White Paper

WHITE PAPER A Solution Guide to Operational Technology Cybersecurity 2A Solution Guide to Operational Technology Cybersecurity WHITE PAPER 3A Solution Guide to Operational Technology Cybersecurity WHITE PAPER Executive Summary With the acceleration of digital transformation (DX)—such as the transition to Industry 4.0—it has become critical for organizations to understand the similarities and differences between their information technology (IT) and operational technology (OT) networks, as well as what happens when the two intersect. IT generally refers to computing, networking, and managing information in organizations. OT controls processes that have safety and physical impacts, guiding physical processes with equipment in manufacturing plants, power stations, pipelines, railways, and other infrastructure. While the impact of IT functions are typically restricted to an organization itself, many components of OT are critical to public safety and global economic health. IT and OT networks have traditionally been kept separate (even air gapped) but, motivated by the business advantages that are possible through DX, they are now being integrated. Benefits of this convergence include the ability to reduce costs, boost productivity, and achieve a competitive advantage. The downside is that interconnecting the environments increases exposure to cyber intrusions, with cybercriminals taking advantage of targeting IT networks to gain access to OT systems. Attacks on power grids, shipping lines, manufacturing plants, and other facilities are steadily increasing. In a global survey of OT security professionals, a staggering 93% of organizations admitted to experiencing an intrusion in the past 12 months, and 78% experienced more than three. Impacts included downtime, financial or data loss, brand degradation, and even reduced physical safety. The result is that companies in many industries are scrambling to provide security for vulnerable OT systems. Independent research for Fortinet by Westlands Advisory finds that investment in IT/OT and OT-specific security technologies totaled $6.9 billion for all of 2022. And these investments are increasing more quickly than spending on IT-only cybersecurity, with a projected compound annual growth rate (CAGR) of 21% for OT security and 16% for IT/OT cybersecurity between now and 2027. These investments are imperative in ensuring that organizations’ IT and OT security postures are ready for the most sophisticated attacks. Today’s cybersecurity solution must cover the entire attack surface, share threat intelligence between security products, and automate responses to threats. This comprehensive guide explains how Fortinet effectively provides security throughout the interconnected IT and OT infrastructure while fully enabling integration across Fortinet and partner security solutions and supporting security automation across the entire security ecosystem. It also explores how IT and OT are different yet increasingly interconnected, as well as ways to address increased security risks arising from such integrations. The air gap between OT and IT has evaporated and cyberthreats pose a real challenge to OT organizations: nearly three-quarters indicate they experienced a successful malware intrusion in the past year.

4A Solution Guide to Operational Technology Cybersecurity WHITE PAPER This guide also reviews how elements of the Fortinet Security Fabric map to security controls in leading cybersecurity regulations, standards, and best practices. It outlines an architectural framework for securing OT—correlated to the Purdue Enterprise Reference Architecture (PERA)—and suggests actionable next steps in a journey to a desired state for cybersecurity. Finally, a helpful appendix maps existing OT security needs to Fortinet Security Fabric offerings. Here is a review of the Fortinet cybersecurity platform—Fortinet Security Fabric for IT and OT—and a close look at the five things every organization must do to secure interconnected digital ecosystems:

Digital Transformation: Opportunities, Challenges, and IT/OT Convergence OT networks comprise industrial control systems (ICSs) that control equipment in industrial sectors such as manufacturing, energy and utilities, and transportation. ICSs were deployed decades before IT networks and were at first analog and proprietary, with little or no connectivity to IT or external networks. This led to the air gap practice of protection, that OT networks were “safe” because of their relative isolation. As part of the larger drive towards digital transformation, organizations started unlocking the traditional boundaries between IT and OT to leverage digital technologies. The Internet of Things (IoT), Industrial Internet of Things (IIoT), cloud computing, artificial intelligence (AI), and other innovations that converge IT and OT networks can optimize operations, improve safety and reliability, and deliver a competitive edge. All the improved agility and efficiency that comes from IT/OT convergence, however, also comes with increased risks to the business. The diminishing presence of the air gap between OT and IT networks means the OT infrastructure is subject to all the threats that IT systems have traditionally faced. Worse, an attack on OT systems can compromise industrial processes and equipment or critical infrastructure—potentially causing dire health and safety consequences if they are breached. For organizations looking to adapt the IT and OT infrastructure to account for convergence and DX, the security for the infrastructure must also transform to protect against evolving cyberthreats.