OT Cyber Risk Management

Blog

  • October 11, 2024

Rethinking Visibility: The Challenges of Passive Network-Based Monitoring in OT Cybersecurity

In the world of Operational Technology (OT) cybersecurity, getting a complete view of network traffic is often seen as a key step in ensuring the security and reliability of industrial systems. However, relying solely on passive network-based monitoring has its limitations that can make it hard to detect and respond to threats effectively. In this post, we will look at these limitations and highlight the need for a more comprehensive approach to OT cybersecurity.


Limited Insight from Network Traffic

One of the main challenges with passive monitoring is that it does not provide enough information about what is actually happening on the systems and devices in the OT network. Network packets reveal communication patterns and carry some useful information, but they often lack the detail needed for a thorough analysis. For instance, to learn something as basic as the firmware version running on a Programmable Logic Controller (PLC), you may need to use an engineering workstation to query the device directly, because that information only appears on the wire when something asks for it. This exposes a significant limitation of passive monitoring: while it can help detect unusual activity, it often fails to provide the context needed for informed decision-making. You are limited to whatever information happens to be sent across the network at the time of capture.

The Purdue Model and Traffic Complexity

Another important factor to consider is that much of the relevant industrial traffic occurs at the lower levels of the Purdue Model. Monitoring it effectively usually requires multiple SPAN ports, each of which must be routed back to the monitoring sensors. However, some network switches do not support this feature at all, which drives a need for many sensors, network taps and additional cable pulls; this can be complicated and resource-intensive.

In centralized SCADA systems, monitoring is somewhat easier because there is usually a central core switch through which most of the industrial traffic flows. In contrast, a Distributed Control System (DCS) or a basic PLC/Human-Machine Interface (HMI) setup complicates the monitoring landscape significantly. Additionally, reconfiguring industrial switches for network monitoring is not risk-free, contrary to what is often claimed.

“I remember a situation where a client mistakenly selected the wrong port while configuring an industrial switch for monitoring, which nearly led to a trip of the Safety Instrumented System (SIS) of the plant. Thankfully, a quick response from the engineer prevented the issue.”

Ignoring Critical Security Factors

Moreover, passive network monitoring tends to overlook other important factors that can greatly affect cybersecurity. The status of operator workstations, engineering workstations and servers—whether they have the latest vendor-approved patches installed, are protected by proper firewall rules, and have reliable backup solutions—is often a better indicator of an organization’s security posture than network traffic alone. Without addressing these elements, passive monitoring can create a false sense of security, leading organizations to underestimate their exposure to risk.
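To make the visibility gap from the two passages above concrete, here is an added example (not code from the original post): a minimal asset inventory that first records only what a passive sensor can derive from observed flows, then fills the host-side attributes (firmware version, patch state) from an engineering-workstation export and reports which devices remain blind. The flow records, the host export and all field names are constructed assumptions.

```python
"""Added example: passive-flow inventory versus host-enriched inventory.
All sample data below is constructed; field names are assumptions."""
from collections import defaultdict

# Constructed flow records as a sensor on a SPAN port might see them:
# (src, dst, dst_port, protocol). Only what is on the wire at capture time.
FLOWS = [
    ("10.1.1.20", "10.1.1.50", 502, "modbus/tcp"),  # HMI -> PLC
    ("10.1.1.20", "10.1.1.51", 502, "modbus/tcp"),  # HMI -> PLC
    ("10.1.1.10", "10.1.1.50", 102, "s7comm"),      # EWS -> PLC
]

# Constructed export from the engineering workstation, which read the
# firmware version directly from one PLC (an active query, not passive).
HOST_DATA = {
    "10.1.1.50": {"firmware": "v2.3.1", "patched": True},
}

# Attributes that never appear on the wire unless something asks for them.
ACTIVE_ONLY_FIELDS = ("firmware", "patched")


def build_passive_inventory(flows):
    """Derive what passive monitoring alone can: endpoints, protocols, peers."""
    inv = defaultdict(lambda: {"protocols": set(), "talks_to": set()})
    for src, dst, _port, proto in flows:
        inv[src]["protocols"].add(proto)
        inv[dst]["protocols"].add(proto)
        inv[src]["talks_to"].add(dst)
        inv[dst]["talks_to"].add(src)
    # Fields the wire does not carry are recorded as unknown, never guessed.
    for dev in inv.values():
        for field in ACTIVE_ONLY_FIELDS:
            dev[field] = None
    return dict(inv)


def merge_with_host_data(inventory, host_data):
    """Fill active-only fields from host data; return IPs still unknown."""
    gaps = []
    for ip, dev in inventory.items():
        dev.update(host_data.get(ip, {}))
        if any(dev[field] is None for field in ACTIVE_ONLY_FIELDS):
            gaps.append(ip)
    return sorted(gaps)


if __name__ == "__main__":
    inventory = build_passive_inventory(FLOWS)
    print("still blind after host enrichment:",
          merge_with_host_data(inventory, HOST_DATA))
```

The list returned by `merge_with_host_data` is the set of devices for which network traffic alone told you nothing about firmware or patch state, which is exactly the context the post says passive monitoring cannot supply.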

Conclusion

While passive network-based monitoring can be a useful part of OT cybersecurity strategies, its limitations are significant and should not be ignored. It is a helpful tool, but it should be seen as icing on the cake rather than the main way to secure systems. A complete approach that includes active probing, diligent patch management, and a careful look at organizational processes is essential for strengthening the security of industrial systems. By recognizing the limitations of passive monitoring, organizations can better prepare themselves to handle the changing landscape of OT cybersecurity threats.