What’s New in Nozomi Networks v19.0 ICS Security Solution

This post was updated on March 3, 2020.

Cyberattacks on industrial control systems continue to make headlines around the world (Triton, LockerGoga, Industroyer to name a few…). And to make things worse, over one-third of organizations with ICS environments reported that they weren’t sure if their systems had been infiltrated in the last year – suggesting a real need for security monitoring and threat detection in those environments. With this in mind, we began working on our vision for v19.0…

At Nozomi Networks, we believe that having full visibility into your environment is key to reducing cyber risk. But true visibility goes beyond SCADA – it means bridging the gap between IT, OT, and IoT. In v19.0, our primary focus is on expanding – how can we help you expand past the lines of ICS and manage security in a more holistic and efficient way.

New Name, Same Great Solution

From SCADA systems to Smart Cities, the need for cybersecurity spans all environments. The Nozomi Networks solution has always gone far beyond SCADA, but our product name hasn’t always shown that. So, to better reflect the scope of the solution, we’ve changed the name of our flagship product to Guardian™ (previously SCADAguardian).

The Nozomi Networks v19.0 solution showing new product names and its scalable, modular architecture.

Along the same lines, we’ve also renamed our active asset discovery solution to Smart Polling™ (previously SCADAguardian Advanced). Rather than being a completely separate product, Smart Polling is now available as an add-on module for Guardian.

While the names may have changed for both products, the core technology and functionality remains the same (with some enhancements in v19.0, of course!).

New Features & Improvements in v19.0

With a strong focus on end-to-end visibility and cybersecurity, we’ve added quite a few new features and improvements in our latest release. Let’s take a quick look at what’s new in v19.0:

Extend Your Reach with Remote Collectors

Not all environments are created equal – especially in ICS. Whether you have locations offsite or even offshore, you still need to monitor that part of your network for threats. As part of v19.0, we’ve introduced Remote Collectors – cost-effective, low-resource appliances to help you gather asset and network data from those hard-to-reach locations. Once deployed, Remote Collectors send data to Guardian for analysis and reporting.

Extend ICS threat and network monitoring to remote and unmanned locations using low-resource Remote Collectors.

Get Insight into Your Compliance Risk & Security Posture with New Built-In Reports

Achieving regulatory compliance was ranked as a top business concern this year for organizations with ICS environments. In the latest release, we’ve made it easier for you to quickly build and run custom reports across all the data in your environment.

And, starting in v19.0, you’ll get access to new built-in reports that provide visibility into your current security posture and help you understand your compliance risk. Reports for Asset Inventory and CIS Controls for Industrial Control Systems now come out-of-the-box for Guardian. We’ll continue to build out our library with more reports over the next few months… Stay tuned!  

Asset Inventory and CIS Controls reports: new built-in reports for compliance and asset inventory help you efficiently improve your organization’s security posture.

Automate Incident Response with New Cisco Integrations

Threats evolve quickly and can move through your environment at a rapid pace. And, as we all know, the more time that passes between compromise and containment, the more likely you are to encounter a breach.

To speed up incident response time and help reduce your time to remediation, we’ve added integrations with Cisco ASA and Cisco Firepower Threat Defense (FTD) that automate response actions for suspicious activities. By connecting your Cisco device to Guardian, you can automate the following actions based on alerts in your environment:

  • Prevent new devices from joining the network
  • Block newly attempted connections between devices on your network
  • Kill suspicious sessions from the firewall

It’s easy to integrate the Nozomi Networks solution with security infrastructure, and v19.0 adds new Cisco integrations that automate incident response.

Centralize Access Controls with Aruba Clearpass & Cisco ISE Integrations

It’s no secret: the greatest threat to your security posture is people. Whether it’s external actors targeting your systems or a simple mistake made by Karen in accounting, “people” carry the greatest risk to securing your environment. Through our integrations with Aruba ClearPass and Cisco ISE, security teams now have full visibility and access control across all their IT and OT networks.

Know What’s Happening on Your Windows Assets

SANS 2019 State of OT/ICS Cybersecurity reported that server assets running commercial OS (Windows, Unix, Linux) create the highest risk for ICS organizations in 2019 – mostly due to the use of legacy OS and infrequent patching. For those of us coming from the IT world, the thought of someone still running Windows XP or even Windows 2000 sounds like a nightmare, but these operating systems are commonplace on the OT floor.

As you think about your ICS security plan, it’s critical that you factor in these assets and monitor them for risks and potential attacks. In v19.0 of the Smart Polling add-on, you can now collect data from the Windows devices in your environment.

