As security needs related to Operational Technology (OT) evolve, so do the complexities and importance of securing these environments. Network baselining plays a crucial role in identifying and mitigating security threats by establishing expected network behavior and detecting anomalies. By monitoring behavior that deviates from an established baseline, security teams can identify potentially malicious activities without relying solely on signature-based detections.
Despite its significance, network baselining is often a poorly defined term. Different interpretations can impact how it is communicated and applied, making it essential to clarify its meaning and categorization.
At its simplest, network baselining refers to defining normal network traffic patterns within an environment. However, the definition varies depending on the level of detail included in the baseline. Some may consider a baseline as merely a record of IP-to-IP communication, while others might incorporate additional factors like ports, protocols, device types, and service-specific behaviors.
To bring clarity, we categorize network baselining into three primary types:
This type of baselining corresponds with very basic information, such as IPs, ports, and/or protocols involved in a communication, or at the overall throughput of communications occurring between devices.
This foundational type of baselining includes basic information such as:
IP addresses involved in communication
Ports and protocols used
Overall network throughput between devices
This type of baselining generally is looking at more specific information, such as the specific patterns of traffic expected between a given pair of device types or other service-specific traffic patterns that are expected within an environment.
This approach goes beyond surface-level data and focuses on expected traffic patterns, such as:
Specific communication behaviors between known device types
Recognized service-specific traffic flows
Established transaction patterns within the network
This type of baselining is the opposite of its twin – it is looking for patterns and behaviors that strictly should never occur within an environment, such as unrelated subnets communicating to one another or connections between device types that should not occur.
This method focuses on identifying traffic that should never occur, such as:
Communication between unrelated subnets
Unauthorized device-to-device interactions
Traffic originating from unusual or unapproved sources
Each of these baseline types can be refined using additional modifiers, including:
Filtering by specific communication protocols
Isolating baselines to particular network segments
Defining granular baselines for individual use cases
Once a baseline is established, the next step is leveraging it for threat detection. Network baselining allows security teams to identify deviations from expected behavior and categorize detections accordingly:
These types of detections tend to calculate statistics related to traffic volume/size and amount of communications of a specific type. Spikes in these numbers can correspond to C2 traffic, exfiltration, or even potentially a firmware upload.
These detections rely on traffic volume and communication frequency analysis. Abnormal spikes may indicate:
Command-and-Control (C2) communication
Data exfiltration attempts
Firmware uploads or unauthorized file transfers
Detections in this category tend to correspond with looking for patterns related to malicious activity such as port scanning or traffic matching the pattern of DDoS traffic or even application-specific protocol detections that relate to issues such as UMAS protocol exploitation in modbus.
Pattern-based detections focus on recognizing malicious activity trends, such as:
Port scanning attempts
Distributed Denial-of-Service (DDoS) patterns
Exploitation of application-specific protocols (e.g., UMAS in Modbus)
Deviation detections tend to look for those things that should specifically never occur in an environment and flag them if they do occur. Examples of this include communications going to an unauthorized port on a device, or devices in different segments of a network communicating when they should not.
Deviation detections can also address general inconsistencies in typical behavior, such as a new IP pair beginning communication for the first time in an environment that is otherwise static.
These detections highlight anomalies that should never occur, including:
Communication attempts on unauthorized ports
Unexpected cross-segment device communication
New IP pairs communicating in a static environment
By mapping these detection categories to their respective baseline types, organizations can create a structured and effective network baselining strategy.
Identifying the need for network baselining is only the first step. To transition from concept to implementation, follow these key steps:
Assess Available Resources
What tools do you currently have?
What data is already being collected?
What expertise is available in your team?
Align Resources with Goals
Determine how your existing tools and data support the end goal
Identify gaps and potential solutions
Develop an Action Plan
Set clear objectives for each baselining type
Implement monitoring and detection rules based on identified baselines
Regularly refine and update baselines to adapt to evolving threats
Network baselining is a powerful technique for improving OT security by understanding normal network behavior and identifying anomalies. By categorizing baselines into Overview, Positive-Space, and Negative-Space types, security teams can systematically detect and mitigate threats. Aligning these baselines with statistical, pattern-based, and deviation detections enhances threat visibility and response effectiveness.
As organizations continue to refine their security postures, implementing a structured network baselining strategy will be essential for proactive defense against evolving cyber threats.
1. Why is network baselining important for OT security?
Network baselining helps identify deviations from normal behavior, allowing security teams to detect anomalies and potential threats before they cause damage.
2. How often should network baselines be updated?
Baselines should be reviewed and updated regularly to adapt to network changes, new devices, and emerging threats.
3. Can network baselining replace traditional security measures?
No, it should be used alongside signature-based detection, firewall rules, and other security controls for a comprehensive defense strategy.
4. What challenges come with implementing network baselining?
Common challenges include defining accurate baselines, managing false positives, and ensuring continuous monitoring for evolving threats.
5. How does network baselining help with compliance?
By providing visibility into normal and abnormal network behavior, baselining supports compliance with industry regulations and standards, such as NIST and IEC 62443.
Our products are designed to work with
you and keep your network protected.
Insane Cyber © All Rights Reserved 2025
