Profitap Blog


Monitoring OT Networks Securely with TAPs and NPBs: A Purdue Model Approach

Operational Technology (OT) networks are used in many industries, such as manufacturing, energy, transportation, and healthcare operations. Unlike in traditional IT networks, a disruption or failure in an OT network can directly damage physical assets, cause downtime, and endanger safety.

Because of this, OT systems require a dedicated monitoring approach. The monitoring equipment must keep up with real-time traffic and must not, under any circumstances, affect the availability, timing, or security of the network in which it is deployed.

In addition, OT networks typically consist of legacy systems that speak industrial protocols (Modbus/TCP, PROFINET, EtherNet/IP, DNP3, and vendor-proprietary variants) that conventional IT monitoring tools do not capture or decode. Getting visibility into this traffic requires equipment that can capture it without touching the production link and analysis tools that can interpret these protocols.

Purdue model

The Purdue Model for Industrial Control Systems (ICS) security is a framework that outlines a multilayered approach to safeguarding industrial environments. Originally developed at Purdue University as the Purdue Enterprise Reference Architecture (PERA) and later adopted by the International Society of Automation (ISA) in ISA-95 and in the ISA-99 standard (now ISA/IEC 62443), the model defines a hierarchy of network levels, numbered 0 through 5, each serving a specific function in operating and protecting the plant. The levels range from the enterprise network at Level 5 down to the physical process at Level 0, with an industrial DMZ (often called Level 3.5) separating the site operations levels from the enterprise levels.

(Figure: Purdue model levels, from the enterprise network at Level 5 down to the physical process at Level 0)

The primary objective of the Purdue Model is to create clear, enforceable boundaries between the levels of an organization's network, in particular between the enterprise (IT) network and production (OT) operations, so that traffic between non-adjacent levels has to pass through a controlled point such as the industrial DMZ. This segmentation limits how far a compromise can propagate: a workstation infected at Level 4 should have no direct path to a controller at Level 1. By implementing this structured approach, companies can better manage the risks of cyber threats, unauthorized access, and data breaches, and keep their industrial control systems running continuously and reliably.

Following this model, here are the steps to monitor industrial networks with TAPs and NPBs:


Step 1: Identify Critical Assets

The first step in monitoring an industrial network is identifying the critical assets that need protection. This includes every device and system essential to the industrial process: PLCs and RTUs, HMIs and local SCADA servers, engineering workstations, historians, and safety instrumented systems. Active scanning of OT devices is risky (some controllers crash or stall when probed), so an inventory built passively from captured traffic is the safer way to discover what is actually on the network.


Step 2: Segment the Network

Next, the network should be segmented according to the Purdue model's hierarchical levels, with a defined boundary (a conduit) between each pair of adjacent levels and between the site operations levels and the enterprise network. Each boundary is a natural place to see all traffic that crosses between levels, which makes monitoring and analysis far more targeted and shortens the time needed to investigate an incident.

(Figure: Operational technology network diagram)

Step 3: Deploy TAPs

Network TAPs are hardware devices that passively copy network traffic without interrupting its flow. Deploy them at strategic points in the network, such as on the links between different levels or zones, to capture all data passing through those boundaries. Because a TAP's monitor ports only send traffic out, the monitoring tools connected to it cannot inject packets into the production link, which is exactly the one-way visibility an OT environment needs. Low-latency and 24 VDC-powered models are available for industrial environments.

We wrote an article on enhancing OT network monitoring using copper TAPs and IOTA. Copper TAPs, such as those offered by Profitap, are non-intrusive devices that capture all network traffic on a single cable, providing separate TX/RX streams without adding measurable latency or interfering with existing traffic. This allows for seamless, interaction-free integration into existing networks, which is crucial in industrial environments where timing is critical and disruptions could halt operations. Before placing any copper TAP in-line on a production link, confirm how it behaves on power loss so that the monitored link stays up when the TAP does not.

https://insights.profitap.com/enhancing-ot-network-monitoring-with-copper-taps-and-iota

Step 4: Set up the aggregation layer

Network Packet Brokers (NPBs) are intelligent devices that receive traffic from multiple TAPs and aggregate it into a single stream for analysis. They also provide advanced filtering (by VLAN, IP address, port, or protocol) so that only the traffic of interest reaches the monitoring tools. NPBs can also receive traffic from other sources, such as SPAN (mirror) ports on switches, offering flexibility in different deployment scenarios. Note that a SPAN port is a lower-priority function of the switch and can silently drop packets under load, so a TAP is the more reliable source where complete capture matters. NPBs help optimize the monitoring stream before it reaches the tools, for example by deduplicating packets that were captured at more than one point.

https://www.profitap.com/network-packet-brokers/


Step 5: Monitor Traffic

The collected traffic can then be analyzed by Profitap's IOTA appliance through its dashboards and forwarded to a security monitoring system such as an Intrusion Detection System (IDS) or a Network Detection & Response (NDR) platform that understands industrial protocols.


Step 6: Identify Anomalies

Issues like hardware degradation, network congestion, or failing components can be detected with analytics tools, and so can security-relevant anomalies: traffic crossing level boundaries that should not exist (for example, an enterprise host talking directly to a controller), a new device appearing on a production segment, or write commands sent to a PLC from anything other than the engineering workstation. Application and OT specialists can then investigate the issue directly and determine the best course of action.
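The following is an added example, not code from the original article or from Profitap, of the kind of check an analysis tool fed by boundary TAPs can run for Steps 2, 5, and 6: it maps captured flows to Purdue levels using a constructed addressing plan (one subnet per level, which is an assumption), flags traffic that skips a level or bypasses the IDMZ, and parses the Modbus/TCP MBAP header to flag write function codes from any host other than a designated engineering workstation. The sample flows, subnets, and the single allowed writer address are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing plan (an assumption for this example): one subnet per
# Purdue level. Level 0 devices sit on the fieldbus and are not IP-addressed here.
LEVEL_OF_SUBNET = {
    ipaddress.ip_network("10.1.0.0/24"): 1,     # PLCs, RTUs
    ipaddress.ip_network("10.2.0.0/24"): 2,     # HMIs, engineering workstation
    ipaddress.ip_network("10.3.0.0/24"): 3,     # site operations: historian, MES
    ipaddress.ip_network("10.35.0.0/24"): 3.5,  # IDMZ: jump hosts, replicated historian
    ipaddress.ip_network("10.4.0.0/24"): 4,     # enterprise IT
}
LEVEL_ORDER = [1, 2, 3, 3.5, 4]  # a flow may only cross to an adjacent level

# Hosts permitted to issue Modbus write commands (assumption: one engineering workstation).
ALLOWED_MODBUS_WRITERS = {ipaddress.ip_address("10.2.0.50")}
# Write Single Coil, Write Single Register, Write Multiple Coils/Registers,
# Mask Write Register, Read/Write Multiple Registers.
MODBUS_WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}
MODBUS_TCP_PORT = 502


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    payload: bytes = b""  # first bytes of the TCP payload as seen at the TAP


def level_of(ip: str):
    addr = ipaddress.ip_address(ip)
    for net, level in LEVEL_OF_SUBNET.items():
        if addr in net:
            return level
    return None


def modbus_function_code(payload: bytes):
    """Parse the 7-byte MBAP header and return the PDU function code, or None
    if the bytes are not a well-formed Modbus/TCP frame."""
    if len(payload) < 8:
        return None
    protocol_id = int.from_bytes(payload[2:4], "big")  # must be 0 for Modbus
    length = int.from_bytes(payload[4:6], "big")       # counts unit id + PDU
    if protocol_id != 0 or length != len(payload) - 6:
        return None
    return payload[7]


def check_flow(flow: Flow):
    """Return the list of policy findings for one captured flow (empty if clean)."""
    findings = []
    src_level, dst_level = level_of(flow.src), level_of(flow.dst)
    if src_level is None or dst_level is None:
        findings.append(f"unknown host: {flow.src} -> {flow.dst}")
        return findings
    hop = abs(LEVEL_ORDER.index(src_level) - LEVEL_ORDER.index(dst_level))
    if hop > 1:
        findings.append(f"level skip: L{src_level} {flow.src} -> L{dst_level} {flow.dst}:{flow.dst_port}")
    if flow.dst_port == MODBUS_TCP_PORT:
        fc = modbus_function_code(flow.payload)
        if fc is None:
            findings.append(f"non-Modbus payload on port 502: {flow.src} -> {flow.dst}")
        elif fc in MODBUS_WRITE_FUNCTIONS and ipaddress.ip_address(flow.src) not in ALLOWED_MODBUS_WRITERS:
            findings.append(f"unexpected Modbus write (fc {fc}): {flow.src} -> {flow.dst}")
    return findings


def check_flows(flows):
    return [finding for flow in flows for finding in check_flow(flow)]


def modbus_frame(function_code: int, data: bytes, unit_id: int = 1, tid: int = 1) -> bytes:
    """Build a Modbus/TCP frame: MBAP header (transaction id, protocol id 0,
    length, unit id) followed by the PDU."""
    pdu = bytes([function_code]) + data
    return tid.to_bytes(2, "big") + b"\x00\x00" + (len(pdu) + 1).to_bytes(2, "big") + bytes([unit_id]) + pdu


# Constructed sample flows, as a boundary TAP feeding an NPB might deliver them.
SAMPLE_FLOWS = [
    Flow("10.2.0.10", "10.1.0.5", 502, modbus_frame(3, b"\x00\x00\x00\x0a")),               # HMI reads 10 holding registers
    Flow("10.2.0.50", "10.1.0.5", 502, modbus_frame(16, b"\x00\x10\x00\x01\x02\x00\x01")),  # engineering WS writes
    Flow("10.2.0.10", "10.1.0.5", 502, modbus_frame(6, b"\x00\x10\x00\x01")),               # HMI writes a register
    Flow("10.4.0.7", "10.1.0.5", 502, modbus_frame(3, b"\x00\x00\x00\x01")),                # enterprise host polls a PLC directly
    Flow("10.3.0.20", "10.4.0.7", 443),                                                     # historian bypasses the IDMZ
    Flow("10.3.0.20", "10.35.0.9", 443),                                                    # historian replicates into the IDMZ
    Flow("10.2.0.10", "10.1.0.5", 502, b"GET / HTTP/1.1\r\n"),                             # something else on port 502
]

if __name__ == "__main__":
    for finding in check_flows(SAMPLE_FLOWS):
        print(finding)
```

Run as-is it reports four findings: the HMI's write, the enterprise host reaching a Level 1 controller, the historian talking to the enterprise network without passing through the IDMZ, and a non-Modbus payload on the Modbus port. The adjacency rule is deliberately strict; where a site legitimately allows, say, Level 3 engineering access to Level 1, that exception belongs in the policy as an explicit allow entry rather than by loosening the rule.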


Step 7: Optimize and implement

Based on the insights gained from monitoring traffic, changes can be made to make the network and applications more resilient, for example by tightening a boundary rule once the legitimate traffic across it is known. At the TAP and NPB level, adding capture points at boundaries that turned out to be blind spots and creating new filter rules for the protocols seen there further improves the overview of the network.


Step 8: Regular Updates

It is essential to regularly update the security tools used for monitoring the industrial network, so that they carry the latest threat intelligence and protocol decoders and can detect new attacks or issues. Because TAPs and NPBs keep the analysis tools out of band, the monitoring stack can be updated without a production change window, which is one of the practical reasons for not placing those tools in-line.

By following these steps, organizations can effectively monitor their industrial networks using TAPs and NPBs while adhering to the Purdue model’s layered security approach. This helps protect critical assets from cyber threats, ensure smooth operations, and maintain regulatory compliance.