Imperative to invest in OT security protection?

Is there an urgent need to invest in OT security protection? Joe Sarno and Emmanuel Miranda take us through the issues and what really matters. As IAA finds out, insiders Joe and Emmanuel would have us believe that investing in OT security is an imperative, not an option.

Fortinet interview – Joe Sarno and Emmanuel Miranda


Industrial Automation Asia


What are Fortinet’s plans and strategies for the Asia Pacific region, regarding cybersecurity, especially pertaining to operating technology (OT)?


Joe Sarno

Fortinet has been so focused on the cybersecurity scene and the operational technology (OT) scene obviously in the last 5, 6, 7 years. To go back to the very beginning, when we founded the company, Fortinet had twenty products in our portfolio. Back then, I would not say there was a massive focus yet on the Asia Pacific region on securing OT.


We founded the company in 2000 and started rolling out products in 2002-3. Then, five or six years ago, we started to see an increase in cybersecurity threats targeting OT and critical infrastructure (CI).


And so that was a time when we initially started to see a lot of these startups offering to enhance the visibility aspect of cybersecurity. Companies like Claroty were consolidated or bought by bigger companies. Basically, these startups gave visibility over the OT network. OT networks have grown exponentially in the last 40-50 years. Many organisations weren’t even aware of the control systems installed on these OT infrastructures, because there was no need to control them, and nobody could really give them an idea of the network topology.


Some of these startups offered organisations the ability to understand the exact workings of their network topology. In an instant, organisations could begin to grasp their network’s control systems and HMIs, which they didn’t know existed.


And the second thing is controlling visibility was your baseline behaviour. So, drawing a baseline, they could say, your network or OT network, or CI network is built for this, and it works like this. They were able to paint a very clear picture of how the OT on the CI network was functioning. So, once you have that, that’s good information that can be played around with. And that’s where Fortinet came in. This was 5, 6 years ago.


Listening to different startups talking about this technology is interesting, because it is complementary to what we do. We stop threats, we detect threats. Aspiring technology, next-gen technology. That also means visibility or behaviour analysis that is pegged to a next-gen firewall, so that we can understand what a threat is, and block it. So that’s what happened, we joined forces and integrated visibility and the behaviour, and the ability to detect and block threats. And this is how everything started, 5, 6 years ago.


It is very exciting because it took me back to the late 90s. You may remember that the first virus was the IW virus in the 90s. And I just imagined in that second that we were going to see the whole story of viruses on IT systems replicated on OT systems. It was just like starting from scratch again. This was the vision I had.


I wrote down a report and sent it to my boss and the founder of Fortinet and said we need to respond to it via OT protection because I’m expecting that the type of threats and malware that we’re going to see in an OT network is going to explode. And I don’t want to pat myself on the back but 5 years later, it’s a huge business with Fortinet, and we’re seeing so many problems coming out of commercial, international OT networks.


And what’s driving this is the necessity for board member visibility. Now what we’re seeing today, cybersecurity is a board member topic, it’s on the top 10 list of every board member meeting. And what we’re seeing is that board members and CEOs are asking for more data from the OT network. So, with the network, nobody would understand or even know what was happening but now the CEO, and the board members want more information and more data analytics. And this has forced them to connect the Xs and Os. So, it’s opened up a whole world of internet companies. And unfortunately, it didn’t have any built-in security. We’re here to help and protect our systems.


Emmanuel Miranda

Absolutely. We are doing a lot of work within the power generation industry as well as other critical infrastructure. To give you an idea, we have secured the biggest power plant in Southeast Asia equivalent to the size of a nuclear power plant in 2019, which is rather recent.

We provided segmentation with our Next Generation Firewall, the FortiGate, as well as visibility with an Intrusion Detection System from our ecosystem’s partner Nozomi Networks.


