The Leading Solution for Real-time Cyber Security and...

The Leading Solution for Real-time Cyber Security and Visibility for

Industrial Control Networks

w w w . n o z o m i n e t w o r k s . c o m / C O N F I D E N T I A L

Who is Nozomi Networks?

2

October 2013

FOUNDED IN SWITZERLAND

Founder worked in a large Oil & Gas company

that lacked visibility and control over its ICS/OT

environment, needed a solution

CREATED TO ADDRESS MARKET NEED

Received European Union Commission Award to

research SCADA Security Threat

INITIAL GLOBAL RECOGNITION

Founders conducted PhD research on SCADA

Security/Malware and Artificial Intelligence

GROUNDED IN RESEARCH

MORENO CARULLOCTO and Co-Founder

PhD in Artificial intelligenceeXtreme Programming Expert

ANDREA CARCANOCPO and Co-Founder

PhD in CybersecuritySCADA Security Researcher & Expert


Nozomi Networks: The Leader in Industrial Cyber Security

3

+300,000 Monitored

+1,000 Global Installations

DEVICES

CUSTOMERS

Local Support

GLOBAL REACH

In 5 Continents

DEPLOYMENTS

POWER / ELECTRIC

CHEMICALS

PHARMACEUTICALS

OIL & GAS

MINING

MANUFACTURING

WATER

TRANSPORTATION

...and more.

European HQMendrisio, Switzerland

Global HQSan Francisco, USA

Sales OfficeSydney, Australia

Sales OfficeMunich, Germany

Sales OfficeLondon, England

Sales OfficeCalgary, Canada

Sales OfficeMilan, Italy

Sales OfficeRio de Janeiro, Brazil

Sales OfficeDubai, UAE

w w w . n o z o m i n e t w o r k s . c o m / C O N F I D E N T I A L 4

Industry Awards


Market Drivers

5

Safety (Personnel and Environmental)

Failure of cyber-physical system maintenance

and a safety systems (i.e. SIS)

Corporate Espionage State-sponsored or independently led IP theft,

corporate espionage and sabotage

Reputation Risk (indirect loss of revenue)

Degradation of company reputation due to data-

loss, system shutdown and safety negligence

National Security Responsibility Regulatory and tort responsibility to adhere to

regional and vertical standards and practice

Resilience & Uptime (direct loss of revenue)

Cyber-born or preventative maintenance

issues that result in system failure / downtime

IT/OT Convergence Interconnectedness of non-homogenous

systems, applications and platforms


Nozomi Networks SCADAguardian

6

Process NetworksControl Network SCADAguardian

SCADAguardian protects your control networks from cyber attacks and operational disruptions by providing unprecedented visibility and rapid detection of threats and process risks – in a completely passive way.

An appliance (physical or virtual) that passively and non-

intrusively connects to the industrial network

Listens to all traffic within the control and process networks,

passively analyzing it at all levels of the OSI stack (L1 to L7)

