How to Accelerate Asset Visibility with Claroty Edge on AWS Snowcone

By Ryan Dsouza, Principal Industrial IoT Security Solutions Architect – AWS
By Yoni Salomon, Principal Alliances Solutions Architect – Claroty

Claroty

Industrial digital transformation is driving changes to the operational technology (OT) landscape, making it more connected to the internet, IT systems, and solutions.

The trend of OT/IT convergence and use of Industrial Internet of Things (IIoT) technologies for digital transformation is expected to continue along with the growing number of connected devices. This includes enterprise IoT devices such as cameras, TVs, smart speakers, and more.

You cannot defend what you cannot see, though, and without a solid understanding of the connected assets in your enterprise it’s challenging to develop and implement a strategy to manage risk and ensure reliable operations.

Increased visibility into control system cyber assets and configurations was the top priority for facilities focusing on practical ways to improve their industrial control system (ICS) security program as per the SANS 2023 ICS/OT cybersecurity survey. Strong asset identification is a foundational step for security efforts, and Amazon Web Services (AWS) recommends maintaining an up-to-date asset inventory of all connected assets in the 10 security golden rules for IIoT solutions.

Despite this priority, asset inventories continue to be unreliable and incomplete due to the complexity, resourcing challenges, and time-consuming and costly efforts of deploying asset identification solutions.

In this post, we describe how Claroty Edge on AWS Snowcone can be used for asset discovery to identify devices in your environment and how this solution, when combined with Claroty xDome, provides an asset inventory and vulnerability management solution. xDome on AWS delivers deep visibility into the cyber-physical systems (CPS) that underpin OT environments, integrates with IT tools and workflows, and extends existing IT security controls and governance to OT.

Claroty is an AWS Partner and cybersecurity software company that secures the safety and reliability of industrial control networks. Claroty’s xDome is available in AWS Marketplace and Claroty Edge is available for download from xDome.

Claroty Edge on AWS Snowcone

With Claroty Edge on AWS Snowcone, asset owners can rapidly deploy additional asset discovery and visibility sensors to remote plants leveraging AWS’s edge compute flexibility and security.

Claroty specifically designed its active query capabilities to safely query ICS/OT assets. The active queries used by Claroty Edge use the same proprietary protocols used by industrial assets in the operational network. This means that from a Programmable Logic Controller (PLC) perspective, an active query from Claroty is indistinguishable from a standard request sent from an engineering workstation—making Claroty active queries using Claroty Edge safe to utilize for asset discovery.

Once assets and vulnerabilities are identified, users are given actionable insights on how to address discovered gaps in their security posture using controls like patching (where applicable), network segmentation, or other security measures.

The Claroty Edge on AWS Snowcone solution can be used to discover ICS/OT devices on the plant floor, as well as enterprise IoT devices connected to IT networks.

Solution benefits include:

• Builds the foundation for cybersecurity maturity: With in-depth visibility of the Extended IoT (XIoT)–which includes OT, IoT, IIoT, and more–asset inventory, risk, and vulnerability details provided by Edge are foundational to all other phases of an industrial cybersecurity maturity journey.
• Supports multi-disciplinary use cases: Comprehensive asset inventory enables a variety of other use cases such as incident response, security audits, and even due diligence for mergers and acquisitions (M&A).
• Requires limited network changes: It’s easy to deploy Edge by connecting the Snow appliance to the network of interest, and existing networks running Snowcone can immediately leverage Edge with no further network changes.
• Simple to order and safe to deploy: Simple to order with pay-as-you-go pricing and designed for deployment in OT environments.
• Reduces time to value: Reduces the amount of time it takes to deploy, run, and gain full visibility into all assets, risks, and vulnerabilities in your environment.

Prerequisites

• AWS Snowcone has been ordered and set up with an IP address.
• Access Snowcone using AWS OpsHub and AWS Command Line Interface (AWS CLI).
• Deployed an instance of Claroty xDome.
• Internet connectivity for Snowcone.
• Claroty Edge software from the Claroty console.

Setup

• In the xDome user interface (UI), go to Settings > System Settings.
• On the left, choose Edge Scans.
• Under Edge Locations, you can create custom locations that will be associated with your edge scans.
• Under Edge Hosts, click Copy Edge Key from the top and copy the key to clipboard.

Figure 1 – Edge key for Claroty Edge.

• In AWS OpsHub for Snow Family, sign in to your Snowcone device.
• Click on Local devices.

Figure 2 – Snowcone device ID in AWS OpsHub.

• Click on Start Computing.

Figure 3 – Start computing in AWS OpsHub.

• Select Launch Instance.

Figure 4 – Launch Amazon EC2 instance in AWS OpsHub.

• For the settings, chose the following:
  • Image: amzn2-ami-snow-family image
  • Instance: snc1.micro
  • For IP: Create a public IP address (VNI) with either static or DHCP.
  • For Keypair: Either create or use existing keypair
  • Click Launch

Figure 5 – Configure EC2 instance to launch in AWS OpsHub.

• Install the SnowballEdge CLI onto your laptop.
• Configure the SnowballEdge client using these instructions.
• Configure a Direct Network Interface (DNI) using these instructions, and attach it to the instance you created above.
• After you created the DNI, verify it’s correctly attached to the new instance by using the command: snowballEdge describe-direct-network-interfaces. The output should look like this, and it’s important you have the correct InstanceId in there:

{
    "DirectNetworkInterfaceArn" : "arn:aws:snowball-device:::interface/s.ni-85111d83cdbb47451",
    "PhysicalNetworkInterfaceId" : "s.ni-857467bd36027808d",
    "InstanceId" : "s.i-857467bd36027808d",
    "Driver" : "ixgbevf",
    "MacAddress" : "f2:f9:xx:xx:xx:xx"
  } ]
}

[ec2-user@ip-34-223-xx.xxx ~]$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 34.223.xx.xxx  netmask 255.255.255.128  broadcast 34.223.xx.xxx
        inet6 fe80::5054:xx:xxxx:xxxx  prefixlen 64  scopeid 0x20<link>
        ether 52:54:xx:xx:xx:xx  txqueuelen 1000  (Ethernet)
        RX packets 1828  bytes 161283 (157.5 KiB)
        RX errors 0  dropped 23  overruns 0  frame 0
        TX packets 1614  bytes 192593 (188.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.1.30.76  netmask 255.255.255.0  broadcast 10.1.30.255
        inet6 fe80::7096:xxxx:xxxx:xxxx  prefixlen 64  scopeid 0x20<link>
        ether 72:96:xx:xx:xx:xx  txqueuelen 1000  (Ethernet)
        RX packets 363  bytes 28677 (28.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 42  bytes 7848 (7.6 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

scp -i PEM-FILE-FOR-INSTANCE ClarotyEdge.zip ec2-user@IP-of-instance:/home/ec2-user/

$ ls -ltrh
total 65M
-rw-r--r-- 1 ec2-user ec2-user  65M May 15 08:12 ClarotyEdge.zip 

$unzip ClarotyEdge.zip

$chmod +x ClarotyEdge

sudo ./ClarotyEdge --accept-eula --region <AWS REGION> --api-key <KEY> --edge-location-name <EDGE LOCATION NAME>

0 0 * * * /home/ec2-user/ClarotyEdge --accept-eula --region <AWS REGION> --api-key <KEY> --edge-location-name <EDGE LOCATION NAME>