The biggest problem we face in Asia is the lack of basic security


And although we are in the same region, in APAC each country is different. Countries like Japan, Singapore and Australia are going very differently from others. They’re just now starting on compliance legalities. Australia just passed a bill on the Critical Infrastructure Act. It’s targeting the critical infrastructure, but in Australia, banking is part of critical infrastructure as well. The definition of critical infrastructure depends on where you are; it’s not only power plants or gas distribution, it could be anything else. Banking is part of it for sure in certain countries. And the government in Australia is now putting a pool of money for asset owners to assess their installation because, as Joe was saying, a lot of them have no idea what they have inside.


In Southeast Asia such as Indonesia, we are talking about, of course, securing power plants, as well as gas distribution, water, and wastewater, so utilities.

In North Asia (China, Korea and Taiwan) it is about manufacturing. We also see some demand in Vietnam and Thailand, particularly for the automotive industry.


In the region, the drivers are more or less the same when implementing security. The first one is Business Continuity.


Asset owners operating critical infrastructure can’t afford to have operations down. And they are going to lose money because there are fines associated with the fact that you are not connected to the grid or supplying water anymore.


The second one is about Digitalisation. This is a lot around the manufacturing sector. When we’re talking to the manufacturing industry, of let’s say a semiconductor or electronics manufacturer, it’s about new software they want to implement, to get most of the data and the assets from the manufacturing floor up to the cloud. You need to be cost-efficient and more productive because you operate in a competitive environment. So, digitalisation is key.


The third is Compliance. It’s ongoing in Australia, Singapore, and South Korea. Right now, in the region, some countries are behind. Indonesia and Malaysia, for example, have regulatory gaps regarding OT Security. The Malaysian government provides a guideline, but it’s not commonly enforced.



Industrial Automation Asia

In recent times, there have been some reports about cybersecurity threats to ports of call, and maritime ports of call in destinations like Africa. For example, the Death Kitty ransomware attacks and other cases, in which it was found that OT was compromised, resulting in intrusions. What are Fortinet’s comments about how such intrusions and attacks can be prevented, at these critical points of entry and exit from a country?


Emmanuel Miranda

First of all, in terms of attacks, basically, we have to consider three vectors. The one you mention is an external vector. The second one is internal or insider threats, which could come from employees or contractors, and the third one is about supply chain, meaning for example your customer gets attacked via software that they don’t own, such as an ERP (Enterprise Resource Planning) system.


SolarWinds is the classic example of a supply chain attack.


For us, we always use a holistic approach, anchored around Technology, Processes and People. Some countries will define contractors as a supply chain attack vector.

Which is why it is crucial that you get your employees and contractors to go through cybersecurity awareness training.


At today’s Fortinet Accelerate Singapore conference, Joe this morning during the keynote mentioned that in Fortinet, we have mandatory training sessions every quarter for all employees. There is no excuse, and we all have to do it. Whether myself or Joe, we have to go through it.


Joe Sarno

Not even executives are exempted.


Emmanuel Miranda

Our Certification Program is an eight-level training and certification program designed to provide technical professionals with independent validation of their network security skills and experience.

NSE1 and NSE2 are educational tools and are accessible free of charge to the public. NSE3 was designed for partners, again education that is free of charge.

NSE4 to NSE8 are for professionals.


Coming back to insider threats, something that we are developing at Fortinet is endpoint detection and response, which will be huge for OT. When you talk about the convergence of IT and OT, you are in between the IT and the OT system. Now I’ll come back to that point because it’s also driving the market. So, from the inside or OT perimeter, we’re not detecting threats based just on signatures; it’s based on the behaviour of the person or user.


Let’s talk about external because external is the trend today. There are two things when talking about external attacks.


One is the direct attack on OT. You heard recently about Pipedream in the papers, where attacks were designed to attack the OT systems. That’s what we see today, very sophisticated attacks. We are supporting our customers, not to try to avoid it because you won’t, but how to respond, and how to recover from an attack. It’s about adjusting the mindset.


