OT Simulation is a simulated Linux VM developed by Fortinet to address the OT industry's need to detect malware that sends commands to, or collects data from, Industrial Control Systems (ICS). In FortiSandbox it is delivered under the Industrial Security Signature (ISSS) contract as a Linux VM that simulates protocols such as Modbus, SNMP, IPMI, FTP and TFTP, so that a sample's attempts to talk to those services are observed and used for detection.
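As an added illustration (this is not Fortinet's code and not part of the original page), the following Python client builds, sends and parses one Modbus/TCP Read Holding Registers exchange, which is the kind of ICS data collection the simulator exists to observe. It assumes a standard Modbus/TCP service on port 502; that the simulated Modbus service in the LinuxOT VM listens on that port is an assumption, as is any claim about how FortiSandbox labels the traffic in its report. The request and response frames embedded below are constructed by hand so the parsing logic can be checked offline.

```python
import socket
import struct

# Standard Modbus/TCP port. Assumption: the simulated Modbus service in the
# LinuxOT VM listens here; adjust if your deployment differs.
MODBUS_TCP_PORT = 502
READ_HOLDING_REGISTERS = 0x03
MODBUS_PROTOCOL_ID = 0x0000


class ModbusError(ValueError):
    """Raised for malformed frames or Modbus exception responses."""


def build_read_holding_registers(transaction_id, unit_id, start_addr, quantity):
    """Build a Modbus/TCP ADU: 7-byte MBAP header followed by a
    Read Holding Registers (function 0x03) PDU."""
    if not 1 <= quantity <= 125:
        raise ModbusError("Modbus allows 1..125 registers per read")
    pdu = struct.pack(">BHH", READ_HOLDING_REGISTERS, start_addr, quantity)
    # MBAP: transaction id, protocol id (0 = Modbus), length (unit id + PDU), unit id
    mbap = struct.pack(">HHHB", transaction_id, MODBUS_PROTOCOL_ID, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_read_holding_registers_response(frame, expected_tid):
    """Validate a Read Holding Registers response and return the register values."""
    if len(frame) < 9:
        raise ModbusError("frame too short")
    tid, proto, length, unit_id, func = struct.unpack(">HHHBB", frame[:8])
    if tid != expected_tid:
        raise ModbusError("transaction id mismatch: %d != %d" % (tid, expected_tid))
    if proto != MODBUS_PROTOCOL_ID:
        raise ModbusError("unexpected protocol id %d" % proto)
    if length != len(frame) - 6:
        raise ModbusError("MBAP length %d does not match frame" % length)
    if func == READ_HOLDING_REGISTERS | 0x80:
        # Exception response: function code with the high bit set, then a one-byte exception code
        raise ModbusError("Modbus exception code 0x%02x" % frame[8])
    if func != READ_HOLDING_REGISTERS:
        raise ModbusError("unexpected function code 0x%02x" % func)
    byte_count = frame[8]
    data = frame[9:9 + byte_count]
    if len(data) != byte_count or byte_count % 2:
        raise ModbusError("bad byte count %d" % byte_count)
    return list(struct.unpack(">%dH" % (byte_count // 2), data))


def read_holding_registers(host, unit_id=1, start_addr=0, quantity=2,
                           port=MODBUS_TCP_PORT, timeout=3.0):
    """Send one Read Holding Registers request to a live Modbus/TCP server."""
    tid = 1
    request = build_read_holding_registers(tid, unit_id, start_addr, quantity)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        response = sock.recv(260)  # maximum Modbus/TCP ADU size
    return parse_read_holding_registers_response(response, tid)


# Constructed frames (not captured from FortiSandbox): the request the client
# emits for unit 1, registers 0..1; a matching reply holding 10 and 20; and an
# exception reply (function 0x83, exception code 0x02 = illegal data address).
SAMPLE_REQUEST = bytes.fromhex("000100000006010300000002")
SAMPLE_RESPONSE = bytes.fromhex("000100000007010304000a0014")
SAMPLE_EXCEPTION = bytes.fromhex("000100000003018302")


if __name__ == "__main__":
    import sys
    # Offline self-check against the constructed frames, then a live read if a host is given.
    assert build_read_holding_registers(1, 1, 0, 2) == SAMPLE_REQUEST
    print(parse_read_holding_registers_response(SAMPLE_RESPONSE, 1))
    if len(sys.argv) > 1:
        print(read_holding_registers(sys.argv[1]))
```

To exercise the simulator with it, the client would have to run inside the Windows VM as part of a submitted sample and be pointed at the simulated Modbus service; packaging it that way, and the address the sample uses, are outside what this page describes.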
Preparing the OT Simulator VM on FortiSandbox
- First, log in to Fortinet One, select Manage/View Products, and confirm that the unit's serial number has the "ISSS" contract and that the contract has not expired.
- On the FortiSandbox System -> FortiGuard page, click the Connect FDN Now button to download the latest contracts and engines.
- Wait a while, then refresh the FortiGuard page. A new entry for Industry Security Signature appears.
- On the Dashboard page, under the System Information widget, check that the ISSS contract is downloaded and valid.
- Go to the VM Image page and find LinuxOT under the Simulator VMs table.
- Click the download icon in the status column of the LinuxOT row.
- Click the Install button, then wait for the installation to complete and the FortiSandbox to reboot.
- After the reboot, the LinuxOT VM is installed but cloning is disabled.
- Toggle the switch in the Clone # column to enable it, then click Apply to save the change.
Scanning the files with the Simulator VM enabled
- To scan a file using the Simulator VM, submit the scan job to the Windows VMs; the Simulator VM observes the sample's network operations automatically.
- After the scan finishes, open the job details and confirm the following:
  - There is more than one .pcap file in the PCAP Information section.
  - There is at least one item in the Lateral Movement category in the Network Operations section.