Select Page

Meeting U.S. Government Cybersecurity Guidelines for Pipelines


Selecting an ICS Monitoring Solution that Meets/Exceeds
Government Considerations

Escalating attacks on critical infrastructure have spurred the U.S. government to take numerous actions to accelerate improvements in cyber resiliency.

This includes an initiative to improve the ICS cybersecurity of pipelines. To that end, a set of 17 considerations for evaluating ICS/OT monitoring technology was created. While initially developed for electric utilities, the considerations are also being recommended to pipeline asset owners.

The Nozomi Networks solutionhelps you meet and exceed government guidelines for ICS/OT monitoring technology.


Build a Secure Future Using the Solution Preferred by Energy Organizations

Energy and utilities companies give Nozomi Networks the top score for operational technology security, as demonstrated in Gartner Peer Insights customer reviews. They acknowledge our:

  • Comprehensive OT and IoT visibility
  • Advanced threat detection
  • Accurate anomaly alerts
  • Proven scalability
  • Easy IT/OT integration
  • Global partner ecosystem
  • Exceptional customer engagement and support

Learn how we’re helping organizations like yours –simply click on the links to the right.


Meeting and Exceeding
the 17 U.S. Government Considerations

According to its guidance, the U.S. government does not select, endorse or recommend any specific technology or provider as part of their initiative. Instead, each entity must assess and select the technology or provider that’s best for it.

Furthermore, the agencies that  developed the 17 DOE recommendations (CESER, CISA and the NSA) state:

“The highest priority for the Industrial Control Systems (ICS) Cybersecurity Initiative is for owners and operators to enhance their detection, mitigation, and forensic capabilities.”

With that in mind, the table below lists each of the 17 considerations and describes how the Nozomi Networks solution addresses each of them.

Built for ICS: Continuous Cybersecurity Network Monitoring

Government Consideration
Nozomi Networks Solution


Technologies built for ICS networks with integration compatibility with ICS protocols and communications.

“Nozomi Networks has superior ICS protocol support and asset visibility in their products. Nozomi is a good fit for electric utilities, oil and gas, and manufacturing companies worldwide.”

Forrester Research


Technologies that provide sensor-based continuous network cybersecurity monitoring, detection, and facilitate response capabilities for ICS/OT (i.e., the technology is ICS-focused and already understands ICS communications, such as deep packet inspection capabilities for ICS protocols).

  • Provides “always on” continuous monitoring of OT, IoT and IT protocols for assets from all vendors
  • Analyzes network communications using protocol-specific Deep Packet Inspection (DPI) for dozens of industrial protocols

  • Detects cybersecurity and process reliability threats

  • Accelerates incident response with actionable intelligence and time-saving response tools

Insight and Information Sharing



Nozomi Networks CPO Andrea Carcano on why security incident information sharing needs to be vendor neutral:

U.S. v. Cyber Criminals: Critical Infrastructure Edition


Nozomi Networks CTO Moreno Carullo on how an open source incident reporting system, that preserves privacy, can be created. Plus, what Nozomi Networks is doing about it:

An Open Source Approach for Cybersecurity Information Sharing

Government Consideration
Nozomi Networks Solution


Technology software that has a collective-defense capability/framework to allow the sharing of insights and detections rapidly with the Federal government, participants, and trusted organizations such as relevant information sharing and analysis centers (ISACs)/information sharing and analysis organizations (ISAOs). Data and insights collected must be sharable across the Federal government, to the greatest extent possible, and should be compatible with other sector sensing partnerships.

  • Provides highly accurate ICS attack, vulnerability, and anomaly data, the foundation for information sharing
  • Integrates out-of-the-box with SIEM/SOAR, threat sharing platforms, and other products for rapid information-sharing across the organization and beyond
  • Shares data more broadly via reporting and exporting capabilities, as well as through an Open API
  • Receives continuously updated Threat Intelligence and Asset Intelligence, reducing the Mean-Time-to-Detect (MTTD) and the Mean-Time-to-Respond (MTTR)


Technologies that do not collect or store sensitive data off the participants’ site (e.g., perform analysis at the edge); however, certain insights or analysis outputs, such as whether a threat was present and relevant indicators of compromise, may be stored off premises.

  • Provides customizable data storage options
  • Available in the widest range of on-premises hardware/virtual/software sensor options
  • Analyzes data 100% within the sensor, without the need for input from outside analysts or remote access connections
  • Shares data off premises via optional cloud product (Vantage), integration with many IT, OT and security products, or via an Open API


Technologies must protect or anonymize participant identity, and ensure that risks and vulnerability information is not inadvertently disclosed between participants unless explicitly authorized by the participating entity.

  • Protects participant identity when sharing sensitive data
  • Granular anonymization features are in development

Technology that Correlates Data and Has Flexible Data Storage

Government Consideration
Nozomi Networks Solution


The technology allows for centralized queries and correlation. Sensitive information that contextualizes anomalies that may indicate adversary presence may be stored off-premises for analysis.

