Nozomi Fortinet Accelerate18
•Download as PPTX, PDF•
1 like•1,121 views
Nozomi Networks extends the Fortinet Cybersecurity Fabric with innovative ICS/OT protocol intelligence and network visualization capabilities.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Nozomi Fortinet Accelerate18
Similar to Nozomi Fortinet Accelerate18 (20)
Recently uploaded
Recently uploaded (20)
Nozomi Fortinet Accelerate18
- 1. © Copyright Fortinet Inc. All rights reserved.© Copyright Fortinet Inc. All rights reserved. Extending Fabric-Ready into ICS Chet Namboodri
- 2. 2 Convergence of IT and Traditional OT What was air gapped and proprietary is now connected and general purpose In the past, they were … Isolated from IT Run on proprietary control protocols Run on specialized hardware Run on proprietary embedded operating systems Connected by copper and twisted pair Now they are … Bridged into corporate networks Riding on common internet protocols Running on general purpose hardware with IT origins Running mainstream IT operating systems Increasingly connected to wireless technologies
- 3. 3 Typical SCADA Components are Vulnerable Domain-specific technologies: Many technologies require specialized knowledge of industrial control systems technology & communications. Enterprise IT security technologies are not ICS-aware Operational Technology deficiencies: PLCs and RTUs are low computational computers built for controlling physical components such as valves, pumps, motors, etc. Lack of authentication Lack of encryption Backdoors Buffer overflow Tailored attacks on physical control components
- 5. 5 ICS Cybersecurity: Making the Headlines A Worm in the Centrifuge- Stuxnet 30 Sept. 2010 An unusually sophisticated cyber-weapon is mysterious but important. A new software “worm” called Stuxnet … A Cyberattack Has Caused Confirmed Physical Damage 30 Sept. 2015 Massive damage by manipulating and disrupting control systems at German steel mill U.S. Finds Proof: Cyberattack on Ukraine Power Grid 3 Feb. 2016 Almost immediately, investigators found indications of a malware called BlackEnergy. Industroyer; A Cyberweapon can disrupt Power Grids 12 June 2017 Hackers allied with the Russian government have devised a cyberweapon that has the potential to be the most disruptive yet against electric systems that Americans depend on for daily life, according to U.S. researchers. The Ukraine’s Power Outage Was a Cyber Attack 18 Jan. 2017 A power blackout in Ukraine's capital Kiev last month was caused by a cyber attack and investigators are trying to trace other potentially infected computers. Hackers halt plant operations in watershed cyberattack 15 Dec. 2017 Schneider confirmed that the incident had occurred and that it had issued a security alert to users of Triconex, which cyber experts said is widely used in the energy industry, including at nuclear facilities, and oil and gas plants. Triton: hackers take out safety systems in 'watershed' attack on energy plant 15 Dec. 2017 Sophisticated malware halts operations at power station in unprecedented attack which experts believe was state-sponsored
- 6. 6 Top Threat Vectors for OT - 2017 SANS Survey What are the top three threat vectors you are most concerned with? Rank the top three, with “First” being the threat of highest concern. 0% 10% 20% 30% 40% Other Industrial espionage Internal threat (intentional) External threats (supply chain or partnerships) Integration of IT into control system networks Malware families spreading indiscriminately Phishing scams Extortion, ransomware or other financially… External threats (hacktivism, nation states) Internal threat (accidental) Devices and “things” (that cannot protect… First Second Third Source: SANs: The 2017 State of Industrial Control System Security: July 2017
- 7. 7 2017 SANS Survey: Security Technologies In Use 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% Anti-malware/Antivirus Access controls Assessment and audit User and application access controls Monitoring and log analysis Vulnerability scanning Security awareness training for staff,… Asset identification and management Control system network security monitoring… Industrial intrusion prevention systems (IPS) Industrial intrusion detection systems (IDS) In Use Planned What security technologies or solutions do you currently have in use? What new technologies or solutions would you most want to add for control system security in the next 18 months? Source: SANs: The 2017 State of Industrial Control System Security: July 2017
- 8. 8 Capabilities Required of an Integrated Solution Rapidly Detect Cybersecurity Vulnerabilities, Threats and Incidents Reduce Troubleshooting and Remediation Efforts Quickly Recognize and Remediate Operational Anomalies Track Industrial Assets and Corresponding Cybersecurity Risks Deploy at Enterprise Scale with Proven Performance Centrally Supervise and Monitor Distributed Networks
