Where would be the best mirroring point to accurately detect OT assets?

The most common way to identify and detect assets in an OT environment, safely and at scale, is packet mirroring: copying traffic from a switch SPAN port or a network TAP to a passive sensor that monitors and analyzes it for asset discovery, anomaly detection, intrusion detection, and forensic analysis. Mirroring is passive, so it adds no traffic to the control network, which is why it is preferred over actively scanning PLCs and other fragile devices. NetFlow, SNMP, and WMI can supplement it.

So, where would be the best mirroring point to accurately detect OT assets?


Data Collected by Mirroring, NetFlow, SNMP, and WMI

| Data Collection Method | What It Captures | Use Case in OT Security |
|---|---|---|
| Packet Mirroring (SPAN/TAP) | Full packet data (headers + payload), passively | Deep packet inspection (DPI) of industrial protocols, passive asset discovery, signature-based IDS (Snort, Suricata), forensic analysis |
| NetFlow / sFlow | Flow metadata only (source/destination IP, port, protocol, bytes, duration); no payload | Traffic anomaly detection, DDoS mitigation, bandwidth monitoring |
| SNMP (Simple Network Management Protocol) | Device state polled from network gear (CPU, memory, interface counters, uptime) | Monitoring network device health, detecting performance degradation |
| WMI (Windows Management Instrumentation) | Windows system logs, processes, services, registry changes, queried remotely from Windows hosts | Monitoring OT workstations (HMI/EWS), detecting unauthorized software and system changes |

Recommendation:

  • Packet Mirroring is essential for in-depth security analysis, especially in OT where protocol-specific threats need to be detected, and it is the only one of the four that yields a passive asset inventory: device identity, role, and protocol come from the payload.

  • NetFlow is useful for high-level traffic monitoring (who talks to whom, how much) without full packet capture, but it cannot tell a Modbus register read from a register write to the same PLC.

  • SNMP and WMI are active polling methods: they need credentials and a device that supports the protocol, which excludes most PLCs and embedded controllers, and they report device state rather than industrial protocol traffic. Use them for network and Windows endpoint health monitoring, not as a substitute for mirroring.



Most Appropriate Location for the Mirroring Point in OT Security

Selecting the mirroring point determines what the sensor can see, so it is crucial for effective traffic monitoring. Below are the best locations based on security and network architecture:

Primary Mirroring Points in OT Security

  1. Mirroring Point #01: IT/OT boundary, between Purdue Level 4 (enterprise IT) and Level 3.5 (industrial DMZ) / Level 3 (site operations)

    • Purpose: Monitors traffic entering and leaving the OT environment, typically by mirroring the inside and outside interfaces of the IDMZ firewall, to detect unauthorized access attempts.

    • Detects: Lateral movement from IT into OT, unauthorized remote access, VPN or tunneling attempts. Note that Level 1 controllers never appear here: this point only sees traffic that crosses the boundary.

  2. Mirroring Point #02: Between Purdue Level 3 (SCADA/Historian) and Level 2 (HMI/EWS)

    • Purpose: Provides visibility into the command and response messages between the SCADA/Historian servers and the HMI/EWS hosts.

    • Detects: Unauthorized command injection, abnormal communication patterns, process data manipulation.

  3. Mirroring Point #03: Between Purdue Level 2 (HMI/EWS) and Level 1 (Controllers: PLC/DCS)

    • Purpose: Sees the industrial protocol traffic (Modbus/TCP, DNP3, EtherNet/IP, S7comm and the like) that carries the actual control commands. This is the layer where PLC/DCS controllers are discovered, so it matters most for asset detection.

    • Detects: Rogue devices, unauthorized firmware or logic downloads, command injection, abnormal communication patterns, PLC/DCS manipulation.

Recommendation: For the asset-detection question, Point #03 is decisive. A PLC that only ever exchanges Modbus/TCP with its HMI never crosses the IT/OT boundary, so a sensor at Point #01 cannot inventory it. For best coverage, deploy mirroring at all three layers (IT/OT boundary, SCADA/Historian-HMI/EWS communication, and HMI/EWS-PLC/DCS) and mirror from the access switches or TAPs that carry Level 1/2 traffic; where controllers sit behind unmanaged switches with no SPAN capability, a TAP is the only option. Do not oversubscribe the SPAN destination port: mirrored frames that are dropped are silently missing from the sensor's view.
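To make the placement question concrete, here is an added example (my own code, not from the original post) that builds a few Ethernet/IPv4/TCP frames for each of the three segments above and runs the same passive parser over each. It shows what a sensor at each mirroring point would inventory: the PLC appears only at Point #03, the Modbus register write from the engineering workstation is visible only with payload inspection, and the NetFlow-style view of the same frames reduces to 5-tuples that cannot tell a read from a write, which is the distinction the data-collection table above draws. The segment labels, the port-to-role mapping, Modbus/TCP as the only decoded protocol, and every host and address are assumptions constructed for the demo.

```python
"""Passive OT asset discovery from mirrored frames at each Purdue mirroring point.
Added example, not from the original post; hosts, addresses, segments and the
port-to-role mapping are constructed for the demo. Runs offline."""
import struct
from collections import defaultdict

MODBUS_PORT = 502
MODBUS_FUNCS = {1: "Read Coils", 3: "Read Holding Registers", 5: "Write Single Coil",
                6: "Write Single Register", 8: "Diagnostics", 15: "Write Multiple Coils",
                16: "Write Multiple Registers"}  # public function codes, Modbus spec
WRITE_FUNCS = {5, 6, 15, 16}
# What a TCP server port implies about the asset behind it (demo assumption)
PORT_ROLE = {502: "Modbus/TCP server (PLC/RTU)", 3389: "RDP server (jump host)",
             1433: "MSSQL server (historian)"}

def mac(s): return bytes.fromhex(s.replace(":", ""))
def ip(s): return bytes(int(o) for o in s.split("."))

def build_frame(smac, dmac, sip, dip, sport, dport, payload: bytes) -> bytes:
    """Ethernet II / IPv4 / TCP frame; checksums left 0 (a passive sensor parses
    headers and does not validate end-to-end checksums)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    iph = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                      0x1234, 0x4000, 64, 6, 0, ip(sip), ip(dip))
    return struct.pack("!6s6sH", mac(dmac), mac(smac), 0x0800) + iph + tcp + payload

def modbus_adu(tid, unit, func, data: bytes) -> bytes:
    """MBAP header (transaction id, protocol id 0, length, unit id) + PDU."""
    pdu = bytes([func]) + data
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def parse_frame(frame: bytes) -> dict:
    dmac, smac, etype = struct.unpack("!6s6sH", frame[:14])
    if etype != 0x0800:
        raise ValueError("IPv4 only in this demo")
    ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
    tcp = frame[14 + ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    payload = tcp[(tcp[12] >> 4) * 4:]
    rec = {"smac": smac.hex(":"), "dmac": dmac.hex(":"), "sport": sport, "dport": dport,
           "sip": ".".join(map(str, frame[26:30])), "dip": ".".join(map(str, frame[30:34])),
           "len": len(frame), "modbus": None}
    if proto == 6 and MODBUS_PORT in (sport, dport) and len(payload) >= 8:
        tid, pid, length, unit = struct.unpack("!HHHB", payload[:7])
        if pid == 0:  # protocol id 0 in the MBAP header identifies Modbus
            rec["modbus"] = {"unit": unit, "func": payload[7] & 0x7F}
    return rec

def inventory(frames) -> dict:
    """Assets visible from one mirroring point: ip -> mac, roles, protocols. The MAC is
    the asset's own only on its L2 segment; across a router it is the gateway's MAC."""
    assets = defaultdict(lambda: {"mac": None, "roles": set(), "protocols": set()})
    for r in map(parse_frame, frames):
        assets[r["sip"]]["mac"], assets[r["dip"]]["mac"] = r["smac"], r["dmac"]
        if r["dport"] in PORT_ROLE:  # the side serving a known port reveals its role
            assets[r["dip"]]["roles"].add(PORT_ROLE[r["dport"]])
            if r["dport"] == MODBUS_PORT:
                assets[r["sip"]]["roles"].add("Modbus/TCP client (HMI/SCADA/EWS)")
        if r["modbus"]:
            for host in (r["sip"], r["dip"]):
                assets[host]["protocols"].add("Modbus/TCP")
    return {h: {"mac": a["mac"], "roles": sorted(a["roles"]),
                "protocols": sorted(a["protocols"])} for h, a in assets.items()}

def control_writes(frames) -> list:
    """Modbus requests that change controller state; only payload inspection shows them."""
    return [(r["sip"], r["dip"], r["modbus"]["unit"], MODBUS_FUNCS[r["modbus"]["func"]])
            for r in map(parse_frame, frames)
            if r["modbus"] and r["dport"] == MODBUS_PORT and r["modbus"]["func"] in WRITE_FUNCS]

def netflow_view(frames) -> dict:
    """What NetFlow exports for the same frames: 5-tuple -> bytes. No payload, so a
    register write and a register read to the PLC look alike."""
    flows = defaultdict(int)
    for r in map(parse_frame, frames):
        flows[(r["sip"], r["sport"], r["dip"], r["dport"], "tcp")] += r["len"]
    return dict(flows)

# Constructed hosts (made-up addresses) on the three segments named in the post
IT_WS, JUMP, HIST, HMI, EWS, PLC = ("10.10.1.50", "172.16.35.10", "172.16.3.21",
                                    "172.16.2.30", "172.16.2.40", "172.16.1.101")
M = {h: f"02:00:00:00:00:{i:02x}" for i, h in enumerate((IT_WS, JUMP, HIST, HMI, EWS, PLC), 1)}
P1, P2, P3 = ("#01 IT/OT boundary (L4-L3.5)", "#02 SCADA/Historian-HMI/EWS (L3-L2)",
              "#03 HMI/EWS-PLC (L2-L1)")
TRAFFIC = {
    P1: [build_frame(M[IT_WS], M[JUMP], IT_WS, JUMP, 51000, 3389, b"\x03\x00\x00\x13")],
    P2: [build_frame(M[HMI], M[HIST], HMI, HIST, 51500, 1433, b"\x12\x01\x00\x2f")],
    P3: [build_frame(M[HMI], M[PLC], HMI, PLC, 52000, 502, modbus_adu(1, 1, 3, b"\x00\x00\x00\x0a")),
         build_frame(M[PLC], M[HMI], PLC, HMI, 502, 52000, modbus_adu(1, 1, 3, b"\x14" + bytes(20))),
         build_frame(M[EWS], M[PLC], EWS, PLC, 52100, 502,
                     modbus_adu(7, 1, 16, b"\x00\x10\x00\x01\x02\x01\xf4"))],
}

if __name__ == "__main__":
    for point, frames in TRAFFIC.items():  # the PLC shows up only at Point #03
        print(point, sorted(inventory(frames).items()), control_writes(frames), sep="\n  ")
    print("NetFlow view of", P3, netflow_view(TRAFFIC[P3]), sep="\n  ")
```

Run it as a script to print the per-point inventory. In a real deployment the frames arrive from a SPAN session or TAP on the sensor's capture interface, and the parser is a full DPI engine (Zeek with its ICS analyzers, Suricata, or a commercial OT monitoring product) covering many more protocols; the placement conclusion is the same.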



Recap: Mirroring passively at all three layers, and above all at the Level 2/Level 1 boundary where controllers actually communicate, gives OT security teams an accurate asset inventory and the visibility they need for rapid response to cyber threats in industrial environments.


#CPS #OT #XIoT #IoT #IIoT #IoMT #CPSSecurity #OTSecurity #IoTSecurity

