Designing and deploying network monitoring solutions in industrial environments is rarely straightforward. Every facility has its own unique blend of legacy systems, bandwidth demands, physical constraints, and security requirements. At Enaxy, we’ve worked alongside OT and IT teams across industries to solve these challenges in the field. We’ve translated plans into practical deployments that enable deep visibility, proactive threat detection, and operational resilience.

This section explores two real-world implementations that highlight the practical challenges and trade-offs of deploying SPAN and TAP solutions in OT/ICS environments. These examples underscore the importance of thorough infrastructure validation, understanding hardware limitations, and choosing the right visibility strategy from the start.

Case 1: Overcoming SPAN Deployment Challenges – Managed Switch Limitations

Background

A cell-based manufacturing client aimed to improve their cybersecurity posture by deploying a Network Security Monitoring (NSM) solution. Their goal: gain visibility into communication between key assets, PLCs, HMIs, and engineering workstations, without disrupting the physical network.

Objective

The client intended to leverage their existing physical infrastructure to support NSM deployment without pulling additional fiber or ethernet cables. The architecture featured dual single-pair fiber links providing redundant connectivity to each manufacturing cell cabinet. These fibers terminated on redundant managed switches within each cabinet.

The planned approach involved installing a dedicated NSM sensor in each cabinet and using the managed switches to mirror traffic (via SPAN) from connected devices. This mirrored data would be forwarded to the sensors, enabling real-time monitoring, analysis, and threat detection.

The Challenge

During the design phase, Enaxy coordinated with the client’s onsite automation technician to perform a comprehensive switch inventory. This included documenting the vendor, model, and firmware version of all 32 managed switches.

Upon reviewing the collected data, Enaxy determined that the deployed switch models did not support SPAN or port mirroring functionality. Further discussions with the vendor confirmed that there was no available firmware or hardware upgrade path to enable SPAN on the existing infrastructure.

This presented a major obstacle. Without the ability to mirror traffic, the client could not route network data to the NSM sensors, effectively stalling the deployment. The client was left with two alternatives:

  1. Upgrade the switch infrastructure to models that support SPAN.
  2. Deploy inline TAPs to gain the required traffic visibility independently of switch capabilities.

Recommended Solution

Following a detailed analysis of the environment and operational requirements, Enaxy recommended a phased switch upgrade strategy. This involved systematically replacing the non-capable switches with managed models that natively support SPAN.

This approach enabled reliable traffic mirroring across the network and allowed the NSM solution to function as intended, delivering continuous visibility, proactive threat detection, and improved response capabilities.

Impact

The lack of SPAN capabilities significantly delayed the NSM deployment. Since budgeting for a switch upgrade or TAP deployment had not been accounted for in the original project scope, the client was forced to postpone the required infrastructure changes until the next fiscal budget cycle, nearly 10 months later. 

This deferral had long-term consequences. From the initial design to full implementation, it took over two years for the client to achieve the level of network visibility needed to meet their security and monitoring objectives. The experience underscored the importance of aligning network capabilities with cybersecurity goals early in the planning phase.

Lessons Learned

Even managed switches do not guarantee SPAN support. Vendors often offer tiered feature sets across their product lines, and capabilities can vary by model and firmware version.

Key takeaway: Always verify switch model and firmware compatibility before committing to SPAN as a monitoring solution.

Case 2: Overcoming TAP Deployment Challenges – Fiber Compatibility and Hardware Mismatch

Background

An oil and gas midstream operator had rolled out an NSM solution across their storage facilities, deploying centralized consoles and one sensor per critical site. While North-South traffic was already being monitored, they wanted to extend visibility to East-West traffic across cabinets and buildings.

Objective

The client intended to leverage their existing fiber-based network infrastructure to capture East-West traffic. Each site had multiple pairs of fiber between cabinets and buildings, with a few having 6 pairs at a minimum and most having at least 12 pairs. An additional requirement was that the site could not take downtime for an inline deployment.

With the amount of available fiber at the site and the inability to take production downtime, it was determined that dedicated fiber could be backhauled to the sensor without impacting production network traffic. In addition, the site had managed switches with port mirroring capability to feed passive TAPs. 

The Challenge

During the design phase, Enaxy collaborated with the client onsite to perform a detailed infrastructure assessment. This included identifying fiber types (single-mode, multi-mode) and interfaces (ST, LC, etc.), documenting the switch inventory, and verifying the availability of open fiber pairs needed for the TAP deployment. Once the infrastructure was confirmed, Enaxy developed a deployment plan that included installing eight passive TAPs connected to a packet aggregator. The aggregator would consolidate mirrored traffic, which would then be forwarded to an NSM sensor for real-time visibility, threat detection, and traffic analysis.

Due to the facility’s layout, a critical fiber run extended from the server room in Building L to a centralized location, Building T, which served as a hub for backhauling site-wide traffic. Enaxy installed the packet aggregator in Building T and deployed the TAPs across various facility locations. Once the TAPs were operational, it was confirmed that the aggregator was successfully receiving traffic from all sources.

The final step involved routing the mirrored traffic from the aggregator in Building T through the 1,987-meter fiber link back to the NSM sensor in Building L. However, when the fiber pairs were connected and the TAP-to-aggregator link was established, Enaxy connected a field laptop running Wireshark to the TAP’s output port, only to find no traffic was being captured.

After extensive troubleshooting, including testing various link configurations and validating signal integrity, the root cause was identified: the fiber run was multimode, and while it functioned reliably for the existing production network at 100 Mbps, it could not support the 1 Gbps link required by the TAP and aggregator hardware. The production network equipment had been operating near the maximum distance limits of multimode fiber at 100 Mbps, but the aggregator and TAP models used in the NSM deployment supported only 1 Gbps interfaces, with no option to downgrade to 100 Mbps.

Recommended Solution

After confirming that the existing TAP and aggregator hardware could not support 100 Mbps fiber connections, Enaxy and the client met with the TAP vendor to discuss the issue. Upon reviewing the deployment scenario, the vendor recommended an alternative TAP model specifically designed to support 100 Mbps multimode fiber environments. Once the new TAP model was procured and installed, it was successfully integrated into the network. As a result, the NSM sensor began receiving full East-West traffic visibility across the site, completing the deployment and restoring the network monitoring capabilities as intended.

Impact

While the client could still monitor North-South traffic, a combination of the fiber type and the initially selected TAP hardware prevented them from capturing the critical East-West traffic within the facility. Fortunately, the client was able to procure the appropriate TAP models quickly, and the issue was resolved, giving the client full network visibility as intended.

Lessons Learned

Even when fiber availability appears sufficient, media compatibility matters. Physical layer limitations, such as fiber type, speed, and distance, must be validated during design.

Key takeaway: Always test fiber capabilities and match them with hardware requirements before finalizing TAP-based designs.
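
A design-phase screen for the failure described in this case, as an added example that is not part of the original article or Enaxy's tooling: it checks each planned monitoring link against nominal IEEE 802.3 reach figures for the PHYs a TAP or aggregator offers. Only the 1,987 m multimode run comes from the case; the OM1 fiber grade, the second link, the hardware profile names and the 10% margin are assumptions.

```python
"""Design-phase reach check for planned TAP/aggregator fiber links (added example)."""

# Nominal maximum reach in metres from IEEE 802.3, keyed by (PHY, fiber grade).
# OM1 = 62.5 um multimode, OM2 = 50 um multimode, OS1 = single-mode.
REACH_M = {
    ("100BASE-FX", "OM1"): 2000,
    ("100BASE-FX", "OM2"): 2000,
    ("1000BASE-SX", "OM1"): 275,
    ("1000BASE-SX", "OM2"): 550,
    ("1000BASE-LX", "OM1"): 550,   # needs a mode-conditioning patch cord
    ("1000BASE-LX", "OM2"): 550,
    ("1000BASE-LX", "OS1"): 5000,
}

def check_link(fiber, length_m, device_phys, margin=0.10):
    """Return (status, phy): the best result over the PHYs the device offers."""
    best = ("FAIL", None)
    for phy in device_phys:
        limit = REACH_M.get((phy, fiber))
        if limit is None or length_m > limit:
            continue                      # not specified for this fiber, or too long
        if length_m <= limit * (1 - margin):
            return ("OK", phy)            # within reach with headroom to spare
        best = ("MARGINAL", phy)          # works on paper, little headroom
    return best

def audit(links, hardware):
    """Check every planned link against every candidate hardware profile."""
    return {(name, hw): check_link(fiber, length, phys)
            for name, fiber, length in links
            for hw, phys in hardware.items()}

# Constructed inputs. Only the 1,987 m multimode run comes from the case study;
# the OM1 grade, the second link and the profile names are assumptions.
LINKS = [
    ("BldgT-aggregator -> BldgL-sensor", "OM1", 1987),
    ("Cabinet-3-TAP -> BldgT-aggregator", "OM1", 180),
]
HARDWARE = {
    "tap-1g-only": ["1000BASE-SX", "1000BASE-LX"],
    "tap-100m": ["100BASE-FX"],
}

if __name__ == "__main__":
    for (link, hw), (status, phy) in audit(LINKS, HARDWARE).items():
        print(f"{status:9} {link:36} {hw:12} {phy or 'no usable PHY'}")
```

A MARGINAL or FAIL result is a prompt to measure the run or change hardware before ordering; nominal reach figures do not replace on-site testing.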

The Value of Real-World Readiness

These real-world scenarios reinforce an essential truth: network visibility design cannot rely on assumptions. Hardware limitations, physical media constraints, and vendor-specific feature sets must all be considered early in the design phase. Overlooking any of these factors can lead to costly delays, budget overages, and reduced visibility into critical systems.

Whether deploying SPAN or TAPs, success hinges on detailed infrastructure assessments, precise hardware selection, and hands-on implementation expertise, especially in the complex, high-stakes environments that define OT and ICS networks.

How Enaxy Can Help

At Enaxy, we bring a field-tested approach to network visibility, combining deep industrial expertise with proven implementation strategies. Whether you’re retrofitting a legacy network or building out a new monitoring architecture, we work alongside your team to:

  • Perform infrastructure audits and network assessments
  • Validate hardware compatibility and fiber requirements
  • Design and deploy SPAN, TAP, and hybrid monitoring solutions
  • Integrate NSM, IDS, and SIEM platforms for full-stack visibility
  • Minimize operational disruption while maximizing security posture

Have a visibility challenge? We’re here to help. Contact us at info@enaxy.com to schedule a consultation.