OT network visibility is the foundation of detection, incident response, and safe modernization in ICS/SCADA environments. The safest way to gain it is passive monitoring—observing traffic without inserting devices into control paths.
Two primary methods feed passive sensors:
- Network TAPs: purpose-built hardware that copies traffic with high fidelity and minimal operational risk.
- SPAN ports (port mirroring): switch features that copy traffic to a monitoring port, cheaper and faster but easier to misconfigure and more prone to blind spots under load.
This guide explains, in operational terms, when to use each, how to deploy them safely, where to place sensors across OT zones, how to avoid packet loss and mirror loops, and how to build a visibility architecture that supports availability-first operations.
OT network visibility is best achieved through passive monitoring using network TAPs or SPAN ports to copy traffic to sensors without impacting control communications. TAPs provide the most reliable packet copies and reduce outage risk, while SPAN is cheaper and faster but can drop packets under congestion and is easier to misconfigure. A strong OT visibility design places sensors at key conduits (IT/OT boundary, DMZ-to-OT, and cell/area zones), validates mirror fidelity, and operationalizes alerts into OT-safe runbooks.
Why OT Network Visibility Is Different From IT Monitoring
In enterprise IT, you can often “instrument everything”: agents on endpoints, inline proxies, endpoint detection everywhere, frequent changes, frequent patching.
In OT, that approach can backfire because many industrial environments have:
- deterministic or near-deterministic traffic expectations
- legacy devices that are sensitive to malformed frames, retransmits, or latency
- limited maintenance windows
- vendor constraints on what can be installed or changed
- safety and availability priorities that outrank most “security hygiene” defaults
So OT visibility must be designed to be:
- non-intrusive
- predictable
- recoverable
- auditable
- operationally maintainable
Passive network monitoring—done correctly—meets these goals better than most alternatives.
What “Visibility” Actually Means in OT (Not Just Packets)
It’s tempting to define visibility as “we can capture packets.” In OT, real visibility is broader:
1) Asset visibility
- What devices exist (PLCs, RTUs, HMIs, historians, switches)
- Where they sit (zone/cell)
- What they talk to (peers, services, ports, protocols)
2) Communication visibility
- Which flows are expected vs new/unexpected
- Which protocols are used (e.g., Modbus/TCP, DNP3, EtherNet/IP, PROFINET, OPC UA)
- Which conduits cross zones (DMZ to supervisory, supervisory to control)
3) Behavioral visibility
- New “talkers”
- Scans and sweeps
- Configuration/program changes (where detectable)
- Unauthorized remote access patterns
4) Operational visibility (OT-specific)
- Loss of view indicators (HMI/SCADA disruptions)
- Time drift and sequence-of-events anomalies
- Broadcast storms and topology loops impacting control
A well-designed passive monitoring program supports all four layers.
Passive Monitoring Basics: What You’re Building
At a high level, OT passive monitoring looks like this:
Key architectural idea: copy traffic at choke points (conduits) and analyze it out-of-band.
Benefits in OT
- No inline latency
- Reduced risk of “security device caused outage”
- Easier rollback (remove/disable a mirror; bypass a TAP path)
- Stronger separation between monitoring and control
The tradeoff
Passive monitoring sees what crosses the wire. If an event doesn’t generate network artifacts (e.g., someone changes a setpoint locally on a controller with no network trace), you need complementary sources (logs, engineering workstation auditing, physical access controls). Passive monitoring is foundational—but not the entire program.
TAPs vs SPAN Ports: The Practical Comparison
Below is a field-friendly comparison oriented around OT realities.
