Defense In Depth
It’s all about protecting assets
The variety and sophistication of cyber security threats have been steadily increasing since the advent of the Internet and the World Wide Web. The simple email-based viruses and worms of earlier years, which primarily exploited operating system vulnerabilities, remain, but they are now accompanied by network attacks, browser-based attacks, server-side attacks, mobile platform attacks, phishing, spear phishing, and many others. Because today's attacks are so varied, no single defensive technology can protect important cyber assets; a combination of different kinds of defenses is necessary to provide effective protection. This strategy is known as defense in depth. The US Department of Energy, the Federal Energy Regulatory Commission, and other authorities specify that critical infrastructure operators require a defense-in-depth approach to cyber security.
Four Stage Strategy
Defense in depth is based on an old military strategy of using multiple layers of defense, so that if one layer is compromised there are additional layers of protection. There are four stages to developing a defense-in-depth strategy for cyber security:
- Define your assets
- Define the threats to these assets
- Place your highest priority asset(s) at the innermost layer of protection
- Protect your assets with overlapping and complementary layers of prevention, detection, and mitigation, so that if one layer of protection is successfully bypassed, the next layer can catch the attack.
Five Key Elements
There are five elements that work together to create a defense-in-depth security posture:
- Perimeter Protection
- Interior Security
- Monitoring
- Management
- Processes and Procedures
Historically, perimeter protection (usually in the form of firewalls) has been the focus of security. Perimeter protection is necessary, but by itself it is not an adequate form of protection for a critical infrastructure operator. Stuxnet, the most advanced form of malware developed to date, attacked control systems on an isolated network and was not blocked or impeded by firewalls. Perimeter protection aligns with the NERC CIP-005 Electronic Security Perimeter(s) standard.
Interior security is fast becoming a critical element of the defense-in-depth model. Interior security focuses on identifying and blocking security breaches that originate from personnel with authorized access to the systems and from internal system-to-system applications. With advanced forms of malware, personnel can unknowingly propagate or launch malware. Interior security aligns with the NERC CIP-007 System Security Management standard.
Security is a process, and measurement in the form of monitoring provides the data and information needed to manage that process. It is critical to monitor assets and their environment to determine overall cyber health. Monitoring requirements are prevalent throughout the NERC CIP standards.
Management in the defense-in-depth model refers to treating cyber security as a management priority. Effective cyber security is championed actively by the senior management team and is included in the governance process. This element appears across the NERC CIP standards, in particular the NERC CIP-003 Security Management Controls standard.
Processes and procedures are an important element of the defense-in-depth model. Effective processes include well-defined roles and responsibilities, process mapping, and backup plans. Process requirements are prevalent throughout the NERC CIP standards.
N-Dimension’s solutions create a comprehensive defense-in-depth security posture for critical infrastructure operators.