Strengthening Cybersecurity to Enable Digital Transformation - s.itho.me

© Copyright Fortinet Inc. All rights reserved.
Strengthening Cybersecurity to Enable Digital Transformation: Security without perimeter
陳弘治 / Vincent Chen, Technical Consultant
e: [email protected]



[Digital Transformation]

Digital transformation means introducing digital technology into an existing business structure and transforming the underlying production processes or operational management so that the business as a whole creates more value, both for the company itself and for its customers.

Market -> Demand

Information security has become the critical enabler of digital transformation

• Insight into potential threats: adopt more innovative technology and automated control
• Flexible deployment: next-generation security must span hybrid-cloud environments with consistent management and diverse deployment options
• OT security: extend IT security into operational technology networks
• Data protection: in whatever form the data exists, at rest or in transit
• Regulatory compliance: integrate security with existing security policies, standards and laws

[Security Transformation]

Security must be deployed as part of the foundational framework of digital transformation, which calls for a new way of thinking about the security foundation. The discussion is no longer about individual products; what matters is how well the overall solution integrates and how tightly its automated, coordinated defenses work together, so that security transforms along with the business.

Attacks on digital information now come from every direction and are hard to predict

Attack surface (coverage): Cloud, Access, Network, Devices

Too many standalone products and too many industry compliance regimes to follow

Integration: 30+ security consoles and point products, difficult form factors, compliance requirements (GDPR)

A constant stream of new threats, and a shortage of resources and skilled staff

Automation is critical: skills, maturity, noise, speed

Today's security requires a complete and scalable framework: a continuous cycle

• Identify and understand the attack surface
• Protect against and defend known threats
• Detect and protect against unknown, latent threats
• Respond to incidents quickly and effectively
• Continuously assess, analyze, review and audit

A new security framework…

FORTINET SECURITY FABRIC 2018

Coverage, integration, automation:

• A next-generation protection solution must provide high visibility and protection that covers threats coming from many directions
• It must integrate diverse technologies to protect against and detect advanced threat intrusions
• It is an integrated, intelligent system that continuously and automatically tests and assesses itself, keeping the security system in its optimal configuration

Next-generation security architecture framework: Network, Multi-Cloud, Partner API, Email, Unified Access, IoT-Endpoint, Web Apps, Advanced Threat Protection, Management-Analytics

2018 Fortinet Solutions

• Network Security: FortiGate Enterprise Firewall (SWG, SD-WAN, IPS)
• Multi-Cloud Security: FortiGate Cloud Firewall, FortiGate Virtual Firewall
• Endpoint Security: FortiClient EPP
• Email Security: FortiMail Secure Email Gateway
• Web Application Security: FortiWeb Web Application Firewall
• Secure Unified Access: FortiAP Wireless Infrastructure, FortiSwitch Switching Infrastructure
• Advanced Threat Protection: FortiSandbox
• Management-Analytics: FortiAnalyzer Central Logging/Reporting, FortiManager Central Security Management, FortiSIEM Security Information & Event Management

Evolution

Industrial Control Systems: the rise of security threats

Security threats in industrial networks are a new and rapidly growing challenge.

ICS networks are evolving from isolated physical systems into networked digital ones:

• Isolated, dedicated equipment
• Serial control or IP connectivity, with ICS protocols encapsulated in IP networks
• IT/ICS integration and cloud applications

Each stage raises operational efficiency, and with it the degree of information exposure. Security transformation is a necessary part of that evolution.

Fortinet & Forrester industrial control survey statistics

Sources: Fortinet & Forrester – 2016 & 2018 Industrial Control Systems Security Trends: Challenges and Strategies For Securing Critical Infrastructure (*); SANS Institute Survey – The State of Security in Control Systems Today (June 2015) (**); Tripwire – The State of Security: ICS Next Frontier for Cyber-Attacks (June 2016)

• Respondents who discovered an ICS security breach in the past year*: 51% (2016), 56% (2018)
• Respondents reporting six or more security breaches, a number that has kept rising since 2015**: 17%
• Respondents who needed more than a month to detect a breach**: 15%
• Respondents who could not identify the source of a breach**: 44%
• Tripwire projection: by 2020, about 25% of incidents in ICS environments will be linked to IT security vulnerabilities

Actual security status in OT/ICS/SCADA environments – 2018

Source: A commissioned study conducted by Forrester Consulting on behalf of Fortinet, January 2018

• Nearly 90% of respondents had faced a security problem
• More than 50% had faced one within the past year

What is Operational Technology security?

What is Operational Technology (OT)? "hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes and events in asset-centric enterprises, particularly in production and operations."

What is Operational Technology Security? "the practices and technologies used to protect people, assets and information involved in the monitoring and/or control of physical devices, processes and events"

OT is often equated with SCADA; more precisely, Supervisory Control and Data Acquisition (SCADA) is one control system architecture within OT.

Operational Technology (OT) applications: industrial automation for monitoring, operation and management

Where OT runs:

• A wide range of industries
• Usually "critical" infrastructure
• Harsh environmental conditions (high heat, humidity, vibration), as well as offices and data centers

Terminology

• Critical Infrastructure (CI)
• Operational Technology (OT)
• Industrial Control Systems (ICS)
• Supervisory Control and Data Acquisition (SCADA)
• Field Sensors/Actuators

Major OT accident: the 2009 Sayano-Shushenskaya hydroelectric plant disaster

[Before/after photographs of the generator floor: Power Units, Air-Oil Tanks, Unit 1, Unit 2]

Deaths: 75
Damaged hardware and software: $425M
Total rebuilding cost: $1.5B
Total rebuilding time: 2 years

https://zh.wikipedia.org/wiki/2009年薩揚-舒申斯克水力發電廠事故

The convergence of Information Technology and Operational Technology

Global market shifts and changing operational needs force industries and their technology to keep evolving.

• Past: completely disconnected from IT. Now: migrated onto, or tunneled through, the enterprise network
• Past: proprietary control protocols. Now: common Internet protocols
• Past: dedicated connection lines. Now: increasingly connected over standard wireless technology
• Past: special hardware and proprietary operating systems. Now: commodity hardware and ordinary commercial operating systems
• Past: "can't read it, can't manage it, can't reach it". Now: a new-generation target for cybercrime

The four steps of Operational Technology security

Step 1: Segmentation and Encrypted Communication

[Diagram: plant devices (Valve, Fan, Pump) behind a segmentation boundary with encrypted communication]

FortiGuard Industrial Security: protocol and application identification

» Securing Critical Infrastructure (Industrial Control and SCADA)
» Needs a special class of application signatures, not generally used in an enterprise environment
» FortiGuard has over 1,100 industrial application signatures

IPS / Application Control for Industrial Systems

Some of the supported protocols: BACnet, DNP3, Elcom, EtherCAT, EtherNet/IP, HART, IEC 60870-6 (TASE.2) / ICCP, IEC 60870-5-104, IEC 61850, LONTalk, MMS, Modbus, OPC, Profinet, S7, SafetyNET, Synchrophasor

Supported applications and vendors: 7 Technologies / Schneider Electric, ABB, Advantech, Broadwin, CitectSCADA, CoDeSys, Cogent, DATAC, Eaton, GE, Iconics, InduSoft, IntelliCom, Measuresoft, Microsys, MOXA, PcVue, Progea, QNX, RealFlex, Rockwell Automation, RSLogix, Siemens, Sunway, TeeChart, VxWorks, WellinTech, Yokogawa

Step 2: Secure Wired and Wireless Access

[Diagram: Valve, Fan, Pump; Segmentation and Encrypted Communication; Access Control – Users, Devices, Applications and Protocols]

A single security management platform

Extend the security gateway's management reach:
» Take advantage of the FortiLink protocol to extend management to FortiSwitch
» FortiView shows the physical and logical topology, including FortiSwitch and AP
» Simplified management of FortiSwitch and AP from FortiGate

Better visibility of devices and connection state:
» Easy segmentation of users and devices
» Consolidated visibility and reporting

Equipment designed to industrial standards

FortiSwitch Rugged 112D-POE/124D
• Built to IP30 standards, no fans or moving parts
• Operates in extreme temperatures (-40 to 60 °C)
• 12 or 24 gigabit Ethernet ports; redundant power supply (RPS) supported

FortiAP Outdoor Series
• IEEE 802.11a/b/g/n/ac standards-based; operates in both the 2.4 GHz and 5 GHz bands
• Operates in extreme temperatures (-40 to 60 °C)
• Rogue AP detection; managed by FortiGate

Step 3: Role Based Access Control

[Diagram: Valve, Fan, Pump; Segmentation and Encrypted Communication; Access Control – Users, Devices, Applications and Protocols; Role Based Access Control – Users, Devices, Applications and Protocols]

RBAC - Role Based Access Control: User → Role → Permission → Resource

• Management policy does not need to change when users change
• Each user can be mapped to a different role in each control system
• Control of resources and their mapping becomes simpler and more flexible
• Applies to both OT and IT environments, reducing management cost

Strengthen user authentication: introduce two-factor authentication (2FA)

Advantages of 2FA with OTP: the password may already have been compromised (stolen, cracked, shared); adding an OTP strengthens authentication.

1st pass: USERNAME & PASSWORD, something the user set, checked against the User Directory Service
2nd pass: ONE TIME PASSWORD, something only the real user possesses, checked against the Token/OTP Database
Result: access to the DIGITAL ASSET
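The two-pass flow above, as an added example that is not Fortinet code and does not model FortiToken or FortiAuthenticator: the first pass checks a salted PBKDF2 password hash (the "user directory"), the second verifies a time-based one-time password computed per RFC 4226/6238 (the "token/OTP database"). The record layout, enroll()/authenticate() and the demo user are assumptions made here; the seed is the RFC 6238 test vector, not a real credential.

```python
"""Two-pass login: password (1st pass) then a time-based one-time password (2nd pass).

Added example; not Fortinet code. HOTP follows RFC 4226 and TOTP follows RFC 6238.
UserRecord, enroll(), authenticate() and the sample user are assumptions of this example.
"""
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

PBKDF2_ROUNDS = 200_000  # assumed work factor for the stored password hash


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, at: float, digits: int = 6, step: int = 30) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(at) // step, digits)


@dataclass
class UserRecord:
    """What the directory (1st pass) and the token/OTP database (2nd pass) hold per user."""
    salt: bytes
    pw_hash: bytes
    otp_secret: bytes
    last_otp_counter: int = -1  # highest time step already accepted; blocks OTP replay


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def enroll(password: str, otp_secret: bytes, salt: Optional[bytes] = None) -> UserRecord:
    """Store a salted password hash and the shared OTP seed, never the password itself."""
    salt = salt or secrets.token_bytes(16)
    return UserRecord(salt, _hash_password(password, salt), otp_secret)


def authenticate(user: UserRecord, password: str, code: str, now: float,
                 step: int = 30, window: int = 1) -> Tuple[bool, str]:
    """Return (allowed, reason). The reason is for the audit log only; the reply sent to
    the client should look the same for both failure cases so it is not an oracle."""
    # 1st pass: something the user set. Constant-time compare of the derived hash.
    if not hmac.compare_digest(_hash_password(password, user.salt), user.pw_hash):
        return False, "password"
    # 2nd pass: something only the real user has. Accept the current step plus/minus
    # `window` steps for clock drift, but never a step at or below the last accepted
    # one, so an intercepted code cannot be replayed inside its validity window.
    current = int(now) // step
    submitted = code.strip().encode("utf-8")
    for counter in range(current - window, current + window + 1):
        if counter <= user.last_otp_counter:
            continue
        if hmac.compare_digest(hotp(user.otp_secret, counter).encode("ascii"), submitted):
            user.last_otp_counter = counter
            return True, "ok"
    return False, "otp"


if __name__ == "__main__":
    # Constructed demo using the RFC 6238 SHA-1 test seed; not a real credential.
    seed = b"12345678901234567890"
    rec = enroll("correct horse battery staple", seed, salt=b"demo-salt")
    t = 59  # RFC test time: step 1, TOTP 287082
    print(authenticate(rec, "correct horse battery staple", totp(seed, t), t))  # (True, 'ok')
    print(authenticate(rec, "correct horse battery staple", totp(seed, t), t))  # (False, 'otp'): replay
```

The replay counter is the detail most home-grown OTP checks miss: a code that is valid for 30 seconds can be phished and reused unless the server remembers the highest step it has already accepted for that user.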

Step 4: Vulnerability and Patch Management

[Diagram: Valve, Fan, Pump; Segmentation and Encrypted Communication; Access Control – Users, Devices, Applications and Protocols; Role Based Access Control – Users, Devices, Applications and Protocols; Vulnerability and Patch Management]

Shielding against security vulnerabilities

IPS signatures protect against:
» Known vulnerabilities and zero-day exploits
» Protocol anomalies

Details pop-up linked to the FortiGuard IPS encyclopedia

Supports:
» IP exemptions
» Custom signatures
» Packet logging
» Source quarantine

[Security Transformation]

Security must be deployed as part of the foundational framework of digital transformation, built on a new way of thinking about the security foundation rather than around single products. The integration of the overall solution and the tightness of its automated, coordinated defense are the core, and that is what makes comprehensive security transformation possible.

Fortinet security architecture model – ISA99 / IEC 62443 (Zones of Control, Zones and Conduits, Micro Segmentation, Physical and Virtual Segmentation)

[Reference architecture diagram; components as grouped on the slide:]

• Level 5 / External: Internet; Internet DMZ (FortiGate, FortiMail, FortiWeb, Email Servers, Web Servers); Remote User and Remote Vendor access over the Wide Area Network (MPLS, SD-WAN, 3G, 4G, APN, VPN, ADSL, Cable); FortiGuard Threat Intelligence Service / FortiGuard Global Intelligence
• Level 4 / Enterprise LAN (Corporate Environment): Enterprise Desktops, Business Servers, Authentication Services & Domain Controllers (FSSO)
• Level 3.5 / Operational DC DMZ (Management Zone): FortiGate, FortiManager, FortiAnalyzer, FortiSIEM, FortiSandbox, FortiAuthenticator, FortiClient EMS Server, Domain Controller (FSSO); this is the Operational Technology (OT) Authentication Boundary
• Level 3 / Operational DC (Manufacturing Zone): FortiGate with FortiLink to FortiSwitch, Private VLANs and Micro Segmentation separating the Engineering Server Zone, Historian Server Zone, Application Server Zone, Engineering Workstation Zone and Operator Workstation Zone

http://isa99.isa.org/Public/Meetings/Committee/201205-Gaithersburg/ISA-99-Security_Levels_Proposal.pdf

Fortinet Operational Technology Fabric Solution – Critical Manufacturing Plant Floor (ISA-99, IEC 62443)

[Diagram, summarized:]

• Level 0 / Physical Plant Floor: Instrumentation Bus Network; Physical Security (physical relays, stack lights, presence analytics, FortiCAM)
• Level 1 / Process Control Local Area Network: PLC or RTU, Serial-to-IP converters, Operator PC, Engineering Workstation; Micro Segmentation at Layer Two over FortiLink (FortiSwitch, FortiAPs)
• Level 2 / Supervisory Control Network: Industrial Control System with physically segmented production lines; FortiGate Firewall with FortiLink to FortiSwitch, Private VLANs and Micro Segmentation (Fortinet Secure Unified Access Solution)
• Remote Edge Manufacturing Plant: FortiGate Firewall for internal segmentation; Wide Area Network (MPLS, SD-WAN, 3G, 4G, APN, VPN, ADSL, Cable); FortiGate Edge Firewall for enterprise protection

Capabilities shown: physical internal segmentation of production lines; wide-area SD-WAN with 3G/4G extension and VPN; two-factor authentication and access control; FortiGate firewall with industrial FortiGuard application control and IPS; physical security
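The four steps come together at a conduit between two of the zones in this architecture: Step 1 identifies the industrial protocol, Step 3 decides by role which operations may cross, and Step 4's protocol-anomaly check rejects malformed frames before any policy is consulted. The following is an added example, not Fortinet code and not a reproduction of FortiGate application-control or IPS signatures; it parses Modbus/TCP (one of the protocols listed under Step 1), classifies the function code, and enforces a zone-and-conduit plus RBAC policy. The zone names (operator and engineering workstations at Level 2, PLC/RTU at Level 1, enterprise LAN at Level 4), the roles, the conduit table and the sample frames are all constructed here; the function codes are the public codes from the Modbus Application Protocol specification.

```python
"""Conduit policy for an OT segment: parse Modbus/TCP, classify the function code,
and decide allow/deny from (role, source zone, destination zone, function class).

Added example; not Fortinet code. Zones, roles, conduits and sample frames are
constructed for illustration.
"""
import struct
from dataclasses import dataclass
from typing import Tuple

READ_FUNCS = {1, 2, 3, 4, 7, 17}        # coil/register/status reads, report server ID
WRITE_FUNCS = {5, 6, 15, 16, 22, 23}    # single/multiple writes, mask write, read/write
DIAG_FUNC = 8                           # diagnostics; the sub-function selects the action
DISRUPTIVE_DIAG = {0x0001, 0x0004}      # restart communications, force listen-only mode

# Conduits between zones (IEC 62443 "zones and conduits"): which protocols may cross.
# Assumed layout: Level 2 workstations talk to Level 1 PLCs/RTUs; the Level 4
# enterprise LAN has no direct conduit into the process control network.
CONDUITS = {
    ("operator_ws", "process_control"): {"modbus"},
    ("engineering_ws", "process_control"): {"modbus"},
    ("enterprise_lan", "process_control"): set(),
}

# Role -> permitted function classes (RBAC: user -> role -> permission -> resource).
# "disruptive" is deliberately in no role: it has to be granted explicitly per change.
ROLE_PERMISSIONS = {
    "operator": {"read"},
    "engineer": {"read", "write", "diag"},
    "remote_vendor": {"read"},
}


class ProtocolAnomaly(ValueError):
    """Frame does not conform to Modbus/TCP: the IPS 'protocol anomaly' case."""


@dataclass(frozen=True)
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes


def parse_modbus_tcp(payload: bytes) -> ModbusRequest:
    """Parse the MBAP header (tid, protocol id, length, unit id) and the PDU function code."""
    if len(payload) < 8:
        raise ProtocolAnomaly("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ProtocolAnomaly(f"protocol identifier {proto}, expected 0 for Modbus")
    # MBAP length counts the unit identifier plus the PDU, i.e. everything after byte 6.
    if length != len(payload) - 6:
        raise ProtocolAnomaly(f"MBAP length {length} does not match frame ({len(payload) - 6})")
    function = payload[7]
    if function & 0x80:
        raise ProtocolAnomaly("exception flag set in a request function code")
    return ModbusRequest(tid, unit, function, payload[8:])


def classify(req: ModbusRequest) -> str:
    """Map the function code to a permission class; diagnostics split by sub-function."""
    if req.function in READ_FUNCS:
        return "read"
    if req.function in WRITE_FUNCS:
        return "write"
    if req.function == DIAG_FUNC:
        sub = struct.unpack(">H", req.data[:2])[0] if len(req.data) >= 2 else None
        return "disruptive" if sub in DISRUPTIVE_DIAG else "diag"
    return "unknown"


def decide(role: str, src_zone: str, dst_zone: str, payload: bytes) -> Tuple[str, str]:
    """Zone/conduit check first, then protocol sanity, then role-based function class."""
    if "modbus" not in CONDUITS.get((src_zone, dst_zone), set()):
        return "deny", f"no modbus conduit {src_zone} -> {dst_zone}"
    try:
        req = parse_modbus_tcp(payload)
    except ProtocolAnomaly as exc:
        return "deny", f"anomaly: {exc}"
    cls = classify(req)
    if cls in ROLE_PERMISSIONS.get(role, set()):
        return "allow", f"fc {req.function} ({cls}) unit {req.unit_id}"
    return "deny", f"fc {req.function} ({cls}) not permitted for role {role}"


# Constructed sample frames (hex), not captured traffic.
READ_HOLDING = bytes.fromhex("0001 0000 0006 01 03 0000 000a")   # unit 1, FC3, start 0, qty 10
WRITE_SINGLE = bytes.fromhex("0002 0000 0006 01 06 0010 1234")   # unit 1, FC6, reg 0x10 := 0x1234
RESTART_COMMS = bytes.fromhex("0003 0000 0006 01 08 0001 0000")  # FC8 sub-function 0x0001
BAD_LENGTH = bytes.fromhex("0004 0000 0010 01 03 0000 000a")     # claims 16 bytes follow

if __name__ == "__main__":
    for role, src, frame in [("operator", "operator_ws", READ_HOLDING),
                             ("operator", "operator_ws", WRITE_SINGLE),
                             ("engineer", "engineering_ws", WRITE_SINGLE),
                             ("engineer", "engineering_ws", RESTART_COMMS),
                             ("engineer", "enterprise_lan", READ_HOLDING),
                             ("engineer", "engineering_ws", BAD_LENGTH)]:
        print(role, src, decide(role, src, "process_control", frame))
```

The ordering of the checks is the point: a frame from a zone with no conduit is dropped without being parsed, a malformed frame is dropped without consulting roles, and a diagnostics request that would restart or silence a PLC is refused even for an engineer, because no role carries the "disruptive" class by default.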