The second one is an attack on IT that is going to impact OT indirectly. When I talk to clients in OT, I don’t limit myself to talking about OT. We talk about IT and OT together. So that’s the reason why we have an integrated platform, the Fortinet Security Fabric: if you just secure your IT and don’t secure your OT, you’re going to have problems. The same is true if you strengthen the OT side and do just a handful of things in IT; you run into problems.


And that’s why we use the concept of the mesh architecture in Fortinet to protect both sides of the house, the IT and OT side. I will give a good example, the US Colonial Pipeline attack last year. They are supplying 45% of oil for the US East Coast, so we’re talking about millions in revenue per day.

They were hit by ransomware on the IT side, and what happened was they lost visibility over their billing system. The billing system is IT software. You are not able to bill your customer anymore. So, you shut down the business, right? They paid the ransom the next day, 5 million dollars. But it took them 15 days to normalise their operations. We’re talking about millions of US dollars.


The next one is supply chain attacks. We have a lot of examples as well. Again, 20 years ago, when the OT systems couldn’t push data out of the OT perimeter, there was nothing for us to use off the shelf in terms of products. So, we had to create gateways to extract and show data. I remember using Excel a couple of times; it is not secure at all.

And then we started to see suppliers coming into the market, developing solutions to extract the data, normalise it and put it into nice dashboards for the CEO or for the plant operator. And we have seen, in fact, more and more of those kinds of software being used, third-party software not secured by design. So, you go to any critical infrastructure plant and see a lot of these kinds of software on top of the industrial control system at level 3 of the Purdue model.


The SolarWinds Orion attack was about hackers being able to penetrate SolarWinds’ systems. They were able to penetrate their networks and added malicious code into an Orion software patch.

SolarWinds released the patch to their customers, as you would receive from, let’s say, Apple for iPhones. Clients installed the patch, which created a backdoor, and the hackers were able to go to any of their 30,000 customers and enter their network.


You need to have a plan. You need to have a strategy. There are three pillars to effectively ensuring this. The first thing we should talk about is Threat Detection and Protection. It’s about Network Segmentation to protect the North-South communication, which is the network traffic flowing into and out of your Operational Technology perimeter. This is followed by Threat & Vulnerability Management, which is about Threat Intel, End-point management etc. And last but not least Compliance: industry-certified solutions, compliant architectures, centralised auditing, etc.


To give an example. One of the things I was doing with my former company was the digitalisation of power plants, and our job was to offer apps in the cloud to improve the efficiency of the boiler. The boiler is what makes the steam; steam goes to the steam turbine, and then generates electricity through a generator. There were two solutions. An open loop, which is basically to push data to the cloud to a condition-based monitoring system. So, the customer has access to the data of the machine; they can do much with it. They’re running some calculations, monitoring data and therefore can plan preventive maintenance on the machine.

And there was another solution where the data was pushed to the cloud, and there was some calculation going back as a set point to the industrial control system that resides in OT. That’s what we call closed loop.


So, you need a Next Generation Firewall to practically do that if you want to leverage the data, and you can’t do that with a Data Diode. You need broad coverage OT protocols and applications to be able to inspect the traffic. If something does not seem right, the Next Generation Firewall will trigger a change in policies to stop the suspicious traffic.


The other one is for sure the most important when we’re talking about ransomware, which is Micro-segmentation and East-West traffic monitoring. The objective is, when your network has been breached, to limit the lateral movements of the hackers within your OT environment. It’s a critical exercise, because you need to identify your critical assets, your crown jewels.

Not everything is critical though. You can run a power plant at 50% of its capacity because you might be missing a sub-system. However, as an example a gas turbine is a critical element to generate power. So micro-segmentation is the use case that we preach to our customers, if you want to protect yourself from ransomware, there really is no better solution.


