Defense in Depth: Layers to Bank On

Wednesday, March 21, 2012 @ 06:03 PM gHale


Editor’s Note: This is an excerpt from Eric Byres’ Practical SCADA Security blog at Tofino Security.

By Eric Byres
A far more effective strategy for reliable security is “Defense in Depth,” which is not something unique to ICS/SCADA security. In fact, it is not even unique to cyber security.

Defense in Depth is a military strategy that has been around since the days of the Romans. If you search the Internet, the first definition you will find is the military one on Wikipedia: “Defense in depth (also known as deep or elastic defense) is a military strategy; it seeks to delay rather than prevent the advance of an attacker, buying time and causing additional casualties by yielding space. Rather than defeating an attacker with a single, strong defensive line, defense in depth relies on the tendency of an attack to lose momentum over a period of time or as it covers a larger area.”

Unfortunately, if you want to secure your control system, the above definition doesn’t help you much. So let’s look at security in a bank and see what we can learn.

Ever wonder what it is that makes a typical bank so much more secure than a home or convenience store? It’s not because banks have stronger steel doors or armed guards. Those help a bit, but are quickly offset by the fact that a bank’s adversaries (i.e. professional bank robbers) are also better armed and more determined than the typical house burglar.

The first answer is that a bank employs multiple security measures to maximize its security. For example, just to name a few defenses, a typical bank has steel doors, bulletproof windows, security guards, room-sized safes, security boxes, alarm systems, cameras and security-trained tellers.

Even more important, not only are there more defensive layers at a bank, but each layer is designed to address a specific type of threat at the point where it is employed.

For example, bank doors are effective, but simple security devices. They are either locked or unlocked. They either grant or deny access to customers on an all-or-nothing basis – regardless of what a visitor looks like or how the visitor behaves.

One layer up is the security guard, who performs access control to ‘clean’ the general flow of people into the bank. Guards ensure that access to the bank is for people who have a legitimate need to be there and will ‘behave’ within expected norms. They assess each visitor against specific criteria, such as whether the visitor is wearing a mask, behaving suspiciously or acting erratically.

At yet another level, the tellers, security box keys, passwords, etc. keep these pre-screened customers from accessing other accounts or information. Rather than worrying if a visitor should or should not be in the bank, the tellers and passwords present a different layer of security: Account security. These measures ‘filter’ what account access individual customers are allowed, based on who they are.

The bank analogy points out three important aspects of Defense in Depth:

1. Multiple layers of defense. Do not rely completely on a single point of security, no matter how good it is.

2. Differentiated layers of defense. Make sure that each of the security layers is slightly different. This ensures that just because an attacker finds a way past the first layer, they don’t have the magic key for getting past all the subsequent defenses.

3. Context and threat specific layers of defense. Each of the defenses should be designed to be context and threat specific.

This last point is the most subtle and perhaps the most important. Going back to the bank example, note that banks do not simply have additional security guards at every level. Banks understand that threats come in different flavors, ranging from the desperate drug addict with a gun, to the sophisticated fraud artist. Thus for the banks, each defensive layer is optimized to deal with a specific class of threats.

So what does this have to do with security on the plant floor? Like the bank, the SCADA/ICS system can be exposed to a variety of different security threats, ranging from disgruntled employees, to computer malware, denial of service attacks and information theft. Each needs to be considered and defended against.

For example, a boundary firewall can act like the bank guard, so network messages using specified protocols are either permitted or denied access into the control network. This is ideal for keeping the bulk attacks out, particularly the average IT worm or the common denial of service attack.

Deeper into the control system, more sophisticated SCADA-aware firewalls can observe the traffic beyond the obvious protocol types. This allows defenses based on the behavior and context of the systems using these protocols on the control network. If an operator station computer suddenly starts trying to program a PLC, then perhaps a worm like Stuxnet or a disgruntled employee is at work. This attack needs to be immediately blocked and alarms raised to prevent serious risk to the system.

Finally, servers and controllers with a robust security implementation can act like a well-trained bank teller. After a user successfully connects to a server or controller, the security configuration ensures they only get access to the specific applications and data they are supposed to have access to. Attempts to access other services or data should be blocked and logged.

As with the steel doors, the bank guard and the teller example, the perimeter firewall providing the boundary security, the SCADA/ICS firewall providing the internal security and the server providing the application security are an essential team. For example, a firewall can block millions of randomly malformed messages directed at a control system as part of a Denial of Service (DoS) attack. At the same time, deep packet inspection and user authentication checks can prevent an attacker or worm inside the firewall from making changes that might risk property or lives.
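The three layers described above, sketched as an added example that is not part of the original article or any Tofino product: each layer checks a different property of the same message, and the first layer to object blocks it. The host names, users, data points, the `modbus-tcp` label and every rule are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample policy: every host, user and rule here is hypothetical.
ALLOWED_PROTOCOLS = {"modbus-tcp"}                         # layer 1: boundary firewall
HOST_ROLE = {"hmi-01": "operator", "eng-01": "engineering"}
ROLE_OPERATIONS = {"operator": {"read", "write"},          # layer 2: SCADA-aware firewall
                   "engineering": {"read", "write", "program"}}
USER_RESOURCES = {"alice": {"tank-level", "pump-setpoint"}, "bob": {"tank-level"}}  # layer 3

@dataclass(frozen=True)
class Message:
    src: str        # sending host
    protocol: str   # what the boundary firewall sees
    operation: str  # what deep packet inspection decodes
    user: str       # authenticated user on the controller
    resource: str   # data point being requested

def boundary_firewall(m):
    # All-or-nothing: permit or deny by protocol only.
    return None if m.protocol in ALLOWED_PROTOCOLS else "protocol not permitted"

def scada_firewall(m):
    # Context-aware: is this operation normal for this kind of station?
    role = HOST_ROLE.get(m.src)
    if role is None:
        return "unknown source host"
    if m.operation not in ROLE_OPERATIONS[role]:
        return f"{role} station attempted '{m.operation}'"
    return None

def controller_authz(m):
    # Per-user filter on what an already-connected user may touch.
    if m.resource not in USER_RESOURCES.get(m.user, set()):
        return f"user '{m.user}' not authorised for '{m.resource}'"
    return None

LAYERS = [("boundary", boundary_firewall), ("scada", scada_firewall), ("controller", controller_authz)]

def evaluate(m):
    """Return (verdict, layer, reason, alarm); the first objecting layer blocks."""
    for name, check in LAYERS:
        reason = check(m)
        if reason:
            return ("BLOCK", name, reason, name == "scada")  # alarm on behaviour anomalies
    return ("ALLOW", None, None, False)

if __name__ == "__main__":
    # An operator station suddenly trying to program a PLC
    print(evaluate(Message("hmi-01", "modbus-tcp", "program", "alice", "pump-setpoint")))
```

The operator-station message uses a permitted protocol and a user with rights to the data point, so only the middle layer catches it; removing that layer from `LAYERS` turns the verdict into `ALLOW`.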

Depending on a single defense, such as a perimeter firewall, is building a security solution based on a single point of failure.

Make sure that your facility has a proper Defense in Depth design where the network, control devices and systems are collectively hardened – thereby providing reliable security for the plant floor.

You can bank on it.

Eric Byres is chief technology officer at Byres Security.


