Cybercriminals are increasingly targeting industrial facilities; manufacturing has become the industry hit hardest by ransomware attacks. Attackers exploit a growing number of vulnerabilities in systems, shutting down entire industrial facilities and, in the worst case, endangering human lives.
They use a variety of attacks to gain access to a computer, server or controller on the network. Protection against cyberattacks can only succeed if all levels of the company are protected at the same time, from management down to the field level. For this purpose, IEC 62443, the leading international standard for industrial cybersecurity, defines a multi-layered security concept: with this "defense-in-depth" strategy, an attacker has to overcome not just one but several layers of security measures to reach the target. When implementing this concept, users as well as system integrators and device manufacturers must each take appropriate measures to create a secure environment.

What is defense-in-depth?

Originally, "defense-in-depth" was a military strategy in which several lines of defense are built one behind the other, staggered in depth. The same principle is now applied to a company's cybersecurity:

With the "defense-in-depth" strategy, the security architecture is divided into several layers, each containing different security measures. If an attacker breaks through one layer, for example a firewall, the next security measure is there to stop them again.


“Defense-in-depth” defense layers

Although there are differences between traditional IT systems and ICS (Industrial Control Systems), the basic concept of "defense-in-depth" is applicable to both. The usual operational security levels are listed below.

  • Policies & Procedures
  • Physical security
  • Network security
  • Host security
  • Application and data security.

Example: Engineering work station of a control center

To better understand the principle of "defense-in-depth", let's look at an engineering workstation (EWS) in a control center of an industrial facility as an example:

  • First, rules and procedures for secure use are established.
  • Physical security prevents unauthorized access to the EWS.
  • Network security restricts access to the network to authorized actors only.
  • Host security reduces the attack surface with application whitelisting and protection agents to detect and prevent malicious activity.
  • Application and data security ensures that the installed application is secure and free from known vulnerabilities.

What does physical security mean?

The physical protection of components such as PLCs, storage media, workstations, laptops and servers is an important element of cybersecurity. Consider a SCADA system whose components are geographically distributed (e.g. in power grids or oil and gas infrastructure): such systems have stations (e.g. substations) in remote, often unattended locations. These should have strong physical safeguards (e.g. electric fences) and surveillance (e.g. CCTV cameras). A firewall cannot prevent an attacker from walking off with hardware such as a storage device from a station.

Physical security helps defend against threats such as unauthorized entry, theft, vandalism, or even natural disasters such as fire and flood. It is implemented with physical facilities such as locks, video surveillance, protective barriers, rooms and cabinets with access control mechanisms, uninterruptible power supplies and security personnel to protect hardware and software assets.

What is network security?

The Internet is based on the TCP/IP protocol family, which connects hosts across networks. Because of the way the Internet is structured, however, it is almost impossible to control the path a data packet takes. A user can therefore never be sure who is actually reading the data along the way and what is being done with it.

Network security refers to the technologies and processes that protect the network itself and the data transmitted over it. The key properties are confidentiality and integrity. Unauthorized intrusion into the network must be prevented: in addition to organizational measures, both hardware and software technologies are used to keep malicious actors from getting into a network or moving laterally within it.

Network security can begin with simple username and password authentication. Depending on an organization's risk profile, however, multi-factor authentication and more complex hardware and software technologies may also be necessary, for example network filters and intrusion detection systems (IDS).

Important elements of network security are "demilitarized zones" (DMZ). These are physical or logical sub-networks in which the systems that must be reachable from both the internal and the external network are placed. A DMZ secures the company network by isolating these shared systems with firewalls. In industrial facilities, at least a three-tier architecture is recommended: a DMZ separates the general corporate IT network (where hosts such as e-mail and web servers are located) from the operational network in which the components of the ICS are located. Because no traffic is allowed to flow directly between the corporate and the operational network, the DMZ adds an additional layer of security: an external attacker who gets in can at first reach only the devices in the DMZ and must compromise one of them before getting to other parts of the network.
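As an added illustration (this is not code from the original post or from Eaton's white paper), the following Python models the three-tier architecture as a default-deny zone policy: every flow is classified by source and destination zone and only explicitly listed cross-zone flows are allowed, so a corporate PC can reach the DMZ historian but never a PLC directly, and nothing in the control network can reach the Internet. The address ranges, host names, services and rules are assumptions chosen for the example, and `lint_rules` shows the check a practitioner should run on any real rule set: no rule may join the corporate and control zones without passing through the DMZ.

```python
import ipaddress
from dataclasses import dataclass

# Three-tier layout: corporate IT, a DMZ in between, and the operational (ICS) network.
# Address ranges are assumptions made for this example; any address outside them is "internet".
ZONES = {
    "enterprise": ["10.10.0.0/16"],
    "dmz":        ["10.20.0.0/24"],
    "control":    ["10.30.0.0/16"],
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst: str      # destination host or CIDR the rule applies to
    proto: str
    dport: int


# Allow-list evaluated by the firewalls around the DMZ; anything not listed is dropped.
# No rule connects "enterprise" and "control" directly in either direction: every
# cross-zone path terminates on a host in the DMZ (hypothetical hosts and services).
RULES = [
    Rule("enterprise", "dmz", "10.20.0.10", "tcp", 443),    # office users read the replicated historian
    Rule("enterprise", "dmz", "10.20.0.20", "tcp", 3389),   # engineers reach the jump host by RDP
    Rule("dmz", "control", "10.30.1.10", "tcp", 5432),      # DMZ historian replicates from the OT historian
    Rule("dmz", "control", "10.30.0.0/16", "tcp", 22),      # jump host administers OT hosts by SSH
    Rule("control", "dmz", "10.20.0.30", "udp", 123),       # OT hosts get time from the DMZ NTP server
]


def zone_of(ip: str) -> str:
    """Map an address to its zone; unmatched addresses are treated as the untrusted internet."""
    addr = ipaddress.ip_address(ip)
    for zone, nets in ZONES.items():
        if any(addr in ipaddress.ip_network(net) for net in nets):
            return zone
    return "internet"


def is_allowed(src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
    """Default-deny evaluation of one flow against the zone rules."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone == dst_zone:
        return True  # traffic inside one zone never crosses the DMZ firewalls
    dst = ipaddress.ip_address(dst_ip)
    for r in RULES:
        if (r.src_zone, r.dst_zone, r.proto, r.dport) == (src_zone, dst_zone, proto, dport) \
                and dst in ipaddress.ip_network(r.dst, strict=False):
            return True
    return False


def lint_rules(rules) -> list:
    """Return rules that bypass the DMZ: enterprise<->control directly, or internet->control."""
    return [r for r in rules
            if {r.src_zone, r.dst_zone} == {"enterprise", "control"}
            or (r.src_zone == "internet" and r.dst_zone == "control")]


if __name__ == "__main__":
    checks = [
        ("office PC -> DMZ historian (HTTPS)", ("10.10.5.5", "10.20.0.10", "tcp", 443)),
        ("office PC -> PLC (Modbus/TCP)",      ("10.10.5.5", "10.30.1.50", "tcp", 502)),
        ("DMZ historian -> OT historian",      ("10.20.0.10", "10.30.1.10", "tcp", 5432)),
        ("PLC -> internet (HTTPS)",            ("10.30.1.50", "203.0.113.7", "tcp", 443)),
        ("internet -> PLC (Modbus/TCP)",       ("203.0.113.7", "10.30.1.50", "tcp", 502)),
    ]
    for label, flow in checks:
        print(f"{label:38s} {'ALLOW' if is_allowed(*flow) else 'DROP'}")
    print("DMZ bypasses in rule set:", lint_rules(RULES))
```

The point of the model is the shape of the rule set rather than the individual ports: if a maintenance request ever asks for "just one rule" from an office subnet to a controller, `lint_rules` flags it, because that single rule collapses the three tiers back into two.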

What does host security mean?

In principle, a host is nothing more than a device on a network on which software is executed. In an industrial control system a host can be a PLC, an HMI or a server. Host security ensures that hardware, software, server and storage components are protected against cyberattacks; this includes reducing the attack surface (e.g. the application whitelisting from the EWS example above), regular updates, monitoring and access controls.

Why is application security of key importance?

Applications are the most used and most exposed interfaces of a device, which makes them a prime target for cyberattacks and explains why application security is critical to a defense-in-depth strategy. There are various ways to protect applications: input validation, authentication and data encryption are just a few examples.

What is SIEM monitoring?

Understanding what is happening inside the network, from both a performance and a security perspective, is critical to cybersecurity, and especially so in a control system. Security Information and Event Management (SIEM) collects and correlates logs and events from infrastructure components so that an organization can monitor them and identify potential security threats and vulnerabilities. Modern SIEM products additionally offer analytics of user and entity behavior built on machine learning.
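To make the correlation a SIEM performs concrete, here is an added example (not part of the original post or of any Eaton product) that runs a small detection rule over constructed log lines from an engineering workstation and a DMZ firewall. The rule raises a HIGH alert when a source succeeds at logging in after at least five failures within two minutes, and escalates to CRITICAL if the same source then opens a Modbus/TCP (port 502) connection into the control network within ten minutes. The log format, host names, addresses, thresholds and the sample lines are all assumptions made for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (assumed format: "<timestamp> <host> <kind>: key=value ..."):
# 10.20.0.20 fails five times against ews01, succeeds, then talks Modbus/TCP to a PLC.
# 10.20.0.21 is a normal engineer who mistypes once, then reaches the OT historian.
SAMPLE_LOG = """\
2024-05-02T01:10:01Z ews01 auth: user=operator src=10.20.0.20 result=FAIL
2024-05-02T01:10:09Z ews01 auth: user=operator src=10.20.0.20 result=FAIL
2024-05-02T01:10:17Z ews01 auth: user=operator src=10.20.0.20 result=FAIL
2024-05-02T01:10:26Z ews01 auth: user=operator src=10.20.0.20 result=FAIL
2024-05-02T01:10:34Z ews01 auth: user=operator src=10.20.0.20 result=FAIL
2024-05-02T01:10:41Z ews01 auth: user=operator src=10.20.0.20 result=OK
2024-05-02T01:11:05Z fw01 flow: src=10.20.0.20 dst=10.30.1.50 proto=tcp dport=502 action=ALLOW
2024-05-02T01:12:00Z ews01 auth: user=engineer src=10.20.0.21 result=FAIL
2024-05-02T01:12:10Z ews01 auth: user=engineer src=10.20.0.21 result=OK
2024-05-02T01:15:00Z fw01 flow: src=10.20.0.21 dst=10.30.1.10 proto=tcp dport=5432 action=ALLOW
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>\w+): (?P<kv>.*)$")


def parse(line: str):
    """Parse one log line into a dict, or return None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
          "host": m["host"], "kind": m["kind"]}
    ev.update(dict(kv.split("=", 1) for kv in m["kv"].split()))
    return ev


def correlate(lines, fail_threshold=5, fail_window=timedelta(minutes=2),
              followup_window=timedelta(minutes=10)):
    """Brute-force-then-success detection, escalated when the source then reaches a PLC."""
    alerts = []
    recent_fails = defaultdict(deque)   # src -> timestamps of recent failed logins
    suspicious_login = {}               # src -> time of the success that followed the failures
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        src, ts = ev.get("src"), ev["ts"]
        if ev["kind"] == "auth":
            q = recent_fails[src]
            while q and ts - q[0] > fail_window:   # slide the window forward
                q.popleft()
            if ev["result"] == "FAIL":
                q.append(ts)
            elif ev["result"] == "OK" and len(q) >= fail_threshold:
                alerts.append((ts, "HIGH",
                               f"{src} logged in to {ev['host']} as {ev['user']} "
                               f"after {len(q)} failed attempts"))
                suspicious_login[src] = ts
                q.clear()
        elif ev["kind"] == "flow" and ev.get("action") == "ALLOW":
            t0 = suspicious_login.get(src)
            if t0 is not None and ts - t0 <= followup_window and ev.get("dport") == "502":
                delay = int((ts - t0).total_seconds())
                alerts.append((ts, "CRITICAL",
                               f"{src} opened Modbus/TCP to {ev['dst']} "
                               f"{delay}s after the suspicious login"))
    return alerts


if __name__ == "__main__":
    for ts, severity, message in correlate(SAMPLE_LOG.splitlines()):
        print(f"{ts.isoformat()} [{severity}] {message}")
```

Neither log source is alarming on its own: failed logins are noise on any workstation, and a Modbus connection from the DMZ may be routine. The value of the SIEM is that it sees both sources and can tie the second event to the first; on its own, the engineer at 10.20.0.21 with a single typo correctly produces no alert.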

Conclusion

With today's threat situation, perimeter protection (firewalls, virus and spam filters) at the edge of the network is no longer sufficient, especially not for industrial control systems (ICS). What is needed instead is a multi-layered "defense-in-depth" that protects manufacturing systems the way the successive walls and ramparts of a castle do. In the white paper "Cybersecurity considerations for industrial control systems", Eaton describes the measures users must take to protect industrial controllers and automation components from cyberattacks and how manufacturers develop "secure" products.

Learn more about cybersecurity

To protect industrial control systems from the increasing number of cyberattacks, a multi-layered "defense-in-depth" strategy is required, in which the automation components and devices themselves form the last line of defense. In this white paper Eaton describes the steps users must take to protect industrial controls and automation components from cyberattacks and how Eaton develops "secure" products.
