© Copyright Fortinet Inc. All rights reserved.
Fortify network security, enable digital transformation: Security without perimeter
陳弘治 / Vincent Chen
Technical Consultant
Fortinet 2018 Security Trend Predictions
The rise of self-learning Hivenet and Swarmbot threats
Ransoming commercial cloud platforms becomes a business for criminals
A new generation of (morphic) malware
Critical infrastructure networks come to the forefront
The underground network and cybercrime economy will use AI to automate services for hire
See: 2018 Threat Predictions, by Derek Manky
Mid-year 2017 Predictions Update
Information security is an essential key to digital transformation
Insight into latent threats
Adopt more innovative technology and automated control
Flexible deployment
Next-generation security must cover hybrid-cloud environments with consistent management and diverse deployment options
OT security
Extend IT security into operational technology networks
Data protection
Whatever form the data takes, at rest or in transit
Regulatory compliance
Integrate with existing security policies, standards and laws
[Security Transformation]
Security deployment must be integrated into the foundational framework of digital transformation; what has to be built is a new way of thinking about the security foundation. The discussion is no longer about a single product but about how well the overall solution integrates and how tightly its automated, coordinated defenses work together, so that security transformation is achieved across the board.
Automation
FORTINET SECURITY FABRIC 2018
A next-generation protection solution must provide broad visibility and protection that covers threats arriving from many directions.
Integrate diverse technologies to protect against and detect advanced threat intrusions.
An integrated, intelligent system that, through continuous automated assessment, keeps the security system itself optimally configured.
Next-generation security architecture framework
NETWORK
MULTI-CLOUD
PARTNER API
EMAIL
UNIFIED ACCESS
IOT-ENDPOINT
WEB APPS
ADVANCED THREAT PROTECTION
MANAGEMENT-ANALYTICS
Broad coverage, integrated
2018 Fortinet Solutions
Network Security: FortiGate Enterprise Firewall (Network Security); SWG; SD-WAN; IPS
Multi-Cloud Security: FortiGate Cloud Firewall (Network Security); FortiGate Virtual Firewall (Network Security)
Endpoint Security: FortiClient EPP
Web Application Security: FortiWeb Web Application Firewall
Email Security: FortiMail Secure Email Gateway
Secure Unified Access: FortiAP Wireless Infrastructure; FortiSwitch Switching Infrastructure
Advanced Threat Protection: FortiSandbox Advanced Threat Protection
Management - Analytics: FortiAnalyzer Central Logging / Reporting; FortiManager Central Security Management; FortiSIEM Security Information & Event Management
ICS networks will evolve from isolated physical entities toward digital information
Isolated, purpose-built equipment
Serial control or IP connectivity; ICS protocols encapsulated into IP networks
IT and ICS integration and cloud applications
Operational efficiency
Degree of information exposure
Security transformation is one of the necessary links in this evolution
Fortinet & Forrester industrial control survey statistics
SANS Institute Survey – The State of Security in Control Systems Today (June 2015)
51% of respondents discovered an ICS security breach in the past year*
17% of respondents reported six or more breaches, a number that has kept rising since 2015**
15% of respondents needed more than a month to detect a breach
44% of respondents could not identify the source of the breach
Tripwire – The State of Security: ICS, the Next Frontier for Cyber-Attacks (June 2016)
By 2020, an estimated 25% of incidents in ICS environments will be linked to IT security breaches
* Fortinet & Forrester – 2016 & 2018 Industrial Control Systems Security Trends: Challenges and Strategies For Securing Critical Infrastructure
** SANS Institute Survey – The State of Security in Control Systems Today (June 2015)
56% 2016 / 2018
The actual state of security in OT/ICS/SCADA environments – 2018
Source: A commissioned study conducted by Forrester Consulting on behalf of Fortinet, January 2018
• Nearly 90% of respondents have faced a related security incident
• More than 50% of those occurred within the past year
What is Operational Technology security?
What is Operational Technology (OT)? "hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes and events in asset-centric enterprises, particularly in production and operations."
What is Operational Technology Security? "the practices and technologies used to protect people, assets and information involved in the monitoring and/or control of physical devices, processes and events"
OT is commonly equated with SCADA; Supervisory Control and Data Acquisition (SCADA) is one control-system architecture within OT.
Terminology
Critical Infrastructure (CI)
Operational Technology (OT)
Industrial Control Systems (ICS)
Supervisory Control and Data Acquisition (SCADA)
Field Sensors/Actuators
A major OT incident: the 2009 Sayano-Shushenskaya hydroelectric plant accident
[Figure: the generator floor, air-oil tanks and power units (Unit 1, Unit 2) before and after the accident]
Deaths: 75
Damaged hardware and software: $425M
Total cost of reconstruction: $1.5B
Total reconstruction time: 2 years
https://zh.wikipedia.org/wiki/2009年薩揚-舒申斯克水力發電廠事故
The convergence of Information Technology and Operational Technology
Changes in the global market and in operational requirements force industry and technology to keep evolving
OT used to be…
Completely disconnected from IT
Using proprietary, private control protocols
Connected over dedicated, independent links
Running on special hardware and special proprietary operating systems
Impossible to understand, to manage, or to reach
OT is now…
Migrated onto, or tunneled across, the enterprise network
Using common Internet protocols
Increasingly connected over standard wireless technologies
Running on commodity hardware and ordinary commercial operating systems
A new-generation target for cybercrime
Operational Technology security in four parts
Part 1: Segmentation and Encrypted Communication
[Diagram: valve, fan and pump reached only through a segmented, encrypted communication path]
FortiGuard Industrial Security
Protocol and application identification
» Securing Critical Infrastructure (Industrial Control and SCADA)
» Needs a special class of applications, not generally used in an enterprise environment
» FortiGuard has over 1,100 industrial application signatures
IPS / Application Control for Industrial Systems
Some of the supported protocols:
BACnet, DNP3, Elcom, EtherCAT, EtherNet/IP, HART, IEC 60870-6 (TASE.2) / ICCP, IEC 60870-5-104, IEC 61850, LONTalk, MMS, Modbus, OPC, Profinet, S7, SafetyNET, Synchrophasor
Supported applications and vendors:
7-Technologies / Schneider Electric, ABB, Advantech, Broadwin, CitectSCADA, CoDeSys, Cogent, DATAC, Eaton, GE, Iconics, InduSoft, IntelliCom, Measuresoft, Microsys, MOXA, PcVue, Progea, QNX, RealFlex, Rockwell Automation, RSLogix, Siemens, Sunway, TeeChart, VxWorks, WellinTech, Yokogawa
Part 2: Secure Wired and Wireless Access
[Diagram: valve, fan and pump behind segmentation and encrypted communication, plus access control for users, devices, applications and protocols]
A single security management platform
Extend the security gateway's management reach
» Take advantage of the FortiLink protocol to extend management to FortiSwitch
» FortiView shows physical and logical topology, including FortiSwitch and APs
» Simplified management of FortiSwitch and APs from the FortiGate
Improve visibility of devices and connection state
» Easy segmentation of users and devices
» Consolidated visibility and reporting
FortiSwitch Rugged 112D-POE/124D
• Built to IP30 standards, no fans or moving parts
• Operates in extreme temperatures (-40 to 60 C)
• 12 or 24 gigabit Ethernet ports, RPS supported
FortiAP Outdoor Series
• IEEE 802.11a/b/g/n/ac standards-based, operates on both the 2.4 GHz and 5 GHz bands
• Operates in extreme temperatures (-40 to 60 C)
• Rogue AP detection; managed by FortiGate
Devices designed to industrial standards
Part 3: Role Based Access Control
[Diagram: valve, fan and pump behind segmentation and encrypted communication, access control, and role based access control for users, devices, applications and protocols]
Management policy does not need to change when users change
Each user can hold a different role in each control system
Control and mapping of resources become simpler and more flexible
Applies to both OT and IT environments, reducing management cost
RBAC - Role Based Access Control
User → Role → Permission → Resource
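The following is an added example, not Fortinet code, of the User → Role → Permission → Resource chain described above: a user is given a role per control system, roles may inherit from one another, and policy is written only against roles and resources, so staff changes touch the assignment layer and never the policy. All system, role and user names are hypothetical.

```python
"""
Added example (not Fortinet's code): per-control-system role-based access control.
Policy layer  : role -> {(resource, permission)}   (stable)
Assignment    : user -> {control_system: role}     (the only thing that changes with staff)
All names below are hypothetical.
"""
from typing import Dict, Set, Tuple

# Policy layer: what each role may do. Independent of who holds the role.
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "viewer":   {("hmi", "view"), ("historian", "read")},
    "operator": {("hmi", "operate"), ("plc", "read")},
    "engineer": {("plc", "write"), ("plc", "download_logic")},
}

# Role inheritance: engineer includes operator, operator includes viewer.
ROLE_PARENTS: Dict[str, Set[str]] = {"engineer": {"operator"}, "operator": {"viewer"}}

# Assignment layer: one role per user per control system (hypothetical users/systems).
USER_ROLES: Dict[str, Dict[str, str]] = {
    "alice": {"line-1": "engineer", "line-2": "viewer"},
    "bob":   {"line-1": "operator"},
}


def effective_roles(role: str) -> Set[str]:
    """Expand a role into itself plus every role it transitively inherits from."""
    seen: Set[str] = set()
    stack = [role]
    while stack:
        r = stack.pop()
        if r in seen:
            continue
        seen.add(r)
        stack.extend(ROLE_PARENTS.get(r, set()))
    return seen


def permissions_for(user: str, system: str) -> Set[Tuple[str, str]]:
    """All (resource, permission) pairs a user holds on one control system."""
    role = USER_ROLES.get(user, {}).get(system)
    if role is None:
        return set()  # no role on this system: deny by default
    perms: Set[Tuple[str, str]] = set()
    for r in effective_roles(role):
        perms |= ROLE_PERMISSIONS.get(r, set())
    return perms


def is_allowed(user: str, system: str, resource: str, permission: str) -> bool:
    return (resource, permission) in permissions_for(user, system)


def assign(user: str, system: str, role: str) -> None:
    """Onboarding or re-assignment changes only the assignment layer; policy is untouched."""
    if role not in ROLE_PERMISSIONS:
        raise KeyError(f"unknown role {role!r}")
    USER_ROLES.setdefault(user, {})[system] = role


if __name__ == "__main__":
    for u, s, res, perm in [("alice", "line-1", "plc", "download_logic"),
                            ("alice", "line-2", "plc", "read"),
                            ("bob", "line-1", "historian", "read"),
                            ("bob", "line-1", "plc", "write")]:
        print(f"{u}@{s} {perm} {res}: {'allow' if is_allowed(u, s, res, perm) else 'deny'}")
```

Note that a user's rights on one system say nothing about another: alice is an engineer on line-1 but only a viewer on line-2, and bob has nothing on line-2 at all, which is the per-system mapping the slide calls for.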
Strengthen user authentication by introducing two-factor authentication
Advantages of 2FA with OTP
The password may already be compromised… (stolen, cracked, shared)
An OTP mechanism achieves strengthened authentication
1st pass: USERNAME & PASSWORD, something the user set, verified against the User Directory Service
2nd pass: ONE TIME PASSWORD, something only the genuine user possesses, verified against the Token/OTP Database
Only after both passes is the DIGITAL ASSET reached
Part 4: Vulnerability and Patch Management
[Diagram: valve, fan and pump behind segmentation and encrypted communication, access control, role based access control, and vulnerability and patch management]
Shielding against security vulnerabilities
IPS Signatures
Protect against
» Known vulnerability and zero-day exploits
» Protocol abnormalities
Details pop-up linked to the FortiGuard IPS encyclopedia
Supports
» IP exemptions
» Custom signatures
» Packet logging
» Source quarantine
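The block below is an added example, not Fortinet code, covering two of the parts above at once: Part 1's segmentation by protocol and application (an allow-list of Modbus function codes per source zone to destination zone, i.e. a conduit policy in IEC 62443 terms) and Part 4's "protocol abnormalities" (MBAP framing checks that drop malformed frames before policy is consulted). Zone names, the conduit table and the sample frames are hypothetical and constructed here; the Modbus framing and function codes are from the public Modbus specification.

```python
"""
Added example (not Fortinet code): a minimal Modbus/TCP inspector that
  1. parses the MBAP header and PDU,
  2. drops frames that violate Modbus/TCP framing (protocol abnormality),
  3. allows or denies by (source zone -> destination zone, function code).
Zone names and CONDUIT_POLICY are a hypothetical policy for illustration.
"""
import struct
from dataclasses import dataclass
from typing import Tuple

# Public Modbus function codes
READ_COILS, READ_DISCRETE_INPUTS = 0x01, 0x02
READ_HOLDING_REGISTERS, READ_INPUT_REGISTERS = 0x03, 0x04
WRITE_SINGLE_COIL, WRITE_SINGLE_REGISTER = 0x05, 0x06
WRITE_MULTIPLE_COILS, WRITE_MULTIPLE_REGISTERS = 0x0F, 0x10

READ_ONLY = {READ_COILS, READ_DISCRETE_INPUTS, READ_HOLDING_REGISTERS, READ_INPUT_REGISTERS}
WRITES = {WRITE_SINGLE_COIL, WRITE_SINGLE_REGISTER, WRITE_MULTIPLE_COILS, WRITE_MULTIPLE_REGISTERS}

# Hypothetical conduit policy into the process-control zone (PLCs). Unlisted pairs: deny.
CONDUIT_POLICY = {
    ("operator_ws", "process_control"): READ_ONLY | WRITES,  # Level 2 HMI may operate
    ("historian", "process_control"): READ_ONLY,              # Level 3 historian reads only
    ("enterprise", "process_control"): set(),                 # Level 4 gets nothing
}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


class ProtocolAbnormality(ValueError):
    """The frame violates Modbus/TCP framing rules."""


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    # MBAP header: transaction id (2), protocol id (2, must be 0), length (2), unit id (1)
    if len(frame) < 8:
        raise ProtocolAbnormality("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack("!HHHB", frame[:7])
    if proto != 0:
        raise ProtocolAbnormality(f"protocol id {proto} is not Modbus (0)")
    # length counts unit id + PDU, so it must equal everything after the first 6 bytes
    if length != len(frame) - 6:
        raise ProtocolAbnormality(f"length field {length} != actual {len(frame) - 6}")
    return ModbusRequest(tid, unit, frame[7], frame[8:])


def decide(src_zone: str, dst_zone: str, frame: bytes) -> Tuple[str, str]:
    """Return (verdict, reason); verdicts are 'allow', 'deny' or 'drop-abnormal'."""
    try:
        req = parse_modbus_tcp(frame)
    except ProtocolAbnormality as exc:
        return "drop-abnormal", str(exc)
    allowed = CONDUIT_POLICY.get((src_zone, dst_zone), set())
    verdict = "allow" if req.function_code in allowed else "deny"
    return verdict, f"fc=0x{req.function_code:02x} {src_zone}->{dst_zone}"


def build_request(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Construct a well-formed Modbus/TCP request frame (used for the samples below)."""
    pdu = bytes([fc]) + data
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic (not captured from any real network)
READ_HR = build_request(1, 1, READ_HOLDING_REGISTERS, struct.pack("!HH", 0, 10))
WRITE_COIL = build_request(2, 1, WRITE_SINGLE_COIL, struct.pack("!HH", 5, 0xFF00))
BAD_LENGTH = READ_HR[:4] + struct.pack("!H", 40) + READ_HR[6:]   # length field lies

if __name__ == "__main__":
    for label, src, frame in [("historian read", "historian", READ_HR),
                              ("historian write", "historian", WRITE_COIL),
                              ("operator write", "operator_ws", WRITE_COIL),
                              ("enterprise read", "enterprise", READ_HR),
                              ("bad length", "operator_ws", BAD_LENGTH)]:
        print(f"{label:16s}", decide(src, "process_control", frame))
```

The ordering matters: framing is validated before the policy lookup, so a malformed frame is never "allowed" just because its function-code byte happens to be on the list, which is the same reason an IPS anomaly check sits in front of application control.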
[Security Transformation]
Security deployment must be integrated into the foundational framework of digital transformation. What it builds is a new way of thinking about the security foundation, no longer framed around a single product: how well the overall solution integrates and how tightly its automated, coordinated defenses work together is the core, and that is what carries a comprehensive security transformation forward.
Fortinet security architecture model – ISA-99 / IEC 62443
[Diagram: a zoned reference architecture, listed from the plant outward]
Level 3, Manufacturing Zone (Operational DC): Engineering Server zone, Historian Server zone, Application Server zone, Engineering Workstation zone, Operator Workstation zone, Domain Controller; FortiGate with FortiLink-managed FortiSwitch, private VLANs and micro-segmentation
Level 3.5, Operational DC DMZ (Management Zone): FortiClient EMS server, FortiAuthenticator, FortiManager, FortiAnalyzer, FSSO, FortiSandbox, FortiSIEM, FortiMail, FortiWeb; this layer forms the Operational Technology (OT) authentication boundary
Level 4, Enterprise LAN (Corporate Environment): enterprise desktops, business servers, web servers, authentication services and domain controllers (FSSO); FortiGate with FortiSwitch
Level 5, Internet DMZ (Enterprise Corporate Environment): FortiGate; FortiGuard Threat Intelligence Service / FortiGuard Global Intelligence
External: Internet; remote users and remote vendors reached over the wide area network (MPLS, SD-WAN, 3G, 4G, APN, VPN, ADSL, cable)
Design principles shown: zones of control, zones and conduits, micro-segmentation, physical and virtual segmentation
ISA-99, IEC-62443
http://isa99.isa.org/Public/Meetings/Committee/201205-Gaithersburg/ISA-99-Security_Levels_Proposal.pdf
Critical Manufacturing Plant Floor
[Diagram: Fortinet Operational Technology Fabric solution on the plant floor, ISA-99 / IEC 62443 levels]
Level 0, Physical Plant Floor: instrumentation bus network; PLC or RTU; serial-to-IP conversion; physical security (physical relays, stack lights, presence analytics, FortiCAM)
Level 1, Process Control: local area network; physically segmented production lines
Level 2, Supervisory Control network: Operator PC, Engineering Workstation; the Industrial Control System
Fortinet Secure Unified Access solution: FortiGate with FortiLink-managed FortiSwitch and FortiAPs; private VLANs; layer-two micro-segmentation
Remote edge / manufacturing plant: FortiGate firewall for internal segmentation of production lines; Industrial FortiGuard application control and IPS; two-factor authentication and access control
FortiGate edge firewall for enterprise protection: wide area network (MPLS, SD-WAN, 3G, 4G, APN, VPN, ADSL, cable); SD-WAN, 3G/4G extension, VPN
ISA-99, IEC-62443