1. Eric Byres has started a blog series on the very important defense in depth security concept
2. Defense in depth does not obviate the need for proper risk management and addressing major risks
Project Basecamp has sensitized Digital Bond to the increasing use of defense in depth as an excuse rather than as a security principle. Now that the “SCADA and DCS are not connected to other networks / air gap” excuse is slowly dying, defense in depth has replaced it in vendor and CERT bulletins as the new excuse to avoid addressing the most significant risks in a control system.
The advice the vendors and CERTs are providing on the importance of defense in depth is useful and correct, but it typically does not address the specific risk that is the cause of the bulletin. Imagine you were having trouble seeing, and the advice was to brush and floss your teeth, eat a healthy diet and exercise. Not bad advice, but not addressing the real problem. When vulnerabilities occur that greatly increase your risk, push the vendors for an actual solution to the vulnerability in place of SCADASEC 101 advice.
3. Digitalbond.com labeling entries as SCADASEC 101 or Control System IT 101
From our ten-year relationship with loyal blog readers, we know that a large portion of our readers are very experienced in ICS security. I’m sure these readers groan, as I often do, when they read another article about a very basic comment. Probably 95%+ of what is written are these basic concepts rehashed over and over.
On this site we try to bring new information, new opinions, and new tools to the experienced ICS Security professional. And this will continue to be our focus.