5. Defense in Depth: Why One Firewall Is Never Enough in Industrial Cybersecurity

In the previous post, we learned how Zones and Conduits help organize industrial networks and control communication between systems.
A common misconception is that installing a firewall automatically makes a network secure.
In reality, no single security device can fully protect an industrial control system:
- Firewalls fail.
- Passwords get stolen.
- Users make mistakes.
- Software contains vulnerabilities.
This is why IEC 62443 promotes a concept known as:
Defense in Depth
Defense in Depth means building multiple layers of protection so that if one security control fails, additional controls continue protecting the system.
Think of it as multiple barriers between an attacker and your critical assets.
The Castle Analogy
Imagine a medieval castle.
A king would not rely on a single wall.
Instead, he would use:
- A moat
- Outer walls
- Inner walls
- Guard towers
- Gates
- Guards
- Secure rooms
An attacker would have to defeat multiple layers to reach the target.
Industrial cybersecurity works the same way.
Why Defense in Depth Matters
Consider a real-world example.
A maintenance technician receives a phishing email.
The email installs malware on a corporate laptop.
Without layered protection:
Laptop
↓
IT Network
↓
OT Network
↓
SCADA
↓
PLC
The attack may reach the control system.
With Defense in Depth:
Laptop
↓
Endpoint Protection
↓
Firewall
↓
DMZ
↓
Firewall
↓
OT Monitoring
↓
PLC Network
Multiple security controls must fail before critical systems are exposed.
Layer 1 – Physical Security
Cybersecurity starts with physical security.
If someone can physically access equipment, they may bypass many cyber controls.
Examples:
- Locked control panels
- Locked server rooms
- Badge access
- Security cameras
- Visitor management
- Secured network cabinets
Real Plant Example
A PLC cabinet left unlocked on the production floor.
Potential risks:
- Unauthorized laptop connection
- USB device insertion
- Network cable connection
- Controller modification
A simple lock may prevent a serious security incident.
Layer 2 – Network Security
Network security controls communication between systems.
Examples:
- Firewalls
- VLANs
- NAT
- Industrial routers
- ACLs
- DMZ architecture
The objective is simple:
Allow only necessary communication.
Example
| Source | Destination | Traffic | Action |
|---|---|---|---|
| Historian | PLC | EtherNet/IP, Port 44818 | Allowed |
| Office PC | PLC | All traffic | Blocked |
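The allow-list above, written out as an added example (not code from the original post): a small default-deny conduit evaluator in Python. Zone names, the extra Modbus flow and the reverse-direction flow are constructed for illustration; they show that "only necessary communication" means matching source, destination, protocol, port and direction, not just opening a port.

```python
# Added example (not from the original post): a default-deny conduit
# policy evaluator modelled on the Historian -> PLC rule in the text.
# Zone names, the Modbus flow and the reverse-direction flow are
# constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One connection attempt crossing a conduit between two zones."""
    src: str    # initiating zone or host
    dst: str    # target zone or host
    proto: str  # "tcp" or "udp"
    port: int   # destination port


@dataclass(frozen=True)
class Rule:
    """An explicit permit. Anything that matches no rule is dropped."""
    src: str
    dst: str
    proto: str
    port: int
    comment: str = ""


# The only communication the process actually needs across this conduit.
CONDUIT_RULES = (
    Rule("historian", "plc", "tcp", 44818, "EtherNet/IP explicit messaging"),
)


def evaluate(flow: Flow, rules=CONDUIT_RULES) -> str:
    """Return "ALLOW" only when a rule matches every field of the flow,
    including direction; otherwise "DENY" (default deny)."""
    for r in rules:
        if (r.src, r.dst, r.proto.lower(), r.port) == (
            flow.src, flow.dst, flow.proto.lower(), flow.port
        ):
            return "ALLOW"
    return "DENY"


# Constructed sample traffic to run through the policy.
SAMPLE_FLOWS = (
    Flow("historian", "plc", "tcp", 44818),  # the one permitted flow
    Flow("office-pc", "plc", "tcp", 44818),  # right port, wrong source
    Flow("historian", "plc", "tcp", 502),    # same peers, unneeded Modbus port
    Flow("plc", "historian", "tcp", 44818),  # reverse direction, not needed
)


def audit(flows=SAMPLE_FLOWS, rules=CONDUIT_RULES):
    """Return [(flow, verdict), ...] so the policy can be reviewed as a whole."""
    return [(f, evaluate(f, rules)) for f in flows]


if __name__ == "__main__":
    for flow, verdict in audit():
        print(f"{verdict:5} {flow.src} -> {flow.dst} {flow.proto}/{flow.port}")
```

Running the script prints one verdict per sample flow; only the first is allowed. The same shape of table is what you would review on the real firewall or ACL between the two zones.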
Layer 3 – Endpoint Security
Endpoints are devices connected to the network.
Examples:
- Engineering Workstations
- SCADA Servers
- Historian Servers
- Operator PCs
- Industrial PCs
Protection methods include:
- Antivirus
- Endpoint Detection and Response (EDR)
- Application Whitelisting
- Patch Management
- Malware Protection
Why This Matters
Many industrial incidents begin on a workstation before spreading to control systems.
Protecting endpoints reduces the attack surface.
Layer 4 – Access Control
Not everyone needs access to everything.
IEC 62443 promotes:
Least Privilege
Users receive only the permissions necessary to perform their job.
Examples:
Operator
Can:
- Start machine
- Stop machine
- Acknowledge alarms
Cannot:
- Modify PLC logic
Engineer
Can:
- Modify programs
- Download logic
- Configure systems
Vendor
Can:
- Access assigned systems only
- Access during approved time windows
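The three roles above as an added authorization check in Python (example code, not from the original post). The permission names, the vendor account "acme_support", its assigned system and the 08:00 to 17:00 window are assumptions made for the example; the point is that the vendor's access is limited twice, by system and by time, on top of the role itself.

```python
# Added example (not from the original post): a least-privilege
# authorization check with the three roles from the text. The permission
# names, the vendor account "acme_support", its assigned system and the
# 08:00-17:00 window are constructed for illustration.
from datetime import datetime, time

# Role -> actions the role may perform. Operators cannot touch logic at all.
ROLE_PERMISSIONS = {
    "operator": {"start_machine", "stop_machine", "acknowledge_alarm"},
    "engineer": {"start_machine", "stop_machine", "acknowledge_alarm",
                 "modify_logic", "download_logic", "configure_system"},
    # Assumption: vendors get engineering actions, but only on assigned
    # systems and only inside an approved time window (checked below).
    "vendor": {"modify_logic", "download_logic", "configure_system"},
}

# Per-vendor-account scope: which systems, and when.
VENDOR_ASSIGNMENTS = {
    "acme_support": {
        "systems": {"plc-line1"},
        "window": (time(8, 0), time(17, 0)),
    },
}


def is_authorized(user: str, role: str, action: str, system: str,
                  now: datetime) -> tuple[bool, str]:
    """Return (allowed, reason). Every check is a separate denial reason
    so the audit log records why access was refused."""
    if action not in ROLE_PERMISSIONS.get(role, set()):
        return False, f"role '{role}' may not '{action}'"
    if role == "vendor":
        scope = VENDOR_ASSIGNMENTS.get(user)
        if scope is None:
            return False, f"vendor '{user}' has no assignment"
        if system not in scope["systems"]:
            return False, f"'{system}' is not assigned to '{user}'"
        start, end = scope["window"]
        if not (start <= now.time() <= end):
            return False, f"{now:%H:%M} is outside the approved window"
    return True, "ok"


if __name__ == "__main__":
    day = datetime(2024, 3, 12, 10, 0)      # constructed timestamps
    night = datetime(2024, 3, 13, 2, 15)
    for args in [
        ("jsmith", "operator", "modify_logic", "plc-line1", day),
        ("agarcia", "engineer", "modify_logic", "plc-line1", day),
        ("acme_support", "vendor", "download_logic", "plc-line1", day),
        ("acme_support", "vendor", "download_logic", "plc-line2", day),
        ("acme_support", "vendor", "download_logic", "plc-line1", night),
    ]:
        print(args[:4], is_authorized(*args))
```

Each denial carries its own reason string, which is what you want written to the access log: a vendor refused at 02:15 looks very different to an analyst than a vendor refused for an unassigned system.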
Multi-Factor Authentication (MFA)
Passwords alone are no longer enough.
MFA requires:
- Something you know
- Something you have
Example:
Password
+
Authentication App
Even if a password is stolen, attackers still need the second factor.
Layer 5 – Monitoring and Detection
Security controls should not only block threats.
They should also detect them.
Examples:
- Security Logs
- IDS (Intrusion Detection Systems)
- SIEM Platforms
- Network Monitoring
- Remote Access Logs
- Firewall Logs
Example
An engineer normally logs in during the day.
Suddenly:
2:15 AM
Foreign IP Address
Engineering Workstation Login
Monitoring systems can alert personnel to suspicious activity.
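The 2:15 AM scenario as an added detection example in Python (not code from the original post). The log format, the 10.10.0.0/16 plant address range, the 06:00 to 20:00 baseline and the three sample lines are all constructed; 203.0.113.45 comes from a documentation address range and stands in for the foreign IP. The detector keeps both reasons when a single login trips both checks.

```python
# Added example (not from the original post): a small detector for the
# scenario in the text, an engineering-workstation login at 2:15 AM from
# a foreign address. The log format, the 10.10.0.0/16 plant range, the
# 06:00-20:00 baseline and the sample lines are all constructed.
import ipaddress
from datetime import datetime

PLANT_NETWORKS = [ipaddress.ip_network("10.10.0.0/16")]  # constructed
NORMAL_HOURS = (6, 20)  # logins expected between 06:00 and 19:59

# Constructed sample log: two normal daytime logins, then the suspicious one.
# 203.0.113.0/24 is a documentation range, so it stands in for a foreign IP.
SAMPLE_LOG = """\
2024-03-12 09:02:11 login user=jsmith host=EWS-01 src=10.10.5.23 result=success
2024-03-12 14:37:48 login user=jsmith host=EWS-01 src=10.10.5.23 result=success
2024-03-13 02:15:03 login user=jsmith host=EWS-01 src=203.0.113.45 result=success
"""


def parse_line(line: str):
    """Split 'YYYY-MM-DD HH:MM:SS event key=value ...' into (datetime, fields)."""
    stamp = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
    fields = dict(tok.split("=", 1) for tok in line[19:].split() if "=" in tok)
    return stamp, fields


def analyze(log_text: str):
    """Return one alert per login that breaks the time or source baseline.
    A login can trip both checks; both reasons are kept for the analyst."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, f = parse_line(line)
        reasons = []
        if not (NORMAL_HOURS[0] <= stamp.hour < NORMAL_HOURS[1]):
            reasons.append("outside normal working hours")
        src = ipaddress.ip_address(f["src"])
        if not any(src in net for net in PLANT_NETWORKS):
            reasons.append("source address outside plant networks")
        if reasons:
            alerts.append({
                "time": stamp.strftime("%Y-%m-%d %H:%M"),
                "user": f["user"], "host": f["host"], "src": f["src"],
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"ALERT {a['time']} {a['user']}@{a['host']} from {a['src']}: "
              + "; ".join(a["reasons"]))
```

A SIEM rule does the same two comparisons at scale; the baseline values are the part that must come from your own plant, not from a vendor default.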
Layer 6 – Backup and Recovery
Backup and recovery is one of the most overlooked cybersecurity controls.
Even the best security program may eventually experience an incident.
Backups allow recovery.
Critical Backups
PLC Programs
- Studio 5000 Projects
- RSLogix 500 Files
HMIs
- FactoryTalk View Projects
- PanelView Applications
VFD Configurations
- Drive Parameters
- Backup Files
Switch Configurations
- Stratix Configurations
- VLAN Settings
Servers
- Historians
- Databases
- SCADA Systems
Recovery Testing
Many facilities perform backups.
Few verify recovery.
Ask yourself:
Can we actually restore the system?
Backups should be tested regularly.
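An added example in Python (not from the original post) of the first automated step toward answering "can we actually restore?": every backup listed in a manifest is checked for presence, for a matching SHA-256 and for age. The manifest layout, file names and seven-day limit are constructed for the example; passing these checks does not replace restoring onto spare hardware, but a backup that fails them will certainly not restore.

```python
# Added example (not from the original post): an automated first pass at
# "can we actually restore?" It checks that every backup listed in a
# manifest exists, matches its recorded SHA-256 and is not stale. The
# manifest layout, file names and 7-day limit are constructed; a real
# restore test on spare hardware is still the final proof.
import hashlib
import os
import tempfile
import time

MAX_AGE_DAYS = 7  # constructed policy: anything older is flagged


def sha256_of(path: str) -> str:
    """Stream the file so large project archives do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_backups(manifest, now=None):
    """manifest: iterable of {"name", "path", "sha256"}.
    Returns [(name, finding)] for every backup that would not restore
    cleanly; an empty list means all checks passed."""
    now = time.time() if now is None else now
    findings = []
    for item in manifest:
        path = item["path"]
        if not os.path.isfile(path):
            findings.append((item["name"], "MISSING"))
            continue
        if sha256_of(path) != item["sha256"]:
            findings.append((item["name"], "CHECKSUM MISMATCH"))
            continue
        age_days = (now - os.path.getmtime(path)) / 86400
        if age_days > MAX_AGE_DAYS:
            findings.append((item["name"], f"STALE ({age_days:.0f} days old)"))
    return findings


def demo():
    """Build a throwaway backup folder with one good, one stale, one
    corrupted and one missing backup, then run the verification."""
    root = tempfile.mkdtemp()

    def write(name, data):
        p = os.path.join(root, name)
        with open(p, "wb") as fh:
            fh.write(data)
        return p

    good = write("Line1_PLC.ACD", b"constructed Studio 5000 project bytes")
    stale = write("Line2_PLC.RSS", b"constructed RSLogix 500 project bytes")
    old = time.time() - 30 * 86400
    os.utime(stale, (old, old))               # make it 30 days old
    hmi = write("Line1_HMI.apa", b"HMI project, modified after manifest")

    manifest = [
        {"name": "Line1_PLC", "path": good, "sha256": sha256_of(good)},
        {"name": "Line2_PLC", "path": stale, "sha256": sha256_of(stale)},
        # Recorded hash belongs to an older copy, so the file no longer matches.
        {"name": "Line1_HMI", "path": hmi,
         "sha256": hashlib.sha256(b"HMI project as originally backed up").hexdigest()},
        {"name": "Stratix_sw01", "path": os.path.join(root, "sw01.cfg"),
         "sha256": "0" * 64},                 # never actually backed up
    ]
    return verify_backups(manifest)


if __name__ == "__main__":
    for name, finding in demo():
        print(f"{name}: {finding}")
```

Run on a schedule, the three findings it reports (missing, mismatched, stale) are the ones that most often turn a bad day into a long outage.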
Layer 7 – Incident Response
Every facility should have a response plan.
Questions to answer:
- Who gets called?
- How do we isolate systems?
- How do we restore operations?
- Who communicates with management?
- Who works with vendors?
Preparation reduces downtime.
Defense in Depth and the Purdue Model
Defense in Depth exists at every level.
| Purdue Level | Security Layers |
|---|---|
| Level 5 | Corporate Security |
| Level 4 | Business Firewalls |
| DMZ | Secure Data Exchange |
| Level 3 | Operations Monitoring |
| Level 2 | SCADA Security |
| Level 1 | PLC Security |
| Level 0 | Physical Process Protection |
Each layer contributes to overall resilience.
Defense in Depth and IEC 62443
Defense in Depth directly supports the IEC 62443 foundational requirements.
Examples:
| Requirement | Defense Layer |
|---|---|
| FR1 Authentication | MFA, User Accounts |
| FR2 Use Control | RBAC |
| FR3 Integrity | Antivirus, Whitelisting |
| FR4 Confidentiality | Encryption |
| FR5 Data Flow | Firewalls, VLANs |
| FR6 Event Response | Monitoring |
| FR7 Availability | Backups, Redundancy |
This is why Defense in Depth is a cornerstone of industrial cybersecurity.
Common Mistakes
Avoid These
❌ Relying on a single firewall
❌ Shared administrator accounts
❌ No PLC backups
❌ No monitoring
❌ Flat networks
❌ No DMZ
❌ No vendor access control
❌ No recovery testing
❌ No incident response plan
A chain is only as strong as its weakest link.
Real Example: Protecting a Bottling Line
A modern bottling line might include:
- CompactLogix PLC
- PanelView HMI
- Stratix Switch
- PowerFlex Drives
- Historian
- ERP Connection
Defense in Depth may include:
| Layer | Control |
|---|---|
| Physical | Locked PLC panel |
| Network | Firewalls and VLANs |
| Endpoint | Protected engineering workstation |
| Access | Role-based permissions |
| Monitoring | Security logs |
| Recovery | PLC backups |
| Response | Documented procedures |
No single control protects the line.
The combination of controls does.
Practical Checklist for Automation Technicians
Ask yourself:
✅ Are PLC cabinets locked?
✅ Are networks segmented?
✅ Are engineering laptops protected?
✅ Are user accounts unique?
✅ Are backups current?
✅ Are switch configurations backed up?
✅ Is remote access controlled?
✅ Is monitoring enabled?
✅ Have recovery procedures been tested?
The more “Yes” answers, the stronger your security posture.
Final Thoughts
Defense in Depth is one of the most important principles in industrial cybersecurity.
No single device, software package, or firewall can completely protect an industrial control system.
True security comes from combining multiple layers of protection that work together to reduce risk, improve resilience, and support safe operations.
For automation professionals, Defense in Depth means thinking beyond individual devices and viewing security as a complete system of people, processes, and technology.
The goal is not to eliminate all risk.
The goal is to make successful attacks significantly more difficult and to recover quickly if an incident occurs.