Implementation of Defense in Depth Strategy to Secure Industrial Control System in Critical Infrastructures

摘要

The goal of this communication is to examine the implementation of defense in depth strategy to secure the industrial control systems (ICS) from threats, hackers, vandals and other ones that can damage the critical infrastructures (gas transportation network, power transmission network, power generation, power distribution grids, air traffic, petrochemical industries, rail traffic, military industries) and others big infrastructures that affect large number of persons and security of nations [1]. The defense in depth concept ensures the physical access protection of the infrastructure, using network access control system (NAC) and traditional security measures, and implements policies and procedures that deal training and cybersecurity awareness programs, risk assessment (analyzing and documenting), and the plan of security. The philosophy of defense in depth uses also the IT technologies in order to ensure separation and segmentations of the networks to the VLANs, demilitarized zones, VPN, using firewalls, switch and routers. The hardening of different systems installed like routers, firewalls, switches and other devices on the network such as SCADA servers is a very sensitive operation of defense in depth. The last important operations are monitoring and maintenance, the monitoring serve to detect and stop intrusions attempts before they can damage the control system with using detection and protection system (IDS/IPS), and the maintenance operations control system (soft and hard), schedule updating of anti-virus software on different devices installed in the network like (computers, SCADA servers, routers, switch and other devices). The defense-in-depth recommendations described in this document can decrease the risk of attacks can target industrial network architectures, like VLAN hopping, SQL injection on SCADA, IP spoofing and DoS (denies of service) and others ones. The risk of attacks can use a common point of access as point of failures (RTU, corporate VPNs, database links, wireless communication, and IT controlled communication equipment). The implementation strict of the defense in depth concept can avoid important damage of critical infrastructures such as loss of production, damage to plant, impact on reputation, impact of health, impact of safety, impact of environment and impact on nation's security.