Real-Time Visibility and Threat Detection for Manufacturing Using Nozomi Networks Vantage on AWS

This post has contributions from Karthik Srinivasan, Worldwide Head of Operations Technology, AWS.

Industrial systems in manufacturing are evolving to become more digital, cloud-connected and globally distributed. While manufacturers work to harness the potential of IoT systems at scale, they must also manage the cybersecurity risk these systems introduce. They face the challenge of securing heritage OT environments, which rely on equipment and communication protocols not built with security in mind. Devices in these environments are commonly in use well beyond their end of support dates, and organizations may be lacking OT security skillsets or processes. And finally, there is growing recognition that cloud networks need access to physical, real-world data.

Nozomi Networks helps manufacturers address these visibility and cybersecurity challenges at scale as an AWS Partner Solution for Manufacturing & Industrials. Our Vantage SaaS solution, hosted on AWS, is designed to give AWS customers a seamless platform for aggregating, analyzing and monitoring OT systems and data in the cloud with flexible deployment options ideally suited for physical processes.

Below, we’ll share how the Nozomi Networks platform delivers unmatched OT security and visibility to manufacturers by combining network-based and host-based data collection methods at the edge with AI/ML models hosted on Vantage in AWS.

Nozomi Networks Platform Overview

The Nozomi Networks platform allows manufacturers to maintain a real-time asset inventory of their OT and IoT environments, alongside vulnerability registry, anomaly-based and signature-based threat detection, endpoint monitoring and suspicious USB detection.

In a typical manufacturing system deployment, Nozomi Networks Guardian and Arc sensors are deployed at critical locations for monitoring and threat detection. Findings from these deployed sensors – such as real-time asset inventory, vulnerability data and alerts – are aggregated into the Nozomi Networks Vantage cloud management platform, hosted in AWS. Vantage IQ, an AI/ML-based security engine, extends Vantage capabilities for deeper analytics and more automation.

In a manufacturing environment, data from Guardian and Arc sensors is aggregated into Nozomi Networks Vantage in AWS.

The Nozomi Networks Guardian network sensor monitors manufacturing system traffic traversing OT network switches and is available in multiple hardware form factors, including virtualized and embedded editions. Deep packet inspection is performed to identify devices and their known vulnerabilities, extract process variable values (such as flow rates, temperature readings and manufacturing system setpoints), and develop a digital twin that represents typical manufacturing system behavior. Changes – such as atypical flow rates, changes to controller programs, and new device connections on the network – are automatically detected, as are matches to known malicious signatures.

The Nozomi Networks Arc endpoint sensor is lightweight software that installs onto Windows, Linux and macOS devices in the manufacturing environment, such as maintenance laptops, engineering workstations, historian servers and SCADA servers. Arc sensors monitor all network communications to the endpoint, analyze operating system log entries for indications of malware or rogue applications, detect suspicious USB devices, and track user activity.

Nozomi Networks Vantage is a cloud-based OT/IoT network security solution that aggregates and analyzes the network and endpoint data from Nozomi Networks sensors. With Vantage, users have visibility across their networks to monitor any number of devices in one centralized place. Intuitive dashboards enable users to continuously visualize and monitor all OT/IoT assets, protocols, and vulnerabilities to help eliminate critical blind spots.

As manufacturing organizations grow, Vantage on AWS can easily scale without compromising on performance and with minimal increased costs. Deployments are simplified as fewer administrative resources are required to manage multiple sites and the large number of sensors.

Leveraging AI-Powered Analytics for Manufacturing Systems Security

The enhanced value of the Nozomi Networks and AWS solution for manufacturing and industrials is derived from the advanced analytics performed in Vantage. Our AI engine – Vantage IQ – helps manufacturing OT security teams do more with less.

Nozomi Networks Vantage IQ ingests all data and findings collected from the sensors across all manufacturing systems and performs advanced analytics on real-time and historical data sets to identify patterns and outliers. The result is data translated into actionable information, streamlining the process for manufacturers to take action. In effect, Vantage IQ serves as a SOC analyst in the cloud.

An Insights dashboard in Vantage IQ provides a higher level of actionable intelligence that focuses priorities. For example, Vantage IQ will identify whether a higher frequency of high-severity alerts is being detected at a facility than is typical for it, pointing security teams to where investigative efforts should be focused. Data is correlated across Vantage to streamline forensic analysis, tuning and security enhancements.

Vantage IQ Insights highlight actionable information identified by advanced analytics based on real-time data.

Analytics in Vantage IQ, running on AWS, maximize the value of the security and monitoring solution – and by extension, the security team – by pinpointing data which would be most beneficial to focus efforts on, indicating how likely security risks are so teams can plan ahead, and more.

Reference Manufacturing Architecture on AWS

The diagram below shows the reference architecture for the Nozomi Networks platform. Nozomi Networks sensors are deployed in an on-premises manufacturing network, with data aggregation, analytics, and platform management components on AWS.

Nozomi Networks reference architecture deployed on-premises and on AWS.
  1. Level 0 comprises sensors and actuators, field devices, solenoid valves, and motors. This level also comprises IoT sensors and smart devices. Level 1 consists of Programmable Logic Controllers (PLC), Distributed Control Systems (DCS) Controllers, and Safety Instrumented System (SIS) that interface with the electromechanical devices in Level 0 to provide basic control.
  2. In Level 2, DCS servers, Supervisory Control and Data Acquisition (SCADA), and human-machine interfaces (HMIs) provide control and monitoring of the manufacturing process. Network traffic traversing the switches in the OT and IoT network is collected by Nozomi Networks Guardian sensors, with Remote Collectors available for remote sites. Arc sensors monitor endpoints in the OT and IoT environment. Network traffic and endpoint information is processed for real-time network visibility, anomaly-based threat detection and signature-based threat detection.
  3. Level 3 consists of line operator, engineering & supervisory workstations. Guardian and Arc sensors are deployed at this level for data collection.
  4. Level 3.5 denotes the demilitarized zone (DMZ) that separates the corporate network from the industrial control systems (ICS) environment through a firewall. One or more IoT gateways that collect wireless sensor data from Level 0 reside behind the firewall.
  5. Sensor data can be sent to a Nozomi Networks Central Management Console (CMC) hosted on Amazon EC2 for more centralized sensor management and reporting. CMCs residing in separate VPCs can enable multi-site access. The CMC can also be deployed on-premises depending on customer needs.
  6. Vulnerability and alert information, asset information, connected sensors and licensing are managed using Vantage SaaS in the Nozomi Networks VPC. Vantage IQ performs advanced analytics for forecasting, pattern detection and additional insights.
  7. The OT/IoT security event data from Vantage can be accessed via APIs from a security information and event management (SIEM) system or security operations center (SOC) that uses AWS Security Hub, Amazon GuardDuty, Amazon Macie, AWS CloudTrail, among other services.
  8. Syslog data associated with OT/IoT security events can be stored in an Amazon S3 data lake and analyzed using Amazon Athena, Amazon OpenSearch, and Amazon SageMaker. This, together with IT security data, provides a centralized view of all OT and IT security events to enable alerting and automatic remediation.
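To make concrete both the per-facility outlier check described under Vantage IQ Insights and the kind of analysis that can run over OT security events exported as syslog (step 8 above), here is an added example. It is not Nozomi Networks' code or the Vantage export format; the syslog field layout, site names, baseline counts and the z-score rule are all assumptions constructed for this illustration.

```python
import re
import statistics
from collections import defaultdict

# Constructed sample of syslog-style OT alert records. The "site=... severity=...
# type=..." layout is an assumption for this example, not the Vantage format.
SAMPLE_SYSLOG = """\
<134>Jun 03 08:12:01 vantage alert site=plant-a severity=HIGH type=new_node
<134>Jun 03 08:40:17 vantage alert site=plant-a severity=LOW type=new_node
<134>Jun 03 09:02:45 vantage alert site=plant-b severity=HIGH type=plc_program_change
<134>Jun 03 09:15:09 vantage alert site=plant-b severity=HIGH type=malware_signature
<134>Jun 03 09:31:52 vantage alert site=plant-b severity=HIGH type=anomalous_setpoint
<134>Jun 03 10:05:33 vantage alert site=plant-b severity=HIGH type=new_node
<134>Jun 03 10:20:10 vantage alert site=plant-c severity=MEDIUM type=usb_inserted
<134>Jun 03 11:44:28 vantage alert site=plant-c severity=HIGH type=new_node
"""

# Constructed baseline: HIGH-severity alert counts per site for the previous 7 days.
BASELINE = {
    "plant-a": [1, 0, 1, 1, 0, 1, 1],
    "plant-b": [1, 1, 0, 1, 1, 1, 0],
    "plant-c": [0, 1, 1, 0, 1, 0, 1],
}

LINE_RE = re.compile(r"site=(\S+) severity=(\S+) type=(\S+)")

def count_high_severity(syslog_text):
    """Parse alert lines and return {site: number of HIGH-severity alerts}."""
    counts = defaultdict(int)
    for line in syslog_text.splitlines():
        m = LINE_RE.search(line)
        if m is None:
            continue  # not an alert record; skip it
        site, severity, _alert_type = m.groups()
        if severity == "HIGH":
            counts[site] += 1
    return dict(counts)

def flag_outliers(todays_counts, baseline, threshold=3.0):
    """Return {site: z-score} for sites whose HIGH-alert count today exceeds
    that site's historical mean by more than `threshold` standard deviations."""
    flagged = {}
    for site, history in baseline.items():
        mean = statistics.fmean(history)
        sd = statistics.pstdev(history) or 1.0  # guard against a flat history
        z = (todays_counts.get(site, 0) - mean) / sd
        if z > threshold:
            flagged[site] = round(z, 2)
    return flagged

if __name__ == "__main__":
    print(flag_outliers(count_high_severity(SAMPLE_SYSLOG), BASELINE))
```

With the constructed data, plant-b (4 HIGH alerts against a typical 0 or 1 per day) is the only site flagged, which is the "more high-severity alerts than usual at this facility" signal the text describes.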

Nozomi Networks Vantage on AWS – a Perfect Cybersecurity Solution for Manufacturing

Nozomi Networks Vantage is designed to give AWS customers a seamless platform for aggregating, analyzing and monitoring OT systems and data in the cloud with a range of flexible, cost-effective deployment options ideally suited for physical processes. As an AWS Partner Solution for Manufacturing & Industrials, AWS customers who choose Vantage can benefit from enhanced cybersecurity monitoring, analytics, and asset intelligence across their global enterprises.

Nozomi Networks is the leader in OT & IoT security, deployed in manufacturing facilities worldwide. From day one, our solutions have been deeply rooted in addressing the complex requirements of the largest industrial and critical infrastructure environments. We’ve earned a global reputation for unmatched service, superior cyber and physical system visibility, advanced OT and IoT threat detection, and scalability across distributed environments.

You can learn more about the Nozomi Networks and AWS partnership on AWS Marketplace.