Featured Image

Building an Advanced Cybersecurity Plan: Access Control

Access control in an advanced cybersecurity plan go well beyond usernames and passwords. It means defining, implementing, and monitoring rules to control which persons and systems may access resources within your company’s network and computer systems.
Jun 03, 2022

“Access control” includes the definition, implementation, and monitoring of rules to control which persons and systems have authority to access resources within a company’s network and computer systems. This goes well beyond assigning credentials (usernames and passwords) to those who have access to the network. Implementation of access control policies should address which systems and which content a user can access within those systems. A simple example of this would be the controls that allow individual customer service personnel access to order status and shipping information but blocks them from accessing customer financial information.

The definitions and implementation of access controls in an advanced cybersecurity plan go well beyond this simple example. The rules for granting access to network and system resources should be broken down to a very granular level to address (1) user rights and methods to access individual systems and functions within those systems, (2) the definition of whether individual users have read, write, and/or edit capabilities for each system and function, and (3) the definition of how software systems (either inside or outside a business) interact with other systems – much the same as if those systems were another type of user.

When defining the criteria for access control, some fundamental rules should be considered:

  • Define unique sets of rules for accessing system resources for each different type of user and software system – be as granular as possible.

  • Grant access only to those systems and functions within a system required for a specific individual’s job.

  • Do not grant access privileges greater than necessary for one’s job responsibilities.

  • Segregate access between those who can view information from those who can change/edit information.

  • Restrict administrative rights (ability to change the configuration of any software or hardware resource) to a carefully vetted set of users

  • Treat access to the internet, or any other connection to resources outside the company, with the same rules as are applied to systems within the company – grant access to only that which is necessary to successfully complete required tasks.

A key part of this interaction mapping addresses the access and exchange of information between software systems and databases within a network infrastructure. Applying access control criteria to each of these interfaces is an important element that needs to be incorporated into an advanced cybersecurity plan – an element that is often overlooked by many companies. A majority of cybersecurity breaches are the result of an attack on a weak link in security defenses and then using the interfaces between systems to penetrate deeper into a company’s resources.

From personal experience, I can attest that the above scenario is real. At our small office, our monthly phone bill for long-distance services was typically around $200 (yes, way back in the day when we had landlines and paid for long-distance services). One month, our bill came in at $85,000. Hackers had found a vulnerability in our fax service and were able to tunnel through the fax system to gain access to our phone system. They were then selling long-distance international phone service hosted through our system. This is just one example of how security breaches can come from any direction and why every point of access to a company’s network and every interface between systems within the network needs to be individually addressed to block unauthorized access. Today’s hackers are a lot more sophisticated, and security breaches can be a lot more expensive.

Applying access control functions between systems within a company’s infrastructure has a lot of parallels to adding locks on doors within your facility – if an intruder penetrates one lock, they have limited access until they find a way to penetrate the next lock. A common security failure encountered at many companies is that they have their one favorite security method that they deploy throughout their system (which makes things easy). This is the same as having locked doors to control access throughout your facility and all doors using the same key. While it may take more resources to implement different security tools dispersed throughout a business’s network, such an effort is necessary to improve the reliability of your security implementation.

Another key factor in implementing access controls for an advanced cybersecurity plan is to verify that the security plan is functioning as expected. This includes:

  • Monitor who is accessing systems and information within the network

  • Limit login attempts for individual sets of credentials and lock out a user after successive failed attempts

  • Implement active warning methods to notify and log specific approved and non-approved system access

  • Implement time-based lockout on inactivity and for any highly restricted access sessions

  • Monitor and record all remote access

  • Encrypt all remote access

  • For wireless access, implement separate methods for network access and account access

  • Consider tablet and cell phone access as both an interface to a company’s network and as an access point to the outside world

Access control is a complex subject and demands a high level of attention as part of the development and implementation of an advanced cybersecurity plan. For more details on addressing access control, you may want to reference Section 3.1 Access Control in NIST standard SP 800-171.


For more on this topic, we invite you to explore the Building an Advanced Cybersecurity Plan article series.

Part 1: Engagement and Reinforcement

Part 2: Interaction Mapping

Part 3: Access Control

Part 4: Electronic Media protection

PicturePicture
Author
John Turner
Director of Technology for FA Consulting & Technology (FAC&T) and member of the MTConnect Institute.
Recent technology News
Any advanced cybersecurity plan should address electronic media in both the IT and the OT networks. Devices like CDs, flash drives, and more are problematic since each is an interface to your company’s network, introducing possible security threats.
The MTConnect Institute announces the release of MTConnect Version 2.0. The 2.0 version of the free, open, model-based standard that supports semantics for discrete manufacturing is a significant advancement from previous versions.
A look at what some of the job shops in the United States are doing.
Check in for the highlights, headlines, and hijinks that matter to manufacturing. These lean news items keep you updated on the latest developments.
To build or enhance your company's cybersecurity plan, one of the first steps to consider is mapping out all access points to your company’s systems and network, including the interaction points between various systems within and outside the network.
Similar News
undefined
Technology
By John Turner | May 02, 2022

Cybersecurity protects your – and your clients' – assets. This series dives into how you can integrate a successful cybersecurity plan. From company culture to training and maintaining your personnel, creating a safe business environment starts here.

5 min
undefined
Technology
By John Turner | May 06, 2022

To build or enhance your company's cybersecurity plan, one of the first steps to consider is mapping out all access points to your company’s systems and network, including the interaction points between various systems within and outside the network.

5 min
undefined
Technology
By John Turner | Jun 17, 2022

Any advanced cybersecurity plan should address electronic media in both the IT and the OT networks. Devices like CDs, flash drives, and more are problematic since each is an interface to your company’s network, introducing possible security threats.

7 min