Visibility Architecture

Water Companies Modernize OT Security

Ransomware groups bank on the fact that utility companies will be more likely than other sectors to pay to restore services quickly. Nor is the risk purely financial: the 2021 attack on the Oldsmar treatment plant included tampering with a public water supply.

To avoid the costly, sometimes catastrophic fallout resulting from attacks on critical infrastructure (CI), government-run utilities worldwide have launched initiatives to modernize their cybersecurity stacks so that attacks on IT cannot threaten operational technology (OT) resilience. One Middle Eastern power and water authority partnered with Nozomi Networks and Keysight to improve the visibility, monitoring and detection that protects a large city’s public safety networks, fire alarms, and city-wide transportation systems.

Step one was deploying intrusion detection systems (IDS) at 14 substations across the city to accelerate threat detection and incident response (IR). Deploying hardware-based OT monitoring at each substation would have been cost-prohibitive, so the team sought a cost-effective alternative, a search that led to the selection of the Nozomi Networks IDS solution.

Step two was choosing the ideal solution to optimize network traffic for analysis by Nozomi.

The challenge? Achieving the scalable, cost-effective capture, filtering, and delivery of network data to IDS agents.

IT/OT convergence demands modern edge visibility

To ensure the Nozomi IDS agents had full visibility into traffic flowing across IT and OT systems, the team’s key visibility requirements included:

  • Complete coverage across distributed substations
  • Efficient traffic capture and aggregation, and filtering of traffic at the edge
  • Centralized optimization and cost-efficient delivery of traffic for analysis
  • Elimination of unnecessary data prior to analysis

Where a proof of concept (PoC) might ordinarily have been conducted, the authority was familiar with the benefits of using a Keysight Network Visibility Platform. Prior experience had shown:

  • Keysight’s successful track record partnering with government agencies
  • Successful collaborations with Nozomi Networks to secure OT environments
  • The ability of the Keysight visibility architecture to minimize hardware requirements while scaling aggregation to 48 ports – a powerful total cost of ownership (TCO) advantage compared with competing solutions

After a detailed site survey, the implementation moved forward quickly within a couple of weeks. 

Three-part visibility solution optimizes traffic for analysis

Highlights of the updated monitoring infrastructure include:

  • Traffic collection at the edge using Keysight taps at all 14 substations  
  • Edge aggregation and filtering performed by Keysight Vision Edge 40 (E40) network packet brokers (NPBs) to filter out unwanted traffic like CCTV streams  
  • Centralized, advanced network visibility using a Keysight Vision ONE packet broker

Key functions of the Vision ONE include:

  • Removing duplicate packets
  • Sending clean traffic to Nozomi IDS solutions for analysis
  • Improving bandwidth and tool utilization even further
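The three stages above (taps feeding edge packet brokers that drop unwanted traffic, a central broker that removes duplicates, and an IDS that receives only the clean feed) can be modelled in a few dozen lines. The following Python model is an added illustration and is not Keysight, Nozomi Networks or case-study code; the packet records, the port numbers used to recognise CCTV streams (RTSP 554 plus a hypothetical RTP range) and the 100 ms deduplication window are all constructed assumptions. It shows the two points a defender cares about: how much of the captured volume never needs to reach the IDS, and why the dedup window must be short enough that a legitimate repeat of an identical poll seconds later is still forwarded.

```python
"""Model of a tap -> edge packet broker -> central packet broker -> IDS pipeline.

Added illustration, not vendor code. All packets are constructed records,
not captured traffic; port classifications and the dedup window are assumptions.
"""
import hashlib
from collections import namedtuple

# ts is milliseconds; 'tap' names the tap that saw the copy of the packet.
Packet = namedtuple("Packet", "ts tap src dst dport proto payload")

# Assumed CCTV signatures: RTSP control on 554 and a hypothetical RTP port range.
CCTV_PORTS = {554}
CCTV_RTP_RANGE = range(16384, 16484)


def is_cctv(pkt):
    """Edge classification rule: video traffic the IDS does not need."""
    return pkt.dport in CCTV_PORTS or pkt.dport in CCTV_RTP_RANGE


def edge_filter(packets):
    """Edge NPB stage: drop CCTV so only IT/OT control traffic leaves the site."""
    return [p for p in packets if not is_cctv(p)]


def packet_key(pkt):
    """Content identity of a packet; deliberately excludes ts and tap so that
    the same packet seen by a substation tap and by the core tap collapses."""
    h = hashlib.sha256()
    h.update(f"{pkt.src}|{pkt.dst}|{pkt.dport}|{pkt.proto}|".encode())
    h.update(pkt.payload)
    return h.digest()


def dedupe(packets, window_ms=100):
    """Central NPB stage: suppress copies of a packet seen within window_ms.

    A copy outside the window is treated as a genuine new packet (e.g. a
    periodic Modbus poll with identical bytes), so the IDS still sees it.
    """
    last_seen = {}
    kept = []
    for p in sorted(packets, key=lambda p: p.ts):
        k = packet_key(p)
        prev = last_seen.get(k)
        if prev is not None and p.ts - prev <= window_ms:
            continue  # duplicate from a second tap; do not forward
        last_seen[k] = p.ts
        kept.append(p)
    return kept


def pipeline(packets, window_ms=100):
    """Run both broker stages and report what the IDS would receive."""
    filtered = edge_filter(packets)
    clean = dedupe(filtered, window_ms)
    bytes_in = sum(len(p.payload) for p in packets)
    bytes_out = sum(len(p.payload) for p in clean)
    stats = {
        "received": len(packets),
        "after_edge_filter": len(filtered),
        "forwarded_to_ids": len(clean),
        "bytes_in": bytes_in,
        "bytes_out": bytes_out,
        "reduction_pct": round(100.0 * (bytes_in - bytes_out) / bytes_in, 1),
    }
    return clean, stats


def sample_traffic():
    """Constructed traffic: one substation tap plus the core tap seeing the
    same control packets, interleaved with CCTV that should never leave the edge."""
    modbus = bytes.fromhex("000100000006010300000a")   # constructed Modbus read
    dnp3 = bytes.fromhex("056405c001000004e921")       # constructed DNP3 frame
    rtsp = b"RTSP/1.0 200 OK\r\n"
    rtp = b"\x80" + b"\x00" * 199
    return [
        Packet(0, "S01", "10.1.1.10", "10.1.1.20", 502, "tcp", modbus),
        Packet(3, "CORE", "10.1.1.10", "10.1.1.20", 502, "tcp", modbus),    # dup
        Packet(1, "S01", "10.1.1.50", "10.1.9.5", 554, "tcp", rtsp),       # CCTV
        Packet(2, "S02", "10.1.2.50", "10.1.9.5", 16400, "udp", rtp),      # CCTV
        Packet(10, "S02", "10.1.2.10", "10.1.2.20", 20000, "tcp", dnp3),
        Packet(12, "CORE", "10.1.2.10", "10.1.2.20", 20000, "tcp", dnp3),  # dup
        Packet(5000, "S01", "10.1.1.10", "10.1.1.20", 502, "tcp", modbus), # new poll
        Packet(5004, "CORE", "10.1.1.10", "10.1.1.20", 502, "tcp", modbus),# dup
    ]


if __name__ == "__main__":
    clean, stats = pipeline(sample_traffic())
    for p in clean:
        print(f"-> IDS  ts={p.ts:>5}ms  {p.src}->{p.dst}:{p.dport}  via {p.tap}")
    print(stats)
```

Of the eight constructed packets, two are dropped at the edge as CCTV and three more are suppressed at the core as second-tap copies, so the IDS receives three packets. The identical Modbus poll at 5000 ms is forwarded because it falls outside the window; setting the window to several seconds to "catch more duplicates" would silently hide legitimate polling from the IDS, which is the trade-off to check whenever a deduplication setting is changed.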

Joint solution protects CI

The joint Keysight – Nozomi solution:

  • Improves access to relevant threat data
  • Avoids the deployment of hardware monitoring stacks at every site
  • Scales monitoring coverage without driving up cost
  • Delivers efficient centralized management and operational stability

With its scalable visibility and OT security monitoring architecture in place, the authority is well positioned to extend coverage to additional substations and integrate future OT security tools.

The end goal and name of the game? A sustainable advantage against advanced, AI-led ransomware and other cyberattacks. Learn more about the joint Keysight-Nozomi Networks solution or read the full case study.
