# How the New PAN-OS 7.1 Release Empowers Industrial Control and SCADA Systems

By [Lionel Jacobs](https://www.paloaltonetworks.com/blog/author/lionel-jacobs/?ts=markdown "Posts by Lionel Jacobs"), Apr 07, 2016

As an ever-vigilant security practitioner for ICS and SCADA, you've probably noticed that we recently [announced the release of our newest operating system, PAN-OS 7.1](https://www.paloaltonetworks.com/blog/2016/04/ignite-announcement-pan-os-7-1/?ts=markdown). For ICS and SCADA customers, I want to share some ideas about how this new platform could be leveraged in the plant production environment.

### Deploy Two-Factor Authentication with GlobalProtect

The need for real-time data to remain competitive is a major element that has ushered in the need for connectivity between ICS environments and the enterprise. This connectivity, if not done correctly, could truly come at a premium. Even though most ICS environments have little or no access to the Internet, the established connectivity back to the enterprise places these systems at extreme risk. Oftentimes, lacking segmentation, the systems are easily seen and easily accessible by those who have no reason to access them.

Due to the age and nature of these systems, access control is difficult to implement and sustain; therefore, special care and consideration must be taken to ensure access for the mobile workforces that support them. By using the [Palo Alto Networks Next-Generation Security Platform](https://www.paloaltonetworks.com/products/designing-for-prevention/security-platform?ts=markdown) and leveraging the extensibility we can provide to end-user devices, we can help ensure that the only people accessing the systems are the ones who need to. Most importantly, we can ensure that their systems are free of infections that could compromise them.

With the release of PAN-OS 7.1, we can secure access to these remote plants and field devices that have simple or weak passwords and non-existent authentication capabilities with GlobalProtect™, which can implement two-factor authentication to the zone where they are located.

As security practitioners, we know that the use of Active Directory (AD) usernames and passwords is not sufficient for allowing remote access to these devices, as they can be compromised by phishing attacks.
We also know attackers can use stolen credentials to gain access to these resources and put the control systems at risk. Most organizations mandate two-factor authentication (2FA) for VPN authentication to safeguard against stolen credentials, and the same should apply to ICS and SCADA process control networks (PCNs). Common and acceptable options for 2FA are the use of a unique client certificate per client device in addition to the AD credentials, or a one-time password (OTP) with RSA SecurID.

In PAN-OS 7.1, the GlobalProtect portal can now interface with the enterprise public key infrastructure (PKI) as a Simple Certificate Enrollment Protocol (SCEP) client and facilitate secure distribution of unique client certificates. GlobalProtect now has enhancements to cache the result of a successful OTP authentication for subsequent authentications. This will significantly reduce the number of times a user must input the OTP to stay connected to GlobalProtect.

And don't worry too much about that automation tech who lost their ruggedized device. To mitigate the risk of lost or stolen equipment, just revoke the client certificate or the cached cookie.

### Bootstrapping Device Deployment

For owners and/or operators of ICS and SCADA systems in remote locations where there are no personnel with the necessary skill set to configure and deploy equipment, or where a third-party provider is needed for the physical deployment of equipment, the new bootstrapping capability of Palo Alto Networks next-generation firewalls will simplify the process of configuration and deployment.

In remote environments, physical firewalls generally require trained personnel to perform the sequence of manual configuration before the firewall is ready for operation. At the very least, a field technician who has a wireless modem connected to a laptop is needed. The laptop must be configured to allow a remote desktop session so that someone at a corporate office can work through that machine.
Our new bootstrapping feature helps simplify and automate the process of deployment, whether it's to replace or upgrade an existing unit or to undergo a completely new installation. With PAN-OS 7.1, when a firewall is first deployed or has been factory reset, it will look for a configuration package (located on a USB flash drive). Once found, it will automatically load it as part of the boot-up process.

Our bootstrapping process is incredibly flexible. The package can range from something as simple as a basic network configuration and a Panorama™ IP address to the latest software versions, content updates, policies and licenses. This new feature will reduce the time required to get remote sites with new deployments live or back online due to site mishaps. Additionally, it can reduce the level of frustration during the deployment or recovery process.

With this new feature, your deployment abilities in remote, disconnected environments could be improved by delivering all the required configurations through the bootstrapping package without the aid of the Internet. When you call the field and request a pair of hands to do the deployment, you truly mean just a pair of hands.

### Bidirectional Forwarding Detection

It is not uncommon for operators of ICS and SCADA systems to use the dynamic routing capabilities of the Next-Generation Firewall to meet their Layer 3 connectivity needs, especially in situations where space and power are at a premium and network downtime must be kept at a minimum. The need for fast, reliable network convergence in these environments is essential to ensuring the safe operation of these real-time systems.

Bidirectional Forwarding Detection, or BFD, in PAN-OS 7.1 allows sub-second failure detection, immediately triggering convergence in routing protocols, such as Open Shortest Path First (OSPF) and Border Gateway Protocol (BGP), to re-establish viable paths in traffic flow across the firewall. This helps reduce production network outages.
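
Whether BFD detection is actually sub-second depends on the timers the two ends negotiate. As an added example (not from the original post and not PAN-OS code), the Python below computes the asynchronous-mode detection time defined in RFC 5880 section 6.8.4 and replays control-packet arrivals to show when a session is declared down; the class, function names and timer values are constructed for illustration.

```python
"""BFD asynchronous-mode timing per RFC 5880 section 6.8.4 (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class BfdTimers:
    """Per-end timers; names follow RFC 5880, not PAN-OS configuration keys."""
    desired_min_tx_ms: int   # fastest rate this end wants to send at
    required_min_rx_ms: int  # fastest rate this end is willing to receive at
    detect_mult: int         # missed-packet multiplier advertised to the peer


def tx_interval_ms(sender: BfdTimers, receiver: BfdTimers) -> int:
    """Agreed send interval: the sender may not outpace the receiver."""
    return max(sender.desired_min_tx_ms, receiver.required_min_rx_ms)


def detection_time_ms(local: BfdTimers, remote: BfdTimers) -> int:
    """Silence the local end tolerates before declaring the session down.

    The multiplier is the one received from the peer, so a slow setting on
    the far end lengthens detection on the near end.
    """
    return remote.detect_mult * tx_interval_ms(remote, local)


def declared_down_at(arrivals_ms, detect_ms, observed_until_ms):
    """Replay control-packet arrival times; return when the detection timer
    expires, or None if it never does inside the observed window."""
    deadline = None
    for t in sorted(arrivals_ms):
        if deadline is not None and t > deadline:
            return deadline            # gap longer than the detection time
        deadline = t + detect_ms       # each packet re-arms the timer
    if deadline is not None and observed_until_ms > deadline:
        return deadline
    return None


# Constructed sample values, not taken from any real deployment.
FIREWALL = BfdTimers(desired_min_tx_ms=300, required_min_rx_ms=300, detect_mult=3)
PEER_OK = BfdTimers(desired_min_tx_ms=200, required_min_rx_ms=200, detect_mult=3)
PEER_SLOW = BfdTimers(desired_min_tx_ms=100, required_min_rx_ms=100, detect_mult=5)

if __name__ == "__main__":
    for name, peer in (("PEER_OK", PEER_OK), ("PEER_SLOW", PEER_SLOW)):
        d = detection_time_ms(FIREWALL, peer)
        print(f"{name}: peer sends every {tx_interval_ms(peer, FIREWALL)} ms, "
              f"firewall detects loss after {d} ms "
              f"({'sub-second' if d < 1000 else 'NOT sub-second'})")
    # Peer packets stop after t=900 ms (path failure at about t=1000 ms).
    arrivals = [0, 300, 600, 900]
    print("declared down at", declared_down_at(arrivals, 900, 5000), "ms")
```

With the second peer, the firewall's own detection time rises to 1.5 seconds even though its local multiplier is 3, because the multiplier applied is the one the peer advertises; both ends of a BFD session need reviewing when a sub-second target matters.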
Just think: The device that gets blamed the most for causing communication disruptions is now the device that's keeping the communication going.

### Want to learn more?

Details about what's new in this release can be found on our [PAN-OS 7.1 Technical Documentation](https://www.paloaltonetworks.com/documentation/71/pan-os/newfeaturesguide.html?ts=markdown) page with additional resources available below.

* [Technical Documentation: Enhanced Two-Factor Authentication](https://www.paloaltonetworks.com/documentation/71/pan-os/newfeaturesguide/globalprotect-features/enhanced-two-factor-authentication.html?ts=markdown)
* [Technical Documentation: Bootstrapping Firewalls for Rapid Deployment](https://www.paloaltonetworks.com/documentation/71/pan-os/newfeaturesguide/management-features/bootstrapping-firewalls-for-rapid-deployment.html?ts=markdown)
* [Technical Documentation: Failure Detection with BFD](https://www.paloaltonetworks.com/documentation/71/pan-os/newfeaturesguide/networking-features/failure-detection-with-bfd.html?ts=markdown)