
Defense in depth in OT cybersecurity

Practitioner Lesson 1/2 6 min


No single barrier is perfect. Defense in depth stacks several independent layers of protection, so that one flaw is never enough to reach the process.

A single barrier is never enough

In industrial cybersecurity, no protection is foolproof: a firewall can be bypassed, a password leaks, a patch is late. Defense in depth answers this reality: instead of betting everything on one barrier, you stack several, independent ones. To reach the process, an attacker would have to cross them all — which becomes very hard.

The layers

From the outside toward the process:

  • Network segmentation: cut into zones (Purdue model), with an industrial DMZ between IT and OT. Nothing crosses directly.
  • Access control: who can connect, to what, how. Named accounts, strong authentication, remote access controlled through a jump server.
  • Hardening: disable what is unused, close needless ports, remove default accounts.
  • Patch management: keep systems up to date — a challenge in OT, where you do not restart a process for a patch.
  • Detection: an industrial intrusion detection probe (IDS) that learns normal traffic and alerts on the abnormal.
  • Backups & recovery plan: be able to restore a controller or a workstation after an incident.

The guiding principle

The guiding thread is the independence of the layers. If they all share the same weak point (the same password, the same flat network), the depth is an illusion. Each layer must hold even if the previous one has fallen. It is the same spirit as defense in depth in nuclear safety or functional safety: never depend on a single barrier.

Zones, conduits and security levels

The IEC 62443 standard formalises this approach with two notions: zones (groups of equipment of the same criticality and trust) and conduits (the controlled communication channels between zones). To each zone you assign a target security level (SL-T) according to the attacker profile to counter, then verify the achieved SL (SL-A):

SL    Attacker to counter
SL 1  accidental error or violation
SL 2  simple attacker, generic means, low resources
SL 3  sophisticated attacker, OT-specific means, moderate resources
SL 4  sophisticated attacker, extended resources (state level)

You protect each conduit at the level of the most demanding zone it connects. This architecture builds directly on the Purdue model and on the OT / IT distinction.
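As an added illustration that is not part of this lesson, the zone and conduit rules above written as a small consistency check: each zone's SL-A is compared to its SL-T, and each conduit is required to reach the SL-T of the most demanding zone it connects. The zone names, level values and conduit list are constructed sample data, not a real architecture.

```python
"""Zone / conduit security-level gap check, in the spirit of IEC 62443.

Added example; zone names, SL values and conduits are constructed sample data.
"""
from dataclasses import dataclass


@dataclass
class Zone:
    name: str
    sl_target: int    # SL-T: level required for the attacker profile to counter (1-4)
    sl_achieved: int  # SL-A: level actually reached by the measures in place


@dataclass
class Conduit:
    name: str
    zones: tuple      # the two zone names this communication channel connects
    sl_achieved: int  # SL-A of the conduit's own protections (firewall, proxy, ...)


def required_conduit_sl(conduit, zones_by_name):
    """A conduit must be protected at the level of the most demanding zone it connects."""
    return max(zones_by_name[z].sl_target for z in conduit.zones)


def find_gaps(zones, conduits):
    """Return findings where the achieved level (SL-A) falls short of what SL-T demands."""
    by_name = {z.name: z for z in zones}
    gaps = []
    for z in zones:
        if z.sl_achieved < z.sl_target:
            gaps.append(f"zone {z.name}: SL-A {z.sl_achieved} < SL-T {z.sl_target}")
    for c in conduits:
        need = required_conduit_sl(c, by_name)
        if c.sl_achieved < need:
            gaps.append(f"conduit {c.name}: SL-A {c.sl_achieved} < required SL {need}")
    return gaps


# Constructed sample: enterprise IT, industrial DMZ, control zone (Purdue-style).
SAMPLE_ZONES = [
    Zone("enterprise-it", sl_target=1, sl_achieved=1),
    Zone("industrial-dmz", sl_target=2, sl_achieved=2),
    Zone("control", sl_target=3, sl_achieved=2),  # hardening and patching not yet complete
]
SAMPLE_CONDUITS = [
    Conduit("it-to-dmz", ("enterprise-it", "industrial-dmz"), sl_achieved=2),
    Conduit("dmz-to-control", ("industrial-dmz", "control"), sl_achieved=2),  # control demands SL 3
]

if __name__ == "__main__":
    for finding in find_gaps(SAMPLE_ZONES, SAMPLE_CONDUITS):
        print(finding)
```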

In practice

Defense in depth is not a product you buy; it is an architecture you design. A concrete implementation example — segmentation, DMZ, proxy, detection — is detailed in the article Exchanging data between 2 OT controllers.