
Part 1 of 2

Leveraging Industry Standards to Address OT Cybersecurity Challenges

Our Presenter: Aasef Iqbal, Director, Product Management, OT Cybersecurity, Fortinet

© Fortinet Inc. All Rights Reserved.


Standards and Strategy

Notable Industry References For Standards & More

Standard / Regulation / Framework | Type | Governing Body | Origin | Scope | Applicability
NIS Directive | Regulation | ENISA | EU (+ UKI) | EU, Multi-Industry | IT/OT
NERC CIP | Regulation | FERC | US | US, Electricity | IT/OT
ISA/IEC 62443 (formerly ANSI ISA99) | Standard | ANSI, ISA, IEC | International | Multi, Multi-Industry | OT
NIST CSF | Framework (Guideline) | NIST | US | Multi, Multi-Industry | IT/OT
CIS Critical Security Controls (CIS Top 20) | Guideline | CIS | US | Multi, Multi-Industry | OT
ISO/IEC 27000 Series | Standard | ISO, IEC | International | Multi, Multi-Industry | IT/OT
NIST SP 800-82 | Guideline | NIST | US | Multi, Multi-Industry | OT
NIST SP 800-53 | Guideline | NIST | US | Multi, Multi-Industry | IT/OT

How the reference types build on each other:
• Policy or Regulation – dictates your intent
• Standards – dictate your requirements
• Best Practices or Guidelines – guide your implementation
• Procedures – help your implementation
Cybersecurity Strategy
Cybersecurity in IT/OT environments is not limited to the “plants” only. Organisations shall develop an overall cybersecurity strategy for the entire business and its IT/OT ecosystems. Critical components of the strategy may include Enterprise Architecture and Enterprise Security Architecture.

Figure: Enterprise Architecture (TOGAF) and Enterprise Security Architecture (SABSA) layers – Contextual, Conceptual, Logical, Physical, Component – mapped across the Business, IT and OT value chains (Service Provider, Markets, Customer): Business Capabilities, Business Processes, Business Services; Cybersecurity – Enterprise Service Bus (ESB) + Applications (Logical Information Services); ICT Infrastructure & Data (Physical Networks/Platforms/Storage); Technical Components (Standards, Products & Tools).
Importance of Strategy – it should help answer:
• Approach for legacy automation systems and networks – upgrade vs. replace
• Use of virtualisation technologies – Hyper-V, VMware, KVM, hybrid, or no virtualisation at all
• Use of Layer 2 or Layer 3 protocols, or both
• Use of HSM, PKI etc.
• Use of software-defined networking
• Use of emerging technologies – AI, ML, Big Data etc.
• Managed Security Services (MSS) or on-premises

“ Cybersecurity strategy should always be current – have room for emerging technologies e.g., ML, AI, 5G, etc.
Recommendations From The Industry

Governance, Risk & Compliance
• ISO/IEC 27001 ISMS
• ISA/IEC 62443
• NIST CSF (SP 800-53, 800-82)

Security Architecture
• TOGAF
• SABSA, EISA
• PERA – IEC 62443-2-2

“ Cybersecurity approach should be holistic, consistent, gradual

Figure: ISA/IEC 62443 Standards Series (Industrial Automation and Control System Cybersecurity Standards) and the Cybersecurity Framework.

IEC 62443 – Overall Process (figure)
IEC 62443 Foundational Requirements
Countermeasures for Asset Owner, System Integrator, and Product Supplier

What are Foundational Requirements (FRs)?

As defined in IEC 62443-1-1 there are a total of seven FRs. Example high-level operational controls mapping to each FR:

• FR1 – Identification and authentication control (IAC): passwords and user authentication
• FR2 – Use control (UC): user roles and authorization enforcement (RBAC)
• FR3 – System integrity (SI): session handling, mechanisms to recognize change
• FR4 – Data confidentiality (DC): encryption
• FR5 – Restricted data flow (RDF): network segmentation
• FR6 – Timely response to events (TRE): logging and monitoring
• FR7 – Resource availability (RA): system backup and recovery

Source: IEC 62443-1-1. Fortinet Security Solutions support Asset Owners in achieving these requirements.

IEC 62443 expands the seven FRs defined in IEC 62443-1-1 into a series of SRs. Each SR has a baseline requirement and zero or more Requirement Enhancements (REs) to strengthen security.
How To Select What’s Best
Asset Owner, System Integrator, and Product Supplier

What are the different security protection levels?

To achieve the optimum level of security, i.e. the target security level (SL-T), and meet the security requirements, the SRs and REs are deployed depending on the protection required against the specific threats. The IEC 62443 security levels (SL) are listed below.

Security Levels
• SL 0: No specific requirements or security protection necessary – no specific security controls required
• SL 1: Protection against casual or coincidental violation – security controls against basic threats
• SL 2: Protection against intentional violation using simple means with low resources, generic skills and low motivation – security controls against moderate threats
• SL 3: Protection against intentional violation using sophisticated means with moderate resources, IACS-specific skills and moderate motivation – security controls against sophisticated threats
• SL 4: Protection against intentional violation using sophisticated means with extended resources, IACS-specific skills and high motivation – security controls against highly advanced threats
One Size Doesn’t Fit All – Countermeasures

Figure: IEC 62443-3-3 expands the 7 FRs into 51 SRs and 49 REs; the applicable set is chosen per security level (SL 0 to SL 4) and maturity level (1 to 4), plotted against mitigation cost ($) and cyber risk.

It can be overwhelming: choose your security control requirements based on your risk level. Choose your countermeasures “wisely”.
Cybersecurity Requirements
Standards and Best Practices across IT/OT Security

ISO/IEC 27001
• Information Security Policies
• Organization of Information Security
• Human Resource Security
• Asset Management
• Access Control
• Cryptography
• Physical and Environmental Security
• Operations Security
• Communications Security
• System Acquisition, Development, and Maintenance
• Supplier Relationships
• Information Security Incident Management
• Information Security aspects of Business Continuity Management
• Compliance with Internal and External Requirements

NIST 800-53
• Access Control
• Audit and Accountability
• Awareness and Training
• Configuration Management
• Contingency Planning
• Identification and Authentication
• Incident Response
• Maintenance
• Media Protection
• Personnel Security
• Physical and Environmental Protection
• Planning
• Program Management
• Risk Assessment
• Security Assessment and Authorization
• System and Communications Protection
• System and Information Integrity
• System and Services Acquisition

ISA/IEC 62443
• Identification and Authentication Control
• Use Control
• System Integrity
• Data Confidentiality
• Restricted Data Flow
• Timely Response to Events
• Resource Availability

Example requirement categories: Access Control, Communications Integrity, Vulnerability Management, Physical Security, Logging and Monitoring, Network Segmentation, System Integrity – add your requirements here.
CRS Mapping to Security Controls

The CRS needs to be mapped to specific security control objectives to materialise your security requirements into Cybersecurity Solutions.

Figure: inputs to the CRS – Strategy, EA; Risk Assessment; VA/PT; Regulatory, Industry Specific and Internal requirements; reference controls from NIST SP 800-53, IEC 62443 and ISO 27001 – flow through the CRS and the Architecture into Cybersecurity Solutions, organised by the NIST CSF security control categories (Respond, Recover) and the IEC 62443 5D Physical and Cybersecurity Strategy (Deter, Detect, Delay, Deny, Defeat).

“ Layered Security Approach – Defense-in-Depth
Develop Solution Compliance Checklists

“ CRS helps with generating vendor compliance check-lists

Firewall
- Shall be IEC 61850-3 and IEEE 1613 compliant
- Shall support a wide range of ICS protocol DPI
- Shall offer local as well as centralised management capability
- Shall support network high-availability requirements of Digital Substations such as PRP, HSR
- Shall support integration capability with a wide range of security products such as NIDS, NAC etc.

IPS
- Shall be IEC 61850-3 and IEEE 1613 compliant
- Shall support a wide range of ICS protocol DPI
- Shall offer local as well as centralised management capability
- Shall support network high-availability requirements of Digital Substations such as PRP, HSR
- Shall support integration capability with a wide range of security products such as NIDS, NAC etc.

HIDS
- Shall support centralised, distributed, federated and disconnected architectures
- Shall support a wide range of operating systems including legacy operating systems
- Shall run within 20-40 MB of system memory
- Shall support passive and active mode
- Shall support log forwarding using syslog etc.
How To Apply Defenses in ICS/OT?
Planning and Strategy

Figure: Defense-in-Depth planning – proactive security as an iterative process across People, Process and Technology. Source: US-DHS

People, Process, and Technology

Figure: People, Process and Technology tied to Governance, Risk, Compliance; Risk, Controls, Architecture; Compliance Monitoring and Reporting; the ISA/IEC 62443 Standards Series (Industrial Automation and Control System Cybersecurity Standards) and the Cybersecurity Framework.
Why Defense-in-Depth?
Early detection and minimised impact, proactive security

Figure: the IEC 62443 5D Physical and Cybersecurity Strategy (Deter, Detect, Delay, Deny, Defeat) and the NIST CSF security control categories set against the MITRE ATT&CK for ICS cyber-attack sequence: Initial Access, Execution, Persistence, Evasion, Discovery, Lateral Movement, Collection, Command and Control, Inhibit Response Function, Impair Process Control, Impact.

Defense-in-Depth security measures can break the cyber-attack sequence and prevent the potential impact. By the Impact stage it is too late to stop a cyber-attack.

What does Defense-in-Depth Mean?

Defense-in-Depth layers, each set against the stages of the MITRE ATT&CK for ICS sequence above:
• Policies Layer
• Physical Layer
• Perimeter Layer
• Internal Network Layer
• Host Layer
• Application Layer
• Data Layer

People, Process, Technology – Administrative Controls, Physical Controls, Technical Controls
5 Key Countermeasures
Threat Identification and Mitigation

Five Key Security Countermeasures for Industrial Control Systems and Operational Technology (Source: US-DHS):

Technology
1. Identify, minimize, and secure all network connections to the ICS/OT.
2. Harden the ICS and supporting systems by disabling unnecessary services, ports, and protocols; enable available security features; and implement robust configuration management practices.
3. Continually monitor and assess the security of the ICS/OT, networks, and interconnections.

Process
4. Implement a risk-based defense-in-depth approach to securing ICS/OT systems and networks.

People
5. Manage the human – clearly identify requirements for ICS/OT; establish expectations for performance; hold individuals accountable for their performance; establish policies; and provide ICS/OT security training for all operators and administrators.
Fortinet Can Help – Cyber Threat Assessment

OT CTAP
• Documentation/architecture review
• Site assessment
• Online/offline data collection (FG, FAZ, FSM, SOAR)
• Interview-based assessment module
• FortiGuard Labs

Report & Dashboard
• Inventory
• Vulnerabilities
• Compliance (IEC 62443, NIST CSF, NIS2, etc.)
• Baseline Management
• Roadmap (based on customer objectives)
• Recommendations (Fortinet catalog)
• Audits
Security Architecture
Development & Implementation
Controls to Solution and Compliance Mapping
Example

FR5 – Restricted Data Flow – SRs


SR 5.1 – Network segmentation Switch, Firewall, VLAN, Zoning, Segmentation
SR 5.2 – Zone boundary protection Firewall, Data-diode, DMZ, VLAN
SR 5.3 – General purpose person-to-person restrictions Firewall, IPS, ATP
SR 5.4 – Application Partitioning HIDS, Application Whitelisting, Micro-segmentation

FR5 – Restricted Data Flow – REs


SR 5.1 RE 1 – Physical network segmentation
SR 5.1 RE 2 – Independence from non-control system networks
SR 5.1 RE 3 – Logical and physical isolation of critical networks

SR 5.2 RE 1 – Deny by default, allow by exception


SR 5.2 RE 2 – Island mode
SR 5.2 RE 3 – Fail close

SR 5.3 RE 1 – Prohibit all general purpose person-to-person communications


Example Security Control Implementation
Security Zones and Conduits

Network Segmentation and Micro-segmentation

Segmentation: Coarse Policies, Physical Network, North-South Traffic, Address Based, Hardware
Micro-segmentation: Granular Policies, Virtual Network, East-West Traffic, Identity Based, Software

IEC 62443 Foundational Requirements addressed:
• FR1 – Identification and Authentication Control
• FR2 – Use Control
• FR3 – System Integrity
• FR4 – Data Confidentiality
• FR5 – Restricted Data Flow
• FR6 – Timely Response to Events
• FR7 – Resource Availability

Compliance mapping for the Network Firewall and Network Switch:
• NIST CSF Protect – Protective Technology (PR.PT)-4
• NIST CSF Protect – Identity Management, Authentication and Access Control (PR.AC)-5
• NIST CSF Respond – Mitigation (RS.MI)-1
• ISA/IEC 62443-2-1:2009 4.3.3.4, 4.3.4.5.6
• ISA/IEC 62443-3-3:2013 SR 3.1, 3.5, 3.8, SR 4.1, 4.3, SR 5.1-5.4, SR 7.1, 7.6
How To Define Security Zones and Conduits?

§ A zone can have sub-zones.
§ A conduit cannot have sub-conduits.
§ A zone can have more than one conduit.
§ Cyber assets within a zone use one or more conduits to communicate.
§ A conduit cannot traverse more than one zone.
§ A conduit can be used for two or more zones to communicate with each other.

Source: ISA GCA
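The zone and conduit rules above, together with the FR5 requirement enhancements listed earlier (SR 5.2 RE 1 deny by default, allow by exception; SR 5.2 RE 3 fail close), can be checked mechanically. The following Python is an added example, not code from the presentation or from Fortinet: it models zones and conduits, validates the structural rules, and evaluates a conduit's traffic policy as deny-by-default. The zone names, conduit names and allowed protocol/port pairs are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class Zone:
    name: str
    parent: str | None = None  # zones may nest: a sub-zone names its parent zone

@dataclass
class Conduit:
    name: str
    zones: tuple[str, ...]     # the two or more zones this conduit lets communicate
    allow: set[tuple[str, int]] = field(default_factory=set)  # (protocol, port) exceptions
    up: bool = True            # link state; SR 5.2 RE 3 "fail close" denies when False

class ZoneConduitModel:
    def __init__(self, zones, conduits):
        self.zones = {z.name: z for z in zones}
        self.conduits = {c.name: c for c in conduits}

    def validate(self) -> list[str]:
        """Return rule violations; an empty list means the model is consistent."""
        errors = []
        for z in self.zones.values():  # sub-zones must nest in existing zones, acyclically
            seen, cur = {z.name}, z.parent
            while cur is not None and cur not in seen and cur in self.zones:
                seen.add(cur)
                cur = self.zones[cur].parent
            if cur is not None:
                errors.append(f"zone {z.name}: parent chain is cyclic or names an unknown zone")
        for c in self.conduits.values():
            for ref in c.zones:  # a conduit joins zones only: no sub-conduits, no unknown zones
                if ref in self.conduits:
                    errors.append(f"conduit {c.name}: {ref} is a conduit, not a zone")
                elif ref not in self.zones:
                    errors.append(f"conduit {c.name}: unknown zone {ref}")
            if len(set(c.zones)) < 2:  # a conduit exists so two or more zones can communicate
                errors.append(f"conduit {c.name}: must connect at least two distinct zones")
        return errors

    def permits(self, conduit: str, protocol: str, port: int) -> bool:
        """SR 5.2 RE 1: deny by default, allow by exception; fail close when the link is down."""
        c = self.conduits[conduit]
        return c.up and (protocol, port) in c.allow

def sample_model() -> ZoneConduitModel:  # constructed sample topology, not from the slides
    zones = [Zone("enterprise"), Zone("dmz"), Zone("control"), Zone("safety", parent="control")]
    conduits = [Conduit("ent-dmz", ("enterprise", "dmz"), {("tcp", 443)}),
                Conduit("dmz-control", ("dmz", "control"), {("tcp", 502)})]
    return ZoneConduitModel(zones, conduits)
```

`validate()` is the check to run whenever the zone model changes; `permits()` is the policy decision a conduit enforces, so anything not explicitly listed, or anything crossing a failed link, is denied.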
In a Nutshell
Network Segmentation and Micro-segmentation

Network Segmentation (Red Box)
§ Fortinet’s core offering with FortiGate NGFW
§ Implementation of security zones and conduits
§ Security for inter-VLAN communication
§ North-South network traffic monitoring and threat protection
§ IPS signatures help with implementing Virtual Patching and prevent exploitation of vulnerabilities by internal or external threats

Network Micro-segmentation (Blue Box)
§ Fortinet’s core offering with FortiGate NGFW and integrated FortiSwitch
§ Further segmentation of security zones based on different security requirements
§ Security for intra-VLAN communication
§ East-West network traffic monitoring and deep packet inspection
§ Application Control signatures help with implementing granular protocol and application policies and stop lateral movement of threats
Key Takeaways

It’s better to understand the security gaps in your infrastructure against an applicable standard – even a basic, initial security gap assessment is better than ignoring the problem!

• Layered Security Defenses
• Continuous Threat Monitoring
• Comprehensive Response Plan
Q&A
More information at fortinet.com/ot

Thank You!

Continue Learning – Register today for Part 2: Applying Standards-based Cybersecurity for OT with Fortinet Security Fabric (Virtual), May 18, 12:00pm ET.

Fortinet’s mission is to secure people, devices, and data everywhere.

Stay tuned for Part 2.