Select Page

Addressing U.S. Dept. of Energy Cybersecurity Considerations


Selecting an ICS Monitoring Solution that Meets/Exceeds
DOE Considerations

Escalating attacks on critical infrastructure have spurred the U.S. government to take numerous actions to accelerate improvements in cyber resiliency.

This includes a Department of Energy (DOE) initiative to improve the ICS cybersecurity of electric utilities. To that end, the DOE developed a set of 17 considerations for evaluating ICS/OT monitoring technology for the electricity subsector. They can be found here.

The Nozomi Networks solution helps you meet and exceed DOE recommendations.


Build a Secure Future Using the Solution Preferred by Global Electric Utilities

Electric utilities give Nozomi Networks the top score for operational technology security, as demonstrated in Gartner Peer Insights customer reviews. They acknowledge our:

  • Comprehensive OT and IoT visibility
  • Advanced threat detection
  • Accurate anomaly alerts
  • Proven scalability
  • Easy IT/OT integration
  • Global partner ecosystem
  • Exceptional customer engagement and support

Learn how we’re helping organizations like yours –simply click on the links to the right.

Meeting and Exceeding
the 17 DOE Considerations

According to DOE guidance, the U.S. government does not select, endorse or recommend any specific technology or provider as part of their initiative. Instead, each entity must assess and select the technology or provider that’s best for it.

Furthermore, the agencies that  developed the 17 DOE recommendations (CESER, CISA and the NSA) state:

The highest priority for the Industrial Control Systems (ICS) Cybersecurity Initiative is for owners and operators to enhance their detection, mitigation, and forensic capabilities.”

With that in mind, the table below lists each of the DOE considerations and describes how the Nozomi Networks solution addresses each of them.

Technology Built for ICS Networks and Protocols

Nozomi Networks Solution


Technologies built for ICS networks with integration compatibility with ICS protocols and communications.

“Nozomi Networks has superior ICS protocol support and asset visibility in their products. Nozomi is a good fit for electric utilities, oil and gas, and manufacturing companies worldwide.”

Forrester Research


Technologies that provide sensor-based continuous network cybersecurity monitoring, detection, and facilitate response capabilities for ICS/OT (i.e., the technology is ICS-focused and already understands ICS communications, such as deep packet inspection capabilities for ICS protocols).

  • Provides “always on” continuous monitoring of OT, IoT and IT protocols for assets from all vendors
  • Analyzes network communications using protocol-specific Deep Packet Inspection (DPI) for dozens of industrial protocols

  • Detects cybersecurity and process reliability threats

  • Accelerates incident response with actionable intelligence and time-saving response tools

Vantage - network visualization aid security and cyber security

Click to enlarge.

The Nozomi Networks Solution is Built for ICS Networks and Protocols

A key requirement for good cybersecurity is identifying all assets in the ICS environment and mapping the communications between them.

The Nozomi Networks solution automates asset inventory and provides real-time visualization that identifies communication and other issues. This improves situational awareness and accelerates incident response.

that Shares Information



Nozomi Networks CPO Andrea Carcano on why security incident information sharing needs to be vendor neutral:

U.S. v. Cyber Criminals: Critical Infrastructure Edition


Nozomi Networks CTO Moreno Carullo on how an open source incident reporting system, that preserves privacy, can be created. Plus, what Nozomi Networks is doing about it:

An Open Source Approach for Cybersecurity Information Sharing

Nozomi Networks Solution


Technology software that has a collective-defense capability/framework to allow the sharing of insights and detections rapidly with the Federal government, participants, and trusted organizations such as relevant information sharing and analysis centers (ISACs)/information sharing and analysis organizations (ISAOs). Data and insights collected must be sharable across the Federal government, to the greatest extent possible, and should be compatible with other sector sensing partnerships.

