What is Defense-in-Depth?

May 6, 2022
As more IIoT-connected equipment makes its way onto the plant floor, defense-in-depth cybersecurity strategies are supplanting perimeter-based approaches.

Quick hits:

  • Perimeter cybersecurity strategies alone are no longer viable when businesses develop and deploy applications in corporate data centers, private clouds, and public clouds, or rely on software-as-a-service offerings that require a standing connection to the broader internet.
  • Because any Internet of Things device connected to a network can serve as an entry point, a contemporary Industry 4.0 environment may expose hundreds or even thousands of potential entry points, each of which has to be secured. The practice of securing these entry points is referred to as endpoint security.
  • Patch management is the process of regularly scanning assets and applying software updates to fix bugs, add new features, or close newly discovered vulnerabilities in an application, system, or network.

Read the transcript below:

Hello and welcome to Take Five with Automation World. I’m David Miller, Senior Technical Writer for Automation World. Today, I’m going to be talking about defense-in-depth cybersecurity strategies.

Now, as per usual, the first question we have to answer is what is defense in depth? Quite simply, defense in depth is a cybersecurity method that uses intentional redundancies at every layer of a system to ensure that a network remains secure. This is, of course, in contrast to the previously dominant perimeter strategy, which only sought to use tools such as firewalls and border routers to separate the plant floor intranet from internet-connected enterprise and external networks.

But why doesn’t this work anymore?

Well, it’s because we’re in a world where businesses are routinely developing and deploying applications in corporate data centers and private or public clouds, as well as leveraging software-as-a-service models that require them to maintain a connection to the broader internet. Now, while these technologies obviously have tremendous benefits which we here at Automation World discuss all the time, they come with a sharp, reverse edge which is that they open one up to more security vulnerabilities. And we do see an uptick in cyber attacks. On the screen now, you can see that when we conducted a recent survey of our readers, 36% of end users said they had experienced some kind of cybersecurity breach.

And, at that, many different types of attacks were employed, which you can also see beside me on the screen now.

So, Defense-in-Depth can be used to more effectively mitigate against these various attack vectors, and I’m going to spend the remainder of this video going through some of the common tools – the tricks of the trade you might say – that make up a defense-in-depth arsenal. 

Let’s talk about the various components that make up a defense-in-depth strategy. Now bear in mind, this list is not exhaustive. However, it does give a good idea of how various techniques can come together to create a more complete security apparatus.

First, we have network perimeter security. Now this is simple; these are the tried and true methods – firewalls, virtual private networks, and virtual local area networks. While the details of how they do so vary, all three of these methods essentially work to isolate plant floor networks from external traffic in some way. That said, as previously mentioned, this is not enough – because this leaves one vulnerable to phishing attacks, physical CDs, USB sticks, or other data-carrying hardware, and even simply blind spots in one’s firewall that could lead to breaches.

So, what are the other layers that make up a defense in depth strategy? 

Let’s get into it. Next, we have endpoint security. This is exactly what it sounds like: the process of securing entry points. And in the era of the internet of things, pretty much any connected device can serve as an entry point to a network. To secure these, end users commonly rely on software platforms called endpoint protection platforms, or EPPs. EPPs work by examining files as they enter a network, and checking them against a cloud database containing a library of threat information. This allows end users to outsource the cost and burden of storing such large libraries of information on site. On top of this, they enable threat libraries to be continually updated based on activity from many different sites. So when you have this, you can catch any potentially unpredictable threats entering directly through the OT layer of your operation in real time.

After that, we have patch management tools. This is the process of using regular scans and software updates to fix bugs, add new features, and address newly discovered vulnerabilities in an application, system, or network. So, this is pretty common in IT, but the reason it’s tougher with OT is because you have so many assets to monitor and you might even be in a multi-vendor environment – but that’s also why patch management procedures, possibly through a centralized patch management server, are even more important in an industrial environment.

Following from this we have Intrusion Detection and Prevention tools. So, intrusion detection systems are really quite similar to the aforementioned EPP with the caveat that rather than merely scanning for malicious files, they track user activity more broadly. This makes them more effective for detecting social engineering attempts that manipulate users into revealing sensitive information.

Finally, we have the last tool we’re going to discuss in this video, and that is user identity and access management. The goal of this is to grant users access to assets and devices that they have rights to in a given context. So, we actually all know this because even outside of an industrial context, we probably use it on a regular basis – this refers to things like multi-factor authentication or privileged account management, where in order to gain access to a system you need information beyond a simple username or password, or otherwise some sort of special administrative certificate or privilege – the idea being that this guards against a phishing attempt wherein a username and password might be obtained, or somehow unlawfully stolen.

Now we’re going to have to wrap this up. If you’re interested in cybersecurity topics, you can take a look at the links above for more information.
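The layers the transcript walks through (network perimeter, endpoint protection, multi-factor authentication, and least-privilege access), as an added Python example that is not part of the original page or Automation World's material. It runs one access request through each layer independently and reports which layer refused it, so the redundancy argument can be seen directly: a phished password gets through the perimeter but not MFA, and a known-bad file carried by a fully authenticated session is still stopped at the endpoint layer. The network ranges, file hashes, user names, secrets, asset names and roles are all constructed assumptions; the TOTP routine follows RFC 6238.

```python
"""Defense-in-depth as independent, redundant checks on one access request.

Added example, not from the original page. Every layer rules on its own
evidence, so an attacker who defeats one layer (a phished password, a VPN
foothold) is still refused by another. All network ranges, hashes, users,
secrets and asset roles below are constructed for the example.
"""
from __future__ import annotations

import hashlib
import hmac
import ipaddress
import struct
import time
from dataclasses import dataclass, field

# Layer 1, network perimeter: only these source ranges may reach plant-floor assets.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16"),     # engineering VPN pool (assumed)
                    ipaddress.ip_network("192.168.50.0/24")]   # plant-floor VLAN (assumed)

# Layer 2, endpoint protection: SHA-256 of payloads a threat library knows to be bad.
# A real EPP consults a vendor feed; here the "library" is one constructed hash.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"MZ\x90\x00constructed-dropper").hexdigest()}

# Layer 3, identity: password verifier plus a TOTP secret per user.
# SHA-256 stands in for a real password KDF (bcrypt/argon2) to keep the example dependency-free.
USERS = {
    "operator1": {
        "pw_hash": hashlib.sha256(b"correct horse").hexdigest(),
        "totp_secret": b"constructed-secret-0001",
        "roles": {"hmi_read"},
    },
}

# Layer 4, least privilege: the role each asset requires (constructed).
ASSET_ROLE = {"hmi-01": "hmi_read", "plc-01": "plc_write"}


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


@dataclass
class AccessRequest:
    src_ip: str
    user: str
    password: str
    otp: str
    asset: str
    payload: bytes = b""                                   # file carried by the session, if any
    at: int = field(default_factory=lambda: int(time.time()))


def evaluate(req: AccessRequest) -> tuple[bool, str]:
    """Run the layers in order; return (allowed, name of the first layer that refused)."""
    if not any(ipaddress.ip_address(req.src_ip) in net for net in TRUSTED_NETWORKS):
        return False, "perimeter"
    if req.payload and hashlib.sha256(req.payload).hexdigest() in KNOWN_BAD_SHA256:
        return False, "endpoint"
    user = USERS.get(req.user)
    supplied = hashlib.sha256(req.password.encode()).hexdigest()
    if user is None or not hmac.compare_digest(supplied, user["pw_hash"]):
        return False, "password"
    # Accept the current step and the previous one to tolerate a little clock skew.
    valid = {totp(user["totp_secret"], req.at), totp(user["totp_secret"], req.at - 30)}
    if not any(hmac.compare_digest(req.otp, v) for v in valid):
        return False, "mfa"
    if ASSET_ROLE.get(req.asset) not in user["roles"]:
        return False, "authorization"
    return True, "allowed"


def scenarios() -> dict[str, str]:
    """Constructed legitimate and attack scenarios; returns the deciding layer for each."""
    now = 1_700_000_000
    secret = USERS["operator1"]["totp_secret"]
    good_otp = totp(secret, now)
    valid = {good_otp, totp(secret, now - 30)}
    bad_otp = next(c for c in ("000000", "111111", "222222") if c not in valid)
    cases = {
        # Legitimate operator on the VPN with password, current TOTP and the right role.
        "operator":    AccessRequest("10.20.1.7", "operator1", "correct horse", good_otp, "hmi-01", at=now),
        # Same credentials from the public internet: refused before they are even examined.
        "internet":    AccessRequest("203.0.113.9", "operator1", "correct horse", good_otp, "hmi-01", at=now),
        # Phished password used through the VPN, but no TOTP device.
        "phished":     AccessRequest("10.20.1.8", "operator1", "correct horse", bad_otp, "hmi-01", at=now),
        # Fully authenticated session carrying a known dropper (say, from a USB stick).
        "usb_dropper": AccessRequest("192.168.50.12", "operator1", "correct horse", good_otp, "hmi-01",
                                     payload=b"MZ\x90\x00constructed-dropper", at=now),
        # Authenticated operator trying to write a PLC their role does not cover.
        "overreach":   AccessRequest("10.20.1.7", "operator1", "correct horse", good_otp, "plc-01", at=now),
    }
    return {name: evaluate(r)[1] for name, r in cases.items()}


if __name__ == "__main__":
    for name, layer in scenarios().items():
        print(f"{name:12s} -> {layer}")
```

Each check is deliberately independent: the endpoint hash lookup does not trust the perimeter verdict, and the MFA check does not trust the password check. That is the property that makes the layers redundant rather than merely sequential.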
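The user-activity tracking the transcript attributes to intrusion detection systems, as an added Python example that is not from the original page: a small host-level detector run over constructed jump-host and engineering-workstation log lines. It raises alerts for a burst of failed logins, for a successful login that follows such a burst (the pattern a phished or guessed password produces), and for a PLC write outside the maintenance window, none of which a file-hash scan would notice. The log format, host and user names, thresholds and maintenance hours are assumptions made for the example.

```python
"""Host-level intrusion detection over constructed authentication and control logs.

Added example, not from the original page. The log lines, hosts, users,
thresholds and maintenance window are constructed for the example.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line format: "<iso-timestamp> <host> <event> user=<u> src=<ip> [target=<asset>]"
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>LOGIN_FAIL|LOGIN_OK|PLC_WRITE) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)(?: target=(?P<target>\S+))?$")

# Constructed sample: five failed logins, then a success, then a 02:12 PLC write.
SAMPLE_LOG = """\
2022-05-06T02:10:01 jump01 LOGIN_FAIL user=operator1 src=10.20.1.8
2022-05-06T02:10:03 jump01 LOGIN_FAIL user=operator1 src=10.20.1.8
2022-05-06T02:10:05 jump01 LOGIN_FAIL user=operator1 src=10.20.1.8
2022-05-06T02:10:07 jump01 LOGIN_FAIL user=operator1 src=10.20.1.8
2022-05-06T02:10:09 jump01 LOGIN_FAIL user=operator1 src=10.20.1.8
2022-05-06T02:10:40 jump01 LOGIN_OK user=operator1 src=10.20.1.8
2022-05-06T02:12:15 eng02 PLC_WRITE user=operator1 src=10.20.1.8 target=plc-01
2022-05-06T09:00:12 jump01 LOGIN_OK user=engineer2 src=10.20.1.7
2022-05-06T09:05:30 eng02 PLC_WRITE user=engineer2 src=10.20.1.7 target=plc-01
2022-05-06T09:30:00 jump01 LOGIN_FAIL user=engineer2 src=10.20.1.7
"""

FAIL_THRESHOLD = 5                  # failed logins per (user, source) ...
FAIL_WINDOW = timedelta(minutes=2)  # ... inside this window count as a burst
MAINTENANCE_HOURS = range(8, 18)    # PLC writes are expected only 08:00-17:59


def parse(text: str) -> list[dict]:
    """Turn raw log text into event dicts; lines that do not match are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def detect(events: list[dict]) -> list[tuple[str, str, str]]:
    """Return (alert_type, user, src_or_target) tuples in the order they were raised."""
    alerts = []
    fails = defaultdict(list)   # (user, src) -> timestamps of recent failed logins
    burst_flagged = set()       # avoid re-alerting on every further failure in a burst
    for e in events:
        key = (e["user"], e["src"])
        if e["event"] == "LOGIN_FAIL":
            recent = [t for t in fails[key] if e["ts"] - t <= FAIL_WINDOW]
            recent.append(e["ts"])
            fails[key] = recent
            if len(recent) >= FAIL_THRESHOLD and key not in burst_flagged:
                burst_flagged.add(key)
                alerts.append(("brute_force", e["user"], e["src"]))
        elif e["event"] == "LOGIN_OK":
            recent = [t for t in fails[key] if e["ts"] - t <= FAIL_WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                # A success right after a burst is the signature of a guessed or phished password.
                alerts.append(("success_after_failures", e["user"], e["src"]))
            fails[key] = []     # a successful login closes the window
        elif e["event"] == "PLC_WRITE":
            if e["ts"].hour not in MAINTENANCE_HOURS:
                alerts.append(("off_hours_plc_write", e["user"], e["target"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

On the sample log the detector raises three alerts, all against operator1: the burst of failures, the success that follows it, and the 02:12 PLC write; engineer2's daytime activity and single failed login raise nothing. The keying by (user, source) is what lets the second rule tie the successful login back to the failures that preceded it.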