But once we have done that, that’s not enough because you put a piece of hardware, but then what do we do with that? How do we improve our security posture? Can you afford to go without visibility over the plant? You need to be able to manage the data, and manage the ecosystem and infrastructure. You need a device manager that provides full visibility, access, and management of managed devices, interfaces, scripts, templates, automation, users, settings, and more.

You need a system that is scalable and flexible, because we have clients with small facilities and clients with large or geographically dispersed systems.


Then we have coverage of the OT protocols, what’s the type of communication. It’s not only open protocols such as Modbus TCP/IP or OPC; it could be very specific proprietary protocols, and you need to know them and be able to inspect them. So, we work with Industrial Control Vendors, we have been working with most of them, Siemens, Schneider Electric and others, to develop what is called DPI (deep packet inspection) to analyse the traffic.


I was talking about console management earlier, about the single pane of glass. The complexity comes when we go to industrial places as large as the size of a city. We cannot just manage this without a console. We need a console that manages your appliances. Something which is very important to us is the OT dashboards. If you go to the OT people, and you show them software displaying IT messaging, they won’t understand. So, simplification, and console management that people can understand, is important. And I’ll come back to that, as we have done something recently with our FortiSIEM.


Regarding the second pillar in our strategy, ‘Threat & Vulnerability Management’, it is about continuous detection and analysis of the threats and protecting the critical assets from the threats.

Going back to earlier, it’s about our partnership with top-tier industrial IDS platforms such as those offered by Nozomi Networks, Dragos and Claroty, to name a few, offering visibility. Because you also need to figure out what the connected assets in your OT network are, including their known vulnerabilities.

One more thing that is also important against ransomware is to make sure that you have access to intelligence. Again, we have threat intelligence via FortiGuard Labs, meaning that technology is not enough, you need to have access to intelligence to make sure that your systems are up to date in terms of signatures on known vulnerabilities so you can leverage the virtual patching feature embedded in our Next Generation Firewall, the FortiGate.

Threat Intelligence solutions enable fast detection and enforcement across the entire attack surface. All of our security services are natively integrated into the Fortinet Security Fabric.


Again, just to summarise, the strategies for OT are Threat Detection & Protection, Threat & Vulnerability Management and Compliance.


Joe Sarno

The human element is still a very key factor in all of this, because ransomware typically will come as we’ve seen from the SolarWinds incident: exploits that came from a patch. There’s very little you can do unless you have a very intelligent AI system that catches that before it happens, like alerting you to the Zero Day patch. The other element is the human element. We have been conducting surveys in the OT world, just like in the IT world, and it has shown that the human element is crucial.


The majority of incidents happen because of human errors, such as clicking on the wrong email, or picking up a USB drive from the carpark and saying, “What’s this?” and you put it into your PC, and boom, you have malware that spreads out because of these types of common mistakes. So again, it’s not about technology, but about mindset, Cyber Security Awareness. Building that cybersecurity awareness inside your companies and business is what we offer to our customers free of charge. We offer them a SaaS platform where we can prepare employees through mandatory training, whereby they learn how to recognise threats.


There are simple things like that, such as how to recognise a phishing email. It looks genuine, with all the company logos and everything. And then it asked me for my passport credentials. I know what I’ve done with my passport recently, and I reset my password instead, to avoid compromising my personal information.


Industrial Automation Asia

So, when it comes to visibility and control, the strategy will be to reduce the attack surfaces, network segmentation, sandboxing qualifying, and maybe MFA. And is there anything else that we need to look at?


Emmanuel Miranda

Yes, sandboxing. You need real-time protection with in-line sandboxing. If you don’t have in-line sandboxing in place, malware is only detected after the fact, which could be minutes or hours later, meaning the damage could already be done. Secure remote access allows clients or contractors to connect directly to OT systems without being physically present.

And we are working with our technology partners such as Xona Systems to enhance their solution by providing Sandboxing.


