Fortinet OT Security Platform Innovations Address Critical OT Challenges

Recently, Fortinet announced exciting enhancements to our OT Security Platform to support the unique needs of operational technology (OT) environments. Thanks to our unified operating system, FortiOS, the OT products and services that comprise the OT Security Platform combine to reduce organizational risk. With the Fortinet OT Security Platform, enterprises across any sector, including critical infrastructure, can securely connect, catalog, and manage thousands of remote sites and adhere to increasing regulatory compliance requirements, such as ENISA NIS2 and NERC CIP.
Importance of Securing OT Environments
As bad actors increasingly target critical infrastructure, governments worldwide are strengthening cybersecurity regulations for OT and industrial control systems (ICS). These changes include stricter security directives, incident reporting requirements, and a focus on building resilience against cyber incidents.
Because of a breach’s political and societal ramifications, OT networks are an extremely valuable target for well-funded and often state-sponsored threat actors. Although some notable OT disruptions have occurred because of attacks on linked IT systems, such as ERP, MES, or billing, other OT breaches were caused by custom malware designed to exploit OT networks. The OT Security Platform includes OT-specific capabilities and controls to protect against the latest, highly targeted attacks. Organizations with OT infrastructure must build a comprehensive OT security strategy to meet these requirements, and the recent updates to the Fortinet OT Security Platform can help.
Enhanced OT Visibility
The Fortinet OT Security Platform provides enhanced visibility into OT infrastructures. Asset and network visibility is a basic challenge for any organization with an OT environment. As OT infrastructure transforms and connects to more external networks, such as enterprise IT, the internet, and the cloud, visibility into OT networks is often extremely limited or nonexistent. The unique assets typically found in OT networks operate on unique protocols. Traditional IT visibility solutions can’t see the assets, their vulnerabilities, or the traffic traversing the OT network, which makes OT security challenging to plan or implement.
Gaining visibility into OT assets and networks is a common first step in securing OT. However, it is not the end of that journey. The Fortinet OT Security Platform reveals OT-specific assets, network communication, and vulnerabilities and includes enforcement mechanisms for organizations to respond to threats.
Fortinet has enhanced its FortiGuard OT Security Service to deepen visibility and asset discovery capabilities. OT asset owners can now add known exploited vulnerability (KEV) information to Internet-of-Things and OT vulnerabilities in the user and device store. They can also display KEV counts and warnings on the GUI Asset Identity Center page and see OT protocol bandwidth traffic and inbound connections. These enhancements to the OT Security Service can help OT security teams better understand the assets, traffic, and users on their OT networks.
Beyond Visibility: Segmentation, Virtual Patching, and Secure Connectivity
After asset and network visibility are in place and the teams tasked with OT security can see OT-specific assets, communication, and vulnerabilities, the next step is to protect those assets and networks from cyberthreats. Some OT asset and network visibility solutions provide visibility into OT assets and networks but need security solutions to enable protection. That protection may be performed by a FortiGate Next-Generation Firewall (NGFW) to make the visibility information actionable. The NGFW is used to block malicious network traffic. In these cases, partnerships and external integrations with visibility solutions are key for enforcement. Because of Fortinet’s cybersecurity solution domain expertise, OT enforcement and integrations with visibility vendors are natively supported within the OT Security Platform.
Segmentation
After revealing OT-specific systems, KEVs, OT protocol traffic, and applications, the Fortinet OT Security Platform gives asset owners rich controls to implement security protections that reduce risk and help prevent cyberthreats. These protections include segmenting their OT networks to the individual switch port level. When connected to a FortiGate NGFW, a FortiSwitch essentially becomes a secure switch, with firewall protections and security policies implemented at each port and deep visibility provided for each asset, traffic, user, and activity enabled through the switch. This marriage between firewall and switch, called FortiLink, provides secure Layer 2 capability.
Virtual Patching
Compensating controls like virtual patching are a critical next step for OT security. Often, legacy systems can’t be patched because of their continuous operation of critical processes. However, they can be shielded from vulnerabilities using targeted IPS signatures to protect them from exploits. With the OT Security Platform, you can perform this virtual patching in the same management platform.
