Background
A specialty chemical facility operating three continuous process units and two shared utility systems engaged Beacon Security after an internal investigation uncovered an unknown device on the process control network. A maintenance technician noticed an unfamiliar IP address responding to a ping sweep during routine troubleshooting. The device turned out to be a wireless bridge installed by a contractor two years earlier and forgotten. It was providing an open wireless path directly into the DCS network.
The discovery prompted a difficult question from the Plant Manager: what else is on our network that we do not know about? The answer was that nobody knew. There was no OT asset inventory, no network traffic monitoring, and no way to detect unauthorized devices, unusual communications, or active threats.
Beacon Security was engaged to deploy an intrusion detection system (IDS) and build full asset visibility across the OT environment.
Note: All identifying details have been removed to protect client confidentiality.
The Challenge
Zero Visibility into OT Network Activity
The facility had no OT network monitoring of any kind. IT monitored the corporate network but their tools stopped at the IT/OT firewall. Everything happening on the process control side was invisible. If a device was compromised or behaving abnormally, nobody would know.
No Asset Inventory
The engineering team maintained a list of major DCS controllers and PLCs for maintenance scheduling, but no comprehensive inventory existed. Analyzers, network switches, HMIs, historians, engineering workstations, and field devices were not tracked. The team estimated around 180 devices on the OT network.
Mixed Protocols and Legacy Systems
The three process units used a combination of Modbus TCP, OPC Classic, OPC-UA, HART, and two proprietary vendor protocols. Several DCS controllers were running firmware over 8 years old. The IDS solution needed to understand all of these protocols to provide meaningful detection.
Operations Team Concerns
The operations team was clear: nothing inline, nothing that generates network traffic, and nothing that could affect process stability. Any monitoring solution had to be completely passive with zero risk to production.
Our Approach
Beacon Security designed and deployed an OT IDS and asset visibility platform across an 8-week engagement, structured to build confidence with the operations team at every stage.
Phase 1: Architecture Review and Sensor Placement (Weeks 1-2)
We reviewed the complete OT network architecture to determine optimal sensor placement:
- Mapped all network switches, VLANs, and trunk links across the 3 process units and 2 utility systems
- Identified 11 optimal collection points that would provide visibility into all OT traffic
- Confirmed SPAN/mirror port availability on all managed switches
- Validated that passive monitoring taps could be deployed without any network reconfiguration
The deployment plan was reviewed and approved by the operations team, DCS vendor, and plant engineering before any equipment was installed.
Phase 2: Sensor Deployment (Weeks 3-4)
Passive monitoring sensors were deployed at all 11 collection points during scheduled maintenance windows:
- 7 sensors connected via SPAN ports on managed switches
- 4 network TAPs installed at critical trunk links where SPAN ports were unavailable
- All sensors confirmed receiving traffic with zero impact on network performance
- Central analysis platform deployed in the engineering server room
Each sensor installation followed a documented procedure with a rollback plan. Operations held a 4-hour observation period after each deployment to verify process stability.
Phase 3: Asset Discovery and Profiling (Weeks 4-6)
With sensors capturing all OT network traffic, the asset discovery phase mapped the full extent of the OT environment:
- 267 communicating devices identified across all 3 process units and 2 utility systems
- 87 more than the engineering team's estimate of 180
- Every device profiled with manufacturer, model, firmware version, IP address, MAC address, and communication patterns
- Devices classified by type: 24 DCS controllers, 38 PLCs, 41 HMIs, 19 analyzers, 23 managed switches, 14 engineering workstations, 8 historians and servers, and 100 other networked devices including I/O modules, drives, and field instruments
Notable discoveries:
- 6 personal laptops connecting intermittently via maintenance network drops
- 3 legacy data loggers still transmitting to decommissioned systems
- 1 analyzer sending diagnostic data to an external manufacturer IP address over the internet
Phase 4: Baseline and Detection Tuning (Weeks 6-7)
A traffic baseline was established over 2 full production cycles to capture all normal operating patterns:
- 1,847 unique communication flows mapped between device pairs
- Protocol distribution analyzed: 43% Modbus TCP, 28% OPC, 12% vendor proprietary, 17% standard IT protocols
- Detection rules tuned for the specific environment to minimize false positives
- Alert categories configured: new device detection, protocol anomalies, unauthorized connections, known vulnerability signatures, and policy violations
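The baseline-and-alert logic described in Phase 4, as an added illustration (not Beacon Security's tooling): known devices and allowed flow tuples are learned from a constructed set of baseline flows, and each later observed flow is checked for the new device, external connection and unauthorized connection categories. The OT address range and all IP addresses are placeholders.

```python
from ipaddress import ip_address, ip_network

# Assumed OT address space; a placeholder, not the facility's real addressing.
OT_NETS = [ip_network("10.20.0.0/16")]

# Constructed baseline flows standing in for the sensors' learning period.
# Fields: source IP, destination IP, protocol label, destination port.
BASELINE_FLOWS = [
    {"src": "10.20.1.10", "dst": "10.20.1.50", "proto": "modbus", "dport": 502},   # Unit 1 HMI -> PLC
    {"src": "10.20.3.10", "dst": "10.20.3.50", "proto": "modbus", "dport": 502},   # Unit 3 HMI -> PLC
    {"src": "10.20.2.5",  "dst": "10.20.1.11", "proto": "opcua",  "dport": 4840},  # historian -> DCS
    {"src": "10.20.3.40", "dst": "10.20.2.5",  "proto": "opcua",  "dport": 4840},  # analyzer -> historian
]

def is_internal(ip):
    """True when the address falls inside the assumed OT ranges."""
    return any(ip_address(ip) in net for net in OT_NETS)

def flow_key(f):
    return (f["src"], f["dst"], f["proto"], f["dport"])

def build_baseline(flows):
    """Learn the set of known devices and the set of allowed flow tuples."""
    devices, allowed = set(), set()
    for f in flows:
        devices.update((f["src"], f["dst"]))
        allowed.add(flow_key(f))
    return {"devices": devices, "flows": allowed}

def evaluate(baseline, flow):
    """Return the alert categories one observed flow triggers (empty if normal)."""
    alerts = []
    for ip in (flow["src"], flow["dst"]):
        # An internal address never seen during the baseline is a new device.
        if is_internal(ip) and ip not in baseline["devices"]:
            alerts.append(("new_device", ip))
    # Any destination outside the OT ranges is an external communication path.
    if not is_internal(flow["dst"]):
        alerts.append(("external_connection", flow["dst"]))
    # A device pair/protocol/port combination absent from the baseline is an
    # unauthorized connection, even when both endpoints are known devices.
    if flow_key(flow) not in baseline["flows"]:
        alerts.append(("unauthorized_connection", flow_key(flow)))
    return alerts

if __name__ == "__main__":
    base = build_baseline(BASELINE_FLOWS)
    for obs in (
        {"src": "10.20.1.10", "dst": "10.20.1.50", "proto": "modbus", "dport": 502},  # normal
        {"src": "10.20.9.77", "dst": "10.20.1.50", "proto": "modbus", "dport": 502},  # unknown laptop
        {"src": "10.20.3.40", "dst": "203.0.113.5", "proto": "tcp", "dport": 443},    # analyzer to internet
        {"src": "10.20.1.50", "dst": "10.20.3.10", "proto": "modbus", "dport": 502},  # cross-unit pair
    ):
        print(obs["src"], "->", obs["dst"], evaluate(base, obs) or "ok")
```

The four observed flows correspond to the page's findings: a normal flow, an unknown device on a maintenance drop, an analyzer reaching an external address, and a cross-unit PLC-to-HMI path between two otherwise known devices.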
Phase 5: Operational Integration and Handover (Week 8)
The IDS was integrated into the facility's operational workflow:
- Alert dashboard deployed in the control room with clear severity classifications
- Escalation procedures defined for each alert category
- 3 control room operators and 2 engineers trained on alert triage and response
- Weekly report template configured for management review
- Asset inventory exported to the maintenance management system
Key Findings
Unauthorized Wireless Bridge
The wireless bridge that triggered the engagement was confirmed as providing open wireless access into the DCS network. It was broadcasting an unsecured SSID reachable from the facility parking lot.
Action: Removed immediately during Phase 2. Added to the IDS detection rules as a use case for new wireless device detection.
Analyzer with External Communication
One process analyzer was transmitting diagnostic data to the manufacturer's cloud service via a direct internet connection. This connection bypassed the IT/OT firewall entirely through a cellular modem attached to the analyzer.
Action: Cellular modem disconnected. Vendor diagnostic access reconfigured to operate through the approved remote access channel.
Cross-Unit Traffic Anomaly
The IDS detected regular communication between a PLC in Process Unit 1 and an HMI in Process Unit 3 that did not correspond to any documented process requirement. Investigation revealed it was a test configuration left active after a commissioning exercise 18 months earlier.
Action: Communication path removed. The finding reinforced the case for formal change management procedures.
Outcome
The facility went from zero OT network visibility to full monitoring across all process units and utility systems within 8 weeks. The IDS has been operational continuously since deployment with zero impact on process operations.
Deliverables Provided:
- Complete OT asset inventory: 267 devices with full profiles and communication maps
- IDS deployment across 11 monitoring points covering all OT network segments
- Traffic baseline documenting 1,847 normal communication flows
- Detection rule set tuned for the facility's specific protocols and operations
- Alert escalation procedures and control room operator training
- Weekly and monthly reporting templates for management review
Results:
- 267 assets discovered and profiled from a baseline of zero
- 87 previously unknown devices identified, including 6 unauthorized personal laptops
- 14 anomalies detected and investigated in the first 30 days of operation
- 1 unauthorized external communication path eliminated
- 1 rogue wireless bridge removed
- Asset inventory integrated with maintenance management system
- Zero process disruptions during deployment or operation
The facility subsequently engaged Beacon Security to design a network segmentation program using the asset inventory and traffic baseline as the foundation.
Beacon Security deploys OT intrusion detection and asset visibility solutions for chemical and process industry facilities. Contact us to discuss your monitoring requirements.