During a customer presentation, the customer asked me an important question: “If the IDS device connected to the core switch in the plant gets hacked, wouldn’t it become a major security concern? The hacker could then easily access the OT network, which contains legacy devices and vulnerabilities.”
The main concerns were:
- How safe is it to connect an IDS solution (Nozomi Guardian, Armis, Claroty, D4IoT etc.) to the OT network?
- Can the IDS be hacked?
- What impact will there be on the production network if the IDS device encounters issues?
So, is an IDS device really safe to connect to an OT network?
The answer is “YES”. It is completely safe to connect an IDS device for network monitoring to an OT core switch, for the following reasons.
1. The SPAN/mirror port on the switch that feeds the appliance is configured for output traffic only: mirrored traffic flows from the switch to the IDS device, and nothing flows back from the IDS device to the switch.
2. The IDS appliance's monitoring ports are configured as read-only: they accept the mirrored traffic and never inject packets.
3. In Nozomi, around 90 different alert types can be triggered, and each alert typically has an associated PCAP file for detailed analysis. Not every alert type generates a PCAP, however; in particular, malware-related alerts have no PCAP attached. This indicates that Nozomi avoids storing any malware-related files on the IDS device.
4. All of these appliances function as passive monitoring devices, with no agents installed on any OT device. The IDS simply listens to the traffic from the SPAN port, so even if the appliance encounters issues, the OT network remains unaffected.
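Points 1 and 2 are configuration claims that can be audited rather than taken on trust. The script below is an added example, not code from the original post or from any IDS vendor; it assumes a Cisco IOS style SPAN configuration (the post does not name a switch vendor) and a Linux-based sensor whose capture interface is inspected with `ip addr show`. Both inputs are constructed samples embedded inline. On the switch side it flags any SPAN destination that carries the `ingress` keyword, which would let the monitoring port send frames back into the switch; on the sensor side it flags a capture interface that has an IP address or ARP enabled, i.e. one that could talk to the network instead of only listening.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: fragment of a Catalyst running-config (hypothetical plant switch).
# Session 1 is a correct receive-only mirror; session 2 has 'ingress' enabled.
SAMPLE_RUNNING_CONFIG = """\
!
monitor session 1 source interface Gi1/0/1 - 8 both
monitor session 1 source vlan 100 rx
monitor session 1 destination interface Gi1/0/24
!
monitor session 2 source vlan 200 both
monitor session 2 destination interface Gi1/0/23 ingress vlan 200
!
"""

# Constructed sample: `ip addr show eth1` on a sensor whose capture port is listen-only
# (promiscuous, no ARP, no addresses).
SAMPLE_IP_ADDR_OK = """\
3: eth1: <BROADCAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
"""

# Constructed sample: the same interface misconfigured with ARP and IP addresses.
SAMPLE_IP_ADDR_BAD = """\
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
    inet 10.10.5.7/24 brd 10.10.5.255 scope global eth1
    inet6 fe80::1/64 scope link
"""


@dataclass
class SpanSession:
    number: int
    sources: List[str] = field(default_factory=list)
    destination: Optional[str] = None
    ingress_enabled: bool = False


SESSION_RE = re.compile(r"^monitor session (\d+) (source|destination) (.*)$")


def parse_span_sessions(config: str) -> Dict[int, SpanSession]:
    """Collect SPAN sessions from running-config text, keyed by session number."""
    sessions: Dict[int, SpanSession] = {}
    for line in config.splitlines():
        m = SESSION_RE.match(line.strip())
        if not m:
            continue
        num, kind, rest = int(m.group(1)), m.group(2), m.group(3)
        session = sessions.setdefault(num, SpanSession(num))
        tokens = rest.split()
        if kind == "source":
            session.sources.append(rest)
        else:
            # "interface Gi1/0/24 [ingress ...]": token[1] is the port name.
            session.destination = tokens[1]
            # The 'ingress' keyword lets the destination port accept frames from
            # the attached device; a receive-only mirror must not have it.
            session.ingress_enabled = "ingress" in tokens
    return sessions


def span_findings(config: str) -> List[str]:
    """Return one finding per SPAN session whose destination can inject traffic."""
    findings = []
    for s in parse_span_sessions(config).values():
        if s.ingress_enabled:
            findings.append(
                f"session {s.number}: destination {s.destination} has 'ingress' enabled; "
                f"the IDS port could send frames into the switch"
            )
    return findings


def capture_iface_findings(ip_addr_output: str) -> List[str]:
    """Check `ip addr show <iface>` output for a listen-only capture interface."""
    lines = ip_addr_output.splitlines()
    flags = set(re.search(r"<([^>]*)>", lines[0]).group(1).split(","))
    findings = []
    if "PROMISC" not in flags:
        findings.append("interface is not in promiscuous mode; mirrored frames may be dropped")
    if "NOARP" not in flags:
        findings.append("ARP is enabled; the sensor could answer ARP on the OT segment")
    for line in lines[1:]:
        text = line.strip()
        if text.startswith(("inet ", "inet6 ")):
            findings.append(f"interface has address {text.split()[1]}; capture ports should be unaddressed")
    return findings


if __name__ == "__main__":
    for f in span_findings(SAMPLE_RUNNING_CONFIG):
        print("SWITCH:", f)
    for label, sample in (("ok", SAMPLE_IP_ADDR_OK), ("bad", SAMPLE_IP_ADDR_BAD)):
        print(f"SENSOR ({label}):", capture_iface_findings(sample) or "listen-only, no findings")
```

Run it against a real `show running-config` export and the sensor's `ip addr show` output to turn points 1 and 2 into a repeatable check; an empty findings list on both sides is the state the post describes.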
I hope it is now clear to everyone why an IDS device is absolutely safe to connect to an OT network 🙂