  • Provides highly accurate ICS attack, vulnerability, and anomaly data, the foundation for information sharing
  • Integrates out-of-the-box with SIEM/SOAR, threat sharing platforms, and other products for rapid information-sharing across the organization and beyond
  • Shares data more broadly via reporting and exporting capabilities, as well as through an Open API
  • Receives continuously updated Threat Intelligence and Asset Intelligence, reducing the Mean-Time-to-Detect (MTTD) and the Mean-Time-to-Respond (MTTR)


Technologies that do not collect or store sensitive data off the participants’ site (e.g., perform analysis at the edge); however, certain insights or analysis outputs, such as whether a threat was present and relevant indicators of compromise, may be stored off premises.

  • Provides customizable data storage options
  • Available in the widest range of on-premises hardware/virtual/software sensor options
  • Analyzes data 100% within the sensor, without the need for input from outside analysts or remote access connections
  • Shares data off premises via optional cloud product (Vantage), integration with many IT, OT and security products, or via an Open API


Technologies must protect or anonymize participant identity, and ensure that risks and vulnerability information is not inadvertently disclosed between participants unless explicitly authorized by the participating entity.

  • Protects participant identity when sharing sensitive data
  • Granular anonymization features are in development
Vantage - U.S. Dept. of Energy Cybersecurity

For a comprehensive, up-to-date list of integrations, visit our techspecs
Click to enlarge.

The Nozomi Networks Solution Shares Data and Insights with Many Systems

Unifying security, visibility and monitoring across all IT/OT assets is important for improving cyber resiliency.

The Nozomi Networks solution integrates with a wide range of IT, OT and security systems, facilitating convergence and coordinated responses.

Technology that Correlates Data and Has Flexible Data Storage

Nozomi Networks Solution


The technology allows for centralized queries and correlation. Sensitive information that contextualizes anomalies that may indicate adversary presence may be stored off-premises for analysis.

  • Includes powerful query capabilities, providing fast access to security and operational data
  • Queries can be imported/exported between systems
  • Data can be aggregated with on-premises CMC or cloud-based Vantage.


Technologies that do not collect or store sensitive data off the participants’ site (e.g., perform analysis at the edge); however, certain insights or analysis outputs, such as whether a threat was present and relevant indicators of compromise, may be stored off premises.

  • Stores data short-term or medium-term (> 1 year)
  • Allows tuning of raw data collection for relevant streams
  • Provides long-term storage via SIEM integration and automated data exports for data warehousing


The technology is passive in its deployment, using isolation technologies to ensure that the technology itself cannot be used as a vector for adversaries to gain access into sensitive ICS networks.

  • Conducts passive network analysis
  • Select from the widest array of hardware/virtual/software sensor options
  • Works in air gapped environments, without cloud or remote analyst connectivity


The ICS sensing technology is capable of working with correlation and aggregation technologies to allow for OT/IT sensing cross correlation and analysis.

  • Integrates with SIEM and other IT and security tools for IT/OT correlation of data
  • Combines vulnerability assessment, threat and anomaly detection, asset inventory and risk monitoring in a single tool. Internal correlation of data reduces some cross-tool requirements.

The Nozomi Networks Solution Includes Many On-Premises Sensors with Flexible Data Storage & Aggregation Options

The Nozomi Networks solution is available in a wide-range of on-premises sensors.

In addition, a SaaS-powered solution, Vantage, is available for those companies who want to analyze data or share information in the cloud.

1 Guardian Sensors: Passive appliances that collect and analyze ICS data on-premises.

2 Central Management Console: On-premises appliance that aggregates ICS monitoring and visibility across distributed sites.

Guardian1 Sensors

Large Enterprises

Protecting the U.S. Dept. of Energy Cybersecurity


Mid-enterprise Energy Cybersecurity

Ruggedized Environments

Rugged appliance for network visibility, security, and cybersecurity

Portable Scenarios

Portable appliances for ICS security

Remote Sites

Remote appliance for network visibility and security

Virtual Environments
and Containers

Virtual Sensor

Container Edition  – Gatewatcher, Siemens RUGGEDCOM

Central Management Console2


Portable Scenarios

Virtual Environments
and Containers

Cloud – Amazon AWS and Microsoft Azure

Virtual – Hyper-V 2012+, KVM 1.2+, VMware ESX 5.x+, XEN 4.4+

that Performs Anomaly and Threat Detection

Nozomi Networks Solution


Technology has the capability of baselining normal ICS operations and can compare/detect abnormal operations from a known good baseline.