Uses artificial intelligence and machine learning techniques to

create detailed behavior profiles for every device according to the

process state to quickly detect critical state conditions

Provides best-in-class network visualization, asset management,

ICS anomaly intrusion, vulnerability assessment, as well as

dashboards and reporting


Industrial Organizations Require Particular OT Capabilities

7

Rapidly Detect Cyber

Threats/Risks and Process

Anomalies

Quickly Monitor ICS

Networks and Processes

with Real-time Insight

Significantly Reduce

Troubleshooting and

Forensic Efforts

Accurately Visualize the

Network and Automatically

Track Industrial Assets

Reliably Monitor

Multinational

Installations

Centrally or Remotely

Secure Large, Distributed

Industrial Networks


Nozomi Networks - Our Mission

8

Rapidly DetectVulnerabilities, Threats &

Incidents

ReduceTroubleshooting &

Remediation Efforts

Achieve Complete Visibilityinto Your OT Network

Successfully Deploy at

Scale in the Largest

Distributed Environments

Agile Development & Integrations with Rapid

New Protocol Support

Centrally Monitor &

Control Distributed

Networks


Network Visualization and Monitoring

9



10

Nodes Variables

Go deep in details…



11

Links Contents

Go deep in details…


Serious Networking Issues

12


Asset Inventory

13

OT Vendor, Product, Serial

Firmware version of the PLCs

Operating System


Asset Inventory

14

Firmware version of the PLCs

Hardware Components

Product Name Vendor

Vulnerabilities


Common Discovery: Software Vulnerabilities

15

Identifies high risk vulnerabilities open to exploitation


Common Discovery: Multiple OS/Firmware Versions

Identifies opportunities to reduce operational risk by closing vulnerability gaps


Common Discovery: Unknown & Misconfigured Devices

17

Identifies device misconfigurations and possible indicators of compromise by threat actors


Common Discovery: Unencrypted / Weak Credentials

18

Detects default and easily guessed credentials, and systems open to compromise by threat actors



19


Incidents


Remediation Efforts







Centrally Monitor &

Control Distributed

Networks


Behavior-based anomaly detection enriched with A.I

and analytics engine

Rule-based analysis, using (Yara, Packet, etc.)

for threat hunting

Signature assertions &queries with out-of-box

and custom functions

CASE STUDY 3 - Hybrid ICS Threat Detection


CASE STUDY 3 - Hybrid ICS Threat Detection

21

A new communication is detected

A ”rogue” MAC address is identified

A new Modbus connection is detected

INCIDENT DETAILSA Modbus Reprogram Command is detected

NEW INCIDENT

pcap traces of the attack are automatically

generated

Thanks to Anomaly Detection, all deviations from the baseline can be alerted at different levels


Common Discovery: Level 1 & 2 Devices Connected to the Internet

22

Identifies potential threat actor access points into the network


Less-Common Discovery: An Infected Network

23

Detects known malware and ransomware at all three phases of attack (infection, reconnaissance and lateral movement)


Common Discovery: Abnormal Device Behavior

24

Detects when asset and processes are deviating from normal, and moving toward states that could disrupt operations


Hybrid ICS Anomaly Detection

25

Rule-based analysis allows to you identify, in real-time, known attacks and malware



26


Incidents


Remediation Efforts







Centrally Monitor &

Control Distributed

Networks


Reduce Troubleshooting & Remediation effort

27

Links Contents


Alert - Network Visualization and Monitoring

28

Link Persistency

.... and create your own alerts, for example:


Alert- Network Visualization and Monitoring

29

Public Connections

.... and create your own alerts, for example:



30


Incidents


Remediation Efforts







Centrally Monitor &

Control Distributed

Networks


Nozomi Networks Central Management Console (CMC)

31

Easily manage cyber security for hundreds of distributed industrial installations with consolidated and remote access to your ICS data from SCADAguardian and SCADAguardian Advanced appliances.

Immediate visualization of industrial networks, with real-time

network visualization and flexible navigation and filtering.

Consolidated, comprehensive OT threat monitoring, with up-to-

the-minute threat and vulnerability detection and best-in-class

ICS threat detection.

Reduce troubleshooting and forensic efforts, with effective,

efficient incident response and informative insights and querying.

Fast ROI with swift deployment in days and weeks, and

immediate ICS visibility, cyber security and reliability.

Centralized monitoring of distributed industrial facilities, with

aggregated summaries and details by remote site.


