Defense in depth (also known as Castle Approach) is an information assurance (IA) concept in which multiple layers of security controls are placed throughout an information technology (IT) system. It is the concept of protecting a computer network with a series of defensive mechanisms such that if one mechanism fails, another will already be in place to thwart an attack.
The idea behind the defense in depth approach is to defend a system against any particular attack using several independent methods. It is a layering tactic, conceived by the National Security Agency (NSA) as a comprehensive approach to information and electronic security.
Facilities and IT teams can effectively maintain physical and information security with a “defense-in-depth” approach that addresses both internal and external threats. Defense-in-depth is based on the idea that any one point of protection may, and probably will, be defeated. This approach uses three different types of layers (physical, electronic, and procedural) and applies appropriate controls to address different risks that might arise in each.
The same concept works for both physical and network security. Multiple layers of network security can protect networked assets, data and end points, just as multiple layers of physical security can protect high-value physical assets. With a defense-in-depth approach:
- System security is purposely designed into the infrastructure from the beginning. Attackers are faced with multiple hurdles to overcome if they want to successfully break through or bypass the entire system.
- A weakness or flaw in one layer can be protected by strength, capabilities or new variable introduced through other security layers.
Typical defense-in-depth approaches involve five areas: physical, network, computer, application, and device.
1. Physical Security – It seems obvious that physical security would be an important layer in a defense-in-depth strategy, but don’t take it for granted. Guards, gates, locks, port block-outs, and key cards all help keep people away from systems that shouldn’t touch or alter. In addition, the lines between the physical security systems and information systems are blurring as physical access can be tied to information access.
2. Network Security – An essential part of a plant’s information fabric, network security should be equipped with firewalls, intrusion detection and prevention systems (IDS/IPS), and general networking equipment such as switches and routers configured with their security features enabled. Zones establish domains of trust for security access and smaller local area networks (LANs) to shape and manage network traffic. A demilitarized zone between the industrial plant floor or space and the IT and corporate offices allows data and services to be shared securely.
3. Computer Hardening – Well known (and published) software vulnerabilities are the number one way that intruders gain access to automation systems. Examples of Computer Hardening include the use of:
- Antivirus software
- Application whitelisting
- Host intrusion-detection systems (HIDS) and other endpoint security solutions
- Removal of unused applications, protocols and services
- Closing unnecessary ports
Computers on the plant floor (like the HMI or industrial computer) are susceptible to malware cyber risks including viruses and Trojans. Software patching practices can work in concert with these hardening techniques to help further address computer risks. Follow these guidelines to help reduce risk:
- Disable software automatic updating services on PCs
- Inventory target computers for applications, and software versions and revisions
- Subscribe to and monitor vendor patch qualification services for patch compatibility
- Obtain product patches and software upgrades directly from the vendor
- Pre-test all patches on non-operational, non-mission critical systems
- Schedule the application of patches and upgrades and plan for contingencies
4. Application Security –This refers infusing industrial control system applications with good security practices, such as a Role Based Access Control System, which locks down access to critical process functions, force username/password logins, combinations, etc.
5. Device Hardening – Changing the default configuration of an embedded device out-of-the-box can make it more secure. The default security settings of PLCs, PACs, routers, switches, firewalls and other embedded devices will differ based on class and type, which subsequently changes the amount of work required to harden a Particular device. But remember, a chain is only as strong as its weakest link.
By following good security design practices and applying the right products and services, risk can be reduced, removed, transferred or brought to an acceptable level. Proven techniques to reduce risk to control systems exist today. Facilities and IT teams can use existing methods to control who has access to the system, employ firewalls and intrusion detection capabilities, implement patch management programs, and seek out a third party to assess other procedural and technical opportunities that isolate risk and address identified vulnerabilities specific to your company. These steps will enhance industrial control security solutions and help companies protect their intellectual property, valuable assets and the operational integrity of the industrial control systems on which they depend.
Implementing a strategy of defense in depth will hopefully defeat or discourage all kinds of attackers. Firewalls, intrusion detection systems, well trained users, policies and procedures, switched networks, strong password and good physical security are examples of some of the things that go into an effective security plan. Each of these mechanisms by themselves are of little value but when implemented together become much more valuable as part of an overall security plan.
Authored By - Harish Musthyala
TCS Cyber Security Practice