Mounting cybersecurity threats push the need to layer defense-in-depth approach in industrial environments


The steady growth of organizational connectivity drives the need for a defense-in-depth strategy in operational environments, one that combines security controls across endpoints, data, applications, and networks. Interlocking security layers strengthen the defensive perimeter and address the vulnerabilities inherent not only in hardware and software but also in people, since negligence or human error is often the cause of a security breach.

The initial layers of defense begin with frameworks that establish common criteria, requirements, and controls through policies, procedures, and standards, which organizations, groups, and personnel must adopt as the first line of defense. Frameworks such as ISA/IEC 62443 and NIST SP 800-82, along with guidance from regulatory bodies, can play a constructive role in organizational cybersecurity defenses.

Organizations must also move quickly to safeguard operational processes from numerous threats, including the recent disclosure of 56 vulnerabilities rooted in insecure-by-design practices and affecting devices from OT (operational technology) vendors.

Industrial Cyber asked industry experts to evaluate the role the defense-in-depth approach plays in bolstering organizational defenses across ICS environments, in the wake of rising cybersecurity incidents and a fluid geopolitical situation.

Chris Sistrunk, technical manager at Mandiant ICS Consulting

“A strong defense-in-depth approach for ICS will help prevent or minimize the impact no matter the source or the type of incident; whether it’s an IT cyber security incident, an ICS cyber security incident, a physical incident, or even an honest mistake,” Chris Sistrunk, technical manager at Mandiant ICS Consulting, told Industrial Cyber. “Deploying multiple defenses and having an incident response plan that covers both IT and ICS are important parts of a successful cybersecurity resiliency strategy,” he added.

Sarah Fluchs, CTO of admeritia

Defense-in-depth is a principle with a simple meaning: implement different categories of defenses, which ideally function independently of each other, “because you need to assume that defenses can be overcome by an adversary. Its effectiveness varies greatly depending on WHICH defenses you choose,” Sarah Fluchs, CTO of admeritia, told Industrial Cyber. “Defense in depth is not a new principle, and its importance has not changed because of the geopolitical scenario,” she added.

The best automated and AI-based ICS/OT cybersecurity and defense-in-depth solutions are only as good as the competency and capacity of their human counterparts, Paul Veeneman, an IT/OT/ICS cybersecurity and risk management professional, told Industrial Cyber. “Education, training, awareness for technology personnel, control system operators and engineers, plant production and operations management, to increase the visibility of common and emerging tactics by threat actors and nation-state adversaries, can mean the difference between a successful attack and a mitigated or contained attack. Providing these incident responders with the educational tools necessary to meet the challenges of securing ICS environments is the first critical component of defense-in-depth: people,” he added.

Paul Veeneman, President and COO, Beryllium InfoSec Collaborative
Paul Veeneman, Cybersecurity and Risk Management, Securisect

Veeneman also said that the various layers are stacked, each supporting the others or providing reinforcement if a preceding layer fails, like the layers of material in a Kevlar vest working in concert to slow the forward momentum of a bullet. “Defense-in-depth layers for ICS environments work together to slow, mitigate, or impede the intent or progress of the threat,” he added.

Asked whether implementing an ICS defense-in-depth strategy helps develop an understanding of the business risk associated with ICS cybersecurity, and helps manage that risk according to the overall business risk appetite, Sistrunk said that implementing an ICS defense-in-depth strategy can start in one of two ways: top-down or bottom-up.

“The top-down approach starts by creating an ICS cyber security program with a supporting business case, with the dedicated owner in the company’s leadership. It should have a well-defined charter that guides a cross-functional team to create and implement policy and procedures for ICS security,” Sistrunk said. “The bottom-up approach may have to be used where there are dedicated front-line employees that use the available technical resources they have to harden and protect ICS networks and devices,” he added. 

Often, the bottom-up approach happens organically in the case of an incident, according to Sistrunk. “Much like an ICS is specifically engineered for a purpose, so too should the defense-in-depth measures be equally engineered, deployed, and maintained,” he added.

Fluchs said that she does “not think defense in depth is something that makes sense to implement in isolation. Defense in depth does not help to understand the business risk associated with ICS cybersecurity, it’s rather the other way round: If you understand your business risk, you can more easily choose defenses that mitigate different risk scenarios, resulting in defense-in-depth,” she added. 

“Also, being somehow comparable to the concept of ‘independent layers of protection’ in plant safety, defense in depth can be a good principle to keep in mind for double-checking if you have single points of failure in the hodgepodge of your cybersecurity measures,” Fluchs said. “If all your defenses are meaningless in the case of ONE threat scenario, you may want to re-think,” she added.

Veeneman said that assessing vulnerabilities in hardware, software, and firmware, identifying physical and logical points of access, oversight of distributed maintenance and support across internal and external personnel or entities, and attempting to mitigate the ‘traditional factors,’ if there is such a category, of impact to control system safety, productivity, and reliability, is a significant undertaking.

“Place upon that international incidents and events that act as catalysts and provocation for increased numbers of threat actors and activity, and the results are an ever-increasing threat landscape of attack vectors and probabilities of an exploit against today’s control system environments supporting critical infrastructure targets,” according to Veeneman. “These challenges place remarkable stress on risk management and mitigation efforts.”

“Organizations responsible for ICS environments or critical infrastructure will have marginal success with any Defense-in-Depth strategy if the risk analysis is not first performed, and continuously monitored, evaluated, and maintained over time,” Veeneman said. “The natural evolution of cybersecurity is risk profiling. This is evident in other prominent sectors and industries, such as finance, insurance, and healthcare. There has also been a rise in technology risk management education, training, and curriculum over the past 8-10 years,” he added.

A culture of risk management and cybersecurity starts at the top, Veeneman said. “Senior leadership requires the information collected within risk analysis to identify the threats to the organization, determine the qualitative or quantitative value of these threats, and set the prioritization based on impact to the organization. Risk within ICS environments can represent a significant threat to human safety, either within production environments or to surrounding communities that are dependent on essential services of critical infrastructure,” he added.

“Once threats, vulnerabilities, and the likelihood of exploit or compromise have been assessed and prioritized, the individual or aggregate risks can be addressed with the variety of process, operational, or technical controls that begin to form the layers of the Defense-in-Depth strategy,” Veeneman said. “Each layer provides a portion of, or the whole risk mitigation plan for a threat, or collection of threats. These steps are repeated throughout the prioritized register of current and known threats until each risk has been mitigated, accepted, avoided, or transferred, leaving the residual risks and threats within the organization’s tolerance levels or risk appetite.”

Looking into how defense-in-depth fights back against human error across critical infrastructure and operational technology environments, Sistrunk said that honest mistakes and human errors are far more common in ICS environments than ICS malware or attacks. 

“Oftentimes, the incident response, root cause analysis, and disaster recovery actions that are performed after accidents are applicable to cyber security incidents and vice versa,” according to Sistrunk. “Examples of incident agnostic mitigations are good training programs and standard operating procedures, mentoring and training opportunities, strong controls around access and change management, and ICS backups that are tested on a regular basis. The better you are prepared for incident response and disaster recovery, the better you can minimize impacts to ICS, no matter the disruption,” he added.

Fluchs said that defense-in-depth also means considering measures that could prevent risk scenarios that exploit human error. “However, defenses against human error are very limited. Since human errors can’t be eliminated, you can’t do much more than implementing cybersecurity awareness training and ensuring important decisions or actions cannot be taken by one human alone,” she added.

“More important in ICS, in my eyes, is thinking of humans as a layer of defense. Often, it is a simple yet very effective defense-in-depth measure to (re-)insert a human into the loop, i.e. to have a human supervise processes and decisions that have been automated,” Fluchs pointed out. “Unfortunately, there are often economic reasons contradicting this. But frankly, an investment into adding humans who know the automated process as a layer of defense would be more cost-effective than buying new cybersecurity tools, which, in the end, need humans to work with them as well,” she added.

Veeneman said that the defense-in-depth strategy could mitigate human error in cases such as misconfiguration of cybersecurity solutions like a firewall that protects the ICS/OT control system boundary. “Process and change control, along with configuration management control within a framework, may require a peer review of configuration changes to the firewall. The peer review provides the opportunity to identify the misconfiguration and close the vulnerability prior to deploying the configuration change,” he added. 

He further described a case of two cascading human errors, in which the peer review process control also fails to identify the firewall misconfiguration that leaves a port exposed. “Another layer of defense could be internal and external vulnerability scanning, appropriately configured for use in ICS/OT environments, which can identify exposed or unnecessary protocol ports on misconfigured firewalls, control systems, and devices, providing personnel the opportunity to correct the misconfiguration, or remove unnecessary industrial protocols from operation on control system devices.”
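The peer-review and scanning layers described above can be partly automated. The following is an added example, not code from the article or from any of the quoted experts: a small pre-deployment lint that a reviewer or a change pipeline could run over a proposed boundary firewall change, flagging allow rules that let non-OT sources reach industrial protocol ports inside the OT zone. The rule format, the zone layout, the hypothetical `Rule`/`Finding` types and both sample rulesets are constructed for illustration; only the port numbers are the real defaults for the named protocols.

```python
"""Pre-deployment lint for an OT boundary firewall ruleset.

Added example, not taken from the article or from any of the quoted experts.
It models the peer-review gate described above: before a firewall change is
deployed, check whether any allow rule exposes industrial protocol ports into
the OT zone from outside it. The rule format, zone layout and sample rulesets
are constructed for illustration; the port numbers are the real defaults for
the named protocols.
"""
from dataclasses import dataclass
import ipaddress

# Default TCP ports of common industrial protocols (real values). Reaching any
# of these from outside the OT zone is the "exposed port" case in the text.
INDUSTRIAL_PORTS = {
    102: "S7comm (ISO-TSAP)",
    502: "Modbus/TCP",
    4840: "OPC UA",
    20000: "DNP3",
    44818: "EtherNet/IP (CIP)",
}

# Constructed zone layout: enterprise IT, a DMZ for historian/jump hosts, and
# the OT cell networks behind the boundary firewall.
ZONES = {
    "enterprise": [ipaddress.ip_network("10.0.0.0/8")],
    "dmz":        [ipaddress.ip_network("172.16.10.0/24")],
    "ot":         [ipaddress.ip_network("192.168.100.0/22")],
}

@dataclass(frozen=True)
class Rule:
    name: str
    action: str     # "allow" or "deny"
    src: str        # CIDR or "any"
    dst: str        # CIDR or "any"
    proto: str      # "tcp" or "udp"
    dports: tuple   # destination ports; () means any port

@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str   # "high": source outside the DMZ; "review": DMZ conduit
    src_zone: str
    exposed: tuple  # industrial ports the rule lets through

def zone_of(cidr: str) -> str:
    """Map a CIDR to its zone; 'any' stays 'any', unknown nets are 'external'."""
    if cidr == "any":
        return "any"
    net = ipaddress.ip_network(cidr, strict=False)
    for zone, nets in ZONES.items():
        if any(n.version == net.version and net.subnet_of(n) for n in nets):
            return zone
    return "external"

def lint_ruleset(rules):
    """Flag allow rules that let non-OT sources reach industrial ports in OT.

    Deliberately conservative: an any-port rule is treated as exposing every
    industrial port, and overlap with earlier rules is ignored, so a reviewer
    sees every candidate rather than only the first-matching one.
    """
    findings = []
    for r in rules:
        if r.action != "allow" or r.proto != "tcp":
            continue
        src_zone, dst_zone = zone_of(r.src), zone_of(r.dst)
        if dst_zone not in ("ot", "any") or src_zone == "ot":
            continue
        ports = r.dports if r.dports else tuple(INDUSTRIAL_PORTS)
        exposed = tuple(sorted(p for p in ports if p in INDUSTRIAL_PORTS))
        if not exposed:
            continue
        severity = "review" if src_zone == "dmz" else "high"
        findings.append(Finding(r.name, severity, src_zone, exposed))
    return findings

# Constructed change as submitted: an any-source rule added "to make the
# historian work", plus an engineering-workstation rule that bundles Modbus
# with HTTPS. Both are the kind of misconfiguration the peer review should catch.
PROPOSED = [
    Rule("allow-historian-sync", "allow", "any", "192.168.100.0/22", "tcp", ()),
    Rule("allow-eng-ws", "allow", "10.20.30.0/24", "192.168.100.0/22", "tcp", (443, 502)),
    Rule("deny-all", "deny", "any", "any", "tcp", ()),
]

# What the change should look like after review: one DMZ historian host to one
# OT server on one protocol port. It still appears as a "review" item, because
# any conduit into OT deserves a documented justification.
CORRECTED = [
    Rule("allow-historian-opcua", "allow", "172.16.10.20/32", "192.168.101.5/32", "tcp", (4840,)),
    Rule("deny-all", "deny", "any", "any", "tcp", ()),
]

def has_blocking_findings(rules) -> bool:
    """The gate a change pipeline would enforce: any 'high' finding blocks deploy."""
    return any(f.severity == "high" for f in lint_ruleset(rules))

if __name__ == "__main__":
    for label, rules in (("proposed", PROPOSED), ("corrected", CORRECTED)):
        print(f"{label}: blocked={has_blocking_findings(rules)}")
        for f in lint_ruleset(rules):
            print(f"  [{f.severity}] {f.rule}: {f.src_zone} -> OT ports {f.exposed}")
```

The lint is intentionally noisy: it ignores rule ordering and treats an any-port rule as exposing every industrial port, so it over-reports rather than under-reports. That is the right bias for a review gate, which exists to put a second pair of eyes on each conduit into the OT zone; an authenticated scan from both sides of the firewall, as the passage suggests, is the independent layer that confirms what was actually deployed.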

Veeneman said that there are some scenarios where the ICS environments have a critical level of operation, a high-risk factor, and any human error impact carries an extremely high severity. “In the past, these ICS environments might have been protected through air-gapping. While this is not as effective with the levels of integration with the enterprise, other layers of defense have emerged. These are unidirectional communication and post-quantum cryptographic transport and networking,” he added.

“Defense-in-Depth provides the means to protect humans from themselves, whether the errors are unintended or malicious. Deploying multiple layers of process, technical, and operational controls provides organizations with more opportunities to mitigate risks proactively or reduce the time and impact of mitigating risks reactively,” Veeneman concluded.
