Fortinet Inc.

09/23/2024 | Press release | Distributed by Public on 09/23/2024 11:17

Extend AI-Powered Security to Remote OT Sites

Organizations that specialize in operational technology (OT) are under increasing pressure to secure their attack surfaces. While digital innovations such as remote access and cloud applications can improve safety, efficiency, and output, connecting OT networks to untrusted networks can increase the risk of malicious cyberthreats. Increasingly sophisticated attacks coupled with more government scrutiny in the form of regulations and compliance standards, such as NIS2 and NERC-CIP, increase the urgency to secure modern OT networks.

FortiGate owners can address these challenges by adding FortiExtender gateways to remote sites. In the latest 7.6 release of FortiOS, Fortinet updated its capabilities to include an innovative cybersecurity solution to address the expanding OT attack surface.

The Fortinet enhanced LAN extension is a simple, effective, low-cost way to secure OT assets: it extends FortiGuard AI-Powered Security Services from existing FortiGate Next-Generation Firewalls (NGFWs) to remote FortiExtender gateways using VXLAN over IPsec.

Securing Remote OT Sites Is Challenging

To ensure the entire attack surface is secured, many OT organizations around the world are busy cataloging their remote sites, no matter their size or status. Whether it's a capped oil well in the middle of the ocean or a set of electric vehicle charging stations (EVCS) in an office park, every remote site is now a possible point of entry for malicious hackers. According to the MITRE ATT&CK Tactics for Initial Access to Industrial Control Systems (ICS), public-facing applications, remote services, internet-accessible devices, removable media, and transient devices are some of the most common vectors. As a result, OT organizations need an effective, easy-to-deploy, and competitively priced way to secure their entire attack surface, from the largest production facility to the smallest remote site.

OT organizations also need to be able to gain real-time threat intelligence for OT-specific malware. OT networks may have tens of thousands of different devices and protocols, everything from programmable logic controllers (PLCs) to human-machine interfaces (HMIs) running protocols such as Modbus, PROFINET, and OPC. Without the ability to identify these devices, inspect the protocol traffic, and prevent OT-specific malware, OT organizations risk a malicious cyberattack.

Although Fortinet offers a variety of NGFWs with custom ASICs that offer high-performance on-premises security, in some cases, deploying a firewall appliance at every site may not be possible due to space or environmental constraints. The infrastructure coverage could be massive, especially when the latest regulations increase the required scope of coverage. Additionally, the number of sites being secured can sometimes be in the tens of thousands. Some sites, such as offshore capped and active oil wells, remote mines, or EVCS, require a broad suite of cybersecurity controls backed with threat intelligence but may have only modest throughput requirements, so a firewall is "too much product" for the location.

Enhanced LAN Extension

In the most recent update to FortiOS (version 7.6), Fortinet enhanced its LAN extension technology to address the specific and pervasive challenge of remote sites for OT organizations and for any enterprise facing challenges of scale in their cybersecurity strategy. With the enhanced LAN extension, organizations can extend their existing FortiGuard security services, including the OT Security Service, to more than 1,000 remote branches by deploying a FortiExtender 3G/4G LTE or 5G cellular gateway.

The technology uses VXLAN over an IPsec tunnel to extend the Layer 2 broadcast domain of a FortiGate to remote sites, so you can manage remote sites as if they were a part of the headend LAN and easily incorporate networking and security policies. You do not require an additional license for each remote site because you're extending an existing FortiGuard license with advanced security capabilities such as IDS/IPS, URL and DNS filtering, and content inspection. This is an efficient, easy-to-deploy, and cost-effective way to address the many challenges that OT organizations and enterprises face.