If there’s one thing industrial networks share, it’s complexity. Each is designed to support high production volumes and optimal uptime requirements, but depending on the manufactured products or processes, they’re made up of diverse systems and assets spread across multiple locations. To simplify management and maintenance, systems are often grouped on the network under a single IP address, using Network Address Translation (NAT) techniques. These IP groupings can contain identical systems with the same configuration or they might contain all of the systems on a critical production line.
Did Your Visibility Implementation Fail Because of Machines Sharing the Same IP Address? You're Not Alone.
Many organizations, especially manufacturing plants, face significant challenges in gaining clear network visibility. Network Address Translation (NAT) is widely used in industrial plants for many reasons. A classic use case is to avoid IP conflicts in environments with legacy machinery when multiple devices share the same IP.
There’s just one problem: traffic from all network devices coming into monitoring and security tools is only visible as the IP address of their group. There is no way to visualize the individual traffic from each device. If one is down or malfunctioning, you can’t quickly identify it or assess what’s happening. When you need to secure a group of diverse assets or patch individual systems, you can’t simply apply a blanket policy to the group. This is why most OT Intrusion Detection Systems (IDS) and security solutions can only provide incomplete coverage. They just can’t see the individual assets within the IP group.
At Opscura, we’ve heard countless stories of companies struggling to deploy IDSs to enhance visibility and security, only to face failure because these systems couldn’t differentiate devices behind shared IPs. You’re not alone in this challenge—which is why we took action to provide a solution.
Refining NAT Visibility for Enhanced Device Management and Control
Opscura gives you the ability to see—and to manage and secure—individual assets without removing or re-architecting your existing IP addressing schemes. Based on traffic, we can identify and label each device within the IP group. Now you know which device is which.
Plus, your partner tools (such as visibility platforms) can work more effectively since they can recognize behaviors of each machine. In short, refining NAT visibility makes other tools work better and unlocks more of their capabilities—all providing greater insights and control.
Refining NAT to identify individual assets
Deploy Anywhere, Secure Everything
Deployment is completely flexible. Opscura’s Vias can be inserted in front of individual assets, production lines, or entire locations, as shown below. Traffic is collected and sent to existing security monitoring and threat management tools, with each device’s traffic labeled. This eliminates the need to deploy multiple tools for multiple groups or locations.
Deploy anywhere, see everything
You can also deploy Opscura’s Protection Platform as a standalone solution for gaining full visibility into the OT network and its assets. We make it easy to segment network portions and critical assets, apply policy, and monitor devices, regardless of hardware or operating system. Protect an entire group of devices by applying policy appropriate to its level of risk, and prevent attacks from getting started. Micro-segmentation also allows you to cloak legacy assets that can’t be upgraded or replaced, the kind of systems that are the bane of your cybersecurity team. Now you can simply make these systems invisible to potential attackers conducting discovery.
Deeper Visibility Without Disruption
Whether you’re enriching an existing solution or implementing OT security for the first time, you can use NATing to reduce costs by minimizing your environment’s complexity. Most importantly, you can improve visibility and security.
Let us show you how to quickly ramp up your monitoring and security effectiveness – without disruption or downtime. Contact us today to book a meeting.