Summary

In a recent roundtable discussion hosted by ICS Village, various industry experts, including Garland Technology's very own CEO Chris Bihary, sat on a panel to discuss passive and active monitoring, their functional differences, how each can help to maintain visibility on operational technology (OT) networks, and the factors to consider when selecting these solutions. 

Intro

Managing an operational technology (OT) network requires swift action. Whether detecting and responding to security breaches or ensuring uninterrupted production, critical infrastructure businesses need fast insights to make informed decisions. Time truly is of the essence.

The significance of network visibility cannot be overstated. More specifically, generating and sending packet-level data throughout an environment to monitor OT assets, user activity, equipment health, and identifying security threats are pivotal in securing your network.

Here, we explore passive and active monitoring for gaining network visibility, along with the benefits and downsides of each solution.       

Passive Monitoring Explained 

Passive monitoring is a way of getting visibility on OT networks and industrial control systems (ICS) without interacting with traffic or pushing data packets outside the network. As the name suggests, this solution works "passively" to help collect data on your OT assets without alerting users or potential intruders.

It's also helpful to ensure throughput and uptime. Because ICS systems are often brittle and sensitive, they typically have a maximum threshold for the number of transmission control protocol (TCP) connections allowed before OT and ICS devices will overload and shut down.

Passive solutions can give you surface-level network data without disrupting operations. As our CEO Chris Bihary likes to say, "the truth is in the packet," and passive monitoring is a reliable way to get packet-level data because the devices used are physically attached to the network. They use the laws of physics to maintain quality control and system visibility. 

Passive Monitoring Approaches 

Businesses with a strong OT foundation, such as manufacturers and energy producers, can utilize two primary methods for passive monitoring and retrieving packet-level data from the network.

• SPAN Ports: Sometimes called "mirror" ports, these are software solutions built into a managed switch or router, which create copies of selected packets to send back to the SPAN port. 
• Network TAPs: Test access points (TAPs) or when you insert a wiretap between two network devices that copy traffic data to your passive monitoring tool. 

Though an affordable option, SPAN ports often require complex device configurations that can be difficult to manage and may lead to errors. Additionally, there are risks associated with packet dropping and incomplete data insights in the event of a network breach. The most notable problem, however, is that SPAN ports move packet traffic bidirectionally to AND from the network — making the switches susceptible to hacking and security breaches.  

Another issue is that most OT environments use older technology, so engineering teams will incorporate SPAN ports due to their compatibility. Little do they know, other components, such as their backplane, do not support SPAN, and the entire network will shut down after activation. Network TAPs solve many of the challenges of SPAN ports. 

TAPs offer reliable security by only allowing data packets to move in one direction and not containing any IP address — making them immune to hacking threats. Additionally, TAPs are permanently connected to the infrastructure and use robust data diode technology. Therefore, there is no need to worry about user misconfigurations or packet-dropping issues; it's guaranteed to obtain all traffic and packet data.

With its high level of accuracy, this passive monitoring solution is not only effective for security purposes but can also be used as legal evidence and to ensure compliance during audits.

Another Potential Passive Monitoring Option? 

Those looking to get the cost benefits of a SPAN port with the reliability of network TAPs can turn to an alternative passive monitoring solution: OT engineering teams can deploy hardware data diodes into SPAN ports. 

The benefit here is more reliable packet transmissions, better security since data packets can only move in one direction, and compliance with regulatory requirements such as North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (NERC CIP) standards.    

Active Monitoring Explained 

Active monitoring goes beyond passive solutions by actually talking with the endpoint. It works by deploying agents on endpoint devices that report and log the network traffic data back to the monitoring source. Assuming you're within the threshold, you can get far more detailed information, like firmware, IP addresses, operating systems (OS), etc, on your OT assets than a passive solution. 

Aaron Crow, Chief Technology Officer for Industrial Defender, explained the differences best during the panel discussion: 

"Passive [monitoring] is really good at deducting 'hey, this looks like a Windows machine.' This looks like this, and I can look at the Mac address and make some assumptions based on the communications. But I don't have all of the information about that. It's just not going to tell everything. If I need to get to that level of detail, that's where I may need to go active [monitoring] so I can actually talk about the things that it does. I want to understand not just that it's Windows 10, but which build of it, which KB articles, what software is installed, what user accounts and active directory. All of those things, I can't get that passively."

Active Monitoring as a Defensive Tool  

Active monitoring is more proactive than passive. It provides "active" device blocking for your OT network, similar to an IT firewall. This enables you to get activity logs on command and utilize it as a defensive and responsive solution that engages in threat hunting instead of only "passive" monitoring.

The counterargument for active visibility solutions is that you might alert a hacker of what you know. By actively searching for threats, you could tip off an advanced persistent threat (ATP) or other adversaries — allowing them to rethink their attack strategy.  

Passive vs. Active Monitoring: How to Choose? 

Every OT management expert, including those on the ICS Village panel, will tell you that a robust plan includes both passive and active monitoring. You need to consider your network's makeup, the types of OT assets included, and your visibility objectives. Additionally, consider your capacity for TCP connections. While active gives you more granular details, if you're cutting it close to the threshold, conducting active monitoring could risk an operational shutdown. 

Ultimately, each OT asset should get evaluated independently. Decipher which are critical vs. non-critical, then calculate the return on investment (ROI), risk, regulatory requirements, and the potential cost of doing nothing (CODN) in the context of applying passive or active monitoring solutions.    

Looking to take your first step toward enhanced network flexibility, visibility, and security but not sure where to start? Join us for a brief network  Design-IT consultation or demo. No obligation - it’s what we love to do.

Key Definitions

• Operational Technology (OT): Hardware and software controlling and monitoring physical processes in an industrial operation, such as manufacturing. 
• Passive Monitoring: A technique of capturing OT network data using SPAN ports or TAPs to obtain visibility without comprising OT asset operability.    
• Active Monitoring: A technique of obtaining OT network visibility by applying monitoring agents directly on the endpoint and OT assets for more detailed and proactive insights.  
• Transmission Control Protocol (TCP): A communications standard for OT devices, industrial control systems (ICS), and other network components to exchange reliable data packets between one another.