Defence in depth
One of the oft stated mantra’s of both system safety and cyber-security is that a defence in depth is required if you’re really serious about either topic. But what does that even mean? How deep? And depth of what exactly? Jello? Cacti? While such a statement has a reassuring gravitas, in practice it’s void of meaning unless you can point to an exemplar design and say there, that is what a defence in depth looks like.
In the spirit of proof by construction let’s consider the dictum of ‘defence in depth’ from the perspective of medieval castle designers. Their problem was to keep the bad guys out and the good guys safe, which seems a close analog to some of our cybersecurity problems we face today*. Looking first to their operational purpose castles were always carefully sited to achieve some strategic objective, and subsequently to take the maximum advantage of the terrain. For example being placed on a hilltop for visibility of the surrounding countryside or in the bend of a river to add a natural barrier to the defences.
Now if you look at a good castle design, you’ll general find a series of concentric defences, with each interior ring being higher and tougher to overcome than the next outer ring. That is, not only is the next inner ring tougher to breach, but that inner ring can in turn help support the outer one. Access points are heavily protected, easily isolable (think drawbridge and portcullis) and rotated around the perimeter wall of each ward, thereby mimimising the risk of what we’d nowadays call a common cause or cascading failure in the defences.
There’s another critical aspect of castle access design which should be borne in mind and that’s the trade-off between access and security. Obviously a point of access is a weakness that’s exploitable, but no access at all is unworkable and so a trade-off needs to be made. One way in which this was be accommodated by castle designers was to allow greater access in the outer wards, the majority of the castle’s footprint, while providing lesser access and applying greater fortification to the inner smaller wards. Because only small areas of the castle were more highly protected this in turn kept the cost of construction down as well as the cost of defending the consequentially smaller perimeter. Thus we expend our greatest effort in protecting a small central keep or redoubt, rather than trying to be impregnable everywhere. As always if you attempt to protect everything, you usually end up protecting nothing.
The final lesson of the castle metaphor is that a castle is only as strong as it’s defenders, if weak points are not actively protected, the integrity of the defences maintained and a watch kept on the surrounding countryside then all the technology of the castle will not protect the inhabitants. Thus a defence in depth is only ever as effective as it’s resourcing, which in turn is predicated on the value of that which the defences are intended to protect.
*For nuclear safety, where the term is ‘defence in depth’ is much loved by the NRC, one can think of it as the ‘inverse castle’ or prison metaphor, that is we have a lot of bad stuff that we want to keep inside.