Operational Technology (OT) networks are the backbone of critical infrastructure sectors such as energy, water, transportation, and manufacturing. These networks control physical processes with direct safety and economic implications, making their security against cyberattacks essential.
To enhance cybersecurity across critical infrastructure, the European Union established the Network and Information Systems Directive 2 (NIS2). This directive recognizes the increasing interconnectedness of IT and OT systems and the growing cyber threats to these environments.
While OT security platforms typically collect data for vulnerability assessment and asset discovery, they may overlook critical threats within network traffic. Deep visibility into network traffic is essential to defend against sophisticated threats like malware, ransomware, data exfiltration, and zero-day attacks and to comply with regulations like NIS2.
Deep Packet Inspection for OT security
OT security solutions that incorporate Deep Packet Inspection (DPI) sensors are vital for any OT network's security architecture. These sensors capture packets and identify anomalies to detect and respond to suspicious activities.
To maximize the effectiveness of these solutions, comprehensive visibility of network traffic for monitoring OT and IoT assets is crucial. Although connecting a DPI sensor via a SPAN port may initially seem cost-effective, managing multiple SPAN ports can lead to scalability issues due to the limited number of network adapters a sensor can handle. Additionally, more capture ports increase acquisition costs.
Profitap Booster Aggregation TAPs
Traffic aggregation is required to optimize the traffic flow between the capture points and the Network Detection and Response (NDR) tool. This is where the Profitap Booster Aggregation TAP comes in. With a small form factor and the ability to aggregate traffic losslessly, the Booster brings multiple capture points together on a single monitoring output.
Aggregation TAPs bring enhanced visibility and security by:
- Bundling traffic from multiple network links into a single output, providing DPI sensors with a complete overview of all critical data flows.
- Ensuring unidirectional data flow with an integrated Data Diode function, so that nothing connected to the monitoring output can send traffic back into the network through the switch's SPAN ports.
Booster Aggregation TAPs come in different models:
Booster In-line
- Aggregation of 8 ports (4 in-line links) RJ45 10/100/1G into 1 SFP+ 1G-10G output
- Direct link aggregation, no management, installation or driver required
- Ingress VLAN Tagging
- Data Diode function
- Non-intrusive to the network
- Supports link failure propagation
- PoE passthrough
- Redundant powering
- Fail-safe in-line design ensures uninterrupted network operation in case of power loss
- Network ports are galvanically separated from the monitor port for maximum security
- Low power consumption
Booster SPAN
- Aggregation of 8 SFP 10/100/1G SPAN ports into 1 SFP+ 1G/10G output
- Non-intrusive to the network
- Ingress VLAN Tagging
- Data Diode function
- Redundant powering
- 100FX support
- Direct link aggregation, no management, installation or driver required
- Low power consumption
Dual Output Booster
For both the in-line and SPAN models, dual output variants are available.
- Allows two separate tools to receive the same replicated copy of all traffic aggregated by the TAP, for example an OT security system sensor and a network analysis tool
- 2 x SFP+ 1G/10G outputs
- Same features as the single output variants
Aggregation TAP deployment
Profitap Booster aggregation TAPs offer great flexibility and a number of deployment options, suited for different environments and industries.
While the in-line model offers advanced fail-safe options and ensures lossless aggregation of 4 full-duplex links, in OT environments using SPAN to access network traffic is still a popular option. The illustration below shows how SPAN Booster Aggregation TAPs are combined to aggregate traffic coming from multiple sites.
In this use case, multiple physical locations need to be monitored. With multiple switches set up to forward traffic to the NDR tool via SPAN, the total number of incoming SPAN connections is 22. In this scenario, the aggregation can be performed with just three SPAN Booster Aggregation TAPs by setting the output port to 1Gbps and daisy chaining them: the first TAP accepts 8 SPAN feeds, and each further TAP in the chain spends one of its 8 inputs on the previous TAP's output, leaving 7 for new feeds (8 + 7 + 7 = 22). This is made possible by the low data rate (sub 10Mbps) on these lines, so the combined traffic stays well within the 1Gbps output.
Benefits of the Booster Aggregation TAP
Booster Aggregation TAPs are essential for cost-effective aggregation of network traffic from multiple sources and preparing it for analysis by NDR systems. These devices ensure that data is captured reliably from multiple locations and forwarded to monitoring tools without any loss, which is crucial for accurate threat detection and network analysis.
Lossless Aggregation
Conventional aggregation TAP solutions often feature output ports with the same speed as the network links. Combining several links onto such an output oversubscribes it, and valuable packets are lost. By aggregating network traffic to a 10 Gbps output, no packet loss occurs. Whether traffic is forwarded to a Network Packet Broker or a Profitap IOTA, the Profitap Booster delivers lossless aggregation while also reducing network complexity.
Speed Conversion
Many high-throughput devices, like network packet brokers, feature ports designed for 40/100 Gbps operation. With breakout cables, individual connections at 10 Gbps can be established, but lower speeds are often not possible. This means that lower-speed links, such as 10M/100M/1G, cannot be forwarded directly to the toolset. The Profitap Booster converts these links into a single 10 Gbps output, cost-effectively adding lower speeds to new and existing tools.
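The daisy-chain sizing from the multi-site SPAN scenario and the oversubscription check behind the Lossless Aggregation point, as an added planning helper (not Profitap's code). It assumes 8 input ports per TAP as stated for both Booster models, that a chained TAP consumes one input for the upstream TAP's output, and that an in-line link is tapped in both directions; the link rates are constructed sample values.

```python
from math import ceil

PORTS_PER_TAP = 8  # both Booster models aggregate 8 input ports into one output


def taps_in_chain(span_sources: int, ports_per_tap: int = PORTS_PER_TAP) -> int:
    """Number of daisy-chained aggregation TAPs needed for span_sources SPAN feeds.

    The first TAP offers all its input ports to SPAN sources. Every further TAP
    spends one input on the previous TAP's output, so it adds only
    ports_per_tap - 1 new sources (assumption: chaining uses a normal input port).
    """
    if span_sources <= 0:
        return 0
    if span_sources <= ports_per_tap:
        return 1
    remaining = span_sources - ports_per_tap
    return 1 + ceil(remaining / (ports_per_tap - 1))


def offered_load_mbps(link_rates_mbps, full_duplex_inline: bool = False) -> float:
    """Worst-case traffic the TAP must push out of its monitoring port.

    A SPAN feed contributes one stream at its port rate; an in-line link is
    tapped in both directions, so it can contribute twice its link rate.
    """
    streams_per_link = 2 if full_duplex_inline else 1
    return float(sum(rate * streams_per_link for rate in link_rates_mbps))


def oversubscribed(link_rates_mbps, output_mbps: float, full_duplex_inline: bool = False) -> bool:
    """True when the aggregated load exceeds the output port, i.e. packets would be dropped."""
    return offered_load_mbps(link_rates_mbps, full_duplex_inline) > output_mbps


def page_scenario():
    """The article's case: 22 SPAN feeds, each assumed at the 10 Mbps ceiling, 1 Gbps output."""
    rates = [10] * 22  # constructed: every line at the 'sub 10 Mbps' upper bound
    return taps_in_chain(len(rates)), oversubscribed(rates, output_mbps=1000)


if __name__ == "__main__":
    taps, dropped = page_scenario()
    print(f"22 SPAN feeds -> {taps} chained TAPs, 1G output oversubscribed: {dropped}")
    # Conventional TAP: 4 full-duplex 1G in-line links into a 1G output versus a 10G output
    print("4x1G in-line into 1G:", oversubscribed([1000] * 4, 1000, full_duplex_inline=True))
    print("4x1G in-line into 10G:", oversubscribed([1000] * 4, 10000, full_duplex_inline=True))
```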
Conclusion
Profitap's Booster Aggregation TAPs are a great asset in OT security. These TAPs aggregate traffic from multiple sources, ensuring comprehensive network visibility without impacting the network. Their Data Diode function prevents reverse data flow, enhancing security. Coupling these TAPs with NDR systems allows for continuous monitoring and threat detection, ensuring the safety of critical infrastructures.