
SOLUTION BRIEF

Securing OT Networks
With Microsegmentation

Executive Summary

Traditionally, operational technology (OT) networks have used local-area network (LAN) solutions, such as virtual LAN (VLAN) on switches, to protect against lateral movement of malware throughout the network. While VLAN solutions can provide segmentation with a greater degree of flexibility, this level of segmentation is insufficient to secure these networks.

With Fortinet microsegmentation, it is possible to implement a zero-trust security policy and to scan all traffic within a VLAN using a next-generation firewall (NGFW), dramatically decreasing the ability of malware to move laterally throughout the network. Microsegmentation provides the OT network with the level of security that it needs without sacrificing network performance.

Sidebar: A VLAN operates at Layer 2 of the communications network and divides a single communications network into multiple virtual networks. This partitions a single broadcast domain into multiple smaller domains, improving network performance. VLANs also enable logical grouping of network elements that are physically dispersed within a communications network.
Introduction to ICS/OT Networks
The communications network within an industrial control system (ICS)/operational
technology (OT) realm is known as a process control network (PCN). It enables
communication between the various automation processes residing on discrete
components of the ICS, including the programmable logic controller (PLC), remote
terminal unit (RTU), distributed control system (DCS), and supervisory control and
data acquisition (SCADA) systems.

The PCN transmits instructions and data between control and measurement units and interconnects various components
within an ICS/OT environment. PCNs are high-performance, robust, and deterministic LANs. A PCN must maintain constant
availability, rapid response, and robust error checking and correction to ensure zero downtime and enable the deterministic,
error-free, and continuous operations of an ICS.

To achieve the determinism and robustness requirements of an ICS, PCNs are often configured in flat network structures with
little or no boundary limits between the different components of an ICS, as shown in Figure 1. This inherently flat network
structure of the PCN makes it faster and easier to maintain.

[Figure 1: Example of flat PCN topology. Elements shown: HMI, SCADA historian, and a single PLC on one flat network.]


However, it also makes it prone to numerous security threats, such as lateral movement of malware within the PCN and network floods. These threats can potentially disrupt the PCN communications and stall the entire ICS. Moreover, the flat network structure makes it difficult to integrate a PCN with other communications networks outside of the ICS boundary.

Traditionally, the automation industry has utilized LAN solutions, such as network bridges and gateways, to separate the various components and restrict network broadcasts or floods within the PCN. The implementation of VLANs can add flexibility to this segmentation process, allowing network separation regardless of physical layout. However, VLANs alone do not address the security issues that could still cause significant damage to the PCN. Furthermore, the adoption of VLAN-based segmentation within PCNs is slow compared to enterprise networks.

Sidebar: The Purdue Enterprise Reference Architecture, originally developed in the 1990s for computer integrated manufacturing, provides guidance to system integrators and owners on how to segment a large-scale system into multiple levels. This enables better control over integration of various components and subsystems. ISA-99 adopted this model for segmenting ICS into multiple levels and implementing security controls. ISA-99 later became an IEC standard, ISA/IEC 62443.

Zones and Conduits in ICS/OT Networks

To address the security challenges within ICS/OT networks, the automation industry introduced the concept of zones and conduits to segment the PCN into multiple zones, isolating the various components in an ICS. Within an ICS, a zone groups logical or physical assets that share common security requirements and defines the security boundaries for information entering and leaving a zone. Conduits are introduced between different zones to control communication between zones and to implement security controls. Conduits act as control mechanisms (gatekeepers) between the different zone boundaries.

The zone and conduit model is introduced in International Society of Automation (ISA)/International Electrotechnical Commission
(IEC) 62443-1-1 and IEC 62443-3-2 and provides detailed guidance on how to define zones and conduits. Additionally, the
Purdue Enterprise Reference Architecture (PERA) framework can be used to segment the various zones and conduits within an
ICS into multiple levels.

[Figure 2: Concept of zones and conduits. Zone A and Zone B are connected only through a conduit.]

Industrial Disruption—OT, IIoT, IT, IoT, and Convergence


The evolution of Industry 4.0 and disruptive technologies, like the Internet of Things (IoT) and Industrial IoT (IIoT), transformed
ICS/OT networks into more converged networks. ICS/OT are no longer operating in an isolated environment. Instead, they are
connected to enterprise IT networks and the external internet and are being used to collect business intelligence and derive
business decisions.

In a converged ICS/OT and IT infrastructure, communication is no longer based on proprietary network communication protocols
or even simply ICS/OT-specific communication protocols. Instead, the converged ICS/OT and IT network relies on a combination
of complex proprietary and open standard communication protocols that are inherently vulnerable to various attacks. This
expands the network’s attack surface and makes traditional security controls, such as VLANs, insufficient for ICS, especially as OT and IT networks converge.

Although defining zones and conduits and segmenting networks into levels are essential for ICS/OT and IT convergence, they do not entirely address network security challenges within a converged infrastructure. VLANs are not sufficient to prevent sophisticated network attacks.

VLANs freely forward network packets to devices that are part of the same broadcast domain. Every packet that needs to travel beyond the broadcast domain boundary requires a network routing mechanism. Typically, the routing mechanism acts as a virtual or physical conduit and is sometimes used to implement security controls, such as network traffic inspection, to control communication between the two broadcast domains. While VLAN routing mechanisms offer some security benefits, they are insufficient in modern ICS/OT and IT converged infrastructure.

VLANs also fail to inspect the network communication within the same broadcast domain. Within a broadcast domain, the devices that are part of a VLAN can unrestrictedly communicate with one another without these communications being inspected or controlled.

Sidebar: The zero-trust security model states that all attempted connections to an organization’s system should be verified before granting access, whether they come from inside or outside the organization’s network. The same zero-trust security concept is followed in ICS/OT infrastructure to whitelist the network communication between different ICS components.

In a typical ICS/OT network deployment, there are dozens of components grouped together in a single VLAN, and these
components can freely communicate with one another without going through a routing conduit. This enables any anomalous
network communication to move laterally within the PCN.

Once these networks are converged with other networks, usually outside the ICS/OT boundaries, it becomes critical to inspect
each and every communication channel. Otherwise, attacks on the network could remain undetected due to complex network
integrations. Moreover, the use of open communication protocols for exchanging information between the ICS/OT and IT
networks introduces additional risk, where weakness in the communication protocol design and the availability of exploits can
provide a vector to attack ICS/OT environments.

Microsegmenting ICS/OT Networks


VLAN provides logical segmentation flexibility; however, microsegmentation provides more granular control over network traffic
by further partitioning the VLAN and implementing security policies for each partition. Further, these security policies can be
tailored to different types of network traffic to limit network and application flows between various components of an ICS. With
microsegmentation, ICS owners can implement a zero-trust security model, ensuring that a particular PLC cannot communicate
with another PLC unless explicitly permitted by the security policy, even when both PLCs are part of the same VLAN.
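The two models the brief contrasts, zones and conduits gating only cross-zone traffic while the switch forwards everything inside a VLAN, and microsegmentation applying an explicit allow-list to every flow including same-VLAN ones, can be made concrete by evaluating a handful of flow records against both. The following is an added example, not Fortinet code or a FortiOS configuration; the device names, zone assignments, VLAN ids, conduit rules and sample flows are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One observed connection attempt (constructed sample data)."""
    src: str
    dst: str
    proto: str  # application protocol name
    dport: int


# Constructed asset inventory: device name -> (zone, VLAN id).
ASSETS = {
    "hmi-1": ("supervisory", 100),
    "eng-ws": ("supervisory", 100),
    "plc-1": ("process", 200),
    "plc-2": ("process", 200),
    "plc-3": ("process", 200),
    "erp-1": ("enterprise", 10),
}

# Conduits between zones: (src_zone, dst_zone) -> permitted (proto, dport) pairs.
# There is deliberately no conduit from the enterprise zone to the process zone.
CONDUITS = {
    ("supervisory", "process"): {("modbus", 502)},
    ("enterprise", "supervisory"): {("https", 443)},
}


def zones_and_conduits(flow: Flow) -> bool:
    """Zone/conduit model on top of plain VLANs: traffic inside one VLAN is forwarded
    freely by the switch; only cross-VLAN traffic is gated by a conduit."""
    src_zone, src_vlan = ASSETS[flow.src]
    dst_zone, dst_vlan = ASSETS[flow.dst]
    if src_vlan == dst_vlan:
        return True  # same broadcast domain: nothing inspects this
    return (flow.proto, flow.dport) in CONDUITS.get((src_zone, dst_zone), set())


# Microsegmentation policy: explicit per-device allow-list. Anything not listed is
# denied, including flows between two devices that share a VLAN.
MICROSEG_POLICY = {
    ("hmi-1", "plc-1", "modbus", 502),
    ("hmi-1", "plc-2", "modbus", 502),
    ("eng-ws", "plc-3", "modbus", 502),
    ("erp-1", "hmi-1", "https", 443),
}


def microsegmentation(flow: Flow) -> bool:
    """Zero-trust check: every flow, same-VLAN or not, must match an explicit rule."""
    return (flow.src, flow.dst, flow.proto, flow.dport) in MICROSEG_POLICY


def evaluate(flows):
    """Return (flow, allowed_by_zone_conduit_model, allowed_by_microseg) per flow."""
    return [(f, zones_and_conduits(f), microsegmentation(f)) for f in flows]


def lateral_gap(flows):
    """Flows the VLAN/conduit model forwards but the microsegmentation policy denies:
    exactly the intra-VLAN lateral paths a flat broadcast domain leaves open."""
    return [f for f, by_vlan, by_ms in evaluate(flows) if by_vlan and not by_ms]


# Constructed sample flows.
SAMPLE_FLOWS = [
    Flow("hmi-1", "plc-1", "modbus", 502),   # legitimate supervisory -> process
    Flow("plc-1", "plc-2", "modbus", 502),   # PLC to PLC inside VLAN 200
    Flow("hmi-1", "eng-ws", "smb", 445),     # workstation to workstation inside VLAN 100
    Flow("erp-1", "plc-1", "modbus", 502),   # enterprise -> process, no conduit
    Flow("eng-ws", "plc-3", "modbus", 502),  # legitimate engineering access
]

if __name__ == "__main__":
    for f, by_vlan, by_ms in evaluate(SAMPLE_FLOWS):
        print(f"{f.src:>7} -> {f.dst:<7} {f.proto}/{f.dport}: "
              f"zone+conduit={'allow' if by_vlan else 'deny'} "
              f"microseg={'allow' if by_ms else 'deny'}")
```

The interesting output is `lateral_gap()`: both intra-VLAN flows (PLC to PLC, workstation to workstation) pass the zone-and-conduit model untouched and are only stopped by the per-device allow-list, which is the gap the section above describes.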

[Figure 3: Normal VLAN routing vs. microsegmentation using Fortinet FortiSwitch and FortiGate. Left: firewall above a FortiSwitch with PLCs in VLAN 1, where PLC-to-PLC traffic stays within the switch. Right: FortiGate above a FortiSwitch with PLCs in VLAN 1, where all PLC-to-PLC traffic is routed through the FortiGate.]


Typically, in a microsegmented network, NGFWs are used in conjunction with VLANs to implement security policies and to inspect and filter network communications. Fortinet FortiSwitch and FortiGate NGFW offer an integrated approach to microsegmentation. This integrated solution expands VLAN capabilities from Layer 2 network communication to Layer 3 (routing) and Layer 7 (visibility), enabling network traffic inspection. The FortiSwitch acts at Layer 2, defining VLANs, and the FortiGate NGFW acts at Layer 3, routing all communications between VLANs and within the same VLAN. This enables network traffic inspection using granular security policies, and the NGFWs enable Layer 7 inspection for the network protocols and information passing through the firewall.

Sidebar: The FortiGate NGFW runs on Fortinet’s proprietary operating system, FortiOS, which provides industry-leading network security features, such as DPI for ICS/OT protocols, support for ICS/OT specific network protocols, such as the Parallel Redundancy Protocol (PRP), advanced malware protection, an intrusion prevention system (IPS), and software-defined wide-area networking (SD-WAN) capabilities.

The Fortinet integrated solution for microsegmenting the ICS/OT networks provides numerous benefits to ICS owners.

- Host/device isolation. Isolating each device within the ICS network provides granular control over the network communication. The network traffic entering and exiting a device is forced to flow through the FortiGate NGFW, enabling security policy enforcement, traffic inspection, application control, and intrusion detection and prevention.
- ICS protocol deep packet inspection (DPI). The FortiGate NGFW provides support for DPI for over 32 ICS/OT protocols with 1,500+ out-of-the-box application control signatures.
- Lateral movement prevention. Isolation of each component of ICS makes it difficult for malware to spread laterally within the ICS network. All traffic within the ICS network is subject to inspection and policing.
- High performance. FortiGate NGFWs are high-performance firewalls with low latency, which makes them an ideal choice for network traffic inspection within a microsegmented ICS network.
- Seamless integration. Logical and physical network connections remain unchanged.
- Single-pane-of-glass management. The entire solution is managed through an integrated management console, assisting ICS owners with security automation.
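Layer 7 inspection of an ICS protocol means looking past the TCP port at what the request actually asks the controller to do. The following added example (not FortiOS code, and not one of the signatures the brief refers to) parses Modbus/TCP request frames and applies a constructed per-source policy in which the operator HMI may only read and the engineering workstation may also write; hosts absent from the policy are denied by default, and malformed frames are denied rather than guessed at. Modbus was chosen here as a representative ICS protocol; the host names, policy and sample frames are constructed.

```python
import struct

MBAP_HEADER_LEN = 7  # transaction id (2), protocol id (2), length (2), unit id (1)

# Modbus public function codes grouped by their effect on the PLC.
READ_FUNCTIONS = {1, 2, 3, 4}          # read coils, discrete inputs, holding/input registers
WRITE_FUNCTIONS = {5, 6, 15, 16, 23}   # write coil(s), write register(s), read/write multiple


def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse the MBAP header and function code of one Modbus/TCP request.
    Raises ValueError for anything that is not a well-formed frame."""
    if len(frame) < MBAP_HEADER_LEN + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:MBAP_HEADER_LEN])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus (expected 0)")
    # The length field counts the unit id plus the PDU, i.e. every byte after itself.
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} disagrees with frame size {len(frame)}")
    return {
        "transaction_id": tid,
        "unit_id": uid,
        "function_code": frame[MBAP_HEADER_LEN],
        "pdu": frame[MBAP_HEADER_LEN:],
    }


# Constructed per-source policy: which function codes each host may send to PLCs.
# Hosts missing from the table get an empty set, i.e. default deny.
FUNCTION_POLICY = {
    "hmi-1": READ_FUNCTIONS,
    "eng-ws": READ_FUNCTIONS | WRITE_FUNCTIONS,
}


def inspect(src: str, frame: bytes) -> tuple:
    """Return ("allow" | "deny", reason) for a request sent by `src`."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as exc:
        return "deny", f"malformed frame: {exc}"
    fc = req["function_code"]
    if fc in FUNCTION_POLICY.get(src, set()):
        return "allow", f"function code {fc} permitted for {src}"
    return "deny", f"function code {fc} not permitted for {src}"


def build_request(tid: int, uid: int, pdu: bytes) -> bytes:
    """Assemble a Modbus/TCP frame; used here only to construct sample traffic."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, uid) + pdu


# Constructed sample requests (not captured from any real system).
READ_HOLDING = build_request(1, 1, bytes([3, 0x00, 0x00, 0x00, 0x0A]))  # fc 3: read 10 registers
WRITE_SINGLE = build_request(2, 1, bytes([6, 0x00, 0x05, 0x00, 0x01]))  # fc 6: write register 5

if __name__ == "__main__":
    cases = [("hmi-1", READ_HOLDING), ("hmi-1", WRITE_SINGLE),
             ("eng-ws", WRITE_SINGLE), ("plc-2", READ_HOLDING),
             ("hmi-1", READ_HOLDING[:5])]
    for src, frame in cases:
        verdict, reason = inspect(src, frame)
        print(f"{src:>7}: {verdict:<5} {reason}")
```

Port 502 being open between two hosts tells a plain VLAN or a Layer 3 ACL nothing about whether the request is a read or a write; the function-code check is what turns a network path into an application-level permission.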

The Fortinet integrated solution for microsegmentation also uses PERA guidance for solution deployment. The
microsegmentation can be implemented at any level within the ICS/OT network as long as there is network connectivity between
the various components of the ICS.

[Figure 4: Sample Fortinet FortiSwitch and FortiGate microsegmentation PERA deployment architecture. Level 2, Supervisory Control Network: engineering workstation and operator PC in VLAN 100. Level 1, Process Control Local-area Network: PLC #1, PLC #2 and PLC #3 in VLAN 100. Level 0, Physical Plant Floor Instrumentation Bus Network. Legend: normal VLAN traffic blocked; Fortinet traffic flow with NGFW inspection.]


Conclusion
ICS/OT networks are largely composed of long life-cycle devices with unique operating requirements. They require an OT-specific
approach to security.

Fortinet has demonstrated that it has a unique perspective on ICS/OT network security, which enables Fortinet to combine
insights with OT-specific threats tracked by FortiGuard Labs into OT-specific security threat reports and to develop solutions
that uniquely meet the needs of OT environments.

VLAN-based microsegmentation enables ICS to control business risk while benefiting from a logically segmented network.
The Fortinet Security Fabric is essential to tying these solutions together and providing the security team with full, centralized
visibility and control over all of their security infrastructure.

www.fortinet.com

Copyright © 2021 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product
or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other
conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser
that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any
such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise
revise this publication without notice, and the most current version of the publication shall be applicable.

August 27, 2021 6:09 AM


562135-A-0-EN
