Defense In Depth

Four quick and different points to make in this blog:

1. Eric Byres has started a blog series on the very important defense in depth security concept

2. Defense in depth does not obviate the need for proper risk management and addressing major risks

Project Basecamp has sensitized Digital Bond to the increasing use of defense in depth as an excuse rather than as a security principle. Now that “SCADA and DCS are not connected to other networks / air gap” excuse is slowly dying. Defense in depth has replaced it in vendor and CERT bulletins as the new excuse to avoid addressing the most significant risks in a control system.

The advice the vendors and CERTs are providing on the importance of defense in depth is useful and correct, but it typically does not address the specific risk that is the cause of the bulletin. Imagine you were having trouble seeing, and the advice was brush and floss your teeth, eat a healthy diet and exercise. Not bad advice, but not addressing the real problem. When vulnerabilities occur that greatly increase your risk, push the vendors for an actual solution to the vulnerability in place of SCADASEC 101 advice.

3. labeling entries as SCADASEC 101 or Control System IT 101

From our ten year relationship with loyal blog readers, we know that a large portion of our readers are very experienced in ICS security. I’m sure these readers groan, as I often do, when you read another article about a very basic comment. Probably 95%+ of what is written are these basic concepts rehashed over and over.

On this site we try to bring new information, new opinions, and new tools to the experienced ICS Security professional. And this will continue to be our focus.

That said, only a small percentage of the people who really need to understand ICS security have begun the learning journey, and there are new people coming to the site every day. So there is a need for SCADASEC 101 information, and we believe a need for Control System IT 101 information. I have challenged Michael to push to get more of that information out.

So as to not waste experienced readers time and to acknowledge what we are saying is a primer, we will label those blog entries as SCADASEC 101 and Control System IT 101.

4. Military Analogies

Eric’s first blog entry in the series focused on military strategy. The comparison to the failed Maginot line and relying on a firewalled security perimeter is common and apt.

I’m not a big fan of trying to apply military strategies to ICS or IT security. There are so many “Sun Tzu and …” books and articles written already. Wouldn’t it be more convincing to show real world examples where the primary firewall defense was circumvented.

But if Eric or anyone else is going down that path, it is important to be accurate. I’m not convinced that Sun Tzu would be a proponent of defense in depth. His approach may stress threat actor and threat intelligence, deception, mobility, and other factors more than building multiple walls and impediments around a fixed asset and focusing on defense. I was going to write a blog entry on that … but I’m not a fan of using these military analogies and there already is much written on this. The importance of deception, mobility and other factors is worth discussing in future articles.

Image by downhilldom1984