Multitenant OT Cybersecurity ProtectionSCADAguardian and Central Management Console (CMC)

Multitenant CMC for large

distributed / hierarchical

enterprise deployments

Supports MSSPs for the

scalable management of

many customers/sites

A single instance of the

CMC can monitor, manage

& remediate threats for

numerous industrial

installations or customers


Control Room

33

Support Multi-tenant Deployments

CMC

CMC

Area 1

Control Room

Onshore

Area 2

Control Room

Onshore

CMC

Switch

HMI

Local

SCADA

PLC

PLC

PLC

RTU

RTU

RTU

Replicated

Historian

Corporate

Firewall

Remote

Access

Central

Management

Console (CMC)

SIEM

Firewall

Firewall

Historian

DNS

Jump

Box

Patching

Server

Web

FirewallSwitch

HMI

Local

SCADA


Nozomi Networks SCADAguardian Advanced

34

SCADAguardian Advanced extends the value of SCADAguardian with Smart Polling – a precise, low volume active technology that provides a complete set of ICS data for full asset inventory and advanced network monitoring.

Discovers firmware versions and patch levels for a full asset

inventory, providing accurate, deep details.

Improves network monitoring, threat detection and vulnerability

assessment for faster, more efficient response.

Provides maximum control, with easy-to-use default

configuration, or manual options for applying Smart Polling to

specific devices and network segments.

Flexible adoption options – deploy SCADAguardian Advanced or

begin with passive SCADAguardian and migrate to active later.

Uses Smart Polling™ for precise asset inventory, vulnerability

assessment and ICS network monitoring.


Nozomi Networks OT ThreatFeed

35

Delivers up-to-date, contextual threat information that helps you effectively detect threats and identify vulnerabilities

Timely detection of known and emerging threats and

vulnerabilities – curated by Nozomi Networks Labs.

Full threat analysis and vulnerability assessment of your

environment – without the cost and complexity of

maintaining multiple tools.

Up-to-date threat information that’s fully integrated into

SCADAguardian and SCADAguardian Advanced

Respond faster to threats with complete network visibility

and contextual threat information.


Technology Alliances

36

SIEMs MDR / MSSPs Analytics / Other ITSecurity Tools ICS / OT


Broad Support for Industrial Control Systems and ICS / IT Protocols

37

ABB PGP2PGP, Aspentech Cim/IO, BACNet, Beckhoff ADS, BSAP IP, CC-LINK IE, CEI 79-

5/2-3, COTP, DNP3, Emerson DeltaV, Enron Modbus, EtherCAT, EtherNet/IP - CIP,

Foundation Fieldbus, Foxboro IA, Generic MMS, GE EGD, GE iFix2iFix, GE SRTP, GOOSE,

Honeywell Experion protocols, Kongsberg Net/IO, IEC 60870-5-7 (IEC 62351-3 + IEC 62351-

5), IEC 60870-5-104, IEC-61850 (MMS, GOOSE, SV), IEC DLMS/COSEM, ICCP,

Modbus/RTU, Modbus/TCP, Modbus/TCP - Schneider Unity extensions, MQTT, OPC,

OPC UA, PCCC, PI-Connect, Profinet/DCP, Profinet/I-O CM, Profinet/RT, ROC, Sercos III,

Siemens S7, S7 Plus, Telvent OASyS DNA, Triconex TSAA, Vnet/IP

Industrial Protocols

ARP, Bittorrent, BROWSER, CDP, DCE-RPC, DHCP,

DNS, DRDA (IBM DB2), Dropbox, eDonkey (eMule),

FTP, FTPS, GVCP, HTTP, HTTPS, ICMP/PING, IGMP,

IKE, Indigo Vision, IMAP, IMAPS, ISO-TSAP/COTP,

Kerberos, KMS, LDAP, LDAPS, LLDP, LLMNR, MDNS,

Mitsubishi Melsoft, Mitsubishi SLMP, NTP, MS SQL

Server, MySQL, NetBIOS, NTP, OSPF, POP3, PTPv2,

RDP, STP, RTCP, RTP, SSH, SNMP, SMB, SMTP,

SSDP, STP, Symantec Endpoint Manager, Syslog,

TeamViewer, Telnet, TNS, VNC

IT Protocols

ICS Vendors

.New protocols and vendors are being added to the support matrix on a continuous basisFor current information, visit: nozominetworks.com/techspecs


