Proof of Concept (POC) with Nozomi and Dragos Report
Engr. Mashal Buhamad
Strategic Note
This report was prepared for a major regional operator responsible for critical infrastructure. It highlights the reality that cybersecurity transformation cannot occur in a vacuum—it must align with the unique constraints and architecture of the existing environment. The Proof of Concept (POC) with Nozomi Networks and Dragos made this evident, as key limitations in legacy systems and architectural inconsistencies directly impact visibility and threat detection capabilities.
The findings reinforce that a comprehensive cybersecurity strategy is no longer optional—it is essential. This strategy must orchestrate how the organization will overcome current equipment and protocol limitations, guide procurement decisions, standardize network architectures, and align stakeholders across departments and vendors. Only through a unified, forward-looking strategy can the organization achieve scalable, resilient, and effective OT cybersecurity.
Introduction
In the evolving landscape of industrial cybersecurity, we continually seek advanced solutions to safeguard organizations operating critical infrastructure, particularly in operational technology (OT) environments. One of the primary goals is to establish robust cybersecurity visibility. Two prominent players in this field are Nozomi Networks and Dragos. While other components such as SIEM are essential, these two form the cornerstone of any visibility-driven cybersecurity architecture. Conducting a Proof of Concept (POC) with these technologies is vital to evaluate their capabilities, strengths, and suitability for specific organizational needs. This report outlines the purpose and preliminary outcomes of the POC with Nozomi and Dragos.
Understanding Nozomi and Dragos
Nozomi Networks: Known for its comprehensive OT and IoT security solutions, Nozomi Networks offers extensive visibility, threat detection, and actionable insights to protect critical infrastructure. Its platform enhances situational awareness and streamlines incident response. It is deployed globally across utilities, aviation, oil and gas, and other industrial sectors. The Nozomi POC was conducted using a demo unit provided by the vendor at a selected industrial site.
Dragos: Specializing in OT cybersecurity, Dragos delivers a suite of capabilities including threat detection, incident response, and threat intelligence tailored for industrial control systems (ICS). Dragos is recognized for its deep expertise in identifying and mitigating advanced persistent threats (APTs) in OT environments. The Dragos POC was executed using packet captures collected from multiple sites, with support from a Dragos engineer. Notably, Dragos did not provide their appliance, which could suggest limitations in device readiness or maturity.
Purpose of a POC
Technical Assessment:
The POC enabled a direct evaluation of Nozomi and Dragos in real-world settings. This included assessing their ability to detect and respond to threats, integrate with existing infrastructure, and provide meaningful visibility into OT networks. On-site deployment proved invaluable, providing firsthand insight into practical deployment challenges. Two significant issues were observed:
- Existing network nodes in the field lack port mirroring capabilities, making passive monitoring difficult without alternative solutions such as network taps.
- OT network environments lack standardization, with legacy and modern protocols (e.g., IEC 101 and IEC 104) coexisting within the same location, creating architectural inconsistencies.
Feature Comparison:
The side-by-side evaluation allowed comparison of capabilities including asset discovery, anomaly detection, threat intelligence integration, and incident response workflows. This helps define the most suitable use cases and placements for each solution.
Accuracy:
Testing detection accuracy and the rate of false positives was critical. The POC offered clear insight into each solution's ability to distinguish genuine threats from benign activity while minimizing noise. Additionally, asset detection capabilities were thoroughly evaluated, emphasizing the importance of post-deployment fine-tuning and enhancement.
System Integration:
Based on the POC findings, a comprehensive technical proposal review is necessary to address newly identified challenges. Collaboration with independent international consultants is strongly advised to ensure effective project execution. Given the complexity of industrial cybersecurity environments, this initiative will require seamless coordination among multiple stakeholders.
Conclusion
The POC with Nozomi Networks and Dragos provided actionable insights into their technical strengths and practical deployment within industrial OT settings. Both solutions excel in visibility, threat detection, and response—capabilities essential for protecting high-value critical infrastructure.
Key challenges identified during the POC—such as lack of port mirroring in field network devices and non-standardized communication architectures—must be addressed before full-scale deployment.
To move forward effectively, the technical proposal should be updated to reflect all POC findings. Engaging experienced external consultants will help align stakeholders, coordinate the project, and ensure its long-term success.
In summary, while Nozomi Networks and Dragos present solid options for industrial cybersecurity, overcoming existing environmental limitations and ensuring cohesive integration will be key to delivering a successful and secure implementation.