Dragos Industrial Cybersecurity Lacks Cross-Vendor Fleet-Health

by Nick Clark | Published April 25, 2026

Dragos has built the leading OT-native cybersecurity platform for industrial control systems, combining the Dragos Platform's passive asset-visibility and threat-detection engine with WorldView threat intelligence and a Neighborhood Keeper community-defense network. The platform excels at network-layer detection of ICS-specific threat behaviors, but it stops short of providing cryptographically attested device-integrity health for the assets it monitors. Health monitoring — device-integrity attestation, PUF-bound identity, tamper-evident telemetry, SBOM attestation, and zero-trust device management — is the architectural primitive that converts Dragos's network-observed signals into evidence-grade fleet-health claims.


Vendor and Product Reality

Dragos was founded by veterans of the U.S. intelligence community's ICS mission and has become the reference vendor for OT cybersecurity in electricity, oil and gas, water, manufacturing, and rail. The Dragos Platform performs passive deep-packet inspection of industrial protocols (Modbus, DNP3, IEC-61850, EtherNet/IP, S7, OPC-UA, and dozens more), maintains an asset inventory derived from observed traffic, and applies behavior analytics tuned to ICS threat groups such as VOLTZITE, ELECTRUM, and CHERNOVITE. WorldView delivers curated threat intelligence on these adversaries, while Neighborhood Keeper allows participating utilities to share anonymized detections across the community.

The platform's design philosophy is deliberately passive and non-intrusive, reflecting the operational constraint that ICS environments cannot tolerate the active probing routine in IT security tools. This is a strength — Dragos is trusted in environments where active scanners are forbidden — but it also means the platform's view of any given asset is limited to what that asset emits on the wire. The platform infers device identity, firmware version, and configuration from protocol fingerprints rather than from cryptographic attestations rooted in the device itself.

Architectural Gap

Network-inferred device state is necessary but not sufficient for the regulatory and insurance regimes now coming online for critical infrastructure. NERC CIP-013 supply-chain requirements, the EU NIS2 directive, the U.S. Executive Order on cybersecurity (and its CISA SBOM guidance), and the TSA's pipeline and rail security directives all increasingly demand evidence that a given device is the device it claims to be, that its firmware matches an attested SBOM, and that any tamper event is detected and recorded with cryptographic non-repudiation. None of these claims can be satisfied by passive network inference alone, because an adversary who has compromised the underlying device can still present normal-looking protocol fingerprints on the wire.

The gap is most visible in the supply-chain and insider-threat scenarios that increasingly drive ICS incident response. When a programmable logic controller, protective relay, or smart actuator is replaced during a maintenance window, Dragos can observe that a device with matching protocol behavior is now on the network — but it cannot independently verify that the new device is the genuine OEM unit, that its firmware has not been modified in transit, or that its configuration matches the engineering change order. Cross-vendor fleet health, rooted in device-side attestation, is the missing layer.

What the AQ Health-Monitoring Primitive Provides

The Adaptive Query health-monitoring primitive provides a layered device-integrity substrate composed of physically unclonable function (PUF) challenge-response for hardware-rooted identity, tamper-evident telemetry signed by an on-device attestation key, SBOM attestation that binds running firmware to a cryptographically signed bill of materials, and a zero-trust device-management policy plane that consumes these signals as first-class evidence. The primitive does not replace passive network monitoring; it complements it by supplying the cryptographic attestations that turn observed network behavior into a verifiable claim about the device that produced it.

Concretely, each managed device carries a PUF-derived identity that cannot be cloned by extracting keys from non-volatile memory, an attestation agent that signs periodic health reports with that identity, and an SBOM manifest that the agent re-attests whenever firmware changes. The policy plane evaluates these signals against a cross-vendor schema, so that a Schneider Modicon PLC, a Siemens S7-1500, a GE Multilin relay, and an Emerson DeltaV controller can all be reasoned about within a single fleet-health view despite their disparate vendor toolchains.
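The device-side agent, the commissioning record and the policy-plane check described above, as an added Go example that is neither the AQ primitive's code nor any vendor's. Everything in it is constructed for illustration: the PUF response is a fixed byte string standing in for a response measured in silicon, a SHA-256 of that response stands in for a real key-derivation step, Ed25519 from the Go standard library stands in for whatever signature scheme a real agent uses, and the device names, firmware and SBOM contents and verdict labels are made up.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// HealthReport is the per-cycle payload the on-device agent signs. Its field set is a constructed
// cross-vendor schema for this example, not any vendor's or Dragos's format.
type HealthReport struct {
	DeviceID, Vendor, Model string
	FirmwareHash            string // hex SHA-256 of the running firmware image
	SBOMDigest              string // hex SHA-256 of the SBOM manifest the firmware claims
}

// canonical serialises the report deterministically so signer and verifier hash identical bytes.
func (r HealthReport) canonical() []byte {
	return []byte(fmt.Sprintf("%s|%s|%s|%s|%s", r.DeviceID, r.Vendor, r.Model, r.FirmwareHash, r.SBOMDigest))
}

// Device simulates the agent. pufResponse is a constructed stand-in for a response measured in silicon.
type Device struct {
	Vendor, Model               string
	pufResponse, firmware, sbom []byte
}

// key re-derives the attestation key from the PUF on every use; it is never stored in non-volatile memory.
func (d *Device) key() ed25519.PrivateKey {
	seed := sha256.Sum256(append([]byte("attest-key:"), d.pufResponse...))
	return ed25519.NewKeyFromSeed(seed[:])
}

// DeviceID is the fleet identity: a hash of the public key, hence bound to the PUF.
func (d *Device) DeviceID() string {
	h := sha256.Sum256(d.key().Public().(ed25519.PublicKey))
	return hex.EncodeToString(h[:8])
}

// Attest re-measures firmware and SBOM and returns a freshly signed health report.
func (d *Device) Attest() (HealthReport, []byte) {
	fw, sb := sha256.Sum256(d.firmware), sha256.Sum256(d.sbom)
	r := HealthReport{DeviceID: d.DeviceID(), Vendor: d.Vendor, Model: d.Model,
		FirmwareHash: hex.EncodeToString(fw[:]), SBOMDigest: hex.EncodeToString(sb[:])}
	return r, ed25519.Sign(d.key(), r.canonical())
}

// Enrollment is the commissioning record: public key plus the SBOM digest the change order approved.
type Enrollment struct {
	PubKey       ed25519.PublicKey
	ApprovedSBOM string
}

// Registry is the cross-vendor fleet view, keyed by PUF-rooted identity rather than vendor toolchain.
type Registry map[string]*Enrollment

// Verify turns a report into a verdict. Identity and signature are checked before anything else:
// until the signature holds, the firmware and SBOM fields are unverified claims.
func (reg Registry) Verify(r HealthReport, sig []byte) string {
	e, ok := reg[r.DeviceID]
	switch {
	case !ok:
		return "unknown-device"
	case !ed25519.Verify(e.PubKey, r.canonical(), sig):
		return "bad-signature"
	case r.SBOMDigest != e.ApprovedSBOM:
		return "sbom-drift"
	}
	return "healthy"
}

// Scenario enrolls devices from two vendors and exercises the failure modes the text names.
func Scenario() map[string]string {
	plc := &Device{Vendor: "Schneider", Model: "Modicon M580", pufResponse: []byte("constructed-puf-a"), firmware: []byte("fw-2.1"), sbom: []byte("sbom-2.1")}
	relay := &Device{Vendor: "GE", Model: "Multilin", pufResponse: []byte("constructed-puf-b"), firmware: []byte("fw-7.4"), sbom: []byte("sbom-7.4")}
	reg := Registry{}
	for _, d := range []*Device{plc, relay} { // commissioning: record key and approved SBOM
		sb := sha256.Sum256(d.sbom)
		reg[d.DeviceID()] = &Enrollment{PubKey: d.key().Public().(ed25519.PublicKey), ApprovedSBOM: hex.EncodeToString(sb[:])}
	}
	out := map[string]string{}
	r, s := plc.Attest()
	out["plc-clean"] = reg.Verify(r, s)
	r.FirmwareHash = "0000" // telemetry altered in transit: the signature no longer covers it
	out["plc-tampered"] = reg.Verify(r, s)
	relay.firmware, relay.sbom = []byte("fw-8.0"), []byte("sbom-8.0") // firmware changed outside the change order
	r, s = relay.Attest()
	out["relay-drift"] = reg.Verify(r, s)
	clone := &Device{Vendor: "Schneider", Model: "Modicon M580", pufResponse: []byte("other-silicon"), firmware: plc.firmware, sbom: plc.sbom}
	r, s = clone.Attest() // same model and firmware on other silicon: the identity does not carry over
	out["clone"] = reg.Verify(r, s)
	return out
}

func main() {
	for k, v := range Scenario() {
		fmt.Printf("%-13s %s\n", k, v)
	}
}
```

The ordering inside `Verify` is the point worth keeping: an SBOM digest is only evidence once the signature over it has been checked against the key recorded at commissioning, and the clone case shows why the identity is keyed on the PUF-derived public key rather than on vendor, model or firmware image. A production agent would add a monotonic counter or nonce to the signed payload so that a captured valid report cannot be replayed; that is omitted here to keep the example short.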

Composition Pathway

Composition with the Dragos Platform is natural because Dragos already occupies the role of authoritative ICS observability, and the health-monitoring primitive supplies a complementary signal class rather than a competing one. The first integration increment exposes attested health reports as a Dragos data source, allowing Platform analytics to correlate network-observed events with device-side attestation state. A device that begins emitting anomalous Modbus traffic and simultaneously fails its next attestation cycle is a substantively different incident from one whose attestation remains valid; the Platform's existing detection logic gains a powerful disambiguation signal.

A second increment binds Dragos's asset-inventory module to the PUF-rooted identity, so that the Platform's view of "what is on the network" is anchored to cryptographic identity rather than to inferred fingerprints alone. A third increment exposes SBOM-attestation status as a first-class Dragos detection, allowing analysts to see firmware drift and unsigned-firmware events alongside protocol-layer alerts. Each increment is additive, non-disruptive to existing Dragos deployments, and provides immediate operational value to customers under NERC CIP, NIS2, or TSA reporting obligations.
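The correlation the first and third increments describe, as an added Go example that is not Dragos's or the primitive's code: a network alert is joined to the device's most recent attestation verdict inside a time window and classified accordingly, and failed attestations with no accompanying network alert (such as firmware drift) are raised on their own. The event and verdict structures, device names, alert names, severities and reasons are all constructed for this illustration and match no real product's schema.

```go
package main

import (
	"fmt"
	"time"
)

// NetworkEvent is a network-layer detection as a passive monitor would raise it (constructed shape).
type NetworkEvent struct {
	DeviceID string
	At       time.Time
	Alert    string
}

// AttestationResult is the verdict the policy plane reached on one signed health report.
type AttestationResult struct {
	DeviceID string
	At       time.Time
	Verdict  string // "healthy", "sbom-drift", "bad-signature" or "unknown-device"
}

// Incident is the correlated output an analyst would see; severities and reasons are constructed.
type Incident struct {
	DeviceID, Alert, Verdict, Severity, Reason string
}

// latestVerdict returns the newest verdict for the device within window before the event, else "unattested".
func latestVerdict(ev NetworkEvent, results []AttestationResult, window time.Duration) string {
	verdict, at := "unattested", time.Time{}
	for _, r := range results {
		if r.DeviceID != ev.DeviceID || r.At.After(ev.At) || ev.At.Sub(r.At) > window {
			continue
		}
		if r.At.After(at) {
			verdict, at = r.Verdict, r.At
		}
	}
	return verdict
}

// classify is the disambiguation step: the same alert lands in a different bucket per attestation state.
func classify(ev NetworkEvent, verdict string) Incident {
	inc := Incident{DeviceID: ev.DeviceID, Alert: ev.Alert, Verdict: verdict}
	switch verdict {
	case "healthy":
		inc.Severity, inc.Reason = "medium", "integrity attests clean; investigate as misconfiguration, operator action or an upstream network issue"
	case "sbom-drift":
		inc.Severity, inc.Reason = "high", "running firmware no longer matches the approved SBOM; treat the traffic as coming from unreviewed code"
	case "bad-signature", "unknown-device":
		inc.Severity, inc.Reason = "critical", "traffic comes from an identity the fleet cannot verify; possible substituted or compromised device"
	default:
		inc.Severity, inc.Reason = "high", "no attestation inside the window; the device is offline or its agent has been silenced"
	}
	return inc
}

// FleetIncidents joins alerts to attestation state (first increment) and raises unaccompanied failures (third).
func FleetIncidents(events []NetworkEvent, results []AttestationResult, window time.Duration) []Incident {
	var out []Incident
	covered := map[string]bool{}
	for _, ev := range events {
		out = append(out, classify(ev, latestVerdict(ev, results, window)))
		covered[ev.DeviceID] = true
	}
	for _, r := range results {
		if r.Verdict != "healthy" && !covered[r.DeviceID] {
			out = append(out, classify(NetworkEvent{DeviceID: r.DeviceID, At: r.At, Alert: "none"}, r.Verdict))
			covered[r.DeviceID] = true
		}
	}
	return out
}

var t0 = time.Date(2026, 4, 25, 10, 0, 0, 0, time.UTC) // constructed reference time

// SampleEvents and SampleResults are constructed inputs that exercise each branch of classify.
func SampleEvents() []NetworkEvent {
	return []NetworkEvent{
		{"plc-a", t0.Add(5 * time.Minute), "modbus-write-outside-baseline"},
		{"relay-b", t0.Add(2 * time.Minute), "dnp3-unsolicited-response-burst"},
		{"actuator-c", t0.Add(3 * time.Minute), "ethernet-ip-new-master"},
	}
}

func SampleResults() []AttestationResult {
	return []AttestationResult{
		{"plc-a", t0, "healthy"},
		{"relay-b", t0.Add(-30 * time.Minute), "healthy"},    // too old for a 15-minute window
		{"relay-b", t0.Add(-1 * time.Minute), "sbom-drift"},  // the verdict that counts
		{"ctrl-d", t0.Add(1 * time.Minute), "bad-signature"}, // no network alert at all
	}
}

func main() {
	for _, inc := range FleetIncidents(SampleEvents(), SampleResults(), 15*time.Minute) {
		fmt.Printf("%-10s %-8s %-14s alert=%s: %s\n", inc.DeviceID, inc.Severity, inc.Verdict, inc.Alert, inc.Reason)
	}
}
```

Two details carry the security meaning: a device that has simply not attested inside the window is not treated as clean, since a silenced agent looks exactly like an offline one from the network side, and the standalone pass over the verdicts is what lets firmware drift surface as its own detection even when the device's traffic still looks normal.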

Commercial

Dragos competes against Claroty, Nozomi Networks, Tenable OT Security, and Microsoft Defender for IoT in a market that is rapidly maturing from threat-detection-only into evidence-grade compliance reporting. The vendors that win the next cycle will be those that can produce cryptographic, audit-defensible claims about fleet health rather than narrative-grade observations derived from passive monitoring. Adding a device-integrity attestation layer positions Dragos to lead that transition, and to defend its premium pricing against lower-cost detection-only entrants.

For Dragos's customers — utilities, pipeline operators, water authorities, large manufacturers — the commercial value is a measurable reduction in the cost of compliance evidence generation and in the residual cyber-insurance premium attached to OT estates. Insurers underwriting critical-infrastructure cyber risk are increasingly demanding attestation-grade evidence, and a Dragos deployment that natively emits such evidence is materially more valuable than one that does not.

Licensing Implication

The health-monitoring primitive is offered as a licensable architectural substrate suitable for integration into vendor platforms such as the Dragos Platform, with field-of-use and OEM-distribution terms designed to support cross-vendor fleet composition. Licensing into Dragos secures freedom-to-operate for the integrated product, preserves the primitive's cross-vendor neutrality, and provides Dragos with a defensible attestation layer that competing OT-security platforms cannot trivially replicate. The licensing posture is explicitly non-exclusive at the OEM tier, which preserves the cross-vendor fleet-health claim that is the primitive's central commercial proposition.

Invented by Nick Clark. Founding Investors: Anonymous, Devin Wilkie.