System defense-in-depth assumptions
Defense-in-depth is an information security strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and dimensions in your information technology and control system.
Defense-in-depth helps minimize data protection gaps, reduces single-points-of-failure, and creates a strong cybersecurity posture. The more layers of security in your system, the harder it is to breach defenses, take digital assets or cause disruption.
Using a defense-in-depth strategy by securing the device in a protected environment helps reduce your attack surface, decreasing the likelihood that a vulnerability can be exploited.
Before you install your device, review the following system defense-in-depth assumptions. If you have not already adopted these assumptions, we strongly recommend you add them to help improve your cybersecurity posture.
Site security assumptions
- Perimeter security – Installed devices, and devices that are not in service, are in an access-controlled or monitored location.
- Emergency power – The control system provides the capability to switch to and from an emergency power supply without affecting the existing security state or a documented degraded mode.

Network security assumptions
- Controls against malware – Detection, prevention, and recovery controls to help protect against malware are implemented and combined with appropriate user awareness.
- Physical network segmentation – The control system provides the capability to:
  - Physically segment control system networks from non-control system networks.
  - Physically segment critical control system networks from non-critical control system networks.
- Logical isolation of critical networks – The control system provides the capability to logically and physically isolate critical control system networks from non-critical control system networks, for example, using VLANs.
- Independence from non-control system networks – The control system provides network services to control system networks, critical or non-critical, without a connection to non-control system networks.
- Zone boundary protection – The control system provides the capability to:
  - Manage connections through managed interfaces consisting of appropriate boundary protection devices, such as proxies, gateways, routers, firewalls, and encrypted tunnels.
  - Use an effective architecture, for example, firewalls protecting application gateways residing in a DMZ.
  - Provide control system boundary protections at any designated alternate processing sites (for example, data centers) at the same levels of protection as the primary site.
- No public internet connectivity – Access from the control system to the internet is not recommended. If a remote site connection is needed, encrypt protocol transmissions.
- Resource availability and redundancy – Ability to break the connections between different network segments or use duplicate devices in response to an incident.
- Manage communication loads – The control system provides the capability to manage communication loads to mitigate the effects of information flooding types of DoS (Denial of Service) events.
- Control system backup – Available and up-to-date backups for recovery from a control system failure.
- Encrypt protocol transmissions over all external connections – Use an encrypted tunnel, TLS wrapper, or a similar solution.
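The segmentation, zone boundary protection, and no-public-internet assumptions above can be checked against observed traffic. The following is an added example, not tooling from the product or its vendor: a Python script that maps each address in a constructed connection log to a zone from a hypothetical site plan (critical control, non-critical control, DMZ, enterprise) and flags flows that cross zones without passing through the DMZ, or that leave the site from a non-DMZ zone. The zone address ranges, the allowed zone pairs, the log line format, and the sample log lines are all constructed for the example.

```python
"""Zone-boundary audit over connection-log lines (added example).

Assumptions (constructed for this example, not from the product docs):
- Zone address plan below; 10.0.0.0/8 is the whole site, anything outside is
  "external" (remote site or internet).
- Flows inside one zone are allowed; cross-zone flows are allowed only between
  the pairs in ALLOWED_DIRECT, so other zones must traverse the DMZ.
- Log lines look like: "<timestamp> src=<ip> dst=<ip> dport=<port>".
"""
import ipaddress
import re
from typing import Dict, List, Optional

# Hypothetical zone plan for one site.
ZONES: Dict[str, List[ipaddress.IPv4Network]] = {
    "critical_control": [ipaddress.ip_network("10.10.1.0/24")],
    "control": [ipaddress.ip_network("10.10.2.0/24")],
    "dmz": [ipaddress.ip_network("10.20.0.0/24")],
    "enterprise": [ipaddress.ip_network("10.30.0.0/16")],
}
SITE_INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Unordered zone pairs that may talk directly (through a boundary device on
# the DMZ). Critical control is isolated from non-critical control and from
# the enterprise network; both reach it only via the DMZ.
ALLOWED_DIRECT = {
    frozenset({"control", "dmz"}),
    frozenset({"enterprise", "dmz"}),
    frozenset({"critical_control", "dmz"}),
    frozenset({"dmz", "external"}),  # only the DMZ may hold external links
}

LOG_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")


def zone_of(addr: str) -> str:
    """Return the zone name for an address, 'external' if off-site, else 'unknown'."""
    ip = ipaddress.ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in n for n in nets):
            return name
    return "unknown" if ip in SITE_INTERNAL else "external"


def check_flow(src: str, dst: str) -> Optional[str]:
    """Return a finding for a disallowed flow, or None when the flow is permitted."""
    s, d = zone_of(src), zone_of(dst)
    if s == d:
        return None  # intra-zone traffic is in scope of the zone's own controls
    if "unknown" in (s, d):
        return f"unplanned address: {src} ({s}) -> {dst} ({d})"
    if frozenset({s, d}) in ALLOWED_DIRECT:
        return None
    if "external" in (s, d):
        return f"external connectivity outside the DMZ: {src} ({s}) -> {dst} ({d})"
    return f"zone boundary bypass: {src} ({s}) -> {dst} ({d}); must traverse the DMZ"


def audit(lines: List[str]) -> List[str]:
    """Parse log lines and collect findings; lines that do not match are skipped."""
    findings: List[str] = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        finding = check_flow(m["src"], m["dst"])
        if finding:
            findings.append(finding)
    return findings


# Constructed sample log: two cross-zone bypasses and one direct external link.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z src=10.10.1.5 dst=10.10.1.20 dport=502",   # within critical zone: ok
    "2024-05-01T10:00:02Z src=10.10.2.7 dst=10.20.0.10 dport=443",   # control -> DMZ: ok
    "2024-05-01T10:00:03Z src=10.30.4.2 dst=10.10.1.5 dport=502",    # enterprise -> critical: bypass
    "2024-05-01T10:00:04Z src=10.10.2.7 dst=10.10.1.5 dport=502",    # control -> critical: bypass
    "2024-05-01T10:00:05Z src=10.10.1.5 dst=203.0.113.9 dport=123",  # critical -> external: not via DMZ
    "2024-05-01T10:00:06Z src=10.30.4.2 dst=10.20.0.10 dport=443",   # enterprise -> DMZ: ok
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f)
```

Running the script on the sample log reports three findings. The check is deliberately address-based: it does not tell you whether an external flow that does pass through the DMZ is encrypted, so the tunnel or TLS wrapper requirement still has to be verified on the boundary device itself.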
 
Administrative assumptions
- Cybersecurity governance – Available and up-to-date guidance on the secure use of information and technology assets in your company.
- Firmware upgrades – Meter firmware is consistently upgraded to the current version.

For detailed information on the device security capabilities, see Device security capabilities.