---
tags: Hauman工作筆記, Fortinet, OT Security, 證照
---

# Forti OT Security (NSE7) Study Notes

## Differences between IT and OT

We refer to computers and data networks as information technology (IT); the operation and process control of industrial control systems (ICS) is usually called operational technology (OT).

OT has traditionally run on isolated, independent networks, with goals and requirements completely different from those of IT, but this has begun to change.

At the most basic level, IT is responsible for creating, transmitting, storing and protecting data. A network breach can have a direct financial impact on the organization, usually costing customer confidence and bringing fines, penalties, or even litigation.

OT focuses on building and maintaining control processes with physical effects, such as manufacturing plants and production environments. However, recent developments, including the need to compete more effectively in a digital marketplace, mean that these traditionally separate operating environments are now converging. More and more industries have begun integrating networking and digital communications into OT by deploying new Industrial Internet of Things (IIoT) devices, such as smart meters, automated asset distribution systems, and self-monitoring transformers.

### How to get started

These differences are not intractable. Careful planning and coordination, combined with open communication and effective listening, are essential to converging these different environments and realizing the potential benefits. These include:

- Alignment of strategy execution: team leaders must understand and agree on the business goals and benefits of converging these resources. Shared goals and clearly agreed outcomes help all teams drive effective solutions.
- Establishing a joint working group: once goals and outcomes are set, few approaches are more effective than bringing representatives of all affected teams together to voice opinions, debate strategy, define project scope, and agree on a common process. The first goal should be to educate each other about the challenges the project will bring. This helps drive solutions that all parties can accept. Naturally, preparing for this process takes some time.
- Running a pilot: this usually goes without saying, but every step of the process outlined by the joint working group must be executed in a controlled environment, sometimes repeatedly, before it is enabled on the production network. A great deal is at stake, so continuous fine-tuning is essential before operational controls, security measures and contingency plans are applied to the live environment.

### Convergence involves more than technology

Integrating IT and OT requires more than merging network resources. Organizations must avoid the trap of standing up a separate, parallel security team for the OT part of the network. Duplicating staff, training and resources not only wastes the organization's budget; the resulting organizational divergence can also create governance, risk management and compliance problems.

### The best way to solve complexity is to simplify it

To succeed in the digital economy, an organization must develop an integrated network that makes full use of all available resources, even the ICS/SCADA systems inside the OT network. While malicious attackers continue to demonstrate their capabilities, what organizations need is not another isolated appliance in the rack, but an integrated security architecture that prioritizes key capabilities such as speed, collaboration, advanced analytics, and risk-based decision making. Such an approach is built around a flexible fabric strategy, delivering comprehensive protection at machine speed and scale, while integrating the appropriate solutions from both IT and OT environments into one centralized, automated security system.

Reference: https://m.fortinet.com.tw/site/%E8%A7%A3%E6%B1%BAit%E5%92%8Cot%E8%9E%8D%E5%90%88%E7%9A%84%E6%8C%91%E6%88%B0/

## What are the OT Specialization Requirements

1. Sales Training
2. Technical Training

## OT Partner Sales Training

By the end of this course you will:

1. Understand what the OT environment is and why it represents such a great opportunity.
2. Understand the breadth of Fortinet's OT Security offerings and key use cases.
3. Have a solid grasp of Fortinet's OT use cases and how Fortinet's Security Fabric applies in an OT context.
4. Understand the OT market and where to find opportunities.
5. Have the relevant knowledge to fire up an OT conversation with your prospects / customers.
6. Know where to go to get help and support in closing OT opportunities.

## OT Partner Technical Training (NSE7)

By the end of this course you will:

1. Understand the fundamentals of an OT infrastructure
2. Secure an OT infrastructure using the Purdue model
3. Use FortiGate and FortiNAC to identify and manage devices
4. Implement segmentation and microsegmentation in an OT network
5. Authenticate users
6. Secure your OT network traffic using a FortiGate device
7. Use FortiAnalyzer for logging and reporting
8. Use FortiSIEM to centralize security information and event management
9. Generate real-time analysis of security events using FortiSIEM

## PERA

PERA provides a structured approach and model for enterprise master planning and implementation.

