Dragos

Introduction

Dragos is a specialist supplier of OT cybersecurity solutions for industrial automation, critical infrastructure and Cyber-Physical Systems. The company focuses on protecting industrial environments from cyber threats through network monitoring, threat intelligence, incident response and risk analysis.

Dragos is used in:

• power supply
• oil and gas
• water treatment
• production environments
• transport sector
• chemical industry
• pharmaceuticals
• critical infrastructure

In modern IT OT Convergence architectures, Dragos plays an important role in detecting threats within complex OT and ICS environments where traditional IT security tools are not sufficiently effective.

The platform is specifically designed for industrial networks in which:

• high availability
• real-time communication
• legacy systems
• safety functionality
• operational continuity

are critical constraints.

🏗️ Positioning in OT security

Dragos positions itself primarily within:

• Monitoring
• IDS
• threat intelligence
• incident response
• OT visibility
• risk management
• threat hunting

The platform stands out through a strong focus on:

• industrial threat actors
• ICS-specific attack techniques
• operational impact analysis
• OT threat intelligence

Unlike traditional IT security, Dragos explicitly focuses on industrial protocols, OT assets and process safety.

🌐 Platform architecture

The Dragos solution typically consists of several components.

Key elements:

The platform is typically placed within:

• OT Network
• Control Network
• Supervisory Network
• IDMZ
• SOC environments

Monitoring is mainly passive via:

• SPAN ports
• network TAPs
• mirror ports

Impact on production processes is therefore kept minimal.

🔎 Asset Discovery and Asset Inventory

A key capability of Dragos is automatic Asset Discovery and Asset Inventory.

The platform identifies:

• PLC
• HMI
• SCADA
• RTUs
• industrial switches
• engineering stations
• historians
• IoT devices

Key metadata collected:

Many organisations lack a complete overview of their OT assets, making effective risk management difficult.

📡 Passive OT monitoring

Dragos mainly uses passive monitoring to analyse OT networks safely.

Characteristics:

• no active network load
• minimal disruption
• real-time visibility
• protocol analysis

Supported protocols include:

• Modbus
• Modbus TCP
• Ethernet IP
• DNP3
• OPC UA
• S7
• BACnet
• IEC 61850

Passive monitoring is crucial because aggressive scans within industrial networks can lead to:

• controller failures
• HMI crashes
• network congestion
• process disruption
• safety risks

🧠 Threat intelligence

A key differentiator of Dragos is extensive OT-specific threat intelligence.

Dragos analyses:

• ICS malware
• state-sponsored threat actors
• attack campaigns
• TTPs
• supply-chain threats

The platform uses, among other things:

• MITRE ATT&CK for ICS
• IOCs
• behavioural analysis
• threat hunting
• OT protocol analysis

Dragos regularly publishes analyses of industrial threat groups targeting critical infrastructure.

⚠️ Threat detection

Dragos detects OT-related threats and anomalies.

Examples:

Key threat categories:

• Ransomware
• supply-chain attacks
• remote compromise
• insider threats
• protocol abuse
• malware

In OT, detection is not just about IT compromise but also about potential impact on physical processes.

🔐 Incident response

Dragos provides extensive OT-oriented incident response services.

Key characteristics:

• OT forensics
• industrial threat analysis
• containment strategies
• recovery support
• root cause analysis

OT incident response differs significantly from traditional IT response because:

• systems cannot easily be shut down
• production continuity is crucial
• safety systems can be affected
• physical consequences are possible

OT response therefore requires close collaboration between:

• operations
• OT engineering
• SOC teams
• process operators
• management

🛡️ OT cybersecurity and critical infrastructure

Dragos is widely used in critical infrastructure.

Examples:

• electricity grids
• water treatment
• oil and gas installations
• industrial production
• transport systems

These environments require:

• high availability
• real-time detection
• minimal downtime
• secure remote access
• compliance

The platform supports integrations with:

• SIEM
• SOAR
• SOC
• incident management workflows

⚡ Network performance and OT requirements

OT networks require predictable real-time behaviour.

Important considerations:

Dragos is designed to:

• operate passively
• cause minimal network load
• safely analyse industrial protocols
• support real-time monitoring

This is essential in environments where network disruption can have direct operational consequences.

☁️ XIoT and cloud integration

Modern OT environments contain increasingly more connected systems.

Dragos therefore focuses on broader XIoT environments including:

• ICS
• IoT devices
• smart buildings
• edge infrastructure
• industrial sensors

Cloud integrations support:

• central monitoring
• threat intelligence distribution
• analytics
• SOC integrations

At the same time, cloud connectivity and remote operations expand the attack surface.

🔄 Vulnerability management

Dragos supports OT-specific Vulnerability Management.

Within industrial environments, classic IT patching strategies are often not feasible due to:

• legacy systems
• vendor lock-in
• limited maintenance windows
• validation requirements
• production continuity

Dragos therefore also focuses on:

• compensating controls
• network segmentation
• risk prioritisation
• exposure reduction

This better matches operational OT reality.

🔄 Integration with SOC and IT security

Dragos integrates with existing enterprise security platforms.

Commonly used integrations:

• SIEM
• SOAR
• XDR
• ticketing platforms
• CMDB solutions
• threat intelligence feeds

This creates better correlation between:

• IT events
• OT events
• lateral movement
• supply-chain risks

This supports converged SOC models in which IT and OT security work together.

🧪 Practical example: energy company

An energy company implements Dragos for OT threat detection.

Architecture

Functionality

Dragos detects:

• unauthorised engineering access
• protocol anomalies
• suspicious firmware changes
• new assets
• anomalous network flows

Security challenges

Key risks:

• legacy equipment
• remote vendor access
• insufficient segmentation
• supply-chain threats
• limited patching options

Architectures are therefore designed according to:

• IEC 62443
• Defense in Depth
• Zones and Conduits Model

🔄 Lifecycle Management

Dragos supports organisations in Lifecycle Management of industrial assets.

Key insights:

• unsupported firmware
• end-of-life systems
• vulnerable protocols
• configuration changes
• lifecycle risks

This supports:

• migration planning
• risk assessments
• compliance
• investment decisions

⚖️ Relevant standards

Dragos is often used within compliance programmes based on:

📈 Role in IT/OT convergence

Dragos plays an important role in modern industrial cybersecurity architectures.

Key trends:

• converged SOCs
• XIoT security
• cloud connectivity
• AI-based detection
• real-time OT visibility
• remote operations

Benefits:

• better OT visibility
• faster threat detection
• improved compliance
• better risk management
• higher operational resilience

Challenges:

• complex legacy environments
• scalability
• false positives
• multi-vendor infrastructure
• operational constraints

Dragos is thus an important platform for OT cybersecurity within critical industrial infrastructure.