
Claroty Edge Reference Guide
Edge Version 1.4.15

Confidential & Proprietary | Copyright © 2023 Claroty Ltd. All rights reserved
20-Jul-2023

TABLE OF CONTENTS

1. Claroty Edge Overview ................ 3
2. Deployment Architecture .............. 4
   2.1. On-premise Deployment ........... 5
   2.2. Standalone Deployment ........... 5
3. Host Action Reference ................ 7
   3.1. Edge Supported AppDB Formats .... 7
4. Network Action Reference ............. 8
5. FAQ .................................. 10

20-Jul-2023 Edge Version 1.4.15 Page 2 of 10


1. Claroty Edge Overview

Claroty Edge is designed to bring fast, easy, and simple visibility into the OT environment. Claroty
has used all of its deep knowledge of OT, IT, and IOT environments to design a probe that gathers
rich information from assets, in a safe and secure manner. From a high level, Claroty Edge will
install onto Windows hosts throughout the OT / IT / IOT environment, and gather the following
data:

• Local Windows host information, such as:
  • IP address
  • MAC address
  • Windows version
  • Installed patches
  • Installed programs
  • USBs connected
• Identify all neighboring network assets
• Gather configuration information for neighboring OT assets, such as:
  • IP address
  • MAC address
  • Asset type (for example, PLC, HMI, Engineering workstation)
  • Model number
  • Serial number
  • Firmware version

All of this data is then sent to an upstream CTD site, where this data will be aggregated from
multiple Edges to give the following:

• Full asset identification of the environment
• Visibility into IT / OT / IOT assets
• Vulnerability information for assets (for example, CVEs)
• Risk identified for assets (for example, misconfigurations)

2. Deployment Architecture

The Edge component has several methods of deployment:

Table 1. Main Methods of Deployment

• Into an existing on-premise CTD site
• Standalone offline deployment

NOTE
Edge must send its data to a CTD site for processing. It cannot communicate with a
CTD Sensor or Enterprise Management Console (EMC). If the CTD site is connected
to an EMC, the data will populate into the EMC as normal, like all other data on the
CTD site.

For all deployment scenarios, Edge will be installed onto various Windows workstations within the
OT, IT, or IOT environments. After it is installed, it will capture information for that local host, and
gather information about neighboring network devices based on the configuration for that host.
This means that if you install Edge onto a device with the following network settings, it will
evaluate them and look for devices in every range it can reach directly (for example, 192.168.0.1 -
192.168.0.255):

• IP Address: 192.168.0.42
• Subnet Mask: 255.255.255.0
• Gateway: 192.168.0.1

If a device has multiple network cards, it will perform this same function for every network card
installed.

For each of the following deployment scenarios, the only change is how this data from Edge is sent
back to the upstream CTD system. The following section will give examples of how to install into
these various environments.

2.1. On-premise Deployment


The on-premise deployment of Edge will use installations onto Windows based workstations,
which will then communicate to an on-premise CTD site.

The general architecture can be seen in the diagram below:

The only limitation for on-premise deployments is the network connectivity between the host
running Edge and the local CTD site. The following port must be open:

Source      Destination      Port
Edge Host   Local CTD site   TCP 443

2.2. Standalone Deployment


The standalone deployment of Edge is intended for scenarios where the Edge cannot reach a
CTD system, generally because the host is in an air-gapped network, or because of other network
limitations. In this scenario, the Edge will be run on the host, and an encrypted file will be created
with the results, which can then be uploaded into a CTD site. For the data to be uploaded to a CTD
site, it will require Edge to be configured in one of the previous deployment scenarios in order to
process the data.

The general architecture can be seen in the diagram below:

Standalone deployments do not require any network connectivity to perform. After successfully
running Edge, it will create a .ctd file, which can then be retrieved for processing.

After the encrypted zip file (by default called results.ctd) is captured for the standalone
deployment, it must be uploaded into Edge in one of the other deployment methods in order to send
its data to a CTD for processing. Please see the previous deployment scenarios for the requirements
for these Edge scenarios.