Any enterprise has only three main components:

- The physical plant / production facilities
- People and organization
- Control and information systems

PERA provides an enterprise life-cycle model that clearly defines the roles and relationships among the physical plant, people, and information systems.

Every enterprise can be divided into clearly defined "phases":

![](https://i.imgur.com/0t1Hy3P.png)

The important rules of phased project management are:

- Define clear "deliverables" at the end of each phase.
- Do not move to the next phase until all interested parties have formally signed off.
- Do not revisit information defined in an earlier phase unless the design is unsafe or will not work.

Project management has two basic rules:

- Divide and conquer
- Don't cut the slices too thick

It is said that the only way to eat an elephant is with a lot of help. Likewise, large projects must be divided into smaller parts that different teams can complete in parallel (divide and conquer).

Unfortunately, the more information different teams must share, the harder coordination and management become. It is therefore critical to divide the project into sub-projects in a way that minimizes the information flow across sub-project boundaries (do not cut where the flow is densest). Enterprise systems must be effectively integrated with physical plant engineering and with human and organizational development.

PERA provides a life-cycle model that shows how enterprise systems, physical plant engineering, and organizational development are integrated from the enterprise concept through to dissolution.

The PERA methodology is the best choice for GERAM, the "General Enterprise Reference Architecture Methodology". PERA has been used as the basis for ISA 95 and several other enterprise integration standards.

Source: https://kknews.cc/zh-tw/education/4xpvv8x.html

## How to enroll in the courses

### Sales Training

![](https://i.imgur.com/PeEG4wk.png)

This eventually links to: https://training.fortinet.com/course/view.php?id=6674

### Sales Desk

![](https://i.imgur.com/obvim90.png)

Direct download link: https://partnerportal.fortinet.com/prm/api/objects/v1/asset/btbkocdddzup/_download

### NSE 7 Technical Training

![](https://i.imgur.com/dnXXuWb.png)

## Course content

### Sales Training

1. Welcome (length: 01:03)

A simple one-minute introduction welcoming you to the course and hoping you enjoy the journey.

-------------------------------------------------

2. Partnering with Fortinet (length: 25:10)

Course slides (20 pages)

![](https://i.imgur.com/D6O7Qq4.png)
![](https://i.imgur.com/2qHgGuk.png)
![](https://i.imgur.com/46Et3if.png)
![](https://i.imgur.com/FWTgkzv.png)
![](https://i.imgur.com/kwU3ZRP.png)
![](https://i.imgur.com/iQRlsW0.png)
![](https://i.imgur.com/nO8r220.png)
![](https://i.imgur.com/CcurHHD.png)
![](https://i.imgur.com/YPcagXY.png)
![](https://i.imgur.com/uY8K1N1.png)
![](https://i.imgur.com/Re1lx9w.png)
![](https://i.imgur.com/M4ElZF0.png)
![](https://i.imgur.com/pp4K5sn.png)
![](https://i.imgur.com/x6jgELF.png)
![](https://i.imgur.com/2SIeyNk.png)
![](https://i.imgur.com/GPZRvNR.png)
![](https://i.imgur.com/E3otmnA.png)
![](https://i.imgur.com/gFnQVnP.png)
(there is no P19)
![](https://i.imgur.com/j0E4I70.png)

Quiz (10 questions)

<font color="red">P.S. The order of the answer options changes on every attempt, so take care.</font>

- What are the three biggest security challenges end customers face in OT?
  Select one or more:
  A. The attack surface is growing.
  B. Increasing number of solutions brings vendor complexity.
  C. Legacy equipment is challenging to upgrade.
  D. Threats are becoming more advanced.
  Answer: AD
- Select one or more:
  A. Manufacturing
  B. Chemical / Petrochemical
  C. Power Generation and T&D
  D. Oil and Gas
  Answer: BCD
- TCP/IP is rarely found in OT environments.
  Select one:
  A. True
  B. False
  Answer: B
- OT security deals typically require ruggedized hardware to be successful.
  Select one:
  A. True
  B. False
  Answer: B
- The top drivers of OT deals are:
  Select one or more:
  A. Endpoint Protection
  B. Network Segmentation
  C. Visibility
  D. Network Optimization
  Answer: BCD
- Fortinet expects our partners to find and close OT deals with very little help from Fortinet.
  Select one:
  A. True
  B. False
  Answer: B
- Which of the following personas cares the most about retiring risk?
  Select one:
  Network Operations teams
  The production and Plant Operations teams
  The CISO or CIO
  Answer: C
- Approximately how many application signatures does Fortinet provide in OT?
  Select one:
  A. ~1200
  B. > 1800
  C. ~400
  D. ~800
  Answer: B
- Approximately how many IPS vulnerabilities does Fortinet's IPS protect in OT?
  Select one:
  A. ~800
  B. ~1200
  C. > 1800
  D. ~400
  Answer: D
- Which of the following sectors makes sense for OT opportunities?
  Select one:
  A. Customer Relationship Management (CRM)
  B. Power Generation
  C. Online learning
  D. Banking
  Answer: B