Physical Appliances

SCADAguardian NSG-M 1000 NSG-M 750 NSG-L 250 NSG-L 100 NSG-R 150 R50A

SCADAguardian Advanced NSG-M 1000A NSG-M 750A NSG-L 250A NSG-L 100A NSG-R 150A R50A

Description A powerful appliance for very large, demanding scenarios

A rack-mounted appliance for large scenarios

A rack-mounted appliance for medium scenarios

A rack-mounted appliance forsmall scenarios

A rugged rack-mounted appliancefor medium scenarios

A rugged DIN-rail mounted appliance for small scenarios

Form Factor 1 Rack Unit 1 Rack Unit 1 Rack Unit 1 Rack Unit 2 Rack Units Din mountable

Monitoring Ports 7 RJ45 + 4 SFP 7 RJ45 + 4 SFP 5 RJ45 5 RJ45 7 RJ45 4 RJ45

Expansion slot 11 11 11 11 n.a. n.a.

Max Protected Node 10,000 2,500 750 300 500 200

Max Throughput 1 Gbps 500 Mbps 200 Mbps 100 Mbps 200 Mbps 50 Mbps

Storage 256 Gb 256 Gb 64 Gb 64 Gb 64 Gb 64 Gb

H x W x Lmm/in

44 x 429 x 438

1.73 x 16.89 x 17.24

44 x 429 x 438

1.73 x 16.89 x 17.24

44 x 438 x 300

1.7 x 17.2 x 11.8

44 x 438 x 300

1.7 x 17.2 x 11.8

88 x 440 x 301.2

3.46 x 17.3 x 118.58

80 x 130 x 146

3.15 x 5.11 x 5.74

Weight 14 Kg 14 Kg 8 Kg 8 Kg 6 Kg 3 Kg

Max Power Consumption 360W 360W 250W 250W 250W 60W

Power supply type 110-240V AC 110-240V AC 110-240V AC 110-240V ACDual Power Mode:

90-264V AC / 100-300V DC12-36V DC

Temperature ranges 0 / +45º C 0 / +45º C 0 / +40º C 0 / +40º C -40 / +70º C -40 / +70º C

Compliance RoHS RoHS RoHS RoHS RoHS, IEC 61850-3, IEEE 1613 RoHS

Certifications CE, FCC, UL CE, FCC, UL CE, FCC, UL CE, FCC, UL CE, FCC CE, FCC, UL

1 Expansion slot can host either 4 additional RJ45 ports OR 4 additional SFPs


Virtual Appliances

Model V1000 V750 V250 V100 V50

Description A powerful appliance for very large, demanding scenarios

A virtual appliance for large scenarios

A virtual appliance for medium scenarios

A virtual appliance for small scenarios

A virtual appliance for very small scenarios

Installation Specs Hyper-V 2012+, KVM 1.2+, VMware ESX 5.x+, XEN 4.4+

Monitoring Ports Unlimited (**) 4 4 4 4

Max Throughput 300 Mbps

Max Protected Node 5,000 1,000 500 200 200

Storage 100+ Gb

Model SCADAguardian Advanced Container Edition Description Embedded container application for switches, routers and other security infrastructure.

Fast, flexible deployment option that leverages hardware units.

Container Edition


Central Management Console (CMC)

Summary Consolidated and remote ICS cybersecurity and visibility for distributed industrial sites.

Installation Specs Amazon AWS AMI, Hyper-V 2012+, KVM 1.2+, VMware ESX 5.x+, XEN 4.4+

Max Managed Appliances

Unlimited (*)

Storage 100+ Gb

UpdatesOptionally connects to the Nozomi Networks customer portal site for CMC, SCADAguardian,

SCADAguardian Advanced and OT ThreatFeed updates. Provides advance, upgrade and rollback

version control.

(*) Based on infrastructure.

Domande?

The Leading Solution for Real-time Cyber Security and...

Documents

Transcript of The Leading Solution for Real-time Cyber Security and...