Alina Turkevych (002846475)

How defense-in-depth and awareness are complimentary techniques to detect emerging

threats and strengthen countermeasures?

Introduction

In the era of cyber attacks the issues of protecting national infrastructure arise. The
techniques of awareness and defense-in-depth are two important protection methodologies that
complement each other in detecting emerging threats and strengthening countermeasures. The
defense-in-depth method focuses on adding extra layers of protection to the organization, and the
awareness method conduct the research of current risks at the enterprise. Therefore, by studying
the potential and current vulnerabilities, the enterprises can use that information to add extra
layers of protection in the area of those vulnerabilities.

Defense-in-depth and awareness techniques.

Defense-in-depth is a protection technique for cyber security that includes the provision of
extra layers of defense. It has three important features. It has to be "deep" by having many
independent layers of security. It has to be "narrow" by having minimized number of nodes. It
has to be also "strong" by making each different layer retaining from the attacks. (P. Mell, J.
Shook & R. Harang, 2016) In order to fulfill these requirements for defense-in-depth technique,
the awareness methodology can be used. The situational awareness can help to study the
requirements to create "deep", "narrow" and "strong" layers.

With the rise of technologies and automation, the more data appears about vulnerabilities
and potential attacks. The awareness technique is the method that is used to study the potential
risks. According to the paper of T. Pahi, M. Leitner and F. Skopik, the Effective Cyber
Situational Awareness includes three main phases such as network awareness (analyze of assets
enumeration of defense capabilities), threat of attack awareness (creates a picture of possible
attacks), operational or mission awareness (determines how decreased network will affect the
mission of the network) (T. Pahi, M. Leitner and F. Skopik, 2017).

The security administrator asks three main questions when an attack occurs: what
happened? why did it happen? what can be done? The awareness technique answers the first two
questions (M. Albanese, H. Cam & S. Jahodia, 2014). The third question is answered by
implementing the extra defense with multi-layered methods. Based on the acquired information,
the new layers of protection can be added to the network security, software application or user
accessibility. The third question shows the importance of complementing and combining two
techniques of defense-in-depth and awareness together. Defense-in-depth helps to answer the
third question while the first two are replied by awareness.

By conducting the situational awareness, the enterprises process a lot of data of potential
risks and their real association with the vulnerability. Not always the occurred problem is
associated with potential attacks. Sometimes the abnormal behavior can be caused by the
software mistake and not the intruder. The research of Massimiliano Albanese provides the
information on automated tools to conduct the situational awareness effectively and less time
consuming. The author suggest a few models to automate the technique of situational awareness
by creating the cyber situation awareness frameworks and deploying the Petri Net Models. (M.
Albanese, H. Cam & S. Jahodia, 2014). Thus, by automating the awareness, the cyber security
manager would receive a ready information on vulnerabilities that would help to implement
other cyber security methodologies faster. The defense-in-depth methodology would use the
acquired information received from automated awareness tools to strengthen the multi-layered
protection.

Defense-in-depth and awareness techniques in Industrial Control Systems

The growing cybersecurity issues has a tremendous affect on Industrial Control

Systems(ICS) and national infrastructure. With the rise of automation and technologies, the risks
and vulnerabilities appear in the industrial infrastructures. The Homeland Security's National
Cybersecurity and Communication Integration Center (NCCIC) and Industrial Control Systems
Cyber Emergency Response Team (ICS-CERT) developed the recommended practice for
Industrial Control Systems Cybersecurity that focuses on defense-in-depth and awareness
methods. (Homeland Security, 2016) The strategy has the following components such as risk
management program, cybersecurity architecture, physical security, ICS network architecture,
ICS network perimeter security, host security, security monitoring, vendor management and the
human element. According to the publication, the first element of defense-in-depth strategy is the
risk management program that identifies and categorizes the risks. The risk assessment and
identification is a situational awareness method. Therefore, the current practice suggests to use
the awareness method as a part of defense-in-depth strategy. It is a component and an element of
defense-in-depth method.

