The Leading Solution for Real-time Cyber Security and Visibility for Industrial Control Networks
www.nozominetworks.com / CONFIDENTIAL
Who is Nozomi Networks?

October 2013 - FOUNDED IN SWITZERLAND
Founder worked in a large Oil & Gas company that lacked visibility and control over its ICS/OT environment and needed a solution - CREATED TO ADDRESS MARKET NEED
Received a European Union Commission award to research SCADA security threats - INITIAL GLOBAL RECOGNITION
Founders conducted PhD research on SCADA security/malware and artificial intelligence - GROUNDED IN RESEARCH

Moreno Carullo, CTO and Co-Founder: PhD in Artificial Intelligence; eXtreme Programming expert
Andrea Carcano, CPO and Co-Founder: PhD in Cybersecurity; SCADA security researcher & expert
Nozomi Networks: The Leader in Industrial Cyber Security

DEVICES: +300,000 monitored
CUSTOMERS: +1,000 global installations
GLOBAL REACH: local support in 5 continents
DEPLOYMENTS: Power / Electric, Chemicals, Pharmaceuticals, Oil & Gas, Mining, Manufacturing, Water, Transportation ...and more.

European HQ: Mendrisio, Switzerland
Global HQ: San Francisco, USA
Sales Offices: Sydney, Australia; Munich, Germany; London, England; Calgary, Canada; Milan, Italy; Rio de Janeiro, Brazil; Dubai, UAE

Industry Awards
Market Drivers

Safety (Personnel and Environmental): failure of cyber-physical system maintenance and of safety systems (e.g. SIS)
Corporate Espionage: state-sponsored or independently led IP theft, corporate espionage and sabotage
Reputation Risk (indirect loss of revenue): degradation of company reputation due to data loss, system shutdown and safety negligence
National Security Responsibility: regulatory and tort responsibility to adhere to regional and vertical standards and practice
Resilience & Uptime (direct loss of revenue): cyber-borne or preventive-maintenance issues that result in system failure / downtime
IT/OT Convergence: interconnectedness of non-homogeneous systems, applications and platforms
Nozomi Networks SCADAguardian

[Diagram: SCADAguardian attached to the Process Networks and the Control Network]

SCADAguardian protects your control networks from cyber attacks and operational disruptions by providing unprecedented visibility and rapid detection of threats and process risks – in a completely passive way.

- An appliance (physical or virtual) that passively and non-intrusively connects to the industrial network
- Listens to all traffic within the control and process networks, passively analyzing it at all levels of the OSI stack (L1 to L7)
- Uses artificial intelligence and machine learning techniques to create detailed behavior profiles for every device according to the process state, to quickly detect critical state conditions
- Provides best-in-class network visualization, asset management, ICS anomaly and intrusion detection, vulnerability assessment, as well as dashboards and reporting
Industrial Organizations Require Particular OT Capabilities

- Rapidly detect cyber threats/risks and process anomalies
- Quickly monitor ICS networks and processes with real-time insight
- Significantly reduce troubleshooting and forensic efforts
- Accurately visualize the network and automatically track industrial assets
- Reliably monitor multinational installations centrally or remotely
- Secure large, distributed industrial networks
Nozomi Networks - Our Mission

- Rapidly detect vulnerabilities, threats & incidents
- Reduce troubleshooting & remediation efforts
- Achieve complete visibility into your OT network
- Successfully deploy at scale in the largest distributed environments
- Agile development & integrations with rapid new protocol support
- Centrally monitor & control distributed networks
Network Visualization and Monitoring

[Screenshot: network visualization overview]

[Screenshot: Nodes and Variables views - go deep in details...]

[Screenshot: Links and Contents views - go deep in details...]

Serious Networking Issues

[Screenshot: network view highlighting networking issues]
Asset Inventory

- OT vendor, product, serial
- Firmware version of the PLCs
- Operating system
- Hardware components
- Product name, vendor
- Vulnerabilities
Common Discovery: Software Vulnerabilities
Identifies high-risk vulnerabilities open to exploitation

Common Discovery: Multiple OS/Firmware Versions
Identifies opportunities to reduce operational risk by closing vulnerability gaps

Common Discovery: Unknown & Misconfigured Devices
Identifies device misconfigurations and possible indicators of compromise by threat actors

Common Discovery: Unencrypted / Weak Credentials
Detects default and easily guessed credentials, and systems open to compromise by threat actors
CASE STUDY 3 - Hybrid ICS Threat Detection

- Behavior-based anomaly detection enriched with an A.I. and analytics engine
- Rule-based analysis (Yara rules, packet rules, etc.) for threat hunting
- Signature assertions & queries with out-of-the-box and custom functions
CASE STUDY 3 - Hybrid ICS Threat Detection

NEW INCIDENT
- A new communication is detected
- A "rogue" MAC address is identified
- A new Modbus connection is detected

INCIDENT DETAILS
- A Modbus Reprogram Command is detected
- pcap traces of the attack are automatically generated

Thanks to Anomaly Detection, all deviations from the baseline can be alerted at different levels.
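The two-phase scheme the case study describes (a traffic baseline learned passively, then rule-based checks on top of it, with alerts at different levels for a new MAC, a new communication, a new Modbus connection and a Modbus write) can be sketched in a few dozen lines. The Python below is an added illustration, not Nozomi Networks code and not a description of SCADAguardian's internals: the flow records, MAC and IP addresses, the severity levels and the choice of standard Modbus write function codes as the "reprogram" rule are all constructed assumptions for the example.

```python
"""Toy hybrid ICS detector: a learned traffic baseline plus static rules.
Added illustration, not Nozomi Networks code. Flow records are constructed
one-line summaries of requests; a real deployment would derive them from a
passive network tap."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

MODBUS_PORT = 502
# Standard Modbus function codes that change PLC state (coil/register writes).
# Treating a write from a host that never wrote during learning as a
# "reprogram" event is this example's rule, not a statement about the product.
WRITE_FUNCTION_CODES = {0x05, 0x06, 0x0F, 0x10}
SEVERITY = {"critical": 0, "high": 1, "medium": 2}

Link = Tuple[str, str]  # (src_ip, dst_ip)


@dataclass(frozen=True)
class Flow:
    src_mac: str
    src_ip: str
    dst_ip: str
    dst_port: int
    function_code: Optional[int] = None  # None for non-Modbus traffic


@dataclass
class Baseline:
    macs: Set[str] = field(default_factory=set)
    links: Set[Link] = field(default_factory=set)         # who talks to whom
    modbus_links: Set[Link] = field(default_factory=set)  # Modbus client -> server
    writers: Set[Link] = field(default_factory=set)       # links that carried writes

    def learn(self, flows: List[Flow]) -> "Baseline":
        """Learning phase: everything observed here is accepted as normal."""
        for f in flows:
            self.macs.add(f.src_mac)
            self.links.add((f.src_ip, f.dst_ip))
            if f.dst_port == MODBUS_PORT:
                self.modbus_links.add((f.src_ip, f.dst_ip))
                if f.function_code in WRITE_FUNCTION_CODES:
                    self.writers.add((f.src_ip, f.dst_ip))
        return self


def detect(baseline: Baseline, flow: Flow) -> List[Tuple[str, str]]:
    """Protection phase: (level, message) alerts for one flow, most severe first."""
    alerts = []
    link = (flow.src_ip, flow.dst_ip)
    if flow.src_mac not in baseline.macs:
        alerts.append(("high", f"rogue MAC {flow.src_mac} seen as {flow.src_ip}"))
    if link not in baseline.links:
        alerts.append(("medium", f"new communication {flow.src_ip} -> {flow.dst_ip}"))
    if flow.dst_port == MODBUS_PORT and link not in baseline.modbus_links:
        alerts.append(("high", f"new Modbus connection {flow.src_ip} -> {flow.dst_ip}"))
    if flow.function_code in WRITE_FUNCTION_CODES and link not in baseline.writers:
        alerts.append(("critical", f"Modbus write fc=0x{flow.function_code:02X} "
                                   f"from {flow.src_ip} to {flow.dst_ip}"))
    return sorted(alerts, key=lambda a: SEVERITY[a[0]])


def triage(baseline: Baseline, flows: List[Flow]) -> List[Dict]:
    """One incident per alerting flow; the flow itself is kept as evidence,
    standing in for the automatically generated pcap trace."""
    incidents = []
    for f in flows:
        alerts = detect(baseline, f)
        if alerts:
            incidents.append({"evidence": f, "alerts": alerts})
    return incidents


# Constructed learning traffic: HMI and historian read, engineering station writes.
LEARNING = [
    Flow("aa:bb:cc:00:00:01", "10.0.1.10", "10.0.2.20", 502, 0x03),  # HMI reads registers
    Flow("aa:bb:cc:00:00:02", "10.0.1.11", "10.0.2.20", 502, 0x10),  # EWS writes registers
    Flow("aa:bb:cc:00:00:03", "10.0.1.12", "10.0.2.20", 502, 0x03),  # historian reads
    Flow("aa:bb:cc:00:00:01", "10.0.1.10", "10.0.1.12", 443),         # HMI -> historian
]
BASELINE = Baseline().learn(LEARNING)

# Constructed protection-phase traffic: one routine read, one unknown host writing.
PROTECTION = [
    Flow("aa:bb:cc:00:00:01", "10.0.1.10", "10.0.2.20", 502, 0x03),
    Flow("de:ad:be:ef:00:99", "10.0.1.99", "10.0.2.20", 502, 0x10),
]

if __name__ == "__main__":
    for incident in triage(BASELINE, PROTECTION):
        print("NEW INCIDENT, evidence:", incident["evidence"])
        for level, msg in incident["alerts"]:
            print(f"  [{level}] {msg}")
```

Run as a script, the block reports one incident, for the unknown host, with the critical Modbus write first and the rogue-MAC, new-Modbus-connection and new-communication alerts below it; the routine HMI read raises nothing. The same structure is what makes the baseline approach useful for troubleshooting: a known host issuing an unexpected write on a known link produces only the single critical alert, so the operator sees what changed rather than a flood of low-level deviations.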
Common Discovery: Level 1 & 2 Devices Connected to the Internet
Identifies potential threat actor access points into the network

Less-Common Discovery: An Infected Network
Detects known malware and ransomware at all three phases of attack (infection, reconnaissance and lateral movement)

Common Discovery: Abnormal Device Behavior
Detects when assets and processes are deviating from normal and moving toward states that could disrupt operations

Hybrid ICS Anomaly Detection
Rule-based analysis allows you to identify known attacks and malware in real time
Reduce Troubleshooting & Remediation Effort

[Screenshot: Links and Contents views]

Alert - Network Visualization and Monitoring
.... and create your own alerts, for example: Link Persistency
Alert - Network Visualization and Monitoring
.... and create your own alerts, for example: Public Connections
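A custom alert of the "Public Connections" kind (the same finding as the Level 1 & 2 Devices Connected to the Internet discovery earlier in the deck) reduces to an inventory lookup plus an address-class check. The Python below is an added example, not product code: the Purdue-level inventory, the flow summaries and the addresses are constructed for the illustration. The one caveat it handles is that multicast and RFC 1918 peers can look "external" to an operator but are not Internet connections, so only global unicast addresses count.

```python
"""Custom alert: Purdue level 1/2 assets talking to Internet addresses.
Added example, not Nozomi Networks code. The asset inventory and flow
summaries are constructed for the illustration."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed inventory: IP -> Purdue level (1 = PLC/RTU, 2 = HMI/SCADA, 3 = site ops).
ASSET_LEVELS: Dict[str, int] = {
    "10.0.2.20": 1,   # PLC
    "10.0.1.10": 2,   # HMI
    "10.0.3.50": 3,   # site engineering workstation
}

FlowSummary = Tuple[str, str, int]  # (src_ip, dst_ip, dst_port)


def is_internet_peer(ip: str) -> bool:
    """True only for routable public unicast. RFC 1918, loopback, link-local
    and multicast peers may look 'external' to an operator but are not
    Internet connections, so they must not raise this alert."""
    addr = ipaddress.ip_address(ip)
    return addr.is_global and not addr.is_multicast


def public_connection_alerts(assets: Dict[str, int], flows: List[FlowSummary],
                             max_level: int = 2) -> List[Tuple[str, str, int]]:
    """(asset_ip, internet_peer, dst_port) for every flow, in either direction,
    where an inventoried asset at or below max_level talks to the Internet."""
    alerts = []
    for src_ip, dst_ip, dst_port in flows:
        for local, peer in ((src_ip, dst_ip), (dst_ip, src_ip)):
            level = assets.get(local)
            if level is not None and level <= max_level and is_internet_peer(peer):
                alerts.append((local, peer, dst_port))
    return alerts


# Constructed flow summaries.
FLOWS: List[FlowSummary] = [
    ("10.0.1.10", "10.0.2.20", 502),         # HMI polling the PLC: expected
    ("10.0.1.10", "8.8.8.8", 53),            # HMI resolving names on the Internet: alert
    ("1.2.3.4", "10.0.2.20", 502),           # inbound Modbus from a public address: alert
    ("10.0.2.20", "239.255.255.250", 1900),  # PLC multicast discovery: not the Internet
    ("10.0.3.50", "9.9.9.9", 53),            # level-3 workstation: outside this rule's scope
]

if __name__ == "__main__":
    for asset, peer, port in public_connection_alerts(ASSET_LEVELS, FLOWS):
        print(f"ALERT public connection: asset {asset} <-> {peer} (dst port {port})")
```

The direction-agnostic loop matters: an inbound Modbus request from a public address to a PLC is a stronger signal than an outbound DNS lookup from an HMI, and a rule that only inspected the source side would miss it. Raising `max_level` to 3 widens the rule to site-level workstations when the policy calls for it.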
Nozomi Networks Central Management Console (CMC)

Easily manage cyber security for hundreds of distributed industrial installations with consolidated and remote access to your ICS data from SCADAguardian and SCADAguardian Advanced appliances.

- Immediate visualization of industrial networks, with real-time network visualization and flexible navigation and filtering.
- Consolidated, comprehensive OT threat monitoring, with up-to-the-minute threat and vulnerability detection and best-in-class ICS threat detection.
- Reduce troubleshooting and forensic efforts, with effective, efficient incident response and informative insights and querying.
- Fast ROI with swift deployment in days and weeks, and immediate ICS visibility, cyber security and reliability.
- Centralized monitoring of distributed industrial facilities, with aggregated summaries and details by remote site.
Multitenant OT Cybersecurity Protection: SCADAguardian and Central Management Console (CMC)

- Multitenant CMC for large distributed / hierarchical enterprise deployments
- Supports MSSPs for the scalable management of many customers/sites
- A single instance of the CMC can monitor, manage & remediate threats for numerous industrial installations or customers
Support Multi-tenant Deployments

[Diagram: multi-tenant deployment. Labels: Control Room; Area 1 Control Room (Onshore); Area 2 Control Room (Onshore); CMC (x3); Switch; HMI; Local SCADA; PLC (x3); RTU (x3); Replicated Historian; Corporate Firewall; Remote Access; Central Management Console (CMC); SIEM; Firewall (x2); Historian; DNS; Jump Box; Patching Server; Web; Firewall; Switch; HMI; Local SCADA]
Nozomi Networks SCADAguardian Advanced

SCADAguardian Advanced extends the value of SCADAguardian with Smart Polling – a precise, low-volume active technology that provides a complete set of ICS data for full asset inventory and advanced network monitoring.

- Discovers firmware versions and patch levels for a full asset inventory, providing accurate, deep details.
- Improves network monitoring, threat detection and vulnerability assessment for faster, more efficient response.
- Provides maximum control, with easy-to-use default configuration, or manual options for applying Smart Polling to specific devices and network segments.
- Flexible adoption options – deploy SCADAguardian Advanced or begin with passive SCADAguardian and migrate to active later.
- Uses Smart Polling™ for precise asset inventory, vulnerability assessment and ICS network monitoring.
Nozomi Networks OT ThreatFeed

Delivers up-to-date, contextual threat information that helps you effectively detect threats and identify vulnerabilities.

- Timely detection of known and emerging threats and vulnerabilities – curated by Nozomi Networks Labs.
- Full threat analysis and vulnerability assessment of your environment – without the cost and complexity of maintaining multiple tools.
- Up-to-date threat information that's fully integrated into SCADAguardian and SCADAguardian Advanced.
- Respond faster to threats with complete network visibility and contextual threat information.
Technology Alliances

Partner categories: SIEMs; MDR / MSSPs; Analytics / Other IT Security Tools; ICS / OT
Broad Support for Industrial Control Systems and ICS / IT Protocols

Industrial Protocols: ABB PGP2PGP, Aspentech Cim/IO, BACNet, Beckhoff ADS, BSAP IP, CC-LINK IE, CEI 79-5/2-3, COTP, DNP3, Emerson DeltaV, Enron Modbus, EtherCAT, EtherNet/IP - CIP, Foundation Fieldbus, Foxboro IA, Generic MMS, GE EGD, GE iFix2iFix, GE SRTP, GOOSE, Honeywell Experion protocols, Kongsberg Net/IO, IEC 60870-5-7 (IEC 62351-3 + IEC 62351-5), IEC 60870-5-104, IEC-61850 (MMS, GOOSE, SV), IEC DLMS/COSEM, ICCP, Modbus/RTU, Modbus/TCP, Modbus/TCP - Schneider Unity extensions, MQTT, OPC, OPC UA, PCCC, PI-Connect, Profinet/DCP, Profinet/I-O CM, Profinet/RT, ROC, Sercos III, Siemens S7, S7 Plus, Telvent OASyS DNA, Triconex TSAA, Vnet/IP

IT Protocols: ARP, Bittorrent, BROWSER, CDP, DCE-RPC, DHCP, DNS, DRDA (IBM DB2), Dropbox, eDonkey (eMule), FTP, FTPS, GVCP, HTTP, HTTPS, ICMP/PING, IGMP, IKE, Indigo Vision, IMAP, IMAPS, ISO-TSAP/COTP, Kerberos, KMS, LDAP, LDAPS, LLDP, LLMNR, MDNS, Mitsubishi Melsoft, Mitsubishi SLMP, NTP, MS SQL Server, MySQL, NetBIOS, OSPF, POP3, PTPv2, RDP, STP, RTCP, RTP, SSH, SNMP, SMB, SMTP, SSDP, Symantec Endpoint Manager, Syslog, TeamViewer, Telnet, TNS, VNC

ICS Vendors: [vendor logos]

New protocols and vendors are being added to the support matrix on a continuous basis. For current information, visit: nozominetworks.com/techspecs
Physical Appliances

| | NSG-M 1000 | NSG-M 750 | NSG-L 250 | NSG-L 100 | NSG-R 150 | R50A |
|---|---|---|---|---|---|---|
| SCADAguardian model | NSG-M 1000 | NSG-M 750 | NSG-L 250 | NSG-L 100 | NSG-R 150 | R50A |
| SCADAguardian Advanced model | NSG-M 1000A | NSG-M 750A | NSG-L 250A | NSG-L 100A | NSG-R 150A | R50A |
| Description | A powerful appliance for very large, demanding scenarios | A rack-mounted appliance for large scenarios | A rack-mounted appliance for medium scenarios | A rack-mounted appliance for small scenarios | A rugged rack-mounted appliance for medium scenarios | A rugged DIN-rail mounted appliance for small scenarios |
| Form factor | 1 rack unit | 1 rack unit | 1 rack unit | 1 rack unit | 2 rack units | DIN mountable |
| Monitoring ports | 7 RJ45 + 4 SFP | 7 RJ45 + 4 SFP | 5 RJ45 | 5 RJ45 | 7 RJ45 | 4 RJ45 |
| Expansion slot | 1 (1) | 1 (1) | 1 (1) | 1 (1) | n.a. | n.a. |
| Max protected nodes | 10,000 | 2,500 | 750 | 300 | 500 | 200 |
| Max throughput | 1 Gbps | 500 Mbps | 200 Mbps | 100 Mbps | 200 Mbps | 50 Mbps |
| Storage | 256 GB | 256 GB | 64 GB | 64 GB | 64 GB | 64 GB |
| H x W x L (mm) | 44 x 429 x 438 | 44 x 429 x 438 | 44 x 438 x 300 | 44 x 438 x 300 | 88 x 440 x 301.2 | 80 x 130 x 146 |
| H x W x L (in) | 1.73 x 16.89 x 17.24 | 1.73 x 16.89 x 17.24 | 1.7 x 17.2 x 11.8 | 1.7 x 17.2 x 11.8 | 3.46 x 17.3 x 118.58 | 3.15 x 5.11 x 5.74 |
| Weight | 14 kg | 14 kg | 8 kg | 8 kg | 6 kg | 3 kg |
| Max power consumption | 360 W | 360 W | 250 W | 250 W | 250 W | 60 W |
| Power supply type | 110-240 V AC | 110-240 V AC | 110-240 V AC | 110-240 V AC | Dual power mode: 90-264 V AC / 100-300 V DC | 12-36 V DC |
| Temperature range | 0 / +45 °C | 0 / +45 °C | 0 / +40 °C | 0 / +40 °C | -40 / +70 °C | -40 / +70 °C |
| Compliance | RoHS | RoHS | RoHS | RoHS | RoHS, IEC 61850-3, IEEE 1613 | RoHS |
| Certifications | CE, FCC, UL | CE, FCC, UL | CE, FCC, UL | CE, FCC, UL | CE, FCC | CE, FCC, UL |

(1) The expansion slot can host either 4 additional RJ45 ports or 4 additional SFPs.
Virtual Appliances

| Model | V1000 | V750 | V250 | V100 | V50 |
|---|---|---|---|---|---|
| Description | A powerful appliance for very large, demanding scenarios | A virtual appliance for large scenarios | A virtual appliance for medium scenarios | A virtual appliance for small scenarios | A virtual appliance for very small scenarios |
| Installation specs | Hyper-V 2012+, KVM 1.2+, VMware ESX 5.x+, XEN 4.4+ (all models) | | | | |
| Monitoring ports | Unlimited (**) | 4 | 4 | 4 | 4 |
| Max throughput | 300 Mbps (single figure listed for the row) | | | | |
| Max protected nodes | 5,000 | 1,000 | 500 | 200 | 200 |
| Storage | 100+ GB (all models) | | | | |

Container Edition
Model: SCADAguardian Advanced Container Edition
Description: Embedded container application for switches, routers and other security infrastructure. Fast, flexible deployment option that leverages hardware units.
Central Management Console (CMC)

Summary: Consolidated and remote ICS cybersecurity and visibility for distributed industrial sites.
Installation specs: Amazon AWS AMI, Hyper-V 2012+, KVM 1.2+, VMware ESX 5.x+, XEN 4.4+
Max managed appliances: Unlimited (*)
Storage: 100+ GB
Updates: Optionally connects to the Nozomi Networks customer portal site for CMC, SCADAguardian, SCADAguardian Advanced and OT ThreatFeed updates. Provides advance, upgrade and rollback version control.
(*) Based on infrastructure.

Questions?