CHRISTO BUYS Effective defence-in-depth leads to system security that is designed into the infrastructure and becomes a set of layers within the overall network security
Protecting industrial assets requires a defence-in-depth (DiD) security approach that addresses in-house and external security threats. The approach uses multiple layers of defence, including physical, electronic and procedural protection, and at separate instances by applying appropriate controls that address different types of risks.
A good security programme is 20% technology and 80% process and procedure. These processes and procedures, along with a company’s employee policies, are categorised under the nontechnical side of security, says automation multinational Rockwell Automation sub-Saharan Africa software and control systems business manager Christo Buys.
“DiD security architecture is based on the idea that any one point of protection may, and probably will, be defeated. Several procedural and technological steps must also be taken to create a secure environment. By reviewing your security operating protocol, you can identify and prioritise vulnerabilities and develop a comprehensive strategy to help reduce risks.”
DiD security is a five-layer approach of physical, network, computer, application and device security. Multiple layers of network security can help protect networked assets, data and end points, just as multiple layers of physical security can help protect high-value physical assets.
Further, collaborating in the organisation’s security policy development makes employees much more likely to abide by the policy, Buys advises. If policies are impractical or too restrictive, operators might override them and the technical controls.
The result of this process is that system security is designed into the infrastructure and becomes a set of layers within the overall network security. Attackers are faced with a difficult task to successfully break through or bypass each security layer without being detected. A weakness or flaw in one layer can be protected by the strength, capabilities or new variables introduced through other security layers.
Computer hardening involves the use of antivirus software, application whitelisting, host intrusion-detection systems and other end-point security solutions, the removal of unused applications, protocols and services, as well as closing unnecessary ports.
Computers on the plant floor, such as a human-machine interface or industrial computers, are susceptible to malware cyberrisks, including viruses and Trojans. Software patching practices work in concert with hardening techniques to help address risks.
Specifically, companies should disable software automatic updating services on personal computers; conduct an inventory of applications, and software versions and revisions on plant floor computers; and subscribe to and monitor vendor patch qualification services for patch compatibility. Companies should also schedule the application of patches and upgrades and plan for contingencies.
“It is important to focus on the system and apply the DiD strategy to the products you select,” concludes Buys.