Today’s Challenging Threat Environment Demands Better Visibility

By Sid Snitkin

Summary

Critical infrastructure cybersecurity has never been more important or more challenging. These organizations have become prime targets for cybercriminals and unfriendly state actors. At the same time, digital transformation is expanding attack surfaces with new devices and external connections.

While most critical infrastructure facilities have invested in some cybersecurity defenses, many lack the resources to sustain security hygiene and deal with security alerts. Poor visibility of vulnerabilities and threats adds to the problem. Lack of good asset information hampers efforts to manage the constant stream of new security alerts and patches. Unfiltered alerts and the lack of good contextual information aggravate efforts to investigate and respond to potential threats.

This situation is leaving many facilities at high risk of serious cyber incidents that impact safety and operational continuity. No organization can afford to operate under these conditions. Addressing OT and IoT cybersecurity program deficiencies needs to be a top priority in every critical infrastructure installation.

This ARC report discusses today’s critical infrastructure cybersecurity challenges and offers some recommendations for what companies can do to manage these cyber risks. ARC discussed these issues with executives of Nozomi Networks, a leading supplier of OT and IoT cybersecurity solutions, and a review of what they are doing to help companies address these challenges is included.

OT Cybersecurity Is Under Attack

The risks of cyber compromises in critical infrastructure facilities have grown significantly over recent years. Manufacturers, healthcare organizations, and other critical infrastructure operators around the world are facing more challenging threat environments. At the same time, changes companies are making to their operations are opening new attack pathways for compromises of critical operations.

Yesterday, critical infrastructure operators were primarily focused on blocking general malware that was floating around the internet. Today, security teams need to defend facilities against targeted attacks by sophisticated adversaries and compromised software downloads from suppliers. Findings in a recent research report showed that one-third of all ransomware attacks are being launched against industrial companies. Political unrest has also increased cyberwarfare attacks against critical infrastructure.

Digital transformation is occurring at a rapid pace across the critical infrastructure landscape. Operators, inspectors, and maintenance personnel are using mobile devices, augmented reality (AR), and digital twins to improve efficiency and effectiveness. Robots and autonomous vehicles are being deployed to drive higher productivity and process consistency. Managers are investing in multitudes of new IoT sensors and cloud analytics to help them optimize workflows, improve product quality, and reduce safety incidents. Facilities are enabling more use of remote access by vendors and home workers to get the fast, 24x7 support they need to minimize operational disruptions.

All of these digital transformation developments increase the risks of serious cyber incidents that can jeopardize safety and business continuity. Every new connection with external systems and devices creates a potential pathway for remote attacks. Every new IoT device creates a potential launchpad for attacks from within. Mobile devices create new opportunities for exfiltration of confidential information and injection of malware into critical business workflows. Limited security teams simply can’t keep up with these growing risks without solutions that give them the information they need to focus their efforts on the most critical vulnerabilities and threats.

Broad Visibility Is Essential for Survival

Visibility is vital for effective management of cybersecurity risks, and this includes visibility of all threats and vulnerabilities. Threat visibility needs to span potential attacks from systems, devices, and networks within facility perimeters as well as external threats that are targeting facilities in the same region or industry. Vulnerability visibility needs to span all weaknesses in all system devices as well as any vulnerabilities that may be in systems or devices that gain access to the systems controlling operations. In both cases, security teams need prompt notification of any changes in threats and vulnerabilities so that they can triage their efforts and adjust defenses.

Historically, critical infrastructure environments and systems were stable. So, companies could reasonably operate assuming that annual security assessments and general vulnerability alerts were enough visibility to manage their security risks. But visibility in today’s dynamic world needs real-time threat intelligence and continuous monitoring of systems to detect new devices, connections, and vulnerabilities.

Some facilities have already invested in passive visibility solutions to help them automate asset inventories, identify devices with known vulnerabilities, and detect anomalies in internal network communications. But lack of resources and concern about operational disruptions has constrained more widespread implementation of these critical capabilities. Overcoming these roadblocks is essential to defend systems against today’s attacks.

