Defense-in-depth strategy in industrial cybersecurity.
Industrial cybersecurity covers the mechanisms that prevent illegal or unwanted access, intentional or unintentional interference with the proper and intended operation of industrial automation and control systems, and improper access to the confidential information they hold. Electronic security covers computers, networks, operating systems, applications and the other programmable or configurable components of the system.
Information security has traditionally focused on three main objectives:
- Confidentiality of information.
- Data integrity.
- Availability.
Traditionally, IT environments have prioritized the confidentiality of information, since the information itself is what carries value for the business function.
In industrial automation environments and critical infrastructures, the priorities are different. In these environments, the main concern is maintaining the availability of all system components as opposed to confidentiality.

CIA Model of IEC 62443
The “CIA” model shown in Figure 1 is not adequate for a complete understanding of the security requirements of a critical infrastructure. It is also necessary to consider the fundamental requirements specified in IEC 62443:
- Access control: protect assets and information from unauthorized access.
- Usage control: protect assets from unauthorized operations.
- Information integrity: protect communication channels against unauthorized changes to the information they carry.
- Information confidentiality: protect information from espionage (unauthorized disclosure).
- Restrict data flows: protect communication channels so that information cannot reach unauthorized destinations.
- Incident response: ensure that cybersecurity incidents are responded to correctly; this implies monitoring, reporting, alerting and the execution of corrective actions.
- Resource availability: ensure that all system resources remain available and are protected from denial of service.
The operations of ICS/OT environments increasingly depend on information technologies to perform their function. It is therefore necessary to implement cybersecurity controls that protect them and that ensure the availability and correct operation of both the organization's operations and its equipment.
Typical countermeasures used to minimize external threats are:
- Authentication of users and equipment.
- Access controls.
- Intrusion detection systems (IDS).
- Use of encryption.
- Use of digital signatures.
- Isolation and/or segregation of networks/devices.
- Vulnerability scanners.
- Monitoring of the activity of the equipment and the network.
- Physical security.
Mitigating internal threats requires a different approach, given that a possible attacker would be able to bypass the normal countermeasures. In this case, more emphasis must be placed on countermeasures such as policies and procedures, separation of roles, monitoring of activities, encryption and system auditing.
Therefore, no single technology, product or solution is enough to adequately protect control systems. A multi-layer strategy is required, with two or more overlapping security mechanisms, that is, a defense-in-depth strategy.
A defense-in-depth strategy includes the use of firewalls, the creation of DMZs, intrusion detection solutions, effective security policies, training programs, incident response, mechanisms that guarantee physical security, and mechanisms for monitoring and alerting on incidents. In this way, if a particular safeguard fails, others in the lower layers keep the risk at an acceptable level.

Defense-in-depth strategy
1. Security policies and procedures: Rules, obligations and procedures that define the organization’s approach to the protection and security of information. Policies should be communicated to the entire organization in an appropriate, understandable and accessible form.
2. Physical and environmental security: The objective is to prevent a possible attacker from gaining physical access to the equipment and industrial network infrastructure (the hardware). Barriers, physical access control and surveillance mechanisms are the pillars for increasing security in this dimension.
3. Perimeter defense: The perimeter is the point, or set of points, where the trusted internal network managed by the organization itself comes into contact with external or untrusted networks, such as the Internet or networks managed by third parties. An attacker can reach the services that are offered or accessible from the outside and take advantage of them to carry out malicious activity. The measures in this layer focus on securing remote access to the network.
4. Network defense: If an attacker gains access to the network, they can monitor the traffic that circulates through it, either passively (read-only) or actively (with possible modification). Intrusion detection systems and intrusion prevention systems are typically used to protect the network from these threats.
5. Equipment defense: The security of equipment, both servers and clients, is based on the implementation of the following safeguards:
- Install security patches to eliminate known vulnerabilities.
- Disable all unnecessary services to minimize the exposure factor of the equipment.
- Have an active anti-malware solution.
- Control incoming communications through a firewall.
- Restrict the execution of applications.
6. Application defense: Applications are protected by performing access control through the solid implementation of authentication and authorization mechanisms.
7. Data defense: If an attacker has managed to bypass all the previous protections and has access to the application, authentication and authorization, together with encryption, are the technologies most used to protect the data.
8. The use of automated mechanisms is recommended for making backup copies of the control systems, allowing version control of the copies.
9. Storage of the copies should be made redundant.
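As an added example, not taken from the original article or from Logitek's own configurations, the following nftables ruleset shows how the perimeter-defense, network-defense and restrict-data-flows layers described above can be enforced at a router joining the IT, DMZ and OT zones: every path is denied by default, IT reaches only the historian in the DMZ, only the historian reaches the OT data server, OT never initiates traffic outward, and every dropped packet is logged to feed the monitoring layer. Interface names, addresses and ports are assumed values chosen for illustration.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the original article): forward filtering on a
# router with three interfaces: IT ("it0"), DMZ ("dmz0") and OT ("ot0").
# All names, addresses and ports below are assumed values.
flush ruleset

define it_net          = 10.10.0.0/16
define dmz_net         = 10.20.0.0/24
define ot_net          = 10.30.0.0/24
define historian       = 10.20.0.10   # DMZ data historian (assumed)
define ot_data_server  = 10.30.0.5    # OT-side data server (assumed)
define ot_collect_port = 502          # port the historian polls (assumed)

table inet ics_segmentation {
    chain forward {
        # Default deny: a flow is only forwarded if a rule below allows it.
        type filter hook forward priority 0; policy drop;

        # Replies belonging to flows that were already allowed.
        ct state established,related accept
        ct state invalid drop

        # Perimeter layer: IT users reach only the historian's HTTPS
        # front end in the DMZ, nothing else in the DMZ and nothing in OT.
        iifname "it0" oifname "dmz0" ip saddr $it_net ip daddr $historian tcp dport 443 accept

        # Restricted data flow: only the historian may open a connection
        # into OT, only to the data server, only on the collection port.
        iifname "dmz0" oifname "ot0" ip saddr $historian ip daddr $ot_data_server tcp dport $ot_collect_port accept

        # There is deliberately no IT <-> OT rule and no rule with
        # iifname "ot0": OT devices never initiate traffic outward.

        # Network-defense/monitoring layer: log and count what is denied
        # so the IDS or SIEM can alert on unexpected cross-zone attempts.
        log prefix "ics-fw-drop " counter drop
    }
}
```

Load it with `nft -f <file>`; the `counter` on the final rule gives a quick health check with `nft list ruleset`, since a rising drop count on an otherwise quiet network is itself an indicator worth investigating.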
Links related to defense in depth
- How Logitek Implements Perimeter Defense.
- How Logitek Implements Internal Network Defense.
- Defense in depth.
- How Logitek Implements Equipment Defense.
- How Logitek Implements Data Defense.