This article was updated on September 12, 2019.
At the RSA Conference in San Francisco, many CISOs and IT leaders disclosed that OT risk management, defense and resiliency topped their must-have list. They were interested in learning how Nozomi Networks provides industrial OT network and operational visibility and risk assessment, and how our solution works in concert with other security products to deliver comprehensive IT/OT cyber security defense.
Read on to see how Nozomi Networks and Fortinet deliver one ‘knock-out’ cyber security solution for resiliency and defense—and tackle two of the most common OT use cases.
Passive Threat Detection Paired with Active Industrial Firewalls
In 2016, Nozomi Networks and Fortinet got together to create a comprehensive industrial cyber security solution that combines non-intrusive detection of OT security issues with proactive threat remediation and containment.
The solution integrates Nozomi Networks’ Guardian solution, backed by our in-depth understanding of ICS (industrial control system) networks, protocols and device behavior, with Fortinet’s FortiGate industrial firewall for OT/ICS/SCADA systems. Let’s see how the combined solution addresses two common cyber security scenarios.
Use Case 1: When Unintentional Activity Creates Cyber Incidents
We can all agree that mistakes in any environment are not uncommon. As with enterprise IT, network and ‘operator error’ can lead to unintentional security vulnerabilities. Consider these examples of unintended cyber incidents:
- A contractor updating software on a machine during scheduled maintenance unintentionally and unknowingly introduces malware into the network.
- An infrastructure vendor connects a new device to the network, suddenly increasing network traffic. A piece of legacy equipment, unable to handle the new volume, crashes, causing other devices on the OT network to fail.
- An employee uses the default password “admin.” Another, unauthorized employee logs in and makes changes to the network without understanding the consequences.
- An inexperienced staff member misconfigures a device on the network.
Here’s how the integrated Nozomi Networks – Fortinet solution proactively identifies unintentional vulnerabilities like these, alerts the organization that something needs to be done, and takes proactive steps to close the door.
Guardian non-intrusively monitors network traffic to create an internal representation of the entire system, its nodes, and the typical behavior of each device. It also tracks interactions between devices and operational outcomes across the OT system. If an anomaly, suspicious behavior or known, signature-based threat vector is detected, it sends an alarm to security operators and network administrators.
At the same time, Guardian sends an alert to the Fortinet security enforcement and segmentation device. The Fortinet firewall applies a new security policy that pinpoints and blocks the suspicious traffic, if at all possible. The result is that production disruptions or downtime are avoided until authorized personnel provide instructions on how to best manage the incident.
Use Case 2: Blocking OT Reconnaissance Activity
Reconnaissance is the first phase in a cyber kill chain sequence. The threat actor’s goal at this stage is to probe for areas of weakness and gather as much information as possible about the network, in preparation for a full-scale attack.
Reconnaissance can occur passively, for example using publicly available information like a registered domain to fish for information, or it can be done actively, using system information to gain a foothold that will later allow the threat actor to move laterally within the network towards the final target.
The combined Nozomi Networks – Fortinet solution proactively stops phase I reconnaissance activity in its tracks. First, Nozomi Networks’ Guardian uses a hybrid approach—including behavior-based anomaly detection and multiple types of signature-based detection—to identify anomalies, risks and threats. Detection results are correlated with operational context to provide rapid insight into what’s going on, reducing mitigation and forensic analysis time.
Nozomi Networks’ Guardian integrates natively with Fortinet assets and devices, including FortiGate firewalls for OT/IT/SCADA systems. When Guardian detects a risk, threat or anomaly, such as an unknown node that suddenly appears on the network and starts communicating (e.g. evidence of reconnaissance), it sends an alert to FortiGate which can then automatically trigger a security policy and proactive remediation response. By quarantining and/or blocking suspicious traffic, FortiGate shuts down reconnaissance activity while allowing the unaffected, critical infrastructure control traffic to run as usual.
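The detect-then-contain flow described above can be sketched as follows. This is an added example, not Nozomi Networks' or Fortinet's code and it uses neither product's API; the flow records, IP addresses, protocol labels and fan-out threshold are constructed, and the "block" decision stands in for the firewall policy the article describes.

```python
from collections import defaultdict

# Constructed flow records: (source IP, destination IP, protocol).
LEARNING = [
    ("10.0.1.10", "10.0.1.20", "modbus"),   # HMI -> PLC
    ("10.0.1.10", "10.0.1.21", "modbus"),
    ("10.0.1.30", "10.0.1.20", "s7comm"),   # engineering station -> PLC
]
LIVE = [
    ("10.0.1.10", "10.0.1.20", "modbus"),   # baseline control traffic
    ("10.0.1.99", "10.0.1.20", "modbus"),   # node never seen while learning
    ("10.0.1.99", "10.0.1.21", "modbus"),
    ("10.0.1.99", "10.0.1.30", "s7comm"),
    ("10.0.1.30", "10.0.1.21", "s7comm"),   # known node, link not in baseline
]

def learn_baseline(flows):
    """Build the set of known nodes and known (src, dst, proto) links."""
    nodes, links = set(), set()
    for src, dst, proto in flows:
        nodes.update((src, dst))
        links.add((src, dst, proto))
    return nodes, links

def evaluate(flows, nodes, links, fanout_threshold=3):
    """Classify each live flow against the baseline, keyed on the source."""
    decisions = []
    fanout = defaultdict(set)  # unknown source -> distinct destinations seen
    for src, dst, proto in flows:
        if src not in nodes:
            fanout[src].add(dst)
            reason = "unknown-node"
            if len(fanout[src]) >= fanout_threshold:
                reason = "unknown-node-scanning"  # wide fan-out from a new node
            decisions.append((src, dst, proto, "block", reason))
        elif (src, dst, proto) not in links:
            # Known device behaving differently: alert, but do not interrupt it.
            decisions.append((src, dst, proto, "alert", "new-link"))
        else:
            decisions.append((src, dst, proto, "allow", "baseline"))
    return decisions

def block_list(decisions):
    """Sources a containment policy would quarantine (hypothetical hand-off)."""
    return sorted({d[0] for d in decisions if d[3] == "block"})
```

Only the previously unseen source ends up in the block list; baseline control traffic keeps its "allow" decision, and a known device that opens a new link raises an alert without being cut off.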
Nozomi Networks and Fortinet Take ICS Cyber Security to the Next Level
In the SANS 2017 Security Awareness Report, 52% of survey respondents listed ICS reliability and availability as their biggest business concern. Their top threat worries centered around new devices being added to the network, and accidental, internally-created issues.
Given the potential impact and increasing frequency of cyber incidents within the industrial premise, it’s no surprise that security personnel rank their current risk level as high.
To manage risk and support operations that run 24/7, CISOs need better visibility into their OT network, and better ways to detect and prevent unintentional risks and intentional threats.
Security professionals need a robust ICS network security platform that takes the interconnectedness of IT/OT into consideration and combines real-time monitoring with active defense.
The innovative integration between Nozomi Networks’ Guardian and Fortinet’s industrial security products provides OT networks with the most comprehensive cyber security solution available today.
Fortinet & Nozomi Networks ICS Cyber Security Solutions
This document covers:
- Challenges of Securing ICS
- Fortinet-Nozomi Networks Joint Solution
- Segmenting ICS Networks
- Sample Network Architecture