The red team is winning, and winning by a larger and larger margin each day. To reverse this trend and ultimately bring protection to our healthcare facilities, everyone needs to share what they know. We believe in open source and responsible vulnerability disclosure.

Insight into the workings of an enterprise is essential to effectively and efficiently manage and defend its assets. However, in the operational technology (OT) space, which includes medical devices and equipment (MDE) and facility-related control systems (FRCS), stakeholders have a restricted understanding of what is actually happening within their organizations. This is painfully obvious when examining average dwell time (nearly one year), how quickly new devices are discovered (some ?new? devices have been on the network for years), and the difficulty engineers / managers have with quantitively stating their positions and needs.
The following approach is intended to create a flow analytics platform for OT using security techniques whose scalability is compute-limited, functionally automatic, and agnostic to the network environment. The approach is not intended to establish an illicit network discovery process. The proposed techniques and tools will passively collect information and will, at no time, inject packets, nor will they dive into or rely upon packet contents. All techniques will be rooted in command-line inspection using common, open, and simple tools to enable scripting. The approach will not use tools or techniques that cannot be scripted or executed in batch. Further, to maximize applicability, the tools will be restricted to default / standard libraries and configurations. The approach is intended to be modular, meaning that new scripts can be developed and added to the overall batch as they are built out to allow for infinite scalability (as compute allows, of course). To minimize initial implementation costs, the tools and techniques should initially be used on traffic that will has a digestible Ethernet header. It is likely that existing sensors on the enclave will be or have been configurated to capture this protocol. Communication over twisted-pair and other less common bus protocols should be completed to round out the remaining 25% to 40% of traffic only after a stable baseline with Ethernet headers has been established.