The ICS-Defender LITE/DPI Is the Plant Floor Security Appliance for Controlling Access to Your PLCs!

Everything in the NAT/RA plus controlled PLC access using EtherNet/IP Deep Packet Inspection

SKU: ICSD-PLUS

ICS Defender Plus LITE/DPI Security Appliance

Price $2,495.00

Product Description

Built by Control Engineers for Control Engineers

Datasheet Userguide

What is the ICS Defender LITE/DPI?

The ICS-Defender LITE/DPI is the ICS-Defender security appliance for control engineers who need to restrict access to their Allen-Bradly PLCs. Of course, the controls staff should be able to switch a PLC into and out of program mode, change programs and read or write anything in the data table, but should your other users have that access? Of course not! The Deep Packet Inspection Engine looks at every CIP message coming to the PLC (and other devices) and blocks messages you didn’t specifically authorize. That means if you authorized them to read the data table, they can’t put the PLC in program mode, write variables or do other unauthorized operations. You now have protection in place for when (not if) your IT systems get hacked and an attacker gets control of a PC with access to your control system.

Just like the Defender NAT/RA, it includes a set of features not found in any competitive device:

  • An analyzer to auto learn your network traffic and create DPI (Deep Packet Inspection) rules without knowing CIP (Common Industrial Protocol)
  • No subscriptions and constant updates of malware signatures to update
  • EtherNet/IP and Modbus TCP support with PROFINET IO and DNP3 on the road map
  • An asset data collection tool to interrogate your control network and report on assets found
  • A Restful API to make asset list available to high level systems
  • All the NAT services you’ll ever need: 1:1 NAT, 1:many NAT, Port Forwarding and outbound NAT
  • A VPN server and Client for all the Remote Access services you’ll ever use
  • A Stateful Firewall to ensure that only traffic you authorize will access your control network
  • An easy-to-use graphical user interface – no complicated CLI (Command Line Interface) required
  • A configurable dashboard and various historical and real-time graphs
  • Troubleshooting tools like Ping, Traceroute, PCAPS and more
  • 1-Click easy firewall rule creation from firewall logs
  • Historical and Real Time Graphing of network activity
  • Asset Detection and Monitoring (compatible with Rockwell AssetCentre®)
  • IP20 DIN (other options available)
  • Reporting and Monitoring to understand what the security platform is seeing on the network

Want More? See the comparison to the Defender Defender PRO!

Why You Might Need Defender LITE/DPI

Today, more than ever, your control systems must provide data to the enterprise and the cloud. To accomplish that, your control system is connected to a number of Servers and Windows computers. Those computers reach into your control systems to request data, send recipes down, change operating parameters and more. With more and more attacks against manufacturing systems, you’ll never know when one of those computers is hacked. The last thing you want is someone with free reign to access PLCs, drives, valve blocks and everything else in your control system. With the ICS Defender LITE/DPI you have the ability to restrict exactly what each of those computers can do and block anything else.

To avoid your production operation becoming the next story in the Wall Street Journal, you need to restrict access to your control system with ICS Defender LITE/DPI.

What is Deep Packet Inspection?

When external devices want to talk to an Allen-Bradley PLC or other EtherNet/IP device, they use CIP (Common Industrial Protocol). A CIP message uses an operation code that to tell the target device what to do. The operation code an tell the device that the originating device wants to read an attribute, write an attribute or perform some other operation like reset or switch to Program Mode. CIP messages can tell a pump to stop pumping or a motor to speed up, slow down or stop.

A Deep Packet Inspection Engine (DPI) opens Ethernet messages to identify those operations. That’s much more than other devices, like Firewalls, do. Those devices simply evaluate the originator address, the destination address and the port number to determine if a message should be passed to the destination or not. Devices with DPI engines do the same thing but they also open the message and evaluate the operations being requested. If the user has authorized that operation, the message is passed to the sender. If the operation is not on the authorized operation list for that user, it’s blocked.

DPI engines protect a control system from viruses and worms at wire speeds. DPI engines are also effective at preventing denial-of-service (DoS) and buffer overflow attacks.

Other Versions of ICS Defender

ICS-Defender NAT/RA is the entry level product for users needing simple Network Address Translation and Remote Access. It includes:

  • Various types of Network Address Translation including: 1:1 NAT, 1:many NAT, Port Forwarding and outbound NAT
  • A Captive Portal where users can be authenticated from a local database or from your active directory
  • Remote Access using a VPN server
  • A stateful firewall to implement security policy for the control network
  • A graphical user interface – no CLI required
  • A configurable dashboard and various historical and real-time graphs

The ICS-Defender PRO license provides everything in the LITE/DPI license plus high availability and redundancy features, scheduled policy rules and other valuable features. The PRO includes:

  • Extended firewall support to include multiple WAN support and scheduled rules to restrict traffic to specific days and hours
  • Configuration of the Defender as a primary or secondary in high availability applications
  • A host of valuable applications like: a DHCP Client and Server, NTP Server, Dynamic DNS, FTP and TFTP
  • APC UPS Control

About ICS Defender

The Defender series of products from Dynics provides a powerful layer of protection to the control engineer; protecting everything from machine to tools to standalone computers to full scale control systems. The Dynics Defense-in-Depth strategy provides safe and secure remote access, controls how suppliers access your networks and equipment, blocks unauthorized operations (using a Deep Packet Inspection engine), hides internal addresses from external users (Network Address Translation) and block unwanted messages from unauthorized devices such as USB flash drives, tethered phones, wireless devices and laptops.

RTA’S COMPLETE SATISFACTION GUARANTEE

Every RTA gateway comes with a 30 DAY 100% SATISFACTION GUARANTEE. If an application falls through, you find an alternative, or if you just wanted to try out a gateway -if for any reason you are not 100% satisfied, you can return the unit for a refund of the purchase price.

In addition, every RTA gateway comes with a 5 YEAR BETTER THAN INSURANCE WARRANTY.You will never have to blame the dog for eating your gateway. We don’t care if you let out the magic black smoke confusing AC with DC power or if you run the unit over with a forklift. Even if you break it, we will fix it or replace it at no cost for 5 years after purchase. That’s the RTA way.

  • 113 Page Manual
  • 3 Year Warranty