How do I configure the Service Graph Connector Integration for Claroty CTD
Current Version: 2.1.5
Sample CTD Site to Monitor: Triton
Sample OT Devices in CTD Site to Monitor: GE1 PLC Device, XXX.XX.XX.250 @ 9C:EB:E8:2D:73:81 Endpoint Device, SIMATIC 300 PLC Device
Mid Server used to connect to Claroty CTD(Yes\No): Yes
ServiceNow Production Instance(Yes\No): No
NIDS(Network Intrusion Detection System) Deployment Type(IT\OT): OT
Software Asset Management Enabled(Yes\No): Yes
Updating NIDS Metadata(Yes\No): Yes
The following topics are covered in this How do I configure the Service Graph Connector Integration for Claroty CTD? Article:
A. Set up Claroty CTD Site for monitoring IT\OT Devices in your ICS Network
B. Analyze your Claroty CTD Site data in the Claroty CTD On Premises Solution
C. Installing & Configuring Service Graph Connector Integration for Claroty CTD on your ServiceNow Instance
D. Run Service Graph Connector Integration for Claroty CTD Scheduled Data Import Jobs on your ServiceNow Instance
E. Analyze the CMDB Records created\updated by the Service Graph Connector Integration for Claroty CTD for your Claroty CTD Site in your ServiceNow Instance
A. Set up Claroty CTD Site for monitoring IT\OT Devices in your ICS Network
Claroty CTD (Continuous Threat Detection) is an Agentless on-Premises Solution for monitoring the IT\OT Devices in your ICS (Industrial Control Systems) Network. It is made up of 1 or more Site Components that collect and analyze Network Traffic Data from the IT\OT Devices in your ICS Network before mapping the output of this Network Traffic Data Analysis to OT Assets whose Metadata is sent to a Central Enterprise Management Console (EMC) Component. The Central Enterprise Management Console (EMC) Component has a Web Based User Interface that can be accessed for viewing all the Claroty CTD Sites in your ICS Network, the OT Assets in those Sites along with any reported Threats for those OT Assets (Please refer to Claroty's Solution Overview Documentation Page for more details).
The Service Graph Connector Integration for Claroty CTD ingests Asset data from the Enterprise Management Console (EMC) Component of the overall Claroty CTD On-Premises Solution into the ServiceNow CMDB. It creates IT Device CI records from IT Asset data and OT Device CI records from OT Asset data (This will be explained in more detail in the Configure Assets Import Schedule sub section of the C. Installing & Configuring Service Graph Connector Integration for Claroty CTD on your ServiceNow Instance Section further down this Article).
The Purdue Diagram below shows these different Claroty Components (Please refer to Claroty's Solution Architecture Documentation Page for more details on the individual components) along with how the Service Graph Connector Integration for Claroty CTD interacts with the Claroty EMC Component via a ServiceNow Mid Server (referenced in Section C. Installing & Configuring Service Graph Connector Integration for Claroty CTD on your ServiceNow Instance) to ingest its Asset data.
Note: CTD Site is also sometimes referred to as CTD Server. It is shown as CTD Server in the below Diagram.
(i) Log into your Claroty Partner Portal
(ii) Download the ISO File that you will be using to create a Claroty CTD Site in your Network
(iii) Install the ClarotyOS onto the CTD Servers that you will be designating as CTD Sites as per the ClarotyOS CTD Installation Documentation Page.
(iv) Go to your Enterprise Management Console Web Application to verify that your new Claroty CTD Site is reporting back to the Enterprise Management Console(EMC) Component.
- Navigate to Enterprise Overview in the Left Hand EMC Menu Navigator to see all the Claroty CTD Sites reporting back to the Enterprise Management Console(EMC) Component. You should see the Claroty CTD Site you just created included in these Claroty CTD Sites. Below is an example of this for all the Claroty CTD Sites in our Crucible Lab Environment. The Triton Site shows 237 Assets being associated with it and will be the Claroty CTD Site that we will be analyzing in this Article.
B. Analyze your Claroty CTD Site data in the Claroty CTD On Premises Solution
(i) Navigate to Dashboard in the Left Hand Menu Navigator.
(ii) Select your Claroty CTD Site from the Site Pulldown Menu at the top of the Enterprise Management Console Web Application Screen to bring up the Dashboard Screen for that Site.
The below screenshot shows an example of this where the Dashboard Screen for our Triton Claroty CTD Site is shown.
Overview
(i) Navigate to Visibility\Overview in the Left Hand Menu Navigator to bring up the CTD Claroty Site Visibility Overview Screen for your Site. The screenshot below shows the Visibility Overview Screen for the Triton Site.
Assets
(i) Navigate to Visibility\Assets in the Left Hand Menu Navigator to bring up the CTD Claroty Site Assets List for your Site. The screenshot below lists the 237 Assets associated with the Triton Site.
(ii) Click on the Layered Topology View Icon to show these Assets in the Purdue Model Topology View. The screenshot below shows the Purdue Model Topology View from Level 0 to Level 5 for the 237 Assets associated with our Triton Site.
You can drill into specific Asset Types you are interested in seeing by selecting these Asset Types from an Asset Type Pulldown Filter Menu (shown in the above screenshot). The following sub-sections outline the various Asset Types that are associated with the Triton Site to demonstrate which assets may appear in each level of the Purdue Model.
OT Supervisory System Devices
OT Supervisory System Devices are found in Level 2 of the Purdue Model. The following OT Supervisory System Device Types are included in our Triton Site Assets:
- Engineering Station
- HMI
- OT
(iii) Select Engineering Station, HMI and OT from the Asset Types Pulldown Menu while still in the Purdue Model Layered View. A screen showing these Device Types will be displayed like the one shown below for our Triton Site. You will notice that all 8 of the Assets matching this Asset Type Filter selection are shown in Level 2 of the Purdue Model View, with each Asset Type represented by a different colored icon: the green icon represents the single Engineering Station in our Triton Site, the purple icon represents the 6 HMI Devices and the red icon represents the single OT Device.
OT Control System Devices
OT Control System Devices can be found in Levels 0, 1 and 5 of the Purdue Model. The following OT Control System Device Types are included in our Triton Site Assets:
- PLC
- RTU
- Controller
(iv) Select PLC, RTU and Controller from the Asset Types Pulldown Menu while still in the Purdue Model Layered View. A screen showing these Device Types will be displayed like the one shown below for our Triton Site, with 14 Assets matching this Asset Type Filter selection and each Asset Type represented by a different colored icon: the green icon represents the single Controller Device in Purdue Level 1 of our Triton Site, the purple icon represents the 3 RTU Devices across Purdue Levels 0, 1 and 5 and the red icon represents the 10 PLC Devices across Purdue Levels 1 and 5.
End Point Devices
End Point Devices are found in Level 3 of the Purdue Model.
(v) Select Endpoint from the Asset Types Pulldown Menu while still in the Purdue Model Layered View. A screen showing these Device Types will be shown like the one shown below for our Triton Site that shows 210 Endpoint Devices being represented as purple icons in Purdue Level 3 of our Triton Site.
Networking IT Devices
Networking IT Devices are found in Level 1.5 of the Purdue Model. The following Networking IT Device Types are included in our Triton Site Assets:
- Gateway
- Networking
(vi) Select Gateway and Networking from the Asset Types Pulldown Menu while still in the Purdue Model Layered View. A screen showing these Device Types will be displayed like the one shown below for our Triton Site, with 5 Assets matching this Asset Type Filter selection and each Asset Type represented by a different colored icon: the 2 Networking IT Devices are shown as purple icons and the 3 Gateway IT Devices as red icons.
C. Installing & Configuring Service Graph Connector Integration for Claroty CTD on your ServiceNow Instance
(i) Login to your ServiceNow Instance
(ii) Install the following Application from the ServiceNow Store:
Service Graph Connector Integration for Claroty CTD: sn_clarotyctdsgc
The following Applications are automatically installed\activated when you install this application
- Integration Commons for CMDB: sn_cmdb_int_util
- CMDB CI Class Model: sn_cmdb_ci_class
The following Plugins are automatically installed\activated when you install this application
- ITOM Discovery License: com.snc.itom.discovery.license (Included with full Discovery Product)
- ITOM Licensing: com.snc.itom.license
- ServiceNow IntegrationHub Action Template: com.glide.hub.action_type.datastream
(iii) Navigate to Guided Setup under Service Graph Connector Claroty CTD in the Filter Menu
(iv) Go through all Guided Setup Steps as per the ServiceNow Documentation: Service Graph Connector Integration for Claroty CTD
Setup Credentials and Connections - Guided Setup Section
The Service Graph Connector will be Authenticating with your Claroty CTD Enterprise Management Console(EMC) Web Application using the Connection & Credential Details from the OOTB Claroty_CTD_Base_Auth Connection & Credential Alias Record shown in the below screen shot.
It will be Authenticating with the Claroty CTD REST API's using the Connection & Credential Details from the OOTB Child Claroty_CTD_API Connection & Credential Alias Record shown in the below screen shot.
Notice that the OOTB Child Claroty_CTD_API Connection & Credential Alias is a Child Alias of the OOTB Parent Claroty_CTD_Base_Auth Connection & Credential Alias.
You will be configuring the ServiceNow Claroty Connection and Credential Records associated with these Claroty_CTD_Base_Auth and Claroty_CTD_API Parent and Child Aliases respectively in this Setup Credentials and Connections section of Guided Setup.
Configure Connections
(i) On the Configure Connections Tab of this Setup Credentials and Connections Guided Setup Section click on the Configure pushbutton to bring up the OOTB Claroty HTTP Connection Records shown in the below screenshot.
Claroty CTD EMC Base Auth
(ii) Open the Claroty CTD EMC Base Auth HTTP Connection Record to bring up the Claroty CTD EMC Base Auth HTTP Connection Record Screen like the one shown below.
Connection URL: Populate with your Claroty CTD Enterprise Management Console(EMC) Application URL.
Use MID Server: Turn on the Check Box
Mid Server: Populate with the Mid Server that your ServiceNow Instance will be using for communicating with your Claroty CTD Enterprise Management Console(EMC) Application.
Claroty CTD API
(iii) Open the Claroty CTD API HTTP Connection Record to bring up the Claroty CTD API HTTP Connection Record Screen like the one shown below.
Connection URL: Populate with your Claroty CTD Enterprise Management Console(EMC) Application URL.
Use MID Server: Turn on the Check Box
Mid Server: Populate with the Mid Server that your ServiceNow Instance will be using for communicating with your Claroty CTD Enterprise Management Console(EMC) Application.
N.B. For Production ServiceNow Instances a Valid Certificate must be installed on the Mid Server. For Non-Production\Proof of Concept Instances (the Use Case Scenario being addressed by this Article) the next step outlines how the requirement for a Valid Certificate on the Mid Server can be circumvented for Testing purposes. It is not safe to do this in Production Instances: with these checks disabled the Mid Server accepts whatever certificate the EMC host presents, so it can no longer distinguish the genuine EMC from an impersonating host, and the EMC credentials configured in the next section are sent over that unverified connection.
(iv) Navigate to Mid Server\MID Security Policy in the UI Filter Navigator to bring up the Certificate Check Policies List. Set the following Checks to false for the Intranet Mid Certificate Policy. (Please refer to the ServiceNow MID Server certificate check policies Documentation Page for more details on Mid Server Certificate Check Policies)
- Certificate chain Check
- Hostname Check
- Revocation Check
The below screen shot shows what you should expect to see listed for the Intranet Mid Certificate Policy after these Checks have been set to false.
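Before relaxing the policy it is worth knowing which of the three checks the EMC certificate actually fails, because that is what has to be fixed before a Production deployment. The Python probe below is an added example, not part of the Service Graph Connector or of the Mid Server: it reproduces the three policy checks (Certificate chain, Hostname, Revocation) with the standard ssl module and reports which one rejects the EMC certificate. The EMC URL, the ca_bundle path (your private CA) and the crl_file path are assumptions; run it from the Mid Server host so that it sees the same network path and trust store.

```python
"""Stand-alone probe that mirrors the three MID Server certificate check
policy settings (chain, hostname, revocation) against the EMC URL.  Added
example, not part of the Service Graph Connector: run it from the Mid Server
host to learn which check the EMC certificate would fail before deciding to
relax the policy.  ca_bundle / crl_file paths are assumptions."""
import socket
import ssl
from urllib.parse import urlparse


def context_for_policy(chain_check=True, hostname_check=True, revocation_check=True,
                       ca_bundle=None, crl_file=None):
    """Build an SSLContext whose behaviour matches the three policy flags."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED + hostname check by default
    if ca_bundle:
        ctx.load_verify_locations(cafile=ca_bundle)   # private CA that issued the EMC cert
    if revocation_check:
        # CRL checking also needs the issuer's CRL loaded, otherwise every
        # handshake fails with "unable to get certificate CRL".
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_CHAIN
        if crl_file:
            ctx.load_verify_locations(cafile=crl_file)
    if not hostname_check:
        ctx.check_hostname = False
    if not chain_check:
        ctx.check_hostname = False              # hostname check needs a verified chain; clear before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE         # any certificate is accepted
    return ctx


def describe_context(ctx):
    """Report which of the three checks a context still enforces."""
    return {"chain": ctx.verify_mode != ssl.CERT_NONE,
            "hostname": bool(ctx.check_hostname),
            "revocation": bool(ctx.verify_flags & ssl.VERIFY_CRL_CHECK_CHAIN)}


def classify_tls_error(exc):
    """Map an ssl error message to the policy check that rejected the certificate."""
    msg = str(exc).lower()
    if "certificate verify failed" not in msg:
        return "other"
    if "hostname mismatch" in msg or "doesn't match" in msg:
        return "hostname"
    if "crl" in msg or "revoked" in msg:
        return "revocation"
    return "chain"


def probe_emc(emc_url, timeout=5.0, **policy):
    """Handshake with the EMC host and report which check (if any) failed."""
    parsed = urlparse(emc_url)
    host, port = parsed.hostname, parsed.port or 443
    ctx = context_for_policy(**policy)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return {"ok": True, "failed_check": None, "peer": tls.getpeercert().get("subject")}
    except ssl.SSLError as exc:
        return {"ok": False, "failed_check": classify_tls_error(exc), "detail": str(exc)}
    except OSError as exc:
        return {"ok": False, "failed_check": "connect", "detail": str(exc)}


if __name__ == "__main__":
    import sys
    url = sys.argv[1] if len(sys.argv) > 1 else "https://emc.example.invalid/"  # placeholder EMC URL
    for name, policy in [("strict", {}), ("no revocation check", {"revocation_check": False})]:
        print(name, probe_emc(url, **policy))
```

A "chain" result usually means the EMC certificate was issued by a private CA that the Mid Server's trust store does not contain, which is fixed by installing that CA rather than by disabling the check; a "hostname" result means the Connection URL does not match a name in the certificate.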
Configure Credentials
(i) On the Configure Credentials Tab of this Setup Credentials and Connections Guided Setup Section click on the Configure pushbutton to bring up the OOTB Claroty Credential Records shown in the below screenshot.
Note: You will only be updating the Claroty CTD EMC Base Auth Credential Record. The Claroty CTD API Key Record is updated by the Service Graph Connector itself when it gets an API Key back from the Enterprise Management Console(EMC) Web Application after successfully Authenticating with it (via the Claroty CTD EMC Base Auth Connection & Credential Records).
(ii) Open the Claroty CTD EMC Base Auth Credential Record to bring up the below Basic Auth Credentials - Claroty CTD EMC Base Auth Screen.
User name: Populate with the User Name associated with the Enterprise Management Console(EMC) Account that the Service Graph Connector will be using for Authenticating with the Enterprise Management Console(EMC) Web Application.
Password: Populate with the Password associated with the Enterprise Management Console(EMC) Account.
Test the Connection
All Service Graph Connectors have at least 1 Service Graph Connection Record associated with them that encapsulates the Properties (if any), Data Sources and Scheduled Data Import Jobs associated with the Service Graph Connector Connection that is connecting to the Back End System URL in question. The Connection Record has a Test Connection Link that is used for Testing the connection from the Service Graph Connector to the Back End System URL that it is connecting to. These Service Graph Connection Records are stored in the Service Graph Connections[sn_cmdb_int_util_service_graph_connection] Table.
(i) On the Test\Validate Connection Tab of this Setup Credentials and Connections Guided Setup Section click on the Configure pushbutton to bring up the SG-OT Claroty CTD Default Connection Service Graph Connection Record shown in the below screen shot.
(ii) Click on the Test Connection Link to Test that the Connection successfully connects to the Enterprise Management Console(EMC) Web Application.
If the Connection is successful, you will see a Success Information Message displayed at the top of the screen and the Status Field changes to Success (like the Status field shown in the above screen).
Configure CTD Sites - Guided Setup Section
Each CTD Site that monitors the IT\OT Devices in your ICS Network needs to be imported by the Service Graph Connector into the ServiceNow CMDB as an NIDS(Network Intrusion Detection System) Sensor and then Validated. This is a necessary Prerequisite step that needs to be followed before the Service Graph Connector imports the IT\OT Device data associated with the IT\OT Devices discovered by these CTD Sites.
Import CTD Sites
(i) On the Import CTD Sites Tab of this Configure CTD Sites Guided Setup Section click on the Configure pushbutton to bring up the SG-OT Claroty CTD Sites Scheduled Import Record shown in the below screen shot:
(ii) Click on the Execute Now pushbutton on this screen to kick off the CTD Sites Scheduled Import Scheduled import job.
- This Scheduled Import Job imports all the CTD Sites from your Claroty Enterprise Management Console(EMC) Web Application as NIDS Sensor[cmdb_ci_nids] Records in your ServiceNow CMDB.
(iii) Navigate to Network IDS Appliances (NIDS)\Sensors in the UI Filter Navigator to bring up the NIDS Sensor[cmdb_ci_nids] Records that were imported.
The screen shot below shows the Triton and Protheus CTD Sites in our Crucible Lab Environment that were imported as NIDS Sensor[cmdb_ci_nids] Records into our CMDB.
Notice how NIDS Network Type is shown as OT for the NIDS Sensor Records that were imported to represent our CTD Sites. This is because our CTD Sites were deployed in an OT ICS Network as opposed to being deployed in an IT Data Center. The Use Case that this Article outlines is the deployment of Claroty CTD Sites in an OT ICS Network.
Update the NIDS Metadata - Optional Step
You can update OT Device and ServiceNow Change\Incident Metadata fields in the NIDS Sensor Records with values that will be used for populating the corresponding fields in the OT Device Records created by the Service Graph Connector.
(i) Open the NIDS Sensor Record that you want to prepopulate with OT Device and ServiceNow Change\Incident Metadata field values, for example our Triton NIDS Sensor Record.
(ii) Populate the OT Device and ServiceNow Change\Incident Fields with appropriate values for your organization. The screenshot below shows our Triton NIDS Sensor Record with the NIDS Assignment Site OT Device Metadata Field being Prepopulated with Triton to represent our Triton CTD Site.
All OT Device Records created by the Service Graph Connector will be automatically populated with these OT Device Metadata and ServiceNow Change\Incident Metadata Field values. For example, in our case, the Site field for all OT Device Records that are created by the Claroty CTD Service Graph Connector will be automatically populated with Triton as we are populating the NIDS assignment site field on the above Triton NIDS Sensor Record with the Triton value as shown in the above screenshot.
Validate the NIDS - Validate the NIDS Sensors ServiceNow Documentation Page
(i) For each NIDS Sensor Record change Life Cycle Stage Status from Learning Mode to In Use.
(ii) Select each NIDS Sensor Record and click on the Validate Sensors UI Action Button to Validate each NIDS Sensor.
- If Validation is successful the Validated column for each NIDS Sensor will change from false to true. The screen shot below shows successful Validation for the CTD Sensor Records imported for our Crucible Lab CTD Sites.
Configure Import Schedules - Guided Setup Section
In this section of Guided Setup you will be marking the Claroty CTD Scheduled Import Jobs as Active and scheduling the time for them to run if you want to change from the OOTB Run Times.
Configure Sites Import Schedule
As mentioned in the above Configure CTD Sites Guided Setup section, the CTD Sites Scheduled Import Job imports all the CTD Sites from your Claroty Enterprise Management Console(EMC) Web Application as NIDS Sensor[cmdb_ci_nids] Records in your ServiceNow CMDB.
(i) On the Configure Sites Import Schedule Tab (Default Tab) of this Configure Import Schedules Guided Setup Section click on the Configure pushbutton to bring up SG-OT Claroty CTD Sites Scheduled Import Record.
(ii) Mark it as Active and set the time for it to run if you want to change it from Default Daily at Midnight Run Time.
Configure Assets Import Schedule
The CTD Assets Scheduled Import Job imports IT\OT Device data associated with the IT\OT Devices that have been detected by your CTD Sites. You must run the CTD Sites Scheduled Import Job and Validate the associated Target NIDS Sensor Records (as described in the above Configure CTD Sites Guided Setup section) before running the CTD Assets Scheduled Import Job.
(i) On the Configure Assets Import Schedule Tab of this Configure Import Schedules Guided Setup Section click on the Configure pushbutton to bring up SG-OT Claroty CTD Assets Scheduled Import Record.
(ii) Mark it as Active and set the time for it to run if you want to change it from Default Daily at Midnight Run Time.
OT Device Data that gets created by the CTD Assets Scheduled Job
Your ICS (Industrial Control Systems) Network can have a combination of IT Devices and OT Devices residing in it. OT Devices are pieces of equipment in your ICS Network that serve an Operational Technology(OT) function. An OT Device can either be a physical piece of Operational Technology(OT) equipment, for example a physical HMI OT Device, or it can be an IT piece of equipment, for example a Computer Device running HMI Software that is serving an Operational Technology(OT) HMI function.
IT Devices on the other hand are IT pieces of equipment that do not serve an Operational Technology(OT) function. For example, IP Switches or Net Gear pieces of equipment would fall under this category.
In the CMDB an OT Device is represented as the combination of an OT Device CI record and an accompanying OT Device Entity record.
OT Device = CI + OT Entity
The OT Device Entity record stores OT Device Metadata such as Purdue level, Device Type, Device criticality, Site and Zone that is specific to the OT Device. Site and Zone OT Metadata can be prepopulated at the NIDS Sensor Record Level, as described in the Update NIDS Metadata step of the above Configure CTD Sites Guided Setup section.
The CTD Assets Scheduled Import Job creates OT Device CI records for these OT Devices in the Configuration Items[cmdb_ci] Table and accompanying OT Device Entity Records in the All OT Devices[cmdb_ot_entity] Table (accessible by navigating to Operational Technology (OT)\All OT Devices in the UI Filter Navigator). These OT Device CI records will either be Operational Technology(OT)[cmdb_ci_ot_xxx] records or Configuration Items[cmdb_ci_xxx] records (depending on the type of equipment in your ICS Network that is serving the Operational Technology function as discussed above). Each of these OT Device CI records will have a reference to an accompanying OT Device Entity Record with a specified Device Type.
For IT Devices it creates IT Device CI[cmdb_ci_xxx] records in the Configuration Items[cmdb_ci] Table that have an Empty OT Entity reference, Device Type=Empty (You will see this in the last E. Analyze the CMDB Records created\updated by the Service Graph Connector Integration for Claroty CTD for your Claroty CTD Site in your ServiceNow Instance section of this Article).
As well as creating IT\OT Device records in the CMDB, it also creates Detects and Owns Relationship Type records in the CI Relationships[cmdb_rel_ci] Table. A Detects relationship is always between the NIDS Sensor and a CI it detected, and an Owns relationship will usually be between a Control System (such as a PLC) and the Control Modules that it owns.
Note: For more information on how OT Device data is stored in the CMDB please refer to the Operational Technology (OT) extension classes ServiceNow Documentation page.
Configure Baselines Import Schedule
The CTD Baselines Scheduled Import Job imports the Connections that exist between OT Devices as “Connected to::Connected by” CI Relationship Records in the CI Relationships[cmdb_rel_ci] Table.
(i) On the Configure Baselines Import Schedule Tab of this Configure Import Schedules Guided Setup Section click on the Configure pushbutton to bring up SG-OT Claroty CTD Baselines Scheduled Import Record.
(ii) Mark it as Active.
It is configured to run After the Parent CTD Assets Scheduled Import Job.
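To make the data model from the Configure Assets Import Schedule and Configure Baselines Import Schedule subsections concrete, here is an added Python model of what the two jobs write to the CMDB for one CTD Site. It is an example written for this article, not the connector's own code: the table and class names and the relationship types are the ones quoted in this article, while the field names, the child control module class (cmdb_ci_ot_control_module) and the shape of the input asset records are assumptions, and the sample sensor and assets are constructed. It also enforces the prerequisite that the target NIDS Sensor is Validated and In Use before any Asset is imported.

```python
"""What the CTD Assets and CTD Baselines import jobs write into the CMDB, as
described in this article, run over constructed sample assets.  Added
example, not the connector's own code: table and class names come from the
article; field names, the module class and the input record shape are
assumptions."""
from collections import Counter

DISCOVERY_SOURCE = "SG-OT Claroty CTD"

# Claroty asset type -> (CI class, OT Device Type), per section E of the article.
# A None device type means an IT device: CI only, with an empty OT Entity reference.
CLASS_MAP = {
    "PLC": ("cmdb_ci_ot_plc", "PLC"),
    "RTU": ("cmdb_ci_ot_rtu", "RTU"),
    "Controller": ("cmdb_ci_ot_control", "OT Control System"),
    "Engineering Station": ("cmdb_ci_ot_ews", "EWS"),
    "HMI": ("cmdb_ci_ot_hwi", "HMI"),
    "OT": ("cmdb_ci_ot", "Operational Technology Device"),
    "Endpoint": ("cmdb_ci_ot", "Operational Technology Device"),
    "Networking": ("cmdb_ci_netgear", None),
    "Gateway": ("cmdb_ci_ip_switch", None),
}
MODULE_CLASS = "cmdb_ci_ot_control_module"  # assumed class for child control modules


class SensorNotValidated(Exception):
    """The Assets import must not run against a NIDS Sensor that is not Validated and In Use."""


def import_assets(sensor, assets):
    """Return (cmdb_ci rows, cmdb_ot_entity rows, cmdb_rel_ci rows) for one CTD Site."""
    if not sensor["validated"] or sensor["life_cycle_stage_status"] != "In Use":
        raise SensorNotValidated(sensor["name"])
    cis, entities, rels = [], [], []
    for asset in assets:
        ci_class, device_type = CLASS_MAP[asset["type"]]
        ci = {"sys_id": f"ci-{asset['id']}", "sys_class_name": ci_class,
              "name": asset["name"], "ip_address": asset["ip"],
              "mac_address": asset["mac"], "ot_entity": None,
              "discovery_source": DISCOVERY_SOURCE}
        if device_type is not None:
            # OT Device = CI + OT Entity; Site and Zone are inherited from the NIDS Sensor metadata.
            entity = {"sys_id": f"ent-{asset['id']}", "ci": ci["sys_id"],
                      "ot_device_type": device_type,
                      "purdue_level": asset.get("purdue_level"),
                      "device_criticality": asset.get("criticality"),
                      "site": sensor.get("nids_assignment_site"),
                      "zone": sensor.get("nids_assignment_zone"),
                      "discovery_source": DISCOVERY_SOURCE}
            ci["ot_entity"] = entity["sys_id"]
            entities.append(entity)
        cis.append(ci)
        # Detects is always between the NIDS Sensor and the CI it detected.
        rels.append({"parent": sensor["sys_id"], "type": "Detects::Detected by", "child": ci["sys_id"]})
        # Owns is between a control system (e.g. a PLC) and its child control modules.
        for n, module_name in enumerate(asset.get("modules", []), start=1):
            module = {"sys_id": f"{ci['sys_id']}-mod{n}", "sys_class_name": MODULE_CLASS,
                      "name": module_name, "ot_entity": None, "discovery_source": DISCOVERY_SOURCE}
            cis.append(module)
            rels.append({"parent": ci["sys_id"], "type": "Owns::Owned by", "child": module["sys_id"]})
    return cis, entities, rels


def import_baselines(cis, connections):
    """Baselines job: each observed connection becomes a Connected to::Connected by relationship."""
    by_name = {ci["name"]: ci["sys_id"] for ci in cis}
    return [{"parent": by_name[src], "type": "Connected to::Connected by", "child": by_name[dst]}
            for src, dst in connections if src in by_name and dst in by_name]


def group_by_device_type(cis, entities):
    """Section E view: count device CIs by OT Device Type; IT devices show an empty type."""
    entity_type = {e["sys_id"]: e["ot_device_type"] for e in entities}
    return Counter(entity_type.get(ci["ot_entity"], "") for ci in cis
                   if ci["sys_class_name"] != MODULE_CLASS)


# Constructed sample data: one validated CTD Site and a handful of assets.
TRITON_SENSOR = {"sys_id": "nids-triton", "name": "Triton", "validated": True,
                 "life_cycle_stage_status": "In Use", "nids_assignment_site": "Triton"}
SAMPLE_ASSETS = [
    {"id": 1, "type": "PLC", "name": "GE1", "ip": "192.0.2.10", "mac": "00:00:5E:00:53:01",
     "purdue_level": 1, "criticality": "High", "modules": ["Slot 1 CPU", "Slot 2 I/O"]},
    {"id": 2, "type": "HMI", "name": "HMI-01", "ip": "192.0.2.20", "mac": "00:00:5E:00:53:02", "purdue_level": 2},
    {"id": 3, "type": "Endpoint", "name": "WS-01", "ip": "192.0.2.30", "mac": "00:00:5E:00:53:03", "purdue_level": 3},
    {"id": 4, "type": "Gateway", "name": "GW-01", "ip": "192.0.2.1", "mac": "00:00:5E:00:53:04"},
]
SAMPLE_CONNECTIONS = [("HMI-01", "GE1"), ("WS-01", "GW-01")]


def run_sample():
    """Assets job first, then the Baselines child job, then the section E grouping."""
    cis, entities, rels = import_assets(TRITON_SENSOR, SAMPLE_ASSETS)
    rels += import_baselines(cis, SAMPLE_CONNECTIONS)
    return cis, entities, rels, group_by_device_type(cis, entities)


if __name__ == "__main__":
    cis, entities, rels, summary = run_sample()
    print(len(cis), "CIs,", len(entities), "OT Entities,", len(rels), "relationships")
    print(dict(summary))
```

On the sample data the Assets job produces 6 CIs (4 devices plus the PLC's 2 child control modules), 3 OT Entity records (the Gateway is an IT device and gets none, so it shows with an empty OT Device Type) and 6 relationships, and the Baselines job adds 2 more; every OT Entity carries the Site value Triton taken from the sensor record, as the Update the NIDS Metadata step describes.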
Configure Installed Programs Import Schedule
The CTD Installed Programs Scheduled Import Job imports Installed Programs that are running on OT Devices that have been detected by your CTD Sites. You must run the CTD Assets Scheduled Import Job (so that the associated OT Device Records exist in the CMDB) before running the CTD Installed Programs Scheduled Import Job.
CTD Installed Programs Scheduled Import Job creates Software Install Records in the Software Installations[cmdb_sam_sw_install] Table.
(i) On the Configure Installed Programs Import Schedule Tab of this Configure Import Schedules Guided Setup Section click on the Configure pushbutton to bring up SG-OT Claroty CTD Installed Programs Scheduled Import Record.
(ii) Mark it as Active and set the time for it to run if you want to change it from Default Daily at Midnight Run Time.
D. Run Service Graph Connector Integration for Claroty CTD Scheduled Data Import Jobs on your ServiceNow Instance
(i) Navigate to Import Schedules under Service Graph Connector Claroty CTD in the Filter Menu. The 4 OOTB Scheduled Data Imports that were described in the previous section should be listed with all of them being marked Active as shown below.
You have already run the SG-Claroty CTD Sites Scheduled Import job as part of the Configure CTD Sites sub section of the previous C. Installing & Configuring Service Graph Connector Integration for Claroty CTD on your ServiceNow Instance Section so this section outlines how to run the other 3 OOTB Scheduled Import Jobs.
(ii) Open the SG-Claroty CTD Assets Scheduled Import job record and click on the Execute button.
(iii) Navigate to Concurrent Import Sets in the Filter Menu.
- You should see 2 Concurrent Import Sets, 1 for SG-Claroty CTD Assets and 1 for SG-Claroty CTD Baselines (Child job of the Parent CTD Assets Job). Wait for the Scheduled Data Import jobs associated with both of these Concurrent Import Sets to finish.
(iv) Open the SG-Claroty CTD Installed Programs Scheduled Import job record and click on the Execute button.
(v) Navigate to Concurrent Import Sets in the Filter Menu.
- You should see an SG-Claroty CTD Baselines Concurrent Import Set. Wait for the Scheduled Import Jobs associated with this Concurrent Import Set to finish.
E. Analyze the CMDB Records created\updated by the Service Graph Connector Integration for Claroty CTD for your Claroty CTD Site in your ServiceNow Instance
There are 5 types of Records created by the Claroty CTD Service Graph Connector in the CMDB:
- OT Device Entity[cmdb_ot_entity] Records
- Configuration Item CI[cmdb_ci] Records
- Software Installation[cmdb_sam_sw_install] Records - If Software Asset Management(SAM) enabled
- Software Instance[cmdb_software_instance] + Software Package[cmdb_ci_spkg] Records - If Software Asset Management(SAM) not enabled
- Serial Number[cmdb_serial_number] Records
- Key Value v2[key_value_v2] Records
OT Device Entity Records
OT Device Entity Records are created for every OT Device detected by your CTD Site.
(i) Navigate to Operational Technology (OT)\All OT Devices in the UI Filter Navigator to bring you to the All OT Devices[cmdb_ot_entity] Table
(ii) Group by Discovery Source
(iii) Navigate to the SG-OT Claroty CTD Discovery Source and double click on its Discovery source:SG-OT Claroty CTD(n) link where n represents the Number of CMDB OT Entity Records Created\Updated by the Claroty CTD Service Graph Connector.
(iv) Group By OT Device Type
A List of CMDB OT Device Entity Records Created\Updated by the Claroty CTD Service Graph Connector will be displayed grouped by OT Device Type. The screen shot below shows the OT Device Records displayed in this OT Device Type List for the data that was ingested by the Claroty CTD Service Graph Connector for our Triton CTD Site that includes our GE1 PLC Device (highlighted below).
OT Supervisory System Devices
The OT Supervisory System Devices that were covered in the OT Supervisory System Devices sub section of the above B. Analyze your Claroty CTD Site data in the Claroty CTD On Premises Solution Section are shown in the below screen shot.
- The single 10.1.0.171 @ 00:50:56:B9:19:B1 Engineering Station for our Triton Site is listed as an EWS OT Device and has a reference to an associated EWS CI[cmdb_ci_ot_ews] record in the Operational Technology(OT)[cmdb_ci_ot] Table.
- The 6 HMIs for our Triton Site are listed as HMI OT Devices and have references to 6 associated HWI CI[cmdb_ci_ot_hwi] records in the Operational Technology(OT)[cmdb_ci_ot] Table.
- The single 10.1.0.3 @ 00:50:56:B9:59:79 OT Device for our Triton Site is listed as 1 of the 211 Operational Technology Device records shown in the above screen shot and has a reference to an associated Operational Technology Device CI[cmdb_ci_ot] record in the Operational Technology(OT)[cmdb_ci_ot] Table.
OT Control System Devices
The OT Control System Devices that were covered in the OT Control System Devices sub section of the above B. Analyze your Claroty CTD Site data in the Claroty CTD On Premises Solution Section are shown in the below screenshot (our GE1 PLC Device is highlighted).
- The 10 PLCs for our Triton Site are listed as PLC OT Devices and have references to 10 associated PLC CI[cmdb_ci_ot_plc] records in the Operational Technology(OT)[cmdb_ci_ot] Table. Our sample GE1 PLC is highlighted in the above screen shot.
- The 3 RTUs for our Triton Site are listed as RTU OT Devices and have references to 3 associated RTU CI[cmdb_ci_ot_rtu] records in the Operational Technology(OT)[cmdb_ci_ot] Table.
- The single DROP6 Controller for our Triton Site is listed as an OT Control System OT Device and has a reference to an associated OT Control System CI[cmdb_ci_ot_control] record in the Operational Technology(OT)[cmdb_ci_ot] Table.
End Point Devices
The 210 Endpoint Devices for our Triton Site are listed as Operational Technology Device records, shown in the below screen shot, and have references to 210 associated Operational Technology Device CI[cmdb_ci_ot] records in the Operational Technology(OT)[cmdb_ci_ot] Table.
Networking IT Devices (Empty OT Device Type)
The Networking IT Devices that were covered in the Networking IT Devices sub section of the above B. Analyze your Claroty CTD Site data in the Claroty CTD On Premises Solution Section are shown in the below screenshot.
- The 2 Networking IT Devices are listed as 2 Empty OT Device Type Records with 2 associated Net Gear CI[cmdb_ci_netgear] records in the Configuration Items[cmdb_ci] Table.
- The 3 Gateway IT Devices are listed as 3 Empty OT Device Type Records with 3 associated IP Switch CI[cmdb_ci_ip_switch] records in the Configuration Items[cmdb_ci] Table.
GE1 PLC OT Device (Sample PLC OT Device that we're monitoring)
(v) Double click on the GE1 PLC OT Device Entity Record. You are automatically redirected to the associated GE1 PLC CI[cmdb_ci_ot_plc] Record shown below:
Summary Fields
The screenshot below shows the OT Entity Metadata and Change\Incident Summary Fields that get populated by the Service Graph Connector.
OT Entity Meta Data fields
- OT Display Name, OT Device Type, Device Criticality and Purdue level were populated by the Claroty CTD Service Graph Connector using source values found for these fields for the GE1 PLC Device in the Claroty Enterprise Management Console(EMC) Application.
- Site was populated by the Claroty CTD Service Graph Connector using the prepopulated NIDS Assignment Site OT Device Metadata Site Field in our NIDS Triton Sensor Record (covered in the Update NIDS Metadata subsection of the above C. Installing & Configuring Service Graph Connector Integration for Claroty CTD on your ServiceNow Instance Section.)
- Zone would have been populated using the NIDS Assignment Zone OT Device Metadata Field in our NIDS Triton Sensor Record if it had been populated.
ServiceNow Change\Incident Fields
These fields are shown as empty, but if the NIDS Triton Sensor Record had prepopulated values for the NIDS Sensor Approval group and Owned by fields, these fields would have been populated with those prepopulated values.
Additional Information Fields
The screenshot below shows the General CI and OT Specific CI Additional Fields that get populated by the Service Graph Connector. The OT CI Specific Fields are circled below.
- Firmware version, Hardware version are OT Device CI[cmdb_ci_ot] specific fields
- Backplane ID, Backplane Name & Has Module are OT Control System CI[cmdb_ci_ot_control] specific fields.
- Switch position & Switch remote mode are PLC CI[cmdb_ci_ot_plc] specific fields.
Related Items
The screen shot below shows the different Connects to, Detected by and Owns CI Relationship records, populated by the CTD Baselines and CTD Assets Scheduled Import Jobs respectively, under the Related Items section of Additional Information.
These CI Relationships are shown in the below Dependency Map View when you click on the Dependency Map Icon in the above screen.
Configuration Item CI Records
There are 2 types of Configuration Item CI Records created by the Claroty CTD Service Graph Connector. These are:
- OT Device CI Records
- Child Configuration Item Records
OT Device CI Records
These are the OT Device CI[cmdb_ci_ot_xxx or cmdb_ci_xxx] Records that the CTD Assets Import Schedule job creates for every OT Device in your ICS Network (as per the Configure Assets Import Schedule subsection of Section C. Installing & Configuring Service Graph Connector Integration for Claroty CTD on your ServiceNow Instance above).
Each OT Device Entity Record that represents an OT Device in the All OT Devices[cmdb_ot_entity] Table contains a reference to a corresponding OT Device CI[cmdb_ci_xxx or cmdb_ci_ot_xxx] Record in the Configuration Items[cmdb_ci]\Operational Technology CI[cmdb_ci_ot] Table.
Child Configuration Item[cmdb_ci] Records
Child CI records (such as Network Adapters and OT Control Modules) are also created in the Configuration Item[cmdb_ci] Table for the IT\OT Devices detected by your CTD Sites. For example, our GE1 PLC OT Device has 1 Child Network Adapter CI and 2 Child OT Control Module CIs created for it in the Configuration Item[cmdb_ci] Table.
The GE1 PLC Related Tabs screenshot below shows the single Child Network Adapter CI in the Network Adapters (1) Related Tab and lists the 2 Child OT Control Module CIs in the OT Control Modules (2) Related Tab.
Software Installation Records
Software Asset Management(SAM) enabled
For ServiceNow Instances that have Software Asset Management(SAM) enabled, the Software Install Records associated with Created\Updated OT Devices will be ingested into the Software Installations[cmdb_sam_sw_install] Table.
Software Asset Management(SAM) not enabled
For ServiceNow Instances that do not have Software Asset Management(SAM) enabled, the Software Install Records associated with Created\Updated OT Devices will be ingested into the Software Instances[cmdb_software_instance] Table along with associated Software Package Records being ingested into the Software Packages[cmdb_ci_spkg] Table.
Note: All that is needed to enable Software Asset Management is the free SAM Foundation plugin. Once this plugin is installed, Software Install Records are populated into the Software Installations[cmdb_sam_sw_install] Table. Installing the free SAM Foundation plugin is a recommended best practice for customers who believe they may use Software Asset Management Professional (SAM Pro) in the future, because they will then not have to migrate Software Records from the Software Instances[cmdb_software_instance] Table to the Software Installations[cmdb_sam_sw_install] Table when they install SAM Pro.
The use case outlined in this Article is for a ServiceNow Instance with Software Asset Management (SAM) enabled. To see the Software Install Records associated with OT Devices that were Created\Updated by the Claroty CTD Service Graph Connector, navigate to the Software Installations[cmdb_sam_sw_install] Table using the steps below:
(i) Navigate to Software Installations[cmdb_sam_sw_install] in the Filter Menu
(ii) Group by Discovery Source
(iii) Navigate to the SG-OT Claroty CTD Discovery Source group and click its Discovery source: SG-OT Claroty CTD (n) link, where n is the number of Software Install Records Created\Updated by the Claroty CTD Service Graph Connector.
(iv) A list of the Software Install Records Created\Updated by the Claroty CTD Service Graph Connector is displayed. The screenshot below shows the Google Chrome Software Install Record displayed in this list for the XXX.XX.XX.250 @ 9C:EB:E8:2D:73:81 Endpoint Device in our Triton Site.
Serial Number Records
(i) Navigate to the Serial Numbers[cmdb_serial_number] Table in the Filter Menu
(ii) A List of all the Serial Number Records in your ServiceNow Instance will be displayed
(iii) To see the Serial Number Records associated with any of your IT\OT Devices from your Claroty CTD Sites, type the Device name into the Configuration Item search field of this list. The screenshot below shows the Serial Number Record associated with our SIMATIC 300 PLC Device.
Key Value v2 Records
(i) Navigate to External system metadata[cmdb_key_value_v2] Table in the Filter Menu
(ii) A List of all the Key Value v2 Records in your ServiceNow Instance will be displayed
(iii) To see the Key Value v2 Records associated with any of your IT\OT Devices from your Claroty CTD Sites, type the Device name into the Configuration Item search field of this list. The screenshot below shows the Key Value v2 Records associated with our XXX.XX.XX.250 @ 9C:EB:E8:2D:73:81 Endpoint Device.
The Claroty CTD Service Graph Connector writes the Key Values associated with your IT\OT Devices to the External system metadata[cmdb_key_value_v2] Table rather than the Key Values[cmdb_key_value] Table because the External system metadata[cmdb_key_value_v2] Table allows strongly typed Values, the URL Value type in particular. The Key Values[cmdb_key_value] Table only allows String type Values.
In the External system metadata screenshot above, the URL values are clickable: clicking a URL value takes you directly to the source Asset in the Claroty Dashboard (you must be able to reach the EMC and log in to it from your browser for the link to work). For example, clicking the https://10.197.203.199/asset/24-1 URL value shown in the External system metadata screenshot above brings you directly to the Claroty Asset shown in the Claroty screenshot below.
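The Software Installation and Key Value v2 walkthroughs above are click-through procedures; the same checks can be run against the instance's Table API (GET /api/now/table/<table>). The following is an added example written for this Article, not code from the Claroty CTD Service Graph Connector or from ServiceNow. It builds the Table API query for whichever software install table applies to your instance (SAM enabled or not), groups the returned records by discovery source to find the n records the connector created, and audits the URL-typed key values in External system metadata[cmdb_key_value_v2] so that every clickable link uses https and points at the EMC host you configured. The instance URL, the key names ctd_asset_url and ctd_site_name, the value_type column name and the sample API responses are assumptions made for this example, not taken from the Article.

```python
"""Audit the CMDB records the Claroty CTD Service Graph Connector writes, via the
ServiceNow Table API (GET /api/now/table/<table>). Added example for this article;
not code from the connector or from ServiceNow. The responses below are constructed
samples shaped like Table API output with sysparm_display_value=true; the key names
(ctd_asset_url, ctd_site_name) and the value_type column are assumptions."""
import base64
import json
import urllib.request
from collections import Counter
from urllib.parse import urlencode, urlsplit

SGC_DISCOVERY_SOURCE = "SG-OT Claroty CTD"   # discovery source name shown in the article
EMC_HOST = "10.197.203.199"                   # EMC address from the article's asset URL


def software_install_table(sam_enabled):
    """Table the connector ingests software installs into (SAM enabled vs. not)."""
    return "cmdb_sam_sw_install" if sam_enabled else "cmdb_software_instance"


def table_api_url(instance, table, query, fields=None):
    """Build a Table API GET URL. instance is a hypothetical base URL such as
    https://dev12345.service-now.com; query uses ServiceNow encoded-query syntax."""
    params = {"sysparm_query": query,
              "sysparm_display_value": "true",   # reference fields come back as names
              "sysparm_limit": "1000"}
    if fields:
        params["sysparm_fields"] = ",".join(fields)
    return "%s/api/now/table/%s?%s" % (instance, table, urlencode(params))


def fetch_table(url, user, password, timeout=30):
    """GET the URL with Basic auth and return the 'result' list (needs network access)."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    req = urllib.request.Request(url, headers={"Accept": "application/json",
                                               "Authorization": "Basic " + token})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)["result"]


def count_by_discovery_source(records):
    """Steps (ii)-(iii) of the Software Installation walkthrough, done in code."""
    return Counter(r.get("discovery_source", "") for r in records)


def connector_installs(records):
    """Only the installs the connector created/updated (the 'n' in the article)."""
    return [r for r in records if r.get("discovery_source") == SGC_DISCOVERY_SOURCE]


def audit_url_key_values(records, expected_host=EMC_HOST):
    """Check that every URL-typed key value is https and points at the EMC you
    configured, since these values render as clickable links in the CMDB."""
    findings = []
    for r in records:
        if r.get("value_type") != "url":
            continue
        u = urlsplit(r["value"])
        if u.scheme != "https":
            findings.append((r["configuration_item"], r["key"], "not https"))
        elif u.hostname != expected_host:
            findings.append((r["configuration_item"], r["key"],
                             "unexpected host %s" % u.hostname))
    return findings


# Constructed sample responses (not captured from a real instance).
SAMPLE_SW_INSTALLS = [
    {"display_name": "Google Chrome", "installed_on": "XXX.XX.XX.250 @ 9C:EB:E8:2D:73:81",
     "discovery_source": "SG-OT Claroty CTD"},
    {"display_name": "Microsoft Edge", "installed_on": "XXX.XX.XX.250 @ 9C:EB:E8:2D:73:81",
     "discovery_source": "SG-OT Claroty CTD"},
    {"display_name": "Python 3.9", "installed_on": "itws01", "discovery_source": "ServiceNow"},
]
SAMPLE_KEY_VALUES = [
    {"configuration_item": "XXX.XX.XX.250 @ 9C:EB:E8:2D:73:81", "key": "ctd_asset_url",
     "value_type": "url", "value": "https://10.197.203.199/asset/24-1"},
    {"configuration_item": "GE1 PLC", "key": "ctd_asset_url",
     "value_type": "url", "value": "http://10.197.203.199/asset/7-1"},
    {"configuration_item": "SIMATIC 300 PLC", "key": "ctd_asset_url",
     "value_type": "url", "value": "https://203.0.113.9/asset/3-1"},
    {"configuration_item": "GE1 PLC", "key": "ctd_site_name",
     "value_type": "string", "value": "Triton"},
]

if __name__ == "__main__":
    print(table_api_url("https://dev12345.service-now.com", software_install_table(True),
                        "discovery_source=" + SGC_DISCOVERY_SOURCE))
    print(dict(count_by_discovery_source(SAMPLE_SW_INSTALLS)))
    for finding in audit_url_key_values(SAMPLE_KEY_VALUES):
        print("key value check failed:", finding)
```

To run it against a real instance, pass the URL from table_api_url to fetch_table with an account that has read access to the tables, and feed the returned list to the same functions in place of the constructed samples. Running the audit after each scheduled import is worthwhile: a non-https link or a link to a host other than your EMC is worth investigating before anyone follows it from the CMDB.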