
Insights on Retrofitting Security Monitoring with OBEC

Today, most large industrial installations are constructed by integrating a variety of equipment procured from specialty OEMs and subcontractors. These third parties include operational technology (OT) assets as part of their packaged solutions and are responsible for configuring the digital devices that ultimately communicate with other systems in the final installation. However, if an end user’s security requirements are not adequately specified at the beginning of a project, procured OT systems may not be configured in a manner to support security objectives such as network monitoring. All too often, end users are stuck making post-installation fixes, and the options to do so are typically costly or physically impractical.


As discussed in the first blog in this series, that’s where the Out-of-Band on Existing Communications (OBEC) module developed by researchers at Johns Hopkins Applied Physics Laboratory (APL) can offer a new option. To make OBEC a commercial reality, the team at APL first needed to answer the following question: Can OBEC provide a way to add security monitoring without touching the OEM configuration or jeopardizing plant operations?

To do this, APL collaborated with Applied Control Engineering (ACE) to test the device in a realistic simulation of the real-world OT systems we encounter every day as an industrial control systems integrator. For this first test scenario, we set out to evaluate the following:

  • Could the OBEC device successfully preserve physical segmentation?
  • Could the device achieve satisfactory communication both on the primary and secondary (out-of-band [OOB]) channels?
  • What value did the additional functionality provided by OBEC add?
  • Does the introduction of an OBEC device pair introduce any adverse impacts to existing critical functions being performed by the control system?

Testbed Setup

The testbed for this scenario simulated a skidded OEM system with a multi-homed PLC serving as the sole connection point to the plant network. For system integration purposes, all necessary system-wide communications occur with the PLC, and the PLC acts as a gateway for any communication with devices within its local I/O network.

For network monitoring, the sub-system level network is invisible to the plant-wide Dragos-based OT intrusion detection system (IDS), because PLCs do not act as general-purpose routers and the gateway action of the PLC occurs in the application layer. This means that actions like a vendor connecting their engineering laptop directly to a PLC or the same vendor connecting remotely to a cell modem on the I/O network are undetectable by the IDS, despite the ability of these actions to make control logic changes.

For these tests, we simulated a typical scenario in which the OEM’s system was originally integrated into the network with only a single Ethernet drop provided to the skid. To add monitoring of the local I/O network, an OBEC pair was used to carry the SPAN traffic over that existing cable back to the server room and the Dragos sensor, without changing the configuration of the PLC (Figure 1).


Figure 1. Skid monitoring addition.


Enhanced Security Visibility Without Performance Loss

During testing, the OBEC solution clearly demonstrated its ability to carry OOB broadband or serial communications simultaneously with the existing in-band Ethernet communications while sharing a preexisting physical cable. The simplest way to understand OBEC is as a device that lets a single physical Cat5 or Cat6 Ethernet cable behave, at the physical-signal level, as if it were two separate cables. OBEC achieves this with a simple device in a compact, industrial-ready form factor.

Adding OBEC also did not degrade primary channel performance. Data throughput, latency, and packet loss on the main control path were nearly identical before and after OBEC was introduced. For example, average primary channel throughput held steady at ~94 Mbps with or without OBEC, and latency remained stable at around 0.25 ms.

The IDS also gained full visibility into previously hidden Level 1 traffic. In one test, we introduced a “rogue” engineering laptop to the system and used it to push configuration changes. This is a highly realistic scenario since maintenance teams and third-party vendors often connect such devices. With OBEC in place, the Dragos system immediately detected and logged these unauthorized changes.
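The following is an added illustration of the visibility gap described above; it is constructed for this article and is not Dragos detection logic or code from ACE or APL. It models a multi-homed PLC whose I/O-side frames never reach the plant-network drop, then shows that a simple asset-baseline check can only flag the rogue laptop once the I/O network is actually mirrored to the sensor. All addresses, the asset baseline, the engineering-protocol ports and the flow records are assumptions.

```python
"""Illustrative asset-baseline check over mirrored Level 1 traffic.

Constructed example (not Dragos logic, not ACE or APL code): it shows why the
skid's I/O network must actually reach the IDS sensor before a rogue
engineering laptop can be flagged. Addresses, ports and flows are assumed.
"""
from dataclasses import dataclass

# Assumed addressing: the multi-homed PLC has a plant-side and an I/O-side interface.
PLC_PLANT_IP = "10.0.5.21"
PLC_IO_IP = "192.168.10.1"
IO_SUBNET = "192.168.10."

# Assumed commissioning baseline for the skid's I/O network.
KNOWN_IO_ASSETS = {
    PLC_IO_IP: "skid PLC",
    "192.168.10.11": "remote I/O rack",
    "192.168.10.12": "variable frequency drive",
}

# Assumed TCP ports for PLC programming/engineering protocols in this example.
# Real values are vendor-specific; 44818 is the EtherNet/IP explicit-messaging port.
ENGINEERING_PORTS = {44818, 102, 20000}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Alert:
    src: str
    reason: str


# Constructed traffic: normal skid I/O chatter, the PLC answering the plant
# SCADA server, and a "rogue" laptop pushing a download to the PLC over the I/O network.
CONSTRUCTED_FLOWS = [
    Flow(PLC_IO_IP, "192.168.10.11", 44818),   # PLC polling remote I/O
    Flow(PLC_IO_IP, "192.168.10.12", 44818),   # PLC commanding the drive
    Flow("10.0.5.10", PLC_PLANT_IP, 44818),    # plant SCADA reading the PLC
    Flow("192.168.10.200", PLC_IO_IP, 44818),  # rogue engineering laptop
]


def plant_side_view(flows):
    """What the IDS sees with only the plant-network drop mirrored: the PLC is
    an application-layer gateway, not a router, so I/O-network frames never
    appear on the plant side."""
    return [
        f for f in flows
        if not (f.src.startswith(IO_SUBNET) and f.dst.startswith(IO_SUBNET))
    ]


def with_io_mirror_view(flows):
    """What the IDS sees once the I/O-network SPAN is carried back on the
    out-of-band channel: the plant-side flows plus all Level 1 traffic."""
    return list(flows)


def detect_rogue_hosts(visible_flows):
    """Flag any host on the I/O subnet that is absent from the baseline, and
    additionally flag engineering-protocol traffic to the PLC from such a host."""
    alerts = []
    seen = set()
    for f in visible_flows:
        for host in (f.src, f.dst):
            if host.startswith(IO_SUBNET) and host not in KNOWN_IO_ASSETS and host not in seen:
                seen.add(host)
                alerts.append(Alert(host, "unknown asset on Level 1 network"))
        if f.src not in KNOWN_IO_ASSETS and f.dst == PLC_IO_IP and f.dport in ENGINEERING_PORTS:
            alerts.append(Alert(f.src, f"engineering protocol tcp/{f.dport} to PLC from unbaselined host"))
    return alerts


if __name__ == "__main__":
    print("plant-side only:", detect_rogue_hosts(plant_side_view(CONSTRUCTED_FLOWS)))
    print("with I/O mirror:", detect_rogue_hosts(with_io_mirror_view(CONSTRUCTED_FLOWS)))
```

Run stand-alone, the plant-side view yields no alerts even though the laptop is actively downloading to the PLC; the same detector over the mirrored view raises both an unknown-asset alert and an engineering-protocol alert for the laptop. The point is not the detector, which is deliberately naive, but that no detection logic can act on frames the sensor never receives.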

Practical Takeaways from Scenario 1 Testing

Overall, this first test scenario proved out a practical, cost-effective, and low-risk way to enhance OT security monitoring in brownfield environments. Highlights of OBEC for asset owners and integrators demonstrated during this test scenario include:

  • No additional cabling needed for OOB monitoring – OBEC uses existing cabling, avoiding costly infrastructure changes and shutdowns.
  • OEM design preserved – While a simple change to the network switch was required, the prime design boundary of the OEM (only one point of communication with the system) was preserved.
  • No performance impact – Control traffic flowed as normal, with negligible differences in throughput and latency.
  • New visibility for security teams – The IDS gained access to traffic it otherwise wouldn’t be able to see.

Looking Ahead

OT cybersecurity is about reducing blind spots while keeping production running. This first test scenario demonstrated that OBEC can deliver on both fronts, enabling deeper visibility without disrupting operations. This testing gave us a glimpse of what’s possible when physical segmentation can be preserved without the cost and complexity of rewiring and also showed that advanced security monitoring can be added safely, even in environments where traditional options fall short.
