Featured Image

Building an Advanced Cybersecurity Plan: Access Control

Access control in an advanced cybersecurity plan go well beyond usernames and passwords. It means defining, implementing, and monitoring rules to control which persons and systems may access resources within your company’s network and computer systems.
Jun 03, 2022

“Access control” includes the definition, implementation, and monitoring of rules to control which persons and systems have authority to access resources within a company’s network and computer systems. This goes well beyond assigning credentials (usernames and passwords) to those who have access to the network. Implementation of access control policies should address which systems and which content a user can access within those systems. A simple example of this would be the controls that allow individual customer service personnel access to order status and shipping information but blocks them from accessing customer financial information.

The definitions and implementation of access controls in an advanced cybersecurity plan go well beyond this simple example. The rules for granting access to network and system resources should be broken down to a very granular level to address (1) user rights and methods to access individual systems and functions within those systems, (2) the definition of whether individual users have read, write, and/or edit capabilities for each system and function, and (3) the definition of how software systems (either inside or outside a business) interact with other systems – much the same as if those systems were another type of user.

When defining the criteria for access control, some fundamental rules should be considered:

  • Define unique sets of rules for accessing system resources for each different type of user and software system – be as granular as possible.

  • Grant access only to those systems and functions within a system required for a specific individual’s job.

  • Do not grant access privileges greater than necessary for one’s job responsibilities.

  • Segregate access between those who can view information from those who can change/edit information.

  • Restrict administrative rights (ability to change the configuration of any software or hardware resource) to a carefully vetted set of users

  • Treat access to the internet, or any other connection to resources outside the company, with the same rules as are applied to systems within the company – grant access to only that which is necessary to successfully complete required tasks.

A key part of this interaction mapping addresses the access and exchange of information between software systems and databases within a network infrastructure. Applying access control criteria to each of these interfaces is an important element that needs to be incorporated into an advanced cybersecurity plan – an element that is often overlooked by many companies. A majority of cybersecurity breaches are the result of an attack on a weak link in security defenses and then using the interfaces between systems to penetrate deeper into a company’s resources.

From personal experience, I can attest that the above scenario is real. At our small office, our monthly phone bill for long-distance services was typically around $200 (yes, way back in the day when we had landlines and paid for long-distance services). One month, our bill came in at $85,000. Hackers had found a vulnerability in our fax service and were able to tunnel through the fax system to gain access to our phone system. They were then selling long-distance international phone service hosted through our system. This is just one example of how security breaches can come from any direction and why every point of access to a company’s network and every interface between systems within the network needs to be individually addressed to block unauthorized access. Today’s hackers are a lot more sophisticated, and security breaches can be a lot more expensive.

Applying access control functions between systems within a company’s infrastructure has a lot of parallels to adding locks on doors within your facility – if an intruder penetrates one lock, they have limited access until they find a way to penetrate the next lock. A common security failure encountered at many companies is that they have their one favorite security method that they deploy throughout their system (which makes things easy). This is the same as having locked doors to control access throughout your facility and all doors using the same key. While it may take more resources to implement different security tools dispersed throughout a business’s network, such an effort is necessary to improve the reliability of your security implementation.

Another key factor in implementing access controls for an advanced cybersecurity plan is to verify that the security plan is functioning as expected. This includes:

  • Monitor who is accessing systems and information within the network

  • Limit login attempts for individual sets of credentials and lock out a user after successive failed attempts

  • Implement active warning methods to notify and log specific approved and non-approved system access

  • Implement time-based lockout on inactivity and for any highly restricted access sessions

  • Monitor and record all remote access

  • Encrypt all remote access

  • For wireless access, implement separate methods for network access and account access

  • Consider tablet and cell phone access as both an interface to a company’s network and as an access point to the outside world

Access control is a complex subject and demands a high level of attention as part of the development and implementation of an advanced cybersecurity plan. For more details on addressing access control, you may want to reference Section 3.1 Access Control in NIST standard SP 800-171.

For more on this topic, we invite you to explore the Building an Advanced Cybersecurity Plan article series.

Part 1: Engagement and Reinforcement

Part 2: Interaction Mapping

Part 3: Access Control

Part 4: Electronic Media Protection

Part 5: Identification and Authentication

Part 6: Activity Logging, Auditing, and Traceability

Part 7: Network Resource Configuration Management

Part 8: Communications, Network, and Database Security 

Part 9: Personnel and Infrastructure Security

Part 10: Maintenance and Incident Response

Part 11: Risk Assessment and Vulnerabilities Testing

John Turner
Director of Technology for FA Consulting & Technology (FAC&T) and member of the MTConnect Institute.
Recent technology News
Event to Connect Small and Medium Manufacturers with Experts in Smart Technologies
Edge computing in digital manufacturing involves placing devices between data sources and the network, and ranges from basic data collection to distributed systems. Learn more about its benefits like data processing, isolation, organization, and security.
What are the benefits of harvesting semantic data from equipment on the shop floor? For starters, it's easier to integrate machines into shop maintenance and monitoring systems. Learn how the industry has responded to semantic data – and where it's going.
A digital twin is more than a computer approximation or simple 3D model – it is an ever-evolving, data-driven digital representation of a system.
Siemens is one of the world’s biggest manufacturing companies – and a company that uses the digital tools it develops to achieve operational excellence.
Similar News
By Tim Shinbara | Mar 18, 2024

Discover how MTConnect bridges the innovation lag between consumer tech and manufacturing. As a unifying open-source standard, MTConnect streamlines machine communications and fuels emerging tools like digital twins.

5 min
By Kristin Bartschi | Mar 11, 2024

The organizations favor a collaborative partnership as independent entities to enhance operational performance, responsiveness, and strategic flexibility.

3 min
By Kristin Bartschi | Feb 29, 2024

Event to Connect Small and Medium Manufacturers with Experts in Smart Technologies

5 min