- 9. Fabric-Ready ICS Cybersecurity The Fortinet / Nozomi Networks Integrated Solution
- 10. 10 Nozomi Networks’ Solution Architecture
- 11. 11 SIEM SOC Corporate Firewall Remote Access Historian Firewall DNS Local SCADA & HMI Local SCADA & HMI Local SCADA & HMI www Site #1 Site #2 Site #N PLCs RTUs PLCs RTUs PLCs RTUs Comprehensive Security for ICS Level 4 Production Scheduling Level 3 Production Control Level 2 Plant Supervisory Level 1 Direct Control Level 0 Field Level Selected threats detected • Monitoring of remote access connection to networks • Connection to Internetcorporate network DMZ • MITM & Scanning Attacks (Port, Network) • Unauthorized cross level communication • IP conflicts • Weak passwords (FTP / TFPTP / RDP / DCERPC) • Traffic activity summaries Bad configurations (NTP / DNS / DHCP/ etc.) • Network topologies • Used ports of assets • Unencrypted communications (Telnet) • Insecure Internet connections • Anomalous protocol behavior • Online edits to PLC projects • Communication changes • Configuration downloads • New assets in the network • Non-responsive assets • Corrupted OT packets • Firmware downloads • Logic changes • Authentication to PLCs • PLC actions (Start, Stop, Monitor, Run, Reboot, Program, Test) • Fieldbus I/O monitoring
- 12. 12 SCADAguardian with FortiGate Automatically learns ICS behavior and detects suspicious activities Security Policy Enforcement Flexibility to enforce security policies with different degree of granularity Deep understanding of all key SCADA protocols, open and proprietary Active Traffic Control Proactive filtering of malicious and unauthorized network traffic Real-time passive monitoring guarantees no performance impact and permits visibility at different layers of the Control and Process Networks In-line Protection In-line separation between IT and OT environments Turn–key Internal and Perimeter Visibility Fine Tuning, Control and Monitoring of the Firewall Ruleset Proactive SCADA Security Behavioral Analysis Deep SCADA Understanding Non-intrusive Passive Monitoring
- 13. 13 Fortinet / Nozomi Networks Integrated Solution Full Protection, Visibility and Monitoring Thanks to Nozomi Networks and Fortinet The Nozomi Networks solution passively monitors the network, thus not affecting the performance of the control system The appliance is connected to the system via a SPAN or mirror port on a switch Valve Fan Pump
- 14. 14 Responding to Threats in Real Time Monitor A threat is detected by SCADAguardian and an alert is generated Detect User-defined policies are examined and the appropriate corresponding action is triggered Protect FortiGate responds according to the user- configured action (Node Blocking, Link Blocking, or Kill Session) in order to mitigate the issue 2 1 3 Valve Fan Pump 3 1 2
- 15. 15 Three Use Case Scenarios: Blocking Attack Vectors Blocking Reconnaissance Activity Blocking Unauthorized Activity Blocking Advanced Malware or Zero Day Attack New unknown node joins trusted control network (or process network) SCADAguardian detects it and triggers alert to FortiGate FortiGate enforces policy and blocks node from all access Node in trusted networks issues a command to reprogram a PLC SCADAguardian detects anomaly and triggers alert to FortiGate FortiGate enforces policy and blocks communication SCADA Master changes process in subtle way towards a critical state SCADAguardian detects anomaly and triggers alert for FortiGate FortiGate enforces policy and blocks SCADA Master from all access 1 2 3
- 16. 16 Switch HMI Local SCADA PLC PLC PLC RTU RTU RTU Replicated Historian Corporate Firewall Remote Access Control Room Central Management Console (CMC) SIEM Firewall Firewall Historian DNS Jump Box Patching Server Web Firewall Switch HMI Local SCADA Real-time Visibility - IT/OT Convergence
- 17. 17 Switch HMI Local SCADA PLC PLC PLC RTU RTU RTU Replicated Historian Corporate Firewall Remote Access Control Room Central Management Console (CMC) SIEM Firewall Firewall Historian DNS Jump Box Patching Server Web Firewall Switch HMI Local SCADA Real-time Visibility - Support Multi-tenant Deployments Control Room CMC CMC Area 1 Control Room Onshore Area 2 Control Room Onshore CMC
- 18. 18 Nozomi Networks: Fortinet Fabric Ready for ICS Leverages Security Fabric APIs to deliver pre- integrated, end-to-end security offerings Integrated products improve threat awareness & intelligence, broaden & coordinate threat response and policy enforcement Faster time-to-deployment & reduced costs due to pre-validation of solutions NETWORK MULTI-CLOUDPARTNER API EMAILUNIFIED ACCESS IOT-ENDPOINT WEB APPS ADVANCED THREAT PROTECTION MANAGEMENT-ANALYTICS
- 19. Questions?
- 21. 21 Nozomi Networks: Leading ICS Cybersecurity Since Oct 2013 ~$24m invested +200,000 Monitored +200 Global Installations FOUNDED DEVICES CUSTOMERS SERVING VERTICALS
Editor's Notes
- SCRIPT: …”BUT DON’T TAKE OUR WORD FOR IT. LISTEN TO ICS STAKEHOLDERS ACROSS THE GLOBE”