Abstract: There is provided a packet monitoring apparatus for monitoring packets copied from an industrial control system (ICS) network, the apparatus being configured to perform an analysis of a plurality of packets copied from the ICS network and generate a digital command signal responsive to the analysis for transmission via a digital input/output channel. There is also provided an active prove that is configured to generate and transmit at least one query packet into the ICS network responsive to a digital command signal, optionally received from the packet monitoring apparatus.

Abstract: There is provided a packet monitoring apparatus for monitoring packets copied from an industrial control system (ICS) network, the apparatus being configured to perform an analysis of a plurality of packets copied from the ICS network and generate a digital command signal responsive to the analysis for transmission via a digital input/output channel. There is also provided an active prove that is configured to generate and transmit at least one query packet into the ICS network responsive to a digital command signal, optionally received from the packet monitoring apparatus.

Abstract: A method for monitoring or controlling one or more packets propagating through a plant communication network of an industrial control system (ICS) comprising sensors, end devices, and programmable logic controllers (PLCs), the method comprising: receiving at least one packet traversing the plant communication network; detecting a control plane (CP) action associated with the at least one packet, responsive to one or more features of the at least one packet; determining at least one firewall rule responsive to the at least one packet and the detected CP action; and performing a firewall action on a packet comprised in the at least one packet responsive to the determined firewall rule, the firewall action comprising one or more of: allowing the packet, blocking the packet, requesting user authentication, and logging the packet.

Abstract: A network apparatus comprising: a packet payload compressor (PPC) operable to: receive a packet copied from a network, the packet comprising a source, destination, and a payload; extract a value of a field comprised in the payload; provide a computed value of the field based on the source and destination of the packet; compare the extracted value and the computed value; and compress the field if the extracted value is the same as the computed value, and a traffic shaper operable to transmit a compressed packet comprising the compressed field.

Abstract: A network apparatus comprising: a packet payload compressor (PPC) operable to: receive a packet copied from a network, the packet comprising a source, destination, and a payload; extract a value of a field comprised in the payload; provide a computed value of the field based on the source and destination of the packet; compare the extracted value and the computed value; and compress the field if the extracted value is the same as the computed value, and a traffic shaper operable to transmit a compressed packet comprising the compressed field.

Abstract: An embodiment of the disclosure provides a communication network having a plurality of end devices protected by multilayer switches that receive data packets in different formats for transmission to the end devices, translate received data packets to a common data format for inspection to determine if they pose a security threat, and if they do not pose a threat, forward the data packets to their end device destinations.

Abstract: An embodiment of the disclosure provides a communication network having a plurality of end devices protected by multilayer switches that receive data packets in different formats for transmission to the end devices, translate received data packets to a common data format for inspection to determine if they pose a security threat, and if they do not pose a threat, forward the data packets to their end device destinations.

Abstract: An embodiment of the disclosure provides a communication network having a plurality of end devices protected by multilayer switches that receive data packets in different formats for transmission to the end devices, translate received data packets to a common data format for inspection to determine if they pose a security threat, and if they do not pose a threat, forward the data packets to their end device destinations.

Abstract: A communication network comprising: a plurality of end devices; and a plurality of multilayer switches connected to the end devices that direct transmission of data packets between the end devices, wherein each switch comprises: a plurality of communication ports for receiving and transmitting data packets in different data formats; a data format translator that receives data packets configured in different data formats via the ports and reconfigures the data to a common data format; an application aware engine that receives data packets in the common format and inspects content of the received packets at a plurality of OSI layers, which plurality includes layer 7, to determine if they represent a security threat; and a wire speed packet switch that directs packets, which the application aware engine determines do not represent a security threat, to their destinations.