As remote OT sites shift to SD-WAN, risk increases. Learn the five elements to include for a simplified, secure SD-WAN deployment in OT.

By Rick Peters, CISO for operational technology, North America, Fortinet

At remote operational technology (OT) sites around the world, software-defined wide-area networking (SD-WAN) is beginning to displace traditional WAN. At the same time, the convergence of OT and IT is changing the way many organizations do business, but it’s also opening up new security risks. While SD-WAN supports digital innovation, few SD-WAN solutions offer consolidated networking and security features as well as ruggedized solutions suitable for harsh environments such as oil rigs, electrical substations, and maritime cargos.

To realize the full potential of SD-WAN, it’s essential that OT organizations implement security-driven networking approaches that reduce complexity, deliver secure, reliable connectivity and include rugged options suitable for remote and harsh environments.

Organizations must deploy a security-driven networking approach to SD-WAN to consolidate networking/security tools into a single solution.
Organizations must deploy a security-driven networking approach to SD-WAN to consolidate networking/security tools into a single solution.

Innovation for Remote Locations and Harsh Environments

OT sites are adopting digital innovations—such as Software-as-a-Service (SaaS) and real-time applications—to increase productivity, improve communications and foster rapid business growth. However, traditional WAN architectures at many remote locations struggle to accommodate the traffic demands of these new technologies at reasonable costs. This has led to increasing adoption of SD-WAN architectures that employ more affordable, direct internet connections.

SD-WAN delivers better connectivity reliability, but it also may increase an organization’s risk exposure. According to a recent Gartner survey analysis, “Customers continue to strive for better WAN performance and visibility, but security now tops their priorities when it comes to the challenges with their WAN.”

Some network engineering and operations leaders who recognized the need for SD-WAN security have incorporated an array of point products to address security deficiencies, threat exposures or compliance requirements. Such an approach leads to infrastructure complexity, which increases manageability burdens while creating new defensive gaps at the network edge.

Simplifying and Securing SD-WAN Deployments

OT organizations must deploy a security-driven networking approach to SD-WAN, which consolidates networking and security tools into a single, integrated solution. Below are five attributes key to enabling a simplified, secure SD-WAN deployment optimized for OT environments.

1. Distributed networks need centralized management

Centralized management across an organization’s distributed networks drastically reduces the likelihood for configuration errors that lead to cyber-risk exposures and network outages. Modern SD-WAN orchestration allows organizations to simplify deployment, enable automation, and offer business-centric policies. Features such as SD-WAN and next-generation firewall templating, enterprise-grade configuration management, and role-based access controls help mitigate human errors.

2. Reporting and analytics

Historical statistics enable the infrastructure team to troubleshoot and quickly resolve network issues. Enhanced analytics for WAN link availability, a performance service-level agreement (SLA) and application traffic in runtime are key to achieving safe and continuous operations. With advanced telemetry for application visibility and network performance, enterprises achieve faster resolution and reduce the number of IT support tickets. On-demand SD-WAN reports provide further insight into the threat landscape, trust level and asset access, which are mandated for compliance purposes.

3. Reporting for compliance

To validate compliance to their auditors, OT organizations need reports and tools for customization. However, compliance management has traditionally been a costly, labor-intensive process for networking teams—often requiring multiple full-time staff and months of work to aggregate and normalize data from multiple point security products.

Modern solutions speed the process of compliance reporting by simplifying security infrastructure and eliminating the dependence on manual processes. This may include customizable regulatory templates for standards such as Security Activity Report (SAR), Center for Internet Security (CIS), and National Institute of Standards and Technology (NIST). Other important features are audit logging and role-based access control (RBAC), which ensure that employees can only access the information they need to perform their jobs.

4. Automation and integration

For security practices to be effective, they must be integrated across every part of the distributed organization, provide full visibility from a single location, and automated responses, which can decrease threat remediation time from months to minutes. A detected incident alert sent with contextual awareness data from one location allows a network administrator to quickly determine a course of action against a potential coordinated attack. Certain events can also trigger automatic changes to device configurations to close the loop on attack mitigation in an instant.

5. Rugged solutions for harsh OT environments

Not all SD-WAN solutions are physically built the same. Some OT organizations may require solutions that meet specific space, power, and environmental requirements. For facilities in harsh environments, a chosen solution may need to withstand harsh environmental conditions such as extreme temperature, electromagnetic interference, high moisture, and extreme or constant vibration.

While there are many SD-WAN solutions on the market today, only a security-driven networking approach to SD-WAN delivers a secure, reliable and cost-effective solution that meets the needs of operational technology organizations. Ultimately, SD-WAN for OT should deliver centralized management, enhanced analytics, customized reporting for compliance, automation and integration, and ruggedized options, to ensure your digital innovation goals don’t turn into increased digital risk and complexity.

rick peters fortinet
Rick Peters

Mr. Peters is the CISO for Operational Technology, North America for Fortinet Inc. delivering cybersecurity defense solutions and insights for the OT/ICS/SCADA critical infrastructure environments. He is charged with overseeing growth of Fortinet’s penetration into the largest global OT marketspace.  That charge entails identifying and partnering to gain traction on existing OT business campaigns as well as targeting emerging customer opportunities. 

Immediately prior, he served as the Director Operational Technology Global Enablement for Fortinet.  In this capacity, Mr. Peters enabled OT business growth by partnering with Fortinet OT Security, Sales and Marketing counterparts.  The success realized in EMEA and APAC over two years keyed recognition and a strategic transition to focus on North America as the largest target marketspace in 2020.      

Prior to joining Fortinet, he served the U.S. Intelligence Community for more than 37 years imparting cybersecurity and global partnering experience across foreign, domestic, and commercial industry sectors at the National Security Agency (NSA). He led development of cyber capability against Endpoint, Infrastructure, and Industrial Control System technologies at the agency. 

Before that role, he partnered as an executive leader supporting the Information Assurance Directorate at the NSA.  Mr. Peters also served in a broad range of leadership and Engineering roles including Chief of Staff for the NSA Cyber Task Force and a 5-year forward liaison charged with directing integration of cyber and cryptologic solutions for U.S. Air Force Europe, Ramstein AFB, Germany.

Mr. Peters is a repeatedly published OT Security thought leader and a frequent speaker at global industry events.  He holds a BS in Electronics Engineering and an MS in Engineering Management from the Johns Hopkins University.