© Copyright Fortinet Inc. All rights reserved.
Extending Fabric-Ready into ICS
Chet Namboodri
Convergence of IT and Traditional OT
What was air gapped and proprietary is now connected and general purpose.
In the past, they were …
• Isolated from IT
• Run on proprietary control protocols
• Run on specialized hardware
• Run on proprietary embedded operating systems
• Connected by copper and twisted pair
Now they are …
• Bridged into corporate networks
• Riding on common internet protocols
• Running on general purpose hardware with IT origins
• Running mainstream IT operating systems
• Increasingly connected to wireless technologies
Typical SCADA Components are Vulnerable
• Domain-specific technologies: many technologies require specialized knowledge of industrial control systems technology and communications. Enterprise IT security technologies are not ICS-aware.
• Operational Technology deficiencies: PLCs and RTUs are computers with limited computational resources, built for controlling physical components such as valves, pumps, motors, etc. Typical weaknesses:
  • Lack of authentication
  • Lack of encryption
  • Backdoors
  • Buffer overflow
  • Tailored attacks on physical control components
Market Realities
ICS Cybersecurity: Making the Headlines
A Worm in the Centrifuge - Stuxnet (30 Sept. 2010): An unusually sophisticated cyber-weapon is mysterious but important. A new software “worm” called Stuxnet …
A Cyberattack Has Caused Confirmed Physical Damage (30 Sept. 2015): Massive damage by manipulating and disrupting control systems at German steel mill.
U.S. Finds Proof: Cyberattack on Ukraine Power Grid (3 Feb. 2016): Almost immediately, investigators found indications of a malware called BlackEnergy.
The Ukraine’s Power Outage Was a Cyber Attack (18 Jan. 2017): A power blackout in Ukraine's capital Kiev last month was caused by a cyber attack and investigators are trying to trace other potentially infected computers.
Industroyer; A Cyberweapon can disrupt Power Grids (12 June 2017): Hackers allied with the Russian government have devised a cyberweapon that has the potential to be the most disruptive yet against electric systems that Americans depend on for daily life, according to U.S. researchers.
Hackers halt plant operations in watershed cyberattack (15 Dec. 2017): Schneider confirmed that the incident had occurred and that it had issued a security alert to users of Triconex, which cyber experts said is widely used in the energy industry, including at nuclear facilities, and oil and gas plants.
Triton: hackers take out safety systems in 'watershed' attack on energy plant (15 Dec. 2017): Sophisticated malware halts operations at power station in unprecedented attack which experts believe was state-sponsored.
Top Threat Vectors for OT - 2017 SANS Survey
Survey question: What are the top three threat vectors you are most concerned with? Rank the top three, with “First” being the threat of highest concern.
[Bar chart, 0% to 40% scale, each bar split into First / Second / Third rankings. Categories charted: Devices and “things” (that cannot protect…; Internal threat (accidental); External threats (hacktivism, nation states); Extortion, ransomware or other financially…; Phishing scams; Malware families spreading indiscriminately; Integration of IT into control system networks; External threats (supply chain or partnerships); Internal threat (intentional); Industrial espionage; Other]
Source: SANS, The 2017 State of Industrial Control System Security, July 2017
2017 SANS Survey: Security Technologies In Use
Survey question: What security technologies or solutions do you currently have in use? What new technologies or solutions would you most want to add for control system security in the next 18 months?
[Bar chart, 0% to 90% scale, each category split into In Use / Planned. Categories charted: Anti-malware/Antivirus; Access controls; Assessment and audit; User and application access controls; Monitoring and log analysis; Vulnerability scanning; Security awareness training for staff,…; Asset identification and management; Control system network security monitoring…; Industrial intrusion prevention systems (IPS); Industrial intrusion detection systems (IDS)]
Source: SANS, The 2017 State of Industrial Control System Security, July 2017
Capabilities Required of an Integrated Solution
• Rapidly detect cybersecurity vulnerabilities, threats and incidents
• Reduce troubleshooting and remediation efforts
• Quickly recognize and remediate operational anomalies
• Track industrial assets and corresponding cybersecurity risks
• Deploy at enterprise scale with proven performance
• Centrally supervise and monitor distributed networks
Fabric-Ready ICS Cybersecurity
The Fortinet / Nozomi Networks Integrated Solution
Nozomi Networks’ Solution Architecture
[Architecture diagram: a corporate network with SIEM, SOC, Corporate Firewall, Remote Access, Historian, Firewall and DNS, connected to the Internet (www) and to Site #1, Site #2 … Site #N. Each site has a Local SCADA & HMI layer over its PLCs and RTUs.]
Comprehensive Security for ICS
Levels covered (Purdue model):
• Level 4: Production Scheduling
• Level 3: Production Control
• Level 2: Plant Supervisory
• Level 1: Direct Control
• Level 0: Field Level
Selected threats detected:
• Monitoring of remote access connections to networks
• Connections to the Internet / corporate network DMZ
• MITM and scanning attacks (port, network)
• Unauthorized cross-level communication
• IP conflicts
• Weak passwords (FTP / TFTP / RDP / DCERPC)
• Traffic activity summaries
• Bad configurations (NTP / DNS / DHCP / etc.)
• Network topologies
• Used ports of assets
• Unencrypted communications (Telnet)
• Insecure Internet connections
• Anomalous protocol behavior
• Online edits to PLC projects
• Communication changes
• Configuration downloads
• New assets in the network
• Non-responsive assets
• Corrupted OT packets
• Firmware downloads
• Logic changes
• Authentication to PLCs
• PLC actions (Start, Stop, Monitor, Run, Reboot, Program, Test)
• Fieldbus I/O monitoring
SCADAguardian with FortiGate
Detection (SCADAguardian):
• Behavioral Analysis: automatically learns ICS behavior and detects suspicious activities
• Deep SCADA Understanding: deep understanding of all key SCADA protocols, open and proprietary
• Non-intrusive Passive Monitoring: real-time passive monitoring guarantees no performance impact and permits visibility at different layers of the Control and Process Networks
Enforcement (FortiGate):
• Security Policy Enforcement: flexibility to enforce security policies with different degrees of granularity
• Active Traffic Control: proactive filtering of malicious and unauthorized network traffic
• In-line Protection: in-line separation between IT and OT environments
Combined outcome: Proactive SCADA Security; Turn-key Internal and Perimeter Visibility; Fine Tuning, Control and Monitoring of the Firewall Ruleset
Fortinet / Nozomi Networks Integrated Solution
Full protection, visibility and monitoring thanks to Nozomi Networks and Fortinet.
• The Nozomi Networks solution passively monitors the network, thus not affecting the performance of the control system.
• The appliance is connected to the system via a SPAN or mirror port on a switch.
[Diagram: control network with field devices Valve, Fan and Pump]
Responding to Threats in Real Time
1. Monitor: a threat is detected by SCADAguardian and an alert is generated.
2. Detect: user-defined policies are examined and the appropriate corresponding action is triggered.
3. Protect: FortiGate responds according to the user-configured action (Node Blocking, Link Blocking, or Kill Session) in order to mitigate the issue.
[Diagram: steps 1 to 3 annotated on the control network with field devices Valve, Fan and Pump]
Three Use Case Scenarios: Blocking Attack Vectors
1. Blocking Reconnaissance Activity
• A new, unknown node joins the trusted control network (or process network)
• SCADAguardian detects it and triggers an alert to FortiGate
• FortiGate enforces policy and blocks the node from all access
2. Blocking Unauthorized Activity
• A node in the trusted network issues a command to reprogram a PLC
• SCADAguardian detects the anomaly and triggers an alert to FortiGate
• FortiGate enforces policy and blocks the communication
3. Blocking Advanced Malware or a Zero-Day Attack
• The SCADA Master changes the process in a subtle way towards a critical state
• SCADAguardian detects the anomaly and triggers an alert to FortiGate
• FortiGate enforces policy and blocks the SCADA Master from all access
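The detect, policy, enforce loop from the "Responding to Threats in Real Time" slide and the first two blocking scenarios above, as an added Python simulation. This is example code written for this page, not Nozomi Networks or Fortinet code: the hosts, Purdue-level map, flows, alert kinds and policy table are all constructed, and the Monitor and Firewall classes are stand-ins for SCADAguardian and FortiGate rather than their real APIs. It also covers the "unauthorized cross-level communication" item from the threat list, which the slides name but do not walk through.

```python
"""Constructed simulation of the detect -> policy -> enforce loop described on the slides.
Hosts, levels, flows and policy are made up for the example; this is not vendor code."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Set, Tuple


class Action(Enum):
    """The three FortiGate responses named on the slide, plus a monitor-only fallback."""
    NODE_BLOCK = "Node Blocking"      # isolate the host from everything
    LINK_BLOCK = "Link Blocking"      # drop only this src -> dst pair
    KILL_SESSION = "Kill Session"     # tear down the one offending session, no standing rule
    ALERT_ONLY = "Alert Only"         # log only; useful while a new site is still being baselined


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    func: str   # constructed label for what the protocol message does: read, write, program


@dataclass(frozen=True)
class Alert:
    kind: str       # new_asset | unauthorized_program | cross_level
    src: str
    dst: str
    subject: str    # the host an enforcement action should apply to


# Constructed Purdue-level map for the example site (historian L3, HMI/EWS L2, PLCs L1).
LEVEL = {"10.0.0.5": 3, "10.0.1.10": 2, "10.0.1.11": 2, "10.0.2.20": 1, "10.0.2.21": 1}


class Monitor:
    """Stand-in for the passive sensor: learns a baseline, then reports deviations from it."""

    def __init__(self) -> None:
        self.known_hosts: Set[str] = set()
        self.baseline: Set[Tuple[str, str, str]] = set()

    def learn(self, flows: List[Flow]) -> None:
        for f in flows:
            self.known_hosts.update((f.src, f.dst))
            self.baseline.add((f.src, f.dst, f.func))

    def inspect(self, f: Flow) -> List[Alert]:
        alerts: List[Alert] = []
        # Use case 1: a node the baseline has never seen shows up on the control network.
        unknown = next((h for h in (f.src, f.dst) if h not in self.known_hosts), None)
        if unknown is not None:
            alerts.append(Alert("new_asset", f.src, f.dst, unknown))
        # Use case 2: a known node issues a program command it never issued during learning.
        if f.func == "program" and (f.src, f.dst, f.func) not in self.baseline:
            alerts.append(Alert("unauthorized_program", f.src, f.dst, f.src))
        # Cross-level communication: endpoints more than one Purdue level apart.
        ls, ld = LEVEL.get(f.src), LEVEL.get(f.dst)
        if ls is not None and ld is not None and abs(ls - ld) > 1:
            alerts.append(Alert("cross_level", f.src, f.dst, f.src))
        return alerts


class Firewall:
    """Stand-in for the enforcement point: maps alert kinds to the user-configured action."""

    def __init__(self, policy: Dict[str, Action]) -> None:
        self.policy = policy
        self.blocked_nodes: Set[str] = set()
        self.blocked_links: Set[Tuple[str, str]] = set()
        self.killed: List[Tuple[str, str]] = []
        self.log: List[Tuple[str, str, str]] = []

    def enforce(self, a: Alert) -> Action:
        action = self.policy.get(a.kind, Action.ALERT_ONLY)
        if action is Action.NODE_BLOCK:
            self.blocked_nodes.add(a.subject)
        elif action is Action.LINK_BLOCK:
            self.blocked_links.add((a.src, a.dst))
        elif action is Action.KILL_SESSION:
            self.killed.append((a.src, a.dst))
        self.log.append((a.kind, a.subject, action.value))
        return action

    def permits(self, f: Flow) -> bool:
        return (f.src not in self.blocked_nodes and f.dst not in self.blocked_nodes
                and (f.src, f.dst) not in self.blocked_links)


def run_pipeline(baseline: List[Flow], live: List[Flow], policy: Dict[str, Action]):
    """Replay live traffic through the loop; returns the firewall state and a verdict per flow."""
    mon, fw = Monitor(), Firewall(policy)
    mon.learn(baseline)
    verdicts: List[str] = []
    for f in live:
        if not fw.permits(f):
            verdicts.append("dropped")
            continue
        # A SPAN-fed sensor sees a copy of traffic the switch has already forwarded, so the
        # triggering flow itself is delivered; enforcement protects against what follows it.
        for a in mon.inspect(f):
            fw.enforce(a)
        verdicts.append("allowed")
    return fw, verdicts


# Constructed sample: a learned baseline and six live flows covering each case plus normal traffic.
BASELINE = [Flow("10.0.1.10", "10.0.2.20", "read"), Flow("10.0.1.10", "10.0.2.21", "read"),
            Flow("10.0.1.10", "10.0.2.20", "write"), Flow("10.0.1.11", "10.0.2.20", "program"),
            Flow("10.0.0.5", "10.0.1.10", "read")]
LIVE = [Flow("10.0.1.10", "10.0.2.20", "read"),      # normal HMI poll
        Flow("10.0.9.99", "10.0.2.20", "read"),      # unknown node appears -> Node Blocking
        Flow("10.0.9.99", "10.0.2.21", "read"),      # its next flow is dropped
        Flow("10.0.1.10", "10.0.2.21", "program"),   # HMI programs a PLC it never programmed -> Link Blocking
        Flow("10.0.1.10", "10.0.2.21", "read"),      # that src -> dst pair is now dropped
        Flow("10.0.0.5", "10.0.2.20", "read")]       # historian (L3) reaching a PLC (L1) -> Kill Session
POLICY = {"new_asset": Action.NODE_BLOCK, "unauthorized_program": Action.LINK_BLOCK,
          "cross_level": Action.KILL_SESSION}

if __name__ == "__main__":
    fw, verdicts = run_pipeline(BASELINE, LIVE, POLICY)
    for flow, v in zip(LIVE, verdicts):
        print(f"{flow.src} -> {flow.dst} [{flow.func}]: {v}")
    for entry in fw.log:
        print("alert", *entry)
```

Two design points worth noting. Because the sensor is fed from a SPAN or mirror port, the flow that raises the alert has already crossed the switch; the value of the integration is in stopping the follow-on traffic, which is why the simulation marks the triggering flow as allowed and only later flows as dropped. Kill Session, unlike the two blocking actions, leaves no standing rule, so a policy that maps a recurring condition to Kill Session will keep firing; Link or Node Blocking is the right choice where the condition is expected to persist.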
Real-time Visibility - IT/OT Convergence
[Diagram: Control Room with Central Management Console (CMC), SIEM, Firewall, Historian, DNS, Jump Box, Patching Server, Web and Corporate Firewall with Remote Access; a Replicated Historian behind a Firewall; and plant networks where a Firewall and Switch connect the HMI and Local SCADA to the PLCs and RTUs.]
Real-time Visibility - Support Multi-tenant Deployments
[Diagram: the same IT/OT topology (Control Room with CMC, SIEM, Firewall, Historian, DNS, Jump Box, Patching Server, Web, Corporate Firewall, Remote Access, Replicated Historian; plant Firewall and Switch to HMI, Local SCADA, PLCs and RTUs), with a central CMC in the Control Room and separate CMCs for Area 1 Control Room (Onshore) and Area 2 Control Room (Onshore).]
Nozomi Networks: Fortinet Fabric Ready for ICS
• Leverages Security Fabric APIs to deliver pre-integrated, end-to-end security offerings
• Integrated products improve threat awareness and intelligence, and broaden and coordinate threat response and policy enforcement
• Faster time-to-deployment and reduced costs due to pre-validation of solutions
[Security Fabric diagram: Network, Multi-Cloud, Partner API, Email, Unified Access, IoT-Endpoint, Web Apps, Advanced Threat Protection, Management-Analytics]
Questions?
Nozomi Networks: Leading ICS Cybersecurity
• Founded: since Oct 2013, ~$24m invested
• Devices: +200,000 monitored
• Customers: +200 global installations
• Serving verticals

Nozomi Fortinet Accelerate18


Editor's Notes

  • #7 SCRIPT: …“BUT DON’T TAKE OUR WORD FOR IT. LISTEN TO ICS STAKEHOLDERS ACROSS THE GLOBE”