OT/ICS Security Architecture for Indian Manufacturing — FortiGate Rugged + Purdue Model Design Guide
Manufacturing is the #1 target for OT ransomware — accounting for over 50% of all industrial ransomware victims globally. The Dragos 2025 OT Cybersecurity Year in Review reported an 87% surge in ransomware targeting industrial organisations, with 80 active threat groups (up 60% from 2023). In India, 60% of manufacturers use IIoT devices, yet only 25% have robust OT security (IDC 2024). This guide walks through the Purdue Reference Architecture for securing OT networks, maps Fortinet products to each level, and provides the technical design blueprint for Indian manufacturing enterprises.
Fortinet was named the Overall Leader for the 3rd consecutive year in the Westlands Advisory IT/OT Network Protection Platform Navigator 2025, ranked highest for both strategic direction and platform capability.
The OT Threat Landscape: Why This Matters Now
The pattern is clear: attackers are moving from IT to OT. A ransomware infection that starts with a phishing email in the corporate network crosses into the plant floor through flat, unsegmented networks. Once inside the OT environment, it reaches PLCs, HMIs, and historians — and 75% of the time, it disrupts operations to some degree. The fix isn't just endpoint security. It's network architecture — segmentation, zone enforcement, and protocol-aware inspection at every boundary.
The Purdue Model — Level by Level
The Purdue Enterprise Reference Architecture (PERA) is the foundational framework for OT network segmentation, referenced by IEC 62443, NIST SP 800-82, and every major industrial cybersecurity standard. It divides the network into 6 levels (0–5) with a critical DMZ between IT and OT:
| Level | Name | What Lives Here | Fortinet Product |
|---|---|---|---|
| 5 | Enterprise / Internet | Cloud, remote access, supply chain, partner connectivity | FortiGate (campus NGFW), FortiSASE |
| 4 | Business Planning | ERP (SAP), email, databases, business intelligence, file servers | FortiGate (DC edge), FortiAnalyzer, FortiSIEM |
| 3.5 | IDMZ (Industrial DMZ) | Buffer zone between IT and OT. Data diodes, jump servers, patch management, AV update servers | FortiGate (dedicated pair), FortiDeceptor, FortiNAC |
| 3 | Site Operations | Historians, MES (Manufacturing Execution System), OPC servers, batch management | FortiGate Rugged, FortiSwitch Industrial |
| 2 | Supervisory Control | HMI, SCADA servers, engineering workstations, local databases | FortiGate Rugged + OT IPS, FortiSwitch |
| 1 | Basic Control | PLCs, RTUs, IEDs, DCS controllers | FortiGate Rugged (inline), FortiNAC |
| 0 | Physical Process | Sensors, actuators, valves, motors, drives — the physical plant | No firewall (hardwired to Level 1 controllers) |
The IDMZ (Level 3.5) is the most critical boundary. This is where IT meets OT. No direct traffic should flow between Level 4 (ERP/email) and Level 3 (historians/MES). All data exchange happens through the IDMZ via controlled, inspected paths — typically jump servers, data diodes, or database replication.
FortiGate Rugged — Built for the Plant Floor
Standard enterprise firewalls fail in OT environments — they can't handle extreme temperatures, vibration, dust, or electromagnetic interference. The FortiGate Rugged series is purpose-built for industrial deployment with the same FortiOS and FortiGuard services as campus FortiGates, but in a hardened form factor.
| Specification | FGR-60F | FGR-70G-5G-DUAL |
|---|---|---|
| Processor | SoC4 | FortiSP5 |
| Firewall Throughput | 10 Gbps | 8 Gbps |
| IPS Throughput | 950 Mbps | 2.5 Gbps |
| NGFW Throughput | 550 Mbps | 1.5 Gbps |
| Threat Protection | 500 Mbps | 1.3 Gbps |
| Operating Temp | -40°C to 85°C | -40°C to 75°C |
| Certifications | IEC 61850-3, IEEE 1613 | IEC 61850-3, IEEE 1613 |
| Form Factor | DIN-rail | DIN-rail |
| Bypass Pair | Yes (WAN1/PORT4) | Yes (PORT1/PORT2) |
| Cellular | 3G/4G (optional) | Dual 5G (active/active) + GPS |
| Power | 12–125V DC redundant | 12–125V DC redundant |
Sources: FortiGate Rugged Series Datasheet, AVFirewalls FGR-70G
Key OT features: OT-focused dashboard, OT vulnerability correlation, virtual patching via OT IPS signatures, industrial protocol deep packet inspection (Modbus TCP/IP, DNP3, OPC, BACnet, S7, EtherNet/IP), and hardware bypass pair ensuring network continuity even if the firewall fails.
FortiGuard OT Security Service — Virtual Patching for SCADA
You can't patch a running PLC during production. The FortiGuard OT Security Service solves this with virtual patching — deploying IPS signatures that block exploitation of known vulnerabilities in industrial devices without touching the device firmware. When a vendor releases a patch, FortiGuard develops and deploys the corresponding OT IPS signature in near real-time.
- Passive deep packet inspection (DPI) of industrial traffic — no disruption to process control
- OT protocol awareness — understands Modbus RTU/TCP, DNP3, OPC, BACnet, S7COMM, EtherNet/IP, IEC 104 at the application layer
- Virtual patching — immediate protection for unpatched PLCs, RTUs, HMIs, and SCADA servers
- OT vulnerability correlation — maps discovered devices to known CVEs and prioritises remediation
- Developed in collaboration with automation vendors (Siemens, Schneider, Rockwell, ABB)
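To make the application-layer awareness in the list above concrete, here is an added example (not Fortinet code, and not how FortiGuard signatures are implemented): a minimal Modbus TCP request inspector that validates the MBAP header and alerts on write function codes from sources outside an allow-list. The frames, IP addresses and the `WRITERS` allow-list are constructed for illustration.

```python
import struct

# Standard Modbus data-access function codes.
READ_FUNCS = {1, 2, 3, 4}       # read coils / discrete inputs / registers
WRITE_FUNCS = {5, 6, 15, 16}    # write single/multiple coils and registers

def parse_modbus_tcp(frame):
    """Parse the 7-byte MBAP header plus function code; raise on malformed input."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id is not 0 (not Modbus)")
    # The length field counts the unit id plus the PDU: everything after byte 6.
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    return {"tid": tid, "unit": unit, "func": frame[7], "data": frame[8:]}

def verdict(src_ip, frame, writers):
    """Classify a request: 'allow', 'alert-write', 'alert-unknown', 'alert-malformed'."""
    try:
        msg = parse_modbus_tcp(frame)
    except ValueError:
        return "alert-malformed"
    if msg["func"] in READ_FUNCS:
        return "allow"
    if msg["func"] in WRITE_FUNCS:
        # Writes change process state; only listed stations may issue them.
        return "allow" if src_ip in writers else "alert-write"
    return "alert-unknown"

# Constructed samples: one engineering workstation may write (assumption).
WRITERS = {"10.20.5.10"}
READ_FRAME = bytes.fromhex("00 01 00 00 00 06 01 03 00 00 00 0a")   # read 10 registers
WRITE_FRAME = bytes.fromhex("00 02 00 00 00 06 01 06 00 10 01 f4")  # write one register
BAD_FRAME = bytes.fromhex("00 03 00 00 00 20 01 03 00 00 00 0a")    # wrong length field

if __name__ == "__main__":
    for src, frame in [("10.40.1.15", READ_FRAME), ("10.40.1.15", WRITE_FRAME),
                       ("10.20.5.10", WRITE_FRAME), ("10.20.5.10", BAD_FRAME)]:
        print(src, verdict(src, frame, WRITERS))
```

The same read/write distinction is what lets a policy permit historian polling while alerting on setpoint changes from unexpected sources.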
The Full Fortinet OT Security Stack
FortiGate Rugged
NGFW at every Purdue level boundary. Zone enforcement, OT IPS, virtual patching, VPN for remote sites. DIN-rail mount, -40°C to 85°C, hardware bypass.
FortiSwitch Rugged
Industrial-grade managed switches for OT LANs. Port-level microsegmentation, 802.1X, MAC-based filtering. Managed by FortiGate for unified policy.
FortiNAC
OT asset discovery and profiling using passive traffic analysis + FortiGuard IoT/OT signatures. Discovers every device without active scanning that could disrupt PLCs. Enforces segmentation policy.
FortiDeceptor
OT-specific honeypots emulating PLCs and SCADA systems. Supports Modbus, S7COMM, BACnet, IEC 104, PROFINET, TRICONEX. Deploys Siemens S7-200/S7-1500 decoys to detect lateral movement before it reaches real controllers.
FortiSIEM
Unified IT/OT SOC. OT-specific correlation rules, Purdue-level visibility, IEC 62443 compliance dashboards. Correlates IT alerts with OT anomalies for cross-domain threat detection.
FortiAP Outdoor
Ruggedised wireless access points for plant floor WiFi. IP67 rated, -40°C to 65°C. Managed by FortiGate. Secure wireless for mobile HMIs, barcode scanners, and AGVs.
Reference Architecture: Fortinet at Every Purdue Boundary
Key design principle: No traffic crosses a Purdue level boundary without passing through a FortiGate with OT IPS inspection enabled. The IDMZ (Level 3.5) uses a dedicated FortiGate pair — one facing IT (Level 4), one facing OT (Level 3) — with only controlled data flows between them (historian replication, patch downloads, antivirus updates).
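The IDMZ rule from the Purdue section and the design principle above can be checked against observed traffic. The following added example (not Fortinet or Ogma code) audits flow records against a zone map; the subnets and flows are constructed, and the rule that a flow may only end in the same or an adjacent level is this example's generalization of the Level 4 / Level 3 rule.

```python
import ipaddress

# Ordered Purdue levels; adjacent entries share one inspected boundary.
LEVELS = [0, 1, 2, 3, 3.5, 4, 5]

# Hypothetical site addressing plan: subnet -> Purdue level.
ZONES = {
    "10.40.0.0/16": 4,     # ERP, email
    "10.35.0.0/24": 3.5,   # IDMZ jump servers, patch/AV relays
    "10.30.0.0/16": 3,     # historians, MES
    "10.20.0.0/16": 2,     # HMI, SCADA, engineering workstations
    "10.10.0.0/16": 1,     # PLCs, RTUs
}
NETS = [(ipaddress.ip_network(n), lvl) for n, lvl in ZONES.items()]

def level_of(ip):
    """Return the Purdue level for an address, or None if unmapped."""
    addr = ipaddress.ip_address(ip)
    for net, lvl in NETS:
        if addr in net:
            return lvl
    return None

def audit_flow(src, dst):
    """Classify one flow: 'ok', 'unmapped', or 'skips-boundary'."""
    s, d = level_of(src), level_of(dst)
    if s is None or d is None:
        return "unmapped"          # unknown asset: needs discovery first
    hops = abs(LEVELS.index(s) - LEVELS.index(d))
    # Same zone or adjacent level: crosses at most one inspected boundary.
    return "ok" if hops <= 1 else "skips-boundary"

def audit(flows):
    """Return the flows that violate the design, with the reason."""
    return [(s, d, r) for s, d in flows if (r := audit_flow(s, d)) != "ok"]

# Constructed flow records (src, dst).
SAMPLE_FLOWS = [
    ("10.40.1.15", "10.35.0.10"),   # ERP -> IDMZ relay: allowed path
    ("10.35.0.10", "10.30.2.5"),    # IDMZ relay -> historian: allowed path
    ("10.40.1.15", "10.30.2.5"),    # ERP -> historian direct: bypasses IDMZ
    ("10.40.1.99", "10.10.4.7"),    # corporate host -> PLC
    ("192.168.7.3", "10.20.1.1"),   # unmapped source
]

if __name__ == "__main__":
    for src, dst, reason in audit(SAMPLE_FLOWS):
        print(f"{src} -> {dst}: {reason}")
```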
India Context: NCIIPC, CERT-In, and Sector CSIRTs
India's critical infrastructure is regulated by a layered cybersecurity framework:
- NCIIPC (National Critical Information Infrastructure Protection Centre) — provides threat intelligence, situational awareness, and advisories to organisations with Critical Information Infrastructures (CIIs) including power, oil & gas, telecom, banking, and transport
- CERT-In — 6-hour incident reporting mandate. Over 9,700 cybersecurity audits conducted in 2024–25. New 2025 audit guidelines place unprecedented accountability on critical infrastructure operators
- Sector CSIRTs — CSIRT-Fin (finance) and CSIRT-Power (power sector) are operational for sector-specific coordination
- Key Indian OT sectors: power generation (NTPC, NHPC, state DISCOMs), oil & gas (IOCL, BPCL, HPCL), pharmaceuticals, automotive, steel, cement, smart manufacturing (IIoT)
With 60% of Indian manufacturers deploying IIoT devices but only 25% having adequate OT security, the gap between digitisation and protection is dangerously wide. Purdue model segmentation with Fortinet's OT stack closes this gap without requiring a forklift upgrade of existing industrial systems.
How Ogma Deploys OT Security
Ogma is an authorised Fortinet partner with experience deploying OT security for Indian manufacturing, power, and pharma enterprises. Our approach:
- OT Network Assessment — passive discovery of all OT assets using FortiNAC + network traffic analysis. No active scanning that could disrupt PLCs. Purdue level mapping of your current architecture.
- Segmentation Design — zone-based architecture mapped to Purdue levels with FortiGate Rugged at each boundary. IEC 62443 zones and conduits design.
- FortiGate Rugged Deployment — DIN-rail installation in switch cabinets, OT IPS policy configuration, virtual patching for unpatched PLCs/HMIs, bypass pair configuration for fail-open safety.
- OT SOC Integration — FortiSIEM or FortiAnalyzer deployment with OT-specific correlation rules. Managed SOC service with OT protocol awareness.
- FortiDeceptor — OT honeypot deployment emulating your actual PLC models (Siemens, Rockwell, ABB) to detect lateral movement before it reaches real controllers.
- Compliance Reporting — IEC 62443, NCIIPC, and CERT-In audit-ready documentation and dashboards.
Email [email protected] or contact Ogma for an OT security assessment. We'll map your Purdue levels, identify segmentation gaps, and recommend a deployment plan — without disrupting your production line.