Dragos and Nozomi Network Security Monitoring

Jul 29, 2025 | Cybersecurity

At the 2025 Ovation Users’ Group Conference, Emerson’s Thomas Kizer and Alejandro Cruz presented Network Security Monitoring Features and Functions Comparison: Dragos and Nozomi. Their presentation addressed general characteristics of network security monitoring (NSM), typical functions performed, architectural considerations, and specific capabilities in each of the two platforms. The capabilities of these platforms continue to evolve. This post reflects the presenters’ views on where these solutions currently stand at the time of this writing.

They opened by defining the NSM space. NSM solutions observe network traffic, usually from a mirrored copy, to detect malicious or anomalous activity, and are broader in scope than a classic intrusion detection system (IDS) or network intrusion detection (NID) sensor. Detection can be pattern-based, signature-based, or behavioral (also known as heuristic or anomaly detection). These solutions can also be integrated with firewalls or routers to block traffic, much as an intrusion prevention system (IPS) would. Emerson does not recommend enabling this blocking capability, since an automatic block triggered by a false positive can affect the availability and reliability of the control system.

Because behavioral detection does not depend on a known signature, network security monitoring can surface activity from zero-day attacks that signature-only tools would miss. It can also cover legacy systems that cannot host endpoint security controls, so at least their traffic is observed. As cybersecurity regulations and standards such as NIS2, NERC CIP-015-1, and IEC 62443 advance, the need for network security monitoring grows. The recently approved NERC CIP-015-1 will require Internal Network Security Monitoring (INSM) for high-impact BES Cyber Systems and for medium-impact BES Cyber Systems with external routable connectivity (ERC).

NSMs can also reduce downtime, since the network data they collect improves troubleshooting. They are a primary tool for detecting advanced persistent threats (APTs), adversaries who possess advanced skills, may be well-funded, and have access to large pools of resources. An APT is characterized by the use of patient, scalable, and stealthy strategies and attack vectors, which is why long-term visibility into east-west traffic matters more than any single alert.

Monitoring operational technology (OT) networks presents unique challenges. Network switches can mirror traffic to a sensor (a SPAN or mirror port), but mirroring capacity depends on the switch's performance, so oversubscribed mirror ports silently drop the packets the sensor never sees. Spare physical ports and copper or fiber media are typically available for the new sensor connections. In many cases, network drawings are outdated, which complicates initial sensor placement; the discrepancies are usually resolved during the NSM project installation.

NSM solutions perform these typical functions:

  • Asset inventory
  • Threat Management / Intrusion Detection
  • Vulnerability Assessment
  • Passive Scanning
  • Threat Intelligence
  • Network Mapping

The U.S. Cybersecurity & Infrastructure Security Agency (CISA) recommends the following actions for water utilities:

  1. Reduce Exposure to the Public-Facing Internet
  2. Conduct Regular Cybersecurity Assessments
  3. Change Default Passwords Immediately
  4. Inventory OT/IT Assets
  5. Develop and Test Incident Response Plans
  6. Backup Systems Regularly
  7. Patch and Reduce Vulnerabilities
  8. Conduct Cybersecurity Awareness Training

Here is an architectural look at an NSM with multiple Ovation distributed control system networks:

Multiple Ovation DCS network monitoring architecture

With a Dragos NSM solution, the SiteStore aggregates the asset, vulnerability, and threat information produced by the connected Dragos Sensors. The sensors provide passive monitoring via physical appliances and virtual sensors, giving extensive coverage with minimal network disruption and flexible virtual deployment. A Central Store (not tested by the Ovation team) manages multiple SiteStores, providing a single location for multi-enterprise aggregation, central dashboards, searching, and reporting.

The SiteStore and Sensor can be virtual or physical devices, and can be hosted in the Power and Water Cybersecurity Suite (PWCS) if sufficient resources are available. Data sources include the sensors, a platform agent, project-file imports, and NP-View network modeling. Key capabilities include:

  • Automated Asset Discovery and Inventory
  • OT Network Monitoring and Deep Packet Inspection
  • Risk-Based Vulnerability Management
  • Intelligence-Driven Threat Detection
  • Response Playbooks and Digital Forensics
  • Segmentation Policy Validation

Nozomi Networks NSM solutions within PWCS include management, network sensors, and endpoint sensors. Vantage is a NIST Federal Information Processing Standards (FIPS)-compliant SaaS solution. On the management side, the Central Management Console (CMC) provides centralized management and visibility of sensors. Network sensors include the Guardian industrial-strength sensors, which are ANSI-certified and FIPS-compliant. A Remote Collector serves as a low-resource sensor for remote and challenging locations. The sensors and the CMC can be virtual or physical, and can be hosted on the PWCS host if sufficient resources are available.

Some enhanced capabilities that are compatible with PWCS include Asset Intelligence, Threat Intelligence, TI Expansion Pack, and Vantage IQ (cloud access).

Protocol integration with Ovation is done through the Ovation DDB protocol: assets are identified passively, and process variables are extracted from the Ovation DDB traffic. Passively detected assets are enriched with active polling (not validated by the Ovation team), the Asset Intelligence enhancement, and a machine-learning engine in Vantage (cloud platform).

Visit the Power and Water Cybersecurity Suite section on Emerson.com for more information on network monitoring systems and their role in a comprehensive cybersecurity strategy.