We’re working with a large company that wants to push files, documents, patches, and before it goes inside OT, it goes through our sandbox, where it is detonated in a safe environment and checked. And the good thing about sandboxing, going back to the integrated platform again, is that as soon as the sandbox is connected to the system and sees something suspicious, it creates intelligence and IOCs (indicators of compromise), and it is shared with the other Fortinet solutions.


Industrial Automation Asia

Looking at the Southeast Asia region and the nature of cybersecurity attacks in this region, can you comment on the strategy and plans of Fortinet?


Joe Sarno

Since we started this journey into OT about five years ago, we have not only been building better and more capable technology for the operational technology and consumer space, as Emmanuel has been illustrating; we’ve also been increasing the knowledge base. As I mentioned before, we specifically have a specialised NSE training at level seven, which is why we have eight levels of training in Fortinet. These are trainings that we do for partners and end-users and customers. There are eight levels, from one to eight. Level seven is very high-level, which we specifically developed, and we are the only one in the market right now to have an operational technology-specific training course.


This is the number one training facility that we can offer to our customers. So, for sure we need the right skillsets, because I spoke this morning about the 4 million-wide cybersecurity-related gap. So, we are trying our best to train as many people as possible to be able to manage the use of Fortinet products.


The other thing is that we’ve been increasing our capacity in terms of people. Emmanuel is driving the APAC region in terms of operational technology practice, together with me as a team of five or six people. One of our hiring mandates is to bring onboard talents directly from the OT sector. I’ve been really strict about having people coming from the right segments. So, whether it be oil and gas, power generation, transportation, manufacturing, or utilities, they need to come from the OT sector.


And clearly, again, we’ve been increasing that team. We have a big team, also made up of experts as well. We’ve got two OT engineers, and product managers. All the requirements coming from the field need to be checked because of our customers’ specific requirements for the network. We feed that information back to the product managers. And they go to engineering and work with engineers to build these products for our customers.


We’re a big company, but we still have a very new startup mind, so we like to listen to customers, get their feedback, and implement new solutions and new technologies to help our customers mitigate these threats.


We have specialised OT experts within product development, management, building and promotion. And of course, we’ve been training all our salespeople. We have a very strong sales readiness training inside our company, whereby we give them the minimum language knowledge, let’s say, before they sit in front of a customer. So, they need to be creative with their expertise and legal cybersecurity knowledge, so they understand that they can capture and give these pitches like experts to customers.


Emmanuel Miranda

Coming back to OT, we want to see things like OT-specific dashboards, customers are telling us that they need more visibility to understand what’s happening on their networks.


We now have a new feature in our Security Information and Event Management system, the FortiSIEM. The MITRE ATT&CK ICS matrix is now embedded, and dashboards for ICS are created to show Rule coverage, Incident coverage and Kill Chain analysis for ICS Techniques. This is an important feature for asset owners.



Industrial Automation Asia

As you have explained just now, when it comes to the human element, education and training are very important. So, the example you gave of picking up a USB drive, as well as other social engineering techniques. What can we do to reduce the effect of social hacking?


Emmanuel Miranda

When you go to plants, any plant, most of the time you go through a mandatory Safety induction. We could create a mandatory Security induction for our clients’ employees and contractors.


Fortinet can provide the NSE 1, 2, 3 programs to build the basics of cybersecurity awareness. This is an online course that people can go through within 15-20 minutes. This is something very simple to implement and cost-effective. You train all your contractors and employees within a year.


Joe Sarno

Right now, the energy services are being targeted, which is very impactful to daily life. Imagine if we lose electricity for 24 hours in Singapore. Oil and gas companies are very keen on protecting their infrastructure. Especially nowadays, we’re seeing what’s going on in Europe – one of the major attack areas, especially with Russian pipelines, has put the oil & gas industry under stress. And the Ukraine conflict is not helping either.


Thank you so much everyone for the session.

Special thanks to Joe and Emmanuel for agreeing to and participating in the interview session.

