Executive Summary
The benefits of digital transformation (DX) have driven organizations to adopt new technologies that take time to transition into the scope of security operations. Industrial organizations with substantial operational technology (OT), such as industrial control systems (ICS) and supervisory control and data acquisition (SCADA) equipment, are no exception. OT environments face bigger DX challenges, however, because the technologies involved are often quite old. Now that these legacy OT systems are connecting to IT systems, they are exposed to all manner of threats. The attack surface continues to increase, and this convergence of IT and OT brings new risks to operational environments.

Fortinet has proven solution sets that ensure connected industrial assets are protected, even when new connectivity to them is a byproduct of DX. The security controls deployed cover every aspect of the data chain, from each level of the Purdue model, through the technologies that connect industrial plants, to the data center or cloud, all the way up to the data stored and analytics running in the cloud.

Sidebar: OT environments that were traditionally separated are no longer completely isolated. They now have direct connections for business, OEMs, and other third parties.1
[Figure: Purdue-model view of a converged IT/OT environment. Labels: Business & IT Enterprise Zones; Operations & ICS / OT Control Zones; Major enforcement boundary between them; Users need secure remote access to OT; Data from industrial networks to cloud; SIEM; SOAR; SD-WAN / 5G VPN; Honeypot; Cyber intrusions and security violations.]
WHITE PAPER | Securely Enable Industrial Digital Transformation
Cloud Security
In the push toward digital acceleration, cloud adoption and migrating applications to the cloud are key success factors. Most industrial digital transformation initiatives require powerful cloud-hosted analytics, such as digital twins, that anticipate equipment failure and optimize maintenance activities by moving from calendar-based maintenance to condition-based maintenance. Additionally, Work Maintenance Management Systems (WMMS) and manufacturing execution systems (MES) are being deployed in the cloud to enable work order management and operational excellence more cost effectively.

Fortinet secures these and other cloud applications with flexible, well-integrated security solutions across the build, deploy, and run stages of the application journey.

Sidebar: Only 13% of security operations teams feel they have 100% visibility of OT activities, a number that has declined from 2020, when it was 23%.2
Fortinet Cloud Security helps organizations secure converged IT/OT environments with:
- A broad portfolio of cloud solutions to empower organizations to achieve any use case on any cloud, and evolve as needed
- Deep, seamless integrations across clouds and an open ecosystem to deliver cloud-native protections and reduce friction across cloud deployments
- Flexible consumption models so organizations can scale dynamically and balance financial goals such as OpEx considerations
Secure SD-WAN
Legacy network designs and router-centric, costly multiprotocol label switching (MPLS) connectivity are not optimal for today’s digital transformation, which leverages the cloud and digital processes. Furthermore, internet connectivity can be insecure, unreliable, and unpredictable. Fortinet Secure SD-WAN converges networking and security, scales to meet the needs of the business, and can classify and identify IT and OT traffic to apply appropriate policies.
Our unique Secure SD-WAN solution is built into every FortiGate Next-Generation Firewall (NGFW), enabling industrial sites to
build a modern, security-driven network that optimizes access to applications no matter where they reside. Secure SD-WAN
includes secure local internet breakout and over 5,000 applications classified, including industrial applications. This enables
traffic to be intelligently and dynamically steered over appropriate links based on defined service-level agreement (SLA)
policies, ensuring business productivity and quality of experience. With centralized management and a dashboard across the
whole network and security stack, the delivery of network services across their entire life cycle (Day 0, Day 1, and Day 2+) at
large scale is automated. This removes manual configuration, a major cause of downtime and security breaches.
5G Wireless WAN
Industrial sites relying on edge broadband connectivity to cloud and data center applications need greater resiliency. While
wired options like cable, DSL, and fiber can help, relying solely on these options exposes industrial sites to downtime and
security risks from the internet.
FortiExtender provides 5G/LTE fixed wireless access (FWA) for industrial sites. It extends the broadband edge where wired
options are limited and ensures reliable connectivity where wired is already being leveraged. Dual SIM gateway models provide
active-passive cellular failover, while dual-modem options provide active-active high-availability, as well as load balancing
across carriers.
An integral part of the Fortinet Security Fabric, FortiExtender 5G/LTE wireless wide-area network (WAN) gateways effortlessly
integrate with FortiGate appliances as an IP passthrough device. Simply connect FortiExtender to the FortiGate via Power over
Ethernet (PoE). The wireless edge can then be managed within the FortiGate and FortiManager dashboards.
FortiGate NGFWs deliver superior performance via proprietary security processing units (SPUs) and a single operating system, FortiOS, across many functions. At the same time, they provide the context to make sure only the right people access the right applications, with consistent posture reassessments and effective enforcement. FortiGate NGFWs provide several OT-specific features, such as:
- A native OT asset visualization and topology dashboard following the Purdue model layout, built directly into the firewall
- Application control policies that allow write authorization on 40+ protocols and payload-specific bounding on IEC 60870-5-104 (IEC 104), Modbus TCP, and RealPort DNP3
- Intrusion prevention system (IPS) signatures supporting more ICS vulnerability signatures than other vendors
- Support for air-gapped licensing and content updates
- Consistent real-time defense with FortiGuard Security Services for OT
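As an added illustration (not Fortinet's code, and not a description of how FortiOS implements it) of what "write authorization" and "payload-specific bounding" mean for one of the protocols listed above, this constructed Python example parses a Modbus TCP request, classifies it as a read or a write by function code, and applies a policy that permits writes only from listed sources and only for values inside a configured per-register bound. The frames, IP addresses, register number and bounds are constructed sample data.

```python
import struct

# Modbus function codes that change PLC state (writes) vs. those that only read.
WRITE_FCS = {5: "write_single_coil", 6: "write_single_register",
             15: "write_multiple_coils", 16: "write_multiple_registers"}
READ_FCS = {1: "read_coils", 2: "read_discrete_inputs",
            3: "read_holding_registers", 4: "read_input_registers"}


def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse the MBAP header and PDU of one Modbus TCP request into a dict."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    # Protocol id is always 0; the length field counts unit id + PDU bytes.
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("malformed MBAP header")
    fc, pdu = frame[7], frame[8:]
    req = {"tid": tid, "unit": unit, "fc": fc,
           "name": WRITE_FCS.get(fc) or READ_FCS.get(fc, "other"),
           "write": fc in WRITE_FCS}
    if fc in WRITE_FCS and len(pdu) >= 4:
        req["address"] = struct.unpack(">H", pdu[:2])[0]
        if fc == 6:  # a single-register write carries its value inline
            req["value"] = struct.unpack(">H", pdu[2:4])[0]
    return req


def policy_decision(frame: bytes, src_ip: str, policy: dict) -> str:
    """Return 'allow' or 'deny: <reason>' for one request from src_ip.

    policy = {"write_sources": {ip, ...},          # hosts allowed to write
              "bounds": {address: (lo, hi), ...}}  # permitted register values
    """
    req = parse_modbus_tcp(frame)
    if not req["write"]:
        return "allow"  # read-only functions pass from any source
    if src_ip not in policy["write_sources"]:
        return f"deny: {req['name']} from unauthorized source {src_ip}"
    lo, hi = policy["bounds"].get(req.get("address"), (None, None))
    if "value" in req and lo is not None and not lo <= req["value"] <= hi:
        return f"deny: value {req['value']} outside bounds [{lo}, {hi}]"
    return "allow"


# Constructed sample frames: read 10 holding registers from address 0,
# and write the value 500 to holding register 16 (hypothetical setpoint).
READ_REQ = bytes.fromhex("000100000006" "01" "03" "0000000a")
WRITE_REQ = bytes.fromhex("000200000006" "01" "06" "0010" "01f4")
POLICY = {"write_sources": {"10.1.2.3"}, "bounds": {16: (0, 1000)}}
```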
Rugged Firewalls
While traditional security solutions are designed and intended for the world of offices and corporations, the FortiGate Rugged
Series offers an industrially hardened, all-in-one security appliance that delivers specialized threat protection for securing
critical industrial and control networks against malicious attacks. FortiGate Rugged NGFWs deliver enterprise security for OT
environments with full network visibility and threat protection. FortiGate Rugged Series NGFWs are designed for harsh and
industrial environments that require wider tolerances for vibration, humidity, temperature, and more.
These firewalls have the same core capabilities as non-ruggedized FortiGates, including:
- Reliable connectivity with lower costs via built-in SD-WAN
- Secure remote access with built-in ZTNA access proxy, multi-factor authentication (MFA), and single sign-on (SSO) capabilities
- Security Fabric integration for faster response to threats
The FortiAPs can be directly managed by FortiGate NGFWs, ensuring that the wireless edge is secured as an extension of
the firewall. As part of the Fortinet Security Fabric, the Fortinet wireless portfolio delivers the most secure wireless local-area
network (WLAN) option available, enabling wireless clients without security risk.
For more than a decade, Fortinet has protected OT environments in critical infrastructure sectors such as energy, defense,
manufacturing, food, and transportation.
1. “Reduce Risk to Human Life by Implementing This OT Security Control Framework,” Gartner, June 17, 2021.
2. “2022 State of Operational Technology and Cybersecurity Report,” Fortinet, June 2022.
3. Keith Stouffer, et al., “Guide to Operational Technology (OT) Security,” NIST, April 2022.
4. “Alert bulletin: Cyberattacks targeting OT systems,” Almond Consulting, May 11, 2022.
5. Stephen J. Bigelow and Ben Lutkevich, “What is IT/OT convergence? Everything you need to know,” TechTarget, accessed September 18, 2022.
www.fortinet.com
Copyright © 2022 Fortinet, Inc. All rights reserved.