Cybersecurity is a never-ending battle; a system cannot be 100% secure. We must keep adding layers and updating our systems to make it increasingly difficult for others to gain access and to keep up with the ever-changing threat landscape. 

Layers we can add include improved policies, network segmentation, complex passwords, firewalls, etc.

The game of Pac-Man provides a great analogy for defense in depth. In Pac-Man, you control a little yellow circle and have to eat smaller yellow circles and fruit while keeping away from ghosts in a big maze. As you progress through the game, different parameters change, which increases the difficulty.

If the maze were smaller, the game would be harder; if the maze were bigger, the game would be easier, as you could more easily avoid the ghosts.

Figure 1: Defense in Depth Analogy

This is fairly similar to protecting your control system. If you add more obstacles between your PLC and the outside world, it will be harder for a threat actor to compromise your system.

Using the same example, pretend you are Pac-Man navigating the maze and trying to complete your level. The ghost finds you, but first it has to guess a password before you lose a life. If your password is “password”, the ghost might take a fraction of a second to guess it. But if your password is “RedFishBlueCat87!”, by the time the ghost guesses it you might have enough time to get away.

In this example, we have two clear layers of defense for Pac-Man. First is the maze, and second is the password. In your water plant, your network should act as a maze: it can be split into segments known as zones and conduits. These make it more challenging for someone with malicious intent to gain access. The second layer may be a password. Most modern PLCs have some sort of password protection, either to prevent programming changes or to communicate with the PLC in some way.

The more layers we can implement between our key assets and the outside world, the more protected they will be. Layers can include:

  • Physical Security  
  • Policies & Procedures  
  • Zones & Conduits  
  • Malware Prevention  
  • Access Controls  
  • Monitoring & Detection  
  • Patching 

The goal here is to make it increasingly difficult for someone to gain access. Essentially, don’t put all your eggs in one basket. 

Jason Marchese, P.Eng. PMP  

Director of Engineering