Nozomi Networks is the leader in industrial cybersecurity, delivering real-time visibility to manage cyber risk and improve resilience for industrial operations. With one solution, customers gain advanced cybersecurity, improved operational reliability and easy IT/OT integration. Innovating the use of artificial intelligence, the company helps the largest industrial sites around the world See and Secure™ their critical industrial control networks. Today Nozomi Networks supports over a quarter of a million devices in the critical infrastructure, energy, manufacturing, mining, transportation and utility sectors, making it possible to tackle the escalating cyber risks to operational technology (OT) networks.
1. The Leading Solution for Real-time Cybersecurity and Visibility for Industrial Control Networks
2. www.nozominetworks.com / CONFIDENTIAL
Nozomi Networks: Leading ICS Cybersecurity
Founded: October 2013; ~$24m invested since
Devices: 200,000+ monitored
Customers: 200+ global installations
Serving verticals: critical infrastructure, energy, manufacturing, mining, transportation and utilities
3. Convergence of Industrial Control Networks and Traditional IT
In the past, industrial control networks were:
• Isolated from IT
• Run on proprietary control protocols
• Run on specialized hardware
• Run on proprietary embedded operating systems
• Connected by copper and twisted pair
Now they are:
• Bridged into corporate networks
• Riding on common Internet protocols
• Running on general-purpose hardware with IT origins
• Running mainstream IT operating systems
• Increasingly connected to wireless technologies
What was air-gapped and proprietary is now connected and general purpose.
4.
• Connectivity: ICSs are growing more automated, efficient and intelligent. This has also exposed the typical ICS (MES, DCS, etc.) to new vulnerabilities and cyber threats that must be managed with new technologies.
• Domain-specific technologies: many ICS technologies require specialized knowledge of industrial control systems and their communications. Enterprise IT security technologies are not ICS-aware.
• Operational Technology deficiencies: PLCs and RTUs are computers with limited computational resources, built for controlling physical components such as valves, pumps and motors.
Typical SCADA components (PLCs, controllers, RTUs, PACs) are vulnerable to:
• Lack of authentication
• Lack of encryption
• Backdoors
• Buffer overflows
• Tailored attacks on physical control components
The lack of authentication and encryption is a property of the control protocols themselves (Modbus/TCP, for example, carries neither), so any host that can reach a controller over the network can read from it or write to it.
5. ICS Cybersecurity: Making the Headlines
• "A Worm in the Centrifuge: Stuxnet" (30 Sept. 2010): An unusually sophisticated cyber-weapon is mysterious but important. A new software "worm" called Stuxnet …
• "A Cyberattack Has Caused Confirmed Physical Damage" (30 Sept. 2015): Massive damage by manipulating and disrupting control systems at a German steel mill.
• "U.S. Finds Proof: Cyberattack on Ukraine Power Grid" (3 Feb. 2016): Almost immediately, investigators found indications of a malware called BlackEnergy.
• "The Ukraine's Power Outage Was a Cyber Attack" (18 Jan. 2017): A power blackout in Ukraine's capital Kiev last month was caused by a cyber attack and investigators are trying to trace other potentially infected computers.
• "Industroyer: A Cyberweapon Can Disrupt Power Grids" (12 June 2017): Hackers allied with the Russian government have devised a cyberweapon that has the potential to be the most disruptive yet against electric systems that Americans depend on for daily life, according to U.S. researchers.
• "Hackers Halt Plant Operations in Watershed Cyberattack" (15 Dec. 2017): Schneider confirmed that the incident had occurred and that it had issued a security alert to users of Triconex, which cyber experts said is widely used in the energy industry, including at nuclear facilities, and oil and gas plants.
• "Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors": This joint Technical Alert (TA) from the U.S. Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) covers Russian cyber actions targeting U.S. Government entities and critical manufacturing sectors.
6. What is SCADAguardian?
(diagram: SCADAguardian attached to the control network and the process networks)
SCADAguardian implements an innovative technology for monitoring and assessing Industrial Control Systems:
• An appliance (physical or virtual) that connects to the industrial network passively and non-intrusively.
• Listens to all traffic within the control and process networks, analyzing it passively at all levels of the OSI stack (L1 to L7).
• Uses Artificial Intelligence and Machine Learning techniques to create detailed behavior profiles for every device according to the process state, in order to quickly detect critical state conditions.
• Provides best-in-class network visualization, asset management, ICS anomaly and intrusion detection, vulnerability assessment, as well as dashboards and reporting.
7. One Comprehensive Solution for ICS Cybersecurity & Visibility
(diagram: Nozomi Networks' Solution Architecture)
8. Multitenant OT Cybersecurity Protection
SCADAguardian and Central Management Console (CMC)
• Multitenant CMC for large distributed / hierarchical enterprise deployments
• Supports MSSPs for the scalable management of many customers/sites
• A single instance of the CMC can monitor, manage and remediate threats for numerous industrial installations or customers
9. New Hybrid ICS Threat Detection
SCADAguardian and Central Management Console (CMC)
Attack phases: Phase 1 Infection; Phase 2 Discovery; Phase 3 Attack.
Detection layers applied across the attack phases (diagram):
• Behavior-based anomaly detection, enriched with an A.I. and analytics engine
• Rule-based analysis using Yara and packet rules, for threat hunting
• Signature assertions and queries, with out-of-the-box and custom functions
10. Extended IT/OT Integration
SCADAguardian and Central Management Console (CMC)
• Extended open API for improved integration with IT/OT applications
• Protocol SDK for extended integration capabilities
• New protocol support for diverse enterprise and industrial environments
(diagram: corporate network with firewall, SIEM, business systems, remote access and Internet; industrial network with historian, switch, SCADA master, HMI, operator, PLCs/RTUs and the Nozomi Networks appliance)
11. Nozomi Networks Solution: Key Benefits
• Rapidly detect cybersecurity vulnerabilities, threats and incidents
• Reduce troubleshooting and remediation efforts
• Quickly recognize and remediate operational anomalies
• Track industrial assets and corresponding cybersecurity risks
• Deploy at enterprise scale with proven performance
• Centrally supervise and monitor distributed networks
12. Momentum & Credibility with the Experts
"Anomaly detection suppliers must offer both operational and cybersecurity benefits with solutions that passively monitor and detect anomalies on the network and industrial endpoints. Suppliers need to offer integration into cybersecurity management solutions and facilitate incident management."
"I'll be interviewing a panel of technical vendors on stage including Andrea Carcano from Nozomi Networks, and others with pointed questions and follow ups in an attempt to get past the generalities."
"Nozomi's release of asset management and vulnerability assessment modules is a move in the right direction – it allows the company to more easily identify known threats … these product releases are a sign that the company is listening to the needs of its customers and following through with efforts to reduce the burden of ICS security on the business."
Sources quoted on the slide: 451 Impact Report (April 2017); Sid Snitkin, ARC Forum (February 2017); Dale Peterson, Digital Bond (May 2017).
13. Gartner Cool Vendor
Nozomi Networks | San Francisco, California | nozominetworks.com
Analysis by Ruggero Contu, Gartner Research Director
"Focus on the security of their OT environments and evaluate solutions that mitigate risk and enhance overall security."
Why Cool: Calling itself a pioneer in the area of real-time cybersecurity for industrial control systems, this provider has developed technology that addresses the highly specialized requirements of industrial OT environments. The approach is notable for its intention to enhance security for utilities and energy providers, which stand as tempting targets for cyber-intrusion. Nozomi technology will passively monitor the network traffic, creating an internal representation of the entire network, its nodes, and the state and behavior of each device in the network. The deployment of its technology with well-established global utility and energy companies is a confirmation of the viability of this provider's offering in an emerging market. Nozomi Networks is one of the first vendors in the OT security space to introduce artificial intelligence and machine learning to create detailed behavior profiles for every device tracked. https://www.gartner.com/document/3738032
14. Nozomi selected for ICS expertise and technology
"After extensive review, we chose Nozomi Networks because their platform provides industry-leading capabilities which allow us to detect anomalies and proactively hunt for threats within industrial environments."
- Grady Summers, CTO, FireEye
15. Customers and Use Cases
• Multinational power company (Fortune 500): security monitoring of the operational network plus distributed deployment in all Regional Control Centers and TSO Interconnection Centers.
• Supermajor oil & gas company (Fortune 500): ICS security assessment to analyze the security levels of process networks at onshore and offshore sites in several countries.
• Large refinery company: ICS security assessment and real-time monitoring of the main company plant in a distributed multi-vendor environment.
• Multi-utility gas & water distribution: ICS and IT monitoring of a hydro plant production environment.
• Metropolitan city water treatment company: security monitoring of the network communications and process variables of the water distribution system.
• Pharmaceutical company: ICS monitoring of the pharma production network communications and process variables.
16. What Customers are Saying
"When it came to cybersecurity protection for critical systems, we wanted the most advanced technology available. After extensive review, we chose Nozomi Networks. They brought superior know-how in ICS cybersecurity, and a proven track record with other industry leaders. We're using SCADAguardian as the basis of our ICS Cyber program, from operational monitoring to ICS threat detection."
"At Vermont Electric our mission is to provide safe, affordable, and reliable energy services to our members. In order to do that, we need both operational visibility and cybersecurity protection for our critical operations systems. We're working with Nozomi Networks because their deep industrial cybersecurity expertise is embedded in one clean, comprehensive solution, from network modeling to process anomaly and intrusion detection."
"Enel Power Plants are a strategic asset we are committed to protect. Malfunctions or damage to this infrastructure would be a threat to our national security. With Nozomi Networks' SCADAguardian we can now detect and collect operational and cybersecurity issues in real time, and take corrective actions before the threat can strike."
"Through this partnership, we have made a substantial improvement in our Remote Control System. Nozomi Networks' SCADAguardian is now a fundamental element of our network infrastructure and an essential tool for our daily activities … to substantially improve the reliability, efficiency, and cybersecurity."
Quoted on the slide: Gian Luigi Pugni, Global ICT Cybersecurity; Andrew Dutton, Group Lead; Kris Smith, SCADA & Operations Engineering Manager; Federico Bellio, Head of Controls.
18. Sample Deployment Architecture
Network levels shown (the ISA-95 / Purdue hierarchy): Level 4 Production Scheduling; Level 3 Production Control; Level 2 Plant Supervisory; Level 1 Direct Control; Level 0 Field Level.
Selected detected threats and visibility items:
• Monitoring of remote access connections to networks
• Connections to the Internet, corporate network and DMZ
• MITM and scanning attacks (port, network)
• Unauthorized cross-level communication
• IP conflicts
• ICS DDoS attacks
• Weak passwords (FTP / TFTP / RDP / DCERPC)
• Traffic activity summaries
• Bad configurations (NTP / DNS / DHCP / etc.)
• Vulnerability false positives
• Network topologies
• Used ports of assets
• Unencrypted communications (Telnet)
• Insecure Internet connections
• Subnet collisions
• Anomalous protocol behavior
• Online edits to PLC projects
• Communication changes
• Configuration downloads
• New assets in the network
• Non-responsive assets
• Corrupted OT packets
• Firmware downloads
• Logic changes
• Authentication to PLCs
• PLC actions (Start, Stop, Monitor, Run, Reboot, Program, Test)
• Fieldbus I/O monitoring
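The hybrid scheme on slide 9 (a learned behaviour baseline alongside explicit rules) and several items in the list above (unauthorized cross-level communication, new assets, corrupted OT packets, PLC actions) can be made concrete on one protocol. The following is an added example, not SCADAguardian's or Nozomi Networks' code: it parses Modbus/TCP frames, records (source, destination, unit, function) tuples during a learning window, and then applies two rules that fire regardless of the baseline (an assumed IP-to-level map enforcing adjacent-level-only communication, and Modbus diagnostics sub-functions that restart or silence a controller) before flagging any tuple never seen while learning. The IP addresses, the level assignments, the sample frames and the subset of function codes named in alerts are all constructed for the example.

```python
"""Hybrid ICS detection over Modbus/TCP: learned behaviour baseline plus
explicit rules (level policy, PLC restart via diagnostics, corrupted frames).
Added example, not SCADAguardian code. The level map, addresses and frames
are constructed; a sensor on a mirror port would see the same triples."""
import struct

# Modbus function codes named in alerts (assumption: this subset suffices).
FUNC_NAMES = {1: "Read Coils", 3: "Read Holding Registers", 5: "Write Single Coil",
              6: "Write Single Register", 8: "Diagnostics",
              15: "Write Multiple Coils", 16: "Write Multiple Registers"}
# Diagnostics (function 8) sub-functions that restart or silence a device.
DIAG_SUBFUNCS = {1: "Restart Communications", 4: "Force Listen Only Mode"}


def parse_mbap(payload: bytes):
    """Return (unit_id, function_code, pdu_data) from one Modbus/TCP frame.
    MBAP header: transaction(2) protocol(2) length(2) unit(1); the length
    field counts the unit byte plus the PDU. Inconsistent frames raise."""
    if len(payload) < 8:
        raise ValueError("truncated frame")
    _tid, proto, length, unit = struct.unpack("!HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(payload) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return unit, payload[7], payload[8:]


def build_frame(tid: int, unit: int, func: int, data: bytes) -> bytes:
    """Encode a Modbus/TCP request; used here only to construct sample traffic."""
    pdu = bytes([func]) + data
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit) + pdu


class HybridDetector:
    """Learning phase records every (src, dst, unit, func) tuple as normal;
    detection phase applies rules first, then flags tuples never learned."""

    def __init__(self, level_of: dict):
        self.level_of = level_of   # ip -> ISA-95/Purdue level 0..4 (assumed map)
        self.baseline = set()
        self.learning = True

    def process(self, src: str, dst: str, payload: bytes) -> list:
        try:
            unit, func, data = parse_mbap(payload)
        except ValueError as err:
            return [("corrupted OT packet", str(err))]
        key = (src, dst, unit, func)
        if self.learning:
            self.baseline.add(key)
            return []
        alerts = []
        # Rule: a level may only talk to an adjacent level; unknown IP = new asset.
        ls, ld = self.level_of.get(src), self.level_of.get(dst)
        if ls is None or ld is None:
            alerts.append(("new asset", src if ls is None else dst))
        elif abs(ls - ld) > 1:
            alerts.append(("unauthorized cross-level communication", f"L{ls}->L{ld}"))
        # Rule: diagnostics sub-functions that restart or silence the PLC.
        if func == 8 and len(data) >= 2:
            sub = struct.unpack("!H", data[:2])[0]
            if sub in DIAG_SUBFUNCS:
                alerts.append(("PLC action", DIAG_SUBFUNCS[sub]))
        # Anomaly: tuple not seen while learning; naming the function makes a
        # first-ever write stand out from a first-ever read.
        if key not in self.baseline:
            name = FUNC_NAMES.get(func, f"function {func}")
            alerts.append(("behaviour anomaly", f"{src}->{dst} unit {unit} {name}"))
        return alerts


def run_demo() -> dict:
    """Replay constructed traffic; returns {label: [alert kinds]}."""
    plc, hmi, erp = "10.0.1.20", "10.0.2.10", "10.0.4.10"     # constructed
    det = HybridDetector({plc: 1, hmi: 2, "10.0.3.10": 3, erp: 4})
    read = build_frame(1, 1, 3, b"\x00\x00\x00\x0a")    # read 10 holding regs
    write = build_frame(2, 1, 6, b"\x00\x10\x00\x01")   # write register 16 := 1
    for _ in range(3):                                   # learning window
        det.process(hmi, plc, read)
        det.process(hmi, plc, write)
    det.learning = False
    traffic = {
        "hmi read (in baseline)": (hmi, plc, read),
        "unknown host writes coils": ("10.0.2.50", plc,
                                      build_frame(3, 1, 15, b"\x00\x00\x00\x08\x01\xff")),
        "erp writes plc directly": (erp, plc, write),
        "hmi restarts plc": (hmi, plc, build_frame(4, 1, 8, b"\x00\x01\x00\x00")),
        "truncated frame": (hmi, plc, read[:5]),
    }
    return {label: [kind for kind, _ in det.process(*flow)]
            for label, flow in traffic.items()}


if __name__ == "__main__":
    for label, kinds in run_demo().items():
        print(f"{label:28s} {kinds or ['ok']}")
```

The rules and the baseline are deliberately independent: a write from the ERP host is reported as a level violation even if it had appeared during learning, while the HMI's routine reads stay silent because they were learned. In practice the learning window has to be long enough to cover periodic traffic (shift changes, batch starts), and any write observed while learning should be reviewed before the baseline is trusted.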
19. SCADAguardian - Standard Deployment Scenario
• The SCADAguardian appliance is connected to the SPAN/mirror port of network devices in the process, control and field networks.
• A mirror port only copies traffic toward the appliance, so its monitoring interfaces never transmit onto the working network. This isolates the monitoring ports from active communications and allows a hot deployment with no interference.
• Caveat: the isolation applies to the monitoring ports only. The separate management port is a routable interface and needs the same hardening as any other management plane. Mirror sessions are also best-effort: an oversubscribed SPAN session drops frames silently, so an appliance sized below the mirrored link rate (see the throughput figures on the appliance slides) will miss traffic rather than slow the network.
(diagram: mirrored traffic from the process network (HMI, SCADA servers) and from the control and field networks (pump, valve, fan) feeds the appliance's monitoring ports; the management port connects separately)
20. SCADAguardian - Physical Appliances
N1000 (N Series): a powerful appliance for very large, demanding scenarios. 1 rack unit; 8 monitoring ports; no expansion slot; max 5,000 protected nodes; max throughput 1 Gbps; 240 GB storage; 43 x 426 x 356 mm (1.7 x 16.8 x 14 in); 10 kg; max power 260 W; 110-240 V AC; 0 to +45 °C; RoHS.
N750 (N Series): a rack-mounted appliance for large scenarios. 1 rack unit; 4 monitoring ports; no expansion slot; max 1,000 protected nodes; 500 Mbps; 180 GB; 43 x 426 x 356 mm (1.7 x 16.8 x 14 in); 10 kg; 260 W; 110-240 V AC; 0 to +45 °C; RoHS.
NSG-L250 (NSG-L Series): a rack-mounted appliance for medium scenarios. 1 rack unit; 5 monitoring ports; 1 expansion slot; max 500 protected nodes; 200 Mbps; 64 GB; 44 x 438 x 300 mm (1.7 x 17.2 x 11.8 in); 8 kg; 250 W; 110-240 V AC; 0 to +40 °C; RoHS.
NSG-L100 (NSG-L Series): a rack-mounted appliance for small scenarios. 1 rack unit; 5 monitoring ports; 1 expansion slot; max 200 protected nodes; 100 Mbps; 64 GB; 44 x 438 x 300 mm (1.7 x 17.2 x 11.8 in); 8 kg; 250 W; 110-240 V AC; 0 to +40 °C; RoHS.
NSG-R150 (NSG-R Series): a rugged rack-mounted appliance for medium scenarios. 2 rack units; 7 monitoring ports; 2 expansion slots; max 450 protected nodes; 200 Mbps; 64 GB; 88 x 440 x 301.2 mm (3.46 x 17.3 x 11.86 in); 6 kg (13.2 lb); 250 W; dual power mode: 36-48 V DC, or 90-264 V AC / 100-300 V DC; -40 to +70 °C; RoHS, IEC 61850-3, IEEE 1613.
R50 (R Series): a rugged DIN-rail mounted appliance for small scenarios. DIN mountable; 4 monitoring ports; no expansion slot; max 200 protected nodes; 50 Mbps; 64 GB; 80 x 130 x 146 mm (3.15 x 5.11 x 5.74 in); 3 kg; 60 W; 12-36 V DC; -40 to +70 °C; RoHS.
21. SCADAguardian - Virtual Appliances
Installation specs (all models): VMware ESX 5.x+, Hyper-V 2012+, KVM, Xen. Max throughput 300 Mbps and 100+ GB storage for every model.
V1000: a powerful appliance for very large, demanding scenarios; unlimited monitoring ports (**); max 5,000 protected nodes.
V750: a virtual appliance for large scenarios; 4 monitoring ports; max 1,000 protected nodes.
V250: a virtual appliance for medium scenarios; 4 monitoring ports; max 400 protected nodes.
V100: a virtual appliance for small scenarios; 4 monitoring ports; max 150 protected nodes.
V50: a virtual appliance for very small scenarios; 4 monitoring ports; max 50 protected nodes.
22. The Central Management Console (CMC)
Summary: consolidated cybersecurity management and remote access to distributed appliances.
Installation specs: VMware ESX 5.x+, Hyper-V 2012+, KVM 1.2+, Xen 4.4+.
Max managed appliances: unlimited (***).
Storage: 100+ GB.
Updates: optionally connect to the Nozomi Networks customer portal for vulnerability, rules and SCADAguardian updates. Easily propagate changes to all appliances in the field.
(***) Based on the infrastructure.
24. Supported Integrations
User Authentication & Authorization: Active Directory; LDAP (Lightweight Directory Access Protocol).
MSSP and SIEM Integration: Managed Security Services and SIEM logging partners.
Proactive Firewall Integration: enterprise firewall and security partners.
Import of SCADA/DCS configurations: all contextual information not present in network communications can be added to the system (e.g. node names, variable names).
25. Broad Support for Industrial Control Systems and ICS / IT Protocols
Industrial protocols: Aspentech Cim/IO, BACnet, Beckhoff ADS, BSAP IP, CEI 79-5/2-3, COTP, DNP3, Enron Modbus, EtherCAT, EtherNet/IP - CIP, Foundation Fieldbus, Generic MMS, GOOSE, Honeywell, IEC 60870-5-7 (IEC 62351-3 + IEC 62351-5), IEC 60870-5-104, IEC 61850 (MMS, GOOSE, SV), IEC DLMS/COSEM, ICCP, Modbus/TCP, MQTT, OPC, PI-Connect, PROFINET/DCP, PROFINET/IO CM, PROFINET/RT, Sercos III, Siemens S7, Vnet/IP
IT protocols: ARP, BROWSER, BitTorrent, CDP, DCE-RPC, DHCP, DNS, DRDA (IBM DB2), Dropbox, eDonkey (eMule), FTP, FTPS, HTTP, HTTPS, ICMP/PING, IGMP, IKE, IMAP, IMAPS, ISO-TSAP/COTP, Kerberos, KMS, LDAP, LDAPS, LLDP, LLMNR, MDNS, MS SQL Server, MySQL, NetBIOS, NTP, OSPF, POP3, PTPv2, RDP, SSDP, RTCP, RTP, SSH, SNMP, SMB, SMTP, STP, Syslog, Telnet, VNC
ICS vendors: new protocols and vendors are being added to the support matrix on a continuous basis.
26. One Solution Delivers
Industrial Cybersecurity: anomaly, intrusion and risk detection; incident correlation; vulnerability assessment.
Operational ICS Visibility: asset inventory; network visualization and modeling; real-time network monitoring; dynamic ICS behavioral learning.
Proven Large-Scale Deployments: utilities; oil and gas; manufacturing.
Meets Enterprise Requirements: integrates with security infrastructure; delivers fast ROI.
27. The Executive Team
• Moreno Carullo, CTO and Co-Founder: PhD in Artificial Intelligence; eXtreme Programming expert
• Andrea Carcano, CPO and Co-Founder: PhD in Cybersecurity; SCADA security researcher and expert
• Edgard Capdevielle, Chief Executive Officer: VP Products, Imperva; GM Archiving SW, EMC
• Chet Namboodri, VP Business Development: Cisco Industrial Markets; GE Automation and Controls
• Kim Legelis, Chief Marketing Officer: Industrial Defender, Cybereason, Symantec
28. Initial Funding
June 2015: Planven Investments led the Seed round, equivalent to $1.1M, as first institutional investor.
October 2016: GGV Capital & Lux Capital co-led a $7.5M Series A round in Nozomi Networks, Inc.
GGV Capital: Glenn Solomon, Managing Partner (10 years at GGV Capital; enterprise, cloud, security; @glennsolomon). Team in the US and China; $2.6 billion under management; 6 funds, 150+ investments; 15 years, 27 IPOs.
Lux Capital: Bilal Zuberi, Partner in Silicon Valley (8 years in venture capital; NextGen industrial tech; @bznotes). Lux Ventures IV, a $350 million fund; $700M under management; team in New York & Silicon Valley.
Planven Investments: Giovanni Canetta Roeder, Chief Executive Officer (VC & operator for a decade; global high-growth innovation; www.planven.com). Family office of Carlo De Benedetti; pioneer in European VC investing; team in Lugano, Switzerland.
29. Series B Round $15m: January 2018
Partners & Investments
Profile: Invenergy Future Fund invests in companies that are defining the future of energy.
Leadership: John Tough, Partner at Invenergy.
"Nozomi Networks' superior technology and team have made them the market leader in securing energy and other critical infrastructure industries from escalating cyber threats"
- Michael Polsky, CEO of Invenergy & Chairman of the Invenergy Future Fund