Secure Connectivity
Many remote sites with OT networks operate in areas where wired connectivity is limited or nonexistent. In these situations, 5G can be used as a wireless WAN link. Fortinet is releasing two new FortiExtender 5G models to meet this need: FortiExtender Rugged 511G and FortiExtender Vehicle 511G. These devices use eSIM technology, so asset owners can effortlessly subscribe to and switch carrier plans as needed. FortiExtender also includes Wi-Fi 6 to offer a unified wireless WAN and wireless LAN experience in a single device. FortiExtender devices include a new 2.5G port to support mGig WAN connections. FortiExtender Rugged 511G is IP67-rated to operate in outdoor deployments, while FortiExtender Vehicle 511G is IP64-rated and operates down to 7V DC to support mobile deployments. These new products also support CBRS Band N48 for private 5G client deployments, such as automated guided vehicles and robotics.
Other Ruggedized Product Updates
Fortinet has also updated its FortiGate Rugged NGFW product family with two new models to further serve the needs of segmentation in OT networks and critical infrastructure. The FortiGate Rugged 70G and FortiGate Rugged 50G-5G provide advanced security and networking performance thanks to proprietary security and networking ASICs. These devices also have an advanced digital I/O (DIO) port. This feature allows the firewall to automate and secure digital and physical processes on site. We’ve also updated the FortiSwitch Rugged 100 series to include two new models: the FortiSwitch Rugged 112F-POE and the FortiSwitch Rugged 108F. These FortiSwitch Rugged models come in a small form factor and are DIN-rail mountable to fit most deployment scenarios. These products are designed to withstand extreme temperatures, vibration, and humidity, so your Fortinet solutions will keep working no matter how harsh your remote site may be.
Additional Capabilities to Reduce Risk
Although segmentation and compensating controls effectively protect OT networks, these protections alone don’t provide complete OT security. Additional capabilities can help organizations reduce risk, prevent cyberthreats, and better adhere to regulatory compliance.
For instance, MITRE ATT&CK Tactics for Industrial Control Systems lists remote access and remote services as top attack vectors for initial access. Understandably, many organizations and critical infrastructure increasingly rely on remote access to their OT networks for third-party consulting and compliance auditing. The OT Security Platform includes agentless secure remote access capabilities such as access controls, secrets and password management, secure file sharing, and over-the-shoulder monitoring and recording, including mouse clicks and keystrokes. These capabilities are offered through our FortiSRA solution, a key component of the OT Security Platform.
Network Detection and Response
In the event of a cyber incident, timing is critical. In some cases, an intruder can enter an OT network and remain undetected for days, months, or even years before their presence is revealed. With our comprehensive OT Security Platform, you can bring OT networks into the security operations center (SOC) and develop incident response plans for immediate action.
Network detection and response in FortiNDR and deception in FortiDeceptor, along with rich analytics from FortiAnalyzer, can simplify the detection and remediation of threats. These solutions can reduce the mean time to detection from many days to a few minutes. These capabilities confuse would-be hackers and automate the ability to expel them from the network when detecting an anomaly. Rich analytics make SOC teams more effective and offer customizable reports for technical and nontechnical stakeholders.
A True Platform for OT Security
An electrical grid, a pharmaceutical manufacturer, a power plant, or even a major dam requires connected technologies to operate safely and continuously. OT security is critically important for the operational and financial well-being of the affected organization and the society impacted by the disruption of essential services.
Although visibility and detection in OT networks are important foundational steps in security maturity, they are not the endgame. The comprehensive Fortinet OT Security Platform can effectively reduce risk and stop cyber incidents. Fortinet has meticulously built the OT Security Platform for over 20 years, advancing key capabilities relevant to customers today. This solution can detect the devices, traffic, and vulnerabilities in OT networks and segment those networks, implementing compensating controls for those critical systems. In addition, the OT Security Platform provides agentless secure remote access so organizations can leverage third-party remote access safely while reducing the time to detect intrusions through advanced SecOps capabilities.
This article originally appeared on the Fortinet blog on March 11, 2025. Reprinted with permission.