Constant Guardian® | OT/ICS Network Security Monitor

Industrial-Strength OT Security

OT/ICS operations assurance technology compliant with IEC 62443-4-2 Security Level 2 (SL2), specifically designed to protect critical infrastructure from operations threats of all types and sources.

What Is Constant Guardian®?

An OT appliance that monitors your OT/ICS facility 24/7 to prevent electronic disruptions of operations.

Constant Guardian® is a passive network monitoring appliance designed specifically for operational technology (OT) and industrial control system (ICS) environments.

Unlike traditional security tools, it operates completely passively—monitoring network traffic without actively interfacing with your control systems, ensuring zero impact on operations while providing comprehensive visibility into your industrial network.

IEC 62443-4-2 Security Level 2 (SL2) certified, Constant Guardian® meets the rigorous security standards required for critical infrastructure protection.

Who Needs It?

Critical infrastructure operators across water/wastewater, energy, oil & gas, and manufacturing sectors.

Constant Guardian® is essential for organizations operating critical infrastructure:

• Water & Wastewater Treatment: Protect SCADA systems controlling clean water delivery
• Electric Power Grid: Monitor substations and generation facilities
• Oil & Gas Pipelines: Secure remote pumping and distribution networks
• Manufacturing Plants: Safeguard industrial automation systems

If your facility relies on OT/ICS networks to operate safely and reliably, Constant Guardian® provides the security visibility you need without operational disruption.

Why Constant Guardian®?

Reliably detects operations threats of all types by learning contextually valid facility electronic communications, then flagging or optionally correcting everything else.

Comprehensive Protocol Support: Deep packet inspection for 7 industrial protocols—S7comm, Modbus, Profinet, OPC UA, DNP3, EtherNet/IP, and BACnet.

Automatic Device Discovery: Protocol-based fingerprinting automatically builds and maintains your asset inventory without manual configuration.

Behavioral Analysis: Detects anomalous protocol behavior and policy violations that indicate cyber attacks or equipment failures.

Zero-Trust Design: Outbound-only connectivity, mTLS encryption, TPM 2.0 integration, and encrypted storage ensure the monitoring system itself cannot be compromised.

Compliance Ready: Meets IEC 62443, NERC CIP-015, and NIST SP 800-82 security requirements.

Enterprise-Grade Product Technical Specifications

Compliant with IEC 62443-4-2 Security Level 2 (SL2) for critical infrastructure protection

Industrial Protocol Support

S7comm (Siemens), Modbus/TCP (SCADA), Profinet, OPC UA, DNP3, EtherNet/IP (Rockwell), BACnet

Security Compliance

IEC 62443-4-2 SL2 | NERC CIP-015 | NIST SP 800-82 Rev.2

Network Performance

1Gbps+ Ethernet line rate monitoring | <1 second threat alerting | Zero packet or throughput loss

Deployment Model

Passive TAP-based monitoring | 30-minute installation | No OT network reconfiguration required

Device Discovery

Automatic protocol-based fingerprinting | 95%+ discovery rate | 1-4 week learning period

Management Interfaces

Web UI (HTTPS/mTLS) | REST API | SIEM integration (Splunk, QRadar, Sentinel) | 4G/LTE out-of-band access

Security Architecture

TPM 2.0 hardware security | AES-256 encrypted storage | Outbound-only connectivity / No write-back to facility OT network | Multi-factor authentication

Target Industries

Water/Wastewater | Electric Utilities | Oil & Gas | Manufacturing | Chemical Processing

Comprehensive Industrial Support

Deep packet inspection and logic state analysis for 7 major OT/ICS protocols

S7comm

Siemens PLCs

S7-300, S7-400, S7-1200, S7-1500 series monitoring

Modbus/TCP

SCADA Systems

Function code analysis, register monitoring

Profinet

Industrial Ethernet

Real-time I/O monitoring, cyclic data

OPC UA

Industry 4.0

Client/server monitoring, subscription tracking

DNP3

Utility SCADA

Outstation communication, event detection

EtherNet/IP

Rockwell Automation

CIP protocol analysis, ControlLogix monitoring

BACnet

Building Automation

HVAC, access control, fire systems

Flexible Deployment Models

Customizable Constant Guardian® deployment methods to meet your operational assurance and security needs

Edge Deployment

On-Premise at Each Site

Deploy a Constant Guardian® appliance directly at each facility for maximum control and minimal latency. Ideal for single-site operations or environments requiring air-gapped security.

Complete data sovereignty
Sub-millisecond detection
Works with air-gapped networks
Local web interface access

Central Monitoring

Multi-Site Aggregation

Connect multiple Constant Guardian® appliances to a centralized management platform for enterprise-wide visibility. Perfect for utilities and organizations with distributed infrastructure.

Unified dashboard for all sites
Automated policy enforcement
Cross-site threat correlation
Enterprise reporting

MSP/MSSP Model

Managed Security Service

Partner with remote off-premises managed service providers for 24/7 monitoring and optional incident response. Reduces operational overhead while maintaining security expertise.

Expert 24/7 SOC monitoring
Reduced staffing requirements
Compliance management
Predictable OpEx model

Critical Infrastructure Protection

Industry-specific OT security for America's essential services

Water & Wastewater

Protect drinking water treatment, distribution systems, and wastewater facilities from operational and cyber threats while maintaining EPA compliance.

