Choosing between TAP and SPAN ports for an ICS security solution

Securing and monitoring an industrial network is the ultimate goal for companies. To accomplish this goal, teams utilize industrial control system (ICS) security solutions designed to respond and manage threats in OT environments efficiently. To properly identify, detect, and respond to security threats and breaches, many ICS security tools focus on network visibility, threat detection and monitoring, and asset visibility and management.

When implementing these security solutions, OT teams face complex challenges around architecting connectivity throughout these large, and sometimes aging, infrastructures that weren’t initially designed with network security in mind, including:

• Relying on legacy switch SPAN ports for visibility, that aren’t secure, reliable or available
• Facing different media or speed connections between the network and various tools
• Network sprawl with a need to reduce network complexity
• May require unidirectional connectivity for their monitoring tools
• Require a secure air-gapped solution for virtual environments.
• Fortunately, these challenges have solutions. Optimized security and performance strategies start with 100% visibility into network traffic. And visibility starts with the packet.

A common access point for network visibility in OT environments has been from SPAN ports on a network switch. Many times, an engineer will connect directly to intrusion detection systems (IDS), or network monitoring tools.

But today, in modern ICS networks there is a more reliable option to access network packets for security and monitoring solutions to properly analyze threats and anomalies – network TAPs.

TAP vs. SPAN in OT environments

Determining when you use switched port analyzer (SPAN) ports or network TAPs comes down to a multitude of issues. Many times, a combination of the two is a visibility architecture reality. But there are some significant differences which affect the integrity of the traffic that is being analyzed, as well as the performance of the network traffic. Consider the pros and cons of each to help decide what works best for the particular network.

1. Switch SPAN ports

A common visibility use case is to route mirrored traffic from a SPAN port on the switch to a security or monitoring tool. Port mirroring, also known as SPAN, is a designated port on a network switch that is programmed to mirror, or send a copy, of network packets seen on a specific port, where the packets can be analyzed.

SPAN port pros:

• Provides access to packets for monitoring
• SPAN sessions do not interfere with the normal operation of the switch
• Configurable from any system connected to the switch.

The concept is simple enough — the switch is already architected into the environment. Just hook up the security solution. Many times, though, the simplest path isn’t the best path.

SPAN port cons:

• SPAN takes up high value ports on the switch
• Some legacy switches do not have SPAN ports even available
• SPAN ports can drop packets, an additional risk for security and regulatory solutions.

One of the fundamental reasons security teams do not like to use SPAN is because of dropped packets. This usually happens when the port is heavily utilized or oversubscribed. In OT environments, network switches tend to run 10 MB, 100 MB, up to 1 GB so you may think this will never happen. Unfortunately, ICS switches are prone to drop packets at a lower speed, even when network links are not saturated. This can happen for a variety of reasons:

• Packets sometimes can’t be stored because of a memory shortage
• ‘PAUSE’ frame attack. A bad actor can flood the SPAN disguised as a loopback, hiding bad data and forcing dropped packets
• Packets showing a broken cyclic redundancy check (CRC) will be dropped
• Frames smaller than 64 bytes or bigger than the configured maximum transmission unit (MTU) can be dropped because of an ingress rate limit.

If dropping the packets isn’t an eye opener, SPAN also:

• Will not pass corrupt packets or errors
• Can duplicate packets if multiple VLANs are used
• Can change the timing of the frame interactions, altering response times.

The SPAN concept may have sounded easy because it was available, but after weighing packet loss and altered frames, additional SPAN security considerations include:

• Bidirectional traffic opens back flow of traffic into the network, making switch susceptible to hacking
• Administration/programming costs for SPAN gets progressively more time intensive and costly.

2. Network TAPs

The industry best practice for packet visibility are network TAPs (test access points). Network TAPs are purpose-built hardware devices that create an exact full duplex copy of the traffic flow, continuously, 24/7 without compromising network integrity.

Instead of connecting two network segments, such as routers and switches, directly to each other, the network TAP is placed between them to gain complete access to traffic streams. TAPs transmit the send and receive data streams simultaneously on separate dedicated channels, ensuring all data arrives at the monitoring or security device in real time.

• Network TAPs make a 100% full duplex copy of network traffic
• Network TAPs do not alter the data or dropping packets
• Network TAPs are scalable and can provide a single copy, multiple copies (regeneration), or consolidate traffic (aggregation) to maximize the production of monitoring tools.

– This article originally appeared on Industrial Defender’s website. Industrial Defender is a CFE Media content partner. Edited by Chris Vavra, web content manager, CFE Media, cvavra@cfemedia.com.

Original content can be found at www.industrialdefender.com.

Do you have experience and expertise with the topics mentioned in this content? You should consider contributing to our CFE Media editorial team and getting the recognition you and your company deserve. Click here to start this process.