
DEEP PACKET INSPECTION
Detect threats to your factory floor by inspecting every CIP message and restrict those that contain threats. The DPI engine is compatible with Modbus TCP and EtherNet/IP devices.

REMOTE ACCESS FIREWALL
Protect everything from individual machines to full-scale control systems using remote access. Secure your factory by blocking unauthorized operations and hiding internal addresses from external users.

NETWORK ADDRESS TRANSLATION
All the NAT services you’ll ever need without the annoying CLI. The ICS-Defender is an all-in-one Network Address Translator: 1:1 NAT, 1:many NAT, Port Forwarding and outbound NAT.
Introducing
The ICS-Defender NAT/RA
Your Entry Level Security Appliance
It’s three products in one!
The ICS-Defender NAT/RA is a manufacturing router with a stateful firewall, a Remote Access Secure SSL VPN server and Network Address Translation server. With the NAT/RA you can:
- Limit NAT access to your PLC to only those users you have authorized.
- Control who can use the Remote Access server and what devices they are authorized to access.
- Allow access to your programmable controllers to ONLY a select set of on-site personnel.
- Authorize users from either a local list or your Active Directory (AD) or Radius Server.
Plus, you’ll enjoy the historical and real-time graphs, logging, alerting and built-in network troubleshooting.
Buy now

FOR EVEN MORE SECURITY, ADD DEEP PACKET INSPECTION
THE ICS-DEFENDER LITE/DPI
The ICS-Defender LITE/DPI includes all the features of the NAT/RA plus an additional layer of protection for your Allen-Bradley PLCs. With the Deep Packet Inspection engine, you can authorize only specific CIP commands. With Defender DPI, you can secure your PLC from a remote user (attacker) from:
- Viewing confidential PLC tags.
- Writing a single tag or all tags in the data table.
- Modifying the PLC operating mode (Prog/Run).
- Executing any CIP command that you haven’t explicitly authorized.
The LITE/DPI Defender is the only device that can prevent an attacker, even if they manage to impersonate a legitimate user, from accessing your PLC. The attacker will only be able to execute the routine, authorized operations normally performed by that user.
Buy Now…AND FOR THE POWER USER SECURING CRITICAL INFRASTRUCTURE
THE ICS-DEFENDER PRO
The ICS-Defender PRO, with all the features of the LITE/DPI Defender and a large assortment of additional features, is what every security professional needs to secure critical Allen-Bradley PLC based infrastructure. With Defender PRO you can:
- Ensure operation of your critical process using the seamless failover built into your Defender PRO.
- Double your bandwidth by adding a second path from your control network to your IT network through the Defender and have the Defender automatically load share the two connections.
- Not only limit what your vendors can access, but schedule when your vendors can access your PLCs and other network devices.
The Defender PRO is the best choice for flexible, reliable and redundant security.
Buy now
Which ICS-Defender is Right for You? | NAT/RA | LITE/DPI | PRO |
Network Address Translation, including: 1:1, 1:many NAT, Port Forwarding and outbound NAT | ![]() | ![]() | ![]() |
Captive portal where users can be authenticated from a local database or from your active directory | ![]() | ![]() | ![]() |
Remote Access using a VPN server | ![]() | ![]() | ![]() |
Stateful firewall to implement security policy for the control network | ![]() | ![]() | ![]() |
Graphical user interface – no CLI required | ![]() | ![]() | ![]() |
The Deep Packet Inspection engine supporting EtherNet/IP and Modbus TCP | ![]() | ![]() | |
Network Asset Detection | ![]() | ![]() | |
Support for the Rockwell FactoryTalk® AssetCentre | ![]() | ![]() | |
Extended firewall support to include multiple WAN support and scheduled rules to restrict traffic to specific days and hours | ![]() | ||
Configuration of the Defender as a primary or secondary in high availability applications | ![]() | ||
APC UPS Control | ![]() |