![](https://i.imgur.com/zn8bCX8.png)
![](https://i.imgur.com/0LoO14r.png)
![](https://i.imgur.com/rKja119.png)
![](https://i.imgur.com/bYaYQoF.png)

-----------------------------------------------------

3. Sales Deck (length: 25:39)

![](https://i.imgur.com/CyPIoKo.png)
![](https://i.imgur.com/3rV8IH4.png)
![](https://i.imgur.com/A40tfks.png)
![](https://i.imgur.com/MSBRB10.png)
![](https://i.imgur.com/IExBzME.png)
![](https://i.imgur.com/6dAfg8U.png)
![](https://i.imgur.com/58YUEwi.png)
![](https://i.imgur.com/n4NcDKF.png)
![](https://i.imgur.com/n3KRn4k.png)
![](https://i.imgur.com/Tmwnsz3.png)
![](https://i.imgur.com/CuH96iJ.png)
![](https://i.imgur.com/LFhyAjG.png)
![](https://i.imgur.com/haW7MWo.png)
![](https://i.imgur.com/yaeBzFQ.png)
![](https://i.imgur.com/v99IdPi.png)
![](https://i.imgur.com/NTJdJZW.png)
![](https://i.imgur.com/ApRuHSA.png)
![](https://i.imgur.com/1Y6dTf6.png)
![](https://i.imgur.com/dasBg5f.png)
![](https://i.imgur.com/SJ2LRsH.png)
![](https://i.imgur.com/j1VFKkn.png)
![](https://i.imgur.com/JbZKpYG.png)
![](https://i.imgur.com/5rpg85A.png)
![](https://i.imgur.com/xnTFDsn.png)
![](https://i.imgur.com/njrL7Ud.png)
![](https://i.imgur.com/vzGDq8f.png)
![](https://i.imgur.com/bSRunep.png)
![](https://i.imgur.com/rNZuPxJ.png)

Quiz (11 questions)

- The Covid-19 pandemic has slowed down the trend of connecting OT environments.
  Select one:
  A. True
  B. False
  Answer: B
- Where do you find PLCs (Programmable Logic Controllers) in the Purdue Model?
  Select one:
  A. Level 1
  B. Level 0
  C. Level 2
  D. Level 3
  Answer: A
- What are some OT-specific capabilities relevant to our FortiGate offering?
  Select one or more:
  A. Manageable offline with FortiManager in an air-gapped environment
  B. DIN rail mountable
  C. Web application and API Security
  D. SD-WAN capabilities in a rugged form factor
  Answer: ABD
- What is a great reference architecture for talking about Fortinet in the context of Operational Technology environments?
  Select one:
  A. The OSI Model
  B. The YANG Model
  C. The Purdue Model
  D. The CODALYS Model
  Answer: C
- Which of the following groups of products are applicable for segmentation use cases? (Pick one)
  Select one:
  A. FortiGate, FortiSwitch, FortiAP
  B. FortiDeceptor
  C. FortiAuthenticator
  D. FortiNAC
  Answer: A
- Which of the following products are applicable for Advanced Persistent Threats? (Pick all that apply)
  Select one or more:
  A. FortiSandbox
  B. FortiDeceptor
  C. FortiEDR
  D. FortiGate, FortiSwitch, FortiAP
  Answer: AB
- The Fortinet Security Fabric really is best suited to IT and doesn't apply to OT environments.
  Select one:
  A. True
  B. False
  Answer: B
- What are some OT-specific capabilities relevant in our FortiEDR offering?
  Select one or more:
  A. Extremely lightweight agent
  B. Blocks unauthorized USB sticks
  C. Compatible with the latest patch of modern operating systems
  D. Can be deployed on-premise or in an air-gapped environment
  Answer: ABD
- Digital Transformation in OT is driven by the following:
  Select one or more:
  A. A desire to increase asset availability.
  B. A desire to increase overall equipment effectiveness (OEE).
  C. A desire to increase usage of email and shared calendars in industrial environments.
  D. A desire to shift from calendar-based maintenance to condition-based maintenance.
  Answer: ABD
- Broadly speaking, the following products have relevance in OT environments:
  Select one or more:
  A. Ruggedized Firewalls
  B. Industrial signatures
  C. FortiEDR
  D. Ruggedized Switches
  Answer: ABCD
- What are some OT-specific capabilities relevant to our FortiDeceptor offering?
  Select one or more:
  A. Simplified setup and flexible deployment capabilities
  B. Capable of mimicking IT services like email and file servers
  C. Ability to mimic SCADA and ICS protocols
  D. Seamless integration with FortiSIEM
  Answer: ACD

