocols such as Ethernet/IP, Modbus TCP, Siemens S7Comm, S7Comm Plus, Profinet, BACnet, and DNP3, among others. Many of these protocols are insecure by design, lacking basic authentication and encryption, so visibility and regular risk assessments are even more critical in these environments.
With Qualys VMDR OT, you get real-time asset inventory, network visualization, and vulnerability management for your industrial control systems. With an intuitive interface and a fully automated risk assessment workflow, Qualys VMDR OT is a powerful tool to reduce the risk of costly and dangerous cyber security breaches.
VMDR OT provides asset inventory, network visibility, and vulnerability postures at all the Purdue levels.
| Purdue Level | Assets | Feature | Supported by | Available on Qualys Applications |
|---|---|---|---|---|
| Purdue Levels 0/1/2 | Hardware like PLC, RTU, IO, Robots, VFDs, etc. | | | VMDR OT |
| Purdue Levels 2 and above | OT/ICS OS-based endpoints hosting ICS vendor software (Engineering Workstations, Operator Stations, HMI Servers, DCS Servers, etc.) | Asset Inventory | VMDR application (Safe OT Device scan support in Qualys Scanner and Cloud Agent) | VMDR, CSAM. For more information, refer to the OT Device Scan details |
| | | Vulnerability Management | VMDR (OT/ICS OS-based endpoints hosting ICS vendor software) | VMDR |
| | | Policy Compliance | Policy Compliance application (IEC 62443, NERC CIP policies) | Policy Compliance |
- Real-time VMDR asset inventory
Qualys VMDR OT builds a comprehensive real-time asset inventory via multiple engines:
Qualys Passive Sensor dissects industrial protocols and gives visibility into various Purdue Levels, especially at Field and Control network layers.
Qualys extends the scanner capabilities to perform safe VMDR OT discovery over industrial protocols. This scan is designed to be safe: it queries devices in the native protocol language they understand, in the same way a SCADA server or an engineering workstation would talk to a controller.
Both Passive Sensor and Safe Active Scanning help create an inventory of devices such as Programmable Logic Controllers (PLCs), Remote Terminal Units (RTUs), Intelligent Electronic Devices (IEDs), Remote IOs, Human Machine Interfaces (HMIs), Industrial Gateways, Building Automation Controllers, IP-based Sensors, Robots, and Drives, among others.
Industrial endpoints running an operating system such as Windows or Linux can be assessed with Authenticated Scans. This is a safe way of collecting software inventories as well as software vulnerabilities.
Qualys Cloud Agent can also be deployed on supported OS-based endpoints, giving continuous visibility into the inventory and vulnerability posture of these assets.
Both Authenticated VM scans and Qualys Cloud Agent help build a detailed inventory of industrial PCs hosting Operator Stations, SCADA servers, or engineering workstations, and of IT stations hosting Manufacturing Execution Systems (MES), ERPs, and remote connectivity workstations, among others.
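The passive inventory engine described above works by dissecting protocol traffic on the wire. The following is an added illustration, not Qualys code, of that idea for one protocol the page lists: it parses constructed Modbus/TCP "Read Device Identification" responses (function 0x2B, MEI type 0x0E) and merges successive observations into an asset record, rejecting frames that are not identity responses or whose declared lengths do not match the bytes seen. The frames, IP addresses and vendor strings are constructed sample data.

```python
import struct
# Object ids 0-2 are the basic identification set of the Modbus
# "Read Device Identification" function; names follow the specification.
OBJECT_NAMES = {0: "VendorName", 1: "ProductCode", 2: "MajorMinorRevision"}

def build_devid_response(transaction_id, unit_id, objects):
    # MEI 0x0E, ReadDevId code 1, conformity 1, no more follows, next id 0, count
    body = bytes([0x2B, 0x0E, 0x01, 0x01, 0x00, 0x00, len(objects)])
    for obj_id, value in objects:
        body += bytes([obj_id, len(value)]) + value
    mbap = struct.pack(">HHHB", transaction_id, 0, len(body) + 1, unit_id)  # MBAP header
    return mbap + body

def parse_devid_response(frame):
    """Return {unit_id, objects} for a device-identification response, else None."""
    if len(frame) < 9:
        return None
    _tid, proto, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        return None  # not Modbus/TCP, or a truncated/oversized frame
    pdu = frame[7:]
    if pdu[:2] != b"\x2b\x0e" or len(pdu) < 7:
        return None  # other function code or MEI type: not an identity response
    objects, pos = {}, 7
    for _ in range(pdu[6]):
        if pos + 2 > len(pdu):
            return None  # object header runs past the end of the frame
        obj_id, obj_len = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2 : pos + 2 + obj_len]
        if len(value) != obj_len:
            return None  # declared object length exceeds the frame
        objects[OBJECT_NAMES.get(obj_id, f"object_{obj_id}")] = value.decode("ascii", "replace")
        pos += 2 + obj_len
    return {"unit_id": unit_id, "objects": objects}

def build_inventory(captured):
    """Merge (src_ip, frame) observations into an inventory keyed by (ip, unit id)."""
    inventory = {}
    for src_ip, frame in captured:
        parsed = parse_devid_response(frame)
        if parsed is not None:  # context accumulates as more responses are seen
            inventory.setdefault((src_ip, parsed["unit_id"]), {}).update(parsed["objects"])
    return inventory

SAMPLE_CAPTURE = [  # constructed sample traffic, not real device data
    ("10.0.1.20", build_devid_response(1, 1, [(0, b"ExampleVendor"), (1, b"PLC-1000")])),
    ("10.0.1.20", build_devid_response(2, 1, [(2, b"v2.1")])),
    ("10.0.1.21", b"\x00\x03\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),  # read-registers request
]
```

Running `build_inventory(SAMPLE_CAPTURE)` yields one asset record for 10.0.1.20 whose vendor, product and revision were filled in across two responses; the plain register request from 10.0.1.21 contributes nothing, which is why a full asset context takes time to build.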
- Extensive industrial protocol support
Qualys VMDR OT supports a wide range of IT and OT protocols such as S7Comm, S7Comm Plus, Profinet, Ethernet/IP, BACnet, Modbus TCP, DNP3, MQTT, IEC 104, CIP, IEC 61850-MMS, Beckhoff ADS, Omron, PCCC, Niagara Fox, and many more.
- Out-of-band Configuration Assessment support
Qualys VMDR OT supports out-of-band Configuration Assessment. You can import asset information from a project file collected from programming and maintenance software. The ICS application parses the uploaded file and creates assets from the data it contains. Qualys supports project files from various vendors' engineering tools, such as Omron CX Programmer (.cxp), Rockwell RSLogix 500 (.RSS), Rockwell Studio 5000 (.L5X), Rockwell System Ferret (.Xml), Siemens DIGSI 4 (.zip), Siemens DIGSI 5 (.zip), Siemens DIGSI 5 (.dz5), and many more.
- Robust vulnerability management
Qualys VMDR OT provides continuous vulnerability assessment of all discovered industrial assets. Hardware and firmware vulnerabilities affecting PLCs, IOs, Robots, HMIs, Drives, etc., as well as software vulnerabilities affecting SCADA servers, engineering software, HMI software, license management software, MES and ERP systems, are covered by the Passive Sensor combined with the Qualys scanner or Cloud Agent.
Risk scores take into account asset criticality, vulnerability severity, and whether redundancy is available for the asset, to assist with better prioritization and remediation actions.
The ICS QID Pack, available as an add-on to Qualys VM / VMDR, is another mechanism to cover these vulnerabilities. The vulnerability KnowledgeBase is continuously updated and maintained with newly discovered vulnerabilities.
- Broad industrial vendor support
Qualys VMDR OT supports major industrial vendors such as Siemens, Rockwell Automation, Schneider Electric, Wago, Johnson Controls, Niagara Fox, Beckhoff, Omron, ABB, Tridium, Eaton Turck, Balluf, Distech Controls, Danfoss, Parker Hannifin, and many more.
VMDR OT application can be accessed with a subscription to VMDR, Cyber Security Asset Management (CSAM) and Qualys Network Passive Sensor (NPS) applications.
VMDR OT is powered by Qualys Network Passive Sensor. It continuously monitors all network traffic and flags any asset activity, identifying and profiling devices the moment they are connected to the network.
Qualys Network Passive Sensor (NPS) identifies assets in an industrial environment that can’t be actively scanned. Qualys Network Passive Sensor (NPS) enriches existing asset inventory with additional details, such as recent open ports, traffic summary, network services, and applications. This helps to gain a deeper understanding of an asset and its activity on the network in real-time.
- Discover Assets and Collect Inventory
Once Qualys Network Passive Sensor is deployed and configured in the network, it starts passively listening to the network traffic and creating assets based on the information dissected from the traffic. For more details on deployment, refer to Deploying Qualys Network Passive Sensors.
Over time, as various asset activities are seen on the wire, the passive sensor continues to enrich the asset inventory attributes with additional contextual information. The time taken to build a complete asset context depends on the type of industrial protocol and the type of activities performed in the environment.
To generate the traffic required for device identification, retrieve device information from the programming software you use to configure and manage your network devices. For steps to generate this traffic, refer to the Device Discovery Documents.
Asset inventory can also be created through ICS out-of-band configuration assessment, using the project files collected from programming and maintenance software. For more details on generating a project file from programming and maintenance software, refer to Generating a Project File. To upload the project files and view the details of the imported asset inventory, refer to the Import Asset tab.
- Detect and Monitor
Qualys Network Passive Sensor detects active assets in the network by monitoring network activity without any active probing of devices. The ICS asset inventory is continuously updated based on the asset activities flagged by the Qualys Network Passive Sensor. For information about the ICS asset inventory, refer to Viewing Asset Details.
To view the network traffic that shows the communication between servers and clients in the network, refer to the Network tab.
Vulnerabilities on your ICS assets are detected and listed in the Vulnerabilities tab.
We have the most up-to-date KnowledgeBase of vulnerabilities in the security industry, and it's continuously getting updated. For more details, refer to Viewing KnowledgeBase.
- Visualize the Assets and Vulnerability Postures on the Dashboard
Dashboards help you visualize your assets, see your threat exposure, leverage saved searches, and quickly fix high-priority vulnerabilities.
Qualys VMDR OT integrates with Unified Dashboard (UD) to bring information from all Qualys applications into a single place for visualization. UD provides a dashboarding framework and platform service that is shared by all other Qualys products to enhance their existing dashboard capabilities.
Qualys VMDR OT offers several dashboards out-of-the-box. Each dashboard displays a short description of the information it offers. You can also easily configure widgets to pull information from other modules/applications and add them to your dashboard. You can add as many dashboards as you like to customize your view.
See the Unified Dashboard help for more information.
Your access to Unified Dashboard depends on the Admin utility's global permissions granted to you. Refer to the Online Help in the Admin utility for information on Global Dashboard Permissions.
Note: When you assign the Global Dashboard permissions to a role, the Global Dashboard permissions override the module-specific dashboard permissions. As a result, the module-specific dashboard permissions are ignored.