Applying Security Defense-In-Depth

One of the most important realizations cyber security engineers made in their early work is that security efforts are ineffective in isolation. It was this vital realization that gave birth to the concept of defense-in-depth, which is a technique of defending systems against any particular attack vector using multiple and varying methods. Documented historically by Sun Tzu and re-conceived by the National Security Agency, this layering strategy aims at providing a comprehensive approach to information and electronic security.

This strategy strongly applies to the industrial control systems arena. While many industrial control systems are becoming commercially available with various integrated cyber security controls, the reality is these systems are still susceptible to many types of threats. Consequently, they should not be deployed in isolation, at least from a cyber security perspective. The question that system owners and implementers raise is, “How do we maximize the assurance that our industrial control systems will be sufficiently resilient against cyber attacks once deployed?” The answer is defense-in-depth.

The primary objective of this discussion is to highlight defense-in-depth techniques for control system security with an overview of cyber security software products and solutions, along with cyber security best practices. Two publications from the National Institute of Standards and Technology (NIST) provide an excellent overview of the topic, and both can be applied to the industrial control systems currently commercially available: “Recommended Security Controls for Federal Information Systems—Special Publication 800-53” and “Guide to Industrial Control Systems Security—Special Publication 800-82.”

Given the extent to which defense-in-depth applies to industrial control systems, this will be the first in a series of articles addressing this topic. Defense-in-depth is also an ongoing discussion topic at the Industrial Cyber Security blog located at the Control Engineering website.

Using specialists

Before proceeding further, consider a simple health-care analogy. You may go to your primary care physician, but what happens after he or she diagnoses your medical issue? If it is not something the primary care physician is comfortable treating, you’ll be referred to a specialist. After all, if you have a brain tumor, you would probably not want your primary care physician to perform such delicate surgery, let alone a physician who specializes in gastrointestinal medicine. The same idea of seeking out appropriate specialists applies as you begin looking for cyber security software solutions to harden your industrial control systems.

For example, you may be considering procuring a proven and well-known security information and event management (SIEM) software solution. You discover that the product has a new integrated module bundled with it that promises to streamline user-access provisioning. Do you really want to use this new and potentially unproven module to address this specific aspect of your identity and access management operations? Or should you lean toward another software product that has been specializing in these functions for several years? It is definitely the latter that you should pursue, regardless of how inexpensive the new module may be. Asset owners will face this kind of decision more often as industrial control system vendors move to secure their solutions.

Using the chart

The chart presents a summary view of current threats and solutions:

  • Common cyber components of industrial control systems;

  • Prevalent cyber security threats facing the cyber components of industrial control systems;

  • Cyber security software products (i.e., technical cyber security controls). The examples named have, in our experience, proven capable of mitigating these threats, but there are probably others that can also do the job; and

  • Proven cyber security best practices (i.e., people and process cyber security controls) that can mitigate the corresponding threats.

If you study the table, you should conclude that cyber security threats facing industrial control system cyber assets may be effectively mitigated through establishing and executing a sound defense-in-depth strategy including both technical and procedural controls. Future articles in this series running in 2010 will elaborate upon these controls and address other topics related to industrial control systems security, including:

  • Providing an overview of the pros and cons of typical IT solutions leveraged within a control network;

  • Presenting “Procurement Language for Control Systems” concepts and providing security software guidance;

  • Explaining the diverse skill sets required to effectively secure industrial control systems; and

  • Considerations to apply and steps to employ in order to maximize assurance that appropriate and sufficient security controls are endorsed and supported by your control system vendor.

We look forward to seeing your comments at our blog.

Each entry below lists, for one industrial control system cyber asset, the primary cyber security threats, the recommended cyber security software products (technical cyber security controls), and the recommended cyber security best practices (people and process cyber security controls).

Field hardware (RTUs, PLCs, other IEDs)

  Primary cyber security threats:
  • Default, insecure settings
  • Unmanageable

  Recommended software products (technical controls):
  • External vulnerability scanning assessment tools (Tenable Nessus), but use with caution
  • Interactive configuration analysis using ICS vendor-defined templates

  Recommended best practices (people and process controls):
  • Update with only authenticated firmware
  • Protect sensitive configuration information
  • Design enclaves with the appropriate collaborations among physical security, cyber security, operations, and engineering to ensure reliability

Human machine interface (HMI)

  Primary cyber security threats:
  • Lack of accurate visibility of system state
  • Lack of authentic control

  Recommended software products (technical controls):
  • Application whitelisting solutions (CoreTrace Bouncer)
  • Restrictive man-in-the-middle configurations (see Encari’s whitepaper “Protecting a Smarter Grid”)

  Recommended best practices (people and process controls):
  • Operators must have an integrated understanding of physical, cyber and operational awareness data

Field technician/engineering workstations

  Primary cyber security threats:
  • Highly mobile/transient laptop connecting to many cyber assets and networks of varied trust levels
  • Physical loss of sensitive information

  Recommended software products (technical controls):
  • Full disk encryption (Pointsec)
  • Application whitelisting (CoreTrace Bouncer) to limit rogue applications
  • Local host firewall and security controls (Symantec)

  Recommended best practices (people and process controls):
  • Understand the incident response plan in the event of a lost system
  • Security awareness to impart best practices regarding laptop management

Remote vendor support computer

  Primary cyber security threats:
  • Untrusted system and/or network allowed access to control networks and systems

  Recommended software products (technical controls):
  • Build jumphosts (using a hypervisor such as VMware ESX server)
  • Apply serial connectivity access restrictions (using Tripp Lite products)

  Recommended best practices (people and process controls):
  • Establish service level agreements with screened consultants

Industrial communications network

  Primary cyber security threats:
  • Default, insecure settings
  • Unmanageable
  • Interconnected to many networks of varied trust levels

  Recommended software products (technical controls):
  • Example: migrate to managed Cisco ICS hardware
  • Use hardening guides available from
  • Fully discover and document wired and wireless cyber assets and their connectivity using manual processes or passive detectors (Sandia National Laboratory’s Antfarm and software defined radios (SDR))
  • Define appropriate architectural isolation capabilities for incremental incident response

  Recommended best practices (people and process controls):
  • Collaborate with the vendor to migrate to standard, manageable IT communications platforms and capabilities
  • Define incremental monitoring, alerting and response escalation procedures based upon threat indicators

DCS/SCADA front-end processor (data acquisition/control server)

  Primary cyber security threats:
  • Common operating systems with typical IT vulnerabilities
  • Unauthenticated WAN/LAN communications with cyber assets of varied trust levels

  Recommended software products (technical controls):
  • Define one-way communication flow for mutual distrust (Waterfall Technologies)
  • Application whitelisting (CoreTrace Bouncer) to limit rogue applications
  • Multipath redundancy for field communications

  Recommended best practices (people and process controls):
  • Duplicate systems based upon the trustworthiness of the application and controlled environment (electrical distribution versus transmission)

Asset not named on the page (database/historian-type controls)

  Primary cyber security threats:
  • Manipulation of stored information to impact future forecasting or real-time processing (dependent upon implementation)
  • Backchannel communication flow to the source of information (front-end application)

  Recommended software products (technical controls):
  • Monitor database modifications for fraudulent activity (NitroSecurity dbm)
  • Application whitelisting (CoreTrace Bouncer) to limit rogue applications
  • Define one-way communication flow for mutual distrust (Waterfall Technologies)

  Recommended best practices (people and process controls):
  • Influence vendors to incorporate the same database software that is used by your personnel (e.g., corporate database servers)

Asset not named on the page (enterprise-wide controls)

  Primary cyber security threats:
  • Undocumented changes to or addition of cyber assets or communication channels
  • Multi-homed devices spanning the control and corporate networks
  • Undocumented cyber asset circuit board communications
  • Workforce attrition and insider threats

  Recommended software products (technical controls):
  • Integrate restrictive communications and data flows (enclaves)
  • Password escrow (eDMZ Security Password Management)
  • Develop a patch and baseline management solution (Lumension/KBox)
  • Establish a compliance and documentation repository (Archer Technologies)
  • Maintain continued industry threat and vulnerability awareness (Critical Intelligence)
  • Develop attack tree methodologies to perform risk analyses (Amenaza SecurItree)

  Recommended best practices (people and process controls):
  • Utilize the DHS CSSP procurement language to integrate appropriate controls
  • Develop appropriate workflows and communications to support sustainable change management processes
  • Review engineered specifications for cyber assets
  • Executive, engineering, physical security and cyber security collaboration
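The entries above recommend monitoring database modifications for fraudulent activity and defining escalation procedures based upon threat indicators. The following is an added illustration of that triage logic, not code from the article or from any product it names; the audit-log row layout, the fep_writer service account, the history table names and the one-hour backfill limit are assumptions made for the example.

```python
"""Triage constructed historian audit-log rows for manipulation of stored data.

Added illustration, not the article's code. The row layout, the service
account name, the history table names and the backfill limit are assumptions.
"""
from datetime import datetime, timedelta

SERVICE_ACCOUNT = "fep_writer"       # assumed: the front-end processor's DB account
HISTORY_TABLES = {"tag_history", "alarm_history"}
BACKFILL_LIMIT = timedelta(hours=1)  # assumed: rows older than this should never change

# Constructed audit rows: (event time, DB account, statement, table, oldest row time touched)
AUDIT_LOG = [
    ("2010-03-01 08:00:00", "fep_writer", "INSERT", "tag_history",   "2010-03-01 07:59:58"),
    ("2010-03-01 08:05:00", "fep_writer", "UPDATE", "tag_history",   "2010-03-01 08:04:30"),
    ("2010-03-01 09:10:00", "dba_jsmith", "UPDATE", "tag_history",   "2010-02-14 00:00:00"),
    ("2010-03-01 09:12:00", "dba_jsmith", "DELETE", "alarm_history", "2010-02-28 23:00:00"),
    ("2010-03-01 09:30:00", "report_ro",  "SELECT", "tag_history",   "2010-02-01 00:00:00"),
]

# Incremental escalation: the more indicators a row trips, the higher the response tier.
ESCALATION = {0: "normal", 1: "review by DBA and operations", 2: "escalate to incident response"}


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def classify(row):
    """Return (level, reason): level counts the threat indicators present, capped at 2."""
    when, account, stmt, table, oldest = row
    if table not in HISTORY_TABLES or stmt == "SELECT":
        return 0, "read, or not a history table"
    indicators = []
    if account != SERVICE_ACCOUNT:
        indicators.append("write by an account other than the front-end service account")
    if stmt in ("UPDATE", "DELETE"):
        indicators.append("rewrite or removal of rows already stored")
    if _ts(when) - _ts(oldest) > BACKFILL_LIMIT:
        indicators.append("rows older than the backfill limit touched")
    level = min(len(indicators), 2)
    return level, "; ".join(indicators) or "normal append"


def triage(log):
    """Map every audit row to (time, account, level, recommended action, reason)."""
    out = []
    for row in log:
        level, reason = classify(row)
        out.append((row[0], row[1], level, ESCALATION[level], reason))
    return out
```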


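The network and enterprise entries above call for fully discovering and documenting cyber assets with passive detectors and for catching undocumented assets and multi-homed devices that span the control and corporate networks. Here is an added example of reconciling passive observations against a documented inventory; it is not the article's code, and the inventory, the observation records and the segment names (control, corporate, dmz) are constructed for illustration.

```python
"""Reconcile passively observed devices against the documented asset inventory.

Added illustration, not the article's code. The inventory, the observation
records and the segment names ("control", "corporate", "dmz") are constructed.
"""
from collections import defaultdict

# Constructed documented inventory: MAC address -> asset name and the network
# segments the asset is engineered to be connected to.
INVENTORY = {
    "00:11:22:33:44:01": {"name": "RTU-substation-7", "networks": {"control"}},
    "00:11:22:33:44:02": {"name": "HMI-ops-1",        "networks": {"control"}},
    "00:11:22:33:44:03": {"name": "vendor-jumphost",  "networks": {"dmz"}},
}

# Constructed passive-capture records, as a span-port or SDR-style passive
# detector would report them: (MAC seen, IP seen, segment observed on).
OBSERVATIONS = [
    ("00:11:22:33:44:01", "10.10.1.7",    "control"),
    ("00:11:22:33:44:02", "10.10.1.20",   "control"),
    ("00:11:22:33:44:02", "192.168.5.20", "corporate"),  # HMI also seen on the corporate LAN
    ("00:11:22:33:44:03", "10.20.0.5",    "dmz"),
    ("00:11:22:33:44:99", "10.10.1.77",   "control"),    # not in the inventory at all
]


def reconcile(inventory, observations):
    """Return three findings lists: undocumented MACs, devices bridging the
    control and corporate segments, and documented devices seen on a segment
    they were not engineered for."""
    seen = defaultdict(set)  # MAC -> set of segments it was observed on
    for mac, _ip, segment in observations:
        seen[mac].add(segment)
    findings = {"undocumented": [], "multi_homed": [], "unexpected_segment": []}
    for mac, segments in seen.items():
        asset = inventory.get(mac)
        label = asset["name"] if asset else mac
        if asset is None:
            findings["undocumented"].append(mac)
        if {"control", "corporate"} <= segments:  # one device on both sides of the boundary
            findings["multi_homed"].append(label)
        if asset and segments - asset["networks"]:
            findings["unexpected_segment"].append((label, sorted(segments - asset["networks"])))
    return findings
```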
Author Information

Consultants Matt Luallen and Steve Hamburg are cofounders of Encari and writers of the Industrial Cyber Security blog for Control Engineering.