Quick Comparison Table
| Category | Network TAP | SPAN / Port Mirroring |
|---|---|---|
| Reliability of packet copies | High (purpose-built) | Medium (depends on switch load/config) |
| Risk of dropping mirrored packets | Low | Higher under congestion/oversubscription |
| Impact on production traffic | Typically none (out-of-band) | Typically none, but misconfig can cause issues |
| Failure modes | Usually fail-open for link (varies by TAP type) | Misconfig can mirror wrong VLANs/ports or create loops |
| Visibility fidelity | High (captures errors/physical-layer characteristics depending on TAP type) | Lower (often won’t mirror certain errors; depends on platform) |
| Deployment speed | Moderate (requires hardware insertion) | Fast (configuration change only) |
| Cost | Higher (hardware + sometimes aggregation) | Lower (uses existing switches) |
| Best use cases | Critical conduits, high assurance monitoring, compliance | Quick wins, lab/temporary monitoring, low-risk segments |
What Is a Network TAP?
A TAP (Test Access Point) is a hardware device inserted into a network link that copies traffic to one or more monitor ports.
Common types:
- Copper TAPs for electrical Ethernet links
- Fiber TAPs that use optical splitting
- Aggregation TAPs that combine RX/TX into one monitor stream
- Regeneration TAPs that feed multiple tools
- Bypass TAPs used with inline tools (not the focus here, but relevant)
Why TAPs are loved in OT
OT teams want predictability. TAPs are simple in concept: they copy what traverses the link, regardless of switch CPU load or mirror configuration quirks.
A key OT caution
Installing a TAP often requires a brief link interruption to insert it—so you must coordinate downtime windows, redundancy, and rollback plans.
What Is a SPAN Port?
A SPAN (Switched Port Analyzer) port is a switch feature that mirrors traffic from one or more source ports/VLANs to a destination (monitor) port.
Variants include:
- Local SPAN: source and destination on the same switch
- RSPAN: mirrored traffic carried across switches via a dedicated VLAN
- ERSPAN: mirrored traffic encapsulated (often in GRE) and sent to a remote analyzer
Why SPAN is popular in OT
- No hardware insertion
- Quick to enable for troubleshooting
- Often “free” if you already own managed switches
Why SPAN can be risky for “truth-grade” monitoring
- The mirror can drop packets under load
- Oversubscription is common (mirroring multiple sources into one destination)
- Misconfiguration can create confusing blind spots (wrong VLANs, directionality issues)
Choosing TAP vs SPAN: A Decision Framework for OT
If you only remember one thing, remember this:
Use SPAN for speed and troubleshooting. Use TAPs for accuracy and long-term OT security monitoring—especially at critical conduits.
Use TAPs when…
- The link is a critical conduit (DMZ-to-OT, supervisory-to-control, control-to-safety where applicable)
- You need high fidelity for detection/forensics
- You expect high utilization or bursty traffic
- You need consistent evidence for audits or incident response
- You can schedule a maintenance window for insertion
Use SPAN when…
- You need a fast visibility win without touching cabling
- The segment is lower criticality (e.g., operations services zone)
- You are troubleshooting and can accept potential drops
- You have a trusted switch platform and skilled admins
- You can validate mirror fidelity with a test plan
A practical hybrid approach (recommended)
- Start with SPAN to get early visibility.
- Migrate critical conduits to TAPs over time.
- Keep SPAN capability as a “break glass” diagnostic tool.
Where to Place Passive Monitoring in OT (Visibility by Conduit)
You get the best results when you monitor where zones connect.
The highest-value sensor placements (in priority order)
1) IT/OT boundary
Goal: detect threats crossing from enterprise into industrial environments and track data exfiltration or misuse of broker services.
Monitor points:
- firewall outside interface (IT side)
- firewall inside interface (DMZ side)
Why it matters:
A large share of OT incidents start as IT compromise and pivot.
2) OT DMZ to OT (supervisory/operations services)
Goal: observe remote access, historian replication, patch staging traffic, identity/auth dependencies, and any “oops we bridged networks” events.
Monitor points:
- DMZ firewall OT-facing interfaces
- jump host outbound segments
- data broker links
3) Supervisory to control (Level 2 to Level 1)
Goal: detect lateral movement and suspicious commands or scanning behavior near PLCs.
