Busting Myths About Network TAPs 

• Network TAPs (Test Access Points) and Data Diode TAPs are superior alternatives to SPAN ports for OT (Operational Technology) environments.

• Network TAPs offer reliable, secure, and scalable network visibility.  

• TAPs are a critical visibility layer in OT cybersecurity architecture.  

• They ensure data integrity, tool optimization, and network resilience, making them a strategic investment over SPAN ports for OT network engineers.

• Several myths persist that may hinder their adoption, but these are easily debunked with facts. 

Introduction 

Industries that spread across huge complexes, generate energy, or manufacture large quantities of products face significant challenges in securing and monitoring their operational technology (OT). Unfortunately, many of the legacy network infrastructure in place today are not ideal for security, especially regarding network visibility. 

To address this issue, many manufacturers and utility companies rely on port mirroring through a switched port analyzer (SPAN) to create copies of data packets from designated ports to an intrusion detection system (IDS) for analysis. 

Despite their usefulness, SPAN ports may be off limits from network security personnel to reconfigure or even connect an IDS. Additionally, they may not always collect data packets reliably or send them to the appropriate destination, which can hinder the threat intelligence-gathering process. 

Network TAPs are the Ultimate Visibility Solution, But There Are Some Misconceptions  

The reality is that the best alternative for feeding data into an industrial IDS is through installing a network test access point (TAP). TAPs are hardware devices deployed between two network devices to create exact copies of network packet data and route them to a connected monitoring or security solution such as an IDS. When comparing Network TAPs vs. SPAN for OT networks, there are clearcut TAP benefits:  

• 100% Reliable: TAPs are guaranteed to collect and transmit complete copies of network data packets to the IDS tool. They don't drop packets and they will pass errors and corrupt packets.    

• Highly Secure: TAPs don't contain an internet protocol (IP) address or a media access control (MAC) address and, therefore, cannot get hacked by an outside threat actor.   

• Cost-Friendly and Scalable: TAPs have no required configuration overhead costs and only minimal maintenance requirements. They're also more scalable over their lifecycle as it has a longer mean time between failures (MTBF) and allows industrial OT engineers to maximize the production output of other monitoring tools through packet regeneration and aggregation.    

• Multi-Functional: TAPs often have multiple modes in a single device giving operators flexibility in deployment. Common TAP modes include Breakout, Aggregation, Regeneration, and Filtering.    

• Built-in Failsafe: Passive fiber TAPs accomplish failsafe in a truly passive manner, with no power needed to pass the traffic.​ Garland Technology’s active TAPs that are powered have built-in failsafe. This means that in the rare case of a TAP losing power, the TAP fails open ensuring the link between the two network devices is kept up and running.
  
   

Despite the clear-cut value offered by Network TAPs over SPAN, some false claims regarding TAPs as an alternative to SPAN exist. Let’s clear up common misunderstandings of Network TAPs:  

Claim: TAPs Are Insecure Because of Software Vulnerabilities  

This claim is more misleading than false. Software vulnerabilities are only a concern if the system is reachable and hackable. In the case of network TAPs, they are neither of these things. They don't come with any traceable IP or MAC addresses that an outside hacker could penetrate.  

While they can, however, target the tools a TAP is connected to, it won't impact the TAP itself. Better yet, the TAP will capture the intrusion attempt's data activity because it sends all packet-level data to connected tools.   

Claim: TAPs Lack the Proper Certifications and Accreditations   

The claim that TAPs don't have any certifiable approved uses is just blatantly false. In fact, the Commission on Accreditation for Law Enforcement Agencies (CALEA), whose responsible for setting law enforcement standards for what can be used for data intercepts and forensics, has approved TAPs as a legitimate and reliable source thanks to its 100% reliability of both the data and timestamp. (Pretty powerful acknowledgment all industries can appreciate.) 

A similar claim is also that TAPs don't have stamp-of-approval on the unidirectionality of data traffic. Data Diode TAPs, however, disprove this claim by transmitting traffic in one direction from OT devices to the IDS, which helps maintain packet visibility, prevent back-door network attacks, and reduce data packet errors. Data Diode TAPs enforce one-way traffic flow out the monitoring ports based on hardware design. 

Claim: TAPs Are a Narrow-Focused Solution to OT Security  

The claim that TAPs cannot address a broader scope of OT network perimeter security other than just traffic monitoring between the OT and IDS sensor, another untrue assertion. In many ways, TAPs are preventive solutions to the entire network.  

They ensure the proper configuration and performance of network security tools like intrusion protection systems (IPS), network firewalls, and application firewalls by eliminating SPOF and producing reliable data on targeted IT network components. TAPs also work seamlessly with SIEM, network detection and response (NDR) tools, and other threat intelligence solutions to guarantee no blind spots in the network.   

Claim: A Large Quantity of TAPs is Needed to Adequately Cover the Network  

Finally, we get to the claim that many TAPs are required to be effective. In an ideal world with an unlimited budget placing Network TAPs at every link would be the ultimate in network visibility. Unfortunately, budgets are finite and choices must be made on the most critical links to tap. Fortunately, there are different TAPs for different scenarios. Aggregating TAPs combine copies from multiple links into a single feed, ensuring tools are fully utilized and no bandwidth is wasted versus dedicating individual monitoring tools to each TAP or SPAN port. Multiple out-of-band monitoring or security tools can receive the exact same copies of network packets. In essence, Aggregating TAPs allow you to do more with less investment. 

Looking to utilize network TAPs in your industrial environment but not sure where to start? Join us for a brief network Design-IT consultation or demo. No obligation - it's what we love to do.