Featured Image

Building an Advanced Cybersecurity Plan: Access Control

Access control in an advanced cybersecurity plan go well beyond usernames and passwords. It means defining, implementing, and monitoring rules to control which persons and systems may access resources within your company’s network and computer systems.
Jun 03, 2022

“Access control” includes the definition, implementation, and monitoring of rules to control which persons and systems have authority to access resources within a company’s network and computer systems. This goes well beyond assigning credentials (usernames and passwords) to those who have access to the network. Implementation of access control policies should address which systems and which content a user can access within those systems. A simple example of this would be the controls that allow individual customer service personnel access to order status and shipping information but blocks them from accessing customer financial information.

The definitions and implementation of access controls in an advanced cybersecurity plan go well beyond this simple example. The rules for granting access to network and system resources should be broken down to a very granular level to address (1) user rights and methods to access individual systems and functions within those systems, (2) the definition of whether individual users have read, write, and/or edit capabilities for each system and function, and (3) the definition of how software systems (either inside or outside a business) interact with other systems – much the same as if those systems were another type of user.

When defining the criteria for access control, some fundamental rules should be considered:

  • Define unique sets of rules for accessing system resources for each different type of user and software system – be as granular as possible.

  • Grant access only to those systems and functions within a system required for a specific individual’s job.

  • Do not grant access privileges greater than necessary for one’s job responsibilities.

  • Segregate access between those who can view information from those who can change/edit information.

  • Restrict administrative rights (ability to change the configuration of any software or hardware resource) to a carefully vetted set of users

  • Treat access to the internet, or any other connection to resources outside the company, with the same rules as are applied to systems within the company – grant access to only that which is necessary to successfully complete required tasks.

A key part of this interaction mapping addresses the access and exchange of information between software systems and databases within a network infrastructure. Applying access control criteria to each of these interfaces is an important element that needs to be incorporated into an advanced cybersecurity plan – an element that is often overlooked by many companies. A majority of cybersecurity breaches are the result of an attack on a weak link in security defenses and then using the interfaces between systems to penetrate deeper into a company’s resources.

From personal experience, I can attest that the above scenario is real. At our small office, our monthly phone bill for long-distance services was typically around $200 (yes, way back in the day when we had landlines and paid for long-distance services). One month, our bill came in at $85,000. Hackers had found a vulnerability in our fax service and were able to tunnel through the fax system to gain access to our phone system. They were then selling long-distance international phone service hosted through our system. This is just one example of how security breaches can come from any direction and why every point of access to a company’s network and every interface between systems within the network needs to be individually addressed to block unauthorized access. Today’s hackers are a lot more sophisticated, and security breaches can be a lot more expensive.

Applying access control functions between systems within a company’s infrastructure has a lot of parallels to adding locks on doors within your facility – if an intruder penetrates one lock, they have limited access until they find a way to penetrate the next lock. A common security failure encountered at many companies is that they have their one favorite security method that they deploy throughout their system (which makes things easy). This is the same as having locked doors to control access throughout your facility and all doors using the same key. While it may take more resources to implement different security tools dispersed throughout a business’s network, such an effort is necessary to improve the reliability of your security implementation.

Another key factor in implementing access controls for an advanced cybersecurity plan is to verify that the security plan is functioning as expected. This includes:

  • Monitor who is accessing systems and information within the network

  • Limit login attempts for individual sets of credentials and lock out a user after successive failed attempts

  • Implement active warning methods to notify and log specific approved and non-approved system access

  • Implement time-based lockout on inactivity and for any highly restricted access sessions

  • Monitor and record all remote access

  • Encrypt all remote access

  • For wireless access, implement separate methods for network access and account access

  • Consider tablet and cell phone access as both an interface to a company’s network and as an access point to the outside world

Access control is a complex subject and demands a high level of attention as part of the development and implementation of an advanced cybersecurity plan. For more details on addressing access control, you may want to reference Section 3.1 Access Control in NIST standard SP 800-171.

For more on this topic, we invite you to explore the Building an Advanced Cybersecurity Plan article series.

Part 1: Engagement and Reinforcement

Part 2: Interaction Mapping

Part 3: Access Control

Part 4: Electronic Media Protection

Part 5: Identification and Authentication

Part 6: Activity Logging, Auditing, and Traceability

Part 7: Network Resource Configuration Management

Part 8: Communications, Network, and Database Security 

Part 9: Personnel and Infrastructure Security

Part 10: Maintenance and Incident Response

Part 11: Risk Assessment and Vulnerabilities Testing

John Turner
Director of Technology for FA Consulting & Technology (FAC&T) and member of the MTConnect Institute.
Recent technology News
Any cybersecurity implementation involves a trade-off between a company’s tolerance for risk and the effort and costs associated with protecting the company’s resources and customers. Learn how to assess risk and test for vulnerabilities in your network.
A company's cybersecurity plan requires constant monitoring and maintenance in order to effectively detect, analyze, contain, recover, and prevent attacks. Learn what steps personnel should take when an incident is detected and how to maintain the system.
You can set up free machine monitoring in as little as 30 minutes using a tool created by the great folks at Oak Ridge National Laboratory (ORNL)...
Ultra-premium, bougie digital twin. Michigan incentivizes industry 4.0 embrace. Metal health. "Go hug a driver or hug a worker in a distribution center."
A key aspect of any advanced cybersecurity plan is oversight and management of company and supplier personnel to address events originating within a company – intentional or not. Find out what considerations should be made when implementing your plan.
Similar News
By Kristin Bartschi | May 05, 2022

We’ve seen an exponential growth in investments into robotics companies formed in the last 10 years, and every indicator suggests that this is just the start. There’s a growing demand for robotics and automation in the United States.

5 min
By Gary Vasilash | Jan 26, 2023

Manufacturing companies the world over are embracing robots in a big way. While U.S. companies have long been deploying the equipment, there are still great opportunities that can be realized ...

10 min
By AMT | Jan 25, 2023

Check in for the highlights, headlines, and hijinks that matter to manufacturing. These lean news items keep you updated on the latest developments.

6 min