![](https://i.imgur.com/lBnxPDV.png)
![](https://i.imgur.com/TwXXDpd.png)
![](https://i.imgur.com/5pAEE4r.png)
![](https://i.imgur.com/yZ9gurq.png)
![](https://i.imgur.com/InANcbX.png)

-----------------------------------------------------

4. Sales Deck Best Practices (length: 04:28)

This part covers presentation technique: how to use the course slides to present to customers.

![](https://i.imgur.com/JjgyqjB.png)
![](https://i.imgur.com/QEclJMw.png)
![](https://i.imgur.com/G30rL5t.png)
![](https://i.imgur.com/pXZ6xI7.png)
![](https://i.imgur.com/p1uGOzL.png)

Quiz

- Product Marketing strongly recommends that you use the Sales Deck in one go with your customer.
  Select one:
  A. True
  B. False
  Answer: B
- Product Marketing strongly recommends that you use every use case example with every customer.
  Select one:
  A. True
  B. False
  Answer: B
- Product Marketing has left it up to the Partner to determine how to message the content presented in the Sales Deck.
  Select one:
  A. True
  B. False
  Answer: B
- Product Marketing strongly insists that you use the prescribed script when you deliver the sales deck.
  Select one:
  A. True
  B. False
  Answer: B
- Under no circumstance shall you print out the sales deck.
  Select one:
  A. True
  B. False
  Answer: B
- Using the Purdue content as a discovery tool when talking to your customer is advised as a best practice.
  Select one:
  A. True
  B. False
  Answer: A

-----------------------------------------------------

5. Customer Examples (length: 02:09)

Only briefly shares three cases; there is no quiz.

![](https://i.imgur.com/5dARKYq.png)
![](https://i.imgur.com/ONiYVrC.png)
![](https://i.imgur.com/MB01SaV.png)
![](https://i.imgur.com/bm3BFrA.png)

-----------------------------------------------------

6. Call To Action (length: 01:24)

Closing summary, nothing else; there is no quiz.

![](https://i.imgur.com/rzQBf6H.png)
![](https://i.imgur.com/FZYly2U.png)
![](https://i.imgur.com/r9Ki4P2.png)
![](https://i.imgur.com/vBt5Uz5.png)

