
Visibility In, Out, All Around: Monitoring East-West Traffic in OT Environments


In the never-ending quest for visibility and security in your ICS (industrial control system) environment, you’ve probably run into different types of traffic in, out, and through your network.

If you need to maintain compliance with frameworks like NERC CIP and NIST, you’re likely very familiar with both east-west and north-south traffic.

This blog will focus on what’s happening across east-west traffic and why monitoring it can help you secure your OT (operational technology) environment.

East-West vs. North-South

When people think of network traffic, they commonly think of traffic traversing multiple network segments, or physical locations, which is also known as north-south traffic. This could include connections to the internet, the greater business network, or another centralized point.

On the other hand, east-west traffic refers to the communications and traffic within a network segment, between connected devices. These devices most often reside closest to where data originates.

Most of the traffic in OT environments consists of east-west traffic. Remember when we talked about devices and data at the edge? East-west traffic is the most common type of traffic between OT edge devices, which is what allows them to operate efficiently and resiliently with or without external input.

Why Does East-West Traffic Matter?

Common examples of east-west traffic in an OT environment include the data that passes between devices in a production environment, like sensors, controllers, and PLCs (programmable logic controllers). East-west traffic could also include switch-to-switch traffic within the same network segment.

The data and information contained within east-west traffic in an ICS environment is often the key to keeping the system running and available. Maintaining consistent visibility into the traffic within your network makes it easier to identify unexpected or anomalous activity. This also allows you to arm operators and analysts with enriched data they can use for correction and remediation.

Understanding the assets and devices along with their purpose and how they interact in an OT environment is essential for safety, efficiency, and threat detection.

Achieving Near-Complete Visibility

ICS networks are typically more critical and proprietary than the standard enterprise IT environment. Properly securing these networks requires a little extra thought and care for the assets in the environment and how they interact, especially given the simplicity of their communications.

OT environments with legacy hardware can be difficult to monitor. Though these devices may not generate a lot of traffic, the communication data they generate is often highly important. Monitoring is especially difficult when it is focused on routers, firewalls, or other network boundaries, which don’t capture the communication between devices.
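To make the boundary blind spot concrete, here is an added example (not SynSaber code) that classifies flow records as east-west or north-south using this post's definitions, then shows which flows a boundary-only sensor would see and which east-west device pairs are new against a baseline. The segment names, CIDR ranges, addresses, and flow records are all constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed segment map (assumption): two OT cells and a business network.
SEGMENTS = {
    "cell-a": ipaddress.ip_network("10.10.1.0/24"),
    "cell-b": ipaddress.ip_network("10.10.2.0/24"),
    "business": ipaddress.ip_network("10.20.0.0/16"),
}

# Constructed flow records: (src, dst, dst_port). 502 = Modbus/TCP, 44818 = EtherNet/IP.
BASELINE = [
    ("10.10.1.10", "10.10.1.20", 502),    # HMI -> PLC, inside cell-a
    ("10.10.1.20", "10.10.1.30", 44818),  # PLC -> I/O adapter, inside cell-a
    ("10.10.2.10", "10.10.2.20", 502),    # HMI -> PLC, inside cell-b
    ("10.10.1.10", "10.20.5.5", 443),     # HMI -> business network, crosses segments
]
# Same traffic plus one device pair never seen before inside cell-a.
OBSERVED = BASELINE + [("10.10.1.55", "10.10.1.20", 502)]

def segment_of(ip):
    """Return the name of the segment containing ip, or 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "external"

def classify(flow):
    """East-west if both endpoints sit in the same known segment, else north-south."""
    src_seg, dst_seg = segment_of(flow[0]), segment_of(flow[1])
    same_segment = src_seg == dst_seg and src_seg != "external"
    return "east-west" if same_segment else "north-south"

def summarize(flows):
    """Count flows per traffic direction."""
    return Counter(classify(f) for f in flows)

def boundary_visible(flows):
    """Flows a sensor at a router or firewall sees: only those that leave a segment."""
    return [f for f in flows if classify(f) == "north-south"]

def new_east_west(baseline, observed):
    """East-west flows in observed that the baseline never contained."""
    known = {f for f in baseline if classify(f) == "east-west"}
    return sorted({f for f in observed if classify(f) == "east-west"} - known)

if __name__ == "__main__":
    print("direction counts:", dict(summarize(OBSERVED)))
    print("seen at boundary:", boundary_visible(OBSERVED))
    print("new east-west pairs:", new_east_west(BASELINE, OBSERVED))
```

The new Modbus/TCP pair inside cell-a appears only in the east-west set, so a sensor placed at the segment boundary never records it.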

Securing network traffic across OT and IT environments also requires a thorough understanding of both networks’ segmentation and topology. Visibility into your OT environment, and knowing which devices and segments are there, is key to securing them properly.

SynSaber offers a low-footprint, low- to no-hardware monitoring solution that gives you the visibility you need across your ICS environment. Deploy Sabers (our software-based sensors) wherever you need them, including at the OT edge.

Visibility across different network segments provides a full picture of your environment with actionable insight so you know where to direct your security efforts. SynSaber’s vendor-agnostic solution decouples data collection and analysis from event management and can send data to any detection platforms, SIEMs, and data lakes.

Interested in learning more? Reach out to us for a demo of the full product, or download our free OT PCAP Analyzer to get started on your ICS visibility journey.