Reduce ‘the Noise’ with New Alerting Profiles

Alert fatigue is a real issue for security teams worldwide. Regardless of your expertise, too many alerts can reduce your ability to detect threats and respond in a timely manner. In v19.0, we’ve added controls to help you manage the types of alerts you receive. With four new built-in profiles that are fully customizable, you can decide which alerts get displayed and which are silenced – helping you focus on what’s important.

Quickly Find What You’re Looking for with Simplified Queries

Data is only as good as the insights you can draw from it. To help you get the most out of your Guardian deployment, we’ve made it easier to ask questions about the data in your environment using our new Query Builder. Beyond just finding answers, queries can be transformed into charts and graphs, and used for custom dashboards and reporting. For our advanced users out there, don’t worry – you can still create more complex queries using the existing query syntax.

Guardian’s new Query Builder simplifies reporting and dashboard creation.

More Protocols, Less Problems

Getting visibility into the assets and equipment used in industrial environments is not a trivial task. In fact, less than a third (28%) of organizations are collecting data from their control systems. Unlike traditional IT environments that typically operate using TCP/IP, industrial control systems use hundreds of specialized protocols throughout the network. In an effort to continuously support the different assets and equipment found in those environments, we’re adding new protocol support on a regular basis.

Here are just a few of the ones included in the v19.0 release:

  • ABB TotalFlow
  • Foxboro IA
  • GE Cimplicity Replica
  • GE Cimplicity View
  • GE EGD
  • GE Mark VI
  • GE Toolbox
  • Mitsubishi Melsoft
  • Mitsubishi SLMP
  • OPC-UA
  • Siemens CAMP
  • Weatherford Cygnet SCADA
  • Wonderware SuiteLink DA
  • ZMTP

To see the full list of supported protocols, check out our protocol support library.

Reduce the Overhead of Managing Multiple Sites with New CMC Appliance Management Interface

Time is money, and your time is best spent focused on managing the risk and security of your ICS environment, not managing the technology behind it. That’s why we’ve made it a priority to simplify the management of your deployment through our Centralized Management Console. And, we’ll be investing quite a bit over the next few releases to expand the use cases addressed by the CMC and make it more robust.

The first step on our improvement roadmap is to simplify and improve the usability of the appliance management dashboard. In v19.0, you’ll be able to easily see the hierarchy of your deployment and health status of each of your appliances. Additionally, you can easily manage updates across appliances. Stay on the lookout for more improvements coming to the CMC soon!

Improved appliance management visualization in the CMC is one way v19.0 makes it easier to manage your Nozomi Networks deployment.

New Tools for Detecting Emerging Threats & ICS Zero-Days in Threat Intelligence

Although it’s not technically tied to v19.0, since Threat Intelligence is updated on a regular basis (a few times per week), I felt it was important to call out some of the work that’s been done over the past few months. Threat Intelligence is our award-winning subscription that helps you better identify vulnerabilities and detect threats in your environment.

Over the past few months, our team of security researchers at Nozomi Networks Labs has been hard at work analyzing new threats and developing tools to help you detect suspicious activities in your environment.

  • 800+ new rules, signatures, and indicators added for threats like BlackEnergy, DeltaCharlie, LockerGoga, Palevo, Phobos, SmashingCoconut, and more
  • 2 zero-day vulnerabilities discovered by Nozomi Networks Labs and published by ICS-CERT in the last 3 months:
      • Rockwell PLC (ICSA-19-120-01)
      • Mitsubishi PLC (ICSA-19-141-02)
  • 2019 Infosec Award Winner for Threat Intelligence

The Threat Intelligence subscription improves threat detection with threat intelligence from Nozomi Networks Labs.

Improve Your Security Expertise with Nozomi Networks Certified Engineer Course

In 2019, one-third of organizations are planning to invest in cybersecurity education and training for IT, OT, and hybrid IT/OT personnel. The Nozomi Networks Certified Engineer Training course is the perfect first step towards improving cybersecurity knowledge for IT and OT personnel. In the past few months, we’ve invested in improving the Nozomi Networks Certified Engineer Training Course – a three-day, instructor-led program held at your location of choice. The course consists of many hands-on scenarios designed to help you leverage the Nozomi Networks solution to achieve a high level of ICS cybersecurity and operational intelligence.

Learn more about the Nozomi Networks Certified Engineer Training Course.

For more details on these enhancements, join us for our upcoming webinar on “What’s New in Nozomi Networks v19.0” on July 30th.