What is an IPS (Intrusion Prevention System)?
An IPS, or Intrusion Prevention System, is a security system that not only detects suspicious or malicious activity (like an IDS), but also actively intervenes to block or interrupt these attacks.
The goal of an IPS is to stop threats immediately, often without administrator intervention.
⚙️ How does an IPS work?
An IPS inspects inbound and/or outbound network traffic in real time. On detecting a threat, it can:
- Block traffic (e.g. by IP address, port or session)
- Interrupt connection attempts
- Redirect or reconfigure traffic
- Generate logs or alerts
IPS systems typically use:
- Signatures of known attacks
- Heuristics or behavioural analysis
- Integration with SIEM or Firewalls for coordinated action
🏭 IPS in industrial networks (OT)
In OT environments, an IPS must be deployed carefully in order to avoid disrupting processes. Industrial IPS solutions are therefore often:
- Used in passive or “detection only” mode (like an IDS)
- Deployed at the edge of the OT environment, e.g. between DMZ and the IT network
- Specifically tuned to industrial protocols such as Modbus, DNP3, OPC UA
🔄 IDS vs IPS
| Property | IDS | IPS |
|---|---|---|
| Detection | ✅ | ✅ |
| Intervention / blocking | ❌ (detection only) | ✅ (takes action) |
| Location | Often passively on network segments | Inline between network segments |
| Use in OT | Widely used for monitoring | Limited and cautiously used |
🔐 IPS and Defence in Depth
IPS is one of the outermost defence layers within a Defense in Depth strategy and works alongside:
- Firewalls
- IDS
- SIEM systems
- VPN and network segmentation
- The Zone and Conduits model within industrial networks
📌 In summary
An IPS is an active security system that detects suspicious or malicious network activity and immediately blocks it. In OT environments, it is deployed with care to avoid disrupting production, but it provides a valuable layer in a modern Cybersecurity architecture.