Featured Image

Building an Advanced Cybersecurity Plan: Activity Logging, Auditing, and Traceability

Advanced cybersecurity plans should include functionality for logging every attempt to access the network or critical areas on the network to protect business assets or as required for legal or contractual requirements. Read on to learn what that involves.
Sep 01, 2022

Closed-loop manufacturing systems provide superior reliability and stability. Many of the same concepts apply to implementing a cybersecurity plan. An advanced cybersecurity plan should include functionality for logging every attempt to access the network and every attempt to access critical information/services available on the network. Activities such as configuration changes to any network resource should also be logged. While it is typically not practical to log the content of every activity on the network or the content associated with every activity, there may be highly sensitive areas of the network where such enhanced logging is necessary – either to protect business assets or as required for legal or contractual requirements.

Logging of activities and events on the network increases system loading and responsiveness. Therefore, the rules for determining which activities are to be logged need to balance security concerns against the impact on system performance. The information to be captured for each event/activity logged should include a timestamp for the activity, source and destination addresses, the user credentials (both human and system credentials), and, where applicable, the content of the transmitted information. Logging should be focused on “significant events” to protect system performance; significant events include every login attempt, password changes, failed logins, credential failures, use of admin actions, external access to the network, use of guest credentials, and every attempt to access information considered “business sensitive.”

Logging itself is not sufficient. As part of “closing the loop,” monitoring algorithms must be implemented to assess the information that has been logged. As with most manufacturing monitoring systems, the network activity algorithms should provide two primary functions – (1) alerts for detected activities requiring immediate action and (2) periodic reporting to identify unusual trends or abnormalities in network activity.

As part of the security plan, individuals within the organization need to identify who is responsible for responding to security alerts and reviewing system activity reports. A select group of individuals within an organization should be assigned this responsibility. It is recommended that multiple individuals representing differing roles within the organization be assigned these responsibilities – providing various perspectives and to avoid the opportunity for collusion.

Audit logs and reports generated from logged information should be retained for a “reasonable” period. “Reasonable” will differ by each company but should be sufficient to meet the security requirements of each company. We have all seen reports of security breaches that, once detected, were found to have occurred sometime in the past – the intruders had access to the data for an extended period. These audit logs and reports are critical for assessing such situations.

The administrative functions associated with the processes and procedures for logging and reporting network activities should be protected with the highest level of security. Administrative rights to these processes should be restricted to a small group of individuals. Redundant verification should be required for any changes in the configuration of these processes.

Implementing processes and procedures that incapsulate logging of network activities and reporting/auditing of those events strengthens a cybersecurity implementation. It provides ongoing feedback to confirm that security procedures are performing to expectation.

For more details on concepts addressing network event logging and auditing processes, you may want to reference Section 3.3 Audit and Accountability of NIST standard SP 800-171.

For more on this topic, we invite you to explore the Building an Advanced Cybersecurity Plan article series.

Part 1: Engagement and Reinforcement

Part 2: Interaction Mapping

Part 3: Access Control

Part 4: Electronic Media Protection

Part 5: Identification and Authentication

Part 6: Activity Logging, Auditing, and Traceability

Part 7: Network Resource Configuration Management

Part 8: Communications, Network, and Database Security

Part 9: Personnel and Infrastructure Security

Part 10: Maintenance and Incident Response

Part 11: Risk Assessment and Vulnerabilities Testing

John Turner
Director of Technology for FA Consulting & Technology (FAC&T) and member of the MTConnect Institute.
Recent technology News
Digital manufacturing uses operational data for more informed decision-making, which helps increase workflow efficiency. But a major challenge is the quality of data. Learn more about this crucial factor in digital manufacturing decision-making processes.
Art and engineering, Robot retires to do what it loves, Projects for standards in measurement, US air force offers am experience for students.
Digital manufacturing is company-specific strategy that uses data from manufacturing operations to support more informed decision-making and increase efficiency. Find out what goes into building a unique digital manufacturing strategy for your business.
KOVAL smartly deploys advanced monitoring technology in the service of creating a reliable, consistent (and delicious) product.
Any cybersecurity implementation involves a trade-off between a company’s tolerance for risk and the effort and costs associated with protecting the company’s resources and customers. Learn how to assess risk and test for vulnerabilities in your network.
Similar News
By Stephen LaMarca | May 12, 2023

In April, Silicon Valley Robotics hosted its annual Robot Block Party in Oakland, California. The event served as a hub for robotics enthusiasts, hobbyists, and makers to showcase their projects and products. Think public school book fair – but for robots.

4 min
By Nina Anderson | May 23, 2023

Does a year-over-year percentage growth truly reflect industry change? Do increased robot installations in sectors with less robot density look the same in ones with more density? Derivatives help expose how total change is affected when variables change.

5 min
By Stephen LaMarca | May 12, 2023

Roboangelo. AI is so big it needs 7 research institutes. Raspberry Pi on steroids. Exhaustion? No. Errors? Rarely, but yes. Captain planet is a LIAR!

5 min