Featured Image

Building an Advanced Cybersecurity Plan: Identification and Authentication

The definition and management of the credentials used to access the resources within a company's network requires their own set of rules within an access control strategy. Here are some important security elements to consider with usernames and passwords.
Aug 08, 2022

Access control, a comprehensive set of rules and requirements regulating which persons and systems have authority to access resources within a company's network and computer systems, is critical to all advanced cybersecurity implementations. Once established, many of the components implemented to support access control will remain relatively static for reasonable periods of time. However, one key element is dynamic and requires its own set of rules within an access control strategy. That is the definition and management of the credentials used to identify and authenticate persons and systems attempting to access resources within a company's network.

Generally, network security credentials include usernames and passwords. Still, they may also have other identifying factors such as the identity (IP address, MAC address, etc.) of any device being used to access the network. There are also a variety of alternative technologies that can be used to identify a user. These include key fobs that generate unique passwords periodically, personal id systems similar to facility access cards, a security dongle that must be connected to a computer's port, biometric id systems, etc.

Once assigned, usernames tend to remain unchanged and allow a designated user to access network resources from any number of devices. Usernames must be unique within a network architecture. Additionally, suppose a username is to be changed. In that case, the validation of the user and the system resources that the user can access should be verified as though the user is a new user within the network system.

Methods should be implemented to monitor the frequency that each user accesses a network. Rules should be established defining when a username is considered abandoned or retired. Such usernames and all other components of the associated credentials should be disabled for future network access.

It is common practice to allow temporary network/computer systems access for temporary workers, company guests, and maintenance/service providers. Companies tend to deploy a couple of different strategies for providing credentials on a temporary basis. It is not uncommon to provide a "guest network" that allows a guest to connect to the network with very limited capabilities – typically restricted to internet access. There are security vulnerabilities associated with a "guest network." Once a guest has access inside the network, it is conceivable to misuse this access as an entry point to tunnel deeper into the company's infrastructure – you have unlocked the door through the outer layer of your security architecture. While it is more cumbersome to implement, it is a better alternative that each guest is provided a unique set of credentials which can be independently validated and monitored for activity on the network. All temporary credentials should be automatically disabled after a specified period of time.

Some standard practices that should be implemented when managing credentials include:

  • Passwords should be required to be updated periodically – monthly, quarterly, etc.

  • Updated passwords should meet a minimum criterion for length and format. For example, a minimum of N characters, a mixture of upper- and lowercase characters, no strings of characters common with usernames, no repetitive characters, and include symbols.

  • When passwords are reset, minimum requirements should be defined for the amount of change required from previous passwords – no single character changes, no reuse of older passwords, etc.

  • Enforce security standards to protect passwords – do not store in a file or email, disallow all written copies of passwords, etc.

Both network credentials and authorization to access specific network resources using those credentials should be categorized based on the frequency upon which each user utilizes those credentials and authorizations. A company should have a standard means of identifying and monitoring the activities of all users on a network. This standard means should be sufficient to monitor users' activities who commonly use specific network resources. However, there are cases where a user may infrequently access the network, or a frequent user may only infrequently need to access specific resources within the network. From a security perspective, it is better to add an extra layer of authentication to address these cases. Multifactor authentication is typically a two-step process to verify that the user requesting access is really the authorized user. In multifactor authentication, a user attempting to log on to the network or in to a specific resource within the network is sent a message (typically either an email or text) that provides additional information required to complete their log-in attempt (commonly a unique code that needs to be entered). The concept is that if a user has access to more than one resource of the authorized user, then they are more than likely the authorized user.

One of the more common security failures comes from the fact that companies frequently do change default credentials for devices connected to a network – usually something like username=USER and password=PASSWORD. This occurs for any device connected to the network but is most commonly found in devices with no direct user interface – printers, cameras, security sensors, monitoring equipment, and many types of production equipment. Each of these represents a security vulnerability. All default credentials should be changed to a secure set of credentials upon installation.

It is important that a company expands the definition of users beyond the traditional human user to include software systems both inside and outside of the company. When software systems interact with each other, the exchange of information should be viewed as though the software system is another user interacting with a company resource. The same rules and definitions for creation, managing, and authenticating user credentials should be applied to these software systems. These interfaces between systems are the second-most common areas for network security breaches, right behind human error. Actors penetrate one system and then use the interfaces between systems to penetrate deeper into a company's network infrastructure.

Properly managing and protecting network credentials is a key element in all advanced cybersecurity implementations. The area within a network where these credentials are stored should have the highest level of security that is possible to implement – this information represents all of the keys needed for an intruder to access all of your business's most critical resources. Additionally, access to this information should be restricted to as few individuals as possible.

For more details on concepts addressing network credentials and authentication, you may want to reference Section 3.5 Identification and Authentication of NIST standard SP 800-171.

For more on this topic, we invite you to explore the Building an Advanced Cybersecurity Plan article series.

Part 1: Engagement and Reinforcement

Part 2: Interaction Mapping

Part 3: Access Control

Part 4: Electronic Media Protection

Part 5: Identification and Authentication

Part 6: Activity Logging, Auditing, and Traceability

Part 7: Network Resource Configuration Management

Part 8: Communications, Network, and Database Security 

Part 9: Personnel and Infrastructure Security

Part 10: Maintenance and Incident Response

Part 11: Risk Assessment and Vulnerabilities Testing

John Turner
Director of Technology for FA Consulting & Technology (FAC&T) and member of the MTConnect Institute.
Recent technology News
Event to Connect Small and Medium Manufacturers with Experts in Smart Technologies
Edge computing in digital manufacturing involves placing devices between data sources and the network, and ranges from basic data collection to distributed systems. Learn more about its benefits like data processing, isolation, organization, and security.
What are the benefits of harvesting semantic data from equipment on the shop floor? For starters, it's easier to integrate machines into shop maintenance and monitoring systems. Learn how the industry has responded to semantic data – and where it's going.
A digital twin is more than a computer approximation or simple 3D model – it is an ever-evolving, data-driven digital representation of a system.
Siemens is one of the world’s biggest manufacturing companies – and a company that uses the digital tools it develops to achieve operational excellence.
Similar News
By Benjamin Moses | Apr 19, 2024

Episode 116: The gang shares their love for amusement parks. Stephen is happy to announce that there are a lot of testbed updates. Elissa presents further evidence that Elon Musk is dumb. Ben closes with an allegedly new method of 3D printing.

29 min
By Stephen LaMarca | Apr 19, 2024

Stagnant talent dilemma. No retirement for Atlas. New tech for an old-people game. ABB found red October. Data irrigation.

6 min
By Tim Shinbara | Mar 18, 2024

Discover how MTConnect bridges the innovation lag between consumer tech and manufacturing. As a unifying open-source standard, MTConnect streamlines machine communications and fuels emerging tools like digital twins.

5 min