Building an Advanced Cybersecurity Plan: Access Control

Access control in an advanced cybersecurity plan goes well beyond usernames and passwords. It means defining, implementing, and monitoring rules to control which persons and systems may access resources within your company’s network and computer systems.
Jun 03, 2022

“Access control” includes the definition, implementation, and monitoring of rules to control which persons and systems have authority to access resources within a company’s network and computer systems. This goes well beyond assigning credentials (usernames and passwords) to those who have access to the network. Implementation of access control policies should address which systems and which content a user can access within those systems. A simple example of this would be the controls that allow individual customer service personnel access to order status and shipping information but block them from accessing customer financial information.

The definitions and implementation of access controls in an advanced cybersecurity plan go well beyond this simple example. The rules for granting access to network and system resources should be broken down to a very granular level to address (1) user rights and methods to access individual systems and functions within those systems, (2) the definition of whether individual users have read, write, and/or edit capabilities for each system and function, and (3) the definition of how software systems (either inside or outside a business) interact with other systems – much the same as if those systems were another type of user.

When defining the criteria for access control, some fundamental rules should be considered:

  • Define unique sets of rules for accessing system resources for each different type of user and software system – be as granular as possible.

  • Grant access only to those systems and functions within a system required for a specific individual’s job.

  • Do not grant access privileges greater than necessary for one’s job responsibilities.

  • Segregate access between those who can view information and those who can change/edit information.

  • Restrict administrative rights (ability to change the configuration of any software or hardware resource) to a carefully vetted set of users.

  • Treat access to the internet, or any other connection to resources outside the company, with the same rules as are applied to systems within the company – grant access to only that which is necessary to successfully complete required tasks.
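The rules above can be expressed as a deny-by-default grant table that treats software systems as principals alongside user roles, plus a review that flags grants beyond job need and administrative rights held by unvetted principals. This is an added example, not part of the original article; every role, system and resource name in it is constructed for illustration.

```python
# Added example: deny-by-default access rules for users and software systems.
# All role, system and resource names below are constructed for illustration.

GRANTS = {
    "role:customer_service": {"orders.status": {"read", "write"},
                              "shipping.info": {"read"}},
    "role:billing_clerk": {"customer.financial": {"read", "write"}},
    "system:shipping_app": {"orders.status": {"read"},
                            "shipping.info": {"read", "write"}},
    "role:it_admin": {"network.config": {"admin"}},
    "role:shift_lead": {"network.config": {"admin"}},
}

# What each principal's job actually requires (the baseline to review against).
REQUIRED = {
    "role:customer_service": {"orders.status": {"read"}, "shipping.info": {"read"}},
    "role:billing_clerk": {"customer.financial": {"read", "write"}},
    "system:shipping_app": {"orders.status": {"read"},
                            "shipping.info": {"read", "write"}},
    "role:it_admin": {"network.config": {"admin"}},
}

VETTED_ADMINS = {"role:it_admin"}


def is_allowed(grants, principal, resource, action):
    """Deny by default: allow only an explicitly granted (resource, action)."""
    return action in grants.get(principal, {}).get(resource, set())


def excess_grants(grants, required):
    """Return every grant that exceeds what the principal's job requires."""
    findings = []
    for principal, resources in grants.items():
        for resource, actions in resources.items():
            needed = required.get(principal, {}).get(resource, set())
            for action in sorted(actions - needed):
                findings.append((principal, resource, action))
    return sorted(findings)


def unvetted_admins(grants, vetted):
    """Return principals holding administrative rights without being vetted."""
    return sorted(p for p, res in grants.items()
                  if p not in vetted and any("admin" in a for a in res.values()))


if __name__ == "__main__":
    print(is_allowed(GRANTS, "role:customer_service", "customer.financial", "read"))
    print(excess_grants(GRANTS, REQUIRED))
    print(unvetted_admins(GRANTS, VETTED_ADMINS))
```
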

A key part of this interaction mapping addresses the access and exchange of information between software systems and databases within a network infrastructure. Applying access control criteria to each of these interfaces is an important element that needs to be incorporated into an advanced cybersecurity plan – an element that is often overlooked by many companies. A majority of cybersecurity breaches result from an attack on a weak link in security defenses, after which the attacker uses the interfaces between systems to penetrate deeper into a company’s resources.

From personal experience, I can attest that the above scenario is real. At our small office, our monthly phone bill for long-distance services was typically around $200 (yes, way back in the day when we had landlines and paid for long-distance services). One month, our bill came in at $85,000. Hackers had found a vulnerability in our fax service and were able to tunnel through the fax system to gain access to our phone system. They were then selling long-distance international phone service hosted through our system. This is just one example of how security breaches can come from any direction and why every point of access to a company’s network and every interface between systems within the network needs to be individually addressed to block unauthorized access. Today’s hackers are a lot more sophisticated, and security breaches can be a lot more expensive.

Applying access control functions between systems within a company’s infrastructure has a lot of parallels to adding locks on doors within your facility – if an intruder penetrates one lock, they have limited access until they find a way to penetrate the next lock. A common security failure encountered at many companies is that they have their one favorite security method that they deploy throughout their system (which makes things easy). This is the same as having locked doors to control access throughout your facility and all doors using the same key. While it may take more resources to implement different security tools dispersed throughout a business’s network, such an effort is necessary to improve the reliability of your security implementation.

Another key factor in implementing access controls for an advanced cybersecurity plan is to verify that the security plan is functioning as expected. This includes:

  • Monitor who is accessing systems and information within the network

  • Limit login attempts for individual sets of credentials and lock out a user after successive failed attempts

  • Implement active warning methods to notify and log specific approved and non-approved system access

  • Implement time-based lockout on inactivity and for any highly restricted access sessions

  • Monitor and record all remote access

  • Encrypt all remote access

  • For wireless access, implement separate methods for network access and account access

  • Consider tablet and cell phone access as both an interface to a company’s network and as an access point to the outside world
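Three of the checks above (limiting login attempts with lockout, time-based lockout on inactivity, and logging with active warnings) fit in one small monitor. This is an added example, not part of the original article; the thresholds, event names and user names are assumptions chosen for illustration, and the caller supplies the time in seconds so the behavior is easy to test.

```python
# Added example: login-attempt limiting, timed lockout and inactivity timeout.
# Thresholds and event names are constructed; times are seconds from the caller.

class AccessMonitor:
    def __init__(self, max_failures=3, lockout_secs=900, idle_secs=600):
        self.max_failures = max_failures
        self.lockout_secs = lockout_secs
        self.idle_secs = idle_secs
        self.failures = {}      # user -> consecutive failed attempts
        self.locked_until = {}  # user -> time the lockout ends
        self.last_active = {}   # user -> time of last activity in a session
        self.log = []           # (time, user, event) records for later review

    def _record(self, now, user, event):
        self.log.append((now, user, event))
        return event

    def login(self, user, password_ok, now):
        # A locked account rejects even a correct password until the lockout ends.
        if now < self.locked_until.get(user, 0):
            return self._record(now, user, "rejected_locked")
        if password_ok:
            self.failures[user] = 0
            self.last_active[user] = now
            return self._record(now, user, "login_ok")
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_failures:
            self.locked_until[user] = now + self.lockout_secs
            self.failures[user] = 0
            return self._record(now, user, "locked_out")
        return self._record(now, user, "login_failed")

    def touch(self, user, now):
        """Check a session on each request; end it after too long idle."""
        last = self.last_active.get(user)
        if last is None:
            return self._record(now, user, "no_session")
        if now - last > self.idle_secs:
            del self.last_active[user]
            return self._record(now, user, "session_expired")
        self.last_active[user] = now
        return "active"

    def alerts(self):
        """Events that warrant notification rather than just logging."""
        return [e for e in self.log if e[2] in ("locked_out", "rejected_locked")]
```
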

Access control is a complex subject and demands a high level of attention as part of the development and implementation of an advanced cybersecurity plan. For more details on addressing access control, you may want to reference Section 3.1 Access Control in NIST standard SP 800-171.

For more on this topic, we invite you to explore the Building an Advanced Cybersecurity Plan article series.

Part 1: Engagement and Reinforcement

Part 2: Interaction Mapping

Part 3: Access Control

Part 4: Electronic Media Protection

Part 5: Identification and Authentication

Part 6: Activity Logging, Auditing, and Traceability

Part 7: Network Resource Configuration Management

Part 8: Communications, Network, and Database Security 

Part 9: Personnel and Infrastructure Security

Part 10: Maintenance and Incident Response

Part 11: Risk Assessment and Vulnerabilities Testing

John Turner
Director of Technology for FA Consulting & Technology (FAC&T) and member of the MTConnect Institute.