TAP into Technology | Garland Technology Blog

ICS Village Series: Aggregating Distributed Industrial Networks

Written by Tom VanNorman | 11/11/21 1:00 PM

As ICS/OT environments get upgraded and modernized, challenges surface on deploying asset inventory and threat detection solutions within a distributed network. These include monitoring a network covering a significant geographic location and monitoring locations that cannot support additional hardware and need to utilize existing assets.

In the second of our 3 part ICS Village blog and video series on gaining visibility into your critical infrastructure environments, we are going to focus on overcoming distributed network challenges.

Critical infrastructure organizations are known for their unique and geographically dispersed network environments. Sectors such as water, mining, power distribution and transmission, as well as manufacturing can all face network architectures where you may need to secure various segments from different points within a more extensive network.

In addition, the physical location sometimes cannot support additional hardware within these networks due to space, power, environmental, or budget constraints. So how can organizations add a security solution to a distributed network where the location and the distance may present visibility challenges?


Aggregating SPAN traffic to a central security sensor without affecting infrastructure

For environments that cannot physically add additional hardware like network TAPs or multiple security sensors into the current infrastructure, leveraging SPAN ports to mirror the traffic from managed switches becomes the next best option.

A managed network switch typically includes port mirroring, also known as SPAN (Switched Port Analyzer). This capability designates one or more source ports on the switch whose packets are copied to a specified destination port. A network monitoring solution attached to that destination port analyzes the packets traversing the network. But, without the ability to add hardware or security sensors at each physical location due to space, power, environmental, or budget constraints, the next challenge is how to get the SPAN links from the various areas to a centralized sensor.

As depicted in the diagram below, this use case illustrates how to aggregate various SPAN links down to a centralized Dragos sensor.

Utilizing Garland’s High-Density Aggregator TAP, organizations can aggregate SPAN traffic from four or more distributed locations into one specific device, feeding all the network packet details and contents to the Dragos sensor.



After receiving the packets, the Dragos sensor performs some initial pre-analysis work. It then sends the appropriate metadata over to the Dragos Platform, which typically sits in Level 3 or 4 of the Purdue Model reference architecture, where primary reporting and notifications happen.

This use case incorporates existing switch infrastructure, aggregating the various links through an aggregator TAP and then to the security sensor without affecting the infrastructure.


Aggregating network TAP traffic to a central security sensor from distributed locations

Another use case is to TAP the links instead of relying on switch SPAN. SPAN can be difficult to use in legacy environments and is unavailable on unmanaged switches. Suppose the infrastructure has several fiber optic cables running from various sites back to one centralized place. We could deploy passive fiber network TAPs on those cables and ultimately aggregate their copies to the sensor.

Adding plug-and-play network TAPs and traffic aggregation allows the legacy infrastructure to remain in the original configuration to continue safe and reliable operations while providing the packet visibility needed to manage and secure assets without making device modifications. Network TAPs are purpose-built hardware devices, which allow you to analyze network traffic by copying packets, without impacting network integrity.


With this deployment scenario, as seen below, network traffic is fed to the Dragos Platform. A deployment like this gives a complete asset inventory list and a map view of the assets at the various locations of the network, such as firewalls, PLCs, network switches, HMIs (human-machine interfaces), IP addresses, MAC addresses, and more, spread across an extensive network infrastructure.
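Once several sites' SPAN or TAP copies arrive at one sensor as a single feed, two things a practitioner wants from it are the per-site asset inventory described above and a way to notice when one of the aggregated links goes quiet (a cleared SPAN session or a failed aggregator port produces no error on the sensor, only silence). The script below is an added example, not code from this post, Garland or Dragos; it assumes each packet copy can be attributed to its source site by a per-site VLAN tag applied on ingress (an assumption, not a feature the post describes), and the packet records are constructed sample data.

```python
# Added example: passive asset inventory plus "silent site" check over packet
# metadata from an aggregated SPAN/TAP feed. Site attribution via a per-site
# VLAN tag is an assumption; all records below are constructed sample data.
from collections import defaultdict

# Constructed records: (timestamp_s, site_vlan, src_mac, src_ip, protocol)
PACKETS = [
    (100, 101, "00:1d:9c:aa:01:01", "10.1.0.10", "modbus"),
    (101, 101, "00:1d:9c:aa:01:02", "10.1.0.11", "modbus"),
    (102, 102, "00:80:f4:bb:02:01", "10.2.0.10", "enip"),
    (103, 103, "00:50:56:cc:03:01", "10.3.0.5", "dnp3"),
    (150, 101, "00:1d:9c:aa:01:01", "10.1.0.10", "modbus"),
    (160, 102, "00:80:f4:bb:02:01", "10.2.0.10", "enip"),
]
# Constructed mapping of ingress VLAN tag -> distributed site name
SITES = {101: "pump-station-A", 102: "substation-B", 103: "plant-C", 104: "well-field-D"}

def site_of(vlan):
    return SITES.get(vlan, f"unknown-vlan-{vlan}")

def build_inventory(packets):
    """Map site -> {src_mac: {"ips": set, "protos": set}} from packet metadata."""
    inv = defaultdict(lambda: defaultdict(lambda: {"ips": set(), "protos": set()}))
    for _, vlan, mac, ip, proto in packets:
        inv[site_of(vlan)][mac]["ips"].add(ip)
        inv[site_of(vlan)][mac]["protos"].add(proto)
    return inv

def silent_sites(packets, now, max_idle_s):
    """Return expected sites whose last packet is older than max_idle_s,
    including sites never seen at all (a dark aggregator input)."""
    last_seen = {}
    for ts, vlan, *_ in packets:
        site = site_of(vlan)
        last_seen[site] = max(ts, last_seen.get(site, ts))
    return sorted(s for s in SITES.values()
                  if now - last_seen.get(s, float("-inf")) > max_idle_s)

if __name__ == "__main__":
    for site, assets in build_inventory(PACKETS).items():
        print(site, {m: sorted(v["ips"]) for m, v in assets.items()})
    print("silent sites:", silent_sites(PACKETS, now=200, max_idle_s=60))
```

With the sample data, plant-C has been idle for 97 s and well-field-D has never been seen, so both are reported as silent at now=200 with a 60 s threshold.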


These are two good use cases for providing packet visibility and a security platform in a distributed network that minimizes the impact to the infrastructure.

In our third iteration of this blog and video series, we will review how to quickly deploy a proof of concept to simultaneously compare multiple asset inventory and threat detection solutions.

Watch the ICS Village demonstration ‘Aggregating Distributed Networks To Gain Visibility Into Your Critical Infrastructure’

Want more information?

Watch the full ICS Village demo ‘Gaining Visibility Into Your Critical Infrastructure,’ or explore the Dragos and Garland Technology solution brief.