Monitor points:
- distribution switch uplinks into control cells
- inter-zone firewalls/ACL choke points
This is often where an attacker’s actions start to translate into process risk.
4) Cell/area boundaries (within control)
Goal: reduce blast radius and detect east-west spread across lines/skids.
Monitor points:
- line switches uplinks
- between vendor skid and plant network (excellent ROI)
5) Remote access ingress points
Goal: tie visibility to identity and sessions.
Monitor points:
- remote access gateway segments in DMZ
- jump host NICs (via TAP/SPAN on their switchports)
A reference monitoring layout
Designing for Availability: OT-Safe Passive Monitoring Principles
Passive monitoring is “safer” than inline security—but it still has failure modes. Design to avoid becoming the cause of a production incident.
Principle 1: Monitoring must be out-of-band
- No inline dependencies
- No “monitoring port also used for production”
- No accidental bridging between zones
Principle 2: Prefer “do no harm” network changes
- SPAN configuration should be change-controlled
- TAP insertion should be planned with a rollback
- Avoid touching PLC switchports during peak operations
Principle 3: Monitoring should not overload switches
- SPAN uses switch resources; excessive mirroring can impact performance
- RSPAN/ERSPAN can add overhead and complexity
Principle 4: Monitoring must be survivable
- If the sensor dies, operations should continue normally
- If the monitoring link saturates, production should not be impacted
SPAN Port Best Practices in OT (Avoiding the Common Traps)
SPAN is deceptively easy. In OT, small mistakes become long outages or silent blind spots.
Trap #1: Oversubscribing the destination port
If you mirror two 1 Gbps links into one 1 Gbps monitor port, you’re asking for drops. Even mirroring one busy link into a 1 Gbps destination can drop during bursts.
Rule of thumb:
- Mirror less, not more.
- Prefer mirroring uplinks or conduits instead of many edge ports.
- Use higher-speed monitor ports where possible.
Trap #2: Mirroring the wrong direction or missing VLAN tags
Some switches allow:
- ingress only
- egress only
- both
If you mirror only one direction, you may miss request/response context for ICS protocols.
Also ensure your sensor understands VLAN tags if mirrored traffic includes them.
Trap #3: Mirror loops and accidental flooding
Misconfiguring a SPAN destination port as a normal access/trunk port, or connecting it into another switch incorrectly, can create weird behavior.
Hard requirement:
- The destination SPAN port should connect only to the sensor and be configured appropriately (often as a dedicated monitor port with no normal switching).
Trap #4: RSPAN/ERSPAN complexity and troubleshooting overhead
RSPAN/ERSPAN is attractive when sensors aren’t physically nearby. But it adds:
- encapsulation overhead (ERSPAN)
- special VLAN handling (RSPAN)
- extra failure points and configuration drift risk
In OT, prefer simple unless you truly need remote mirroring.
A SPAN validation checklist (operationally realistic)
Before you trust SPAN for security monitoring:
- Confirm you are mirroring both directions
- Confirm you are mirroring the correct source (port or VLAN)
- Measure mirror drop rate during peak operations (if possible)
- Validate VLAN tagging behavior end-to-end
- Confirm the destination port cannot accidentally forward traffic
- Document the change, owner, and rollback steps
TAP Best Practices in OT (High Fidelity Without Surprises)
TAPs are generally more reliable, but you still need to deploy them correctly.
TAP deployment considerations
1) Link interruption planning
Inserting a TAP usually requires disconnecting the link briefly.
Mitigation:
- do it during maintenance windows
- consider redundancy (dual uplinks) where possible
- coordinate with operations (alarm handling, mode changes)
2) Copper vs fiber
- Fiber TAPs can be extremely stable and are common in high-reliability designs.
- Copper TAPs are simpler where fiber isn’t present.
