As technology continues to evolve, the lines between traditional information technology (IT) networks and industrial control systems or operational technology (OT) are blurring. While both domains rely on network analysis, the differences in their underlying protocols, architectures, and requirements make it essential to understand these distinctions. This article will delve into the fundamental concepts that set these two worlds apart and highlight key areas where packet and network analysis differ.
IT networks (traditional networking)
IT networks are the backbone of modern computing, providing the infrastructure for data exchange, communication, and processing. Typical applications include:
- Office networks
- Data centers
- Cloud services
- Internet connectivity
Connection reliability and quality of service are key measures of the quality of an IT network. Security is also a very important factor and applies to the content being transmitted as well.
OT networks (machine-based networks)
OT networks are designed specifically for industrial control systems, SCADA systems, or engine controls, ensuring precise and consistent control of physical and mechanical processes. Typical applications include:
- Manufacturing automation
- Process control systems
- Building automation
- Engine and vehicle control systems (e.g. airplanes, cars, rockets)
- Safety-critical systems
These networks rely on industrial-specific protocols like PROFINET, Sercos III, EtherNet/IP, or Modbus to facilitate real-time data exchange between devices.
IT/OT differences
One of the biggest differences between IT and OT networks lies in how they are brought up at startup. IT networks grow over time: new systems come online and old systems are taken offline. OT networks are usually started as a whole at the same time. The network itself has one base protocol, and all devices communicate either directly with that network using this protocol or through some form of coupler station, which translates the packet information between different protocols. An OT network also has a configuration or boot-up phase, which is used to ensure that all devices expected to be present are present and configured correctly. Firmware updates may be applied automatically in this phase as well. This phase is often called the asynchronous communication phase.
As soon as an OT network is configured correctly and a central system (in machine applications, this is called a PLC, for programmable logic controller) is in place, the network switches to a synchronous or real-time communication mode. This is the main difference between the two types of networks. Where an IT network may exchange any kind of information at any given time, an OT device typically transmits its so-called IO image, a set of information describing the current state of the device. At the same time, the device also expects to receive an IO image from its main counterpart, which tells the device the state it should switch to. This exchange is repeated periodically, and the period is called the network cycle.
Real-time vs. soft real-time
In OT networks, real-time and hard real-time applications require predictable and consistent network cycle times, whereas soft real-time applications can tolerate some degree of latency. For example, a manufacturing automation system might require hard real-time responses for controlling physical processes, while a building automation system might use soft real-time responses for monitoring temperature and humidity levels.
Real-time is often mistaken for fast communication, which is not the case. The difference between hard and soft real-time lies in the jitter tolerance of the repeated cycles: hard real-time applications usually expect jitter in the low nanosecond range, whereas soft real-time applications may tolerate milliseconds or even seconds.
Differences in analyzing IT and OT networks
Timestamping
In IT networks, timestamping is crucial for ensuring accurate packet sequencing and detecting anomalies. For example, in a cloud-based environment, timestamping helps identify and troubleshoot issues related to packet reordering or duplication. In contrast, OT networks require high-precision timestamping to maintain synchronized clocks across distributed systems, ensuring consistent control of physical processes. This is particularly critical in applications like manufacturing automation, where milliseconds can make the difference between successful and failed production runs.
Latency & Jitter
IT networks prioritize low latency for seamless communication, aiming for response times in the range of 1-10 ms. In contrast, OT networks focus on minimizing jitter to maintain consistent process control, requiring response times in the range of tens to hundreds of nanoseconds.
Protocols
While IT networks rely heavily on standard protocols like TCP/IP (Transmission Control Protocol/Internet Protocol), UDP (User Datagram Protocol), SIP (Session Initiation Protocol), and HTTP (Hypertext Transfer Protocol) for communication, OT networks employ industrial-specific protocols designed for real-time control and monitoring. PROFINET, a popular protocol in the OT world, is an Ethernet-based fieldbus used for device-to-device communication, whereas CAN (Controller Area Network) and Modbus are widely used protocols in automation systems. These OT protocols prioritize reliability, determinism, and low latency, often requiring custom implementation to ensure seamless integration with industrial devices. In contrast, IT protocols focus on packet switching, error correction, and efficient data transfer for general-purpose communication.
What kinds of protocols are used for OT
OT protocols come in all shapes and sizes. Some, like Modbus or EtherNet/IP, are based on traditional IT protocols (TCP in the case of Modbus/TCP). Our IOTA has specific dashboards for such protocols, which assist in analyzing a device or PLC network.
Other protocols, such as CAN or PROFIBUS, use a completely different physical layer. Capturing them requires specific sniffer hardware: as they are not based on RJ45 or similar standards, tracing requires specialized hardware that matches the physical characteristics of the protocol.
Another class of protocols is commonly known as Industrial Ethernet. These protocols are usually based on IEEE 802.3 and adapt the higher-layer protocols to specific needs. Ethernet POWERLINK, for example, uses specific frames on top of standard Ethernet frames to transport its data. TTEthernet additionally requires specific hardware components inside switches and endpoints to run a time synchronization protocol for hard real-time applications. The most recent protocol of this kind is TSN, which uses specific switches and hardware components to synchronize packets across the whole network. With this protocol, it is possible to guarantee the reception of packets within a few microseconds.
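To make the layering of Modbus/TCP on top of TCP concrete, here is an added example (not code from the original article or from any Profitap product) that splits a TCP payload into the MBAP header and the Modbus PDU and applies the checks a monitoring dashboard would want: protocol id, length consistency, and whether the function code changes process state. The three frames are constructed, not captured traffic.

```python
"""Modbus/TCP (MBAP) request parser with basic sanity checks (added example, constructed frames)."""
import struct
from dataclasses import dataclass

MBAP_HEADER_LEN = 7   # transaction id (2) + protocol id (2) + length (2) + unit id (1)
MODBUS_PROTOCOL_ID = 0
# Function codes that change process state; worth highlighting when monitoring a PLC network.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}


@dataclass
class ModbusTcpRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes

    @property
    def is_write(self) -> bool:
        return self.function_code in WRITE_FUNCTIONS

    @property
    def function_name(self) -> str:
        names = {**WRITE_FUNCTIONS, **READ_FUNCTIONS}
        return names.get(self.function_code, f"Function {self.function_code}")


def parse_modbus_tcp(payload: bytes) -> ModbusTcpRequest:
    """Split a TCP payload into MBAP header and PDU, rejecting frames that do not fit the header."""
    if len(payload) < MBAP_HEADER_LEN + 1:
        raise ValueError("payload too short for an MBAP header and function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", payload[:MBAP_HEADER_LEN])
    if protocol_id != MODBUS_PROTOCOL_ID:
        raise ValueError(f"unexpected protocol id {protocol_id}")
    # The length field counts unit id + function code + data, i.e. everything after the first 6 bytes.
    if length != len(payload) - 6:
        raise ValueError(f"MBAP length {length} does not match {len(payload) - 6} bytes present")
    return ModbusTcpRequest(transaction_id, unit_id, payload[7], payload[8:])


# Constructed frames, not captured traffic.
READ_REQUEST = bytes.fromhex("0001 0000 0006 01 03 0000 000a")   # read 10 holding registers from 0
WRITE_REQUEST = bytes.fromhex("0002 0000 0006 01 06 0010 00ff")  # write 0x00ff to register 16
TRUNCATED = bytes.fromhex("0003 0000 0006 01 03 0000")           # header claims 6 bytes, only 4 follow

if __name__ == "__main__":
    for frame in (READ_REQUEST, WRITE_REQUEST, TRUNCATED):
        try:
            req = parse_modbus_tcp(frame)
            print(f"tid={req.transaction_id} unit={req.unit_id} {req.function_name} write={req.is_write}")
        except ValueError as err:
            print("rejected:", err)
```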
Challenges for packet capture
All Industrial Ethernet protocols share the same goal: to ensure packets are transmitted and received within a given timeframe. Analysis therefore needs to be done differently than for IT protocols. The hard requirement is not so much to understand what information is being transmitted, but how precisely the time intervals are kept. Doing this analysis with a common PC or commodity hardware often leads to wrong results, because nearly all Ethernet hardware is built to maximize throughput and guarantee the reception of packets rather than to record the time at which they are received. If you analyze the network with a Windows-based PC, for instance, the capture alone can often add jitter of many milliseconds, which renders any timing analysis impossible.
Another issue is the Ethernet preamble and suffix. Some OT protocols use these parts to transmit additional information and synchronization data. Modern NICs strip them from the packets during capture, as an operating system usually neither requires nor wants them.
Therefore, packets have to be received and timestamped as precisely as possible. Also, metadata about the packets (where they came from, when they were received, …) as well as additional information in the MAC layer can often only be read if the packet has been captured directly on the network.
Lastly, as OT networks often require precise timings, which also depend on factors such as cable length, packet capture should be done with as little interference in the overall network as possible.
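As an added illustration of the jitter tolerances described under real-time vs. soft real-time and of how capture-side jitter distorts them (example code, not part of the original article or of any Profitap product), the script below computes cycle intervals and peak jitter for the same 1 ms network cycle from two constructed timestamp series: one as a hardware-timestamping capture engine would record it with ns precision, and one as a commodity PC capture might record it. The nominal cycle, the jitter budgets and all timestamps are assumed values.

```python
"""Network-cycle jitter check for cyclic OT frames (added example, constructed data)."""
from statistics import mean

# Assumed values: one device's cyclic IO-image frames on a nominal 1 ms network cycle.
NOMINAL_CYCLE_NS = 1_000_000
HARD_TOLERANCE_NS = 100          # assumed hard real-time budget: low-ns jitter
SOFT_TOLERANCE_NS = 2_000_000    # assumed soft real-time budget: milliseconds

# Constructed timestamps of the same seven frames, in ns since the first frame.
# Hardware-timestamped at the capture engine: the cycle is kept within tens of ns.
HW_TIMESTAMPS_NS = [0, 1_000_040, 1_999_980, 3_000_010, 4_000_030, 4_999_990, 6_000_020]
# Timestamped by the OS on a commodity PC: capture alone adds up to ~0.8 ms of error.
PC_TIMESTAMPS_NS = [0, 1_420_000, 1_950_000, 3_800_000, 3_950_000, 5_600_000, 6_010_000]


def cycle_intervals(timestamps_ns):
    """Inter-arrival time between consecutive frames, one value per cycle."""
    return [later - earlier for earlier, later in zip(timestamps_ns, timestamps_ns[1:])]


def jitter_report(timestamps_ns, nominal_ns, tolerance_ns):
    """Deviation of every cycle from the nominal period, and which cycles exceed the budget."""
    intervals = cycle_intervals(timestamps_ns)
    deviations = [interval - nominal_ns for interval in intervals]
    return {
        "mean_interval_ns": mean(intervals),
        "peak_jitter_ns": max(abs(d) for d in deviations),
        # 1-based cycle numbers whose deviation exceeds the tolerance
        "violations": [i + 1 for i, d in enumerate(deviations) if abs(d) > tolerance_ns],
    }


def capture_induced_jitter_ns(reference_ns, measured_ns):
    """Largest timestamp error the capture path itself introduced, frame by frame."""
    return max(abs(m - r) for r, m in zip(reference_ns, measured_ns))


if __name__ == "__main__":
    for label, series in (("FPGA capture", HW_TIMESTAMPS_NS), ("PC capture", PC_TIMESTAMPS_NS)):
        for tier, budget in (("hard", HARD_TOLERANCE_NS), ("soft", SOFT_TOLERANCE_NS)):
            report = jitter_report(series, NOMINAL_CYCLE_NS, budget)
            print(f"{label:13s} {tier} real-time: peak jitter {report['peak_jitter_ns']} ns, "
                  f"cycles over budget: {report['violations'] or 'none'}")
    print("timestamp error added by PC capture:",
          capture_induced_jitter_ns(HW_TIMESTAMPS_NS, PC_TIMESTAMPS_NS), "ns")
```

The PC-timestamped series reports every cycle as a hard real-time violation even though the hardware-timestamped series shows the cycle was held within 60 ns, which is the "wrong analysis" the text warns about.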
How ProfiShark and IOTA can help you
ProfiShark and IOTA EDGE models both utilize an FPGA-based capture engine, which allows for the complete capture of all information without further interference by the capture itself. Additionally, all packets are timestamped with a very low (ns-based) jitter upon receiving them in the engine. This allows for very precise and concise analysis of timing intervals, delays, jitters, and other issues, which are the most common problems for OT networks.
ProfiShark is used today by many industrial companies to analyze a variety of protocols such as PROFINET, TSN, and Ethernet POWERLINK. Its timestamping is many times more precise than most other solutions available on the market today. The very short network downtime when switching over and the out-of-band capture engine also allow ProfiShark and IOTA to be installed directly in the machine itself, which makes future analysis a breeze. IOTA can be integrated directly and uses the same power levels as modern machinery, and through its API it can be tasked to analyze and record traces whenever the overlaying PLC system requires it, making detailed and precise analysis easier than ever before.