
WHITE PAPER

Securely Enable Industrial Digital Transformation
Fortinet Delivers Comprehensive OT Security
WHITE PAPER | Securely Enable Industrial Digital Transformation

Executive Summary
The benefits of digital transformation (DX) have driven organizations to adopt new technologies that take time to bring within the scope of security operations. Industrial organizations with substantial operational technology (OT), such as industrial control systems (ICS) and supervisory control and data acquisition (SCADA) equipment, are no exception. OT environments face bigger DX challenges, however, because the technologies involved are often quite old. Now that these legacy OT systems are connecting to IT systems, they are exposed to all manner of threats. The attack surface continues to grow, and this convergence of IT and OT brings new risks to operational environments.

Fortinet has proven solution sets that ensure connected industrial assets are protected, even when new connectivity to them is a byproduct of DX. The security controls deployed cover every link of the data chain: each level of the Purdue model, the technologies that connect industrial plants to the data center or cloud, and the data stored and analytics running in the cloud.

OT environments that were traditionally separated are no longer completely isolated. They now have direct connections for business, OEMs, and other third parties.1

IT/OT Convergence Brings Benefits and Risks


Cyber-physical convergence increases the number of devices exposed to attack and gives attackers a hybrid ecosystem to
leverage in their attack chain. Advanced threats can effectively make their way across all parts of an organization’s network,
including OT systems in industrial, manufacturing, and critical infrastructure environments. Now any threat that is capable of
a successful IT breach has a pathway to vulnerable and potentially valuable targets on the OT side. The introduction of new
technologies, such as the Industrial Internet of Things (IIoT) and 5G, further expands the attack surface, exposing industrial
systems to increased risk.

The Fortinet Security Fabric Protects the Entire IT/OT Environment


The Fortinet Security Fabric is a cybersecurity mesh platform that reduces operational complexity while ensuring compliance.
It emphasizes interoperability as well as analytics, intelligence, centralized management, and automation. It also integrates with
a broad ecosystem of technologies and vendors, including OT. Built-in operational efficiencies reduce resource needs as well.

Figure 1. Fortinet solutions for OT environments. The figure maps the Purdue model zones (Cloud & External Zones; Business & IT Enterprise Zones; Operations & Control Zones; Process Control Zones; Safety & Protection Zones), separated by major and minor enforcement boundaries, against the challenges of converged IT/OT operations (cloud digital transformation, remote access, convergence, threats and vulnerabilities; users who need secure remote access to OT; data flowing from industrial networks to the cloud; insecure and legacy assets; cyber intrusions and security violations; vulnerabilities and exposures; complexities) and the Fortinet controls applied at each level: Cloud Security, SIEM, ZTNA, SOAR, SD-WAN / 5G VPN, honeypot, NGFW, single sign-on, centralized policy management, secure switching, multi-factor authentication, centralized logging and reporting, third-party integrations, rugged firewalls, switches and access points, network access control, and endpoint detection and response integration.


Cloud Security
In the push toward digital acceleration, cloud adoption and migrating applications to the cloud are key success factors. Most industrial digital transformation initiatives require powerful cloud-hosted analytics, such as digital twins, that anticipate equipment failure and optimize maintenance activities by moving from calendar-based maintenance to condition-based maintenance. Additionally, Work Maintenance Management Systems (WMMS) and manufacturing execution systems (MES) are being deployed in the cloud to enable work order management and operational excellence more cost effectively.

Fortinet secures these and other cloud applications with flexible, well-integrated security solutions across the build, deploy, and run stages of the application journey. Fortinet Cloud Security helps organizations secure converged IT/OT environments with:
• A broad portfolio of cloud solutions to empower organizations to achieve any use case on any cloud, and evolve as needed
• Deep, seamless integrations across clouds and an open ecosystem to deliver cloud-native protections and reduce friction across cloud deployments
• Flexible consumption models so organizations can scale dynamically and balance financial goals such as OpEx considerations

Only 13% of security operations teams feel they have 100% visibility of OT activities, a number that has declined from 2020, when it was 23%.2

Secure SD-WAN
Legacy network designs and router-centric, costly multiprotocol label switching (MPLS) connectivity are not optimal for today's digital transformation, which leverages the cloud and digital processes. Furthermore, internet connectivity can be insecure, unreliable, and unpredictable. Fortinet Secure SD-WAN converges networking and security, scales to meet the needs of the business, and can classify and identify IT and OT traffic to apply appropriate policies.

Our unique Secure SD-WAN solution is built into every FortiGate Next-Generation Firewall (NGFW), enabling industrial sites to
build a modern, security-driven network that optimizes access to applications no matter where they reside. Secure SD-WAN
includes secure local internet breakout and over 5,000 applications classified, including industrial applications. This enables
traffic to be intelligently and dynamically steered over appropriate links based on defined service-level agreement (SLA)
policies, ensuring business productivity and quality of experience. With centralized management and a dashboard across the
whole network and security stack, the delivery of network services across their entire life cycle (Day 0, Day 1, and Day 2+) at
large scale is automated. This removes manual configuration, a major cause of downtime and security breaches.

5G Wireless WAN
Industrial sites relying on edge broadband connectivity to cloud and data center applications need greater resiliency. While
wired options like cable, DSL, and fiber can help, relying solely on these options exposes industrial sites to downtime and
security risks from the internet.

FortiExtender provides 5G/LTE fixed wireless access (FWA) for industrial sites. It extends the broadband edge where wired
options are limited and ensures reliable connectivity where wired is already being leveraged. Dual SIM gateway models provide
active-passive cellular failover, while dual-modem options provide active-active high-availability, as well as load balancing
across carriers.

An integral part of the Fortinet Security Fabric, FortiExtender 5G/LTE wireless wide-area network (WAN) gateways effortlessly
integrate with FortiGate appliances as an IP passthrough device. Simply connect FortiExtender to the FortiGate via Power over
Ethernet (PoE). The wireless edge can then be managed within the FortiGate and FortiManager dashboards.


Network Next-Generation Firewall


“In a global context of rising threats, industrial companies appear to be prime targets and face the proliferation of tools designed specifically to target their OT systems.”4

As OT systems continue to be favorite targets of bad actors, security controls need to do more and act intelligently. At the core of the Security Fabric are FortiGate NGFWs. They include AI-powered security and threat protection for OT sites at any scale, with ruggedized models for outdoor or harsh environments.

FortiGate NGFWs provide deep visibility across the OT network, identifying applications beyond Layer 3 and Layer 4 methods by using Layer 7 capabilities such as signatures and heuristics. FortiGate also identifies users on the network with data that goes beyond IP address and Active Directory (AD) records to ensure accurate and effective permissions and policies. FortiGate can also identify and categorize connected devices, with signatures to recognize both Internet-of-Things (IoT) and OT devices and their associated threats and vulnerabilities.

When building the Fortinet Security Fabric in an OT environment, FortiGate NGFWs can sit at the core or the edge, integrating many network, access, and segmentation services such as Secure SD-WAN, SD-branch with LTE/5G, and universal zero-trust network access (ZTNA).

“Threats to OT systems can come from numerous sources, including hostile governments, terrorist groups, disgruntled employees, malicious intruders, complexities, accidents, and natural disasters as well as malicious actions by insiders.”3

FortiGate NGFWs deliver superior performance via proprietary security processing units (SPUs) and a single operating system, FortiOS, across many functions. At the same time, FortiOS provides the context to make sure only the right people access the right applications, with consistent posture reassessments and effective enforcement. FortiGate NGFWs provide several OT-specific features, such as:

• A native OT asset visualization and topology dashboard following the Purdue model layout, built directly into the firewall
• Application control policies that allow write authorization on 40+ protocols and payload-specific bounding on IEC 60870-5-104 (IEC 104), Modbus TCP, and RealPort DNP3
• Intrusion prevention system (IPS) signatures, with more ICS vulnerability signatures than other vendors
• Support for air-gapped licensing and content updates
• Consistent real-time defense with FortiGuard Security Services for OT
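To make "write authorization" and "payload-specific bounding" concrete at the protocol level, here is an added example; it is not FortiOS code or any Fortinet implementation. It parses a Modbus/TCP request frame, admits read function codes from any host, admits write function codes only from an authorized engineering workstation, and then checks that the written coil or register range lies within a bound configured for the target unit. The host addresses, the register bounds, and the sample frames are constructed for the example.

```python
"""Illustrative Modbus/TCP write-authorization check (added example; not FortiOS code).

Read function codes pass; write function codes must come from an authorized
source and stay inside a per-unit writable range. Hosts, bounds and frames
below are constructed for the example.
"""
import struct
from dataclasses import dataclass

# Public Modbus function codes and the address space each one touches.
READ_FUNCTIONS = {1: "coil", 2: "discrete", 3: "holding", 4: "input"}
WRITE_FUNCTIONS = {5: "coil", 6: "holding", 15: "coil", 16: "holding"}


@dataclass(frozen=True)
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    start_address: int
    quantity: int


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header and the address/quantity fields of the PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    tid, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError("protocol identifier must be 0 for Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field disagrees with frame size")
    fc = frame[7]
    pdu = frame[8:]
    if fc in (1, 2, 3, 4, 15, 16):
        # starting address (2 bytes) followed by quantity (2 bytes)
        if len(pdu) < 4:
            raise ValueError("truncated PDU")
        start, qty = struct.unpack(">HH", pdu[:4])
    elif fc in (5, 6):
        # output address (2 bytes) followed by a single value
        if len(pdu) < 4:
            raise ValueError("truncated PDU")
        start, qty = struct.unpack(">H", pdu[:2])[0], 1
    else:
        # Unknown or vendor-specific code: parsed, but the policy below denies it.
        start, qty = 0, 0
    return ModbusRequest(tid, unit_id, fc, start, qty)


@dataclass(frozen=True)
class WritePolicy:
    allowed_writers: frozenset   # source IPs permitted to issue writes at all
    writable: dict               # (unit_id, space) -> (low, high), inclusive


def evaluate(src_ip: str, frame: bytes, policy: WritePolicy) -> tuple:
    """Return ("allow"|"deny", reason) for one request frame sent by src_ip."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as exc:
        return "deny", f"malformed: {exc}"
    if req.function_code in READ_FUNCTIONS:
        return "allow", f"read fc={req.function_code}"
    if req.function_code not in WRITE_FUNCTIONS:
        return "deny", f"function code {req.function_code} not permitted"
    if src_ip not in policy.allowed_writers:
        return "deny", f"{src_ip} is not an authorized writer"
    space = WRITE_FUNCTIONS[req.function_code]
    bounds = policy.writable.get((req.unit_id, space))
    if bounds is None:
        return "deny", f"no writable {space} range on unit {req.unit_id}"
    low, high = bounds
    last = req.start_address + req.quantity - 1
    if req.start_address < low or last > high:
        return "deny", f"write {req.start_address}-{last} outside {low}-{high}"
    return "allow", f"write fc={req.function_code} {req.start_address}-{last}"


# Constructed policy: only the engineering workstation (assumed 10.1.3.10) may
# write, and only holding registers 100-199 on unit 1.
POLICY = WritePolicy(frozenset({"10.1.3.10"}), {(1, "holding"): (100, 199)})

# Constructed sample frames (MBAP header + PDU), big-endian.
HMI_READ = bytes.fromhex("0001 0000 0006 01 03 0000 000a")                  # read 10 holding regs
EWS_WRITE_OK = bytes.fromhex("0002 0000 000b 01 10 0064 0002 04 0001 0002")  # write regs 100-101
HMI_WRITE = bytes.fromhex("0003 0000 0006 01 06 0064 0000")                 # HMI attempts a write
EWS_WRITE_OOB = bytes.fromhex("0004 0000 0009 01 10 01f4 0001 02 0000")     # write reg 500

if __name__ == "__main__":
    for who, frame in [("10.1.4.20", HMI_READ), ("10.1.3.10", EWS_WRITE_OK),
                       ("10.1.4.20", HMI_WRITE), ("10.1.3.10", EWS_WRITE_OOB)]:
        print(who, *evaluate(who, frame, POLICY))
```

Run as a script, it prints the four decisions; on a firewall each "deny" would map to a drop-and-log action. The check works on a single request frame, so a real inspector must also reassemble the TCP stream and pair requests with responses before applying this logic.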

Rugged Firewalls
While traditional security solutions are designed and intended for the world of offices and corporations, the FortiGate Rugged
Series offers an industrially hardened, all-in-one security appliance that delivers specialized threat protection for securing
critical industrial and control networks against malicious attacks. FortiGate Rugged NGFWs deliver enterprise security for OT
environments with full network visibility and threat protection. FortiGate Rugged Series NGFWs are designed for harsh and
industrial environments that require wider tolerances for vibration, humidity, temperature, and more.

These firewalls have the same core capabilities as non-ruggedized FortiGates, including:
• Reliable connectivity with lower costs via built-in SD-WAN
• Secure remote access with built-in ZTNA access proxy, multi-factor authentication (MFA), and single sign-on (SSO) capabilities
• Security Fabric integration for faster response to threats


Secure, Ruggedized Ethernet Switching


The speed and interoperability of Ethernet can provide significant opportunities
for OT administrators to improve workflows, reduce downtime, and increase
productivity, which in turn can increase overall profitability. The reliability and
redundancy of Ethernet has made Ethernet switching a common starting point in
the IT/OT convergence journey.

Fortinet offers a secure, simple, and scalable approach to Ethernet networking through the convergence of security and networking. With IT/OT convergence, security is paramount, as administrators must ensure network uptime and high performance. The Fortinet Security Fabric enables a flexible architecture that can be easily deployed, managed, and secured. FortiSwitch integration into FortiGates enables an easy-to-implement Ethernet solution that simplifies the administration of common tasks such as segmentation and microsegmentation in OT environments. FortiLink-managed FortiSwitch Ethernet ports have the same level of inspection and security as FortiGate NGFW ports. Fortinet also has ruggedized Ethernet switches for deployment in challenging OT environments.

Where IT systems rarely last more than five years, OT systems can have life cycles that measure into decades. Such legacy systems typically incorporated few, if any, security features and can't be upgraded because of proprietary designs or protocols.5

IP67-Rated Access Points


Wi-Fi has rapidly become the connectivity choice across environments because it allows local-area network (LAN) connectivity
while still allowing for client device mobility. FortiAP Wi-Fi access points are available in IP67-rated models that can support
deployment in a variety of industrial environments, from outdoor shipping yards to freezer units, and everything in between.
They offer the latest in Wi-Fi connectivity standards.

The FortiAPs can be directly managed by FortiGate NGFWs, ensuring that the wireless edge is secured as an extension of the firewall. As part of the Fortinet Security Fabric, the Fortinet wireless portfolio delivers a secure WLAN option: wireless clients are brought under the same policy and inspection as the wired network rather than becoming an unmanaged path into OT.

Fortinet Delivers Proven OT Solutions


To secure industrial digital transformation, the Fortinet Security Fabric provides multiple levels of segmentation, converged
security and networking, Secure SD-WAN, and comprehensive multi- and hybrid-cloud security. Having all of these capabilities
integrated in one platform simplifies operations, increases security, and reduces costs and resource needs.

For more than a decade, Fortinet has protected OT environments in critical infrastructure sectors such as energy, defense,
manufacturing, food, and transportation.

Learn more about Fortinet solutions for OT environments.

1. “Reduce Risk to Human Life by Implementing This OT Security Control Framework,” Gartner, June 17, 2021.
2. “2022 State of Operational Technology and Cybersecurity Report,” Fortinet, June 2022.
3. Keith Stouffer, et al., “Guide to Operational Technology (OT) Security,” NIST, April 2022.
4. “Alert bulletin: Cyberattacks targeting OT systems,” Almond Consulting, May 11, 2022.
5. Stephen J. Bigelow and Ben Lutkevich, “What is IT/OT convergence? Everything you need to know,” TechTarget, accessed September 18, 2022.

www.fortinet.com

Copyright © 2022 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product
or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other
conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser
that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any
such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise
revise this publication without notice, and the most current version of the publication shall be applicable.

September 29, 2022 9:27 AM


1759465-0-0-EN