3) Aggregation and tool port sizing
Many TAPs output separate RX and TX monitor streams, which may require:
- two sensor interfaces, or
- an aggregator that combines them
Make sure your sensor can ingest what the TAP produces.
4) Power and fail modes
Some TAP designs are passive; others need power (especially aggregation/regeneration). Understand fail-open behavior and document it.
TAP placement patterns that work well
- Between DMZ firewall and OT firewall/switch
- Between supervisory distribution and control distribution
- Between plant core and a vendor skid switch
- Between wireless bridges and the wired control segment (if applicable)
These locations maximize “visibility per TAP.”
Sensor and Collector Architecture: What Happens After the Copy
Passive visibility isn’t just TAP/SPAN. You need a pipeline that turns packets into useful outcomes.
Reference architecture (vendor-neutral)
[TAP/SPAN] --> [Packet sensor] --> [Local collector/storage] --> [Analytics + alerting] --> [SIEM/SOAR + OT runbooks]Components (what they do)
- Packet sensor: captures traffic, extracts metadata, decodes ICS protocols
- Collector/storage: stores flows, logs, sometimes PCAP samples
- Analytics: baselines, anomaly detection, asset mapping, alerting
- Integration: forwarding critical events to SOC; OT-facing dashboards for engineers
OT-specific requirement: local survivability
Design so monitoring continues even if:
- the enterprise SIEM is unreachable
- WAN links fail
- IT network is down during incident containment
Sizing: How to Avoid Packet Loss and Blind Spots
Packet loss is the silent killer of monitoring programs. In OT, you may not need to capture everything, but you must be deliberate about what you capture and at what fidelity.
Three common capture strategies
1) Metadata/flow-first (recommended baseline)
Capture:
- flow records
- protocol transactions
- asset inventory data
- selected payload fields (where safe/appropriate)
Pros: scalable, lower storage
Cons: less forensic detail than full PCAP
2) Full PCAP at key conduits (selective)
Capture full packets:
- only at critical choke points
- often with rolling buffers (hours/days), not permanent
Pros: strong forensics
Cons: storage and processing heavy
3) Event-triggered PCAP
Always collect metadata; only save PCAP when:
- an alert triggers
- a new talker appears
- an engineering action is detected
Pros: balances cost and depth
Cons: depends on good triggering logic
Throughput math (simple, planning-grade)
If a mirrored link averages R Mbps and you retain T seconds of PCAP, approximate storage is:
Storage (MB)≈8R⋅T
Example: R=50 Mbps, T=86,400 seconds (1 day)
Storage≈850⋅86,400=540,000 MB≈540 GB/day
That’s why most OT programs do selective PCAP plus broad metadata.
Protocol Context: What Passive Monitoring Can Reveal in OT
Passive monitoring becomes powerful when it understands industrial protocols—not just ports and IPs.
Common OT protocol visibility outcomes
- Identify PLCs, HMIs, engineering stations by traffic signatures
- Detect unauthorized programming traffic (where protocol supports it)
- Detect unexpected function codes (e.g., write operations vs reads)
- Alert on new communications paths crossing zones
- Baseline normal cyclic traffic and spot deviations
Practical examples of “high-signal” detections
- New host sending write commands to controllers
- Engineering protocol traffic outside maintenance windows
- Unusual scan behavior near PLC address ranges
- Remote access host initiating connections into control cells
- Unexpected SMB/RDP/HTTP traffic appearing in Level 1/2 areas
Important: Implement detections in a way that’s operationally actionable. OT teams don’t need 500 low-confidence alerts; they need a small set of “this could impact process” signals.
Implementation Playbook: Deploying Passive Visibility Step-by-Step
Below is a pragmatic plan you can run as a project—without boiling the ocean.