3. Host Action Reference

In order to ensure that Edge does not negatively impact the performance of the Windows host, the
following controls are built into the system:

• The system is capped at using either 2GB of RAM or half of the available RAM, whichever is
smaller
• The process is set to BelowNormal priority, which means it is the lowest Windows priority
process and will only run when CPU resources are available
• All of the file sizes are capped to protect the system disk:
  • The log files are limited to 5Mb (configurable)
  • The output file for the Standalone deployment is limited to 5Mb (configurable)
  • If these limits are exceeded, the system will write partial results / logs and delete the
remainder
• The system uses the C:/TEMP directory for executing files, and these are deleted at the end of
process execution
• The system does not leave any persistent changes on the host operating system
• The system does not require a persistent executable to be installed

3.1. Edge Supported AppDB Formats


Edge will currently search for the following types of engineering workstation files on the local
Windows host:

• Unity
• Digsi4
• Rockwell Harmony
• RSLogix5000
• TIA
• Yokogawa Systemview
• Schneider Building Operation
• Honeywell DCS

4. Network Action Reference

While the Edge component is executing, it will run commands on the network environment that
are designed to be low impact and safe for the OT environment. These utilize the same active
queries that are built into the CTD platform, which use the same protocols and commands that
OT devices are designed to respond to. It essentially mimics the operation of an engineering
workstation while requesting information from OT devices.

While executing, the following commands are run in the environments:

• Phase 0: Edge Synchronization message (1 packet)
• Phase I: Broadcast (overall ~30 packets/interface over 20 seconds):
  • EN/IP
  • BACnet
  • WSD
  • ICMP broadcast
  • Profinet
  • SSDP
  • HiDiscovery (Hirschmann Discovery protocol)
  • GE Station Manager (GE rx* PLCs)
  • mDNS
  • Mitsubishi
• Phase II: Subnet Identification (overall at most ~500 packets over 10 seconds for a /24 subnet):
  • Unicast ICMP to IPs that did not respond in Phase I
• Phase III: Unicast query, mapping device MACs to vendor and using:
  • Rockwell - CIP
  • Siemens - S7, SNMP, MMS, Siprotec5
  • Schneider - Modbus, HTTP
  • B&R - SNMP (with B&R default credentials) / HTTP
  • Mikrotik - HTTP
  • Phoenix - HTTP
  • Digiboard - HTTP
  • Brother - HTTP
  • TP-Link - HTTP
  • Hirschmann - Telnet
  • HP - HTTP / NBNS
  • Moxa - Telnet
  • GE - GE SRTP
  • Prosoft - CIP
  • Suspected Windows - NBNS
  • Wago - Wago protocol
  • Danfoss - Modbus
  • TAC-AB - SNMP
  • Andover - SNMP
  • Lantronix - Lantronix protocol
  • Sierra Monitor - Ethernet / IP
  • Polycom - HTTP
  • Synology - HTTP
  • ABB - MMS, Modbus
  • Enterasys - SNMP (v1)
  • Mobotix - HTTP
  • Sigmatek - BACnet
  • Teltonika - SNMP
  • Westermo - SNMP, Telnet
  • Mitsubishi - Melsoft

To ensure no negative impacts on the network environment, the following controls are built into
the system:

• A synchronization begins all queries to ensure only one Edge is operating at a time in every
subnet
• All queries are performed in a serial manner, so the load on the network is not significantly
increased even if numerous Edges are configured

5. FAQ

Q: How can Edge be uninstalled?
A: Because Edge is a single executable, simply deleting the .exe file will remove Edge from the
system.

Q: What folder does it operate in?
A: While executing, the system creates temporary files in the C:\temp directory, which are
deleted after execution.

Q: What permissions are required to run Edge?
A: Edge requires an administrative account to execute.

Q: What operating systems are supported by Edge?
A: Edge is supported on Win7 and Win10 hosts, both 32 and 64 bit architectures.

Q: How are the assets marked in the CTD site?
A: Assets discovered through Edge have a description indicating the source:

Q: How long does it take to execute?
A: Execution time depends on available resources and number of network interfaces. It typically
ranges between 1-5 minutes.

Q: How do I stop Edge?
A: When running Edge via CLI you can use Ctrl + C to break out of the process. When running
Edge using the Web UI, there is a Quit button you can press at any stage of the execution to
terminate the process.
