Enabling Broader ICS Cybersecurity
Today, Dragos, Inc. announced the acquisition of NexDefense and, simultaneously, the free release of two previously paid, well-known industrial control system (ICS) asset identification and discovery tools: CyberLens and Integrity.
History of Integrity
Integrity was originally developed as “Sophia” in 2012 at Idaho National Laboratory (INL). The tool was created by wonderfully innovative INL researchers, and it was apparent that Sophia could help the community as a private sector offering. In late 2013, NexDefense, co-founded by Michael Assante and Derek Harp, was awarded the exclusive rights to commercialize Sophia and continue its development. NexDefense enlisted the help of numerous colleagues and developers, including Loney Crist, Greg Williams, Jeff Barber, and John Brown, to extend Sophia beyond the initial vision and turn it into an even more capable and scalable tool. With the significant changes, the tool was renamed Integrity and continued to be sold until the acquisition, garnering positive recognition as an RSAC Innovation Sandbox finalist, Gartner Cool Vendor, and best network security solution by Cyber Defense Magazine. While the ICS cybersecurity market is vibrant today (especially with a focus on passive asset identification, threat detection, and response technologies), in 2013 the market looked very different. Early evangelism was key to highlighting the need for monitoring in operations technology (OT) and ICS networks. NexDefense contributed significantly to meeting that need.
History of CyberLens
Separately, around the same time NexDefense was founded, another tool was being created. The Department of Defense gave permission to employees Justin Cavinee, Jon Lavender, and Robert Lee to develop a tool in their off hours: CyberLens. CyberLens was intended to be a passive ICS asset identification and visualization tool to enable cybersecurity assessment in OT environments. The analysts were later joined by Matt Luallen and formed an LLC called Dragos Security. The LLC served as a protective legal entity to house CyberLens, so development could continue in off hours with the intent of getting it out to the community for training and assessment purposes. By 2015, the founders of NexDefense and Dragos Security were in discussion about joining forces, driven by a common dedication to serving the ICS community. Their first-hand experiences of the problems faced in industrial cybersecurity motivated both teams. However, the visions of what the products could become didn’t align at the time.
History of Dragos, Inc.
CyberLens was essentially an “after work” project, and the Dragos Security founders envisioned a much more robust product built on the insights of an intelligence and threat operations team. Jon, Justin, and Robert left the government in 2015 and, with that, put an end to work on CyberLens and Dragos Security. They founded Dragos, Inc. in 2016 and created a team that had the support and time required to focus on the larger vision of what “right” looked like for an ICS cybersecurity technology. That technology was the Dragos Platform.
NexDefense Acquisition and Free Community Tools
In 2018, as Dragos’ growth continued to skyrocket with significant traction for the Dragos Platform and a team more than 100 people strong, the opportunity to work with the NexDefense team resurfaced. None of the technology from Integrity made sense to put into the Dragos Platform; the Dragos technology’s asset identification and threat detection capabilities were already far superior. But there are many ICS community members who will never gain access to professional, paid products.
Most enterprise-level software is too costly for small businesses and municipalities to afford, even at the basic level. The acquisition of NexDefense and the release of CyberLens and Integrity, both built for ICS networks, will help the community perform the basic tasks of identifying assets and monitoring the network for change. For many of these businesses and municipalities, these tools offer a start down the path of securing their environments.
NexDefense Integrity will now become a free community tool for safe and continuous passive discovery of ICS networks and assets. Integrity can easily handle the networks of smaller infrastructure sites and provides ongoing industrial asset identification, ICS network and data flow visualization with basic deep packet inspection of major ICS protocols (such as Modbus TCP, DNP3, EtherNet/IP, BACnet, and OPC UA), and customizable fingerprints based on ports.
CyberLens will also become a free community tool intended for quick assessments of ICS networks. It has basic visualization and timeline analysis capabilities with basic deep packet inspection of common ICS protocols, such as Modbus TCP and DNP3, and also has customizable fingerprints based on ports.
Building a Better ICS Community
The ICS industry, as a whole, has matured substantially since Sophia was developed at INL and three young government employees built the assessment tool CyberLens. Those seeking a robust security strategy for their ICS will need more than these tools. Far more advanced and robust ICS asset identification capabilities with deep packet inspection, as well as the more difficult ICS-specific threat detection and response capabilities, exist within the Dragos Platform; however, Integrity and CyberLens represent a base-level capability that we are proud to now offer free to the community. It is our hope that this acquisition and product release pay homage to all the wonderful community members who worked on Sophia/Integrity over the years and provide a significant step forward for the members of the community just beginning their ICS cybersecurity journeys. It’s a long journey, but it is a worthy one to safeguard civilization.