Featured Image

Building an Advanced Cybersecurity Plan: Identification and Authentication

The definition and management of the credentials used to access the resources within a company's network requires their own set of rules within an access control strategy. Here are some important security elements to consider with usernames and passwords.
Aug 08, 2022

Access control, a comprehensive set of rules and requirements regulating which persons and systems have authority to access resources within a company's network and computer systems, is critical to all advanced cybersecurity implementations. Once established, many of the components implemented to support access control will remain relatively static for reasonable periods of time. However, one key element is dynamic and requires its own set of rules within an access control strategy. That is the definition and management of the credentials used to identify and authenticate persons and systems attempting to access resources within a company's network.

Generally, network security credentials include usernames and passwords. Still, they may also have other identifying factors such as the identity (IP address, MAC address, etc.) of any device being used to access the network. There are also a variety of alternative technologies that can be used to identify a user. These include key fobs that generate unique passwords periodically, personal id systems similar to facility access cards, a security dongle that must be connected to a computer's port, biometric id systems, etc.

Once assigned, usernames tend to remain unchanged and allow a designated user to access network resources from any number of devices. Usernames must be unique within a network architecture. Additionally, suppose a username is to be changed. In that case, the validation of the user and the system resources that the user can access should be verified as though the user is a new user within the network system.

Methods should be implemented to monitor the frequency that each user accesses a network. Rules should be established defining when a username is considered abandoned or retired. Such usernames and all other components of the associated credentials should be disabled for future network access.

It is common practice to allow temporary network/computer systems access for temporary workers, company guests, and maintenance/service providers. Companies tend to deploy a couple of different strategies for providing credentials on a temporary basis. It is not uncommon to provide a "guest network" that allows a guest to connect to the network with very limited capabilities – typically restricted to internet access. There are security vulnerabilities associated with a "guest network." Once a guest has access inside the network, it is conceivable to misuse this access as an entry point to tunnel deeper into the company's infrastructure – you have unlocked the door through the outer layer of your security architecture. While it is more cumbersome to implement, it is a better alternative that each guest is provided a unique set of credentials which can be independently validated and monitored for activity on the network. All temporary credentials should be automatically disabled after a specified period of time.

Some standard practices that should be implemented when managing credentials include:

  • Passwords should be required to be updated periodically – monthly, quarterly, etc.

  • Updated passwords should meet a minimum criterion for length and format. For example, a minimum of N characters, a mixture of upper- and lowercase characters, no strings of characters common with usernames, no repetitive characters, and include symbols.

  • When passwords are reset, minimum requirements should be defined for the amount of change required from previous passwords – no single character changes, no reuse of older passwords, etc.

  • Enforce security standards to protect passwords – do not store in a file or email, disallow all written copies of passwords, etc.

Both network credentials and authorization to access specific network resources using those credentials should be categorized based on the frequency upon which each user utilizes those credentials and authorizations. A company should have a standard means of identifying and monitoring the activities of all users on a network. This standard means should be sufficient to monitor users' activities who commonly use specific network resources. However, there are cases where a user may infrequently access the network, or a frequent user may only infrequently need to access specific resources within the network. From a security perspective, it is better to add an extra layer of authentication to address these cases. Multifactor authentication is typically a two-step process to verify that the user requesting access is really the authorized user. In multifactor authentication, a user attempting to log on to the network or in to a specific resource within the network is sent a message (typically either an email or text) that provides additional information required to complete their log-in attempt (commonly a unique code that needs to be entered). The concept is that if a user has access to more than one resource of the authorized user, then they are more than likely the authorized user.

One of the more common security failures comes from the fact that companies frequently do change default credentials for devices connected to a network – usually something like username=USER and password=PASSWORD. This occurs for any device connected to the network but is most commonly found in devices with no direct user interface – printers, cameras, security sensors, monitoring equipment, and many types of production equipment. Each of these represents a security vulnerability. All default credentials should be changed to a secure set of credentials upon installation.

It is important that a company expands the definition of users beyond the traditional human user to include software systems both inside and outside of the company. When software systems interact with each other, the exchange of information should be viewed as though the software system is another user interacting with a company resource. The same rules and definitions for creation, managing, and authenticating user credentials should be applied to these software systems. These interfaces between systems are the second-most common areas for network security breaches, right behind human error. Actors penetrate one system and then use the interfaces between systems to penetrate deeper into a company's network infrastructure.

Properly managing and protecting network credentials is a key element in all advanced cybersecurity implementations. The area within a network where these credentials are stored should have the highest level of security that is possible to implement – this information represents all of the keys needed for an intruder to access all of your business's most critical resources. Additionally, access to this information should be restricted to as few individuals as possible.

For more details on concepts addressing network credentials and authentication, you may want to reference Section 3.5 Identification and Authentication of NIST standard SP 800-171.

For more on this topic, we invite you to explore the Building an Advanced Cybersecurity Plan article series.

Part 1: Engagement and Reinforcement

Part 2: Interaction Mapping

Part 3: Access Control

Part 4: Electronic Media Protection

Part 5: Identification and Authentication

Part 6: Activity Logging, Auditing, and Traceability

Part 7: Network Resource Configuration Management

Part 8: Communications, Network, and Database Security 

Part 9: Personnel and Infrastructure Security

Part 10: Maintenance and Incident Response

Part 11: Risk Assessment and Vulnerabilities Testing

John Turner
Director of Technology for FA Consulting & Technology (FAC&T) and member of the MTConnect Institute.
Recent technology News
The internet opens a whole new way to think about data sources, raising concerns about network security and data validity. Learn about the two major ways to access such data: accessed and transferred in bulk for storage; and accessed on demand.
Remember the old adage: "Garbage in" equals "garbage out." But is the data you collect good? Learn more about measured and processed manufacturing data, how they form the foundation of all digital manufacturing systems, and strategies to ensure quality.
Many companies collect data from their manufacturing operations to increase productivity and improve shop operations. Others do so as part of a contractual obligation to their customers.
While it might seem that pursuing ER&D during a downturn would be unsustainable, it is actually a sensible approach. Let’s face it: When you’re busy, you’re not likely to have your people do anything other than focus on their main tasks.
Data collection and storage is the process of gathering, arranging, and making data available for analytics. Since data quality is vital, companies must decide what should be collected and stored using newer tech like data lakes and cloud storage.
Similar News
By John Turner | Sep 22, 2023

The internet opens a whole new way to think about data sources, raising concerns about network security and data validity. Learn about the two major ways to access such data: accessed and transferred in bulk for storage; and accessed on demand.

4 min
By Benjamin Moses | Aug 29, 2023

Episode 101: Ben and Steve discuss the precision and accuracy of “just eyeballin’ it” and torque wrench etiquette. Benjamin gets in-depth on cold spray additive manufacturing.

20 min
By Bonnie Gurney | Sep 12, 2023

Registration has opened for IMTS 2024 – The International Manufacturing Technology Show, taking place Sept. 9-14 at McCormick Place in Chicago.

5 min