Defense in Depth – Multi-Layer Protection Approach


Cyber attacks can occur at any level of a plant. Effective plant protection must therefore provide both all-around protection and protection in depth. Siemens Industrial Security meets these criteria with its defense-in-depth concept based on ISA 99 (the standard series now known as IEC 62443), which is applied on three levels: plant security, network security, and access protection.

Plant security

Plant security safeguards physical access by persons to critical components. This starts with conventional building access with a gatekeeper and extends to access control for sensitive areas using key cards. The objective is to keep unauthorized persons away from the equipment in order to thwart deliberate attempts to introduce malware and to prevent industrial espionage.

Network security

One important element is the use of firewalls to shield production systems from unauthorized access originating in the office network, which usually shares the same company infrastructure. Segmenting the network into individual subnets, e.g., by means of a cell protection concept or a perimeter network, provides additional security.

With the cell protection concept, a plant network is subdivided into individual automation cells within which all devices are able to communicate with each other. Access to each cell is controlled at its entrance by a security appliance designed specifically for this purpose (hardware). The cell communicates externally (e.g., with other automation cells or over the Internet) only through a secure VPN-protected channel. If an incident occurs, the damage is confined to the affected cell rather than spreading across the plant.

Connecting the plant through a perimeter network offers even greater security. This is often referred to as a DMZ (demilitarized zone). In this case, direct communication between production and the remaining company networks is completely blocked by firewalls. Data can only be exchanged indirectly, via servers located in the DMZ. This allows internal communication guidelines to be enforced reliably while preventing unauthorized access from outside. Because the DMZ servers are the only systems reachable from both sides, they must be hardened and monitored with particular care.
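The following script, an added example that is not Siemens code, models the zone policy described in the two paragraphs above as a first-match rule set and renders it as an nftables forward chain. The address plan, the zone names, the two permitted services (OPC UA from the cells to a DMZ historian, HTTPS from the office to the historian's web front end) and the choice of nftables as the perimeter firewall are assumptions made for the illustration; cell-to-cell traffic over a VPN tunnel is not modeled and therefore falls through to the default drop.

```python
"""Zone policy for a cell-protection / DMZ design, evaluated as a first-match
rule set and rendered as an nftables ruleset.

Added example, not Siemens code. The address plan, zone names, services and
the choice of nftables for the perimeter firewall are assumptions.
"""
import ipaddress
from dataclasses import dataclass

# Constructed address plan: one office LAN, one DMZ, two automation cells.
ZONES = {
    "office": ipaddress.ip_network("10.0.0.0/16"),
    "dmz":    ipaddress.ip_network("172.16.0.0/24"),
    "cell_a": ipaddress.ip_network("192.168.10.0/24"),
    "cell_b": ipaddress.ip_network("192.168.20.0/24"),
}


@dataclass(frozen=True)
class Rule:
    src: str      # source zone
    dst: str      # destination zone
    proto: str    # "tcp", "udp" or "any"
    dport: int    # destination port, 0 = any
    action: str   # "accept" or "drop"


# Evaluated top to bottom, first match wins; anything unmatched is dropped.
# There is deliberately no rule that accepts office<->cell traffic:
# data crosses the perimeter only via the DMZ historian.
RULES = [
    Rule("cell_a", "cell_a", "any", 0, "accept"),     # free traffic inside a cell
    Rule("cell_b", "cell_b", "any", 0, "accept"),
    Rule("cell_a", "dmz", "tcp", 4840, "accept"),     # cell pushes data to the DMZ historian (OPC UA)
    Rule("cell_b", "dmz", "tcp", 4840, "accept"),
    Rule("office", "dmz", "tcp", 443, "accept"),      # office reads the historian's web front end
    Rule("office", "cell_a", "any", 0, "drop"),       # documents the DMZ principle explicitly
    Rule("office", "cell_b", "any", 0, "drop"),
]


def zone_of(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"


def decide(src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
    """Return 'accept' or 'drop' for a new connection (first packet)."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for r in RULES:
        if (r.src == src and r.dst == dst
                and r.proto in ("any", proto)
                and r.dport in (0, dport)):
            return r.action
    return "drop"   # default deny, including cell-to-cell and anything from 'unknown'


def to_nftables() -> str:
    """Render RULES as an nftables forward chain with a drop policy.

    Intra-cell rules are kept for completeness; on a real cell appliance that
    traffic never reaches the firewall because it stays on the cell switch.
    """
    lines = [
        "table inet plant {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept   # replies to accepted connections",
    ]
    for r in RULES:
        match = f"ip saddr {ZONES[r.src]} ip daddr {ZONES[r.dst]}"
        if r.proto != "any":
            match += f" {r.proto} dport {r.dport}"
        lines.append(f"    {match} {r.action}")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for flow in [("10.0.1.5", "192.168.10.20", "tcp", 102),       # office -> PLC, S7 port
                 ("10.0.1.5", "172.16.0.10", "tcp", 443),         # office -> historian web UI
                 ("192.168.10.20", "172.16.0.10", "tcp", 4840),   # PLC -> historian
                 ("192.168.10.20", "192.168.20.20", "tcp", 102)]: # cell A -> cell B
        print(flow, "->", decide(*flow))
    print(to_nftables())
```

The point of the rule order is that the historian in the DMZ is the only system both sides can reach, and even it is reachable only on one port from each side; a DMZ host initiating a connection into a cell is dropped, and only replies to cell-initiated connections pass thanks to the conntrack rule.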

Access protection

The purpose here is to authenticate users and to authorize only the specific changes each of them is permitted to make. Centralized user administration (e.g., on a RADIUS or directory server) makes it possible to enforce sufficiently robust passwords and to track failed login attempts across all devices.
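The script below, an added example rather than Siemens code, shows the two mechanisms the paragraph above describes working on a central authentication log: a minimum password policy, and failed-login tracking that distinguishes a brute-force attempt against one account from a password-spraying attempt against many accounts from one source, and that also flags a successful login on an account that should already be locked. The log line format, the sample lines, the threshold of 5 failures and the 5-minute window are assumptions chosen for the illustration.

```python
"""Central login auditing: password policy plus failed-login tracking.

Added example, not Siemens code. The log line format, the sample lines,
the threshold (5 failures) and the window (5 minutes) are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                  # failures that trigger an alert
WINDOW = timedelta(minutes=5)  # sliding window for counting failures

# Constructed sample lines from an assumed central authentication server.
SAMPLE_LOG = """\
2024-05-02T08:14:03Z auth user=alice src=10.0.1.5 result=FAIL
2024-05-02T08:14:09Z auth user=alice src=10.0.1.5 result=FAIL
2024-05-02T08:14:15Z auth user=alice src=10.0.1.5 result=FAIL
2024-05-02T08:14:20Z auth user=alice src=10.0.1.5 result=FAIL
2024-05-02T08:14:26Z auth user=alice src=10.0.1.5 result=FAIL
2024-05-02T08:14:31Z auth user=alice src=10.0.1.5 result=OK
2024-05-02T08:20:00Z auth user=bob src=10.0.2.7 result=FAIL
2024-05-02T09:30:00Z auth user=bob src=10.0.2.7 result=FAIL
2024-05-02T09:31:00Z auth user=carol src=10.0.9.9 result=FAIL
2024-05-02T09:31:02Z auth user=dave src=10.0.9.9 result=FAIL
2024-05-02T09:31:04Z auth user=erin src=10.0.9.9 result=FAIL
2024-05-02T09:31:06Z auth user=frank src=10.0.9.9 result=FAIL
2024-05-02T09:31:08Z auth user=grace src=10.0.9.9 result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$")


def parse(line):
    """Parse one log line into a dict, or return None for unknown formats."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def _prune(q, now):
    """Drop window entries older than WINDOW; entries are (ts, user) tuples."""
    while q and now - q[0][0] > WINDOW:
        q.popleft()


def analyse(log_text):
    """Return a list of (alert_type, key, timestamp) tuples.

    brute_force:           THRESHOLD failures for one account inside WINDOW
    password_spray:        failures against THRESHOLD distinct accounts from one source
    success_after_lockout: a login succeeded for an account that should be locked
    """
    alerts = []
    per_user = defaultdict(deque)
    per_src = defaultdict(deque)
    locked, fired = set(), set()
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        user, src, now = ev["user"], ev["src"], ev["ts"]
        if ev["result"] == "OK":
            if user in locked:
                alerts.append(("success_after_lockout", user, now))
            per_user[user].clear()   # a genuine login resets the per-account counter
            continue
        per_user[user].append((now, user))
        _prune(per_user[user], now)
        if len(per_user[user]) >= THRESHOLD and ("user", user) not in fired:
            fired.add(("user", user))
            locked.add(user)
            alerts.append(("brute_force", user, now))
        per_src[src].append((now, user))
        _prune(per_src[src], now)
        distinct = {u for _, u in per_src[src]}
        if len(distinct) >= THRESHOLD and ("src", src) not in fired:
            fired.add(("src", src))
            alerts.append(("password_spray", src, now))
    return alerts


COMMON_PASSWORDS = {"password", "admin", "12345678", "siemens"}  # constructed stand-in for a breach list


def password_ok(pw):
    """Minimum policy: 12+ characters, not a common password, and either
    three of four character classes or a long passphrase (20+ characters)."""
    if len(pw) < 12 or pw.lower() in COMMON_PASSWORDS:
        return False
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    return classes >= 3 or len(pw) >= 20


if __name__ == "__main__":
    for a in analyse(SAMPLE_LOG):
        print(a)
    for pw in ("Summer2024!", "correcthorsebatterystaple", "Tr0ub4dor&3xtra"):
        print(pw, password_ok(pw))
```

Counting per source with distinct accounts is what makes the spraying case visible: the attacker on 10.0.9.9 never exceeds one failure per account, so a per-account lockout alone would not notice it. Bob's two failures lie more than five minutes apart and produce no alert, and the sliding window is what keeps them from accumulating.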

Port security on switches can be achieved with 802.1X authentication against a RADIUS server, or by binding switch ports to fixed MAC addresses (the weaker option, since MAC addresses can be spoofed). In addition, unneeded services (Web servers, FTP, remote access, etc.), interfaces (USB, FireWire, WLAN, etc.), and ports (Ethernet, PROFINET) should be deactivated. This closes unnecessary gaps in protection and reduces the amount of communication that has to be monitored. Measures to protect intellectual property or to prevent unauthorized access can also be configured directly in the engineering software.

The connected PCs are protected using anti-virus software. Application whitelisting limits execution to programs classified as trustworthy, which also stops malware that anti-virus signatures do not yet recognize. The same hardening applies to PCs as to automation devices: unneeded services, interfaces, and ports should be blocked so that no unnecessary and, above all, unmonitored attack surface remains. Regular patching and updates keep these protective measures current.