Control Systems Cyber Security: Defense in Depth Strategies

Information infrastructures across many public and private domains share several common attributes regarding IT deployments and data communications. This is particularly true in the control systems domain. A majority of the systems use robust architectures to enhance business and reduce costs by increasing the integration of external, business, and control system networks. However, multi-network integration strategies often lead to vulnerabilities that greatly reduce the security of an organization, and can expose mission-critical control systems to cyber threats. This document provides guidance and direction for developing ‘defense-in-depth’ strategies for organizations that use control system networks while maintaining a multi-tier information architecture that requires: •Maintenance of various field devices, telemetry collection, and/or industrial-level process systems •Access to facilities via remote data link or modem •Public facing services for customer or corporate operations •A robust business environment that requires connections among the control system domain, the external Internet, and other peer organizations.