TAP vs. SPAN in OT Environments

Securing and monitoring your network is the ultimate goal. To accomplish this goal, teams utilize ICS security solutions designed to respond and manage threats in OT environments efficiently. To properly identify, detect, and respond to security threats and breaches, many ICS security tools focus on network visibility, threat detection and monitoring, and asset visibility and management.

When implementing these security solutions, OT teams face complex challenges around architecting connectivity throughout these large, and sometimes aging, infrastructures that weren’t initially designed with network security in mind, including:

• Relying on legacy switch SPAN ports for visibility, that aren’t secure, reliable or available
• Facing different media or speed connections between the network and various tools
• Network sprawl with a need to reduce network complexity
• May require unidirectional connectivity for their monitoring tools
• Require a secure air-gapped solution for virtual environments

Fortunately, these challenges have solutions. Optimized security and performance strategies start with 100% visibility into network traffic. And visibility starts with the packet.

A common access point for network visibility in OT environments has been from SPAN ports on a network switch. Many times, an engineer will connect directly to intrusion detection systems (IDS), or network monitoring tools.

But today, in modern ICS networks there is a more reliable option to access network packets for security and monitoring solutions to properly analyze threats and anomalies - network TAPs.

TAP vs. SPAN in OT Environments

Determining when you use SPAN ports or network TAPs comes down to a multitude of issues. And many times, a combination of both is a visibility architecture reality. But there are some significant differences which affect the integrity of the traffic that is being analyzed, as well as the performance of the network traffic. Let’s review some of the pros and cons of each to help you decide what works best for your network.

1. Switch SPAN Ports

A common visibility use case is to route mirrored traffic from a SPAN port on the switch to a security or monitoring tool. Port mirroring also known as SPAN (Switched Port Analyzer), is a designated port on a network switch that is programmed to mirror, or send a copy, of network packets seen on a specific port, where the packets can be analyzed.

SPAN Port Pros:

• Provides access to packets for monitoring
• SPAN sessions do not interfere with the normal operation of the switch
• Configurable from any system connected to the switch

The concept is simple enough — the switch is already architected into the environment. Just hook up your security solution. Done. But many times, the simplest path isn't the best path.

SPAN Port Cons:

• SPAN takes up high value ports on the switch
• Some legacy switches do not have SPAN ports even available
• SPAN ports can drop packets, an additional risk for security and regulatory solutions

One of the fundamental reasons security teams do not like to use SPAN is because of dropped packets. This usually happens when the port is heavily utilized or oversubscribed. In OT environments, network switches tend to run 10M, 100M, up to 1G so you may think this will never happen. Unfortunately, ICS switches are prone to drop packets at a lower speed, even when network links are not saturated. This can happen for a variety of reasons:

• Packets sometimes can’t be stored because of a memory shortage
• 'PAUSE' frame attack. A bad actor can flood the SPAN disguised as a loopback, hiding bad data and forcing dropped packets
• Packets showing a broken cyclic redundancy check (CRC) will be dropped
• Frames smaller than 64 bytes or bigger than the configured maximum transmission unit (MTU) can be dropped because of an ingress rate limit

If dropping the packets isn’t an eye opener, SPAN also:

• Will not pass corrupt packets or errors
• Can duplicate packets if multiple VLANs are used
• Can change the timing of the frame interactions, altering response times

The SPAN concept may have sounded easy because it was available, but after weighing packet loss and altered frames, additional SPAN security considerations include:

• Bidirectional traffic opens back flow of traffic into the network, making switch susceptible to hacking
• Administration/programming costs for SPAN gets progressively more time intensive and costly

2. Network TAPs

The industry best practice for packet visibility are network TAPs (test access points). Network TAPs are purpose-built hardware devices that create an exact full duplex copy of the traffic flow, continuously, 24/7 without compromising network integrity.

Instead of connecting two network segments, such as routers and switches, directly to each other, the network TAP is placed between them to gain complete access to traffic streams. TAPs transmit both the send and receive data streams simultaneously on separate dedicated channels, ensuring all data arrives at the monitoring or security device in real time.

• Network TAPs make a 100% full duplex copy of network traffic
• Network TAPs do not alter the data or dropping packets
• Network TAPs are scalable and can provide a single copy, multiple copies (regeneration), or consolidate traffic (aggregation) to maximize the production of your monitoring tools

Following critical infrastructure’s guiding principles — you want your network to be built to last, while ensuring minimal to no network downtime. These concepts rest on the network infrastructure and visibility architecture. Incorporating best practices like TAPs in your network will help you achieve these goals. To learn more about ICS network visibility best practices, download this ICS Visibility Guide.