The Device Map provides a graphical representation of network devices detected. Use the map to:
Retrieve, analyze, and manage device information.
Analyze network slices, for example, specific groups of interest or Purdue layers.
Generate reports, for example export device details and summaries.
To access the map:
- Select Device Map from the console main screen.
Map search and layout tools
Use the following tools to work in the map.
Your user role determines which tools are available in the Device Map window. See Create and manage users for details about user roles.
Symbol | Description |
---|---|
Search by IP address or MAC address for a specific device. Enter the IP address or MAC address in the text box. The map displays the device that you searched for with devices connected to it. | |
Group Highlight and Filters | Filter or highlight the map based on default and custom device groups. |
IT Collapse view, to enable a focused view on OT devices, and group IT devices. | |
Maintain current device arrangement in the map. For example, if you drag devices to new locations on the map, the devices will remain in these locations when exiting the map. | |
Fit to screen | |
- View the Purdue layer identified for this device, including automatic, process control, supervisory, and enterprise - View connections between devices. | |
Show or hide broadcast and multicast. | |
Filter the devices on the map according to the time they last communicated with other devices. | |
View notifications about a device. For example, if a new IP was detected for a device using an existing MAC address. | |
Export/Import device information. | |
View basic device properties for selected devices. | |
or | Zoom in or out of devices in the map. |
View OT elements only
By default, IT devices are automatically aggregated by subnet, so that the map view is focused on OT and ICS networks. The presentation of the IT network elements is collapsed to a minimum, which reduces the total number of the devices presented on the map and provides a clear picture of the OT and ICS network elements.
Each subnet is presented as a single entity on the device map, including an interactive collapsing and expanding capability to look at the details of an IT subnet and back.
The figure below shows a collapsed IT subnet with 27 IT network elements.
To enable the IT networks collapsing capability:
- In the System Settings window, ensure that the Toggle IT Networks Grouping capability is enabled.
To expand an IT subnet:
To differentiate between the IT and OT networks, from the System Settings screen, select Subnets.
Note
Give each subnet a meaningful name that users can easily identify, in order to differentiate between IT and OT networks.
In the Edit Subnets Configuration window, clear the ICS Subnet checkbox for each subnet that you want to define as an IT subnet. The IT subnets appear collapsed in the device map with the notifications for ICS devices, such as a controller or PLC, in IT networks.
To expand the IT network on the map, in the Devices window, right-click it and select Expand Network.
A confirmation box appears, notifying you that the layout change cannot be redone.
Select OK. The IT subnet elements appear on the map.
To collapse an IT subnet:
From the left pane, select Devices.
In the Devices window, select the collapse icon. The number in red indicates how many expanded IT subnets currently appear on the map.
Select the subnet(s) that you want to collapse or select Collapse All. The selected subnet appears collapsed on the map.
The collapse icon is updated with the updated number of expanded IT subnets.
View or highlight device groups
You can customize the map display based on device Groups. For example, groups of devices associated with a specific OT Protocol, VLAN, or subnet. Predefined groups are available and custom groups can be created.
View groups by:
Highlighting: Highlight the devices that belong to a specific group in blue.
Filtering: Display only devices that belong to a specific group.
The following predefined groups are available:
Group name | Description |
---|---|
Known applications | Devices that use reserved ports, such as TCP. |
Non-standard ports (default) | Devices that use non-standard ports or ports that have not been assigned an alias. |
OT protocols (default) | Devices that handle known OT traffic. |
Authorization (default) | Devices that were discovered in the network during the learning process or were officially authorized on the network. |
Device inventory filters | Devices grouped according to the filters saved in the Device Inventory table. |
Polling intervals | Devices grouped by polling intervals. The polling intervals are generated automatically according to cyclic channels, or periods. For example, 15.0 seconds, 3.0 seconds, 1.5 seconds, or any interval. Reviewing this information helps you learn if systems are polling too quickly or slowly. |
Programming | Engineering stations, and programming machines. |
Subnets | Devices that belong to a specific subnet. |
VLAN | Devices associated with a specific VLAN ID. |
Cross subnet connections | Devices that communicate from one subnet to another subnet. |
Pinned alerts | Devices for which the user has pinned an alert. |
Attack vector simulations | Vulnerable devices detected in attack vector reports. To view these devices on the map, select the Display on Device Map checkbox when generating the Attack Vector. |
Last seen | Devices grouped by the time frame they were last seen, for example: One hour, six hours, one day, seven days. |
Not In Active Directory | All non-PLC devices that are not communicating with the Active Directory. |
To highlight or filter devices:
Select Device Map on the side menu.
Select the filter icon.
From the Groups pane, select the group whose devices you want to highlight or filter.
Select Highlight or Filter. Toggle the same selection to remove the highlight or filter.
Define custom groups
In addition to viewing predefined groups, you can define custom groups. The groups appear in the Device Map, Device Inventory, and Data Mining Reports.
Note
You can also create groups from the Device Inventory.
To create a group:
Select Devices on the side menu. The Device Map is displayed.
Select to display the Groups settings.
Select to create a new custom group.
Add the name of the group, using up to 30 characters.
Select the relevant devices, as follows:
- Add the devices from this menu by selecting them from the list (select the arrow button), or
- Add the devices from this menu by copying them from a selected group (select the arrow button).
Select Add group to add existing groups to custom groups.
Add devices to a custom group
You can add devices to a custom group, or create a new custom group and add the device to it.
Right-click a device(s) on the map.
Select Add to group.
Enter a group name in the group field and select +. The new group appears. If the group already exists, the device will be added to the existing custom group.
Add devices to a group by repeating steps 1-3.
Map zoom views
Working with map views helps expedite forensics when analyzing large networks.
Three device detail views can be displayed:
Bird’s-eye view
This view provides an at-a-glance view of devices represented as follows:
Red dots indicate devices with alert(s)
Starred dots indicate devices marked as important
Black dots indicate devices with no alerts
Device type and connection view
This view presents devices represented as icons on the map in order to highlight devices with alerts, device types, and connected devices.
Devices with alerts are displayed with a red ring
Devices without alerts are displayed with a grey ring
Devices displayed as a star were marked as important
The device type icon is shown with connected devices.
Detailed view
The detailed view presents devices and device labels and indicators with the following information:
Control the zoom view
The map view displayed depends on the map zoom-level. Switching between the map views is done by changing the zoom levels.
Enable simplified zoom views
Administrators who want security analysts and RO users to access Bird’s-eye and device type and connection views should enable the simplified view option.
To enable simplified map views:
- Select System Settings and then toggle the Simplified Map View option.
Learn more about devices
An extensive range of tools is available to learn more about devices from the Device Map:
Device labels and indicators
The following labels and indicators may appear on devices on the map:
Device label | Description |
---|---|
IP address host name and IP address, or subnet addresses | |
Number of alerts associated with the device | |
Device type icon, for example storage, PLC or historian. | |
Number of devices grouped in a subnet in an IT network. In this example 8. | |
A device that was detected after the Learning period and was not authorized as a network device. | |
Solid line | Logical connection between devices |
New device discovered after Learning is complete. |
Device quick views
Access device properties and connections from the map.
To open the quick properties menu:
- Select the quick properties menu.
Quick device properties
Select a device or multiple devices while the Quick Properties screen is open to see the highlights of those devices:
Quick connection properties
Select a connection while the Quick Properties screen is open to see the protocols that are utilized in this connection and when they were last seen:
View and manage device properties
You can view device properties for each device displayed on the map. For example, the device name, type or OS, or the firmware or vendor.
The following information can be updated manually. Information manually entered will override information discovered by Defender for IoT.
Name
Type
OS
Purdue layer
Description
Item | Description |
---|---|
Basic Information | The basic information needed. |
Name | The device name. By default, the sensor discovers the device name as it is defined in the network. For example, a name defined in the DNS server. If no such names were defined, the device IP address appears in this field. You can change a device name manually. Give your devices meaningful names that reflect their functionality. |
Type | The device type detected by the sensor. For more information, see View device types. |
Vendor | The device vendor. This is determined by the leading characters of the device MAC address. This field is read-only. |
Operating System | The device OS detected by the sensor. |
Purdue Layer | The Purdue layer identified by the sensor for this device, including: - Automatic - Process Control - Supervisory - Enterprise |
Description | A free text field. Add more information about the device. |
Attributes | Any additional information that was discovered about the device during the learning period and does not belong to other categories, appears in the attributes section. The information is RO. |
Settings | You can manually change device settings to prevent false positives: - Authorized Device: During the learning period, all the devices discovered in the network are identified as authorized devices. When a device is discovered after the learning period, it appears as an unauthorized device by default. You can change this definition manually. - Known as Scanner: Enable this option if you know that this device is known as a scanner and there is no need to alert you about it. - Programming Device: Enable this option if you know that this device is known as a programming device and is used to make programming changes. Identifying it as a programming device will prevent alerts for programming changes originating from this asset. |
Custom Groups | The custom groups in the device map in which this device participates. |
State | The security and the authorization status of the device: - The status is Secured when there are no alerts - When there are alerts about the device, the number of alerts is displayed - The status Unauthorized is displayed for devices that were added to the network after the learning period. You can manually define the device as Authorized Device in the settings - In case the address of this device is defined as a dynamic address, DHCP is added to the status. |
Network | Description |
---|---|
Interfaces | The device interfaces. A RO field. |
Protocols | The protocols used by the device. A RO field. |
Firmware | If Backplane information is available, firmware information will not be displayed. |
Address | The device IP address. |
Serial | The device serial number. |
Module Address | The device model and slot number or ID. |
Model | The device model number. |
Firmware Version | The firmware version number. |
To view the device information:
Select Devices on the side menu.
Right-click a device and select View Properties. The Device Properties window is displayed.
Select the required alert at the bottom of this window to view detailed information about alerts for this device.
View device types
The Device Type is automatically identified by the sensor during the device discovery process. You can change the type manually.
The following table presents all the types in the system:
Category | Device Type |
---|---|
ICS | Engineering Station PLC Historian HMI IED DCS Controller RTU Industrial Packaging System Industrial Scale Industrial Robot Slot Meter Variable Frequency Drive Robot Controller Servo Drive Pneumatic Device Marquee |
IT | Domain Controller DB Server Workstation Server Terminal Station Storage Smart Phone Tablet Backup Server |
IoT | IP Camera Printer Punch Clock ATM Smart TV Game console DVR Door Control Panel HVAC Thermostat Fire Alarm Smart Light Smart Switch Fire Detector IP Telephone Alarm System Alarm Siren Motion Detector Elevator Humidity Sensor Barcode Scanner Uninterruptible Power Supply People Counter System Intercom Turnstile |
Network | Wireless Access Point Router Switch Firewall VPN Gateway NTP Server Wifi Pineapple Physical Location I/O Adapter Protocol Converter |
To view the device information:
Select Devices on the side menu.
Right-click a device and select View Properties. The Device Properties window is displayed.
Select the required alert to view detailed information about alerts for this device.
Backplane properties
If a PLC contains multiple modules separated into racks and slots, the characteristics might vary between the module cards. For example, if the IP address and the MAC address are the same, the firmware might be different.
You can use the Backplane option to review multiple controllers/cards and their nested devices as one entity with a variety of definitions. Each slot in the Backplane view represents the underlying devices – the devices that were discovered behind it.
A Backplane can contain up to 30 controller cards and up to 30 rack units. The total number of devices included in the multiple levels can be up to 200 devices.
The Backplane pane is shown in the Device Properties window when Backplane details are detected.
Each slot appears with the number of underlying devices and the icon that shows the module type.
Icon | Module Type |
---|---|
Power Supply | |
Analog I/O | |
Communication Adapter | |
Digital I/O | |
CPU | |
HMI | |
Generic |
When you select a slot, the slot details appear:
To view the underlying devices behind the slot, select VIEW ON MAP. The slot is presented in the device map with all the underlying modules and devices connected to it.
View a timeline of events for the device
View a timeline of events associated with a device.
To view the timeline:
Right-click a device from the map.
Select Show Events. The Event Timeline window opens with information about events detected for the selected device.
See Event Timeline for details.
Analyze programming details and changes
Enhance forensics by displaying programming events carried out on your network devices and analyzing code changes. This information helps you discover suspicious programming activity, for example:
Human error: An engineer is programming the wrong device.
Corrupted programming automation: Programming is erroneously carried out because of automation failure.
Hacked systems: Unauthorized users logged into a programming device.
You can display a programmed device and scroll through various programming changes carried out on it by other devices.
View code that was added, changed, removed, or reloaded by the programming device. Search for programming changes based on file types, dates, or times of interest.
When to review programming activity
You may need to review programming activity:
After viewing an alert regarding unauthorized programming
After a planned update to controllers
When a process or machine is not working correctly (to see who carried out the last update and when)
Other options let you:
Mark events of interest with a star.
Download a *.txt file with the current code.
About authorized vs unauthorized programming events
Unauthorized programming events are carried out by devices that have not been learned or manually defined as programming devices. Authorized programming events are carried out by devices that were resolved or manually defined as programming devices.
The Programming Analysis window displays both authorized and unauthorized programming events.
Accessing programming details and changes
Access the Programming Analysis window from the:
Event timeline
Use the event timeline to display a timeline of events in which programming changes were detected.
Unauthorized programming alerts
Alerts are triggered when unauthorized programming devices carry out programming activities.
Note
You can also view basic programming information in the Device Properties window and Device Inventory.
Working in the programming timeline window
This section describes how to view programming files and compare versions. Search for specific files sent to a programmed device. Search for files based on:
Date
File type
Programming timeline type | Description |
---|---|
Programmed Device | Provides details about the device that was programmed, including the hostname and file. |
Recent Events | Displays the 50 most recent events detected by the sensor. To highlight an event, hover over it and click the star. The last 50 events can be viewed. |
Files | Displays the files detected for the chosen date and the file size on the programmed device. By default, the maximum number of files available for display per device is 300. By default, the maximum file size for each file is 15 MB. |
File status | File labels indicate the status of the file on the device, including: Added: the file was added to the endpoint on the date or time selected. Updated: The file was updated on the date or time selected. Deleted: This file was removed. No label: The file was not changed. |
Programming Device | The device that made the programming change. Multiple devices may have carried out programming changes on one programmed device. The hostname, date, or time of change and logged in user are displayed. |
Displays the current file installed on the programmed device. | |
Download a text file of the code displayed. | |
Compare the current file with the file detected on a selected date. |
Choose a file to review
This section describes how to choose a file to review.
To choose a file to review:
Select an event from the Recent Events pane.
Select a file from the File pane. The file appears in the Current pane.
Compare files
This section describes how to compare programming files.
To compare:
Select an event from the Recent Events pane.
Select a file from the File pane. The file appears in the Current pane. You can compare this file to other files.
Select the compare indicator.
The window displays all dates the selected file was detected on the programmed device. The file may have been updated on the programmed device by multiple programming devices.
The number of differences detected appears in the upper right-hand corner of the window. You may need to scroll down to view differences.
The number is calculated by counting groups of adjacent changed lines. For example, if eight consecutive lines of code were changed (deleted, updated, or added), this will be calculated as one difference.
Select a date. The file detected on the selected date appears in the window.
The file selected from the Recent Events/Files pane always appears on the right.
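The counting rule above (one difference per run of adjacent changed lines) and the file status labels (Added, Updated, Deleted, no label) can be reproduced offline on downloaded *.txt code files. This is an added example, not code from the product or its documentation: it uses Python's standard `difflib` as a stand-in for the sensor's comparison, and the function names, file names, and program text are all constructed for illustration.

```python
import difflib

# Constructed sample: two versions of one program file from a programmed device.
OLD_PROGRAM = """\
PROGRAM PumpControl
VAR
    level : REAL;
    pump_on : BOOL;
    high_limit : REAL := 80.0;
    low_limit : REAL := 20.0;
END_VAR
IF level > high_limit THEN
    pump_on := FALSE;
END_IF;
IF level < low_limit THEN
    pump_on := TRUE;
END_IF;
END_PROGRAM
"""
NEW_PROGRAM = """\
PROGRAM PumpControl
VAR
    level : REAL;
    pump_on : BOOL;
    high_limit : REAL := 95.0;
    low_limit : REAL := 20.0;
END_VAR
IF level < low_limit THEN
    pump_on := TRUE;
END_IF;
(* high-level cutoff removed *)
END_PROGRAM
"""

def difference_blocks(old_text, new_text):
    """Return one record per run of adjacent changed lines."""
    old, new = old_text.splitlines(), new_text.splitlines()
    matcher = difflib.SequenceMatcher(None, old, new, autojunk=False)
    blocks = []
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "equal":
            continue  # unchanged lines separate one difference from the next
        blocks.append({
            "change": tag,            # 'replace', 'delete' or 'insert'
            "old_start": i1 + 1,      # 1-based line number in the older file
            "new_start": j1 + 1,      # 1-based line number in the newer file
            "removed": old[i1:i2],
            "added": new[j1:j2],
        })
    return blocks

def count_differences(old_text, new_text):
    """Eight consecutive changed lines still count as a single difference."""
    return len(difference_blocks(old_text, new_text))

def file_status(previous, current):
    """Label each file name the way the Files pane does (None = no label)."""
    labels = {}
    for name in sorted(set(previous) | set(current)):
        if name not in previous:
            labels[name] = "Added"
        elif name not in current:
            labels[name] = "Deleted"
        elif previous[name] != current[name]:
            labels[name] = "Updated"
        else:
            labels[name] = None
    return labels

def review_snapshots(previous, current):
    """Map file name -> (label, number of differences for updated files)."""
    report = {}
    for name, label in file_status(previous, current).items():
        diffs = 0
        if label == "Updated":
            diffs = count_differences(previous[name], current[name])
        report[name] = (label, diffs)
    return report

# Constructed snapshots of the files seen on the device on two dates.
PREVIOUS_FILES = {"PumpControl.st": OLD_PROGRAM, "Alarms.st": "ALARM_HIGH := 90;\n",
                  "Legacy.st": "(* unused *)\n"}
CURRENT_FILES = {"PumpControl.st": NEW_PROGRAM, "Alarms.st": "ALARM_HIGH := 90;\n",
                 "Override.st": "(* new file *)\n"}

if __name__ == "__main__":
    for name, (label, diffs) in review_snapshots(PREVIOUS_FILES, CURRENT_FILES).items():
        print(f"{name}: {label or 'no label'}, {diffs} difference(s)")
    for block in difference_blocks(OLD_PROGRAM, NEW_PROGRAM):
        print(block["change"], block["removed"], "->", block["added"])
```

The three-line removal of the high-limit check is reported as one difference, which is why a low difference count alone does not indicate a small change.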
Device programming information: Other locations
In addition to reviewing details in the Programming Timeline, you can access programming information in the Device Properties window and the Device Inventory.
Device type | Description |
---|---|
Device properties | The device properties window provides information on the last programming event detected on the device. |
The device inventory | The device inventory indicates if the device is a programming device. |
Manage device information from the map
The sensor does not update or impact devices directly on the network. Changes made here only impact how the sensor analyzes the device.
Delete devices
You may want to delete a device if the information learned is not relevant. For example:
A partner contractor at an engineering workstation connects temporarily to perform configuration updates. After the task is completed, the device is removed.
Due to changes in the network, some devices are no longer connected.
If you do not delete the device, the sensor will continue monitoring it. After 60 days, a notification will appear, recommending that you delete it.
You may receive an alert indicating that the device is unresponsive if another device tries to access it. In this case, your network may be misconfigured.
The device will be removed from the Device Map, Device Inventory, and Data Mining reports. Other information, for example information stored in Widgets, will be maintained.
The device must be inactive for at least 10 minutes to delete it.
To delete a device from the device map:
Select Devices on the side menu.
Right-click a device and select Delete.
Merge devices
Under certain circumstances, you may need to merge devices. This may be required if the sensor discovered separate network entities that are associated with one unique device. For example:
A PLC with four network cards.
A laptop with Wi-Fi and a physical card.
A workstation with two or more network cards.
When merging, you instruct the sensor to combine the device properties of two devices into one. When you do this, the Device Properties window and sensor reports will be updated with the new device property details.
For example, if you merge two devices, each with an IP address, both IP addresses will appear as separate interfaces in the Device Properties window. You can only merge authorized devices.
The event timeline presents the merge event.
You cannot undo a device merge. If you mistakenly merged two devices, delete the device and wait for the sensor to rediscover both.
To merge devices:
Select two devices (shift-click), and then right-click one of them.
Select Merge to merge the devices. It can take up to 2 minutes to complete the merge.
In the set merge device attributes dialog box, choose a device name.
Select Save.
Authorize and unauthorize devices
During the Learning period, all the devices discovered in the network are identified as authorized devices. The Authorized label does not appear on these devices in the Device Map.
When a device is discovered after the Learning period, it appears as an unauthorized device. In addition to seeing unauthorized devices in the map, you can also see them in the Device Inventory.
New device vs unauthorized
New devices detected after the Learning period will appear with a New and Unauthorized label.
If you move a device on the map or manually change the device properties, the New label is removed from the device icon.
Unauthorized devices - attack vectors and risk assessment reports
Unauthorized devices are included in Risk Assessment reports and Attack Vectors reports.
Attack Vector Reports: Devices marked as unauthorized are resolved in the Attack Vector as suspected rogue devices that might be a threat to the network.
Risk Assessment Reports: Devices marked as unauthorized are:
- Identified in Risk Assessment Reports
To authorize or unauthorize devices manually:
- Right-click the device on the map and select Unauthorize
Mark devices as important
You can mark significant network devices as important, for example business critical servers. These devices are marked with a star on the map. The star varies according to the map's zoom level.
Important devices - attack vectors and risk assessment reports
Important devices are calculated when generating Risk Assessment reports and Attack Vectors reports.
Attack Vector Reports: Devices marked as important are resolved in the Attack Vector as Attack Targets.
Risk Assessment Reports: Devices marked as important are calculated when providing the security score in the Risk Assessment report.
Generate Activity reports from the map
Generate an activity report for a selected device over 1, 6, 12, or 24 hours. The following information is available:
Category: Basic detection information based on traffic scenarios.
Source and destination devices
Data: Additional information detected.
The time and date last seen.
You can save the report as a Microsoft Excel or Word file.
To generate an activity report for a device:
Right-click a device from the Map.
Select an Activity Report.
Generate Attack Vector reports from the map
Simulate an Attack Vector report to learn if a device on the map you select is a vulnerable attack target.
Attack Vector reports provide a graphical representation of a vulnerability chain of exploitable devices. These vulnerabilities can give an attacker access to key network devices. The Attack Vector simulator calculates attack vectors in real time and analyzes all attack vectors per a specific target.
To view a device in an Attack Vector report:
Right-click a device from the map.
Select Simulate Attack Vectors. The Attack Vector dialog box opens with the device you select as the attack target.
Add the remaining parameters to the dialog box and select Add Simulation.
Export device information from the map
Export the following device information from the Map.
Device details (Microsoft Excel)
A device summary (Microsoft Excel)
A Word file with groups (Microsoft Word)
To export:
Select the Export icon from the Map.
Select an export option.