Communications in an operational technology (OT) environment are complex: both logical and physical architectures must be managed to achieve the desired performance and security goals. Furthermore, the industrial control systems used in OT environment face a unique set of cybersecurity challenges, particularly when it comes to visibility and segmentation.

One way to address these challenges is to incorporate out-of-band (OOB) monitoring, which provides a separate, isolated communication path for observing and managing industrial networks without interfering with primary traffic. But expanding or modifying network infrastructure to support OOB monitoring is often not feasible due to cost, complexity, or risk to ongoing operations. However, a new technology developed by Johns Hopkins Applied Physics Laboratory (APL) provides a novel solution to this issue.

The Out-of-Band on Existing Communications (OBEC) module introduces a practical, drop-in solution for creating physically segmented networks over an existing Ethernet infrastructure. Designed to support cybersecurity functions such as monitoring and administration without interfering with operational traffic, OBEC provides organizations a path to enhanced network resilience that doesn’t require an infrastructure overhaul.

Bridging the Gap Between Lab and Market

Originating as an internal research project at APL, OBEC was later selected by the Department of Homeland Security (DHS) to participate in its lab-to-market initiative called the Commercialization Accelerator Program (CAP). The goal of CAP is to identify and fund technologies for advancement into the commercial market where they are available to all homeland security end users. While the promise of OBEC was clear at this point, realizing commercial viability required demonstrating the technology in realistic operational environments.

ACE, an experienced industrial control systems integrator, was selected to test OBEC in simulations closely mirroring the OT systems we regularly see deployed at customer sites. This collaboration provided not only technical validation, but critical insights into practical considerations such as installation, usability, compatibility with existing systems, and market fit.

The Problems OBEC Solves

Traditional OOB networking relies on one of two solutions:

• Duplicating physical infrastructure, an expensive and often impractical proposition
• Logically separating traffic over shared infrastructure, which can conflict with security goals or can strain legacy infrastructure.

In brownfield facilities, where pulling new cable is disruptive or risky and existing systems may be years behind in network throughput, neither option is ideal.

To overcome these limitations, OBEC introduces a new category of solution: physically isolated communication over an existing Ethernet infrastructure. Installed at all networking equipment endpoints, the OBEC modules couple the OOB networking signals to the existing network cables in an electrically isolated manner, preventing signal interference or detection. This opens up new options for:

• OOB distributed monitoring that doesn’t impact the primary network
• OOB management and maintenance
• Resilient networking to avoid some “common mode” failures from the software and signaling perspective if multiple signal sources are needed

Importantly, OBEC can help do all this while maintaining the security and reliability expected in regulated or high-integrity environments.

ACE’s Role: Real-World Testing and Evaluation

To validate OBEC's performance, we were brought in to design and stage two pilot scenarios:

1. Adding security monitoring to existing equipment
2. Adding out-of-band measurement for high-integrity systems

Our evaluation included comprehensive testing of installation processes, device durability, and communication performance alongside recommendations for enclosure design, power supply, configuration interfaces, and certification priorities for commercial deployment. Recommendations emphasized the importance of meeting UL 508 and related industrial certifications to meet North American market expectations.

Overall, in both test scenarios, OBEC preserved physical segmentation, transmitted data reliably, and did not introduce latency or interference to critical system functions.

What’s Next: A Closer Look at OBEC in Action During Field Testing

In the next post in this four-part series exploring OBEC’s development and application, we will dive into the details of the first test scenario and highlight how OBEC enables more secure and scalable network monitoring. From there, post three will cover challenges in developing OT cybersecurity products. Finally, post four will discuss test scenario two in more detail and how OBEC can be used to support high-integrity systems and anomaly detection. Together, these posts will trace the exciting journey of OBEC from concept to the initial stages of commercialization and highlight the role integrators like ACE can play in advancing the commercialization of cybersecurity solutions.

Learn more about ACE’s cybersecurity expertise.