Nozomi Networks Finishes Strong in S4 ICS Detection Challenge

Nozomi Networks Finishes Strong in S4 ICS Detection Challenge

This article was updated on October 1, 2019.

Nozomi Networks has had a strong finish and was a top contender in the ICS Detection Challenge at the S4 conference.

This event brought together key vendors in passive ICS network monitoring and threat detection to take part in a first ever competition, which had two phases. Phase 1 involved analyzing the network traffic of a U.S. oil and gas installation to identify a high number of diverse assets. Then, in Phase 2, IT and ICS cyber incidents were introduced into the system, and were analyzed in a 2.5-hour timeframe.

Nozomi Networks finished a strong second in a competition that was very close, with the judges commenting on the unique strengths of each solution. The Nozomi Networks result comes just one week after we announced $15MM in Series B funding and a five-fold increase in customer acquisition in 2017. We now have more than 200 deployments across 5 continents, spanning energy, manufacturing, pharmaceuticals, chemicals, mining, utilities and other sectors.

We commend our competitors and the organizers for creating a contest that highlights what the latest ICS cyber security products bring to industrial cyber security programs.

The S4 ICS Detection Challenge

This Challenge was intended to help operators understand the value of passive ICS cyber security and operational visibility solutions. Here is how it was conducted.

  • Each team consisted of three people. The Nozomi Networks team included Andrea Carcano (CPO), Moreno Carullo (CTO) and Paul Smith (Technical Specialist)
  • We each connected our products to a SPAN port on a switch. Packet captures, or PCAPs were then played on switch, and copied to and analyzed by each team’s products.
  • In Phase I the goal was to identify the asset inventory of the system, which consisted of a pipeline SCADA system, a DCS at a terminal and some HMI / PLC installations at middle to small terminals. When the results of Phase I were announced, our results were described as “being more detailed and more accurate” than the other entrants.
  • In Phase II, a new PCAP was played and each team had to identify the IT and ICS cyber incidents it contained. More than 50 cyber incidents were included the in PCAP.
  • The S4 Challenge organizers did a lot of work to create the PCAPs that were used in this event.  They noted however, that the Challenge was “harder than the real world” because of the limited time duration of the sample and the lack of context, including not knowing the points in the process where the sensor the traffic came from. Our solution had only 50 minutes of data to learn the system, whereas normally our neural networks undergo a learning period of two days to two weeks.

ICS Cyber Security and Operational Visibility for the Real-world

In line with our robust showing at S4, when tested head-to-head against our competitors in the field, our solution has a strong track record of winning. Guardian’s unique hybrid threat detection (behavior + signature), its ability to model and understand the industrial process, and its maturity and ease-of-use stand out. Coupled with our team’s intense focus on meeting and exceeding customer expectations, we have gained a reputation for excellence around the world.  

“The company won every product bake-off in which it participated in ’17 and the industry is taking note.”

Glenn Solomon, GGV Capital, Nozomi Networks investor

“FireEye’s recent discovery of Triton malware in the wild highlights how critical infrastructure facilities are increasingly at risk.

After extensive testing, we’ve partnered with Nozomi Networks because they provide the right solution customers need to detect these attacks at the earliest stages and minimize the impact before the safety and reliability of their critical operations is threatened.”

Grady Summers, CTO, FireEye

We commend our competitors who had the fortitude to participate in this event. This competition makes us all better and reinforces a larger mission to keep critical infrastructure safe.

We thank the organizers, particularly Eric Byres (ICS Secure) and Ron Brash. We respect the high technical skills and the large amount of work it took to create this contest.  Kudos to you, as well as to Dale Peterson (Digitalbond) and John Cusimano (aeSolutions), for this initiative.

Finally, we would like to give a big thank you to our customers in the field for the opportunities they have provided us and for their support. We look forward to winning more of you in 2018 and continuing to grow our market leadership!

To find out how the Nozomi Networks solution can improve ICS cyber security and operational visibility at your installation, request a demo today.


Following the event Dale Peterson, the S4 organizer, published two articles about the Challenge. In these articles he described problems with scoring system and concluded:

“I view Claroty, Nozomi Networks and Security Matters finishing together in a clump.”

Dale also called out Nozomi Networks level of detail, accuracy and helpfulness in both phases of the competition:

“Nozomi clearly provided the most detail in their asset inventory and was the only competitor to identify the key SCADA system.”

“… [it] was most notable in that only  Nozomi (congratulations) provided answers  and context related to the  Telvent OASyS DNA SCADA (the most critical ICS in this large environment).”