Nozomi Networks - What's New in Update 19.0
Nozomi
With the big update to 19.0, Nozomi is changing many things in its products. We would like to give you an overview of the most important changes.
The name
SCADAGuardian and SCADAGuardian Advanced are history, at least as names. The product is now simply called Guardian, to emphasise that the monitoring solution is suitable for both OT and IT. The functional scope of the former SCADAGuardian Advanced is instead available as a separate licence. The hardware was already identical for both models, so nothing changes there.
The product line
Apart from the name, nothing has changed for the existing models. New, however, is the small and inexpensive Remote Collector. It is particularly suitable for very small remote sites and is mainly offered as a VM, although a hardware deployment is possible on request.
The software / functions
This is where most has changed. As already mentioned, there is no longer a distinction between SCADAGuardian and SCADAGuardian Advanced when ordering or deploying. All additional functions of SCADAGuardian Advanced can be activated in Guardian by booking a licence. This gives the customer more flexibility and freedom in how the solution is used.
This add-on licence also includes "Windows Data Collection for Smart Polling", which retrieves detailed information from Windows machines. This includes, among other things:
- Domain affiliation
- Hardware information (size of RAM, size of hard disk space, Windows patch level, interfaces used, etc.)
- User accounts (activated, domain, full name, lock status, password expiry date, etc.)
- Installed software (name, version, installation date)
- Ports & services in use
- USB devices plugged in
- Antivirus status (product name, version, signature information, last update, last scan, running services etc.)
- And more
The USB data in particular makes it possible to see which user account used which USB stick on which computer. In a forensic investigation this helps to establish how a piece of malware reached a system or how data left the company. This functionality requires the Smart Polling licence to be booked!
In addition to the Smart Polling licence, there is the OT Threat Feed. It tracks the current threat situation for IT, Operational Technology (OT) and the Industrial Internet of Things (IIoT). From it, signatures and rules for known OT malware can easily be created so that the malware is detected automatically and, depending on the configuration, also blocked.
Nozomi has also improved reports and alerts. With 19.0 it is possible to define from which severity level an alert is raised and, for example, an email is sent. This has no influence on the logging of the event: even if no alert is raised, the event is still logged.
In the Central Management Console (CMC), the focus has been on clarity. For example, units can now be grouped, which makes it easier to assign them to particular field offices or operating sections.
When generating graphs, for example the logical representation of the network, not only has generation become faster, but further filters and display options have been added so that the relevant information can be highlighted even better.
In the OT world, Nozomi has not stood still either and has further expanded its already impressive support for OT protocols. The protocols are not only recognised but also understood, i.e. Guardian performs deep packet inspection of OT protocols. This means it can detect not only when an unknown party tries to communicate with an OT device, but also when, for example, a careless employee accidentally writes wrong values that could damage the device. The protocols newly supported by Deep Packet Inspection are:
- Wonderware SuiteLinkDA
- Weatherford Cygnet
- Mitsubishi Melsoft
- Mitsubishi SLMP
- GE Cimplicity Replica
- GE Cimplicity View
- GE Mark IV
- ABB TotalFlow
- Siemens CAMP
- ZMTP
- Foxboro IA
- OPC-UA
If a protocol used in your company is not on the list of supported protocols, Nozomi will be happy to add it in cooperation with you.
Just as Nozomi already cooperates with Fortinet to turn the passive monitoring solution into an active protection solution together with a FortiGate firewall, this is now also possible with Cisco ASA, Cisco ISE and Cisco FTD.