Extending Fabric-Ready into ICS

Chet Namboodri

© Copyright Fortinet Inc. All rights reserved.

Convergence of IT and Traditional OT
What was air gapped and proprietary is now connected and general purpose

In the past, they were … Now they are …

 Isolated from IT  Bridged into corporate networks

 Run on proprietary control  Riding on common internet

protocols protocols

 Run on specialized hardware  Running on general purpose

hardware with IT origins
 Run on proprietary embedded
operating systems  Running mainstream IT operating
systems
 Connected by copper and twisted
pair  Increasingly connected to wireless
technologies

2
Typical SCADA Components are Vulnerable

 Domain-specific technologies: Many technologies require specialized knowledge of industrial control

systems technology & communications. Enterprise IT security technologies are not ICS-aware

 Operational Technology deficiencies: PLCs and RTUs are low computational computers built for
controlling physical components such as valves, pumps, motors, etc.

 Lack of authentication  Buffer overflow

 Lack of encryption  Tailored attacks on physical
 Backdoors control components

3
Market Realities
ICS Cybersecurity: Making the Headlines
A Worm in the Centrifuge- Stuxnet
30 Sept. 2010
An unusually sophisticated cyber-weapon is
mysterious but important. A new software
“worm” called Stuxnet …
The Ukraine’s Power Outage Was a Cyber Attack
18 Jan. 2017
A power blackout in Ukraine's capital Kiev last month was
caused by a cyber attack and investigators are trying to
trace other potentially infected computers.

A Cyberattack Has Caused Confirmed Industroyer; A Cyberweapon can disrupt Power Grids
Physical Damage 12 June 2017
30 Sept. 2015 Hackers allied with the Russian government have devised a
Massive damage by manipulating and cyberweapon that has the potential to be the most disruptive
disrupting control systems at German steel mill yet against electric systems that Americans depend on for
daily life, according to U.S. researchers.

U.S. Finds Proof: Cyberattack on Ukraine
Power Grid
3 Feb. 2016
Almost immediately, investigators found
indications of a malware called BlackEnergy.
Hackers halt plant operations in watershed cyberattack
15 Dec. 2017
Schneider confirmed that the incident had occurred and that
it had issued a security alert to users of Triconex, which
cyber experts said is widely used in the energy industry,
including at nuclear facilities, and oil and gas plants.

Triton: hackers take out safety systems in

'watershed' attack on energy plant
15 Dec. 2017
Sophisticated malware halts operations at
power station in unprecedented attack which
experts believe was state-sponsored 5
Top Threat Vectors for OT - 2017 SANS Survey

What are the top three threat vectors you are most concerned with? Rank the top three, with
“First” being the threat of highest concern.

Devices and “things” (that cannot protect…

Internal threat (accidental)
External threats (hacktivism, nation states)
Extortion, ransomware or other financially…
Phishing scams
Malware families spreading indiscriminately
Integration of IT into control system networks
External threats (supply chain or partnerships)
Internal threat (intentional)
Industrial espionage
Other
First Second Third
0% 10% 20% 30% 40%

Source: SANs: The 2017 State of Industrial Control System Security: July 2017

6
2017 SANS Survey: Security Technologies In Use

What security technologies or solutions do you currently have in use? What new technologies
or solutions would you most want to add for control system security in the next 18 months?

Industrial intrusion detection systems (IDS)

Industrial intrusion prevention systems (IPS)
Control system network security monitoring…
Asset identification and management
Security awareness training for staff,…
Vulnerability scanning
Monitoring and log analysis
User and application access controls
Assessment and audit
Access controls
Anti-malware/Antivirus
In Use Planned 0% 10% 20% 30% 40% 50% 60% 70% 80% 90%

Source: SANs: The 2017 State of Industrial Control System Security: July 2017

7
Capabilities Required of an Integrated Solution

Reduce Rapidly Detect Cybersecurity Quickly Recognize and

Troubleshooting and Vulnerabilities, Threats Remediate Operational
Remediation Efforts and Incidents Anomalies

Track Industrial Assets Deploy at Enterprise Centrally Supervise and

and Corresponding Scale with Proven Monitor Distributed
Cybersecurity Risks Performance Networks

8
Fabric-Ready ICS Cybersecurity
The Fortinet / Nozomi Networks Integrated Solution
Nozomi Networks’ Solution Architecture

10
Comprehensive Security for ICS
Selected threats SIEM SOC Corporate
Firewall
detected
Level 4
• Monitoring of remote access connection to networks www
• ConnectionProduction
to Internet\corporate network DMZ
• Scheduling
MITM & Scanning Attacks (Port, Network)
Remote
• Unauthorized cross level communication
Access
• IP conflicts

