
Jori VanAntwerp
For over two decades, Jori has enabled industrial and IT organizations to be successful in reducing risk, increasing compliance, and improving their overall security efforts. He has had the pleasure of working with companies such as Gravwell, Dragos, CrowdStrike, FireEye, McAfee, and is now CEO & Founder at EmberOT, a cybersecurity startup focused on making security a reality for critical infrastructure.
Perimeter defenses got you through the early game, and east-west traffic is the stage that matters next.
Most OT security programs have done real work on one front: watching the perimeter. Firewalls at the ESP (Electronic Security Perimeter) boundary. Access controls on remote connections. DMZ segmentation between the corporate network and the plant floor. That work matters, and most teams have it well in hand.
The next level is the harder one.
In any decent RPG, the early game teaches you the basic combat system. You learn the controls, level up a bit, get a feel for how the world works. Then the game opens up and the encounters get more interesting. The mechanics change. The bosses have different tells. The skills you built in the early game still matter, but you need new ones to keep up.
Perimeter security is the early game. The next stage is east-west traffic, the lateral communication inside your trust zone, and most monitoring programs are not yet built to see it clearly.
North-South and What Moves Laterally
North-south is the vertical traffic most programs already watch. Data coming into the environment, data going out. Remote user connections. Updates from vendors. Telemetry to cloud services. Your firewall sees most of it. Your SIEM logs what gets through. Your IT security team has spent a decade perfecting the playbook for this lane.
East-west is the lateral traffic inside your trust zone. PLC talking to PLC. HMI talking to RTU. SCADA server pushing commands to field devices. The engineering workstation pulling configurations from a protective relay. This is where your operation actually lives, and it’s where the work gets done when something or someone is already inside.
Most utilities and operators have spent the vast majority of their security attention on the traffic that crosses the perimeter. The traffic that stays inside gets a lot less.
Why East-West Traffic is Where the Real Work Happens
The work that matters most in an OT environment happens laterally. Commands flow from SCADA to field devices. Configuration pulls run from engineering workstations to protective relays. Historians collect telemetry from dozens of PLCs. Vendor maintenance sessions touch equipment during outage windows. A healthy environment generates a steady, predictable pattern of east-west traffic, and that pattern is a rich source of insight.
When something changes, whether it’s a misconfigured automation script, a piece of equipment starting to fail, or an unauthorized action, the change shows up east-west first. North-south tells you what’s coming in and what’s going out. East-west tells you what’s actually happening.
If your monitoring is watching the perimeter and nothing else, you are watching the tutorial area long after the party has moved on.
Why This Is Harder Than It Sounds
If east-west visibility were easy, everyone would have it. There are real reasons most programs don’t.
OT east-west traffic breaks IT monitoring assumptions. Most flow monitoring tools assume TCP handshakes and bidirectional streams. In OT at Purdue Levels 1 and 2, a large share of critical traffic is UDP, broadcast, multicast, or raw Ethernet frames. A Modbus broadcast to unit identifier 0 goes out to every device on a serial segment. GOOSE messages multicast across a substation as raw Ethernet frames with no IP header at all, so there is no 5-tuple to build a flow record from. There is no “flow” in the traditional sense. Tools built for IT flow analysis see a lot of noise and almost no context.
The layers with the most to lose often have the least visibility. Most organizations have decent visibility at Purdue Level 3. The control center is instrumented, the operator dashboards are in place, the network is mostly well-behaved. Below that, at Levels 1 and 2 where the PLCs, RTUs, and protective relays actually run the physical process, the visibility drops off hard. That’s where the physical consequences live. Disruption at those layers is the difference between an inconvenience and a public safety issue. Closing that visibility gap is where the most security and operational value gets unlocked.
Deep packet inspection is the wrong tool for everyday monitoring. DPI is a specialist’s instrument. It’s great for low-level forensic investigation, for incident response deep-dives, for one-off analysis when you need to understand exactly what happened on the wire. It was never meant to be the default engine for continuous, production-scale network monitoring, in IT or in OT. Using DPI as your primary detection mechanism is a tool mismatch, and in OT environments the mismatch gets amplified by hardware constraints that make the deployment hard in the first place. Pick the right tool for the job. For continuous east-west visibility, DPI is not it.
These are solvable problems. They require tooling built for OT realities, not IT tooling dressed up for an industrial audience. That difference is why most “OT security” products from IT vendors perform poorly when they hit the field.
What Good Looks Like
An east-west visibility program that actually works has a few properties that are easy to describe and harder to deliver.
It sees traffic that isn’t TCP. Broadcast, multicast, raw Ethernet frames, all of it. It works at Purdue Levels 1 and 2, not just Level 3. It understands OT protocols well enough to know the difference between a read and a write, between a routine poll and an unusual command. It generates insight that is useful to operators and engineers, not just to security analysts. And it does all of this passively, without injecting latency or introducing new failure modes into control loops that cannot tolerate them.
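To make the two points above concrete (frames without a TCP flow, and telling a read from a write from an unusual command), here is an added example of a passive frame classifier. It is not EmberOT's tooling or the OT PCAP Analyzer; it is illustrative code written for this page. It parses raw Ethernet frames, recognises IEC 61850 GOOSE by its Ethertype (0x88B8, optionally under an 802.1Q tag, with no IP header), parses Modbus/TCP on port 502 into read versus write function codes, and flags a write from a station that is not in a hypothetical learned baseline of known writers. The sample frames, MAC and IP addresses, and the `KNOWN_WRITERS` set are all constructed for the demo; the GOOSE PDU body is a placeholder and is not decoded.

```python
"""Passive east-west frame classifier (illustrative example, not EmberOT's code)."""
import struct

ETHERTYPE_IPV4, ETHERTYPE_VLAN, ETHERTYPE_GOOSE = 0x0800, 0x8100, 0x88B8
MODBUS_PORT = 502
MODBUS_READ_FC = {1, 2, 3, 4}           # read coils/inputs/holding/input registers
MODBUS_WRITE_FC = {5, 6, 15, 16, 23}    # write coil(s)/register(s), read-write multiple


def fmt_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def fmt_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_frame(frame: bytes) -> dict:
    """Summarise one raw Ethernet frame; GOOSE is handled before any IP logic."""
    if len(frame) < 14:
        return {"kind": "runt"}
    dst_mac, src_mac = frame[:6], frame[6:12]
    off = 12
    ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    if ethertype == ETHERTYPE_VLAN:  # GOOSE is commonly priority-tagged; skip the 4-byte tag
        off += 4
        ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    payload = frame[off + 2:]
    if ethertype == ETHERTYPE_GOOSE:
        appid, length = struct.unpack("!HH", payload[:4])  # APPID, Length; Reserved1/2 follow
        return {"kind": "goose", "src": fmt_mac(src_mac), "dst": fmt_mac(dst_mac),
                "appid": appid, "length": length}
    if ethertype == ETHERTYPE_IPV4:
        return parse_ipv4(payload)
    return {"kind": "other", "ethertype": ethertype}


def parse_ipv4(pkt: bytes) -> dict:
    """Pull Modbus/TCP function codes out of an IPv4 packet (checksums are not verified)."""
    ihl = (pkt[0] & 0x0F) * 4
    proto, src_ip, dst_ip = pkt[9], fmt_ip(pkt[12:16]), fmt_ip(pkt[16:20])
    if proto != 6:
        return {"kind": "ip", "proto": proto, "src": src_ip, "dst": dst_ip}
    tcp = pkt[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data = tcp[(tcp[12] >> 4) * 4:]
    if dport == MODBUS_PORT and len(data) >= 8:
        txid, proto_id, length, unit, fc = struct.unpack("!HHHBB", data[:8])  # MBAP header + FC
        if proto_id == 0:  # Modbus protocol identifier is always 0
            op = "read" if fc in MODBUS_READ_FC else "write" if fc in MODBUS_WRITE_FC else "other"
            return {"kind": "modbus", "src": src_ip, "dst": dst_ip, "unit": unit, "fc": fc, "op": op}
    return {"kind": "tcp", "src": src_ip, "dst": dst_ip, "dport": dport}


def review_frames(frames, known_writers):
    """Classify each frame; attach an alert to Modbus writes from stations outside the baseline."""
    results = []
    for frame in frames:
        info = parse_frame(frame)
        if info["kind"] == "modbus" and info["op"] == "write" and info["src"] not in known_writers:
            info["alert"] = f"unexpected write fc={info['fc']} from {info['src']} to {info['dst']}"
        results.append(info)
    return results


# ---- constructed sample frames (hypothetical addresses; not captured traffic) ----
def build_modbus_frame(src_ip: str, dst_ip: str, unit: int, fc: int, pdu_data: bytes) -> bytes:
    mbap = struct.pack("!HHHBB", 1, 0, 2 + len(pdu_data), unit, fc) + pdu_data
    tcp = struct.pack("!HHIIBBHHH", 40001, MODBUS_PORT, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(mbap), 0, 0x4000, 64, 6, 0,
                     bytes(int(x) for x in src_ip.split(".")), bytes(int(x) for x in dst_ip.split(".")))
    eth = bytes.fromhex("001020304050") + bytes.fromhex("001020304060") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp + mbap


def build_goose_frame() -> bytes:
    pdu = b"\x61\x00"  # placeholder goosePdu tag only; a real frame carries the full ASN.1 body
    header = struct.pack("!HHHH", 0x0001, 8 + len(pdu), 0, 0)  # APPID, Length, Reserved1, Reserved2
    eth = bytes.fromhex("010ccd010001") + bytes.fromhex("001020304070")
    vlan = struct.pack("!HH", ETHERTYPE_VLAN, 0x8000)  # priority 4, VLAN 0
    return eth + vlan + struct.pack("!H", ETHERTYPE_GOOSE) + header + pdu


SAMPLE_FRAMES = [
    build_goose_frame(),
    build_modbus_frame("10.1.2.10", "10.1.2.50", 1, 3, struct.pack("!HH", 0, 10)),   # SCADA polls 10 registers
    build_modbus_frame("10.1.2.10", "10.1.2.50", 1, 16, struct.pack("!HHB", 0, 1, 2) + b"\x00\x01"),  # SCADA writes
    build_modbus_frame("10.1.2.77", "10.1.2.50", 1, 5, struct.pack("!HH", 0, 0xFF00)),  # unknown host forces a coil
]
KNOWN_WRITERS = {"10.1.2.10"}  # hypothetical baseline learned from earlier traffic

if __name__ == "__main__":
    for r in review_frames(SAMPLE_FRAMES, KNOWN_WRITERS):
        print(r)
```

The design choice worth noting is the order of checks: GOOSE is matched on the Ethertype before any IP parsing runs, because a flow-based tool that starts from the IP header never sees these frames at all. The baseline is deliberately simple (a set of source addresses seen writing); a real program would key it on source, destination, unit and function code, and learn it over a long enough window to cover outage-window maintenance sessions.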
Whether you build that capability internally, buy it from a vendor, or cobble it together from open-source tooling, the program that delivers those properties is the one that actually earns its keep. The program that skips any of them is still stuck in the early game.
A Place to Start
If you want to see what your east-west traffic actually looks like before you commit to a full monitoring program, grab our OT PCAP Analyzer. It’s a free standalone tool, no strings attached. Feed it a packet capture from your environment and it will identify the OT protocols, map the assets, and give you a human-readable picture of what’s actually moving laterally on your network. It’s built for analysis and learning, a way to see what you have been missing.
Use it. Share it. Bring it to the next team meeting and show your operations folks what their network actually looks like.
The early game got you this far. The next stage is where it gets interesting.
~Jori 🤘🔥
