Typical Industrial Network Topology

Many industrial protocols communicate over Layer 2, and vital device identification information is visible in the broadcast domain. Hence, it is recommended that you get the stream of packet captures from access switches.

A lot of vital device identity information is seen in the communication between the engineering workstation and the controller layer, so placing a sensor where it can tap into this layer is critical. The Network Passive Sensor should get a copy of the traffic between the SCADA servers / operator stations / engineering workstations and the PLC / RTU / IEDs / RIOs, etc. Discovery and configuration of the controllers / drivers / IOs, etc., is most important; hence, ensure that a copy of the traffic between an EWS (engineering workstation) such as Studio 5000 / TIA Portal and the controller layer is covered. Typically, this is the switch between Purdue level 2 and level 1 devices.

To ensure complete visibility, it is recommended that you forward mirrored traffic for the lowest Purdue level to the Network Passive Sensors. The Network Passive Sensors also help with high-level detection of OT endpoints and other devices, such as those in the DMZ and at the Layer 3.5, Layer 3, and Layer 2 Purdue levels. Therefore, it is recommended that you also send a copy of the mirrored traffic from the high Purdue levels of the OT environment to a passive sensor for comprehensive visibility. The Network Passive Sensor can check Windows / Linux / other OS-based assets at a high level. This helps to determine the Qualys Cloud Agent and Qualys Authenticated Scan strategies for these devices.
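
One way to check that a chosen mirror point actually carries the Layer 2 and broadcast-domain traffic discussed above, as an added example (not Qualys code): it classifies raw Ethernet frames by EtherType and destination address, skipping VLAN tags. The function names, the selection of EtherTypes and the sample frames are assumptions constructed for illustration.

```python
import struct
from collections import Counter

# IEEE-registered EtherTypes of some Layer 2 industrial and discovery protocols.
L2_ETHERTYPES = {0x8892: "PROFINET", 0x88A4: "EtherCAT", 0x88B8: "GOOSE",
                 0x88AB: "POWERLINK", 0x88CC: "LLDP"}
VLAN_TAGS = {0x8100, 0x88A8}  # 802.1Q / 802.1ad tags precede the real EtherType


def classify(frame: bytes):
    """Return (L2 protocol name or None, destination is broadcast/multicast)."""
    if len(frame) < 14:
        return None, False
    group = bool(frame[0] & 0x01)  # I/G bit of the destination MAC
    offset = 12
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    while ethertype in VLAN_TAGS and len(frame) >= offset + 6:
        offset += 4  # skip the 4-byte tag (TPID + TCI)
        (ethertype,) = struct.unpack_from("!H", frame, offset)
    return L2_ETHERTYPES.get(ethertype), group


def coverage(frames):
    """Summarise what a mirror port delivers to the sensor."""
    protos, group_frames = Counter(), 0
    for frame in frames:
        name, group = classify(frame)
        group_frames += int(group)
        if name:
            protos[name] += 1
    return {"l2_protocols": dict(protos), "group_frames": group_frames,
            "sees_l2": bool(protos)}


def eth(dst, src, ethertype, vlan=None):
    """Build a constructed Ethernet frame (hypothetical helper for the samples)."""
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    return (bytes.fromhex(dst) + bytes.fromhex(src) + tag
            + struct.pack("!H", ethertype) + bytes(46))


# Constructed samples: an access-switch mirror versus a routed uplink mirror.
ACCESS_SWITCH = [
    eth("010ecf000000", "020000000001", 0x8892, vlan=10),  # PROFINET DCP multicast
    eth("0180c200000e", "020000000002", 0x88CC),           # LLDP
    eth("020000000003", "020000000001", 0x0800),           # IPv4 unicast
]
ROUTED_UPLINK = [eth("020000000003", "020000000001", 0x0800)]

if __name__ == "__main__":
    print("access switch:", coverage(ACCESS_SWITCH))
    print("routed uplink:", coverage(ROUTED_UPLINK))
```

A mirror that reports no Layer 2 protocols and no group-addressed frames is sitting above the broadcast domain and will miss the device identification traffic.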