-----------------------------------------------------

### NSE 7 Technical Training

#### 01. Introduction (length: 12:02)

#### 02. Asset Management (length: 44:51)

#### 03. Access Control (length: 27:44)

#### 04. Segmentation (length: 21:19)

#### 05. Protection (length: 25:02)

#### 06. Logging and Monitoring (length: 38:27)

#### 07. Risk Assessment (length: 19:13)

#### Sample Questions

- A supervisor is configuring an application filter sensor to block Modbus traffic between PLC-1 and PLC-2. When creating a new application sensor, the supervisor is not able to see any industrial signatures. Which change must the supervisor make in order to see all the industrial signatures in the application filter?
  Select one:
  A. The supervisor must contact the FortiGuard team to collect the industrial signature database.
  B. The supervisor must configure exclude-signatures to none.
  C. The supervisor must enable the FortiGuard industrial signatures under config system global.
  D. The supervisor must generate some Modbus logs in order to see the Modbus signatures.
  Answer: not C
- Which two statements about FortiSIEM are true? (Choose two.)
  Select one or more:
  A. FortiSIEM can receive data from any network device and application.
  B. FortiSIEM can receive and collect data from network devices and applications.
  C. FortiSIEM can receive data from certain devices in SQL format.
  D. FortiSIEM cannot receive data from a Windows server without an agent.
  Answer: B
- What is the main difference between real-time logs and historical logs on FortiAnalyzer?
  Select one:
  A. Real-time logs are indexed while historical logs are compressed in the SQL database.
  B. Historical logs are compressed and real-time logs are indexed in the SQL database.
  C. Historical logs are indexed in the SQL database, but real-time logs are not.
  D. Real-time logs are indexed in the SQL database, but historical logs are not.
  Answer: V
- Which protocol and port is used by the Modbus protocol?
  Select one:
  A. TCP port 214
  B. UDP port 500
  C. TCP port 502
  D. TCP port 443
  Answer: not B
- In the context of FortiNAC, what is a key feature of a logical network?
  Select one:
  A. It can identify several endpoints with a single rule.
  B. It creates a one-to-one association between a network access policy and a VLAN.
  C. It groups up to 10 VLANs into a single policy.
  D. It simplifies network access policy management by reducing the number of policies needed.
  Answer: not A
- An administrator needs to group FortiGate wireless interfaces in NAT mode with multiple physical interfaces. What interface type must the administrator select to group multiple FortiGate interfaces with the wireless interface?
  Select one:
  A. Redundant interface
  B. VLAN interface
  C. Software switch interface
  D. Aggregate interface
  Answer: not D
- An OT customer is using multiple FortiGate devices in their network to implement two-factor authentication with hardware FortiTokens. A supervisor is carrying multiple FortiTokens to be used when logging in to a critical server behind different FortiGate devices. As an OT network architect, which approach must you take in order to assign one token per user and still use two-factor authentication on multiple FortiGate devices?
  Select one:
  A. Configure FSSO-based two-factor authentication.
  B. Implement FortiAuthenticator with FortiTokens provisioned for each user, and configure FortiAuthenticator as remote authentication server on all FortiGate devices in the OT network.
  C. Provision the Edge-FortiGate device with all the FortiTokens and configure it as a remote authentication server on other FortiGate devices.
  D. Implement a FortiManager and manage all FortiGate devices in the OT network to share the FortiTokens database.
  Answer: B
- Which three protocols are used as industrial Ethernet protocols? (Choose three.)
  Select one or more:
  A. M12
  B. PROFINET
  C. EtherNet/IP
  D. EtherCAT
  E. RJ45
  Answer: CD, not E
- Which deployment option allows an administrator to detect intrusions without any modifications to production traffic?
  Select one:
  A. Offline IPS
  B. Offline IDS
  C. Inline IPS and IDS
  D. Virtual patching
  Answer: not C
- Which three device profiling methods of FortiNAC are considered non-direct? (Choose three.)
  Select one or more:
  A. Network traffic
  B. IP range
  C. SSH
  D. TCP
  E. Location
  Answer: AB, not D
- A supervisor is configuring a software switch on a FortiGate device. What must the supervisor configure on FortiGate to control the traffic between member interfaces on the software switch, using firewall policies?
  Select one:
  A. The supervisor must add different VLAN interfaces to the software switch.
  B. The supervisor must configure intra-switch-policy to explicit.
  C. The supervisor must configure the software switch with at least one wireless interface and one VLAN interface.
  D. The supervisor must configure a separate forward domain for the software switch.
  Answer: not C
- Which two statements about FortiSIEM are true? (Choose two.)
  Select one or more:
  A. FortiSIEM can receive and collect data from network devices and applications.
  B. FortiSIEM cannot receive data from a Windows server without an agent.
  C. FortiSIEM can receive data from certain devices in SQL format.
  D. FortiSIEM can receive data from any network device and application.
  Answer:

-----------------------------------------------------

## References

Tracing the origins of MES: the Purdue Enterprise Reference Architecture model (PERA) https://kknews.cc/zh-tw/education/4xpvv8x.html