SOLUTION GUIDE
Securing Industrial Control Systems with Fortinet
IEC-62443 compliant end-to-end security
www.fortinet.com
Executive Summary
In recent years, the Industrial Control Systems (ICS) upon which much of our critical infrastructure and manufacturing industry depends,
have come under increasingly frequent and sophisticated cyber-attack.
In part, this is a consequence of the inevitable convergence of Operational Technology (OT) with Information Technology (IT). As in all
spheres of computing, the advantages of increased network connectivity through open standards such as Ethernet and TCP/IP, as well
as the cost savings derived from replacing dedicated proprietary equipment with off-the-shelf hardware and software, come at the cost
of increased vulnerability.
However, while the impact of a security breach on most IT systems is limited to financial loss, attacks on ICS have the added potential
to destroy equipment, threaten national security, and even endanger human life.
With this critical distinction also comes a troubling difference in the profile and motivations of potential attackers. While the lion’s share
of modern cybercrime is motivated by financial reward, ICS have recently become attractive targets for terrorism and cyber-warfare.
As a consequence, the financial and human resources available to its perpetrators can be an order of magnitude greater than those of
conventional cybercriminals. This is especially true of highly targeted state-sponsored attacks, of which STUXNET (first appearing back
in 2010) is considered one of the most sophisticated examples so far.
The purpose of this solutions guide is to show how, in spite of these and many other challenges, Fortinet’s Solutions can help to ensure
the safety and reliability of ICS - and in particular those employing Supervisory Control and Data Acquisition (SCADA) - through the
application of standards-compliant multi-layered network security.
SOLUTION GUIDE: SECURING INDUSTRIAL CONTROL
Potential Vulnerabilities
Due to their unique history and conception, separate from the evolving world of IT, ICS present a number of unique challenges:
• Inherent lack of security: Much of the technology underpinning ICS, while extremely robust and reliable, was never designed to be
accessible from remote networks, and so security relied instead upon restricted physical access, and the relative obscurity of its
components (e.g. RTUs, PLCs etc.) and their (mostly serial) communications protocols (e.g. Modbus, RP-570, Profibus, Conitel etc.).
• The “air-gap” fallacy: The superficially seductive idea of creating an “air-gap” between the ICS and all other networks is no longer
realistic for the vast majority of real-life applications. As more and more of today’s ICS components rely on software updates and
periodic patching, it is now virtually impossible to avoid at least occasional data transfer into the ICS. Even in the absence of
permanent network connections (or those employing only unidirectional devices such as optical data diodes), ‘air-gapped’ networks
are still vulnerable to the connection of infected PCs or storage devices such as USB drives (one of the infection vectors
of STUXNET).
• Expanding Attack Surface: As proprietary, dedicated solutions are replaced with off-the-shelf hardware and software, employing open
standards such as Ethernet, TCP/IP, and Wi-Fi, the number of potential vulnerabilities increases exponentially. The recent proliferation
of mobile devices together with trends such as BYOD only exacerbate the problem further.
• Continued use of outdated hardware and software operating systems (sometimes pre-dating even the very notion of cybersecurity)
which may be incompatible with standard modern defenses such as anti-virus software.
• Infrequent updates and patching due to the complexity, cost, and potential service disruption entailed. It is not always practical, for
example, to interrupt a plant’s operations whenever one of its operational servers needs patching.
• Large numbers of simple, unsecured telemetry devices such as sensors and pressure gauges, whose data, if manipulated, could
nevertheless carry huge consequences for the safety and reliability of the overall system.
• Use of embedded software written with scant adherence to the security techniques and best practices of modern coding.
• Insufficient regulation of component manufacture and supply chain, introducing the possibility of equipment compromise, even prior
to installation.
• Limited Access Control / Permission Management: As previously isolated or closed systems have been interconnected, the controls
imposed on exactly who can access what, have not always kept pace with IT security best practice.
• Poor network segmentation: The standard security practice of partitioning networks into functional segments which, while still
interconnected, nevertheless limit the data and applications that can overlap from one segment to another, is still underutilized within
ICS as a whole.
• Lack of security expertise among the engineers who have traditionally designed and maintained the systems.
Addressing the Problem
The good news is that in recent years, the inherent problems and vulnerabilities of ICS have become more widely recognized, and the
first steps have now been taken to rectify them.
One way this is occurring is through the help of government bodies such as the Industrial Control Systems Cyber Emergency
Response Team (ICS-CERT) in the US, and the Centre for Protection of National Infrastructure (CPNI) in the UK, both of which publish
advice and guidance on security best practice for ICS.
Another way is through the definition of common standards such as ISA/IEC-62443 (formerly ISA-99). Created by the International
Society for Automation (ISA) as ISA-99 and later renumbered 62443 to align with the corresponding International Electro-Technical
Commission (IEC) standards, these documents outline a comprehensive framework for the design, planning, integration and
management of secure ICS.
Although still a work in progress and some way from addressing all vulnerabilities at their most fundamental level, the standard provides
practical guidance, such as the model of ‘zones, conduits, boundaries and security levels’, through which to address the most pressing
deficiencies of ICS network security.
Implementation of the zones and conduits model, which is recommended by both ICS-CERT and CPNI, can greatly reduce the risk of
intrusion, as well as the potential impact should such a breach still occur.
The basic strategy outlined in the standard, is to segment the network into a number of functional ‘zones’ (which may also include
sub-zones), and then to clearly define the ‘conduits’ as all essential data and applications allowed to cross from one zone to another.
Each zone is then assigned a security level from 0 to 5, with 0 representing the highest level of security and 5 the lowest. Strict access
controls can then be imposed limiting access to each zone and conduit based on the authenticated identity of the user or device.
This is a strategy that maps extremely well to the range of capabilities delivered by Fortinet’s Enterprise Solutions, and in particular the
Internal Segmentation Firewall (ISFW).
Securing ICS / SCADA with Fortinet
As with any effective security implementation, the first step is to fully assess the business and operational risks and to define an
appropriate strategy commensurate with those risks. A major part of this will include defining the zones, conduits, boundaries and
security levels outlined in IEC-62443.
This will typically look something like the network represented in figure 1.
[Figure 1: network diagram, not reproduced. Zones shown: Level 5, Internet DMZ; Level 4, Enterprise LAN; Level 3, Operations DMZ; Level 2, Supervisory HMI LAN; Level 1, Controller LAN; Level 0, Instrumentation bus network. Other labels in the diagram: remote user, remote vendor, Web Servers, Authentication Servers, Historian, Domain Controller, AV Server, Web Servers & 3rd Party Applications, Enterprise Desktops, Business Servers, Email Servers, SCADA, DCS, or EMS Systems #1 to #3 (each with a Local HMI), FortiWeb, FortiMail, FortiGate Firewall, FortiGate Rugged Firewall, FortiAuthenticator, FortiManager, FortiSandbox, FortiAnalyzer.]
Figure 1: Security levels as depicted in the ISA S99 standard
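The zones-and-conduits model can be checked against observed traffic by comparing each flow with the table of permitted conduits. The following is an added example, not code from this guide or from Fortinet; zone names follow Figure 1, while the subnets, conduit table and flow records are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Zone names follow the levels in Figure 1; the subnets are constructed sample values.
# Level 0 (instrumentation bus) is left out on the assumption that it is not IP-routed.
ZONES = {
    "internet-dmz":    (5, ip_network("192.0.2.0/24")),
    "enterprise-lan":  (4, ip_network("10.40.0.0/16")),
    "operations-dmz":  (3, ip_network("10.30.0.0/24")),
    "supervisory-hmi": (2, ip_network("10.20.0.0/24")),
    "controller-lan":  (1, ip_network("10.10.0.0/24")),
}

# Conduits: the only traffic allowed to cross a zone boundary, written as
# (source zone, destination zone, transport, destination port).
# Constructed policy; conduits are directional.
CONDUITS = {
    ("enterprise-lan", "operations-dmz", "tcp", 443),     # desktops -> historian web view
    ("supervisory-hmi", "operations-dmz", "tcp", 443),    # HMI -> historian upload
    ("supervisory-hmi", "controller-lan", "tcp", 502),    # Modbus/TCP polling
    ("supervisory-hmi", "controller-lan", "tcp", 20000),  # DNP3 polling
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def zone_of(addr):
    """Return (zone name, level) for an address, or (None, None) if it is in no zone."""
    ip = ip_address(addr)
    for name, (level, net) in ZONES.items():
        if ip in net:
            return name, level
    return None, None


def classify(flow):
    """Return (verdict, levels_crossed) for one flow."""
    src_zone, src_level = zone_of(flow.src)
    dst_zone, dst_level = zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return "unknown-zone", None
    if src_zone == dst_zone:
        return "intra-zone", 0
    crossed = abs(src_level - dst_level)
    if (src_zone, dst_zone, flow.proto.lower(), flow.dport) in CONDUITS:
        return "allowed", crossed
    return "no-conduit", crossed


def audit(flows):
    """Return findings for flows not covered by a conduit, widest crossing first."""
    findings = []
    for flow in flows:
        verdict, crossed = classify(flow)
        if verdict in ("no-conduit", "unknown-zone"):
            findings.append((verdict, crossed, flow))
    # Unknown-zone endpoints sort first: the zone inventory is incomplete there.
    findings.sort(key=lambda item: (item[1] is not None, -(item[1] or 0)))
    return findings


# Constructed flow records, e.g. as exported from firewall or NetFlow logs.
SAMPLE_FLOWS = [
    Flow("10.20.0.15", "10.10.0.21", "tcp", 502),    # HMI polls a controller: conduit exists
    Flow("10.40.3.7", "10.10.0.21", "tcp", 502),     # desktop talks Modbus to a controller
    Flow("10.10.0.21", "10.20.0.15", "tcp", 502),    # reverse direction of a conduit
    Flow("10.20.0.15", "10.20.0.16", "tcp", 3389),   # stays inside one zone
    Flow("172.16.9.9", "10.10.0.21", "tcp", 20000),  # source is in no defined zone
    Flow("10.40.3.7", "10.30.0.5", "tcp", 443),      # desktop reads the historian
]

if __name__ == "__main__":
    for verdict, crossed, flow in audit(SAMPLE_FLOWS):
        print(f"{verdict:12} levels_crossed={crossed} {flow}")
```

Intra-zone traffic is reported as such rather than as allowed, because a boundary check of this kind says nothing about traffic that never crosses one.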
Comprehensive multi-layered Security
With its multi-layered defense in depth, high availability design, and optional rugged form-factor, the FortiGate range of security
appliances is the perfect choice for implementing the zones and conduits model, no matter how critical the ICS infrastructure, or how
harsh the environment.
Using the deployment mode of “Internal Segmentation Firewall” (ISFW), which combines functional and physical segmentation, the
FortiGate combines advanced high-performance firewall functionality and robust two-factor authentication, with anti-virus, intrusion
prevention, URL filtering, and Application Control. With a wide selection of high speed LAN interfaces and the hardware acceleration
derived from its custom ASIC design, the FortiGate has been proven to deliver inter-zone performance in excess of 100Gbps.
Using the granular security policies available with FortiGate’s ISFW deployment mode, ICS zones and conduits can be enforced based
on criteria such as user identity, application, location, and device type. In this way, the FortiGate™ can effectively lock down each zone,
ensuring that only legitimate, prescribed traffic, originating from authorized endpoints can pass from one zone to another.
For an alternative implementation of sub-zones, the FortiGate and FortiSwitch™ appliances also support 802.1Q VLAN traffic tagging,
although in most critical deployments, the ISFW mode provides greater isolation and containment and is therefore recommended over
the use of VLANs.
The embedded security of these highly flexible and scalable products comes from a combination of their operating system, FortiOS™,
the FortiAuthenticator™ and FortiToken™ authentication solutions, and the automated, 24/7, self-learning, continuous threat response
resources of FortiGuard™.
Centralized Management, logging and reporting
Management of the infrastructure, which is all consolidated through the FortiGate, is accomplished via FortiManager™ and
FortiAnalyzer™, combining centralized configuration with reporting, visibility, event logging and analysis, to create a comprehensive,
real-time network monitoring and control center.
Specific ICS- / SCADA-aware functionality
Using predefined and continually updated signatures, the FortiGate can identify and police most of the common ICS / SCADA
protocols (see list below) for the purpose of defining conduits.
This is done through the configuration of security policies in which multiple services, such as IPS, AV, and Application Control can be
mapped to each protocol.
In parallel to this specific protocol support, additional vulnerability protection is provided for applications and devices from the major
ICS manufacturers (see list below) through a complementary set of signatures.
This provides a more granular application-level control of the traffic between zones and enables the FortiGate to detect attempted
exploits of known vulnerabilities relating to any of the supported vendors’ solutions.
Supported ICS / SCADA protocols:
•	 Bacnet
•	 DLMS/COSEM
•	 DNP3
•	 EtherCAT
•	 ICCP
•	 IEC-60870.5.104
•	 Modbus/TCP
•	 OPC
•	 Profinet
Supported ICS manufacturers:
•	 ABB
•	 Advantech
•	 Elcom
•	 GE
•	 Rockwell
•	 Schneider Electric
•	 Siemens
•	 Veeder-Root
•	 Yokogawa
Zone Access Control with FortiAuthenticator and FortiToken
Applying granular control of the access to each zone and conduit based on both user and device is the role of FortiAuthenticator’s integration with FortiGate and directory services.
FortiAuthenticator User Identity Management Appliances provide Two-factor Authentication, RADIUS, LDAP and 802.1X Wireless Authentication, Certificate management and Fortinet Single Sign-on. FortiAuthenticator is compatible with and complements the FortiToken range of Two-Factor Authentication Tokens for Secure Remote Access enabling authentication with multiple FortiGate network security appliances and third party devices. Together, FortiAuthenticator and FortiToken deliver scalable, cost-effective, secure authentication to your entire network infrastructure.
Securing the Historian with FortiDB
All central databases present an attractive target for cyber-attack, but those underpinning ICS may be especially vulnerable since, due to their history, security may not have been a major consideration in their deployment and scripting.
To help assess the current security level, address any vulnerabilities, and monitor all subsequent access for suspicious activity, FortiDB provides a flexible policy framework through which to secure these critical resources.
Securing the Web-based HMI with FortiWeb
While the cost and usability benefits of controlling the ICS through a web-based console are self-evident, the impact of intrusion or compromise to the back-end is clearly much greater within this environment than for most other web-servers.
Using advanced techniques to provide bidirectional protection against malicious sources, application layer DoS Attacks, and sophisticated threats like SQL injection and cross-site scripting, FortiWeb adds another crucial layer to your ICS defenses.
Securing the #1 Attack vector with FortiMail
Although not specific to ICS or its components, unsecured Email – especially when combined with social engineering – remains the #1 attack vector for the majority of known threats.
Protecting against inbound attacks, including advanced malware, as well as outbound threats and data loss, FortiMail™ provides a single solution combining anti-spam, anti-phishing, anti-malware, sandboxing, data leakage prevention (DLP), identity based encryption (IBE), and message archiving.
Responding to Advanced Persistent Threats
Most of the discussion so far has focused on the detection and blocking of attacks through the use of signatures, yet this approach relies on having encountered some close variant of the threat before. With the extensive threat response resources of FortiGuard continually monitoring thousands of live customer networks around the world, this is extremely likely, but with the stakes for ICS intrusion so high, it is essential to also prepare for attacks which have yet to be encountered.
In such a scenario, it becomes crucial that the intrusion is detected rapidly, its propagation limited, and its impact minimized. Here, a critical component of Fortinet’s Advanced Persistent Threat Protection Framework is FortiSandbox™, which is designed to detect and analyze advanced attacks that might bypass more traditional signature-based defenses.
Government Accreditation and Assurance
Compliant with US Federal Government standard FIPS 140-2
level 2 for Cryptographic Modules, and International Common
Criteria certification EAL 4+, Fortinet delivers robust, field-proven,
protection that has been evaluated and tested by numerous
third-party organizations to the highest levels of any multi-layered
security solution.
Summary
Adequately securing ICS presents many significant challenges, some of which clearly go beyond the scope of this solutions guide.
Yet by following the best practices set forth by ICS-CERT / CPNI, and deploying government accredited solutions such as those of
the Fortinet portfolio outlined above, the probability of a successful cyber-attack, as well as its likely impact on the ICS, can be greatly
reduced.
With dedicated support for the ICS / SCADA environment as well as its proven success as a leading provider of multi-layered enterprise
security, Fortinet is uniquely positioned to help our industrial customers overcome their security challenges and protect the safety and
reliability of our most critical infrastructure and services.
GLOBAL HEADQUARTERS
Fortinet Inc.
899 Kifer Road
Sunnyvale, CA 94086
United States
Tel: +1.408.235.7700
www.fortinet.com/sales
EMEA SALES OFFICE
120 rue Albert Caquot
06560, Sophia Antipolis,
France
Tel: +33.4.8987.0510
APAC SALES OFFICE
300 Beach Road 20-01
The Concourse
Singapore 199555
Tel: +65.6513.3730
LATIN AMERICA SALES OFFICE
Prol. Paseo de la Reforma 115 Int. 702
Col. Lomas de Santa Fe,
C.P. 01219
Del. Alvaro Obregón
México D.F.
Tel: 011-52-(55) 5524-8480
Copyright © 2015 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or
company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions
may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly
warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be
limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication
without notice, and the most current version of the publication shall be applicable. 05 Oct 2015 – 5:07 PM MKT-STORAGE:01_BROCHURES:05_SOLUTION_GUIDES:SG-Securing Industrial Control:Securing Industrial Control Folder:Securing Industrial Control

Sb fortinet-nozomi
 
Securing Industrial Control System
Securing Industrial Control SystemSecuring Industrial Control System
Securing Industrial Control System
 
The new era of Cyber Security IEC62443
The new era of Cyber Security IEC62443The new era of Cyber Security IEC62443
The new era of Cyber Security IEC62443
 
White paper scada (2)
White paper scada (2)White paper scada (2)
White paper scada (2)
 
Darktrace white paper_ics_final
Darktrace white paper_ics_finalDarktrace white paper_ics_final
Darktrace white paper_ics_final
 
169
169169
169
 
Standards based security for energy utilities
Standards based security for energy utilitiesStandards based security for energy utilities
Standards based security for energy utilities
 
ICS_WhitePaper_Darktrace
ICS_WhitePaper_DarktraceICS_WhitePaper_Darktrace
ICS_WhitePaper_Darktrace
 
Protecting the movable Endeavor with Network-Based validation and Virtual Com...
Protecting the movable Endeavor with Network-Based validation and Virtual Com...Protecting the movable Endeavor with Network-Based validation and Virtual Com...
Protecting the movable Endeavor with Network-Based validation and Virtual Com...
 
Unit_3.pptx
Unit_3.pptxUnit_3.pptx
Unit_3.pptx
 
Supply Chain Security and Compliance for Embedded Devices & IoT
Supply Chain Security and Compliance for Embedded Devices & IoTSupply Chain Security and Compliance for Embedded Devices & IoT
Supply Chain Security and Compliance for Embedded Devices & IoT
 
Cloud computing security- critical infrastructures
Cloud computing security- critical infrastructuresCloud computing security- critical infrastructures
Cloud computing security- critical infrastructures
 
Network Security v1.0 Network Security v
Network Security v1.0 Network Security vNetwork Security v1.0 Network Security v
Network Security v1.0 Network Security v
 
Demilitarized network to secure the data stored in industrial networks
Demilitarized network to secure the data stored in  industrial networks Demilitarized network to secure the data stored in  industrial networks
Demilitarized network to secure the data stored in industrial networks
 
Robust Cyber Security for Power Utilities
Robust Cyber Security for Power UtilitiesRobust Cyber Security for Power Utilities
Robust Cyber Security for Power Utilities
 
Brochure network security-en
Brochure network security-enBrochure network security-en
Brochure network security-en
 
Cybridge Secure Content Filter for SCADA Networks
Cybridge Secure Content Filter for SCADA NetworksCybridge Secure Content Filter for SCADA Networks
Cybridge Secure Content Filter for SCADA Networks
 
Practical analysis of the cybersecurity of European smart grids
Practical analysis of the cybersecurity of European smart gridsPractical analysis of the cybersecurity of European smart grids
Practical analysis of the cybersecurity of European smart grids
 
Challenges and Solution to Mitigate the cyber-attack on Critical Infrastruct...
Challenges and Solution to Mitigate the cyber-attack  on Critical Infrastruct...Challenges and Solution to Mitigate the cyber-attack  on Critical Infrastruct...
Challenges and Solution to Mitigate the cyber-attack on Critical Infrastruct...
 

Kürzlich hochgeladen

(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...ranjana rawat
 
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINEMANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINESIVASHANKAR N
 
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...Christo Ananth
 
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130Suhani Kapoor
 
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICSHARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICSRajkumarAkumalla
 
Porous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writingPorous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writingrakeshbaidya232001
 
UNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its PerformanceUNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its Performancesivaprakash250
 
Microscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptxMicroscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptxpurnimasatapathy1234
 
KubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghlyKubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghlysanyuktamishra911
 
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service Nashik
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service NashikCall Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service Nashik
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service NashikCall Girls in Nagpur High Profile
 
Introduction and different types of Ethernet.pptx
Introduction and different types of Ethernet.pptxIntroduction and different types of Ethernet.pptx
Introduction and different types of Ethernet.pptxupamatechverse
 
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...roncy bisnoi
 
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur EscortsCall Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 
UNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular ConduitsUNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular Conduitsrknatarajan
 
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...ranjana rawat
 
Java Programming :Event Handling(Types of Events)
Java Programming :Event Handling(Types of Events)Java Programming :Event Handling(Types of Events)
Java Programming :Event Handling(Types of Events)simmis5
 
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Serviceranjana rawat
 
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escortsranjana rawat
 
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICSAPPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICSKurinjimalarL3
 

Kürzlich hochgeladen (20)

(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
 
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINEMANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
 
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
 
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
 
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
 
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICSHARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
 
Porous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writingPorous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writing
 
UNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its PerformanceUNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its Performance
 
Microscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptxMicroscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptx
 
KubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghlyKubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghly
 
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service Nashik
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service NashikCall Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service Nashik
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service Nashik
 
Introduction and different types of Ethernet.pptx
Introduction and different types of Ethernet.pptxIntroduction and different types of Ethernet.pptx
Introduction and different types of Ethernet.pptx
 
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...
 
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur EscortsCall Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
 
UNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular ConduitsUNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular Conduits
 
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
 
Java Programming :Event Handling(Types of Events)
Java Programming :Event Handling(Types of Events)Java Programming :Event Handling(Types of Events)
Java Programming :Event Handling(Types of Events)
 
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service
 
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
 
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICSAPPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
 

Guide to Securing Industrial Control Systems with Fortinet

  • 3. Potential Vulnerabilities

    Due to their unique history and conception, separate from the evolving world of IT, ICS present a number of unique challenges:

      • Inherent lack of security: Much of the technology underpinning ICS, while extremely robust and reliable, was never designed to be accessible from remote networks, and so security relied instead upon restricted physical access, and the relative obscurity of its components (e.g. RTUs, PLCs etc.) and their (mostly serial) communications protocols (e.g. Modbus, RP-570, Profibus, Conitel etc.).
      • The “air-gap” fallacy: The superficially seductive idea of creating an “air-gap” between the ICS and all other networks is no longer realistic for the vast majority of real-life applications. As more and more of today’s ICS components rely on software updates and periodic patching, it is now virtually impossible to avoid at least occasional data transfer into the ICS. Even in the absence of permanent network connections (or those employing only unidirectional devices such as optical data diodes), ‘air-gapped’ networks are still vulnerable to the connection of infected PCs or storage devices such as USB drives (one of the infection vectors of STUXNET).
      • Expanding Attack Surface: As proprietary, dedicated solutions are replaced with off-the-shelf hardware and software, employing open standards such as Ethernet, TCP/IP, and Wi-Fi, the number of potential vulnerabilities increases exponentially. The recent proliferation of mobile devices together with trends such as BYOD only exacerbate the problem further.
      • Continued use of outdated hardware and software operating systems (sometimes pre-dating even the very notion of cybersecurity) which may be incompatible with standard modern defenses such as anti-virus software.
      • Infrequent updates and patching due to the complexity, cost, and potential service disruption entailed. It is not always practical, for example, to interrupt a plant’s operations whenever one of its operational servers needs patching.
      • Large numbers of simple, unsecured telemetry devices such as sensors and pressure gauges, whose data, if manipulated, could nevertheless carry huge consequences for the safety and reliability of the overall system.
      • Use of embedded software written with scant adherence to the security techniques and best practices of modern coding.
      • Insufficient regulation of component manufacture and supply chain, introducing the possibility of equipment compromise, even prior to installation.
      • Limited Access Control / Permission Management: As previously isolated or closed systems have been interconnected, the controls imposed on exactly who can access what, have not always kept pace with IT security best practice.
      • Poor network segmentation: The standard security practice of partitioning networks into functional segments which, while still interconnected, nevertheless limit the data and applications that can overlap from one segment to another, is still underutilized within ICS as a whole.
      • Lack of security expertise among the engineers who have traditionally designed and maintained the systems.
  • 4. Addressing the Problem

    The good news is that in recent years, the inherent problems and vulnerabilities of ICS have become more widely recognized, and the first steps have now been taken to rectify them.

    One way this is occurring is through the help of government bodies such as the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) in the US, and the Centre for Protection of National Infrastructure (CPNI) in the UK, both of which publish advice and guidance on security best practice for ICS.

    Another way is through the definition of common standards such as ISA/IEC-62443 (formerly ISA-99). Created by the International Society for Automation (ISA) as ISA-99 and later renumbered 62443 to align with the corresponding International Electro-Technical Commission (IEC) standards, these documents outline a comprehensive framework for the design, planning, integration and management of secure ICS.

    Although still a work in progress and some way from addressing all vulnerabilities at their most fundamental level, the standard provides practical guidance, such as the model of ‘zones, conduits, boundaries and security levels’, through which to address the most pressing deficiencies of ICS network security. Implementation of the zones and conduits model, which is recommended by both ICS-CERT and CPNI, can greatly reduce the risk of intrusion, as well as the potential impact should such a breach still occur.

    The basic strategy outlined in the standard is to segment the network into a number of functional ‘zones’ (which may also include sub-zones), and then to clearly define the ‘conduits’ as all essential data and applications allowed to cross from one zone to another. Each zone is then assigned a security level from 0 to 5, with 0 representing the highest level of security and 5 the lowest. Strict access controls can then be imposed limiting access to each zone and conduit based on the authenticated identity of the user or device.

    This is a strategy that maps extremely well to the range of capabilities delivered by Fortinet’s Enterprise Solutions, and in particular the Internal Segmentation Firewall (ISFW).
  • 5. Securing ICS / SCADA with Fortinet

    As with any effective security implementation, the first step is to fully assess the business and operational risks and to define an appropriate strategy commensurate with those risks. A major part of this will include defining the zones, conduits, boundaries and security levels outlined in IEC-62443. This will typically look something like the network represented in figure 1.

    [Figure 1: Security levels as depicted in the ISA S99 standard. Levels shown: Level 5 Internet DMZ; Level 4 Enterprise LAN; Level 3 Operations DMZ; Level 2 Supervisory HMI LAN; Level 1 Controller LAN; Level 0 Instrumentation bus network.]
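The zones-and-conduits model described above, reduced to a default-deny check over flow records. This is an added example, not code from the Fortinet guide or from FortiOS: the zone names follow the levels in Figure 1, while the subnets, the conduit list and the sample flows are constructed assumptions.

```python
"""Default-deny conduit audit for an IEC-62443 style zone model (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Zones named after the levels in Figure 1. The subnets are constructed
# for this example; substitute the ranges of the plant being assessed.
ZONES = {
    "L4-enterprise-lan": ip_network("10.4.0.0/16"),
    "L3-operations-dmz": ip_network("10.3.0.0/24"),
    "L2-supervisory-hmi": ip_network("10.2.0.0/24"),
    "L1-controller-lan": ip_network("10.1.0.0/24"),
}


@dataclass(frozen=True)
class Conduit:
    """One permitted crossing. Conduits are directional: src initiates to dst."""
    src_zone: str
    dst_zone: str
    proto: str
    dst_port: int
    purpose: str


# Hypothetical conduit list. 502/tcp is the registered Modbus/TCP port and
# 20000/tcp the registered DNP3 port; the HTTPS entries are assumptions.
CONDUITS = [
    Conduit("L2-supervisory-hmi", "L1-controller-lan", "tcp", 502, "HMI polls PLCs (Modbus/TCP)"),
    Conduit("L2-supervisory-hmi", "L1-controller-lan", "tcp", 20000, "HMI polls RTUs (DNP3)"),
    Conduit("L2-supervisory-hmi", "L3-operations-dmz", "tcp", 443, "HMI writes to historian"),
    Conduit("L4-enterprise-lan", "L3-operations-dmz", "tcp", 443, "enterprise reads historian"),
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dst_port: int


def zone_of(addr):
    """Return the zone name containing addr, or None if it is in no zone."""
    try:
        ip = ip_address(addr)
    except ValueError:
        return None  # malformed address: treat as outside every zone
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def evaluate(flow):
    """Classify a flow as ('allow' | 'intra-zone' | 'deny', detail)."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return ("deny", "endpoint outside every defined zone")
    if src_zone == dst_zone:
        return ("intra-zone", src_zone)  # never crosses a zone boundary
    wanted = (src_zone, dst_zone, flow.proto.lower(), flow.dst_port)
    for c in CONDUITS:
        if (c.src_zone, c.dst_zone, c.proto, c.dst_port) == wanted:
            return ("allow", c.purpose)
    return ("deny", f"no conduit {src_zone} -> {dst_zone} for {flow.proto}/{flow.dst_port}")


def audit(flows):
    """Return (flow, reason) for every flow that crosses zones without a conduit."""
    violations = []
    for flow in flows:
        verdict, detail = evaluate(flow)
        if verdict == "deny":
            violations.append((flow, detail))
    return violations


# Constructed sample flow records (not captured traffic).
SAMPLE_FLOWS = [
    Flow("10.2.0.15", "10.1.0.20", "tcp", 502),   # HMI -> PLC, defined conduit
    Flow("10.4.7.9", "10.1.0.20", "tcp", 502),    # enterprise desktop straight to a PLC
    Flow("10.2.0.15", "10.1.0.21", "tcp", 23),    # right zones, service not in any conduit
    Flow("10.1.0.20", "10.1.0.21", "tcp", 502),   # controller to controller, same zone
    Flow("192.0.2.50", "10.3.0.5", "tcp", 443),   # source in no defined zone
    Flow("10.1.0.20", "10.2.0.15", "tcp", 502),   # reverse direction of a conduit
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"VIOLATION {flow.src} -> {flow.dst} {flow.proto}/{flow.dst_port}: {reason}")
```

Run against exported firewall or NetFlow records, the violations list shows which observed traffic would break once the conduit list is enforced and which crossings were never meant to exist.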
  • 6. Comprehensive multi-layered Security

    With its multi-layered defense in depth, high availability design, and optional rugged form-factor, the FortiGate range of security appliances is the perfect choice for implementing the zones and conduits model, no matter how critical the ICS infrastructure, or how harsh the environment.

    Using the deployment mode of “Internal Segmentation Firewall” (ISFW), which combines functional and physical segmentation, the FortiGate combines advanced high-performance firewall functionality and robust two-factor authentication, with anti-virus, intrusion prevention, URL filtering, and Application Control. With a wide selection of high speed LAN interfaces and the hardware acceleration derived from its custom ASIC design, the FortiGate has been proven to deliver inter-zone performance in excess of 100Gbps.

    Using the granular security policies available with FortiGate’s ISFW deployment mode, ICS zones and conduits can be enforced based on criteria such as user identity, application, location, and device type. In this way, the FortiGate™ can effectively lock down each zone, ensuring that only legitimate, prescribed traffic, originating from authorized endpoints can pass from one zone to another.

    For an alternative implementation of sub-zones, the FortiGate and FortiSwitch™ appliances also support 802.1Q VLAN traffic tagging, although in most critical deployments, the ISFW mode provides greater isolation and containment and is therefore recommended over the use of VLANs.

    The embedded security of these highly flexible and scalable products comes from a combination of their operating system, FortiOS™, the FortiAuthenticator™ and FortiToken™ authentication solutions, and the automated, 24/7, self-learning, continuous threat response resources of FortiGuard™.

    Centralized Management, logging and reporting

    Management of the infrastructure, which is all consolidated through the FortiGate, is accomplished via FortiManager™ and FortiAnalyzer™, combining centralized configuration with reporting, visibility, event logging and analysis, to create a comprehensive, real-time network monitoring and control center.

    Specific ICS- / SCADA-aware functionality

    Using predefined and continually updated signatures, the FortiGate can identify and police most of the common ICS / SCADA protocols (see list below) for the purpose of defining conduits. This is done through the configuration of security policies in which multiple services, such as IPS, AV, and Application Control can be mapped to each protocol.

    In parallel to this specific protocol support, additional vulnerability protection is provided for applications and devices from the major ICS manufacturers (see list below) through a complementary set of signatures. This provides a more granular application-level control of the traffic between zones and enables the FortiGate to detect attempted exploits of known vulnerabilities relating to any of the supported vendors’ solutions.

    ICS / SCADA protocols:

      • Bacnet
      • DLMS/COSEM
      • DNP3
      • EtherCAT
      • ICCP
      • IEC-60870.5.104
      • Modbus/TCP
      • OPC
      • Profinet

    ICS manufacturers:

      • ABB
      • Advantech
      • Elcom
      • GE
      • Rockwell
      • Schneider Electric
      • Siemens
      • Veeder-Root
      • Yokogawa
  • 7. Zone Access Control with FortiAuthenticator and FortiToken

    Applying granular control of the access to each zone and conduit based on both user and device is the role of FortiAuthenticator’s integration with FortiGate and directory services. FortiAuthenticator User Identity Management Appliances provide Two-factor Authentication, RADIUS, LDAP and 802.1X Wireless Authentication, Certificate management and Fortinet Single Sign-on. FortiAuthenticator is compatible with and complements the FortiToken range of Two-Factor Authentication Tokens for Secure Remote Access enabling authentication with multiple FortiGate network security appliances and third party devices. Together, FortiAuthenticator and FortiToken deliver scalable, cost-effective, secure authentication to your entire network infrastructure.

    Securing the Historian with FortiDB

    All central databases present an attractive target for cyber-attack, but those underpinning ICS may be especially vulnerable since, due to their history, security may not have been a major consideration in their deployment and scripting. To help assess the current security level, address any vulnerabilities, and monitor all subsequent access for suspicious activity, FortiDB provides a flexible policy framework through which to secure these critical resources.

    Securing the Web-based HMI with FortiWeb

    While the cost and usability benefits of controlling the ICS through a web-based console are self-evident, the impact of intrusion or compromise to the back-end is clearly much greater within this environment than for most other web-servers. Using advanced techniques to provide bidirectional protection against malicious sources, application layer DoS Attacks, and sophisticated threats like SQL injection and cross-site scripting, FortiWeb adds another crucial layer to your ICS defenses.

    Securing the #1 Attack vector with FortiMail

    Although not specific to ICS or its components, unsecured Email – especially when combined with social engineering – remains the #1 attack vector for the majority of known threats. Protecting against inbound attacks, including advanced malware, as well as outbound threats and data loss, FortiMail™ provides a single solution combining anti-spam, anti-phishing, anti-malware, sandboxing, data leakage prevention (DLP), identity based encryption (IBE), and message archiving.

    Responding to Advanced Persistent Threats

    Most of the discussion so far has focused on the detection and blocking of attacks through the use of signatures, yet this approach relies on having encountered some close variant of the threat before. With the extensive threat response resources of FortiGuard continually monitoring thousands of live customer networks around the world, this is extremely likely, but with the stakes for ICS intrusion so high, it is essential to also prepare for attacks which have yet to be encountered. In such a scenario, it becomes crucial that the intrusion is detected rapidly, its propagation limited, and its impact minimized. Here, a critical component of Fortinet’s Advanced Persistent Threat Protection Framework is FortiSandbox™, which is designed to detect and analyze advanced attacks that might bypass more traditional signature-based defenses.

    Government Accreditation and Assurance

    Compliant with US Federal Government standard FIPS 140-2 level 2 for Cryptographic Modules, and International Common Criteria certification EAL 4+, Fortinet delivers robust, field-proven, protection that has been evaluated and tested by numerous third-party organizations to the highest levels of any multi-layered security solution.
  • 8. Summary

    Adequately securing ICS presents many significant challenges, some of which clearly go beyond the scope of this solutions guide. Yet by following the best practices set forth by ICS-CERT / CPNI, and deploying government accredited solutions such as those of the Fortinet portfolio outlined above, the probability of a successful cyber-attack, as well as its likely impact on the ICS, can be greatly reduced.

    With dedicated support for the ICS / SCADA environment as well as its proven success as a leading provider of multi-layered enterprise security, Fortinet is uniquely positioned to help our industrial customers overcome their security challenges and protect the safety and reliability of our most critical infrastructure and services.

    www.fortinet.com

    GLOBAL HEADQUARTERS: Fortinet Inc., 899 Kifer Road, Sunnyvale, CA 94086, United States. Tel: +1.408.235.7700. www.fortinet.com/sales

    EMEA SALES OFFICE: 120 rue Albert Caquot, 06560, Sophia Antipolis, France. Tel: +33.4.8987.0510

    APAC SALES OFFICE: 300 Beach Road 20-01, The Concourse, Singapore 199555. Tel: +65.6513.3730

    LATIN AMERICA SALES OFFICE: Prol. Paseo de la Reforma 115 Int. 702, Col. Lomas de Santa Fe, C.P. 01219, Del. Alvaro Obregón, México D.F. Tel: 011-52-(55) 5524-8480

    Copyright © 2015 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

    05 Oct 2015 – 5:07 PM