Defense-in-depth (also defense in depth) is
"an information security strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and missions of the organization."

"[t]he DoD approach for establishing an adequate IA posture in a shared-risk environment that allows for shared mitigation through: the integration of people, technology, and operations; the layering of IA solutions within and among IT assets; and, the selection of IA solutions based on their relative level of robustness."

"[a] [c]ybersecurity strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and missions of the organization."
Achieving defense-in-depth requires placing multiple, diverse barriers in front of a potential attacker. Defense-in-depth starts with an overall cybersecurity policy that calls for multiple measures and employs cybersecurity strategies such as identification, authentication, and authorization, admission control, encryption, integrity checking, detection of policy violations, data logging, and data auditing. For more sophisticated equipment, these strategies may be a straightforward element bundled within the existing software. For older, "dumber" equipment, such as simple control systems, enabling this capability may be difficult or impossible, necessitating other cybersecurity strategies. Effective cybersecurity often encompasses physical as well as technological measures: restricted access to server rooms, locks on smart meters, and security fencing and security cameras at key substations, for example.
"Defense-in-depth requires widely distributed intrusion detection activities to recognize and describe activities that are different from the normal pattern or fit known "bad" patterns, and to limit and contain the access across networks that a malicious user may exploit. The nature and scope of the incident, effects, cause, and vulnerability must be determined. After an intrusion is detected, incident information must be reported through established channels to appropriate authorities, specialized analysis, and response centers."
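The two passages above describe layered technical barriers (authentication, authorization, admission control, integrity checking, policy checking, logging and auditing) and an intrusion-detection function that recognizes activity outside the normal pattern and describes its nature and scope. The following Python program is an added illustration, not code from any of the cited standards: each request is pushed through the barriers in turn, the first failing layer denies it, every decision is written to an audit log, and a detector then reads that log to report which principals kept hitting which barriers. The tokens, roles, HMAC key, rate limit, breaker range and the six sample requests are all constructed for the demonstration.

```python
"""Layered request handling as an illustration of defense-in-depth.

Added example, not taken from the cited standards. Every request must pass
authentication, authorization, admission control, integrity checking and
policy checking in turn; each decision is logged for auditing; a detector
then reads the audit log and describes which principals exceeded the normal
pattern of denials and at which barriers. All identities, keys, roles and
sample requests below are constructed for the demonstration.
"""
import hashlib
import hmac
import json
from collections import defaultdict

API_TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}    # constructed tokens
ROLES = {"alice": {"operator"}, "bob": {"viewer"}}         # constructed roles
PERMISSIONS = {"read_meter": {"viewer", "operator"}, "set_breaker": {"operator"}}
HMAC_KEY = b"constructed-demo-key-not-for-real-use"
RATE_LIMIT = 3              # admission control: requests allowed per principal
VALID_BREAKERS = range(1, 9)  # constructed policy: only breakers 1..8 exist

AUDIT_LOG = []                       # every decision, allow or deny
_request_counts = defaultdict(int)   # admission-control state per principal


def sign(body: bytes) -> str:
    """Integrity tag a legitimate client attaches to the request body."""
    return hmac.new(HMAC_KEY, body, hashlib.sha256).hexdigest()


def authorized(user, action):
    """Authorization: the user's roles must intersect the action's allowed roles."""
    return bool(ROLES.get(user, set()) & PERMISSIONS.get(action, set()))


def admitted(user):
    """Admission control: a simple per-principal request budget."""
    _request_counts[user] += 1
    return _request_counts[user] <= RATE_LIMIT


def intact(req):
    """Integrity check: the HMAC over the body must match the attached tag."""
    return hmac.compare_digest(sign(req.get("body", b"")), req.get("mac", ""))


def within_policy(action, body):
    """Known-bad pattern check: unknown action, unparseable or out-of-range parameter."""
    if action not in PERMISSIONS:
        return False
    try:
        params = json.loads(body)
    except ValueError:
        return False
    return params.get("breaker", 1) in VALID_BREAKERS


def audit(user, action, decision, failed_layer):
    """Data logging: record the decision so it can be audited and analysed later."""
    entry = {"user": user or "unknown", "action": action,
             "decision": decision, "failed_layer": failed_layer}
    AUDIT_LOG.append(entry)
    return entry


def process(req):
    """Push the request through each barrier; the first failing layer denies it."""
    user = API_TOKENS.get(req.get("token"))
    action = req.get("action")
    body = req.get("body", b"")
    barriers = [  # evaluated lazily so a failed layer stops the later ones
        ("authentication", lambda: user is not None),
        ("authorization", lambda: authorized(user, action)),
        ("admission", lambda: admitted(user)),
        ("integrity", lambda: intact(req)),
        ("policy", lambda: within_policy(action, body)),
    ]
    for name, passed in barriers:
        if not passed():
            return audit(user, action, "deny", name)
    return audit(user, action, "allow", None)


def detect_incidents(log, threshold=2):
    """Detection: principals whose denial count exceeds the normal pattern,
    described by the set of barriers they were stopped at."""
    denials = defaultdict(list)
    for entry in log:
        if entry["decision"] == "deny":
            denials[entry["user"]].append(entry["failed_layer"])
    return {u: sorted(set(layers)) for u, layers in denials.items()
            if len(layers) >= threshold}


def run_demo():
    """Constructed requests; returns (failed layer per request, incident report)."""
    AUDIT_LOG.clear()
    _request_counts.clear()
    good = b'{"meter": 7}'
    requests = [
        {"token": "tok-alice", "action": "read_meter", "body": good, "mac": sign(good)},
        {"token": "tok-bob", "action": "set_breaker", "body": good, "mac": sign(good)},     # viewer role
        {"token": "tok-alice", "action": "set_breaker", "body": b'{"breaker": 2}',
         "mac": sign(b'{"breaker": 1}')},                                                  # body altered after signing
        {"token": "tok-mallory", "action": "read_meter", "body": good, "mac": sign(good)},  # unknown token
        {"token": "tok-alice", "action": "set_breaker", "body": b'{"breaker": 99}',
         "mac": sign(b'{"breaker": 99}')},                                                 # valid tag, bad parameter
        {"token": "tok-alice", "action": "read_meter", "body": good, "mac": sign(good)},    # 4th request: over budget
    ]
    outcomes = [process(r)["failed_layer"] for r in requests]
    return outcomes, detect_incidents(AUDIT_LOG)


if __name__ == "__main__":
    print(run_demo())
```

Running it shows the point of layering: the third request carries a valid token and an authorized role, yet the integrity layer still stops it; the fifth passes every earlier layer and is stopped by the policy check alone; and the audit log lets the detector single out "alice" as the one principal denied at several different barriers, which is the "nature and scope" information an incident report needs.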
- NIST Special Publication 800-39, at H-4, n. 77.
- DoD Directive 8500.1, at 18.
- Electricity Subsector Cybersecurity Risk Management Process, at 63.
- Overview section: A Comparison of Cross-Sector Cyber Security Standards, at 11.