Step 1: Define monitoring goals (outcomes, not tools)
Examples:
- “Detect new device in control zone within 15 minutes”
- “Detect remote access sessions into OT with user attribution”
- “Baseline supervisory-to-control conduits and alert on new flows”
- “Maintain 24–72 hour rolling PCAP at DMZ-to-OT boundary”
Step 2: Choose your first monitoring point
Best first targets (choose one):
- DMZ-to-OT conduit
- supervisory-to-control conduit
- vendor skid boundary
Pick the location that gives you:
- high visibility
- manageable change risk
- clear ownership
Step 3: Decide TAP vs SPAN for that point
- If it’s critical and you can schedule downtime: TAP
- If you need quick deployment or downtime is impossible: SPAN (with validation)
Step 4: Build the sensor pipeline
- Decide metadata vs PCAP retention
- Plan storage and data lifecycle
- Define alert destinations (OT vs SOC)
- Document runbooks (what to do when X triggers)
Step 5: Validate with a test plan
Validation should include:
- asset discovery accuracy (compare to known inventory)
- mirror fidelity checks (for SPAN)
- baseline creation (normal traffic profiles)
- alert tuning (reduce noise before expanding)
Step 6: Expand by conduits, not by “more sensors everywhere”
Scale in this order:
- boundary conduits (IT/OT, DMZ-to-OT)
- supervisory-to-control
- cell/area segmentation points
- special networks (wireless bridges, vendor skids, remote sites)
This keeps complexity manageable and outcomes clear.
Operationalizing OT Visibility: From Alerts to Actions
Visibility that doesn’t change operations is just telemetry.
Define alert tiers that match OT reality
Tier 1: Safety/availability risk
Examples:
- suspected controller write activity from unknown host
- loss of view indicators paired with scanning or malware indicators
- sudden network storm impacting control communications
Action: immediate OT escalation, isolation-by-zone playbooks, safety-first response.
Tier 2: High-confidence security anomaly
Examples:
- new remote access pattern
- new host in supervisory zone
- SMB traffic in control zone
Action: investigate, validate change ticket, contain if unauthorized.
Tier 3: Hygiene and drift
Examples:
- new but low-risk flows
- asset inventory changes
Action: review in weekly change review and update baselines.
Build OT runbooks (simple and executable)
A good OT runbook answers:
- What does this alert mean in process terms?
- What are the first 3 safe checks?
- Who owns the decision to isolate?
- What is the rollback path?
Example runbook skeleton:
Alert: New device communicating with PLC subnet
1) Safety check:
- Confirm process is stable and no alarms indicate abnormal behavior.
2) Validate change:
- Check for approved work orders / vendor maintenance window.
- Ask control engineer if device addition is expected.
3) Containment options (least disruptive first):
- Restrict device at cell firewall/ACL (if present).
- Disable switchport (only if safe and approved).
- Isolate cell/area zone (if escalation required).
4) Evidence:
- Save flow logs and relevant PCAP buffer timeframe.
- Record timestamps (confirm time sync).
5) Escalation:
- Notify OT lead + site incident commander + SOC as appropriate.
Common Failure Modes (and How to Avoid Them)
Failure mode 1: “We mirrored everything and the sensor fell over”
Fix:
- monitor conduits, not every edge port
- use metadata-first collection
- move to higher-speed capture interfaces where needed
- use TAP aggregation/filtering approaches when appropriate
Failure mode 2: “SPAN looked fine in the lab but drops in production”
Fix:
- validate under peak load
- reduce sources
- upgrade monitor port speed
- move critical links to TAPs
Failure mode 3: “Great dashboards, but nobody responds”
Fix:
- route alerts to the right team (OT vs SOC)
- tune to a small, high-signal rule set
- create runbooks and practice them (tabletops)
Failure mode 4: “Monitoring became a dependency”
Fix:
- ensure sensors are out-of-band
- avoid making firewalls, switches, or identity services rely on monitoring tools
- design monitoring to fail silently (from operations’ perspective)
Failure mode 5: “We can’t trust timestamps”
Fix:
- deploy consistent time synchronization
- verify sensor and collector time sources
- document time hierarchy in OT zones
Advanced Topics (When You’re Ready)
ERSPAN in OT: When remote mirroring makes sense
ERSPAN can help when:
- you can’t place a sensor physically near the conduit
- remote sites need central analysis
- you have controlled transport and understand encapsulation overhead
OT caution:
- Don’t let ERSPAN become a “shadow network” with unclear ownership.
