← Home

Detection-in-Depth

Detection-in-Depth is a cybersecurity strategy that uses multiple layers of monitoring and detection throughout an Industrial Automation and Control System (IACS) to identify malicious activity as early as possible.

Unlike preventive security controls, Detection-in-Depth assumes that attackers may eventually bypass one or more defences. The objective is therefore to identify malicious activity before attackers can achieve their objectives or impact industrial operations.

Detection-in-Depth Summary

Detection-in-Depth provides multiple monitoring layers across an IACS to rapidly identify threats and support timely incident response.


Why Detection-in-Depth Matters

No security control is perfect. Firewalls, authentication systems, antivirus software and network segmentation all reduce risk, but determined attackers may still gain access through stolen credentials, insider threats, zero-day vulnerabilities or supply chain compromises.

Detection-in-Depth recognises this reality by ensuring that suspicious activity is continuously monitored throughout the industrial environment. The faster malicious behaviour is detected, the sooner operators can investigate, contain and recover from an incident.

Key Principle

If an attacker cannot be prevented, they should be detected as quickly as possible.

Objectives


Detection Layers

Detection mechanisms should exist throughout the entire architecture rather than relying on a single monitoring point.

Layer Examples
Perimeter Firewall logs, Intrusion Detection Systems (IDS), gateway monitoring, VPN monitoring
Network Network traffic analysis, anomaly detection, protocol monitoring, segmentation monitoring
Critical Systems Endpoint Detection and Response (EDR), file integrity monitoring, configuration change detection, malware monitoring
User Activity Authentication logs, privileged account monitoring, behavioural analytics, remote access monitoring
Central Monitoring Security Information and Event Management (SIEM), security dashboards, event correlation, incident alerting

Common Detection Technologies

Intrusion Detection Systems (IDS)

Monitor network traffic for known attack signatures or abnormal behaviour and generate alerts when suspicious activity is detected.

Intrusion Prevention Systems (IPS)

Extend IDS functionality by automatically blocking or preventing detected malicious traffic where appropriate.

Security Information and Event Management (SIEM)

Collects logs from multiple devices, correlates events and provides a central platform for security monitoring and investigation.

Endpoint Detection and Response (EDR)

Continuously monitors endpoints for malware, suspicious processes and unauthorised activity.

Firewall Logging

Provides visibility into allowed and denied network connections, policy violations and attempted attacks.

Network Monitoring

Analyses industrial network traffic to identify anomalies, unusual communications or unexpected protocol behaviour.

Configuration Monitoring

Detects unauthorised changes to PLCs, DCS servers, HMIs, SIS controllers and other critical assets.

Event Correlation

Combines information from multiple monitoring systems to identify coordinated attacks that individual devices may not recognise.


Detection-in-Depth vs Defense-in-Depth

Defense-in-Depth Detection-in-Depth
Focuses on preventing attacks Focuses on identifying attacks
Uses multiple protective controls Uses multiple monitoring controls
Makes attacks more difficult Makes attacks more visible
Reduces the likelihood of compromise Reduces the time required to detect and respond
Detection-in-Depth and Defense-in-Depth are complementary cybersecurity strategies. Preventive controls reduce the likelihood of compromise, while detection controls reduce the time attackers remain undetected.

Engineering Perspective

Within an Industrial Automation and Control System, monitoring should extend well beyond the enterprise firewall. Critical industrial assets require continuous visibility to quickly identify cyber events that could affect safety, reliability or production.

Examples include monitoring:

Comprehensive monitoring enables security personnel and operators to investigate incidents before they escalate into safety, environmental or production consequences.


Relationship with IEC 62443

IEC 62443 promotes continuous monitoring, audit logging, system integrity verification and timely incident detection as essential components of a secure industrial control system. Detection capabilities support ongoing risk management by providing visibility into security events across zones and conduits.

Effective Detection-in-Depth supports many IEC 62443 objectives, including accountability, system integrity, auditability and continuous monitoring throughout the lifecycle of an IACS.


Exam Points to Remember