Organizations that specialize in operational technology (OT) are under increasing pressure to secure their attack surfaces. While digital innovations such as remote access and cloud applications can improve safety, efficiency, and output, connecting OT networks to untrusted networks can increase the risk of malicious cyberthreats. Increasingly sophisticated attacks coupled with more government scrutiny in the form of regulations and compliance standards, such as NIS2 and NERC-CIP, increase the urgency to secure modern OT networks.

FortiGate owners can address these challenges by adding FortiExtender gateways to remote sites. In the latest 7.6 release of FortiOS, Fortinet updated its capabilities to include an innovative cybersecurity solution to address the expanding OT attack surface.

The Fortinet enhanced LAN extension is a simple, effective, low-cost way to secure OT assets by extending FortiGuard AI-Powered Security Services with existing FortiGate Next-Generation Firewalls (NGFWs) to remote FortiExtender gateways using VxLAN over IPsec technology. 

Securing Remote OT Sites Is Challenging

To ensure the entire attack surface is secured, many OT organizations around the world are busy cataloging their remote sites, no matter their size or status. Whether it's a capped oil well in the middle of the ocean or a set of electric vehicle charging stations (EVCS) in an office park, every remote site is now a possible point of entry for malicious hackers. According to the MITRE ATT&CK Tactics for Initial Access to Industrial Control Systems (ICS), public-facing applications, remote services, internet-accessible devices, removable media, and transient devices are some of the most common vectors. As a result, OT organizations need an effective, easy-to-deploy, and competitively priced way to secure their entire attack surface, from the largest production facility to the smallest remote site.

OT organizations also need to be able to gain real-time threat intelligence for OT-specific malware. OT networks may have tens of thousands of different devices and protocols, everything from programmable logic controllers (PLCs) to human-machine interfaces (HMIs) running protocols such as Modbus, PROFINET, and OPC. Without the ability to identify these devices, inspect the protocol traffic, and prevent OT-specific malware, OT organizations risk a malicious cyberattack.

Although Fortinet offers a variety of NGFWs with custom ASICs that offer high-performance on-premises security, in some cases, deploying a firewall appliance at every site may not be possible due to space or environmental constraints. The infrastructure coverage could be massive, especially when the latest regulations increase the required scope of coverage. Additionally, the number of sites being secured can sometimes be in the tens of thousands. Some sites, such as offshore capped and active oil wells, remote mines, or EVCS, require a broad suite of cybersecurity controls backed with threat intelligence but may have only modest throughput requirements, so a firewall is "too much product" for the location.

Enhanced LAN Extension

In the most recent update to FortiOS (version 7.6), Fortinet enhanced its LAN extension technology to address the specific and pervasive challenge of remote sites for OT organizations and for any enterprise facing challenges of scale in their cybersecurity strategy. With the enhanced LAN extension, organizations can extend their existing FortiGuard security services, including the OT Security Service, to more than 1,000 remote branches by deploying a FortiExtender 3G/4G LTE or 5G cellular gateway.

The technology uses VxLAN over an IPsec tunnel to extend the Layer 2 broadcast domain of a FortiGate to remote sites, so you can manage remote sites as if they were a part of the headend LAN and easily incorporate networking and security policies. You do not require an additional license for each remote site because you're extending an existing FortiGuard license with advanced security capabilities such as IDS/IPS, URL and DNS filtering, and content inspection. This solution offers an efficient, easy-to-deploy, and cost-effective solution for the many challenges that OT organizations and enterprises face.

FortiOS 7.6 greatly improved the LAN extension performance, and with the number of remote FortiExtender gateways that each FortiGate model can now support in LAN extension, you can build a true security platform across a global footprint.

With a variety of FortiExtender models, you can support different kinds of remote sites. Indoor FortiExtender models can support offices and kiosks with controlled environmental conditions. These models include the latest 5G connectivity, out-of-band-management (OOB), and a rich interface to support wired broadband alongside cellular links. FortiExtender Vehicle is a series of ruggedized devices that can withstand temperature challenges, electromagnetic interference, shock, vibration, and humidity for harsh sites with extreme environmental conditions. They are both dust and splash tight for outdoor deployments, so you can deploy FortiExtender Vehicle to a remote oil well, EVCS, a fixed IoT site such as a camera installation or security checkpoint, or a vehicle fleet to extend the FortiGuard security services, including the OT Security Service.

An Effective, Easy to Deploy Cybersecurity Solution

Enhanced LAN extension extends the rich networking and security capabilities of the FortiGate to the remote FortiExtender and is simple to deploy. Simply plug in your FortiExtender, provision the device, and set it up as a LAN extension in your FortiGate or FortiManager dashboard. Right away, you'll be able to extend the headend LAN into the farthest reaches of your network, even to mobile fleets. The enhanced LAN extension replaces the need for dedicated hardware with a small 3G/4G LTE/5G cellular gateway and reduces the required number of subscription licenses. 

Contact your Fortinet sales or partner representative today and ask for more information about enhanced LAN extension in FortiOS version 7.6 and try out this integrated robust solution for OT remote sites, FortiGate, and FortiExtender today.