Operational Technology Cybersecurity Assurance With Deception

By Moshe Ben Simon | October 18, 2022

The convergence of IT and OT has opened a new attack surface for operational technology (OT) environments. In a global survey, industrial facility and other OT leaders reported a 20% increase in system intrusions over the previous year as network environments continue to move from closed to open systems.

Unfortunately, many organizations are ill-equipped to secure legacy supervisory control and data acquisition (SCADA) and industrial control system (ICS) devices found in OT environments. The problems often relate to incompatible security controls and the complexity involved in building a holistic security infrastructure that encompasses both OT and IT environments.

In addition, legacy systems often have limited built-in security controls, which leaves critical devices unpatched or unmonitored. Even when a patch is available, applying it requires a maintenance window, and those windows are costly and may be months or even years apart.

The Reality of OT Security Challenges

As OT network environments are increasingly integrated with IT environments for external access, OT systems are more vulnerable to the types of intrusions typically found in IT. Examples include: 

  • IT threats that have been recycled to target OT environments, such as EKANS ransomware
  • Threats that specifically target OT, such as Stuxnet
  • Attacks that can laterally move from IT networks to OT and vice versa
  • Zero-day threats that target legacy OT systems that can’t be patched 

Adopting security across the board is difficult because of legacy systems, the downtime that security implementation requires, and a complex, disjointed approach with one set of controls for IT and another for OT. Organizations that designed and built their OT infrastructure without considering cybersecurity will need to retrofit controls later, both to limit production disruption from cyberattacks and to comply with newer industry regulations and avoid noncompliance penalties.

Organizations could consider reusing their IT security solutions for OT, but those solutions were usually not designed with OT systems in mind. A few examples illustrate the gap:

  • Antivirus products are often incompatible with legacy systems, either because the operating system (OS) is no longer supported or because the hardware does not meet the product's minimum requirements.
  • A typical legacy firewall can inspect IT services and applications but cannot decode OT protocols such as OPC, BACnet, and Modbus.
  • Typical legacy intrusion detection and prevention systems carry signatures for IT application vulnerabilities, not for OT vulnerabilities.
  • Some external threat feeds cover IT but not OT.

How Can Deception Technology Help for OT Environments?

Deception technology offers three key benefits for OT environments: active defense, broad coverage, and automated protection. It is a powerful addition to a security strategy because it focuses on the source of threats: the threat actors themselves. Incorporating deception's early detection and response characteristics as a proactive defense elevates an organization's existing security posture and reduces business disruption from external or internal threats.

Deploying security in an OT environment is complex; deception lowers that barrier because it is unintrusive and adds no latency to OT operations before, during, or after deployment. The right solution also integrates with third-party security tools to enable automated threat response and contextual threat hunting, which improves SOC efficiency and lets SecOps scale further.

What is FortiDeceptor for Operational Technology Environments?

Fortinet’s FortiDeceptor solution provides simple-to-use, unintrusive, early detection of threats that target OT and IT environments. Through the deployment of decoys and tokens, FortiDeceptor automates the containment of cyberattacks before serious damage occurs.

FortiDeceptor can simulate many types of OT, ICS, and IoT decoys: SCADA PLCs and HMIs; medical IoT such as PACS servers and infusion pumps; printers, IP cameras, routers, modems, and UPS units; and critical applications such as SAP and other enterprise resource planning (ERP) systems. Users can also upload their own "golden images" to create decoys that match production hosts.

FortiDeceptor is easy to use and not intrusive. Unlike security solutions that require infrastructure changes or taking SCADA/ICS operations offline to install an agent, it creates a fake environment that simulates the real network and its assets in order to lure threat actors away from critical systems. Any interaction with that environment gives an early warning of an impending attack, so an automated response can protect both IT and OT segments. FortiDeceptor also discovers the network and its assets automatically and recommends appropriate decoys and placement.

In the first stage of the Cyber Kill Chain, a threat actor typically performs active reconnaissance to understand the environment and identify assets of interest before launching a full campaign. Because the decoys are built to be indistinguishable from production assets, any interaction with them during reconnaissance raises an immediate alert. These alerts carry very little noise because legitimate users and processes only interact with the real assets; the one routine exception is the organization's own vulnerability and asset scanners, which should be allow-listed so their sweeps do not page the SOC. FortiDeceptor also records the threat actor's tactics, which can reveal their objectives and the tools they used, giving defenders first-hand insight into adversary techniques.
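To make the two technical points above concrete (an OT-aware control has to decode the industrial protocol itself, and a decoy that nobody legitimately talks to turns every interaction into a high-signal alert), here is an added example: a minimal Modbus/TCP PLC decoy written for this page, not FortiDeceptor's code. It parses the MBAP header and function code, answers reads and single-register writes the way a real PLC would (including Modbus exception responses) so the decoy stays believable, and raises an alert for any source that is not on a constructed allow-list of the site's own scanners. All addresses, register values and traffic are constructed for the example.

```python
"""Modbus/TCP PLC decoy: decode each request, answer like a real PLC, alert on any
interaction from a source that is not an authorised scanner.

Constructed example; not FortiDeceptor code. Hypothetical names throughout.
"""
import struct
from dataclasses import dataclass, field

# MBAP header: transaction id, protocol id (always 0), length of what follows, unit id.
MBAP = struct.Struct(">HHHB")

FUNCTION_NAMES = {
    0x01: "Read Coils", 0x03: "Read Holding Registers", 0x05: "Write Single Coil",
    0x06: "Write Single Register", 0x10: "Write Multiple Registers",
}
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10}

# Assumed: the site's own vulnerability/asset scanners touch every host and must
# not page the SOC. Anything else touching a decoy has no business there.
AUTHORISED_SCANNERS = {"10.0.0.5"}


@dataclass
class Alert:
    src: str
    function: int
    name: str
    severity: str   # reads are reconnaissance; writes are an attempt to change the process
    detail: str


@dataclass
class ModbusDecoy:
    # Fake holding registers so a scan sees plausible process values (constructed).
    registers: list = field(default_factory=lambda: [0x0123, 0x0456, 0x0789, 0x0ABC])
    alerts: list = field(default_factory=list)

    def handle(self, src, frame):
        """Process one request frame; return (response_frame, alert_or_None)."""
        if len(frame) < MBAP.size + 1:
            return b"", None                      # too short to carry a function code
        tid, proto, length, unit = MBAP.unpack_from(frame)
        if proto != 0 or length != len(frame) - 6:
            return b"", None                      # not a well-formed Modbus/TCP frame
        func, data = frame[7], frame[8:]
        alert = None
        if src not in AUTHORISED_SCANNERS:
            alert = Alert(src, func, FUNCTION_NAMES.get(func, f"function 0x{func:02x}"),
                          "high" if func in WRITE_FUNCTIONS else "medium",
                          f"unit {unit} data {data.hex()}")
            self.alerts.append(alert)
        pdu = self._respond(func, data)
        return MBAP.pack(tid, 0, 1 + len(pdu), unit) + pdu, alert

    def _respond(self, func, data):
        """Build a response PDU (function code + data), including proper exception codes."""
        if func == 0x03 and len(data) == 4:
            start, qty = struct.unpack(">HH", data)
            if 1 <= qty <= 125 and start + qty <= len(self.registers):
                regs = b"".join(struct.pack(">H", r) for r in self.registers[start:start + qty])
                return bytes([func, len(regs)]) + regs
            return bytes([func | 0x80, 0x02])     # exception 02: illegal data address
        if func == 0x06 and len(data) == 4:
            addr, value = struct.unpack(">HH", data)
            if addr < len(self.registers):
                self.registers[addr] = value      # accept the write so the fake PLC stays believable
                return bytes([func]) + data       # a successful single write is echoed back
            return bytes([func | 0x80, 0x02])
        return bytes([func | 0x80, 0x01])         # exception 01: illegal function


def build_request(tid, unit, func, data):
    """Encode a Modbus/TCP request (used here only to construct sample traffic)."""
    pdu = bytes([func]) + data
    return MBAP.pack(tid, 0, 1 + len(pdu), unit) + pdu


def replay_sample():
    """Constructed traffic: an authorised scanner, then an unknown host that reads and writes."""
    decoy = ModbusDecoy()
    traffic = [
        ("10.0.0.5",  build_request(1, 1, 0x03, bytes.fromhex("00000004"))),  # scanner: read regs 0-3
        ("10.0.9.77", build_request(1, 1, 0x03, bytes.fromhex("00000004"))),  # recon: read regs 0-3
        ("10.0.9.77", build_request(2, 1, 0x06, bytes.fromhex("0001ffff"))),  # write reg 1 := 0xFFFF
    ]
    for src, frame in traffic:
        decoy.handle(src, frame)
    return decoy.alerts


if __name__ == "__main__":
    for a in replay_sample():
        print(f"[{a.severity}] {a.src} -> {a.name} ({a.detail})")
```

Two design choices matter in practice. The decoy answers with valid Modbus responses and exception codes rather than dropping unknown requests, because a scanner that sees a half-implemented protocol fingerprints the host as a honeypot and moves on. And severity is keyed to the function code: a read is reconnaissance, while a write to a decoy register is an attempt to change the process and should trigger the automated containment the page describes.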

Integration is Easy with FortiDeceptor

Because FortiDeceptor is part of the Fortinet Security Fabric, it supports seamless integration with Fortinet products. In addition, FortiDeceptor also integrates with third-party security solutions via the Fortinet Security Fabric Connector.

Contextual Threat Intelligence About Your Organization

FortiDeceptor correlates every action of the threat actor into a campaign timeline with contextual intelligence about their tactics, techniques, and procedures (TTPs), helping the SOC team make faster, better-informed decisions. Organizations with a large security operations center (SOC) may prefer to let threat actors engage with the decoys so their activity can be studied, then perform the necessary mitigation and response once the investigation is complete. Other organizations may prefer to integrate deception into their automation framework for threat response and/or threat hunting.
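What "correlating every action into a campaign timeline" looks like in code, as an added example that is not FortiDeceptor's correlation engine: decoy events are grouped per source address, split into separate campaigns when a source goes quiet for longer than a session gap, tagged with an ATT&CK for ICS technique, and flagged as escalated when discovery activity is followed by a parameter write. The technique mapping, decoy names, addresses and events are all assumptions constructed for the example.

```python
"""Correlate decoy interactions per source into campaign timelines.

Constructed example, not FortiDeceptor code. The activity-to-technique mapping is an
assumed, illustrative one; a real deployment would map its own decoy telemetry.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed mapping from decoy activity to MITRE ATT&CK for ICS techniques.
TECHNIQUES = {
    "tcp_connect": ("T0846", "Remote System Discovery"),
    "modbus_read": ("T0888", "Remote System Information Discovery"),
    "modbus_write": ("T0836", "Modify Parameter"),
}
DISCOVERY = {"T0846", "T0888"}


@dataclass(frozen=True)
class DecoyEvent:
    ts: datetime
    src: str
    decoy: str      # hypothetical decoy name
    activity: str   # key into TECHNIQUES
    detail: str


@dataclass
class Campaign:
    src: str
    first_seen: datetime
    last_seen: datetime
    events: list = field(default_factory=list)
    techniques: list = field(default_factory=list)  # (id, name) in order first observed
    escalated: bool = False                         # discovery followed by a parameter write


def technique(activity):
    return TECHNIQUES.get(activity, ("unmapped", activity))


def correlate(events, session_gap=timedelta(minutes=30)):
    """Group decoy events by source; silence longer than session_gap starts a new campaign."""
    campaigns = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        runs = campaigns[ev.src]
        if runs and ev.ts - runs[-1].last_seen <= session_gap:
            c = runs[-1]
        else:
            c = Campaign(ev.src, ev.ts, ev.ts)
            runs.append(c)
        c.last_seen = ev.ts
        c.events.append(ev)
        tech = technique(ev.activity)
        if tech not in c.techniques:
            c.techniques.append(tech)
        # Recon that turns into a write against a decoy is the "full campaign" the page warns about.
        if tech[0] == "T0836" and any(t[0] in DISCOVERY for t in c.techniques):
            c.escalated = True
    return dict(campaigns)


def timeline(c):
    """Render one campaign as ordered lines an analyst can read top to bottom."""
    lines = []
    for ev in c.events:
        tid, name = technique(ev.activity)
        lines.append(f"{ev.ts:%H:%M:%S} {ev.decoy:<12} {tid} {name}: {ev.detail}")
    dwell = c.last_seen - c.first_seen
    decoys = len({e.decoy for e in c.events})
    lines.append(f"-- {len(c.events)} events, {decoys} decoys, dwell {dwell}, escalated={c.escalated}")
    return lines


T0 = datetime(2022, 10, 18, 9, 0, 0)
SAMPLE_EVENTS = [  # constructed, deliberately out of order
    DecoyEvent(T0 + timedelta(minutes=5), "10.0.9.77", "plc-decoy-1", "modbus_read", "FC03 holding regs 0-3"),
    DecoyEvent(T0, "10.0.9.77", "plc-decoy-1", "tcp_connect", "SYN to 502/tcp"),
    DecoyEvent(T0 + timedelta(minutes=1), "10.0.9.77", "plc-decoy-2", "tcp_connect", "SYN to 502/tcp"),
    DecoyEvent(T0 + timedelta(minutes=2), "10.0.9.77", "hmi-decoy-1", "tcp_connect", "SYN to 80/tcp"),
    DecoyEvent(T0 + timedelta(minutes=9), "10.0.9.77", "plc-decoy-1", "modbus_write", "FC06 reg 1 := 0xFFFF"),
    DecoyEvent(T0, "10.0.3.20", "plc-decoy-2", "tcp_connect", "single SYN, no follow-up"),
    DecoyEvent(T0 + timedelta(hours=3), "10.0.3.20", "plc-decoy-2", "tcp_connect", "single SYN, no follow-up"),
]


def sample_campaigns():
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for src, runs in sample_campaigns().items():
        for c in runs:
            print("\n".join(timeline(c)))
            print()
```

The output separates the host that swept three decoys and then wrote a register (one escalated campaign, nine minutes of dwell) from a host that sent two isolated probes three hours apart (two unescalated campaigns). That ordering of techniques per source is the context an analyst needs to decide whether to keep watching or to hand the source address to the automated response.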

Organizations with mature security programs typically adopt frameworks such as the NIST Cybersecurity Framework or MITRE ATT&CK. Industrial facilities looking to modernize their ICS architecture may also use the Purdue model as a systematic way to apply security to each zone across the OT/IT/IoT infrastructure. FortiDeceptor decoys can be placed in the various Purdue zones, including process control, operations and control, and business and enterprise.
