
Administration Guide

OT Simulation

OT malware scans for the presence of OT-related applications and networking protocols. LinuxOT is a Linux VM that simulates an OT industry deployment. The VM supports the Siemens application and simulates the following protocols:

  • Modbus
  • SNMP
  • IPMI
  • FTP
  • TFTP

The Sandbox Threat Intelligence subscription already includes the Industrial Security subscription, which allows you to enable the simulation. To scan files, submit them through any Windows VM. If the sample is OT malware, the LinuxOT VM captures its lateral movement behavior and its access to those applications and protocols.

Preparing the OT Simulator VM on FortiSandbox

  1. Check that the Industrial Security Service contract is valid with the CLI command: vm-license -l
  2. Go to the VM Settings page, click Tools > Add VMs from FortiGuard, and find LinuxOT under the Simulator VMs table.
  3. Click the download icon in the Actions column of the LinuxOT row.
  4. Click the Install button and wait for the installation to complete.
  5. After installation, the LinuxOT VM is listed in the VM Settings page with clone disabled.
  6. Toggle the switch in the Clone # column to enable it, then click Apply to save the changes.

Scanning the files with the Simulator VM enabled

  1. To scan a file using the Simulator VM, submit a scan job to the Windows VMs. The Simulator VM automatically detects network operations related to the simulated protocols.
  2. After the scan finishes, check the job detail to confirm the following:
    • There should be more than one .pcap file in the PCAP Information section.
    • There should be at least one item in the Network Operations section.
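
As an added example (not part of the FortiSandbox documentation or product), the following stand-alone Python script triages a .pcap taken from the job detail by counting frames addressed to the five simulated protocols. It assumes the simulator serves them on their standard ports (Modbus 502/tcp, SNMP 161/udp, IPMI 623/udp, FTP 21/tcp, TFTP 69/udp); the sample capture at the bottom is constructed in-line so the script runs offline.

```python
import struct
from collections import Counter

# Standard ports of the protocols the LinuxOT simulator offers (assumed defaults).
OT_PORTS = {("tcp", 502): "Modbus", ("udp", 161): "SNMP", ("udp", 623): "IPMI",
            ("tcp", 21): "FTP", ("udp", 69): "TFTP"}
L4_NAMES = {6: "tcp", 17: "udp"}

def iter_pcap_frames(data: bytes):
    """Yield raw link-layer frames from a classic little-endian pcap buffer."""
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian pcap file")
    off = 24                                   # skip the 24-byte global header
    while off + 16 <= len(data):
        incl_len = struct.unpack_from("<I", data, off + 8)[0]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def classify_frame(frame: bytes):
    """Name the simulated OT service a frame is addressed to, or None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None                            # not an IPv4 frame
    l4 = 14 + (frame[14] & 0x0F) * 4           # Ethernet + IPv4 header length
    if len(frame) < l4 + 4:
        return None
    dport = struct.unpack_from("!H", frame, l4 + 2)[0]
    return OT_PORTS.get((L4_NAMES.get(frame[23]), dport))

def summarise_pcap(data: bytes) -> dict:
    """Count frames per simulated OT protocol, e.g. {'Modbus': 2, 'SNMP': 1}."""
    hits = (classify_frame(f) for f in iter_pcap_frames(data))
    return dict(Counter(h for h in hits if h))

def _frame(proto: int, dport: int) -> bytes:
    """Constructed test frame: Ethernet + IPv4 + the first 8 bytes of TCP/UDP."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]))
    return b"\x00" * 12 + b"\x08\x00" + ip + struct.pack("!HHI", 40000, dport, 0)

def _pcap(frames) -> bytes:
    """Wrap frames in a minimal pcap container (link type 1 = Ethernet)."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

# Constructed sample capture: two Modbus connections, one SNMP query, one HTTPS.
SAMPLE_PCAP = _pcap([_frame(6, 502), _frame(6, 502), _frame(17, 161), _frame(6, 443)])
```

To run it on a real capture, pass the file contents to summarise_pcap; an empty result alongside an empty Network Operations section suggests the simulator VM was not reachable during the scan.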
