Profitap Blog


How Booster TAPs and NDR Systems Safeguard Industrial Control Networks

Operational Technology (OT) networks are the backbone of critical infrastructure sectors such as energy, water, transportation, and manufacturing. These networks control physical processes with direct safety and economic implications, making their security against cyberattacks essential.

To enhance cybersecurity across critical infrastructure, the European Union established the Network and Information Systems Directive 2 (NIS2). This directive recognizes the increasing interconnectedness of IT and OT systems and the growing cyber threats to these environments.

While OT security platforms typically collect data for vulnerability assessment and asset discovery, they may overlook critical threats within network traffic. Deep visibility into network traffic is essential to defend against sophisticated threats like malware, ransomware, data exfiltration, and zero-day attacks and to comply with regulations like NIS2.

Deep Packet Inspection for OT security

OT security solutions that incorporate Deep Packet Inspection (DPI) sensors are vital for any OT network's security architecture. These sensors capture packets and identify anomalies to detect and respond to suspicious activities.

To maximize the effectiveness of these solutions, comprehensive visibility of network traffic for monitoring OT and IoT assets is crucial. Although connecting a DPI sensor via a SPAN port may initially seem cost-effective, managing multiple SPAN ports can lead to scalability issues due to the limited number of network adapters a sensor can handle. Additionally, more capture ports increase acquisition costs. 

Profitap Booster Aggregation TAPs

Traffic aggregation is required to optimize the traffic flow between the capture points and the NDR tool. This is where the Profitap Booster Aggregation TAP comes in. With its small form factor and lossless traffic aggregation, the Booster brings multiple capture points together for monitoring.

Aggregation TAPs bring enhanced visibility and security by:

  • Bundling traffic from multiple network links into a single output, providing DPI sensors with a complete overview of all critical data flows.
  • Ensuring unidirectional data flow with an integrated Data Diode function, preventing attackers from infiltrating through the switch's SPAN ports.

Booster Aggregation TAPs come in different models:

Booster In-line

  • Aggregation of 8 RJ45 10/100/1G ports (4 in-line links) into 1 SFP+ 1G-10G output
  • Direct link aggregation, no management, installation or driver required
  • Ingress VLAN tagging
  • Data Diode function
  • Non-intrusive to the network
  • Supports link failure propagation
  • PoE passthrough
  • Redundant powering
  • The fail-safe in-line design ensures uninterrupted network operation in case of power loss
  • Network ports are galvanically separated from the monitor port for maximum security
  • Low power consumption

Booster SPAN

  • Aggregation of 8 SFP 10/100/1G SPAN ports into 1 SFP+ 1G/10G output
  • Non-intrusive to the network
  • Ingress VLAN tagging
  • Data Diode function
  • Redundant powering
  • 100FX support
  • Direct link aggregation, no management, installation or driver required
  • Low power consumption

Dual Output Booster

For both the in-line and SPAN models, dual output variants are available.

  • Allows two separate tools to receive the same replicated copy of all traffic aggregated by the TAP, for example an OT security system sensor and a network analysis tool.
  • 2 x SFP+ 1G/10G outputs.
  • Same features as the single output variants.

Aggregation TAP deployment 

Profitap Booster aggregation TAPs offer great flexibility and a number of deployment options, suited for different environments and industries. 

While the in-line model offers advanced fail-safe options and ensures lossless aggregation of 4 full-duplex links, in OT environments using SPAN to access network traffic is still a popular option. The illustration below shows how SPAN Booster Aggregation TAPs are combined to aggregate traffic coming from multiple sites.

In this use case, multiple physical locations need to be monitored. With multiple switches set up to forward traffic to the NDR tool via SPAN, the total number of incoming SPAN connections is 22. In this scenario, the aggregation can be performed with just three SPAN Booster Aggregation TAPs by setting the output port to 1 Gbps and daisy-chaining them. This is made possible by the low data rate (sub-10 Mbps) on these lines.

[Illustration: SPAN Booster Aggregation TAPs daisy-chained to aggregate SPAN traffic from multiple sites into one NDR feed]

Benefits of the Booster Aggregation TAP

Booster Aggregation TAPs are essential for cost-effective aggregation of network traffic from multiple sources and preparing it for analysis by NDR systems. These devices ensure that data is captured reliably from multiple locations and forwarded to monitoring tools without any loss, which is crucial for accurate threat detection and network analysis.

Lossless Aggregation

Conventional Aggregation TAP solutions often feature output ports with the same speed as the network links. This oversubscribes the TAP's output port, so valuable packets are lost. By aggregating network traffic to a 10 Gbps output, no packet loss occurs. Whether traffic is forwarded to a Network Packet Broker or a Profitap IOTA, the Profitap Booster delivers lossless aggregation while also reducing network complexity.

Speed Conversion

Many high-throughput devices, like network packet brokers, feature ports designed for 40/100 Gbps operation. With breakout cables, individual connections at 10 Gbps can be established, but lower speeds are often not possible. This means that lower-speed links, such as 10M/100M/1G, cannot be forwarded directly to the toolset.

The Profitap Booster converts these links into a single 10 Gbps output, cost-effectively adding support for these speeds to new and existing tools.
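The multi-site daisy-chain scenario above (22 SPAN feeds on three 8-port TAPs with the output set to 1 Gbps) and the oversubscription point under Lossless Aggregation, worked through as a small capacity planner. This is an added example, not Profitap code: the 8-port count and the 1G/10G output rates come from the article, the per-feed rates are constructed, and the model names are labels only.

```python
# Capacity planner for daisy-chained aggregation TAPs. Added example, not
# Profitap code; it models the article's multi-site scenario (22 SPAN feeds,
# 8-port SPAN Booster TAPs, output set to 1 Gbps, three TAPs daisy chained).
# Port counts come from the article; the per-feed rates are constructed.
from dataclasses import dataclass
from math import ceil

@dataclass(frozen=True)
class TapModel:
    name: str
    input_ports: int         # capture ports per TAP (8 on the Booster)
    output_rate_mbps: float  # SFP+ output rate as configured, 1G or 10G

def taps_needed(feeds: int, inputs_per_tap: int) -> int:
    """TAPs required to terminate `feeds` capture links in one daisy chain.
    The first TAP uses all its ports; every further TAP gives one input
    port to the upstream TAP's output, so it adds only inputs_per_tap - 1
    new feeds (8 + 7 + 7 = 22 in the article's scenario)."""
    if feeds <= 0 or inputs_per_tap < 2:
        raise ValueError("need a positive feed count and >= 2 ports per TAP")
    if feeds <= inputs_per_tap:
        return 1
    return 1 + ceil((feeds - inputs_per_tap) / (inputs_per_tap - 1))

def stage_loads(feed_rates_mbps, inputs_per_tap):
    """Aggregate rate (Mbps) leaving each TAP's output along the chain.
    Each stage carries everything upstream plus its own new feeds, so the
    last value is the load on the output that finally reaches the NDR."""
    loads, carried, i, take = [], 0.0, 0, inputs_per_tap
    while i < len(feed_rates_mbps):
        carried += sum(feed_rates_mbps[i:i + take])
        loads.append(carried)
        i, take = i + take, inputs_per_tap - 1
    return loads

def plan(feed_rates_mbps, model: TapModel) -> dict:
    """Size the chain and flag oversubscription (ingress above output rate).
    Any stage above the output rate drops packets under load, which is the
    loss a same-speed output suffers and a 10 Gbps output avoids."""
    loads = stage_loads(feed_rates_mbps, model.input_ports)
    worst = max(loads) / model.output_rate_mbps
    return {"taps": len(loads), "stage_loads_mbps": loads,
            "oversubscription": round(worst, 3), "lossless": worst <= 1.0}

if __name__ == "__main__":
    # Constructed: 22 SPAN feeds averaging 10 Mbps, output set to 1 Gbps
    print(plan([10.0] * 22, TapModel("Booster SPAN", 8, 1_000)))
    # Constructed: 4 full-duplex 1G links = 8 directions, 10 Gbps output
    print(plan([1_000.0] * 8, TapModel("Booster In-line", 8, 10_000)))
```

Running the two constructed cases shows why the article sets the SPAN chain's output to 1 Gbps (220 Mbps of aggregate traffic fits comfortably) and why the in-line model needs the 10 Gbps output to stay lossless at line rate.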

 

Conclusion

Profitap's Booster Aggregation TAPs are a great asset in OT security. These TAPs aggregate traffic from multiple sources, ensuring comprehensive network visibility without impacting the network. Their Data Diode function prevents reverse data flow, enhancing security. Coupling these TAPs with NDR systems allows for continuous monitoring and threat detection, ensuring the safety of critical infrastructures.