TAP into Technology | Garland Technology Blog

3 Benefits of a TAP Fabric in OT Networks

Written by Neil Wilkins | 5/19/22 12:00 PM

Every week, I hear from industrial companies about their cybersecurity tools needing access to the data flowing through their OT networks.

In a previous post, I shared why companies are constantly looking to improve their OT network visibility. That article is a good foundation for this one. Here, we’ll dig into the benefits that come from using a TAP fabric, meaning a combination of Network TAPs and Packet Brokers, in your OT environment.

Companies favor TAPs over SPAN ports for OT traffic access because of these 3 primary benefits:

  1. Guaranteed unidirectional traffic
  2. No impact on the production environment
  3. Recognized cost savings

Guarantee Unidirectional Traffic

Unidirectional (one-way) data flows are often required in OT networks: traffic may leave the control network for monitoring, but nothing may come back in. A one-way copy of the traffic gives out-of-band security tools the data they need to monitor the network while removing the monitoring side as a path by which external threats could reach it.

Many of Garland’s Network TAPs have built-in Data Diode functionality. The TAP sends a one-way copy of the traffic to out-of-band monitoring tools without affecting the link between the two network elements it sits between.

Because a Data Diode TAP has no electrical path from its monitoring ports back to its network ports, traffic cannot be injected into the network from the monitoring side, even if the monitoring tool itself is compromised. These TAPs physically cannot send traffic back onto the network, providing “no injection” TAP visibility for 10/100/1000M networks.
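The TAP's data diode enforces "no injection" in hardware, but the capture host on the other side of it still deserves a check: a monitoring NIC left with an IP address, ARP or IPv6 enabled will try to transmit, and on a SPAN-fed or non-diode interface those frames can actually reach the network. The following Python is an added example, not code from Garland or from this article. It parses two snapshots of the Linux /proc/net/dev counter table and reports, for each capture interface, whether it is receive-only, transmitting, or seeing no traffic at all. The interface names (mon0, mon1, mon2) and the counter values are constructed for the example; on a real host you would read /proc/net/dev twice a few seconds apart.

```python
"""Added example (not Garland's code): confirm from the capture host that
TAP-fed monitoring interfaces are receive-only, using /proc/net/dev."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Counters:
    rx_packets: int
    tx_packets: int


def parse_proc_net_dev(text: str) -> Dict[str, Counters]:
    """Parse the Linux /proc/net/dev table.

    Each data line is '<name>: <16 integers>'. Fields 0-7 are the receive
    counters (bytes, packets, errs, drop, fifo, frame, compressed, multicast)
    and fields 8-15 the transmit counters in the same order, so rx packets is
    field 1 and tx packets is field 9.
    """
    table: Dict[str, Counters] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue  # the two header lines carry no colon
        name, _, rest = line.partition(":")
        fields = rest.split()
        if len(fields) != 16:
            raise ValueError(f"unexpected field count: {line!r}")
        nums = [int(f) for f in fields]
        table[name.strip()] = Counters(rx_packets=nums[1], tx_packets=nums[9])
    return table


def check_capture_ports(before: Dict[str, Counters], after: Dict[str, Counters],
                        capture_ifaces: List[str]) -> Dict[str, str]:
    """Compare two snapshots. A healthy TAP-fed capture port receives packets
    and never transmits; any growth in tx_packets means the host has a path
    back toward the network and its interface configuration needs fixing."""
    verdicts: Dict[str, str] = {}
    for iface in capture_ifaces:
        if iface not in before or iface not in after:
            verdicts[iface] = "missing"
            continue
        b, a = before[iface], after[iface]
        if a.tx_packets > b.tx_packets:
            verdicts[iface] = "TRANSMITTING"   # host is injecting toward the network
        elif a.rx_packets == b.rx_packets:
            verdicts[iface] = "no traffic"     # TAP unplugged, link down or SPAN unconfigured
        else:
            verdicts[iface] = "receive-only"
    return verdicts


# Constructed sample snapshots (not real capture data). mon0 behaves like a
# diode-TAP-fed port; mon1 is a SPAN-fed port on which the host has sent a
# few packets; mon2 sees nothing at all.
SNAPSHOT_BEFORE = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    1200      12    0    0    0     0          0         0     1200      12    0    0    0     0       0          0
  mon0: 9876543   81234    0    0    0     0          0       512        0       0    0    0    0     0       0          0
  mon1: 4567890   40210    0    0    0     0          0       128      420       6    0    0    0     0       0          0
  mon2:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
"""
SNAPSHOT_AFTER = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    1200      12    0    0    0     0          0         0     1200      12    0    0    0     0       0          0
  mon0: 9999999   82000    0    0    0     0          0       530        0       0    0    0    0     0       0          0
  mon1: 4600000   40500    0    0    0     0          0       130      560       8    0    0    0     0       0          0
  mon2:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
"""


def demo() -> Dict[str, str]:
    """Run the check over the constructed snapshots (mon3 is deliberately absent)."""
    before = parse_proc_net_dev(SNAPSHOT_BEFORE)
    after = parse_proc_net_dev(SNAPSHOT_AFTER)
    return check_capture_ports(before, after, ["mon0", "mon1", "mon2", "mon3"])


if __name__ == "__main__":
    for iface, verdict in demo().items():
        print(f"{iface}: {verdict}")
    # Live use: snapshot = open("/proc/net/dev").read(), taken twice a few seconds apart.
```

A "TRANSMITTING" verdict on a diode-TAP-fed port is harmless to the network (the frames go nowhere) but still shows the capture host is misconfigured; on a SPAN-fed port it is exactly the injection path the data diode is meant to rule out.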

No Impact on Production

For industrial companies, it’s critically important to keep the manufacturing lines running, power plants generating power, water treatment facilities providing clean drinking water, etc. Anything that would impact production has serious consequences.

One benefit of a TAP fabric is that it does not touch production, which is otherwise the biggest potential business disruptor. Since Network TAPs are passive and the monitoring side sits out-of-band, adding one changes nothing about the control system's configuration or behaviour, so it does not need the certification from whoever runs the plant, the approval from whoever makes the control-system decisions, or the sign-off from whoever certifies new hardware that an active device in the production path would require. Customers simply put in a TAP, which is passive and out-of-band, and the live production network is unaffected. The one practical point to plan for is that cabling a TAP into a link means briefly disconnecting that link, so the installation itself is done in a scheduled window.

A TAP also improves an organization’s resiliency. A passive TAP keeps passing traffic on the link even if it loses power, and if any of the monitoring devices connected to it lose power, operations are unaffected. A switch that goes down, by contrast, can take operations down with it.


Cost Savings

Many industrial environments are physically large, often geographically dispersed, and outdated in terms of IT infrastructure. When a company wants to deploy cybersecurity tools to detect and respond to threats such as ransomware and breaches, it often struggles just to gain access to the network traffic.

Legacy switching fabrics often lack the ability to configure SPAN ports, or they are running at capacity and there are no available ports to configure. Rather than upgrading the entire switching fabric and enduring the business cost of interrupting operations, organizations are finding another way.

Companies are adding a TAP fabric with passive Network TAPs (sometimes paired with smaller Packet Brokers) at each location. This is far more cost-effective than a fabric-wide switch refresh. A TAP fabric lets you deploy cybersecurity tools today while providing permanent traffic access for additional tools in the future.


Want to learn more?

Watch our latest roundtable webinar with Dragos where we discuss tactics and strategies for strengthening your ICS/OT visibility.