Detection-in-Depth is a cybersecurity strategy that uses multiple layers of monitoring and detection throughout an Industrial Automation and Control System (IACS) to identify malicious activity as early as possible.
Unlike preventive security controls, Detection-in-Depth assumes that attackers may eventually bypass one or more defences. The objective is therefore to identify malicious activity before attackers can achieve their objectives or impact industrial operations.
Detection-in-Depth provides multiple monitoring layers across an IACS to rapidly identify threats and support timely incident response.
No security control is perfect. Firewalls, authentication systems, antivirus software and network segmentation all reduce risk, but determined attackers may still gain access through stolen credentials, insider threats, zero-day vulnerabilities or supply chain compromises.
Detection-in-Depth recognises this reality by ensuring that suspicious activity is continuously monitored throughout the industrial environment. The faster malicious behaviour is detected, the sooner operators can investigate, contain and recover from an incident.
Detection mechanisms should exist throughout the entire architecture rather than relying on a single monitoring point.
| Layer | Examples |
|---|---|
| Perimeter | Firewall logs, Intrusion Detection Systems (IDS), gateway monitoring, VPN monitoring |
| Network | Network traffic analysis, anomaly detection, protocol monitoring, segmentation monitoring |
| Critical Systems | Endpoint Detection and Response (EDR), file integrity monitoring, configuration change detection, malware monitoring |
| User Activity | Authentication logs, privileged account monitoring, behavioural analytics, remote access monitoring |
| Central Monitoring | Security Information and Event Management (SIEM), security dashboards, event correlation, incident alerting |
Monitor network traffic for known attack signatures or abnormal behaviour and generate alerts when suspicious activity is detected.
Extend IDS functionality by automatically blocking or preventing detected malicious traffic where appropriate.
Collects logs from multiple devices, correlates events and provides a central platform for security monitoring and investigation.
Continuously monitors endpoints for malware, suspicious processes and unauthorised activity.
Provides visibility into allowed and denied network connections, policy violations and attempted attacks.
Analyses industrial network traffic to identify anomalies, unusual communications or unexpected protocol behaviour.
Detects unauthorised changes to PLCs, DCS servers, HMIs, SIS controllers and other critical assets.
Combines information from multiple monitoring systems to identify coordinated attacks that individual devices may not recognise.
| Defense-in-Depth | Detection-in-Depth |
|---|---|
| Focuses on preventing attacks | Focuses on identifying attacks |
| Uses multiple protective controls | Uses multiple monitoring controls |
| Makes attacks more difficult | Makes attacks more visible |
| Reduces the likelihood of compromise | Reduces the time required to detect and respond |
Within an Industrial Automation and Control System, monitoring should extend well beyond the enterprise firewall. Critical industrial assets require continuous visibility to quickly identify cyber events that could affect safety, reliability or production.
Examples include monitoring:
Comprehensive monitoring enables security personnel and operators to investigate incidents before they escalate into safety, environmental or production consequences.
IEC 62443 promotes continuous monitoring, audit logging, system integrity verification and timely incident detection as essential components of a secure industrial control system. Detection capabilities support ongoing risk management by providing visibility into security events across zones and conduits.
Effective Detection-in-Depth supports many IEC 62443 objectives, including accountability, system integrity, auditability and continuous monitoring throughout the lifecycle of an IACS.