Security layers

Security layers of protection Also known as concentric rings of protection, a concept of providing multiple independent and overlapping layers of protection in depth. For security purposes, this may include various layers of protection such as countersurveillance, counterintelligence, physical security, and cyber security. 

In the case of malicious acts, the layers or rings of protection must be particularly robust because the adversaries are intentionally attempting to breach the protective features and can be counted on to use whatever means are available to be successful. This could include explosions or other initiating events that result in widespread common-cause failures. Some particularly motivated adversaries might commit suicide while attempting to breach the security layers of protection. 

Ideally, in a perfect world, all chemical facilities would be secured in a layered fashion (aka the barrier approach). Layered security systems are vital. Using the protection in-depth principle, requiring that an adversary defeat several protective barriers or security layers to accomplish its goal, chemical industry infrastructure can be made more secure. Protection in depth is a term commonly used by the military to describe security measures that reinforce one another, masking the defense mechanisms from the view of intruders, and allowing the defender time to respond to intrusion or attack. 

For example, as depicted in figure 9.1, an effective security layering approach requires that an adversary penetrate multiple, separate barriers to gain entry to a critical target at a chemical industry facility. As shown in figure 9.1, protection in depth (multiple layers of security) helps to ensure that the security system remains effective in the event of a failure or an intruder bypassing a single layer of security. 

To deal with security in heterogeneous networks, Y-Comm employs a multilayer security module which is described in [3]. As shown in Pig. 16.4, the security layers in Y-Comm work together across both frameworks in order to be fully integrated with the new architecture. The highest layer of security is at layer seven and is called Service and Application Security or SAS. In the Peripheral Framework, SAS layer defines the A3C functions at the end-device and is used to authenticate users and applications. SAS in the Core Framework provides A3C functions for services on the Service Platform in the core network. The next security layer is called QoS-Based Security or QBS and is concerned with QoS issues and the changing QoS demands of the mobile environment as users move around, the QBS layer also attempts to block QoS related attacks, such as DoS attacks on networks and servers. 

In order to build a real security framework it is necessary to develop security protocols which implement the respective functionalities. A number of authentication and key agreement (AKA) protocols were developed which provide the func-tionahty of some of the layers of the ISM. The PL-AKA protocols could be used in the SAS Layer. It authenticates users to use mobile terminals, etc. The NL-AKA and SL-AKA protocols could be used in the NAS and NTS security layers. There are two network level protocols the first, called Initial NL-AKA, is used to connect users to a network. There is another NL-AKA protocol concerned with handover called the Handover NL-AKA. Similarly, the SL-AKA level which is concerned with the interaction between the user and a given service also has initial and mobile variants. However, the functionahty of the QBS layer is defined by integrating the AKA framework with the QoS signalling models described in the previous section. 

Tag authentication is another security mechanism that authenticates the tag to the reader and protects against tag counterfeiting. There are several protocols proposed for this purpose. For example, Vajda and Buttyan (2003) propose and analyze several lightweight tag authentication protocols. Similarly, Feldhofer (2004) proposes the simple authentication and security layer (SASL) protocol with AES encryption and analyzes the hardware requirements (Feldhofer, 2004 Knospe Pohl, 2004 Wong Phan, 2006). 

Feldhofer, M. (2004). A proposal for authentication protocol in a security layer for RFID smart tags. In Proceedings of the 12" IEEE Mediterranean Electrotechnical Conference iflELECON), Dubrovnik. 

Layered security—A physical security approach that requires a criminal to penetrate or overcome a series of security layers before reaching the target. The layers might be perimeter barriers building or area protection with locks, CCTV, and guards and point and trap protection using safes, vaults, and sensors. 

Security can get rather complicated. Protection of different assets will involve a range of technologies to produce the number of security layers needed. 

From the point of view of the optical security, each layer is defined as an independent information layer. This enables a security layer structure in which nano-scale layers implement covertness and macro-scale layers implement overtness. The former is technically difficult to access and is non-duplicatable, whereas the latter is easy to access and is mass-producable. 

By using the security modules, the system will not end up in fail-safe mode in the case of altered content in the PROFIsafe container, since such failures and/or modifications will be discarded by the security layer, as discussed in section 4.4. This is a positive side effect that will contribute to the overall availability. 

In Section 5 we propose and discuss the concept of security modules a security software layer, to retrofit security in PROFINET lO and PROFIsafe without any changes in the transmission system or standards. If the risk of security threats is not negligible, security modules can be used to add a security layer between PROFINET lO and PROFIsafe to reduce the possibihties of security attacks, and increase the overall availability. In addition for the studied system, the security modules will not forward safety containers that indicate compromised integrity, thus not putting the system in fail-safe mode due to spurious attacks on safety containers. 

There are many potential ways to add this extra security layer. One is to require users to enter a password (on either the device or the ICEbox) in order to complete the introduction step. While such a solution is simple to implement, it has all the problems of traditional password solutions [1] it requires that users remember the password, requires that they perform an extra step at each introduction, and requires that we provide extra UI mechanisms to enter, change, and manage the password. 

---