Iiot and Industrial Control System (Ics) Security: Palo Alto Networks and Nozomi Networks
Iiot and Industrial Control System (Ics) Security: Palo Alto Networks and Nozomi Networks
Iiot and Industrial Control System (Ics) Security: Palo Alto Networks and Nozomi Networks
Nozomi Networks
Nozomi Networks is a global ICS cybersecurity solutions company providing comprehensive asset visibility, network
monitoring and cybersecurity detection for industrial networks.
The Nozomi Networks solution set is comprised of a suite of application modules to visualize, monitor, detect and take
remediation action against cyber threats when integrated with a firewall. It works in real-time to improve cyber resiliency and
deliver consolidated OT (Operational Technology) visibility across SCADA networks, including multiple geo-separated plants.
Deploying non-intrusively, it automatically learns all assets within the host network, with no impact on control network
latency, determinism or packet jitter. Once the learning phase is completed, the solution works in concert with the existing
security infrastructure to automatically monitor and detect cyberattacks, cyber risks and process anomalies. When
coupled with integration partner Palo Alto Networks, the joint solution extends IT/OT cybersecurity strategies to be more
intelligent, protective and comprehensive.
The Threat Prevention service works with Content-ID to further secure the allowed traffic by natively blocking known
threats to both IT and OT including ICS-specific exploits, malware, and associated command and control (C2) traffic. This
helps organizations protect their currently unpatched or unpatchable systems until they can be updated or replaced.
For more sophisticated unknown threats, the Wildfire service quickly analyzes files to determine their malicious/benign
nature then quickly send protections back to the firewall to prevent malware propagation and C2 communications.
The NGFW runs the PANOS operating system which includes a powerful XML-based API which can be used to access
and manage the firewall through a third-party service, application, or script. This allows for the realization of closed-loop
and fully automated OT threat detection and response.
Palo Alto Networks and Nozomi Networks have integrated their technologies to offer enterprise and industrial cybersecurity
stakeholders a scalable cybersecurity solution that seamlessly bridges the gap between IT and OT operations.
With the Palo Alto Networks API and the Nozomi Networks Open API, both solutions are able to work in concert to
extend threat detection and remediation actions beyond what was once possible. In addition, both Palo Alto Networks
and Nozomi Networks offer powerful threat hunting capabilities using rule-based signature analysis, allowing customers
to extend policy enforcement proactively. With the Palo Alto Networks / Nozomi Networks integration, customers can
reliably use Palo Alto Networks Next-Generation Security Platform with added benefits gained from SCADAguardian’s
hybrid ICS threat detection and Dynamic Learning capabilities.
A node inside a highly-trusted subnet (the Process Network, governing the Control Network) tries to perform an anomalous,
and perhaps malicious, action in the form of a permissible command, for example, reprogramming a PLC. Using different
backdoors, the malware beacons out to an external C2 server, and initiates an attack using an DNP3 payload.
Attack vector: Unauthorized personnel, social engineering, tailored malware installed during system updates.
Details: Two known machines in two different network segments start to communicate utilizing a previously
unseen protocol or application. For example, malware is injected onto a SCADA (Supervisory Control and Data
Acquisition) machine and is able to read state conditions / context and send commands. This machine is now
trying to reprogram the PLC or RTU in a malicious or anomalous manner.
Solution: Integration between Nozomi Networks and Palo Alto Networks solutions enables the organization to
take automated action to limit DNP3 protocol access to ‘read only’ status in response to the misbehaving, albeit
trusted, SCADA asset. First, the malware is immediately recognized using rule-based analysis. If the malware
is a new version, not yet accounted for within a rule, SCADAguardian’s behavior-based anomalous activity
recognition capability will discover the malware’s commands. It will also coordinate with Palo Alto Networks
NGFW to flag, remediate and block the attack. If this incident were merely a policy violation, DNP3 protocol
access may remain limited, allowing for the monitoring function, but not control access.
Coupling the Nozomi Networks API and the user ID function within the Palo Alto Networks
NGFW, administrators can apply user ID to limit or block suspicious users.
Process Manufacturing / Oil and Gas - An unrecognized device is discovered and starts
communicating.
In this scenario an unknown node belonging to a trusted subnet is completely isolated from control within the extensive
DCS (Distributed Control System) network.
Attack vector: Unauthorized personnel, social engineering, brownfield system integration error, and tailored
malware installed during system updates.
Details: A machine plugs into the LAN and starts to communicate with another machine in another network
segment. Since it’s a new source node, the operator wants to block any communication originating from it.
Moreover, no other machines should connect to this one. The operator does not know how long the node has
been there, its manufacturer nor why it was deployed.
Solution: Integration between Nozomi Networks and Palo Alto Networks enables the organization to discover
the device immediately, examine the details of the devices and take automated remediation actions via the
NGFW. This includes blocking the IP address and examining it for malicious intent and level of risk. Moreover,
this scenario can be incorporated into a standard operational approach for future scenarios.
Use Cases
A node inside a highly-trusted subnet (the Process Network, governing the Control Network) tries to perform an
anomalous and perhaps malicious action in the form of a permissible command (e.g. reprogramming a PLC.)
Attack vector: Unauthorized personnel, social engineering, tailored malware installed during system updates.
Details: Two known machines in two different network segments start to communicate with a previously
unseen protocol/application. In one case the malware is injected onto a MES (Manufacturing Execution System)
application or SCADA, allowing it to read state and send commands in order to reprogram the PLC itself. This
could be an act of corporate espionage or sabotage.
Solution: Integration between Nozomi Networks and Palo Alto Networks enables the organization to discover
this attack before it is able to gain full access to PLCs or extract manufacturing intelligence. SCADAguardian
identifies the attack, alerts and initiates an automated action against the NGFW to block the IP address using
Palo Alto Network’s firewall and then takes PCAPs of the incident.
Additional Resources
NN-PAN-SB-8.5x11-001