SB Securing Industrial Control Systems With Fortinet
SOLUTION GUIDE: SECURING INDUSTRIAL CONTROL SYSTEMS WITH FORTINET
IEC-62443 Compliant End-to-End Security
EXECUTIVE SUMMARY
In recent years, the Industrial Control Systems (ICS) upon which much of our critical infrastructure and manufacturing industry depend
have come under increasingly frequent and sophisticated cyber-attacks.
In part, this is a consequence of the inevitable convergence of Operational Technology (OT) with Information Technology (IT). As in all
spheres of computing, the advantages of increased network connectivity through open standards such as Ethernet and TCP/IP, as well
as the cost savings derived from replacing dedicated proprietary equipment with off-the-shelf hardware and software, come at the cost
of increased vulnerability.
However, while the impact of a security breach on most IT systems is limited to financial loss, attacks on ICS have the added potential
to destroy equipment, threaten national security, and even endanger human life.
With this critical distinction also comes a troubling difference in the profiles and motivations of potential attackers. While the lion’s share
of modern cybercrime is motivated by financial reward, ICS have recently become attractive targets for terrorism and cyber-warfare.
As a consequence, the financial and human resources available to their perpetrators can be an order of magnitude greater than those of
conventional cybercriminals. This is especially true of highly targeted state-sponsored attacks, of which STUXNET (first appearing back
in 2010) is considered one of the most sophisticated examples so far.
The purpose of this solution guide is to show how, in spite of these and many other challenges, Fortinet’s Solutions can help to ensure
the safety and reliability of ICS, and in particular those employing Supervisory Control and Data Acquisition (SCADA).
POTENTIAL VULNERABILITIES
Due to their unique history and conception, separate from the evolving world of IT, ICS present a number of unique challenges:
- Inherent lack of security: Much of the technology underpinning ICS, while extremely robust and reliable, was never designed to be accessible from remote networks, and so security relied instead upon restricted physical access and the relative obscurity of its components (e.g., RTUs, PLCs, etc.) and their (mostly serial) communications protocols (e.g., Modbus, RP-570, PROFIBUS, Conitel, etc.).
- The “air-gap” fallacy: The superficially seductive idea of creating an “air-gap” between the ICS and all other networks is no longer realistic for the vast majority of real-life applications. As more and more of today’s ICS components rely on software updates and periodic patching, it is now virtually impossible to avoid at least occasional data transfer into the ICS. Even in the absence of permanent network connections (or those employing only unidirectional devices such as optical data diodes), “air-gapped” networks are still vulnerable to the connection of infected PCs or storage devices such as USB drives (one of the infection vectors of STUXNET).
- Expanding attack surface: As proprietary, dedicated solutions are replaced with off-the-shelf hardware and software employing open standards such as Ethernet, TCP/IP, and Wi-Fi, the number of potential vulnerabilities increases exponentially. The recent proliferation of mobile devices, together with trends such as BYOD, only exacerbates the problem further.
- Continued use of outdated hardware and software operating systems (sometimes pre-dating even the very notion of cybersecurity), which may be incompatible with standard modern defenses such as antivirus software.
- Infrequent updates and patching due to the complexity, cost, and potential service disruption entailed. It is not always practical, for example, to interrupt a plant’s operations whenever one of its operational servers needs patching.
- Large numbers of simple, unsecured telemetry devices such as sensors and pressure gauges, whose data, if manipulated, could nevertheless carry huge consequences for the safety and reliability of the overall system.
- Use of embedded software written with scant adherence to the security techniques and best practices of modern coding.
- Insufficient regulation of component manufacture and supply chain, introducing the possibility of equipment compromise even prior to installation.
- Limited access control / permission management: As previously isolated or closed systems have been interconnected, the controls imposed on exactly who can access what have not always kept pace with IT security best practices.
- Poor network segmentation: The standard security practice of partitioning networks into functional segments which, while still interconnected, nevertheless limit the data and applications that can overlap from one segment to another, is still underutilized within ICS as a whole.
- Lack of security expertise among the engineers who have traditionally designed and maintained the systems.
One way this is occurring is through the help of government bodies such as the Industrial Control Systems Cyber Emergency
Response Team (ICS-CERT) in the US and the Centre for Protection of National Infrastructure (CPNI) in the UK, both of which publish
advice and guidance on security best practices for ICS.
Another way is through the definition of common standards such as ISA/IEC-62443 (formerly ISA-99). Created by the International
Society for Automation (ISA) as ISA-99 and later renumbered 62443 to align with the corresponding International Electrotechnical
Commission (IEC) standards, these documents outline a comprehensive framework for the design, planning, integration, and
management of secure ICS.
Although still a work in progress, the standard provides practical guidance, such as the model of “zones, conduits, boundaries, and
security levels,” and addresses the most pressing deficiencies of ICS network security.
Implementation of the zones and conduits model, which is recommended by both ICS-CERT and CPNI, greatly reduces the risk of
intrusion, as well as the potential impact should such a breach occur.
The basic strategy outlined in the standard is to segment the network into a number of functional “zones” (which may also include
sub-zones), and then to clearly define the “conduits” as all essential data and applications allowed to cross from one zone to another.
Each zone is then assigned a security level from 0 to 5, with 0 representing the highest level of security and 5 the lowest. Strict access
controls can then be imposed limiting access to each zone and conduit based on the authenticated identity of the user or device.
This is a strategy that maps extremely well to the range of capabilities delivered by Fortinet’s Firewall Solution, and in particular the
Internal Segmentation Firewall (ISFW).
This will typically look something like the network represented in Figure 1.
[Figure 1: Segmented ICS network. Level 5: Internet DMZ (Web Servers, Email Servers, FortiMail, FortiWeb); FortiGate Firewall; Level 4: Enterprise LAN (Authentication Servers, Enterprise Desktops, Business Servers); FortiGate Firewall; Level 3: Operations DMZ (Domain Controller, Web Servers & 3rd Party Applications, Historian, AV Server, FortiWeb); Level 2: Supervisory HMI LAN; FortiGate Rugged Firewall; Level 1: Controller LAN; Level 0: Instrumentation bus network. Management: FortiAuthenticator, FortiManager.]
In the Internal Segmentation Firewall (ISFW) deployment mode, which combines functional and physical segmentation, the
FortiGate combines high-performance, next-generation firewall functionality and robust two-factor authentication with antivirus,
intrusion prevention, URL filtering, and application control. With a wide selection of high-speed LAN interfaces and the hardware
acceleration derived from its custom ASIC design, the FortiGate has been proven to deliver inter-zone performance in excess of
100 Gbps. Using the granular security policies available with FortiGate’s ISFW deployment mode, ICS zones and conduits can be
enforced based on criteria such as user identity, application, location, and device type. In this way, the FortiGate can effectively lock
down each zone, ensuring that only legitimate, prescribed traffic originating from authorized endpoints can pass from one zone to
another. The embedded security of these highly flexible and scalable products comes from a combination of their operating system,
FortiOS, the FortiAuthenticator and FortiToken authentication solutions, and the automated, 24/7, self-learning, continuous threat
response resources of FortiGuard. However, for a thorough analysis of ICS networks, their processes, and protocols, a more proactive
approach is required.
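The zones-and-conduits model described above (functional zones, explicit conduits, and enforcement on the authenticated identity and application) can be expressed as a default-deny policy table. The following is an added illustration, not Fortinet's code or FortiOS policy syntax; the zone names follow Figure 1 and the conduit entries, device and user names are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass

# Zone -> level, following the guide's Figure 1 (5 = Internet DMZ, 0 = instrumentation bus).
ZONES = {"internet_dmz": 5, "enterprise_lan": 4, "operations_dmz": 3,
         "supervisory_hmi": 2, "controller_lan": 1, "instrumentation": 0}

@dataclass(frozen=True)
class Conduit:
    """Essential traffic allowed to be initiated from src zone into dst zone, bound to
    an application and to the authenticated users/devices permitted to use it."""
    src: str
    dst: str
    applications: frozenset
    identities: frozenset

@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    application: str
    identity: str  # authenticated user or device; "" means unauthenticated

# Constructed conduit table (hypothetical names). Anything not listed is denied.
# Conduits are directional: a stateful firewall admits the replies on its own.
CONDUITS = (
    Conduit("supervisory_hmi", "controller_lan", frozenset({"modbus"}), frozenset({"hmi-01", "hmi-02"})),
    Conduit("controller_lan", "operations_dmz", frozenset({"historian"}), frozenset({"plc-01"})),
    Conduit("enterprise_lan", "operations_dmz", frozenset({"https"}), frozenset({"ops-web-users"})),
)

def evaluate(flow: Flow, conduits=CONDUITS) -> tuple[bool, str]:
    """Default-deny check of one inter-zone flow against the conduit table."""
    if flow.src_zone not in ZONES or flow.dst_zone not in ZONES:
        return False, "unknown zone"
    if flow.src_zone == flow.dst_zone:
        return True, "intra-zone"  # assumption: zone-internal traffic is not conduit-controlled
    if not flow.identity:
        return False, "unauthenticated"  # an identity is required before any conduit applies
    pair = [c for c in conduits if (c.src, c.dst) == (flow.src_zone, flow.dst_zone)]
    if not pair:
        return False, "no conduit between zones"
    for c in pair:
        if flow.application in c.applications and flow.identity in c.identities:
            return True, "conduit match"
    return False, "application or identity not covered by conduit"
```

Note that a flow from the Enterprise LAN straight into the Controller LAN is refused simply because no conduit exists for that zone pair, regardless of the application or who is asking.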
TAKING ICS SECURITY TO THE NEXT LEVEL WITH FORTINET AND NOZOMI NETWORKS
JOINT SOLUTION
Fortinet and Nozomi Networks are collaborating to provide ICS environments with a comprehensive security solution. The solution
combines Nozomi Networks’ SCADAguardian and its deep understanding of ICS networks, protocols, and device behavior with
Fortinet’s extensive network security expertise through its FortiGate. SCADAguardian’s non-intrusive ICS protocol monitoring
capabilities profile the behavior of industrial devices and detect anomalies and critical states in the ICS network. It works closely with
FortiGate to respond and provide a secure gateway between the OT and IT networks as shown in Figure 2. Designed to minimize
system downtime and limit data loss, the Fortinet-Nozomi Networks solution optimizes productivity and business continuity in industries
reliant on ICS networks.
How does this work? A Nozomi Networks SCADAguardian appliance placed in the OT network passively monitors the network
traffic, creating an internal representation of the entire network, its nodes, and the state and behavior of each device in the network.
By doing so, the solution provides advanced visibility, monitoring, alerting, reporting, troubleshooting, and forensic capabilities. If an
anomaly or suspicious behavior is detected, an alarm is generated and sent to security operators and network administrators. At
the same time, SCADAguardian is capable of automatically modifying the right policy in FortiGate to block the suspicious traffic. The
proactive Fortinet-Nozomi Networks solution provides sophisticated detection of ICS security issues with proactive threat remediation
and containment within an industrial environment.
[Figure 2: Fortinet-Nozomi Networks joint solution. Components shown: Nozomi SCADAguardian, Remote Access, Business, Historian, PLC/RTU.]
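The passive behavioral profiling described above (learn how each device normally talks, then alert on deviations and hand the firewall a block entry) can be sketched as follows. This is an added example written for this guide, not SCADAguardian's or FortiGate's code; the flow records, device names and Modbus function names are constructed, and the "block" entry is a plain tuple standing in for whatever policy update the real integration performs.

```python
from collections import defaultdict

# Constructed flow records: (src, dst, protocol, function). For Modbus the
# function is the function-code name; protocols without one use "".
LEARNING_WINDOW = [
    ("hmi-01", "plc-01", "modbus", "read_holding_registers"),
    ("hmi-01", "plc-02", "modbus", "read_holding_registers"),
    ("plc-01", "historian", "historian", ""),
    ("hmi-01", "plc-01", "modbus", "read_holding_registers"),
]
LIVE_TRAFFIC = [
    ("hmi-01", "plc-01", "modbus", "read_holding_registers"),    # normal
    ("hmi-01", "plc-01", "modbus", "write_multiple_registers"),  # known peer, new function
    ("eng-laptop", "plc-02", "modbus", "write_single_coil"),     # device never seen before
    ("plc-01", "historian", "historian", ""),                    # normal
    ("hmi-01", "plc-01", "s7comm", ""),                          # known peer, new protocol
]

def learn(records):
    """Build the baseline: for each source device, the set of (peer, protocol,
    function) tuples observed during a window assumed to be clean."""
    baseline = defaultdict(set)
    for src, dst, proto, func in records:
        baseline[src].add((dst, proto, func))
    return dict(baseline)

def detect(baseline, records):
    """Compare live records with the baseline. Each alert carries the kind of
    deviation and a candidate (src, dst, protocol) deny entry for the firewall."""
    alerts = []
    for src, dst, proto, func in records:
        if src not in baseline:
            kind = "unknown_device"
        elif not any(d == dst and p == proto for d, p, _ in baseline[src]):
            kind = "new_peer_or_protocol"
        elif (dst, proto, func) not in baseline[src]:
            kind = "new_function"   # e.g. a read-only HMI starting to write
        else:
            continue                # matches learned behavior, no alert
        alerts.append({"kind": kind, "src": src, "dst": dst, "proto": proto,
                       "func": func, "block": (src, dst, proto)})
    return alerts

if __name__ == "__main__":
    for alert in detect(learn(LEARNING_WINDOW), LIVE_TRAFFIC):
        print(alert)
```

In practice the learning window must itself be verified clean, otherwise an already-present intruder is baked into the baseline as normal behavior.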
This is done through the configuration of security policies in which multiple services, such as IPS, antivirus, and application control can
be mapped to each protocol.
In parallel to this specific protocol support, additional vulnerability protection is provided for applications and devices from the major ICS
manufacturers (see list below) through a complementary set of signatures.
This provides a more granular application-level control of the traffic between zones and enables the FortiGate to detect attempted
exploits of known vulnerabilities relating to any of the supported vendors’ solutions.
With the deployment of the integrated Fortinet-Nozomi solution, the following additional protocols are supported:
Moreover, the solution is able to learn the behavior of all other protocols as well as define custom ones.
SUMMARY
Adequately securing ICS presents many significant challenges, some of which clearly go beyond the scope of this solution guide. Yet
by following the best practices set forth by ICS-CERT / CPNI, and deploying government-accredited solutions such as those of the
Fortinet portfolio outlined above, the probability of a successful cyber-attack, as well as its likely impact on the ICS, can be greatly
reduced.
With dedicated support for the ICS / SCADA environment as well as its proven success as a leading provider of multi-layered enterprise
security, Fortinet is uniquely positioned to help our industrial customers overcome their security challenges and protect the safety and
reliability of our most critical infrastructure and services.
Copyright © 2017 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
January 19, 2017