Defense in Depth in ICS

Dan Ricci,
Engagement and R&D Director

Defense in Depth is a cybersecurity strategy that involves a layered approach to protect critical assets within industrial control systems (ICS). It draws its origins from military strategy, where it aims to create barriers to impede intruders’ progress, monitor their activities, and develop responses to repel them.

In the context of cybersecurity, Defense in Depth focuses on detective and protective measures to hinder cyber intruders while enabling organizations to detect and respond to intrusions, ultimately reducing and mitigating the consequences of breaches.

With the complexity of industrial systems and the growing pressure to secure the critical infrastructure that utilizes ICS, Defense in Depth can be an effective approach to cybersecurity design. This is the first blog in a series exploring how to leverage Defense in Depth to better secure critical infrastructure’s industrial systems and technology.

Why Take a Defense in Depth Approach for ICS?

There are no shortcuts or simple solutions to address cybersecurity vulnerabilities within critical infrastructure ICS. Traditional IT security measures typically fall short because they often don’t consider the complex and unique constructions of these environments. This includes the use of legacy assets and technologies, the emphasis on reliability and continuity, and the rapidly evolving threat landscape. This underscores the complexity and seriousness of the threats faced by control systems.

Defense in Depth is not a one-to-one exercise of matching a single control to a single threat; it takes a holistic approach to cybersecurity strategy. It considers all assets, interconnections, dependencies, and available resources within the environment to establish effective layers of monitoring and protection. This approach is vital in control systems, where multiple components are interconnected.

Applying Defense in Depth to ICS Environments

To apply Defense in Depth to ICS environments, organizations must comprehend the relationship between threats, vulnerabilities, and the controls (policies, standards, and countermeasures) that are already in place.

Threat actors seek to exploit weaknesses or vulnerabilities such as outdated software, misconfigured devices, unpatched flaws, and more, so countermeasures like security controls, firewalls, patch management, and others are essential to protect critical assets, operations, personnel, and technology.

Evaluating and securing an industrial environment with Defense in Depth in mind will provide a framework that makes it easier to identify any gaps and potential weaknesses in these security controls.

Adaptability is also crucial in the ever-evolving landscape of cybersecurity to ensure ongoing protection for control systems. Effective security isn’t something that can be implemented and forgotten about. Organizations must continuously adjust and refine security countermeasures to address known and emerging threats.

Because ICS architectures are complex, vulnerabilities and exploits that introduce new and evolving categories of threats into the ICS environment can have lasting consequences.

Without a layered, multi-tier strategy like Defense in Depth, control systems may be exposed to threats for extended periods. Without continuous visibility or regular assessment of the environment, advanced persistent threats could remain undetected within the system.

Below are some examples of threats and intrusion methods that ICS environments face that could be addressed with a Defense in Depth strategy:

  • Attacks directly from the Internet to Internet-connected ICS devices: These attacks can establish direct access deep into the ICS systems, posing a significant risk to safety and operations.
  • Attacks initiated using remote access credentials stolen or hijacked from authorized ICS organization users: Such attacks can also establish direct access deep within the ICS systems. The use of legitimate credentials also makes them difficult to detect.
  • Attacks on the external business web interface: These attacks leverage vulnerabilities in web services and can pivot into the ICS historian, which provides ICS data to web server applications.
  • Attacks initiated by insertion of infected mobile media into a system component: Threat actors can use this to pivot deeper into the ICS network systems when opportunities arise.
  • Phishing email attacks: When threat actors use phishing emails to establish a presence on enterprise user desktops or business computers, they can use that foothold to reach deeper into the ICS network systems.
  • Increased attack surface: Since the pandemic, the cyber attack surface has expanded through remote work arrangements. This has made industries such as the critical manufacturing sector and others more vulnerable to ransomware attacks. Growing attack surfaces and reduced protective abilities necessitate a comprehensive security approach like Defense in Depth.
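The second bullet above makes the key point for detection: a logon with stolen but valid remote-access credentials passes the authentication layer by design, so it has to be caught by other layers. The following Python script is an added example, not code from the original post, showing how three independent monitoring layers (a zone policy of which accounts may reach which ICS hosts, a per-account baseline of known source addresses, and a business-hours baseline) are scored together over remote-access gateway log lines. The log format, the host inventory, the authorized-account table, and the log lines themselves are all constructed for this illustration; a real deployment would feed these layers from the gateway's own logs and asset inventory.

```python
"""Layered detection of remote-access logons to ICS hosts.

Added example for illustration only. The log format, inventory and
sample lines below are constructed, not taken from any real system.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed inventory: hosts in the ICS zone and the role each plays.
ICS_HOSTS = {"hist01": "historian", "eng02": "engineering-workstation", "hmi03": "hmi"}
# Constructed policy: which remote-access accounts may reach which ICS hosts.
AUTHORIZED_REMOTE = {"ops_alice": {"eng02"}, "vendor_bob": {"hmi03"}}
# Constructed baseline: 07:00-18:59 local counts as business hours.
BUSINESS_HOURS = range(7, 19)

# Constructed gateway log: "<timestamp> <user> <src_ip> <dst_host> <result>"
SAMPLE_LOG = """\
2024-05-02T08:12:01 ops_alice 10.20.5.14 eng02 success
2024-05-02T09:40:22 vendor_bob 203.0.113.7 hmi03 success
2024-05-02T23:05:47 ops_alice 198.51.100.9 eng02 success
2024-05-02T23:06:10 ops_alice 198.51.100.9 hist01 success
2024-05-02T23:07:30 ops_alice 198.51.100.9 hist01 success
2024-05-02T10:15:00 intern_eve 10.20.5.31 hist01 failure
"""


@dataclass
class Event:
    ts: str
    user: str
    src: str
    dst: str
    result: str

    @property
    def hour(self) -> int:
        # Timestamp is ISO 8601, so the hour sits at characters 11-12.
        return int(self.ts[11:13])


def parse_log(text: str) -> list[Event]:
    """Parse the constructed five-field log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, dst, result = line.split()
        events.append(Event(ts, user, src, dst, result))
    return events


def is_internal(ip: str) -> bool:
    """Only 10/8 is treated as internal in this constructed network."""
    return ip.startswith("10.")


def score_event(ev: Event, seen_sources: dict[str, set[str]]) -> list[str]:
    """Return one finding per independent layer that fires for a successful logon.

    A valid credential satisfies none of these layers, which is the point:
    each layer adds a signal the attacker did not obtain by stealing a password.
    """
    findings: list[str] = []
    if ev.result != "success":
        return findings
    # Layer 1: zone policy - may this account reach this ICS host at all?
    if ev.dst in ICS_HOSTS and ev.dst not in AUTHORIZED_REMOTE.get(ev.user, set()):
        findings.append(f"zone-policy: {ev.user} not authorized for {ev.dst} ({ICS_HOSTS[ev.dst]})")
    # Layer 2: source baseline - external address never seen for this account.
    if ev.dst in ICS_HOSTS and not is_internal(ev.src) and ev.src not in seen_sources[ev.user]:
        findings.append(f"new-external-source: {ev.user} from {ev.src}")
    # Layer 3: time-of-day baseline.
    if ev.hour not in BUSINESS_HOURS:
        findings.append(f"off-hours: {ev.user} at {ev.ts[11:16]}")
    seen_sources[ev.user].add(ev.src)
    return findings


def detect(text: str, min_layers: int = 2) -> dict[str, list[str]]:
    """Map each event timestamp to its findings when at least min_layers fire."""
    seen: dict[str, set[str]] = defaultdict(set)
    alerts: dict[str, list[str]] = {}
    for ev in parse_log(text):
        findings = score_event(ev, seen)
        if len(findings) >= min_layers:
            alerts[ev.ts] = findings
    return alerts


if __name__ == "__main__":
    for ts, findings in detect(SAMPLE_LOG).items():
        print(ts, "->", "; ".join(findings))
```

Run as written, the script raises no alert for the vendor's first-time external logon (one layer fires, and the default threshold requires two) but alerts on all three of the off-hours logons from the unfamiliar address, including the two that also violate the zone policy by reaching the historian. Lowering `min_layers` to 1 surfaces the vendor logon too; the threshold is the knob that trades sensitivity against noise once the layers are in place.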

Defense in Depth is essential for mitigating these risks and ensuring the resilience of control systems against evolving threats.

The next blog in the series will explore the principles of Defense in Depth and how they can be applied as a security strategy for control systems.