  • Learns normal network and process behavior
  • Detects security and process anomalies
  • Uses continuously updated Asset Intelligence to eliminate benign alerts
  • Knows when “new” or “different” is not a risk, focusing your attention on true incidents


Data at rest should be cryptographically protected, (e.g., leverage NIST FIPS 140-3 certified cryptology to protect the data).


Technology has the capability to detect known unauthorized remote access operations.

  • Detects anomalies of all types, including invalid remote access connections
  • Supports in depth security policies such as alerting if a VPN connection writes to a safety controller
  • Integrates with remote access solutions for increased data granularity and correlation


Technology has the capability to detect unauthorized movement from the IT to the OT environment including via non-Internet Protocol (IP) communication pathways.

  • Detects anomalous traffic including infections from outside the OT networks
  • Shows anomalous traffic on network visualization graph
  • Tracks attacker movements across IT, OT and IoT assets
MITRE OT Device Security

Click to enlarge.

The Nozomi Networks Solution Provides Superior ICS and IoT Threat Detection

The Nozomi Networks solution has highly accurate threat detection and tracks threat movement across assets. It combines behavior-based anomaly detection with signature-based threat detection and Asset Intelligence for comprehensive, accurate risk monitoring.

Threat detection and vulnerability analysis is kept up-to-date via the Threat Intelligence service, which provides detailed threat information created and curated by Nozomi Networks Labs.

Technology that Supports the MITRE ATT&CK for ICS Framework

Nozomi Networks Solution


Technology has the capability to detect unauthorized network activity and actions consistent with the MITRE ATT&CK for ICS framework including detecting potential tactics that may be used for disruptive or destructive actions.


Technology has analytic and detection capabilities, which are dynamically updatable leveraging timely, validated, and trusted external or internal threat intelligence.

  • Employs behaviour-based anomaly detection and multiple types of signature and rules-based detection
  • Correlates results with operational context for rapid insights
  • Applies dynamically updated Threat Intelligence and Asset Intelligence provided by the highly regarded Nozomi Networks Labs team


Technology has the capability to detect access credential misuse.

  • Detects failed logins and some instances of credential misuse
  • Raises alerts and sends notifications when multiple failed logins are detected


Technology to identify violations of implemented application allowlisting policies enforced on IT and OT systems.

  • Shows a graphical view of network patterns for human inspection, improving situational awareness
  • Monitors and evaluates all behaviors for policy failures on an ongoing basis
  • Identifies violations with more granularity than simple allow/deny analysis
  • Provides operational context for fast response
Vantage Screen Network Visualization

Click to enlarge.

The Nozomi Networks Solution Supports the MITRE ATT&CK for ICS and Enterprise Frameworks

The Nozomi Networks solution associates malicious activity with techniques in the MITRE ATT&CK for ICS and Enterprise frameworks.

For example, a request to stop a process using the well-known TRITON malware generates an  “OT Device Stop Request” alert.

Included in the alert is the Change Program State technique (T875), which is associated with both Execution and Impair Process Control tactics.

This information helps analysts understand the behavior and improves response time.

For more details, read Enhancing Threat Intelligence with the MITRE ATT&CK Framework.

Addressing U.S. Dept. of Energy Cybersecurity Considerations

The Nozomi Networks solution helps you meet and exceed the 17 DOE recommendations.

Start building a secure future today, using the solution preferred by global electric utilities.

More Challenges


Automating My OT/IoT Asset Inventory

Creating an inventory of my industrial control system assets and keeping it up-to-date is extremely difficult.

Learn More


My System Vulnerabilities

Knowing which vendor’s RTUs, PLCs and other devices are at risk would help me focus my cybersecurity efforts.

Learn More


Mitigating OT/IoT Security Incidents

I need to reduce my operational risk by proactively identifying accidental and unintentional cyber incidents.

Learn More

U.S. Dept. of Energy Cybersecurity

Want to Know More?