Defense in Depth Misunderstood & Misapplied in ICS

Project BasecampKey Defense in Depth Principle: Don’t rely solely on the security perimeter(s). Secure the assets inside the perimeter to withstand attacks.

As we have covered ad nauseam on this site and clearly demonstrated in Project Basecamp, almost all PLC’s, RTU’s and other controllers are insecure by design. If an attacker or malware can gain network access to these devices, the device can be reprogrammed, crashed or made to do nasty things to a critical infrastructure process. Our plea has been that these insecure by design devices need to upgraded or replaced now.

The legion of SCADA Apologists have responded that this is impossible and the solution is defense in depth. If you have attended any ICSJWG, WeissCon, SANS SCADA Summit event or even S4 you have heard this in multiple presentations. I’ve had a civil back-and-forth with Eric Byres on this, and he even has a two-part defense in depth blog. ICS-CERT typically recommends defense in depth for PLC/controller vulnerabilities as seen in the Project Basecamp Alert. (You will notice that DHS/ICS-CERT rarely, if ever, say owner/operators should address the actual vuln by upgrading or replace insecure by design devices. Just keep the bad guys out.)

There appears to be unanimity that defense-in-depth is an important security principle, but most of the advocates actually are saying put up more security perimeters rather than implement a key principle of defense in depth. If you believe in defense in depth and have a security perimeter, then the focus should be on securing the systems in case the security perimeter fails.

This is not an argument against further segmentation, improved detection or other security controls the SCADA Apologists’ recommend. We just shouldn’t settle for this often illusory security. You can put up ten security perimeters, but if the owner/operator lets their vendors, engineers, administrators, servers on CorpNet, or others through all of the perimeters, they are of little additional value. Additional network segmentation is valuable only where each perimeter is preventing access that was allowed through an outer perimeter.

This is the same reason why field security devices, such as Tofino, are of little value if you let critical commands pass through the field security device (covered in more detail here). 

NSA has defined technical defense-in-depth as:

  1. Defend the Network and Infrastructure
  2. Defend the Enclave Boundaries
  3. Defend the Computing Environment
When it comes to PLCs/controllers, little is being done to “Defend the Computing Environment” as required for defense in depth even though those devices lack even basic security. While stating the need for defense in depth, all too often the advice focuses solely on “Defend the Enclave Boundaries” where security is often already in place.

Next time you hear a recommendation for defense in depth, say yes and ask if the system or assets are still secure if the perimeters fail. This is defense in depth.

Image by asknot

Leave a Reply