June 2021, Industrial Ethernet Book

Page 51

Network Security

TAP vs SPAN: packet visibility challenges in OT environments

SOURCE: GARLAND TECHNOLOGY

The convergence of Operational Technology (OT) with Information Technology (IT) has exposed challenges for the industrial space, including increased vulnerability to cyber-attacks and network blindspots. Teams are utilizing ICS security solutions designed to efficiently address and manage threats in OT environments.

SPAN (Switched Port Analyzer) is a designated port programmed to mirror network packets seen on specific ports so that the packets can be analyzed.

As industrial companies with critical infrastructures invest in digital transformation to improve operational efficiency, cyber risks have significantly increased, leading to unscheduled downtime, negative corporate brand perception, and data and safety concerns. Securing and monitoring your network is a core goal for most companies. To accomplish this goal, teams use ICS security solutions designed to respond to and manage threats in OT environments efficiently. To properly identify, detect, and respond to security threats and breaches, most ICS security tools focus on threat detection and monitoring, and on asset visibility and management.

When implementing these security solutions, OT teams face complex challenges in architecting connectivity throughout these large and sometimes aging infrastructures. Many were not initially designed with network security in mind, so teams have to rely on legacy switch SPAN ports for visibility, which are not secure, reliable or always available. According to the SANS State of OT/ICS Cybersecurity Survey, “visibility is critical for managing OT/ICS systems. According to survey respondents, increased visibility into control system cyber assets and configurations is the top initiative organizations are budgeting for in the next 18 months.”

Security and performance strategies start with 100% visibility into network traffic. Security tools need to see every bit, byte and packet or they could miss a threat, and that visibility starts with the packets traversing the network. A common access point for packet visibility in OT environments has been the SPAN port on a network switch. Often an engineer will connect a SPAN port directly to an intrusion detection system (IDS) or network monitoring tool. But today, in modern ICS networks, network TAPs (test access points) are considered an industry best practice: a more reliable and secure way to access network packets so that security and monitoring solutions can properly analyze threats and anomalies.

This high-level network topology diagram, following the Purdue model, illustrates how an ICS network monitors its various segments: Level 1 control networks of DCS and PLCs, Level 2 process networks of HMIs and engineering workstations, Level 3 DNS operations, and Level 4 data center and security control centers. Instead of mirroring traffic directly from the various switches, the diagram shows how to properly access the packets with network TAPs and unidirectional Data Diode TAPs, providing complete and reliable visibility to ensure the monitoring solutions see every bit, byte, and packet.

TAP vs SPAN in OT environments

Determining when to use SPAN ports or network TAPs comes down to a multitude of issues, and in practice many visibility architectures use a combination of both. But there are some significant differences which affect the integrity of the traffic that is being analyzed, as well as the performance of the network traffic. Let’s review some of the pros and cons of each to help you decide what works best for your network.

Switch SPAN ports

A common visibility use case is to route mirrored traffic from a SPAN port on the switch to a security or monitoring tool. Port mirroring, also known as SPAN (Switched Port Analyzer), is a designated port on a network switch that is programmed to mirror, or send a copy of, network packets seen on specific ports where the packets can be analyzed.
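As an added illustration (not part of the article or of Garland Technology's material) of one reason a SPAN feed is less reliable than a TAP: a SPAN destination port must carry both directions of every mirrored full-duplex link on its single transmit side, so the switch silently discards copy traffic once it exceeds the destination port's speed, whereas a passive breakout TAP puts each direction on its own monitor port. The port names, link speeds and utilization figures below are constructed sample values.

```python
from dataclasses import dataclass


@dataclass
class MirroredPort:
    """A full-duplex switch port chosen as a SPAN source (constructed)."""
    name: str
    speed_mbps: int   # link speed of the source port
    rx_util: float    # fraction of receive capacity in use, 0.0-1.0
    tx_util: float    # fraction of transmit capacity in use, 0.0-1.0

    def mirrored_mbps(self) -> float:
        # Both directions of the source are copied onto the single
        # transmit side of the SPAN destination: up to 2x link speed.
        return self.speed_mbps * (self.rx_util + self.tx_util)


def span_load(sources, dest_speed_mbps):
    """Return (offered, dropped, dropped_fraction) in Mb/s for a SPAN
    session copying all `sources` to one destination port. Copy traffic
    above the destination's transmit rate is discarded by the switch."""
    offered = sum(p.mirrored_mbps() for p in sources)
    dropped = max(0.0, offered - dest_speed_mbps)
    return offered, dropped, (dropped / offered if offered else 0.0)


def span_worst_case_mbps(sources):
    """Planning figure: copy load if every source ran at line rate both ways."""
    return sum(2 * p.speed_mbps for p in sources)


def tap_breakout_load(port):
    """A passive breakout TAP puts each direction of one link on its own
    monitor port, so no monitor output can exceed the link speed."""
    return {"A_to_B": port.speed_mbps * port.rx_util,
            "B_to_A": port.speed_mbps * port.tx_util}


# Constructed sample: two 1 Gbps PLC uplinks mirrored to one 1 Gbps SPAN port.
PLC_UPLINKS = [
    MirroredPort("Gi1/0/1 PLC-A", 1000, rx_util=0.6, tx_util=0.4),
    MirroredPort("Gi1/0/2 PLC-B", 1000, rx_util=0.6, tx_util=0.4),
]
SPAN_DEST_MBPS = 1000

if __name__ == "__main__":
    offered, dropped, frac = span_load(PLC_UPLINKS, SPAN_DEST_MBPS)
    print(f"SPAN: offered {offered:.0f} Mb/s, dropped {dropped:.0f} Mb/s ({frac:.0%})")
    for p in PLC_UPLINKS:
        print(p.name, "via breakout TAP:", tap_breakout_load(p))
```

With the sample values the SPAN session is offered 2000 Mb/s and can forward only 1000 Mb/s, so half the mirrored packets never reach the IDS, while each TAP monitor output stays at or below 1000 Mb/s.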
