Closed-loop manufacturing systems provide superior reliability and stability. Many of the same concepts apply to implementing a cybersecurity plan. An advanced cybersecurity plan should include functionality for logging every attempt to access the network and every attempt to access critical information/services available on the network. Activities such as configuration changes to any network resource should also be logged. While it is typically not practical to log the content of every activity on the network or the content associated with every activity, there may be highly sensitive areas of the network where such enhanced logging is necessary – either to protect business assets or as required for legal or contractual requirements.
Logging of activities and events on the network increases system loading and responsiveness. Therefore, the rules for determining which activities are to be logged need to balance security concerns against the impact on system performance. The information to be captured for each event/activity logged should include a timestamp for the activity, source and destination addresses, the user credentials (both human and system credentials), and, where applicable, the content of the transmitted information. Logging should be focused on “significant events” to protect system performance; significant events include every login attempt, password changes, failed logins, credential failures, use of admin actions, external access to the network, use of guest credentials, and every attempt to access information considered “business sensitive.”
Logging itself is not sufficient. As part of “closing the loop,” monitoring algorithms must be implemented to assess the information that has been logged. As with most manufacturing monitoring systems, the network activity algorithms should provide two primary functions – (1) alerts for detected activities requiring immediate action and (2) periodic reporting to identify unusual trends or abnormalities in network activity.
As part of the security plan, individuals within the organization need to identify who is responsible for responding to security alerts and reviewing system activity reports. A select group of individuals within an organization should be assigned this responsibility. It is recommended that multiple individuals representing differing roles within the organization be assigned these responsibilities – providing various perspectives and to avoid the opportunity for collusion.
Audit logs and reports generated from logged information should be retained for a “reasonable” period. “Reasonable” will differ by each company but should be sufficient to meet the security requirements of each company. We have all seen reports of security breaches that, once detected, were found to have occurred sometime in the past – the intruders had access to the data for an extended period. These audit logs and reports are critical for assessing such situations.
The administrative functions associated with the processes and procedures for logging and reporting network activities should be protected with the highest level of security. Administrative rights to these processes should be restricted to a small group of individuals. Redundant verification should be required for any changes in the configuration of these processes.
Implementing processes and procedures that incapsulate logging of network activities and reporting/auditing of those events strengthens a cybersecurity implementation. It provides ongoing feedback to confirm that security procedures are performing to expectation.
For more details on concepts addressing network event logging and auditing processes, you may want to reference Section 3.3 Audit and Accountability of NIST standard SP 800-171.
For more on this topic, we invite you to explore the Building an Advanced Cybersecurity Plan article series.
Part 1: Engagement and Reinforcement
Part 2: Interaction Mapping
Part 3: Access Control
Part 4: Electronic Media Protection