Industrial control systems (ICSs) are an integral part of critical infrastructures, helping to facilitate operations in vital industries such as electricity, oil and gas, water, transportation, manufacturing, and chemical manufacturing. The growing issue of cybersecurity and its impact on ICS highlights fundamental risks to the Nation’s critical infrastructure. Efficiently addressing ICS cybersecurity issues requires a clear understanding of the current security challenges and specific defensive countermeasures. A holistic approach—one that uses specific countermeasures implemented in layers to create an aggregated, risk-based security posture—helps to defend against cybersecurity threats and vulnerabilities that could affect these systems. This approach, often referred to as Defense in Depth, provides a flexible and useable framework for improving cybersecurity protection when applied to control systems.
The concept of Defense in Depth is not new—many organizations already employ many of the Defense-in-Depth measures discussed in this document within their information technology (IT) infrastructures; however, they do not necessarily apply them to their ICS operations. In the past, most organizations did not see a need to do so. Legacy ICSs used obscure protocols and were largely considered “hack proof” because of their separation from IT and because physical protection measures were in place. But with the convergence of IT and ICS architectures, recent high-profile intrusions have highlighted the potential risk to control systems.