In the never-ending quest for visibility and security in your industrial control system (ICS) environment, you’ve probably run into different types of traffic in, out, and through your network.
If you maintain compliance with frameworks like NERC CIP and NIST, you’re likely very familiar with both east-west and north-south traffic.
This blog will focus on what’s happening across east-west traffic and why monitoring it can help you secure your OT (operational technology) environment.
East-West vs. North-South
When operators think of network traffic, they commonly think of traffic traversing multiple network segments or physical locations. This is also known as north-south traffic. Examples of north-south traffic include connections to the internet, the greater business network, or another centralized point within the system.
On the other hand, east-west traffic refers to the communications and traffic between connected devices within a network segment. Usually, these devices are closest to where data originates.
Most of the traffic in OT environments consists of east-west traffic. Remember the previous blog that discussed the devices and data at the OT edge? East-west traffic is usually traffic between OT edge devices. East-west traffic allows OT edge devices (or others within a segment) to operate efficiently and resiliently, with or without external input.
Why Does East-West Traffic Matter?
Common examples of east-west traffic include the data that passes between devices in a production environment. This can include edge devices like sensors, controllers, and PLCs (programmable logic controllers). East-west traffic could also include switch-to-switch traffic within the same network segment.
When it comes to keeping an OT system running and available, east-west traffic and data are key. Consistently monitoring this traffic within your network maintains visibility and has numerous advantages, including making it easier to identify unexpected or anomalous activity. East-west traffic data also arms operators and analysts with enriched data they can use for correction and remediation.
Understanding the assets and devices within a system, along with each asset’s purpose and how it interacts in an OT environment, is essential to maintaining operational safety and efficiency and to detecting threats.
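To make the distinction concrete, here is an added example (not EmberOT code) that labels flow records as east-west or north-south using the definitions above, then lists east-west flows that are absent from a baseline. It assumes each segment can be modeled as one IP subnet; the segment names, addresses, and flow records are all constructed.

```python
import ipaddress
from collections import Counter

# Assumption: each OT segment is modeled as one IP subnet (names and ranges constructed).
SEGMENTS = {
    "cell-1": ipaddress.ip_network("10.10.1.0/24"),
    "cell-2": ipaddress.ip_network("10.10.2.0/24"),
}

# Constructed flow records: (source IP, destination IP, destination port).
BASELINE_FLOWS = [
    ("10.10.1.10", "10.10.1.20", 502),     # within cell-1
    ("10.10.1.20", "10.10.1.30", 44818),   # within cell-1
    ("10.10.1.10", "192.168.50.5", 443),   # leaves the OT segments
]
OBSERVED_FLOWS = BASELINE_FLOWS + [
    ("10.10.1.30", "10.10.1.20", 502),     # new talker pair inside cell-1
    ("10.10.1.10", "10.10.2.20", 502),     # crosses from cell-1 to cell-2
]

def segment_of(ip):
    """Return the segment name containing ip, or None if it is outside all of them."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None

def classify(src, dst):
    """East-west: both endpoints in the same known segment. Anything else is north-south."""
    seg = segment_of(src)
    return "east-west" if seg is not None and seg == segment_of(dst) else "north-south"

def summarize(flows):
    """Count flows per direction."""
    return Counter(classify(s, d) for s, d, _ in flows)

def east_west_tuples(flows):
    return {f for f in flows if classify(f[0], f[1]) == "east-west"}

def new_east_west(baseline, observed):
    """East-west (src, dst, port) tuples seen now but absent from the baseline."""
    return sorted(east_west_tuples(observed) - east_west_tuples(baseline))

if __name__ == "__main__":
    print(dict(summarize(OBSERVED_FLOWS)))
    for flow in new_east_west(BASELINE_FLOWS, OBSERVED_FLOWS):
        print("unbaselined east-west flow:", flow)
```

Flow records like these only exist if the sensor sits inside the segment; a capture point at a segment boundary would see only the north-south rows.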
Achieving Near-Complete OT East-West Traffic Monitoring
Properly securing ICS networks requires a little extra thought and care for the assets in the environment. This is partly because these networks are typically more critical and proprietary than the standard enterprise IT environment, and partly because of the simplicity of the device communications.
Though OT environments may not generate a lot of traffic, the communication data they do generate is often extremely important. However, OT environments can be difficult to monitor because they often use legacy hardware. This is especially true when network monitoring is focused on routers, firewalls, or other network boundaries that don’t capture the communication between devices.
Effectively monitoring and assessing network traffic across OT and IT environments requires a thorough understanding of both the networks’ segmentation and their topology. That knowledge is also vital to ensure secure communication. Without consistent visibility into your OT environment and a full understanding of its devices and segments, you cannot secure the OT environment properly.
EmberOT offers a low-footprint, low- to no-hardware monitoring solution that gives you the visibility you need across your ICS environment. It’s painless to deploy Embers (our software-based sensors) wherever you need them, including at the OT edge.
Our vendor-agnostic solution decouples data collection and analysis from event management. It can send data to any detection platform, SIEM, or data lake. This creates consistent visibility across different network segments and provides a full picture of your environment, enabling operators to turn actionable insights into targeted, direct security efforts.
Interested in learning more? Reach out to us for a demo of the full product. Or, if you want to start with the first few steps on your ICS visibility journey, download our free OT PCAP Analyzer.