System defense-in-depth assumptions

Defense-in-depth is an information security strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and dimensions of your information technology and control system. Defense-in-depth helps minimize data protection gaps, reduces single points of failure, and creates a strong cybersecurity posture. The more layers of security you have in your system, the harder it is for attackers to breach your defenses, steal your digital assets, or cause disruption. Applying a defense-in-depth strategy by operating the device in a protected environment helps reduce your attack surface, decreasing the likelihood that a vulnerability can be exploited.

Before you install your device, review the following system defense-in-depth assumptions. If you have not already adopted these assumptions, we strongly recommend you add them to help improve your cybersecurity posture.

Site security assumptions

  • Perimeter security – installed devices, and devices that are not in service, are in an access-controlled or monitored location.

  • Emergency power – the control system provides the capability to switch to and from an emergency power supply without affecting the existing security state or a documented degraded mode.

Network security assumptions

  • Controls against malware – detection, prevention and recovery controls to help protect against malware are implemented and combined with appropriate user awareness.

  • Physical network segmentation – the control system provides the capability to:

    • Physically segment control system networks from non-control system networks.

    • Physically segment critical control system networks from non-critical control system networks.

  • Logical isolation of critical networks – the control system provides the capability to logically and physically isolate critical control system networks from non-critical control system networks. For example, using VLANs.

  • Independence from non-control system networks – the control system provides network services to control system networks, critical or non-critical, without a connection to non-control system networks.

  • Zone boundary protection – the control system provides the capability to:

    • Manage connections through managed interfaces consisting of appropriate boundary protection devices, such as proxies, gateways, routers, firewalls, and encrypted tunnels.

    • Use an effective architecture, for example, firewalls protecting application gateways residing in a DMZ.

    • Control system boundary protections at any designated alternate processing sites (for example, data centers) should provide the same level of protection as the primary site.

  • No public internet connectivity – access from the control system to the internet is not recommended. If a connection to a remote site is needed, encrypt the protocol transmissions (for example, over a VPN).

  • Resource availability and redundancy – the ability to break the connections between different network segments, or to switch to duplicate devices, in response to an incident.

  • Manage communication loads – the control system provides the capability to manage communication loads to mitigate the effects of information flooding types of DoS (Denial of Service) events.

  • Control system backup – available and up-to-date backups for recovery from a control system failure.

  • Encrypt protocol transmissions over all external connections using a Virtual Private Network (VPN) or a similar solution.
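The segmentation, zone boundary, internet connectivity, and encrypted external connection assumptions above can be expressed as checks over a documented set of permitted network flows. The following is an added example, not code from this document or its vendor; the zone names, the Flow fields, and the sample flows are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Zone names are assumptions for this example, not identifiers from the page.
CONTROL_ZONES = {"control_critical", "control"}
NON_CONTROL_ZONES = {"enterprise"}
EXTERNAL_ZONES = {"internet", "remote_site"}

@dataclass(frozen=True)
class Flow:
    """One permitted communication path between two zones."""
    src: str
    dst: str
    service: str
    encrypted: bool = False
    boundary_device: Optional[str] = None  # firewall, proxy or gateway at the crossing

def check_flow(f: Flow) -> List[str]:
    """Return the assumptions this flow violates (empty list means compliant)."""
    findings = []
    zones = {f.src, f.dst}
    touches_control = bool(zones & CONTROL_ZONES)
    # No public internet connectivity from or to the control system.
    if touches_control and "internet" in zones:
        findings.append("control system connected to the internet")
    # Control and non-control networks must not meet directly, only via the DMZ.
    if touches_control and zones & NON_CONTROL_ZONES:
        findings.append("control and non-control networks connected directly (route via DMZ)")
    # Every zone crossing (including critical/non-critical) passes a managed interface.
    if f.src != f.dst and f.boundary_device is None:
        findings.append("zone boundary crossed without a managed boundary device")
    # External connections use an encrypted transport (VPN or similar).
    if zones & EXTERNAL_ZONES and not f.encrypted:
        findings.append("external connection without encrypted transport (VPN)")
    return [f"{f.src}->{f.dst} {f.service}: {msg}" for msg in findings]

def check_policy(flows: List[Flow]) -> Dict[Flow, List[str]]:
    """Map each non-compliant flow to its findings; compliant flows are omitted."""
    return {f: r for f in flows if (r := check_flow(f))}

# Constructed sample policy: three compliant paths, three that break the assumptions.
SAMPLE_FLOWS = [
    Flow("control", "control_critical", "modbus/tcp", boundary_device="fw-ot-1"),
    Flow("control", "dmz", "historian-replication", boundary_device="fw-dmz-1"),
    Flow("dmz", "enterprise", "https", encrypted=True, boundary_device="fw-dmz-2"),
    Flow("control", "enterprise", "smb"),
    Flow("control_critical", "internet", "ntp"),
    Flow("control", "remote_site", "engineering-access", boundary_device="vpn-gw-1"),
]
```

Running `check_policy(SAMPLE_FLOWS)` reports only the last three flows: the direct control-to-enterprise path, the control path to the internet, and the unencrypted remote-site link.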

Administrative assumptions

  • Cybersecurity governance – available and up-to-date guidance on governing the use of information and technology assets in your company.

  • Software and firmware upgrades – software and device firmware upgrades are applied consistently so that all components run the current version.