While valuable, passive scanning solutions are still not enough for today’s challenging environment. Compromises in devices that are off-network or that communicate infrequently across firewall boundaries can go undetected until it is too late to stop system-wide attacks. Security teams can also get overwhelmed with alerts that lack the filtering and context needed for rapid forensics and response. In today’s world, companies need solutions that address these issues and extend visibility so that it covers all threats and assets.

Nozomi Networks Addresses Modern Visibility Needs

Discussions with Nozomi Networks executives revealed that they share ARC’s view of the challenges critical infrastructure companies are facing and the need for better visibility of cyber risks. The discussions also demonstrated their commitment to helping companies address these issues.

Nozomi Networks is a leading provider of critical infrastructure visibility products that are used by companies around the world to minimize cyber risks and maximize operational resilience. Their Guardian and Vantage solutions provide real-time asset visibility, threat detection and actionable intelligence for critical infrastructure. Nozomi Networks solutions are being used to support installations across energy, manufacturing, mining, healthcare, transportation, utilities, building automation, smart cities, and critical infrastructure.

From its founding in 2013 as a passive network scanning solution, Nozomi Networks has continued to enhance and extend its solution portfolio to deal with growing cybersecurity challenges.

Nozomi Arc is the latest addition to Nozomi Networks’ solution portfolio. This product turns existing endpoint devices into visibility sensors that provide critical information about endpoint threats. It also extends Guardian’s asset inventory and network anomaly detection capabilities to more assets and isolated systems by enabling local smart polling and remote collector capabilities in local networks.


Nozomi Arc provides detailed information about the operations occurring within endpoint devices that is not detectable in network traffic. This includes information about users and erroneous system events that can only be detected by analysis of events reported in device log files. The product also monitors USB communications to detect threats from malicious devices posing as keyboards, etc.

Nozomi Arc extends the use of Guardian visibility capabilities to assets in hard-to-reach network segments. This includes smart polling of local devices to acquire their asset information and monitoring of local, East-West traffic to detect suspicious messages and patterns.

Security-relevant information collected by Nozomi Arc is sent to Guardian or Vantage for further analysis. This information is then used to alert users of endpoint threats, filter system alerts, and provide additional context to accelerate defender forensic efforts.

Nozomi Arc communications are secure outbound connections, so they don’t require changes to existing firewalls that could open remote systems to external attacks. This is a major benefit of Nozomi’s approach as it overcomes a common user concern that prevents use of smart polling to expand visibility to remote systems and devices.


The company indicates that Nozomi Arc can provide all of this functionality without putting undue strain on endpoint device operations or disrupting mission-critical networks. The Nozomi Arc endpoint sensor is deployed as a background executable and can be automatically uninstalled after collecting information to conserve host resources. This allows user policies to govern how frequently the Arc sensor is installed and performs collection.

Nozomi Arc is designed for rapid, remote deployment. So, companies can quickly deploy the product and reap the benefits of improved operational resiliency in all sites and devices regardless of their geographic, operating, or resource constraints.

Conclusion

Threats to critical infrastructure have outpaced the capabilities of existing cybersecurity programs. Most facilities lack the security resources, technologies, and cybersecurity management tools to defend operations against ransomware and sophisticated attackers. They also lack the people and expertise to ensure the security of new digital transformation efforts and expanded use of remote workers. The risks to safety and operational resilience are too great for any company to ignore the growing likelihood of serious cyber incidents.

This report provided ARC’s recommendations for what companies need to do to ensure that their cybersecurity programs support safe and reliable operations. The review of Nozomi Networks’ products and services shows that products are available to give users the visibility demanded in today’s world. So, the biggest risk to critical infrastructure is users that ignore the urgency of addressing these critical issues.


ARC Advisory Group clients can view the complete report at the ARC Client Portal.

Keywords: Industrial/OT Cybersecurity, Visibility, Nozomi Networks, ARC Advisory Group.
