Defense-in-Depth concept 

Purpose of the Defense-in-Depth concept

A suitable approach to counter manifold cyber threats is a Defense-in-Depth strategy, for example in accordance with the IEC 62443 standard. This means that a holistic approach must include a combination of technological and organizational measures.

Furthermore, a defense system must not rely on a single measure only. Instead, staggered countermeasures should be implemented, each of which represents one layer of protection. All measures should complement and reinforce each other. If an attacker succeeded in overcoming one measure (i.e., the outermost), he would be stopped by the subsequent protection mechanism.

Example: In case of an external cyber attack via the network, one or more firewalls must first be overcome before the attacker can reach the target component. There, he must defeat a user logon, only to be stopped by internal security mechanisms. If one protective mechanism in a Defense-in-Depth system fails, the security model does not immediately collapse and expose the target to the attacker.

Consequently, the Defense-in-Depth concept is realized through the interaction of the various security mechanisms. It is therefore also important to consider all security mechanisms in the system.

The IEC 62443 standard defines all aspects of a Defense-in-Depth strategy and addresses all stakeholders involved.

Note: Each stakeholder must contribute to a suitable Defense-in-Depth strategy by
  • implementing suitable protection measures for his role/area, and
  • avoiding the creation of potential vulnerabilities when further developing his (part of the) business.
Note: The weakest link in the defensive chain determines the strength of the entire strategy.

Outer defense layer: organizational measures...

...to be implemented by the plant owner (acc. to IEC 62443-2-1). To this end, security policies and procedures are to be defined by the plant owner.

Topics of these policies include, among others:

  • General security-related behavior
  • Awareness and training of personnel
  • Definition/review of responsibilities of plant users
  • Definition/review of (user) roles
  • Definition/review of user access rights
  • Regulations of physical access
  • Implementation of an incident response plan. Such a plan contains the instructions to be carried out after an attack in order to continue the business.
  • Definition of a patch management system (IEC 62443-2-3) for rolling out security patches.

Further defense layers: protection measures...

...to be implemented by design in the plant/ICS by the system integrator (acc. to IEC 62443-2-4, 3-2 and 3-3).

Examples of such defense measures are:

Inner defense layers: functional security capabilities...

...of the components and systems used: security by design, implemented by product suppliers (addressed by IEC 62443-3-3 and 4-2 as well as by IEC 62443-4-1, which describes the quality of the development process and includes security by design).

Examples of such defense features of components and devices are:

  • Use of signed software/firmware
  • Anti-malware features, such as scanners
  • Whitelisting features
  • Authentication and authorization mechanisms for human users and software processes on all communication channels including wireless channels. Refer to the topic User Management for details.
  • Hardware protection measures for private vendor keys stored on a device, e.g., Trusted Platform Modules (TPM), which provide enhanced security functions, thus ensuring the integrity of the hardware/operating system
  • Implementation of encrypted storage for certificates, keys and identities of system integrators and operators
  • VPN (Virtual Private Network) communication interfaces
  • Device management interface for updating firmware components (Plant Management)
  • Logging mechanisms with a synchronized time base
  • Secured communication protocols, e.g., TLS communication (Transport Layer Security), also available for wireless links.
  • Support of the built-in interface with security profiles
  • Use and configuration of the integrated firewalls

 

 

 


• Published/reviewed: 2023-11-02 • Revision 011 •