What is Defense-in-Depth?

As more IIoT-connected equipment makes its way onto the plant floor, defense-in-depth cybersecurity strategies are supplanting perimeter-based approaches.


Quick hits:

  • Perimeter cybersecurity strategies alone are no longer a viable approach in a world where businesses may develop and deploy applications in corporate data centers, private clouds, and public clouds, or even leverage software-as-a-service models that require them to maintain a connection to the broader internet.
  • Because any IoT device connected to a network can serve as an entry point, a contemporary Industry 4.0 environment may contain hundreds or even thousands of vulnerabilities. The practice of securing the entry points into a network is called endpoint security.
  • Patch management is the process of using regular scans and software updates to fix bugs, add new features, or address newly discovered vulnerabilities in an application, system, or network.


Read the transcript below:

Hello and welcome to Take Five with Automation World. I’m David Miller, Senior Technical Writer for Automation World. Today, I’m going to talk about defense-in-depth cybersecurity strategies.

Now, as per usual, the first question we have to answer is what is defense in depth? Quite simply, defense in depth is a cybersecurity method that uses intentional redundancies at every layer of a system to ensure that a network remains secure. This is, of course, in contrast to the previously dominant perimeter strategy, which only sought to use tools such as firewalls and border routers to separate the plant floor intranet from internet-connected enterprise and external networks.

But why does this no longer work?

Well, it’s because we’re in a world where businesses are routinely developing and deploying applications in corporate data centers and private or public clouds, as well as leveraging software-as-a-service models that require them to maintain a connection to the broader internet. Now, while these technologies obviously have tremendous benefits which we here at Automation World discuss all the time, they come with a sharp, reverse edge which is that they open one up to more security vulnerabilities. And we do see an uptick in cyber attacks. On the screen now, you can see that when we conducted a recent survey of our readers, 36% of end users said they had experienced some kind of cybersecurity breach.

And, at that, many different types of attacks were employed, which you can also see beside me on the screen now.

So, Defense-in-Depth can be used to more effectively mitigate against these various attack vectors, and I’m going to spend the remainder of this video going through some of the common tools – the tricks of the trade you might say – that make up a defense-in-depth arsenal.

Let’s talk about the various components that make up a defense-in-depth strategy. Now bear in mind, this list is not exhaustive. However, it does give a good idea of how various techniques can come together to create a more complete security apparatus.

First, we have network perimeter security. Now this is simple; these are the tried and true methods – firewalls, virtual private networks, and virtual local area networks. While the details of how they do so vary, all three of these methods essentially work to isolate plant floor networks from external traffic in some way. That said, as previously mentioned, this is not enough – because this leaves one vulnerable to phishing attacks, physical CDs, USB sticks, or other data-carrying hardware, and even simply blind spots in one’s firewall that could lead to breaches.

So, what are the other layers that make up a defense in depth strategy?

Let’s take a look. Next, we have endpoint security. This is exactly what it sounds like: the process of securing entry points. And in the era of the internet of things, pretty much any connected device can serve as an entry point to a network. To secure these, end users commonly rely on software platforms called endpoint protection platforms, or EPPs. EPPs work by examining files as they enter a network, and checking them against a cloud database containing a library of threat information. This allows end users to outsource the cost and burden of storing such large libraries of information on site. On top of this, they enable threat libraries to be continually updated based on activity from many different sites. So when you have this, you can catch any potentially unpredictable threats entering directly through the OT layer of your operation in real time.

After that, we have patch management tools. This is the process of using regular scans and software updates to fix bugs, add new features, and address newly discovered vulnerabilities in an application, system, or network. So, this is pretty common in IT, but the reason it’s tougher with OT is because you have so many assets to monitor and you might even be in a multi-vendor environment – But that’s also why patch management procedures, possibly through a centralized patch management server, are even more important in an industrial environment.
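The multi-vendor gap analysis a centralized patch management server performs, as an added example that is not from the Automation World video. The asset inventory, the vendor names, the version numbers and the baseline table are all constructed for illustration; a real baseline comes from each vendor's security bulletins.

```python
"""Added example: a minimal patch-gap analysis over a multi-vendor OT inventory.
Vendors, products, versions and the baseline below are constructed, not real."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    vendor: str
    product: str
    version: str
    zone: str  # network zone, used only for reporting


# Constructed baseline: per (vendor, product), the minimum version that closes
# every advisory the site has decided to track.
BASELINE = {
    ("VendorA", "PLC-FW"): "3.2.1",
    ("VendorB", "HMI-Runtime"): "10.4.0",
    ("VendorC", "Historian"): "2.0.7",
}


def parse_version(v: str) -> tuple:
    """Turn '3.2.1' into (3, 2, 1) so versions compare numerically rather than
    as strings ('10.4.0' must sort above '9.9.9')."""
    return tuple(int(part) for part in v.split("."))


def find_patch_gaps(inventory):
    """Return (outdated, untracked): assets below their baseline, paired with the
    required version, and assets with no baseline at all. An unknown product is
    reported as a gap to review, never silently treated as a pass."""
    outdated, untracked = [], []
    for a in inventory:
        required = BASELINE.get((a.vendor, a.product))
        if required is None:
            untracked.append(a)
        elif parse_version(a.version) < parse_version(required):
            outdated.append((a, required))
    return outdated, untracked


# Constructed inventory spanning four vendors, as a scan might report it.
INVENTORY = [
    Asset("plc-line1", "VendorA", "PLC-FW", "3.1.9", "cell-1"),
    Asset("plc-line2", "VendorA", "PLC-FW", "3.2.1", "cell-1"),
    Asset("hmi-pack", "VendorB", "HMI-Runtime", "9.9.9", "cell-2"),
    Asset("hist-01", "VendorC", "Historian", "2.0.7", "dmz"),
    Asset("gw-legacy", "VendorD", "Gateway", "1.0", "cell-2"),
]
```

Running `find_patch_gaps(INVENTORY)` flags plc-line1 and hmi-pack as outdated and gw-legacy as untracked; the plain-string comparison it avoids would have passed the 9.9.9 HMI runtime.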

Along with that, we have intrusion detection and prevention tools. Now, intrusion detection systems are actually very similar to the EPPs discussed above, except that rather than just scanning for malicious files, they also track user activity more broadly. This makes them more effective at detecting social engineering attempts to manipulate users into revealing sensitive information.

Finally, we have the last tool we’re going to discuss in this video, and that is user identity and access management. The goal of this is to grant users access to assets and devices that they have rights to in a given context. So, we actually all know this because even outside of an industrial context, we probably use it on a regular basis – This refers to things like multi-factor authentication or privileged account management, where in order to gain access to a system you need information beyond a simple username or password, or otherwise some sort of special administrative certificate or privilege – the idea being that this guards against a phishing attempt wherein a username and password might be obtained, or somehow unlawfully stolen.
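A small policy evaluator for the identity and access management layer just described, as an added example that is not from the video. It grants a user access to an asset only when their role covers the requested action in the given context (where the session originates and at what hour), and it refuses privileged actions unless a second factor has been verified, so a username and password captured by phishing are not enough on their own. The roles, actions, zones and staffed hours are constructed assumptions.

```python
"""Added example: context-aware access decision with a second-factor requirement
for privileged actions. Role table, zones and hours are constructed."""
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    role: str
    mfa_verified: bool  # True only after a second factor was checked
    zone: str           # where the request originates: "plant" or "remote"
    hour: int           # local hour of the request, 0..23


# Constructed role table: which roles may perform each action on plant assets.
ROLE_ACTIONS = {
    "view": {"operator", "engineer", "admin"},
    "change_setpoint": {"engineer", "admin"},
    "download_program": {"admin"},
}
# Actions that change equipment; these need more than a password.
PRIVILEGED = {"change_setpoint", "download_program"}


def decide(session: Session, asset: str, action: str) -> tuple:
    """Return (allowed, reason). The default is deny, and every deny path names
    its reason so the decision can be logged and reviewed later."""
    if action not in ROLE_ACTIONS:
        return False, f"unknown action {action!r}"
    if session.role not in ROLE_ACTIONS[action]:
        return False, f"role {session.role!r} may not {action} on {asset}"
    if action in PRIVILEGED:
        # A stolen password alone must not be enough for a privileged action.
        if not session.mfa_verified:
            return False, "privileged action requires a verified second factor"
        # Remote sessions may only change equipment during staffed hours
        # (constructed window: 06:00 to 22:00).
        if session.zone == "remote" and not 6 <= session.hour < 22:
            return False, "remote privileged access outside staffed hours"
    return True, "allowed"
```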

Now, we’re going to have to wrap things up. If you’re interested in cybersecurity topics, check out the links above for more information.