Key Protocols: Modbus/TCP, DNP3, BACnet

Compliance: EPA Water Security, AWWA J100

SCADA system monitoring
Pump station security
Chemical feed control protection

Energy & Utilities

Safeguard power generation, transmission, and distribution infrastructure with NERC CIP-compliant monitoring solutions.

Key Protocols: DNP3, Modbus/TCP (SCADA), IEC 61850

Compliance: NERC CIP-015, IEC 62443

Substation monitoring
Generation control security
Smart grid protection

Oil & Gas

Secure upstream, midstream, and downstream operations including refineries, pipelines, and offshore platforms.

Key Protocols: Modbus (SCADA), OPC UA, DNP3

Compliance: API 1164, TSA Pipeline Security

Pipeline monitoring systems
Refinery process control
Remote site security

Manufacturing

Protect industrial automation, robotics, and production lines from disruptions while maintaining operational efficiency.

Key Protocols: Profinet, EtherNet/IP, S7comm

Compliance: ISA/IEC 62443, ISO 27001

PLC network monitoring
Robotics security
Production line protection

How Constant Guardian® Works

Comprehensive monitoring and alerting for industrial control systems

Constant Guardian® continuously monitors your OT/ICS network using deep packet inspection across 7 industrial protocols, providing real-time visibility with no impact on operations.

Passive Network Monitoring: TAP-based traffic capture with zero operational impact
Automatic Device Discovery: Protocol-based fingerprinting builds comprehensive asset inventory
Stateful Contextual Analysis: Detects anomalous protocol deviations and policy violations by detecting even tiny aberrations in facility electronic command-and-control logic chain sequence, order, timing, meaning or intent, regardless of the type, degree, method, or source of attack.
Multi-Interface Architecture: Separated TAP, Internet, and Cellular interfaces for security isolation
7 Industrial Protocols: S7comm, Modbus (SCADA), Profinet, OPC UA, DNP3, EtherNet/IP, BACnet
Compliance Ready: IEC 62443-4-2 SL2, NERC CIP-015, NIST SP 800-82
Zero-Trust Design: Outbound-only connectivity / no write-back to OT network, mTLS encryption, TPM 2.0 integration

Request Information →

Technical FAQs

Common questions about deploying and operating Constant Guardian®

Does Constant Guardian® disrupt OT network operations?

No. Constant Guardian® uses passive TAP-based monitoring that creates a one-way mirror of network traffic. The device has zero operational impact on your industrial control systems. It cannot introduce latency, block traffic, or cause network loops. Even if the device fails or loses power, your OT network continues operating normally.

What happens if internet connectivity is lost?

Constant Guardian® continues monitoring and protecting your OT network even without Internet connectivity. All detection, analysis, and alerting functions operate locally. Internet is only used for remote management and cloud-based analytics. The device includes cellular failover (optional) and can buffer alerts for later transmission. For air-gapped deployments, the device operates entirely offline with local web interface access.

How long does it take Constant Guardian to become fully operational?

Discovery Mode typically runs for 1-4 weeks depending on network complexity and operational cycles. During this period, Constant Guardian® passively learns normal behavior patterns, builds a comprehensive asset inventory, and establishes baseline traffic profiles. The device provides immediate visibility, but the longer discovery period ensures accurate behavioral baselines that reduce false positives once in Protection Mode. Additionally, as may be necessary Constant Guardian's configuration time can be substantially sped up through selective manual configuration by our team or if so desired, by your team.

Is it compatible with legacy OT equipment?

Yes. Because Constant Guardian® uses passive monitoring at the network layer, it's compatible with any Ethernet-based OT equipment regardless of age. It doesn't require agents, configuration changes, or integration with or reconfiguration of existing devices such as HMIs and PLCs. The device recognizes 7 major industrial protocols and can fingerprint devices even when using proprietary or undocumented protocol variants. This makes it ideal for protecting legacy systems that cannot be modified or upgraded.

What are the hardware installation requirements?

Minimal. We supply all needed hardware, including our appliance, and our team performs the installation onsite at your facility.

Specifically, Constant Guardian® requires: (1) Network TAP or SPAN port installed on your OT switch, (2) Standard 120V power outlet, (3) Optional internet connection (cellular or Ethernet). The device is rack-mountable (1U) or can be shelf-mounted in control panels. No special cooling or environmental controls needed beyond typical industrial equipment ranges (-10°C to 60°C). Our installation process typically takes 1-2 hours including TAP placement, initial configuration, and testing.

How is sensitive OT data secured?

Constant Guardian® implements defense-in-depth security: TPM 2.0 hardware encryption for data at rest, mTLS encryption for all cloud communications, outbound-only network connectivity (cannot be remotely accessed), encrypted local database, and role-based access controls. The device only transmits metadata and alerts to the cloud, never full packet captures or process values. For maximum security, our team deploys Constant Guardian in air-gapped mode with no external connectivity.

Can it monitor multiple network segments?

Yes. A single Constant Guardian® appliance can monitor traffic from multiple TAP ports or VLANs simultaneously. For large facilities with multiple isolated OT networks, deploy multiple appliances that report to a centralized management platform. This provides unified visibility across your entire industrial infrastructure while maintaining network segmentation and security zones. As an included part of our deployment process, we will work with you to determine the optimum configuration of Constant Guardian in your facility or facilities.

24/7 OT Security