
High-performance security solutions, engineered for safe and reliable operations

Hartato
Systems Engineer
R3-06-2021
Leader for Network Firewalls and WAN Edge
Convergence of Security and Networking Using Single Platform

• Nov. 2020 Magic Quadrant for Network Firewalls: Fortinet Recognized as a Leader
• Oct. 2020 Magic Quadrant for WAN Edge Infrastructure: Fortinet Recognized as a Leader
• Nov. 2020 Magic Quadrant for Wired & Wireless LAN Access Infrastructure: Fortinet Recognized as a Visionary

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Fortinet. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

© Fortinet Inc. All Rights Reserved.
Fortinet is recognized in 6 Gartner Magic Quadrants

• Fortinet recognized as a Leader in 2 Magic Quadrants: Network Firewalls; WAN Edge Infrastructure
• Fortinet recognized as a Visionary in 2 Magic Quadrants: Wired and WLAN; SIEM
• Fortinet recognized as a Challenger or Niche in 2 Magic Quadrants: Web Application Firewall; Endpoint Protection Platforms*
• Fortinet mentioned in 2 Magic Quadrants: Secure Web Gateway; Indoor Location Services
• And Fortinet is listed in 8 Gartner Market Guides: EDR, IDPS, Email, NAC, NDR, ZTNA, OT, SOAR


Understanding Operational Technology

What’s IT and OT?
Information Technology and Operational Technology (IT/OT)

Securing inter-connected IT and OT
Information Technology and Operational Technology (IT/OT)


Digital Innovation is Also Causing Increased Risk
Billions of “Edges” Expanding the Digital Attack Surface

Diagram: edges grouped as Users and Devices (Unknown, Known, Trusted; Mobile, Remote, Customers, Partners), The Network (Campus, Branch, Switch, WiFi, SD-WAN, 5G, Factory, Core, Edge, Call Center) and Compute (Public Cloud, SaaS, Hybrid Data Center, Hyperscale). The Perimeter is Everywhere.


Sophisticated Threats
Malware Pre and Post Infection Evolution


OT Infrastructure Cyber Attacks
The risk is real

Timeline of incidents, 2010 to 2021:
• Stuxnet disrupts Iranian nuclear program
• New York dam floodgates compromised
• Michigan traffic light hacked
• German steel mill furnace destroyed
• Hospital drug infusion pumps hacked
• Car transmission and brakes controlled
• Ukraine power grid knocked offline
• MIRAI Botnet: 145,00 IoT devices
• Trisis/Triton: Malware designed to compromise Safety
• Merck & Co. global production shutdown by ransomware ($1B loss)
• Maersk Shipping global shutdown by ransomware ($250M loss)
• Global Aluminum producer shutdown by ransomware
• ASCO parts shutdown by ransomware
• Ekans Ransomware attack on Honda, Fresenius
• SolarWinds Orion
• Attempted poisoning of Tampa Water Supply
• Colonial Pipeline Ransomware ($4.4 million in ransom)


Cybercriminal Ecosystem – Know your enemy !!!

Diagram: crime services and enablers (Quality Assurance, Crypters / Packers, Scanners, Infections / Drop Zones, Installs / Spam / SEO / DDoS, Botnet Rentals, Hosting, Money Mules, Consulting, Accounts Receivable Management, Bank Accounts); crimeware creators (Exploits, Packers, Special Platform Developers, Mobile Developers, Senior and Junior Source Code Developers, Affiliate Programs for FakeAV / Ransomware / Botnets, Copy & paste); compounded cybercrime (Credentials & Data, Digital Real Estate, Victims, Criminal Organizations, Sales, Licensing, Maintenance, Affiliates, Partnerships).


BACnet and Modbus devices publicly exposed


IPS/ Application Control for Industrial Systems

159 Vulnerabilities Shielded, including:

▪ Schneider.ClearSCADA.OPF.File.Parsing.Out.of.Bounds.Array.Index (CVE-2014-0779)
▪ Schneider.ClearSCADA.Remote.Authentication.Bypass
▪ Schneider.Electric.Accutech.Manager.SQL.Injection
▪ Schneider.Electric.DTM.development.kit.Buffer.Overflow (CVE-2014-9200)
▪ Schneider.Electric.GP-Pro.EX.ParseAPI.Heap.Buffer.Overflow
▪ Schneider.Electric.InduSoftWebStudioAgent.Remote.Code.Execution (CVE-2015-7374)
▪ Schneider.Electric.Interactive.Graphical.SCADA.Buffer.Overflow (CVE-2013-0657)
▪ Schneider.Electric.OSF.Configuration.File.Buffer.Overflow (CVE-2014-0774)
▪ Schneider.Electric.Pelco.DSNVs.Rvctl.RVControl.Buffer.Overflow (CVE-2015-0982)
▪ Schneider.Electric.ProClima.Atx45.ocx.ActiveX.Access (CVE-2014-8511, CVE-2014-8512)
▪ Schneider.Electric.ProClima.MDraw30.ocx.ActiveX.Access (CVE-2014-8513, CVE-2014-9188)
▪ Schneider.Electric.ProClima.MetaDraw.Buffer.Overflow (CVE-2014-8514)
▪ Schneider.Electric.SCADA.Expert.ClearSCADA.XSS (CVE-2014-5411)
▪ Schneider.Electric.VAMPSET.CFG.File.Handling.Buffer.Overflow (CVE-2014-8390)
▪ Schneider.Modicon.M340.Password.Buffer.Overflow (CVE-2015-7937)
▪ Schneider.Quantum.Module.Backdoor.Access (CVE-2011-4859)
▪ Schneider.SCADA.Expert.ClearSCADA.Authentication.Bypass (CVE-2014-5412)
▪ SchneiderElectric.ProClima.F1BookView.Memory.Corruption (CVE-2015-7918, CVE-2015-8561)
▪ SearchBlox.File.Exfiltration (CVE-2015-7919)
▪ Sielco.Sistemi.Winlog.File.Access.Directory.Traversal (CVE-2012-4356)
▪ Siemens.0day.40142
▪ Siemens.ALM.almaxcx.dll.ActiveX.Arbitrary.File.Overwrite (CVE-2011-4532)
▪ Siemens.Automation.License.Manager.DoS (CVE-2011-4529, CVE-2011-4531)
▪ Siemens.S7300.Hardcoded.Credentials.Security.Bypass
▪ Siemens.Simatic.WinCC.Default.Password (CVE-2010-2772)
▪ Siemens.SIMATIC.WinCC.Flexible.HmiLoad.Multiple.Vulnerabilities (CVE-2011-4877)
▪ Siemens.SIMATIC.WinCC.Flexible.miniweb.DoS (CVE-2011-4879)
▪ Siemens.Tecnomatix.FactoryLink.Multiple.Vulnerabilities


Profile OT Attack: Ukraine Grid

• APT Initial Intrusion
• Attack Preparation
• Execution
• Impact


Ukraine Grid Attack – Initial Intrusion

Diagram: a malicious attachment (BLCKNRG.XLSX) enters the IT Network through the perimeter Firewall; a second, one-way Firewall separates the IT Network from the OT Network and its SCADA/DMS Gateway.

Step 1. Malware in the mail.
Step 2. Attack preparation, network scans, and APT: 8 months to develop the exploit.
Step 3. Triggering the cyberattack:
- Password had been changed
- HDD wipeout
- Overwriting firmware
- DC UPS taken down
- DDoS

SOURCE: Ukrainian Power Grids Cyberattack


Ukraine Attack Impact and Takeaways

• Lack of appropriate email and network intrusion detection, malware detection
• Lack of network supervision, scans, and vulnerability checks
• Lack of visibility and automated controls to stop the attack
• Lack of two factor authentication


Fortinet Approach for Securing OT

Fortinet Security Fabric
• Broad: visibility and protection of the entire digital attack surface to better manage risk
• Integrated: solution that reduces management complexity and shares threat intelligence
• Automated: self-healing networks with AI-driven security for fast and efficient operations

Diagram: FortiOS at the centre, surrounded by the Fabric Management Center (NOC, SOC), Adaptive Cloud Security, Zero Trust Access, Open Ecosystem, Security-Driven Networking and FortiGuard Threat Intelligence.


Digital Security, everywhere you need it.

Diagram of the Fortinet portfolio:
• FortiGuard Security Services: Content Security, User Security, Web Security, Device Security, SOC & NOC, Advanced Bundled Security, SOC/NOC Security-as-a-Service (FortiGuard MDR Service), Endpoint Breach Incident Response
• Fabric Management Center (SOC and NOC): FortiSandbox, FortiEDR, FortiAnalyzer, FortiSIEM, FortiDeceptor, FortiMonitor, FortiAI, FortiSOAR, FortiXDR, FortiManager, FortiCloud
• Open Ecosystem: Fabric Connector, Fabric API, DevOps, Extended Fabric Ecosystem
• Zero Trust Access: FortiClient, FortiNAC, FortiToken, FortiAuthenticator
• Security-Driven Networking (LAN Edge, WAN Edge, DC Edge): FortiVoice, FortiAP, FortiCamera, FortiSwitch, FortiExtender, FortiGate SD-WAN, FortiGate, FortiProxy, FortiIsolator, FortiDDoS, FortiSASE
• Adaptive Cloud Security (Cloud Edge, Network Platform, Applications): FortiGate Cloud Networking, FortiGate VM, FortiSegment, AWS Native, Azure Native, FortiCASB, FortiCWP, FortiWeb, FortiMail, FortiADC, FortiGSLB
• Form factors: Appliance, VM, Hosted, Cloud, Software, Container


FortiGuard Labs

Diagram: telemetry from the Security Fabric protections (Network, Web, IPS, Application Control, Web Filtering, Anti-Virus, Sandbox, Email, Endpoint, Anti-Spam, Endpoint Vulnerability, Indicators of Compromise (IoCs), Virtual Patches), together with CERTs, partnerships, OSINT and CTA feeds, is processed by FortiGuard Labs (AI / Machine Learning, Zero-Day research, Federated Machine Learning, Fortinet Distribution Enforcement Network) into:
• Actionable Threat Intelligence: detection and protection in milliseconds
• Visibility: Adversary Playbooks, Security Blogs, Threat Intel Briefs, Threat Signals
• Innovation and Proactive Research
• Threat Intelligence Services: Trusted Partnerships, Penetration Testing, Phishing Service, Incident Response


FortiGuard Industrial Security Service MAR 2021

ICS/OT Protocols – Application Control and IPS Signatures

⇶ - Additional Parameters supported for the signatures in the GUI (requires FortiOS v6.4 and above)

FortiGuard Industrial Security Service provides broader coverage for Industrial Control System and Operational Technology protocols through Application Control and IPS Signatures. For an up-to-date list of supported signatures, please visit fortiguard.com

Table: FortiGuard Industrial Protocol Coverage, with Application Control and Intrusion Prevention columns per protocol.


FortiGuard Industrial Security Service
Virtual Patching Zero-day Vulnerabilities

Virtual patching or vulnerability shielding acts as a compensatory security measure against threats that have the potential to exploit known or unknown vulnerabilities. Virtual patching works by implementing layers of security controls that intercept and prevent an exploit from compromising the vulnerable assets connected on the network(s).

Diagram: a Remote Attacker on the Internet reaches a FortiGate acting as Secure Gateway for the DMZ Network; a second FortiGate with IPS Signatures sits in front of ICS Network 1 and ICS Network 2 (HMIs on the Process Network, unpatched vulnerable network assets); FortiSwitches on the Control Network connect RTUs and PLCs on the Field Network, also unpatched vulnerable network assets.


Open Ecosystem
450+ Best-in-class integrated solutions for comprehensive protection

• Fabric Connectors: Fortinet-developed deep integration automating security operations and policies
• Fabric APIs: Partner-developed integration using Fabric APIs providing broad visibility with end-to-end solutions
• Fabric DevOps: Community-driven DevOps scripts automating network and security provisioning, configuration, and orchestration
• Extended Ecosystem: Integrations with threat sharing initiatives and other vendor technologies

Partner logos grouped as Endpoint Security, Firewalls, Switching and Wireless. Note: Logos are a representative subset of the Security Fabric Ecosystem. Figures as of March 31, 2021.
FortiOS Overview

Fortinet NGFW
Standalone FortiGate Next Generation Firewalls

Diagram: the NGFW combines Firewall + App Control + Intrusion Prevention + Antivirus + URL Filtering + VPN + SSL Inspection (Firewall, Intrusion Prevention, Web Proxy, Antivirus, Web-Filter, VPN and SSL Inspection shown as layers; Advanced Threat Detection and Threat Prevention as outcomes). Purpose-built Security Processor delivers best performance.

▪ Integrate various point products into NGFW Features
20 Years Of Organic Innovations

• Cybersecurity Fabric (FortiOS): 300 – More than 300 new Features in FOS 7.0
• Security Processing Unit (SPU): 13x – Security Compute Rating for Connections Per Second
• FortiGuard Labs (AI): 10B+ – Events analyzed each day


Rugged Solutions – NGFW
(Form factors: Appliance, Virtual Machine, Cloud, Security-as-a-Service, Software)

Ruggedized Design
Fan-less and use of robust components ensure reliable operation in harsh industrial environments.

Consolidated Security Architecture
FortiGate running FortiOS consolidated security offers better protection and lower cost of ownership than multiple point products. Coupled with FortiGuard Industrial Security Service, it ensures that critical networks receive real-time protection.

Ease of Management
Robust management systems that allow rapid provisioning and deployment, monitoring of device and threat status while providing actionable reports.

Related products: FortiAnalyzer, FortiManager, FortiSIEM, FortiAuthenticator, FortiToken, FortiEDR, FortiNAC, FortiSandbox, FortiDeceptor.

Ruggedized Next-Generation Firewalls – FortiGate Rugged Series (Industry Certifications)
• FGR-30D: IP20, Indoor Use; Dual power input; Industry Certified
• FGR-35D: IP67, Outdoor Use; Industry Certified
• FGR-60F: IP20, Indoor Use; SoC4 Powered; By-pass port; Industry Certified
• FGR-60F 3G4G: IP20, Indoor Use; SoC4 Powered; By-pass port; Industry Certified; Embedded 3G/4G/LTE


Rugged Solutions – Switch & AP
(Form factors: Appliance, Virtual Machine, Cloud, Security-as-a-Service, Software)

Ruggedized Design
Fan-less and use of robust components ensure reliable operation in harsh industrial environments.

Consolidated Security Architecture
FortiSwitch and FortiAP can be integrated with FortiGate or FortiOS to offer consolidated security for better protection and lower cost of ownership than multiple point products. Coupled with FortiGuard Industrial Security Service, it ensures that critical networks receive real-time protection.

Ease of Management
Robust management systems that allow rapid provisioning and deployment, monitoring of device and threat status while providing actionable reports.

Related products: FortiAnalyzer, FortiManager, FortiSIEM, FortiAuthenticator, FortiToken, FortiEDR, FortiNAC, FortiSandbox, FortiDeceptor.

Ruggedized Network Switches and Wireless Access Points – FortiSwitch and FortiAP Rugged Series (Industry Certifications)
• FortiSwitch Rugged 112D-POE: IP30, Indoor Use; Dual power input; DIN-rail or wall-mountable; PoE and PoE+ capable; Industry Certified
• FortiSwitch Rugged 124D: IP40, Indoor Use; Dual power input; Rack-mountable; Industry Certified
• FortiAP Rugged 234F: Internal Antennas; IP67, Indoor/Outdoor Use; PoE Powered; Ceiling, T-Rail, and Wall-mountable; Industry Certified
• FortiAP Rugged 432F: External Antennas; IP67, Indoor/Outdoor Use; PoE Powered; Ceiling, T-Rail, and Wall-mountable; Industry Certified
*Limited lifetime warranty


Deployment Options

• OFF-LINE IDS (one-arm sniffer, port mirroring)
FortiGate monitors network segment(s) and detects known attacks including 0-day. FortiGate receives traffic from configured port mirroring. No traffic flows through it. FortiGate is a network sensor.

• IN-LINE IPS/IDS (virtual patching)
Network traffic goes through FortiGate. Network attacks can be detected (IDS) and/or blocked (IPS). In IPS mode, vulnerable devices are protected. This is virtual patching.
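The two deployment modes above, and the virtual-patching idea from the FortiGuard Industrial Security Service slide, as an added example that is not part of the original deck: a minimal Modbus/TCP function-code policy for an unpatched PLC that accepts unauthenticated writes, run once as an off-line sensor (a mirrored copy, so violations can only be logged) and once in-line (violations are dropped). The zone names, the sample frames and the policy itself are constructed for the example and are not FortiOS signatures.

```python
"""Modbus/TCP function-code policy, evaluated as an off-line sensor or in-line.

Added example (not from the original deck). The policy shields a PLC that
accepts unauthenticated writes: only the control zone may write, only the
control and supervisory zones may read, anything else is a violation.
"""
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Public Modbus function codes (Modbus Application Protocol specification).
READ_CODES = {1, 2, 3, 4}     # read coils / discrete inputs / holding / input registers
WRITE_CODES = {5, 6, 15, 16}  # write single/multiple coils and registers


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header plus function code; reject malformed frames."""
    if len(frame) < 8:
        raise ValueError("truncated MBAP header")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol identifier must be 0 for Modbus")
    # The MBAP length covers unit id + function code + data (everything after byte 6).
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return ModbusRequest(tid, unit, frame[7], frame[8:])


@dataclass
class Verdict:
    action: str  # "pass", "log" (a sensor can only alert) or "drop" (in-line block)
    reason: str


def inspect(src_zone: str, req: ModbusRequest, inline: bool) -> Verdict:
    """Apply the conduit policy; a mirrored copy can only be logged, in-line traffic can be dropped."""
    fc = req.function_code
    if fc in READ_CODES and src_zone in ("control", "supervisory"):
        return Verdict("pass", f"read fc={fc} from {src_zone}")
    if fc in WRITE_CODES and src_zone == "control":
        return Verdict("pass", f"write fc={fc} from {src_zone}")
    reason = f"fc={fc} from zone {src_zone} violates the conduit policy"
    return Verdict("drop" if inline else "log", reason)


def build_request(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Assemble a Modbus/TCP frame (used only to construct the sample traffic)."""
    body = bytes([unit, fc]) + data
    return struct.pack(">HHH", tid, 0, len(body)) + body


# Constructed sample traffic: (source zone, frame). Not captured from a real network.
SAMPLE_TRAFFIC: List[Tuple[str, bytes]] = [
    ("supervisory", build_request(1, 1, 3, struct.pack(">HH", 0, 10))),   # HMI reads 10 holding registers
    ("control", build_request(2, 1, 6, struct.pack(">HH", 5, 0x00FF))),   # engineering station writes register 5
    ("enterprise", build_request(3, 1, 16, struct.pack(">HHB", 0, 1, 2) + b"\x00\x00")),  # write from the IT zone
    ("enterprise", build_request(4, 1, 3, struct.pack(">HH", 0, 1))),     # read from the IT zone
]


def run(inline: bool) -> List[Tuple[str, int, str]]:
    """Evaluate the sample traffic in one mode; returns (zone, function code, action)."""
    results = []
    for zone, frame in SAMPLE_TRAFFIC:
        req = parse_modbus_tcp(frame)
        results.append((zone, req.function_code, inspect(zone, req, inline).action))
    return results


if __name__ == "__main__":
    for mode, inline in (("off-line sensor", False), ("in-line IPS", True)):
        print(mode, run(inline))
```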


FortiOS: Switch and Access Point Controller

• FortiGate to manage FortiSwitch/FortiAP
• Policy Enforcement between interfaces (VLAN, SSIDs, physicals)
• Port level visibility
• Help to implement the best practices
  • ISA99/IEC-62443
  • NIST
  • Defense in Depth
  • Zones and Conduits definitions
  • Segmentation
  • Micro Segmentation


Plain Network OT environment: fine-grained control enforcement on FortiGate with the traffic subjected to IP Firewall Policy, Application Control & IPS.


Micro-Segmentation with Access VLAN

• Host isolation
• Firewall policy to control the L2 communications
• L7 inspection if required


Virtual Domain (VDOM) Technology
Lower TCO achieving multiple functions with a single NGFW appliance

Diagram: one FortiGate appliance split into three virtual domains.
• OT Domain (Zones of Control, Zones and Conduits, Micro Segmentation): a managed FortiSwitch (M-FortiSwitch) with access VLANs vLANxxx.process, vLANxxx.control and vLANxxx.mgmt serving the IED and the Engineering WorkStation; the real-time control loop is 1 Sense, 2 Think, 3 Act.
• LAN Domain (Zones of Control, Zones and Conduits, Micro Segmentation): SD-WAN over ISP1 and ISP2 (WAN), a managed FortiSwitch with per-function VLANs (vLANxxx.function), FortiSandbox (On Prem) and Jump Hosts.
• VPN Domain: IPsec to HQ/PVC.
FortiGuard IOC Service

• Compromised terminals as determined by FortiAnalyzer IOC detection are visible on FortiView and Topology maps
• Supports drill-in for details
• Actionable


FortiOS Security Fabric Automation


SD-WAN for OT
A few use cases

Enterprise SD-WAN Use Cases – MPLS Backup with Local Breakout
• Critical Apps (Voice and Video): best path is chosen depending on latency, jitter, and packet loss
• Critical Apps (Voice and Video): redirected to a new tunnel in case the WAN conditions are worse than the threshold
• Business Apps: load balanced across different lines so bandwidth is optimized

Diagram: the Branch reaches the Private Cloud over MPLS and the Public Cloud over an IPsec VPN across the Internet.

Enterprise SD-WAN Use Cases – MPLS Migration
• Critical Apps (Voice and Video): best path is chosen depending on latency, jitter, and packet loss
• Critical Apps (Voice and Video): redirected to a new tunnel in case the WAN conditions are worse than the threshold
• Business Apps: load balanced across different lines so bandwidth is optimized; direct secure access to Internet, SaaS, and IaaS content, load balanced if needed

Diagram: as above, with local breakout from the Branch to the Internet.
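An added example, not from the original deck, of the SLA-based steering the two use cases describe: each SD-WAN member is measured for latency, jitter and packet loss; critical applications stay on the best member meeting the SLA and are redirected when it falls out of SLA, while business applications are spread across all members still within SLA. The member names, thresholds and measurements are constructed, and the scoring formula is this example's own, not FortiOS's.

```python
"""SLA-based SD-WAN path selection for critical and business applications.

Added example (not from the original deck). Member names, SLA thresholds and
the probe results are constructed; the quality score is this example's own.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Sla:
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float


@dataclass(frozen=True)
class Measurement:
    member: str        # SD-WAN member, e.g. "mpls" or "internet-ipsec"
    latency_ms: float
    jitter_ms: float
    loss_pct: float

    def meets(self, sla: Sla) -> bool:
        return (self.latency_ms <= sla.max_latency_ms
                and self.jitter_ms <= sla.max_jitter_ms
                and self.loss_pct <= sla.max_loss_pct)

    def score(self) -> float:
        """Lower is better; loss is weighted heavily because it hurts voice and video most."""
        return self.latency_ms + 2 * self.jitter_ms + 50 * self.loss_pct


def select_critical(measurements: List[Measurement], sla: Sla, current: Optional[str]) -> str:
    """Critical apps: stay on the current member while it meets the SLA, otherwise
    redirect to the best in-SLA member; if no member meets it, take the least-bad one."""
    in_sla = [m for m in measurements if m.meets(sla)]
    if current and any(m.member == current for m in in_sla):
        return current                       # no flapping while the current path is still good
    candidates = in_sla or measurements      # brown-out on every member: degrade gracefully
    return min(candidates, key=Measurement.score).member


def select_business(measurements: List[Measurement], sla: Sla) -> List[str]:
    """Business apps: every in-SLA member is eligible, so traffic can be load balanced."""
    eligible = [m.member for m in measurements if m.meets(sla)]
    return eligible or [min(measurements, key=Measurement.score).member]


def steer_over_time(samples: List[List[Measurement]], sla: Sla) -> List[str]:
    """Replay successive probe rounds; return the member chosen for a critical app each round."""
    history: List[str] = []
    current: Optional[str] = None
    for round_measurements in samples:
        current = select_critical(round_measurements, sla, current)
        history.append(current)
    return history


# Constructed probe results over three rounds: MPLS is best, then degrades to 3% loss,
# then recovers. Not real measurements.
VOICE_SLA = Sla(max_latency_ms=150, max_jitter_ms=30, max_loss_pct=1.0)
PROBES = [
    [Measurement("mpls", 20, 2, 0.0), Measurement("internet-ipsec", 35, 5, 0.2)],
    [Measurement("mpls", 22, 3, 3.0), Measurement("internet-ipsec", 36, 5, 0.2)],
    [Measurement("mpls", 21, 2, 0.0), Measurement("internet-ipsec", 34, 4, 0.1)],
]

if __name__ == "__main__":
    print("critical app path per round:", steer_over_time(PROBES, VOICE_SLA))
    print("business app members, round 2:", select_business(PROBES[1], VOICE_SLA))
```

Round three shows the sticky behaviour: the redirected flow stays on the Internet tunnel because it still meets the SLA, even though MPLS has recovered.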


Converged IT/OT edge with SD-WAN

Diagram: a single NGFW at the site terminates the SD-WAN members ISP1 (Broadband, 100 Mbps) and ISP2 (LTE) and separates an IT Segment from an OT Segment (Zones of Control, Zones and Conduits, Micro Segmentation, OT Telemetry); the Data Center behind it hosts the Provisioning Server, Threat Intelligence, SIEM & Analytics and Monitoring & Management for the SOC/NOC, plus External Services and Internal Servers and VMs.

• WAN Path Controller
• Application Awareness
• Zero Touch Deployment
• Device Consolidation
• Improved WAN Link Performance
• Dynamic Application Distribution
• Traffic Shaping & Policing
• Next Generation Firewall
• Multi-Transport Support
• Centralized Management
• Single-Pane-of-Glass Monitoring
• Identity-Based Policy
• Service Level Agreements (WAN Metrics)


Endpoint Detection & Response
Introducing FortiEDR

FEDR provides host-based next generation AV along with endpoint detection and response (EDR), including automated orchestration.

▪ Top-rated Next Gen Endpoint Protection: multiple machine learning-based engines provide NSS Labs recommended advanced endpoint protection
▪ Behavior-based EDR: host-based code tracing and other techniques assess runtime operation, detect suspicious activity
▪ Automated Orchestration Framework: cloud-based analytics provide incident classification and predefined playbooks enable automated response


What makes FortiEDR different?

• Protection at the kernel level
• Pre-Execution Prevention
• Exfiltration Prevention
• Ransomware Prevention
• Patented
• Automated Remediation “Playbooks”
• Lowest footprint in the industry
  • Less than 30MB on disk
  • Less than ~100MB RAM
• Effective offline protection
• No DLL Injection


Advantages

Protection Efficacy
• Real time protection
• Pre- and post-infection with automated containment
• Stop breach and ransomware destruction
• Off line Protection
• Automated detection and response
• Behavioral-based detection
• Orchestrated, automated remediation (with playbooks)
• No business disruptions
• Forensic Investigation and threat hunting
• Retrieve memory snapshot for File-less malware investigation
• Patented Code-Tracing technology – attack story drill down
• Attack surface reduction
• Discovery: vulnerability, applications, rogue devices
• Virtual patching, USB device control

Operational Efficiency
• Light and fast
• Less than 1% CPU
• Minimal network traffic (1.5 kb per host)
• Minimize post infection disruption
• Containment and remediation without taking machines off-line
• Remediate and roll back malicious changes
• Eliminate the need to re-image
• Platform Coverage
  • Windows, Mac, Linux
  • Legacy OS – Windows XP, Windows 2003, Windows embedded, Windows Core
  • Virtual machines, and VDI
• Deployment options
  • Cloud, on-prem, and hybrid
  • Supports multitenancy for MSSP/MDR providers


FortiEDR
Detect, Defuse, Respond and Remote Remediation

Pre-infection / Pre-execution:
• Discover (Proactive risk mitigation): Application & Reputation; Discover rogue devices & IoT; Vulnerabilities; Virtual patching
• Prevent (Pre-execution protection): ML AV; FortiGuard Threat Intelligence; Sandbox Integration; Desktop firewall; Web filtering

Post-infection / Post-execution:
• Detect (File-less and advanced threats): Behavioral based; Detect memory based attacks; Threat classification; Built-in MITRE tags
• Defuse (Stop Breach and Ransomware): Block malicious actions; Prevent data loss; Zero Dwell time
• Respond & Remediate, Investigate & Roll back (Full attack visibility): Playbook automation; Cross platform response; Forensic data; Behavioral-based threat hunting
• Automated Dis-infection: Clean up / Roll back; Eliminate re-image/rebuild; Minimize business disruption

Automation | Cloud . Hybrid . Air-gap deployment | OS coverage


Hacker’s Recommendation


Solution Reference Architectures

Fortinet Enhanced ISA99 Purdue Model
Based on IEC 62443 Guidance

Diagram: Purdue Levels with Operational Segments, Enforcement Boundaries, Digital Assets and the Fortinet Security Fabric controls (Network / Security) at each level.
• Level 5 Enterprise Network and Level 4 Business Planning & Logistics (Site): Enterprise Segment (IT, IoT, Business & Operations), Corporate Network / Security Operations Center, Cloud Security, Enterprise Wireless (Wi-Fi, 5G) behind a Wireless Boundary and an IoT Boundary
• Major Enforcement Boundary
• Level 3.5 Industrial DMZ: Security Management, SIEM, SOAR
• Major Enforcement Boundary
• Level 3 Operations & Control (Simulation, Engineering, Test): Operations & Control Segment, Industrial Wireless (RAN, Wi-Fi, 5G) behind a Wireless Boundary and an IIoT Boundary, Sandbox, Honeypot, Advanced Threat Protection
• Minor Enforcement Boundary
• Level 2 Area Supervisory Control (HMIs, Historians), Level 1 Basic Control (PLC, RTU, IED), Level 0 Process (Actuators, Sensors): Process Control Segment with Network Access Control, Application Control, Intrusion Detection & Prevention, Endpoint Detection & Response, Protocol Inspection, Virtual Patching
• Air-gap / Major Enforcement Boundary
• Safety & Protection Segment: S SIS Safety Instrumented System
Customer Journey for Securing OT Infrastructure

Step 1. Basic Visibility & Control
- NGFW w/ OT protocol & vulnerability protection

Step 2. Visibility & Configuration
- Add Management & Analytics

Step 3. Internal segmentation
- OT Segmentation Firewall w/ OT-specific protections
- Industrial Switching & Wireless

Step 4. Access Control
- User Authentication (with MFA)
- Device Authentication with NAC
- Device Protection, Detection and Response (EDR)
- Insider Threat Detection (UEBA)

Step 5. Application Security
- Add WAF
- Secure Cloud-based Apps
- Secure remote access

Step 6. Defend Against Unknowns
- Add Sandbox
- Add Deception Technologies
- Add SIEM


Applying Fortinet’s Reference Architecture to Purdue

Diagram: Purdue levels mapped to Fortinet products.
• Level External (Internet): FortiGuard Global Intelligence, FortiGuard Threat Intelligence Service, Remote User, Remote Vendor
• Level 5 Internet DMZ (Enterprise Corporate Environment): FortiGate, Web Servers, Email Servers, FortiWeb, FortiMail
• Level 4 Enterprise LAN (Enterprise Corporate Environment): FortiGate, FSSO, External Authentication Services, Business & Enterprise Servers, Domain Controllers, Desktops
• Operational Technology (OT) Authentication Boundary
• Level 3.5 Operational DC DMZ (Management Zone): FortiSwitch, FortiSIEM, FortiSandbox, FortiManager, FortiAnalyzer, FortiClient EMS Server, FortiAuthenticator, Domain Controller (FSSO)
• Level 3 Operational DC (Manufacturing Zone): FortiGate with FortiLink to FortiSwitch, Private VLANs and Micro Segmentation across the Historian Server Zone, Application Server Zone, Engineering Server Zone, Engineering WorkStation Zone and Operator WorkStation Zone; Zones of Control, Zones and Conduits, Micro Segmentation, Physical and Virtual Segmentation
• Wide Area Network: MPLS, SD-WAN, 3G, 4G, APN, VPN, ADSL, Cable
Purdue, ISA-99, IEC-62443
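An added example, not from the original deck, that turns the zones-and-conduits model of the two Purdue slides into a checkable policy: flows are denied by default, must match a defined conduit, may cross a major enforcement boundary only if they terminate in the industrial DMZ, and may never touch the air-gapped safety segment. The zone names, the numeric rank given to the Internet, the boundary placement and the sample conduits are assumptions of this example.

```python
"""Zones-and-conduits policy check across Purdue levels.

Added example (not from the original deck). Zone names, the rank given to
the Internet, the boundary placement and the sample conduits are assumptions.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Purdue level per zone, following the reference-architecture slides. The
# Internet ("Level External") is ranked above level 5 by assumption.
LEVELS = {
    "internet": 6.0,
    "enterprise_dmz": 5.0,
    "enterprise_lan": 4.0,
    "industrial_dmz": 3.5,
    "operations_control": 3.0,
    "supervisory": 2.0,
    "basic_control": 1.0,
    "process": 0.0,
}
SAFETY_ZONE = "sis"   # Safety Instrumented System, behind the air-gap boundary
DMZ = "industrial_dmz"
# Major enforcement boundaries around the industrial DMZ, as (upper, lower) level pairs.
MAJOR_BOUNDARIES = [(4.0, 3.5), (3.5, 3.0)]


@dataclass(frozen=True)
class Conduit:
    src: str
    dst: str
    protocol: str


def crosses(src: str, dst: str, boundary: Tuple[float, float]) -> bool:
    """True when a flow between src and dst spans the given boundary."""
    upper, lower = boundary
    lo, hi = sorted((LEVELS[src], LEVELS[dst]))
    return lo <= lower and hi >= upper


def check_structure(c: Conduit) -> Tuple[bool, str]:
    """Rules every conduit must satisfy regardless of the allow-list."""
    if SAFETY_ZONE in (c.src, c.dst):
        return False, "safety segment is air-gapped: no network conduit allowed"
    for zone in (c.src, c.dst):
        if zone not in LEVELS:
            return False, f"unknown zone {zone!r}"
    for boundary in MAJOR_BOUNDARIES:
        if crosses(c.src, c.dst, boundary) and DMZ not in (c.src, c.dst):
            return False, f"crosses major enforcement boundary {boundary} without terminating in the industrial DMZ"
    return True, "structurally valid"


def evaluate_flow(src: str, dst: str, protocol: str, conduits: List[Conduit]) -> Tuple[str, str]:
    """Decide a flow: structural rules first, then the explicit conduit allow-list (default deny)."""
    c = Conduit(src, dst, protocol)
    ok, why = check_structure(c)
    if not ok:
        return "deny", why
    if c not in conduits:
        return "deny", "no conduit defined for this flow (default deny)"
    return "allow", "matches defined conduit"


def audit(conduits: List[Conduit]) -> List[Tuple[Conduit, str]]:
    """Report conduits in the configuration that break the boundary rules."""
    findings = []
    for c in conduits:
        ok, why = check_structure(c)
        if not ok:
            findings.append((c, why))
    return findings


# Constructed conduit allow-list; the last entry is a deliberate misconfiguration
# (an IT workstation talking Modbus straight into the supervisory zone).
SAMPLE_CONDUITS = [
    Conduit("enterprise_lan", "industrial_dmz", "https"),        # historian replica in the DMZ
    Conduit("industrial_dmz", "operations_control", "rdp"),      # jump host into the plant
    Conduit("operations_control", "supervisory", "opc-ua"),
    Conduit("supervisory", "basic_control", "modbus-tcp"),       # HMI to PLC
    Conduit("enterprise_lan", "supervisory", "modbus-tcp"),      # misconfiguration
]

if __name__ == "__main__":
    print(evaluate_flow("enterprise_lan", "basic_control", "modbus-tcp", SAMPLE_CONDUITS))
    for conduit, why in audit(SAMPLE_CONDUITS):
        print("AUDIT:", conduit, why)
```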


Deploy Defense in Depth with a Single Pane of Glass

Defense in Depth usually requires many point-products. Fortinet Answer: the Fortinet Security Fabric.
• BROAD: visibility of the entire digital attack surface
• INTEGRATED: AI-driven breach prevention across devices, networks, Cloud and applications
• AUTOMATED: operations, orchestration, and response (NOC, SOC)

Diagram: FortiOS at the centre, surrounded by the Fabric Management Center, Adaptive Cloud Security, Zero Trust Access, Secure WLAN/LAN Access, Security-Driven Networking and FortiGuard Threat Intelligence.


Security Best Practices for Cyber Risk Mitigation

• Visibility Across the Digital Attack Surface, From IT to OT: New “Edges” expand the digital attack surface. Enable visibility over all vectors with a platform of detection.
• Protect Against Sophisticated Threats: Breaches and ransomware continue to increase. Protect across all devices, networks, and applications.
• Simplify Compliance: Global, Country, Province, Industry and Government Regulation. Secure network and data from end-to-end and make reporting easier.
• Adopt an Intelligent and Structured Security Architecture: Complexity is the enemy of an effective security posture. Too many vendors, too many alerts, not enough skilled people. Automatically prevent, detect, and respond to cyber threats.