- Document it like any other conduit.
Monitoring encrypted traffic
Encryption is increasing in OT (e.g., OPC UA with TLS, secure remote access). Passive monitoring can still help via:
- flow metadata (who talks to whom, when, how much)
- certificate and handshake observations (where visible)
- endpoint and session correlation from remote access gateways
But if everything is encrypted end-to-end, you may need:
- logs from endpoints (where feasible)
- broker architectures where inspection is possible without breaking safety
Wireless and serial gateways
Many OT environments have:
- serial-to-IP gateways
- radio/wireless bridges
- fieldbus gateways
Monitor boundaries around these devices. They often become choke points and great sensor locations.
OT Visibility Metrics That Matter (Not Vanity Metrics)
Avoid measuring “number of packets captured” as success. Measure outcomes:
Coverage
- % of critical conduits monitored (IT/OT, DMZ-to-OT, supervisory-to-control)
- % of vendor skids monitored at the boundary
Detection
- Mean time to detect new device in control zones
- Mean time to detect unauthorized remote access attempt into OT
Fidelity
- Estimated mirror drop rate (SPAN links)
- PCAP buffer retention at critical conduits (hours/days)
Operations
- Number of alerts with runbooks and owners
- Reduction in “unknown” assets over time
- Number of monitoring-caused incidents (target: zero)
A Practical Reference Design
Minimal viable OT visibility (Phase 1)
- SPAN on DMZ-to-OT firewall inside interface (validated)
- Passive sensor + metadata collection
- Alerts: new host, new flow, remote access anomalies
- Weekly review with OT engineers
Mature OT visibility (Phase 2–3)
- TAPs on critical conduits (DMZ-to-OT, supervisory-to-control)
- Selective rolling PCAP at those conduits (24–72 hours)
- Cell/area boundary monitoring for high-criticality lines
- Integration to SOC via DMZ log relay
- OT incident runbooks + tabletop exercises
Frequently Asked Questions (FAQ)
What is OT network visibility?
OT network visibility is the ability to identify OT assets, understand industrial communications, and detect abnormal or unauthorized behavior on ICS/SCADA networks—without disrupting operations.
What’s the difference between a TAP and a SPAN port?
A TAP is hardware that copies traffic from a link with high reliability. A SPAN port is a switch feature that mirrors traffic to a monitoring port; it’s easier to deploy but can drop packets under congestion and is more sensitive to configuration errors.
Is passive monitoring safe for PLC networks?
When designed correctly (out-of-band sensors, controlled mirror/TAP placement, validated configurations), passive monitoring is one of the safest ways to improve OT security because it does not sit inline with control traffic.
Can SPAN ports be trusted for OT security monitoring?
They can be used, especially for quick wins, but they must be validated. For high-criticality conduits, TAPs generally provide more reliable evidence and reduce blind-spot risk.
Where should I monitor first in an OT environment?
Start at conduits: IT/OT boundary, DMZ-to-OT, and supervisory-to-control. These points provide the highest “visibility per sensor” and align well with zones-and-conduits architecture.
Conclusion: Visibility Is the Safest Security Upgrade You Can Make in OT
If you want stronger OT security without destabilizing operations, passive network visibility is the best starting point. Deploy it intentionally:
- monitor conduits, not everything
- choose TAPs for high-assurance, long-term monitoring
- use SPAN for speed and troubleshooting—validate it before you trust it
- build a pipeline from packets to actionable OT runbooks
- measure outcomes: coverage, detection time, fidelity, and operational impact
