Protecting Operational Technology (OT)

Page 1

© Copyright Fortinet Inc. All rights reserved.

Taipei, 15th November 2018

Protecting Operational Technology (OT)

Stuart Phillips

Global Enablement Engineer

Fortinet Operational Technology

Critical Infrastructure Team

Page 2

What is Operational Technology (OT)?

Manipulation of Physical Things
» Opening a valve, measuring flow, recording temperature etc.

AKA SCADA or Industrial Control Systems (ICS)

Much older than IT
» 1980’s automobile manufacturing

Traditionally Physically Segmented or Air Gapped

Long term deployment – 10-30 years or older

Page 3

Critical Infrastructure Sectors

• Chemical Sector

• Commercial Facilities Sector

• Communications Sector

• Critical Manufacturing Sector

• Dams Sector

• Defense Industrial Base Sector

• Emergency Services Sector

• Energy Sector

• Financial Services Sector

• Food and Agriculture Sector

• Government Facilities Sector

• Healthcare and Public Health Sector

• Information Technology Sector

• Nuclear Reactors, Materials, & Waste Sector

• Transportation Systems Sector

• Water and Wastewater Systems Sector

Page 4

OT and IT: Different Roots, Different Priorities

IT: Manipulate information; Standardization
OT: Manipulate physical things; Specialization

CIA (IT) Triangle
• Confidentiality
• Integrity
• Availability

OT Triangle
• Safety
• Availability
• Confidentiality

Page 5

Main Elements of an OT/ICS Environment

(Diagram) Network layers, from the plant floor upward: Field Network / Plant Floor (Valve, Fan, Pump), Control Network, Process Network, OT DMZ Network, IT Network. Components shown: HMI, ICS Server, Historian.

ICS vendors: Yokogawa, ABB, Siemens, Rockwell, Emerson, Schneider Electric, Mitsubishi, Honeywell, etc.

ICS protocols: Modbus, Profinet, S7, BACnet, DNP3, Elcom, OPC, etc.

Operating systems and transport: Windows, Linux, Windows Servers; TCP/IP

ICS sensor vendors: Nozomi, Claroty, Dragos, SecurityMatters, Indegy, etc.

Firewall to keep out IT

THIS ENVIRONMENT IS CHANGING, WHETHER THE OPERATORS WANT IT TO OR NOT

Page 6

Real Threats To Manufacturing

Taken from Verizon 2017 Data Breach Investigations Report

ICS customers are primary targets for industrial cyber espionage

Attacks are often sponsored by competitors with state connections

Seek to replicate the target products for sale in local markets and in effect steal the entire company IP and Brand

Data stolen includes formulas, purchase orders, the equipment used in production, device settings etc.

Page 7

Critical Manufacturing Insider Threat

Unintentional: Malware coming into the network through traditional means and infecting the more vulnerable outdated systems in OT/ICS networks, particularly older Windows systems.

» “Maersk Shipping Reports $300M Loss Stemming from NotPetya Attack”
https://threatpost.com/maersk-shipping-reports-300m-loss-stemming-from-notpetya-attack/127477/

Intentional: Spear-phishing attacks against employees and supply partners to gain information and access. Often escalated to bribery of a targeted employee.

» “American Superconductor Destroyed For A Tiny Bribe”
https://www.forbes.com/sites/joanlappin/2011/09/21/american-superconductor-destroyed-for-a-tiny-bribe/#3f08fe856958

Page 8

IPS & Application Control for Industrial Systems

Some of the Supported Protocols
BACnet
DNP3
Elcom
EtherCAT
EtherNet/IP
HART
IEC 60870-6 (TASE 2) / ICCP
IEC 60870-5-104
IEC 61850
LONTalk
MMS
Modbus
OPC
Profinet
S7
SafetyNET
Synchrophasor

Supported Applications and Vendors
7 Technologies/Schneider Electric
ABB
Advantech
Broadwin
CitectSCADA
CoDeSys
Cogent
DATAC
Eaton
GE
Iconics
InduSoft
IntelliCom
Measuresoft
Microsys
MOXA
PcVue
Progea
QNX
RealFlex
Rockwell Automation
RSLogix
Siemens
Sunway
TeeChart
VxWorks
WellinTech
Yokogawa

Deep Packet Inspection (DPI) Application Control Context Signatures: Modbus, IEC 60870-6 (ICCP) and IEC 60870-5-104

Context Logging to FortiAnalyzer, FortiSIEM, and Syslog

Page 9

IPS/Application Control for Industrial Systems

244 Granular Application Controls (DNP3 Example)

DNP3 signatures:

DNP3_Assign.Class

DNP3_Cold.Restart

DNP3_Confirm

DNP3_Delay.Measurement

DNP3_Direct.Operate

DNP3_Direct.Operate.Without.Ack

DNP3_Disable.Spontaneous.Messages

DNP3_Enable.Spontaneous.Messages

DNP3_Freeze.And.Clear

DNP3_Freeze.And.Clear.Without.Ack

DNP3_Freeze.With.Time

DNP3_Freeze.With.Time.Without.Ack

DNP3_Immediate.Freeze

DNP3_Immediate.Freeze.Without.Ack

DNP3_Initialize.Application

DNP3_Initialize.Data

DNP3_Operate

DNP3_Read

DNP3_Response

DNP3_Save.Configuration

DNP3_Select

DNP3_Start.Application

DNP3_Stop.Application

DNP3_Unsolicited.Message

DNP3_Warm.Restart

DNP3_Write
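The signature list above maps one to one onto DNP3 application-layer function codes, which is what lets a firewall allow a polling HMI to Read while denying it a Cold.Restart. The following Python is an added example, not Fortinet's code and not from the deck: it parses the function code out of a DNP3 link frame, names it with the signatures above and enforces a per-source allow-list; the frames, link addresses and policy are all constructed here, and CRCs are not validated.

```python
# IEEE 1815 application-layer function codes -> the signature names listed above
DNP3_SIGNATURES = {
    0: "DNP3_Confirm", 1: "DNP3_Read", 2: "DNP3_Write", 3: "DNP3_Select",
    4: "DNP3_Operate", 5: "DNP3_Direct.Operate", 6: "DNP3_Direct.Operate.Without.Ack",
    7: "DNP3_Immediate.Freeze", 8: "DNP3_Immediate.Freeze.Without.Ack",
    9: "DNP3_Freeze.And.Clear", 10: "DNP3_Freeze.And.Clear.Without.Ack",
    11: "DNP3_Freeze.With.Time", 12: "DNP3_Freeze.With.Time.Without.Ack",
    13: "DNP3_Cold.Restart", 14: "DNP3_Warm.Restart", 15: "DNP3_Initialize.Data",
    16: "DNP3_Initialize.Application", 17: "DNP3_Start.Application",
    18: "DNP3_Stop.Application", 19: "DNP3_Save.Configuration",
    20: "DNP3_Enable.Spontaneous.Messages", 21: "DNP3_Disable.Spontaneous.Messages",
    22: "DNP3_Assign.Class", 23: "DNP3_Delay.Measurement",
    129: "DNP3_Response", 130: "DNP3_Unsolicited.Message",
}

# Constructed allow-list keyed by DNP3 link-layer source address: the HMI (1) may
# only poll and operate points; the engineering workstation (2) may also write and
# save configuration. Any other (source, signature) pair is denied.
POLICY = {
    1: {"DNP3_Confirm", "DNP3_Read", "DNP3_Select", "DNP3_Operate"},
    2: {"DNP3_Confirm", "DNP3_Read", "DNP3_Select", "DNP3_Operate",
        "DNP3_Write", "DNP3_Warm.Restart", "DNP3_Save.Configuration"},
}

def parse_dnp3(frame: bytes) -> tuple[int, int, str]:
    """Return (src, dst, signature) for one DNP3 link frame.
    Layout: 0x05 0x64, length, control, dst (LE16), src (LE16), CRC16, then
    user data: transport octet, application-control octet, function code.
    CRCs are not validated here (the constructed frames below zero them)."""
    if len(frame) < 13 or frame[:2] != b"\x05\x64":
        raise ValueError("not a DNP3 link frame")
    if frame[2] < 8:  # length = 5 header octets + user data, CRCs excluded
        raise ValueError("too short to carry an application header")
    dst = int.from_bytes(frame[4:6], "little")
    src = int.from_bytes(frame[6:8], "little")
    func = frame[12]  # octets 10 and 11 are the transport and app-control bytes
    return src, dst, DNP3_SIGNATURES.get(func, f"DNP3_Unknown.Function.{func}")

def decide(frame: bytes) -> tuple[str, str]:
    """Classify one frame and return (signature, 'allow' or 'deny') under POLICY."""
    src, _dst, sig = parse_dnp3(frame)
    return sig, ("allow" if sig in POLICY.get(src, set()) else "deny")

def build_frame(src: int, dst: int, func: int) -> bytes:
    """Constructed minimal request: transport and app control both FIR|FIN, seq 0."""
    user = bytes([0xC0, 0xC0, func])
    header = (b"\x05\x64" + bytes([5 + len(user), 0xC4])
              + dst.to_bytes(2, "little") + src.to_bytes(2, "little"))
    return header + b"\x00\x00" + user + b"\x00\x00"  # CRC placeholders (zeroed)
```

A real deployment keys the policy on the IP source behind the FortiGate rather than the DNP3 link address, which an endpoint can set freely.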

Page 10

FortiGuard Industrial Security

Target Market/Segment
» Securing Critical Infrastructure (Industrial Control and SCADA)
» Need special type of applications – not generally used in an Enterprise environment
» Over 1,400 industrial app signatures

Page 11

Purdue Model

ISA-99, IEC-62443, RMF
Effective Layered Security Model
Aligns to Fortinet Fabric
Logical Level Approach
Focused on Business requirements

Stronger Together! Fortinet Fabric & Purdue Model
Enhances Model by introducing our Fortinet Fabric
» Greater Visibility and Control
» Policy enforcement with multiple security technologies
» Real-time protection that communicates security information to other fabric members
» Threat feed integration within entire solution

(Fortinet Security Fabric diagram: Network, Multi-Cloud, Partner API, Email, Unified Access, IoT-Endpoint, Web Apps, Advanced Threat Protection, Management-Analytics)

Page 12

Critical Manufacturing Plant Floor

(Diagram: Fortinet Operational Technology Fabric Solution; Purdue, ISA-99, IEC-62443)

Level 0 – Physical Plant Floor, Instrumentation Bus Network
Level 1 – Process Control, Local Area Network
Level 2 – Supervisory Control Network, Industrial Control System

Physically Segmented Production Line: FortiGate, FortiLink, FortiSwitch, Private VLANs, Micro Segmentation (Fortinet Secure Unified Access Solution)

Remote Edge Manufacturing Plant: FortiGate Firewall, Internal Segmentation; Wide Area Network (MPLS, SD-WAN, 3G, 4G, APN, VPN, ADSL, Cable); FortiGate Edge Firewall, Enterprise Protection

Devices shown: Operator PC, Serial to IP, PLC or RTU, Engineering WorkStation; Micro Segmentation

Callouts:
Physical Internal Segmentation of Production Lines
Wide Area: SD WAN, 3G 4G Extension, VPN
Authentication: Two Factor, Access Control
FortiGate Firewall: Industrial FortiGuard, Application Control, IPS
Physical Security: Physical Relays, Stack lights, Presence Analytics, FortiCAM
FortiSwitch, FortiAP’s: Micro Segmentation, Layer Two, FortiLink

Page 13

Applying Fortinet’s Reference Architecture to Purdue

(Diagram; Purdue, ISA-99, IEC-62443)

Level 3 – Operational DC, Manufacturing Zone
Level 3.5 – Operational DC DMZ, Management Zone
Level 4 – External, Enterprise LAN, Corporate Environment
Level 5 – Internet DMZ, Enterprise Corporate Environment
Level External – Internet

Segmentation: FortiGate, FortiLink, FortiSwitch, Private VLANs, Micro Segmentation; Wide Area Network (MPLS, SD-WAN, 3G, 4G, APN, VPN, ADSL, Cable); Remote User, Remote Vendor

Zones of Control: Zones and Conduits; Micro Segmentation; Physical and Virtual Segmentation; Engineering Server Zone, Historian Server Zone, Application Server Zone, Engineering WorkStation Zone, Operator WorkStation Zone

Components shown: Domain Controller, FortiClient EMS Server, FortiAuthenticator, FortiManager, FortiAnalyzer, FSSO, FortiSandbox, FortiSIEM, FortiMail, FortiWeb, Email Servers, Web Servers, Enterprise Desktops, Business Servers, FSSO Authentication Services & Domain Controllers, FortiSwitch, FortiGate, FortiGuard Threat Intelligence Service, FortiGuard Global Intelligence

Operational Technology (OT) Authentication Boundary

Page 14

Best Practice - OT Cyber Security Approach

ISA 99 / IEC 62443
» Separation of networks – Air gapped, network based or software based

Visibility
» Examine all traffic for known and unknown threats
» Use even in air gapped networks

Context
» Understand network traffic
» Build understanding of device relationships

Control
» Isolate infected devices/systems
» Remove botnets and other malware
» Prevent new infections

Page 15

Addressing the Insider Threat - Visibility

(Diagram: IT network with FortiGate Secure Gateway, Internet, DMZ Network w/ PI Historians; ICS Network 1 and ICS Network 2, each with Process Network, Control Network and Plant Floor (FortiSwitch, HMI, HMI, RTU, PLC))

Segmentation of different ICS Networks

Granular Segmentation within the ICS Network

Implement ISA-99, IEC-62443

Segment and examine the traffic as much as possible

Use Next Generation Firewalls to define North-South traffic – Create multiple DMZs internally

Enable Microsegmentation on switch ports to limit East-West traffic

Page 16

Addressing the Insider Threat - Context

(Diagram: IT network with FortiGate Secure Gateway, Internet, DMZ Network w/ PI Historians, FortiSandbox and FortiAnalyzer; ICS Network 1 and ICS Network 2, each with Process Network, Control Network and Plant Floor (FortiSwitch, HMI, HMI, RTU, PLC))

Examine all traffic – Even in Air Gapped networks

Use FortiAnalyzer to examine and filter known threats

Use FortiSandbox to detonate unknown threats safely

Use FortiGuard Labs to get constant threat intelligence and artificial intelligence based threat analysis

Page 17

Addressing the Insider Threat - Control

(Diagram: IT network with FortiGate, FortiNAC, Internet, DMZ Network w/ PI Historians, FortiADC – Proxy Server and FortiSIEM; ICS Network 1 and ICS Network 2, each with Process Network, Control Network and Plant Floor (FortiSwitch, HMI, HMI, RTU, PLC))

Identify all devices as much as possible using FortiNAC network access control

Proxy traffic using FortiADC Web Application Firewall for all updates

Limit or block unwanted applications on ICS network – Provide separate Wi-Fi for operators

Use FortiSIEM for all reporting and compliance

Page 18

Demonstration …

Page 19

Page 20

Key SCADA Components

Human-Machine Interface (HMI): the component in charge of displaying process data to a human operator. The operator monitors and controls the process through the HMI.

SCADA Master (TRIDIUM JACE): the component in charge of collecting all data from the different devices and controlling the entire process.

SCADA Slave (TRIDIUM SEDONA): connects to sensors, converts their signals to digital data and sends it to the supervisory system.

SCADA Protocol (Modbus): Modbus is a "Master/Slave" protocol. Some versions of Modbus can also be sent over Ethernet or TCP/IP.

Page 21

Page 23