The ICS-Defender LITE/DPI Is the Plant Floor Security Appliance for Comprehensive Allen-Bradley PLC Security!

Everything in the NAT/RA plus controlled Allen-Bradley PLC access using EtherNet/IP Deep Packet Inspection


ICS-Defender Plus LITE/DPI Security Appliance


Built BY Control Engineers FOR Control Engineers

Datasheet Userguide

What is the ICS-Defender LITE/DPI?

The ICS-Defender LITE/DPI is the ICS-Defender security appliance for control engineers requiring more comprehensive protection from cybersecurity attacks on their Allen-Bradley PLCs.

There is little plant floor engineers can do about stolen credentials but there is an option for preventing cyber attackers with those stolen credentials from creating havoc in your control system.

Of course, the controls staff should be able to switch a PLC into and out of program mode, modify logic, monitor tag values and change configuration values in the data table, but should every user have that kind of access? Of course not! The Deep Packet Inspection Engine looks at every CIP message entering your PLC (and other CIP devices) and blocks CIP messages you didn’t specifically authorize. That means if you authorized a user to read the data table, they can’t read other tags, modify logic, write the data table or perform other unauthorized operations.

With the ICS Defender LITE/DPI, you have protection in place for when (not if) your IT systems get hacked and an intruder starts attacking your control system from inside your organization.

Just like the Defender NAT/RA, it includes a set of features not found in any competitive device:

  • An analyzer to auto-learn your network traffic and create DPI (Deep Packet Inspection) rules without knowing CIP (Common Industrial Protocol)
  • EtherNet/IP and Modbus TCP support with PROFINET IO and DNP3 on the road map
  • A stateful firewall to ensure that only traffic you authorize will access your control network
  • An asset data collection tool to interrogate your control network and report on assets found
  • A Restful API to make asset list available to high level systems
  • All the NAT services you’ll ever need: 1:1 NAT, 1:many NAT, port forwarding, and outbound NAT
  • A VPN server and client for all the Remote Access (RA) services you’ll ever use
  • An easy-to-use graphical user interface – no complicated CLI (Command Line Interface) required
  • A configurable dashboard and various historical and real-time graphs
  • Troubleshooting tools like Ping, Traceroute, PCAPS, and more
  • 1-Click easy firewall rule creation from firewall logs
  • Historical and real-time graphing of network activity
  • IP20 DIN (other options available)
  • Reporting and monitoring to understand what the security platform is seeing on the network
  • No subscriptions and constant updates of malware signatures to update

Want Even More? See the comparison to the Defender PRO!

Why You Might Need Defender LITE/DPI

Today, more than ever, your control systems must provide data to the enterprise and the Cloud. To accomplish that, your control system is connected to a number of servers and Windows computers. Those computers reach into your control systems to request data, send recipes down, change operating parameters, and more. With more and more attacks against manufacturing systems, you’ll never know when one of those computers is hacked. The last thing you want is someone with free reign to access PLCs, drives, valve blocks, and everything else in your control system. With the ICS-Defender LITE/DPI you have the ability to restrict exactly what each of those computers can do and block anything else.

To avoid your production operation becoming the next story in the Wall Street Journal, you need to restrict access to your control system with ICS-Defender LITE/DPI.

What is Deep Packet Inspection?

When external devices want to talk to an Allen-Bradley PLC or other EtherNet/IP device, they use CIP (Common Industrial Protocol). A CIP message uses an operation code to tell the target device what to do. The operation code tells the device that the originating device wants to read an attribute, write an attribute, or perform some other operation like reset or switch to Program Mode. CIP messages can tell a pump to stop pumping or a motor to speed up, slow down, or stop.

A Deep Packet Inspection Engine (DPI) opens Ethernet messages to identify those operations. That’s much more than other devices, like Firewalls, do. Those devices simply evaluate the originator’s address, the destination address, and the port number to determine if a message should be passed to the destination or not. Devices with DPI engines do the same thing but they also open the message and evaluate the operations being requested. If the user has authorized that operation, the message is passed to the sender. If the operation is not on the authorized operation list for that user, it’s blocked.

DPI engines protect a control system from viruses and worms at wire speeds. DPI engines are also effective at preventing denial-of-service (DoS) and buffer overflow attacks.

Other Versions of ICS-Defender

ICS-Defender NAT/RA is the entry-level product for users needing simple Network Address Translation and Remote Access. It includes:

  • Various types of Network Address Translation including 1:1 NAT, 1:many NAT, Port Forwarding, and outbound NAT
  • A Captive Portal where users can be authenticated from a local database or from your active directory
  • Remote Access using a VPN server
  • A stateful firewall to implement a security policy for the control network
  • A graphical user interface – no CLI required
  • A configurable dashboard and various historical and real-time graphs

The ICS-Defender PRO license provides everything in the LITE/DPI license plus high availability and redundancy features, scheduled policy rules, and other valuable features. The PRO includes:

  • Extended firewall support to include multiple WAN support and scheduled rules to restrict traffic to specific days and hours
  • Configuration of the Defender as a primary or secondary in high availability applications
  • A host of valuable applications like a DHCP Client and Server, NTP Server, Dynamic DNS, FTP, and TFTP
  • APC UPS Control

About ICS-Defender

The Defender series of products from Dynics provides a powerful layer of protection to the control engineer; protecting everything from machine to tools to standalone computers to full scale control systems. The Dynics Defense-in-Depth strategy provides safe and secure remote access, controls how suppliers access your networks and equipment, blocks unauthorized operations (using a Deep Packet Inspection engine), hides internal addresses from external users (Network Address Translation), and block unwanted messages from unauthorized devices such as USB flash drives, tethered phones, wireless devices, and laptops.

Weight3 lbs
Dimensions10 × 12 × 8 in
  • 113 Page Manual
  • 3 Year Warranty