To secure better the ICS by defense-in-depth methodologies, the new approach was
proposed by Jayasingam Nivethan and Mauricio Papa when changes in constraints are
determined by employees that are not related to IT industries. The approach brings awareness of
the risks and helps to mitigate them by non-IT workers. The framework allows the Intrusion
Detection System (ICS) to audit the variables and alert the system operator if abnormal values
occurred. (J. Nivethan, M. Papa, 2016) The method shows how two techniques of awareness and
defense-in-depth are used together in Industrial Control System by acquiring the risks
information and improving the defense.

The other method of automatic construction of statechart anomaly detection models for ICS
presents the defense-in-depth method along with awareness strategy. The authors, Amit
Kleinmann and Avishai Wool, offer a new approach that called Statechart DFA, that demonstrate
automatic construction of statechart from captured traffic stream. It learns the individual patterns
of complex cycle patterns in the traffic (A. Kleinmann, A. Wool, 2017). The method discovers
the potential vulnerabilities and adds extra layers of protection to the system.

F.Silva and P. Jacob consider that creating a mission dependency metamodel is a crucial
requirement for the risk assessment. The model determines the dependency layers and entities
that are affected by the risks ( F.Silva, P. Jacob, 2018). The suggested method also uses the
techniques of defense-in-depth and awareness complimentarily by thoroughly determining the
risks in each layer.

Conclusion

The defense-in-depth and awareness are complimentary strategies to detect emerging

threats and improve countermeasures. Implementation of the defense-in-depth techniques
requires the information on the current and potential vulnerabilities, and the awareness
techniques provide with it. The two methods are also used together in Industrial Controls
Systems. The Department of Homeland Security does not separate the methodologies and use
them complimentary in the recommended practice for ICS. According to their recommended
practice, the risk assessment is a part of defense-in-depth strategy. The other scholars deploy
these two methods together as well. The SCADA intrusion detection framework that
incorporates process semantics, the statechart anomaly detection and mission dependency
metamodel present the approaches when defense-in-depth and awareness are deployed together
in cybersecurity. Therefore, based on the mentioned examples, the two techniques complement
each other in the era of protection against cyber attacks.

References

Albanese, M., Cam, H., & Jajodia, S. (2014). Automated Cyber Situation Awareness Tools and
Models for Improving Analyst Performance. Advances in Information Security Cybersecurity
Systems for Human Cognition Augmentation,47-60. doi:10.1007/978-3-319-10374-7_3

Kleinmann, A., & Wool, A. (2017). Automatic Construction of Statechart-Based Anomaly

Detection Models for Multi-Threaded Industrial Control Systems. ACM Transactions on
Intelligent Systems and Technology (TIST) - Special Issue: Cyber Security and Regular
Papers,8(4), Article No.55. doi:10.1145/3011018

Mell, P., Shook, J., & Harang, R. (2016). Measuring and Improving the Effectiveness of
Defense-in-Depth Postures. ICSS '16 Proceedings of the 2nd Annual Industrial Control System
Security Workshop,15-22. doi:10.1145/3018981.3018986

Nivethan, J., & Papa, M. (2016). A SCADA Intrusion Detection Framework that Incorporates
Process Semantics. CISRC'16 Proceedings of the 11th Annual Cyber and Information Security
Research Conference Article No. 6. doi:10.1145/2897795.2897814

Pahi, T., Leitner, M., & Skopik, F. (2017). Analysis and Assessment of Situational Awareness
Models for National Cyber Security Centers. Proceedings of the 3rd International Conference on
Information Systems Security and Privacy : ICISSP,1, 334-345. doi:10.5220/0006149703340345

Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-

Depth Strategies. (2016). Homeland Security. Retrieved from https://ics-cert.us-
cert.gov/sites/default/files/recommended_practices/NCCIC_ICS-
CERT_Defense_in_Depth_2016_S508C.pdf.

Silva, F. R., & Jacob, P. (2018). Mission-Centric Risk Assessment to Improve Cyber Situational
Awareness. Proceedings of the 13th International Conference on Availability, Reliability and
Security - ARES 2018. doi:10.1145/3230833.3233281