Defense in Depth: No Singular Approach
Tuesday, February 28, 2012 @ 05:02 PM gHale
Editor’s Note: This is an excerpt from Eric Byres’ Practical SCADA Security blog at Tofino Security.
By Eric Byres
Defense in Depth is such a critical foundation in the field of security.
The first thing to understand is that it is not a cyber security concept. It is core to the entire practice of security, starting with the ancient Chinese military sage Sun Tzu. Countless battles have been lost because warriors ignored the law of “defense in depth.”
In fact, Carl von Clausewitz, a Prussian soldier and military theorist during the Napoleonic era, said: “If you entrench yourself behind strong fortifications, you compel the enemy to seek a solution elsewhere.”
So let’s explore this idea and begin by looking at a military example where defense in depth was not used.
Let’s go back to November 1918. World War I, the greatest war the world has ever seen, just ended and France is reeling from the devastation. The conflict has killed over one million French citizens, wounded four million more and destroyed much of the countryside of eastern France. A fierce debate begins to rage: “How should France ensure that another invasion of their beautiful country by the German hordes never occurs again?”
While there are a number of opposing ideas on how to achieve this, the one that prevailed was to build a defensive line of fortresses along the border with Germany.
Thus, between 1930 and 1936, the French government poured approximately three billion francs into building 400 miles of fixed concrete fortifications known as the Maginot Line.
Everyone in France felt secure knowing their country was safe behind the massive barrier of concrete and guns.
Then on May 10, 1940, Hitler attacked France.
While a German decoy force sat right opposite the Line, Hitler’s second Army Group cut through Belgium, the Netherlands and the undefended Ardennes Forest.
These troops completely bypassed the Line. Within a week Nazi troops were deep inside France, and a month and a half later France surrendered. The Line was only marginally a part of the fighting.
What went wrong? The Line certainly achieved its task, namely preventing a direct assault against France’s eastern border.
But France’s strategic use of the Line was poor. As originally designed, the Maginot Line should only have been a part of a larger multilayered plan, involving other defenses and the French Army.
Instead the mere existence of the Line gave French authorities a false sense of security. They based their entire defense strategy on this single solution, resulting in a quick and embarrassing defeat at the hands of the Nazis.
In the words of several historians, “The Maginot Line did not fail France, but the ‘Maginot mentality’ did cause her defeat.” It was the belief that a single very strong defense was good security.
Basing a security design on hiding behind a single monolithic solution is the Bastion Model and results in the possibility of a single point of failure. With the inevitable help of Murphy’s Law, this single point will eventually either be bypassed (like the Maginot Line) or will experience some sort of malfunction. When it does, the system will be left wide open to attack.
In the same way, industrial security designs that assume all evil traffic will flow through a single choke point are succumbing to the same dangerous set of beliefs. Depending on a single firewall or data diode is building a security solution based on a single point of security failure. Only a proper defense in depth design, where the control devices and systems are individually and collectively hardened, can provide reliable security for the plant floor.
What is the alternative to the Maginot Line? It is simple: Layering multiple security solutions, so if an attacker gets by one, another will provide the defense.
Eric Byres is chief technology officer at Byres Security.