FortiSIEM For OT Webinar - 26october2022 - Handout

This document discusses some of the fundamental challenges of securing operational technology (OT) environments. It notes that most industrial control systems lack security by design and are vulnerable to cyberattacks. The attack surface is expanding due to increased IT-OT convergence driven by digital transformation initiatives. Adoption of new technologies like 5G and IoT also poses risks. The document outlines how remote access needs have increased risk and how reliance on third parties exposes systems. It references industry surveys that found incidents are underreported and that mixing legacy and modern technology is the biggest challenge when securing OT. The last section introduces Fortinet's Security Fabric approach for addressing common OT security challenges such as cloud usage, remote access needs, and convergence of IT and OT networks.


Our Experts

William Noto, OT Segment Marketing Director, Fortinet
Jon Speer, SecOps Product Marketing Director, Fortinet

© Fortinet Inc. All Rights Reserved. 2


Here's what we will cover

01 Fundamental challenges of a cyberattack in OT
02 FortiSIEM for IT/OT Visibility
03 MITRE ATT&CK Framework for Enterprise & ICS



Foundation for Secure Operational Technology
Securing Operational Technology Challenges

• Most industrial control systems lack security by design and are brittle to change.
• The attack surface for cyber-physical assets is expanding as dependence on air-gap protection diminishes, with Digital Transformation initiatives driving IT-OT network convergence.
• Increasing adoption of new technologies, such as 5G, IoT, and Cloud.
• Remote access requirements for third parties and employees cause additional risk.
• Asset owners' reliance on OEMs and SIs exposes critical systems to additional risk.



The Industry Agrees…

IT / OT Convergence
"OT environments that were traditionally separated are no longer completely isolated. They now have direct connections for business, OEMs and other third parties."
Gartner, Reduce Risk to Human Life by Implementing This OT Security Control Framework, published 17 June 2021

Long Lifespan
"The automation hardware in a process automation system is often capable of running 20 to 30 years."
Gartner, Automation's Life Cycle Management of Processing Automation Control Systems, published April 2021

Incidents Underreported
"15% of survey respondents have experienced a security incident last year that crippled operational or mission-critical systems."
Gartner, Emerging Technologies: Critical Insights for Operational Technology Security, published November 10, 2021

Connectivity Driving Risk
"Connectivity to external systems continues as the overwhelming root cause of incidents, an indication that organizations still fail to follow network segmentation best practices."
SANS 2021 Survey: OT/ICS Cybersecurity, published August 2021

Mixing legacy and modern tech
"Technical integration of legacy and aging OT technology with modern IT systems is the biggest challenge facing securing OT technology and process."
SANS 2021 Survey: OT/ICS Cybersecurity, published August 2021

Insecure Remote Access
"42% indicate that their control systems had direct connectivity to the internet, up from 12% in 2019."
SANS 2021 Survey: OT/ICS Cybersecurity, published August 2021



Security Fabric – Operational Technology
Common Challenges
[Diagram: a zone stack from Cloud & External Zones at the top down to Safety & Protection Zones, with the common challenges and the Fabric capabilities that address them overlaid. Only the labels are recoverable here.]

Zone stack (top to bottom):
Cloud & External Zones
MAJOR ENFORCEMENT BOUNDARY
Business & IT Enterprise Zones
(Converged IT & OT)
MAJOR ENFORCEMENT BOUNDARY
Operations & ICS / OT Control Zones
MINOR ENFORCEMENT BOUNDARY
Process Control Zones
MAJOR ENFORCEMENT BOUNDARY
Safety & Protection Zones

Challenge columns: Cloud & Digital Transformation | Remote Access | Convergence | Threats & Vulnerabilities

Challenges called out:
• How to secure IT/OT converged operations?
• Users need Secure Remote Access to OT
• Data from Industrial Networks to Cloud
• Insecure and Legacy Assets
• Cyber Intrusions and Security Violations
• HMI Vulnerabilities and Exposures
• 3rd Party Integrations
• Safety & Complexities

Capabilities shown: SIEM, SOAR, Honeypot, Cloud Security, ZTNA, SD-WAN / 5G VPN, NGFW, Single Sign-On, Centralized Policy Management, Multi-factor Authentication, Centralized Logging & Reporting, Secure Switch, Rugged Firewalls, Network Switches, Access Point, Network Access Control, Endpoint Detection & Response Integration



Security Fabric – Operational Technology
Typically Deployed Solutions
[Diagram: the same zone stack, with Fortinet products placed in the zone where they are typically deployed. Only the labels are recoverable here.]

Zone stack (top to bottom): Cloud & External Zones | MAJOR ENFORCEMENT BOUNDARY | Business & IT Enterprise Zones (Converged IT & OT) | MAJOR ENFORCEMENT BOUNDARY | Operations & ICS / OT Control Zones | MINOR ENFORCEMENT BOUNDARY | Process Control Zones | MAJOR ENFORCEMENT BOUNDARY | Safety & Protection Zones

Solution columns: Secure Networking | Zero Trust Access | Security Operations | Security Services

Outcomes called out:
• Secure IT/OT Convergence
• Secure Digital Networks
• Secure Remote Access

Products shown: FortiSIEM, FortiSOAR, FortiDeceptor, FortiAnalyzer, FortiManager / FortiPolicy, FortiEDR, FortiCNP, ZTNA, FortiAuthenticator, FortiToken, FortiNAC, FortiGate (SD-WAN / 5G), FortiSwitch, Rugged FortiGate, Rugged FortiSwitch, Rugged FortiAP, OT Specialized FortiGuard Services (2,000+ OT Application Signatures, 500+ OT Threat Signatures), Ecosystem Partners, Fabric Ready Ecosystem



FortiSIEM for IT/OT Visibility
[Diagram: FortiSIEM at the center, with Security Fabric and other data sources feeding it and external integrations around it. Only the labels are recoverable here.]

FortiSIEM: Real Time Correlation, Incident Alerting, CMDB, Reporting, Dashboards, UEBA, STM
FortiSOAR: Advanced Incident Response Orchestration

Security Fabric sources (Log / Perf): FortiGate, FortiAP, FortiSwitch, FortiAnalyzer, Web, FAC, FortiADC, FortiMail, EMS, EDR, Deceptor, NAC, Sandbox, DDoS
Other sources (Log / Perf): OT/IoT, Cloud, Vulnerability, Perf, Application
Threat Intelligence (IOC Lookup): FortiGuard, VirusTotal, RiskIQ, ThreatConnect, Anomali, Custom STIX
Helpdesk / Device Integration: ServiceNow, Salesforce, Jira, ConnectWise, Custom
External Data Lake: FSM EventDB, ElasticSearch, HDFS
Authentication: SAML, RADIUS, AD, FAC, 2FA (Duo), CyberArk



FortiSIEM Integrations
300+ Integrations across vendors and applications

Integration categories: Service Desks & Cloud; Security & Intelligence; Applications; Operating Systems; Infrastructure; Platforms



Integrated CMDB: Know Your Environment
Map Devices to the Purdue Level
[Diagram: Purdue reference model annotated with where CMDB Business Services map. Only the labels are recoverable here.]

A Business Service is a logical grouping of Devices and Applications. Model your OT Devices under the Business Service.

Purdue model levels as shown (top to bottom):
Cloud Services: Cloud Services, Industrial Internet of Things, Remote Access (3rd Party Vendors & Employees)
Internet
Information Technology Authentication Boundary
Enterprise: Internet DMZ, Enterprise DMZ, Corporate Services, Corporate Local Area Network
Site
Operational Technology Authentication Boundary
Management Zone: OT DMZ, Operational Site DMZ
Manufacturing Zone: Operational Site Data Center
Area: Supervisory Control, Supervisory Control Network
Basic Process Control: Local Area Network
Physical: Physical Plant Floor, Instrument Bus Network



Integrated CMDB
Asset Visibility & Monitoring
Monitor Devices and Applications for Performance and Availability directly from FortiSIEM



Report on OT Related Events
Reference your OT Model within Reports

• Pre-defined Reports affecting OT/IoT Device Types.
• OT Report using the Assets Model in the OT/IoT Business Service Purdue Levels



Alert on OT Related Events
Real-time detection of OT related Incidents

• Pre-defined Rules affecting OT/IoT Device Types.
• OT Rules utilizing the Purdue Model defined in the OT/IoT Business Service
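The following is an added example, not FortiSIEM's rule language or CMDB schema, of what "rules utilizing the Purdue model" look like in practice. It uses a hypothetical asset model (CIDR ranges assigned to Purdue levels, standing in for the OT/IoT Business Service) and three rules: an OT asset talking to an unmodelled external address (the SANS "direct connectivity to the internet" finding), an enterprise-to-OT flow that bypasses the OT DMZ (a major enforcement boundary crossing), and a Modbus write that did not originate at supervisory control. The flow events are constructed, not captured data.

```python
"""Purdue-model boundary rules evaluated over constructed flow events.

Added example: a minimal asset model (CIDR -> Purdue level) standing in for a
CMDB business service, plus three rules of the kind the slide describes. It is
not FortiSIEM's rule language or its CMDB schema.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical asset model. Levels follow the Purdue reference model:
# 1 = field devices/PLCs, 2 = supervisory control (HMI/SCADA), 3 = site
# operations, 3.5 = OT DMZ, 4 = enterprise LAN. Addresses outside the model
# are treated as external (internet or unknown).
ASSET_MODEL = {
    "10.10.1.0/24": 1,
    "10.10.2.0/24": 2,
    "10.10.3.0/24": 3,
    "10.10.35.0/24": 3.5,
    "10.20.0.0/16": 4,
}
NETWORKS = [(ipaddress.ip_network(cidr), lvl) for cidr, lvl in ASSET_MODEL.items()]

# Modbus/TCP function codes that change PLC state; 1-4 are reads.
MODBUS_WRITE_FCS = {5, 6, 15, 16, 22, 23}


@dataclass(frozen=True)
class Alert:
    rule: str
    src: str
    dst: str
    detail: str


def purdue_level(ip):
    """Return the modelled Purdue level for ip, or None if it is not in the model."""
    addr = ipaddress.ip_address(ip)
    for net, lvl in NETWORKS:
        if addr in net:
            return lvl
    return None


def is_ot(level):
    """Levels 0-3 are the OT side of the major enforcement boundary."""
    return level is not None and level <= 3


def evaluate(event):
    """Apply the Purdue-aware rules to one flow event and return any alerts."""
    src, dst = event["src"], event["dst"]
    s, d = purdue_level(src), purdue_level(dst)
    alerts = []
    # Rule 1: an OT asset exchanging traffic with an address outside the model,
    # i.e. the "direct connectivity to the internet" finding in the SANS survey.
    if (s is None and is_ot(d)) or (d is None and is_ot(s)):
        alerts.append(Alert("OT-Direct-External", src, dst,
                            "OT asset talking to an unmodelled/external address"))
    # Rule 2: enterprise (level 4+) and OT (level <= 3) talking directly. Allowed
    # paths terminate in the OT DMZ (3.5), which is on neither side of this test.
    if (is_ot(s) and d is not None and d >= 4) or (is_ot(d) and s is not None and s >= 4):
        alerts.append(Alert("Major-Boundary-Bypass", src, dst,
                            "enterprise <-> OT flow that did not traverse the OT DMZ"))
    # Rule 3: a Modbus write that did not originate at supervisory control.
    if event.get("app") == "modbus" and event.get("fc") in MODBUS_WRITE_FCS and s != 2:
        alerts.append(Alert("PLC-Write-From-Unexpected-Level", src, dst,
                            f"Modbus fc={event['fc']} write from Purdue level {s}"))
    return alerts


def run(events):
    """Evaluate every event; return the alerts in order."""
    return [a for e in events for a in evaluate(e)]


# Constructed sample flows (not captured data).
SAMPLE_EVENTS = [
    {"src": "10.10.2.15", "dst": "10.10.1.7", "app": "modbus", "fc": 3},      # HMI read
    {"src": "10.10.2.15", "dst": "10.10.1.7", "app": "modbus", "fc": 16},     # HMI write
    {"src": "10.20.5.40", "dst": "10.10.1.7", "app": "modbus", "fc": 6},      # enterprise host writes to PLC
    {"src": "10.10.3.9", "dst": "203.0.113.25", "app": "tls", "dport": 443},  # historian to internet
    {"src": "10.20.5.40", "dst": "10.10.35.10", "app": "rdp"},                # enterprise to OT DMZ jump host
    {"src": "10.10.35.10", "dst": "10.10.2.15", "app": "rdp"},                # jump host to HMI
]

if __name__ == "__main__":
    for a in run(SAMPLE_EVENTS):
        print(f"{a.rule}: {a.src} -> {a.dst} ({a.detail})")
```

The two RDP flows through the OT DMZ jump host produce nothing, while the enterprise host writing directly to the PLC fires both the boundary rule and the write rule; that pairing is the point of modelling levels rather than just address ranges, since the same Modbus write from the HMI is normal.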



OT Analytics
Investigate OT related events



FortiSIEM OT Threat Intel

DRAGOS WORLDVIEW
• OT-focused technical indicators (IPs & domains)
• Alert in real time against matching indicators
• Tens of thousands of indicators

FORTIGUARD IOC
• Broad set of indicators (IP, domain, URL)
• Alert in real time against matching indicators
• Millions of indicators
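The following is an added example of the matching step behind "alert in real time against matching indicators"; it is not FortiSIEM's lookup code and the two feeds, their names and the event fields are constructed, not the Dragos WorldView or FortiGuard formats. It inverts the feeds into hash indexes so a lookup costs the same whether a feed holds tens of thousands or millions of entries, and it matches domains against parent-domain indicators as well as exact ones.

```python
"""Real-time indicator matching against two feeds, over constructed events.

Added example: the feeds, feed names and event fields are constructed; this is
not the Dragos WorldView or FortiGuard feed format, nor FortiSIEM's lookup code.
"""
from urllib.parse import urlsplit

# Constructed indicator feeds. The first carries only IPs and domains (as the
# OT-focused feed on the slide does); the second also carries URLs.
FEEDS = {
    "ot-focused": {
        "ip": {"203.0.113.25"},
        "domain": {"update.example-ics.test"},
        "url": set(),
    },
    "broad": {
        "ip": {"198.51.100.7"},
        "domain": {"bad.example"},
        "url": {"http://cdn.example/payload.bin"},
    },
}


def build_index(feeds):
    """Invert feeds into value -> set(feed) maps so a lookup is one hash probe
    regardless of whether the feed holds thousands or millions of entries."""
    index = {"ip": {}, "domain": {}, "url": {}}
    for feed, by_type in feeds.items():
        for ioc_type, values in by_type.items():
            for value in values:
                index[ioc_type].setdefault(value.lower(), set()).add(feed)
    return index


def domain_candidates(fqdn):
    """Yield fqdn and each parent domain (never the bare TLD), so that an
    indicator for update.example-ics.test also matches fw.update.example-ics.test."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def match_event(event, index):
    """Return (ioc_type, indicator, feed) hits for one event, in a stable order."""
    hits = []
    for field in ("src_ip", "dst_ip"):
        ip = event.get(field)
        if ip and ip in index["ip"]:
            hits += [("ip", ip, feed) for feed in sorted(index["ip"][ip])]
    domains = []
    if event.get("domain"):
        domains.append(event["domain"])
    url = event.get("url")
    if url:
        if url.lower() in index["url"]:
            hits += [("url", url, feed) for feed in sorted(index["url"][url.lower()])]
        host = urlsplit(url).hostname
        if host:
            domains.append(host)
    for fqdn in domains:
        for candidate in domain_candidates(fqdn):
            if candidate in index["domain"]:
                hits += [("domain", candidate, feed) for feed in sorted(index["domain"][candidate])]
                break  # most specific match wins; do not also report its parents
    return hits


def scan(events, feeds=FEEDS):
    """Match a stream of events; return (event, hits) for every event with a hit."""
    index = build_index(feeds)
    results = []
    for event in events:
        hits = match_event(event, index)
        if hits:
            results.append((event, hits))
    return results


# Constructed sample events (firewall, DNS and proxy log fields, not real captures).
SAMPLE_EVENTS = [
    {"src_ip": "10.10.3.9", "dst_ip": "203.0.113.25"},
    {"src_ip": "10.10.2.15", "domain": "fw.update.example-ics.test"},
    {"src_ip": "10.20.5.40", "url": "http://cdn.example/payload.bin"},
    {"src_ip": "10.20.5.41", "url": "https://x.bad.example/login"},
    {"src_ip": "10.10.2.15", "dst_ip": "10.10.1.7", "domain": "time.example.org"},
]

if __name__ == "__main__":
    for event, hits in scan(SAMPLE_EVENTS):
        print(event, "->", hits)
```

Which feed produced a hit is kept on every match, since an OT-focused indicator firing inside the control zones deserves a different triage path than a commodity indicator seen from an enterprise proxy.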



[Diagram: FortiSIEM Supervisor, Worker Nodes, Shared Storage and Collectors; the slide title is not present in the extraction.]

Supervisor
• Core functionality

Worker Nodes
• Scale out performance
• Distributed query and event processing

Shared Storage
• NFS or Elastic

VM or HW Appliance

Collectors
• Physical or virtual
• Local or remote site
• Event collection
• Pre-processing



Collector Capabilities Supporting OT

Event Collection
• Deploy Collectors to remote or segmented locations
• Drop irrelevant logs before uploading
• Limit Collector bandwidth to protect remote-site bandwidth
• Compress logs before uploading
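The three pre-processing steps above, as an added example rather than FortiSIEM's collector configuration: drop events that carry no detection value before they leave the site, gzip the batch, and meter the upload with a token bucket so a burst from a plant-floor device cannot saturate a thin WAN link. The drop patterns, the syslog lines and the limiter parameters are constructed for illustration.

```python
"""Collector-side pre-processing: drop, compress, rate-limit before upload.

Added example of the three steps the slide lists; the drop patterns, sample
syslog lines and the token-bucket limiter are constructed for illustration
and are not FortiSIEM's collector configuration.
"""
import gzip
import re
import time

# Patterns for events that carry no detection value at the SIEM and would only
# consume WAN bandwidth from a remote site. Tune per environment.
DROP_PATTERNS = [re.compile(p) for p in (
    r"dhcpd: DHCP(DISCOVER|OFFER|REQUEST|ACK)\b",   # lease chatter
    r"\blevel=debug\b",                              # debug verbosity
)]


def filter_events(lines):
    """Split lines into (kept, dropped_count) using DROP_PATTERNS."""
    kept, dropped = [], 0
    for line in lines:
        if any(p.search(line) for p in DROP_PATTERNS):
            dropped += 1
        else:
            kept.append(line)
    return kept, dropped


def compress_batch(lines):
    """gzip a batch of lines; return (blob, raw_byte_count)."""
    raw = ("\n".join(lines) + "\n").encode("utf-8")
    return gzip.compress(raw), len(raw)


def decompress_batch(blob):
    """Inverse of compress_batch, as the receiving side would apply it."""
    return gzip.decompress(blob).decode("utf-8").splitlines()


class TokenBucket:
    """Upload limiter: rate bytes/s with a burst of capacity bytes.
    The clock is injectable so the limiter can be tested without sleeping."""

    def __init__(self, rate, capacity, clock=time.monotonic):
        self.rate, self.capacity, self.clock = float(rate), float(capacity), clock
        self.tokens, self.last = float(capacity), clock()

    def _refill(self):
        now = self.clock()
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def delay_for(self, nbytes):
        """Debit nbytes and return how many seconds to wait before sending them."""
        self._refill()
        self.tokens -= nbytes
        return max(0.0, -self.tokens / self.rate)


def prepare_upload(lines, bucket):
    """Run the pipeline for one batch; returns the payload plus accounting."""
    kept, dropped = filter_events(lines)
    blob, raw_bytes = compress_batch(kept)
    return {
        "kept": len(kept), "dropped": dropped,
        "raw_bytes": raw_bytes, "upload_bytes": len(blob),
        "delay_s": bucket.delay_for(len(blob)), "payload": blob,
    }


# Constructed syslog lines (not captured from any device).
SAMPLE_LINES = [
    "<134>Oct 26 10:00:01 site-gw1 dhcpd: DHCPREQUEST for 10.10.1.7 from 00:1d:9c:aa:bb:cc via eth1",
    "<134>Oct 26 10:00:01 site-gw1 dhcpd: DHCPACK on 10.10.1.7 to 00:1d:9c:aa:bb:cc via eth1",
    "<14>Oct 26 10:00:02 hmi-01 modbus-proxy: fc=16 write addr=40001 src=10.10.2.15 dst=10.10.1.7",
    "<14>Oct 26 10:00:03 rugged-fw1 level=warning action=deny src=10.20.5.40 dst=10.10.1.7 dstport=502",
    "<15>Oct 26 10:00:04 hmi-01 opcua: level=debug session keepalive",
]

if __name__ == "__main__":
    result = prepare_upload(SAMPLE_LINES, TokenBucket(rate=64_000, capacity=128_000))
    print({k: v for k, v in result.items() if k != "payload"})
```

Filtering happens before compression and metering on purpose: bytes that are never produced cost nothing on the link, and the limiter then only has to account for what survives. The debit-first bucket lets a batch that exceeds the remaining budget go out after a computed delay instead of being rejected, which matters for a collector that must not lose the deny event from the rugged firewall.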



FortiSIEM Manager Architecture

FortiSIEM Manager
• Deployed in global SOC
• Performs Incident Management functionality of local FortiSIEM configuration

In-Region or Customer FortiSIEM
• Performs in-region or local-network FortiSIEM functions
• Stores data on local storage



FortiSIEM Manager
Improve Management and Incident Visibility across multiple FortiSIEM Instances
[Diagram: one FortiSIEM Manager above FortiSIEM instances 1, 2, 3 … N. Instance labels shown: ENT, USA, EU, SEAHK, ANZ; deployment labels shown: MSSP, SHARED, DEDICATED, DEDICATED, DEDICATED.]

Central Management
• Manages multiple disparate FortiSIEM Instances
• Understand the health of all managed Instances
• Manage the Incidents of the managed FortiSIEM Instances
• Drill down from Manager to the managed Instances
• Run FortiSOAR Playbooks and Connectors from the FortiSIEM Manager



FortiSIEM Cloud Architecture
[Diagram: FortiSIEM Cloud receiving from on-premise Hardware and Virtual Collectors, Virtual Collectors in cloud platforms (including Oracle Cloud Infrastructure), and Roaming Users running the FortiSIEM Agent.]

• Supports hardware and virtual Collectors
• Deploy Collectors on premise or in the Cloud
• Collect logs from Cloud Infrastructure Platforms (AWS, Azure, GCP, OCI) with and without Collectors*
• FortiSIEM Agent – UEBA and Logs (Roaming Users)

*See FortiSIEM External System Configuration Guide for details


MITRE ATT&CK® Framework
for Enterprise
for Industrial Control Systems
Sandworm Team* / Industroyer Malware: ATT&CK Matrix for Enterprise
[Diagram: the ATT&CK Matrix for Enterprise as it applies to Sandworm Team's Industroyer malware]

* aka Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455



MITRE ATT&CK Enterprise Dashboards

• Rule Coverage dashboard shows MITRE ATT&CK coverage
• Incident Coverage dashboard shows corresponding incidents
• Incident Explorer shows a host-centric, interactive ATT&CK view



MITRE ATT&CK Framework for ICS



Sandworm Team* / Industroyer Malware: ATT&CK Matrix for Industrial Control Systems
[Diagram: the ATT&CK Matrix for ICS as it applies to Sandworm Team's Industroyer malware]

* aka Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455



MITRE ATT&CK for ICS
80+ new rules mapped to ATT&CK for ICS techniques



Q&A
For more information, visit
Fortinet.com/OT
Thank You!