• Weak passwords (FTP / • Network topologies

Level 3
TFPTP / RDP / DCERPC) • Used ports of assets Historian Firewall DNS
• Traffic activity summaries • Unencrypted
Production
Bad configurations (NTP / communications (Telnet)
DNS / DHCP/ etc.) Control • Insecure Internet
connections

Local SCADA Local SCADA Local SCADA

& HMI & HMI & HMI
• Anomalous protocol behavior
• Online edits to PLC projects
• CommunicationLevel
changes 2
• Configuration downloads
• Plant
New assets in the network
• Supervisory
Non-responsive assets
• Corrupted OT packets
• Firmware downloads
• Logic changes

• Authentication to PLCs
Level 1
• PLC actions (Start, Stop, Monitor, Run, Reboot,
Direct PLCs RTUs PLCs RTUs PLCs RTUs
Program, Test) Control

Level 0
• Fieldbus I/O monitoring
Field Level
Site #1 Site #2 Site #N

11
SCADAguardian with FortiGate

Real-time passive monitoring guarantees

no performance impact and permits Non-intrusive In-line In-line separation between IT
visibility at different layers of the Control Passive Protection and OT environments
and Process Networks Monitoring

Deep understanding of all

Deep SCADA Active Traffic Proactive filtering of malicious and
key SCADA protocols, open
Understanding Control unauthorized network traffic
and proprietary

Automatically learns ICS Behavioral Security Policy Flexibility to enforce security policies
behavior and detects
Analysis Enforcement with different degree of granularity
suspicious activities

Turn–key Internal and Fine Tuning, Control and Proactive SCADA

Perimeter Visibility Monitoring of the Firewall Ruleset Security

12
Fortinet / Nozomi Networks Integrated Solution

Full Protection, Visibility and

Monitoring Thanks to Nozomi
Networks and Fortinet

The Nozomi Networks solution

passively monitors the network,
thus not affecting the performance
of the control system

Valve The appliance is connected to the

Fan system via a SPAN or mirror port
Pump on a switch

13
Responding to Threats in Real Time
Monitor
1 A threat is detected by SCADAguardian
and an alert is generated

2
2 Detect
User-defined policies are examined
and the appropriate corresponding
action is triggered
Valve

Fan 3 Protect
Pump
FortiGate responds according to the user-
1
configured action (Node Blocking, Link
Blocking, or Kill Session) in order to
mitigate the issue

14
Three Use Case Scenarios: Blocking Attack Vectors

1 2 3
Blocking Reconnaissance Blocking Advanced Malware or
Blocking Unauthorized Activity Zero Day Attack
Activity

 New unknown node joins trusted
control network (or process
network)
 SCADAguardian detects it and
triggers alert to FortiGate
 FortiGate enforces policy and
blocks node from all access
 Node in trusted networks issues
a command to reprogram a PLC
 SCADAguardian detects anomaly
and triggers alert to FortiGate
 FortiGate enforces policy and
blocks communication
 SCADA Master changes process
in subtle way towards a critical
state
 SCADAguardian detects anomaly
and triggers alert for FortiGate
 FortiGate enforces policy and
blocks SCADA Master from all
access

15
Real-time Visibility - IT/OT Convergence
HMI
Local
SCADA

HMI
Firewall Local
Switch SCADA Central
Management
Firewall Console (CMC)

Firewall Switch
RTU

RTU
Historian
RTU

PLC SIEM
DNS Web

PLC
Patching
PLC Server

Jump Control Room

Box Corporate
Firewall

Replicated Remote
Historian Access

16
Real-time Visibility - Support Multi-tenant Deployments
HMI
Local
SCADA

HMI
Firewall Local
Switch SCADA Central
Management
Firewall Console (CMC)

CMC
Firewall Switch
RTU

RTU
Area 2
Historian
RTU Control Room
Onshore
PLC SIEM
DNS Web

PLC CMC
Patching
PLC Server
Control Room
Jump Control Room
Box Corporate
Firewall
Area 1
Control Room
CMC Replicated Remote
Historian AccessOnshore

17
Nozomi Networks: Fortinet Fabric Ready for ICS
MANAGEMENT-ANALYTICS

PARTNER API MULTI-CLOUD

 Leverages Security Fabric APIs to deliver pre-

IOT-ENDPOINT WEB APPS
integrated, end-to-end security offerings

 Integrated products improve threat awareness NETWORK

& intelligence, broaden & coordinate threat

response and policy enforcement
UNIFIED ACCESS EMAIL

 Faster time-to-deployment & reduced costs

due to pre-validation of solutions
ADVANCED THREAT PROTECTION

18
Questions?
Nozomi Networks: Leading ICS Cybersecurity
FOUNDED Since Oct 2013 ~$24m invested

CUSTOMERS +200 Global Installations

DEVICES +200,000 Monitored

SERVING VERTICALS

21