  • Includes powerful query capabilities, providing fast access to security and operational data
  • Queries can be imported/exported between systems
  • Data can be aggregated with on-premises CMC or cloud-based Vantage.


Technologies that do not collect or store sensitive data off the participants’ site (e.g., perform analysis at the edge); however, certain insights or analysis outputs, such as whether a threat was present and relevant indicators of compromise, may be stored off premises.

  • Stores data short-term or medium-term (> 1 year)
  • Allows tuning of raw data collection for relevant streams
  • Provides long-term storage via SIEM integration and automated data exports for data warehousing


The technology is passive in its deployment, using isolation technologies to ensure that the technology itself cannot be used as a vector for adversaries to gain access into sensitive ICS networks.

  • Conducts passive network analysis
  • Select from the widest array of hardware/virtual/software sensor options
  • Works in air gapped environments, without cloud or remote analyst connectivity


The ICS sensing technology is capable of working with correlation and aggregation technologies to allow for OT/IT sensing cross correlation and analysis.

  • Integrates with SIEM and other IT and security tools for IT/OT correlation of data
  • Combines vulnerability assessment, threat and anomaly detection, asset inventory and risk monitoring in a single tool. Internal correlation of data reduces some cross-tool requirements.

that Performs Anomaly and Threat Detection

Government Consideration
Nozomi Networks Solution


Technology has the capability of baselining normal ICS operations and can compare/detect abnormal operations from a known good baseline.

  • Learns normal network and process behavior
  • Detects security and process anomalies
  • Uses continuously updated Asset Intelligence to eliminate benign alerts
  • Knows when “new” or “different” is not a risk, focusing your attention on true incidents


Data at rest should be cryptographically protected, (e.g., leverage NIST FIPS 140-3 certified cryptology to protect the data).


Technology has the capability to detect known unauthorized remote access operations.

  • Detects anomalies of all types, including invalid remote access connections
  • Supports in depth security policies such as alerting if a VPN connection writes to a safety controller
  • Integrates with remote access solutions for increased data granularity and correlation


Technology has the capability to detect unauthorized movement from the IT to the OT environment including via non-Internet Protocol (IP) communication pathways.

  • Detects anomalous traffic including infections from outside the OT networks
  • Shows anomalous traffic on network visualization graph
  • Tracks attacker movements across IT, OT and IoT assets

Technology that Supports the MITRE ATT&CK for ICS Framework

Government Consideration
Nozomi Networks Solution


Technology has the capability to detect unauthorized network activity and actions consistent with the MITRE ATT&CK for ICS framework including detecting potential tactics that may be used for disruptive or destructive actions.


Technology has analytic and detection capabilities, which are dynamically updatable leveraging timely, validated, and trusted external or internal threat intelligence.

  • Employs behaviour-based anomaly detection and multiple types of signature and rules-based detection
  • Correlates results with operational context for rapid insights
  • Applies dynamically updated Threat Intelligence and Asset Intelligence provided by the highly regarded Nozomi Networks Labs team


Technology has the capability to detect access credential misuse.

  • Detects failed logins and some instances of credential misuse
  • Raises alerts and sends notifications when multiple failed logins are detected


Technology to identify violations of implemented application allowlisting policies enforced on IT and OT systems.

  • Shows a graphical view of network patterns for human inspection, improving situational awareness
  • Monitors and evaluates all behaviors for policy failures on an ongoing basis
  • Identifies violations with more granularity than simple allow/deny analysis
  • Provides operational context for fast response
Cybersecurity Guidelines for Pipelines

Click to enlarge.

The Nozomi Networks Solution Supports the MITRE ATT&CK for ICS and Enterprise Frameworks

The Nozomi Networks solution associates malicious activity with techniques in the MITRE ATT&CK for ICS and Enterprise frameworks.

For example, a request to stop a process using the well-known TRITON malware generates an  “OT Device Stop Request” alert.

Included in the alert is the Change Program State technique (T875), which is associated with both Execution and Impair Process Control tactics.

This information helps analysts understand the behavior and improves response time.

For more details, read Enhancing Threat Intelligence with the MITRE ATT&CK Framework.

U.S. Government Cybersecurity Considerations for Pipelines

The Nozomi Networks solution helps you meet and exceed the 17 government cybersecurity recommendations.

Start building a secure future today, using the solution preferred by the midstream oil & gas industry.

More Challenges


OT and IoT

Without visibility into my entire oil & gas network and its activities, it’s hard to effectively monitor, manage and secure it.

Learn More


Preventing Unplanned Downtime

Identifying pipeline devices slipping out of scope would help me avoid equipment failure and costly downtime.

Learn More


Detecting Malware Before
It Strikes

I need to know if a persistent threat is on my oil & gas network before it hijacks my data or disrupts my processes.

Learn More

U.S. Government Cybersecurity Guidelines for Pipelines

Want to Know More?