
Building an Advanced Cybersecurity Plan: Maintenance and Incident Response

A company's cybersecurity plan requires constant monitoring and maintenance in order to detect, analyze, contain, and recover from attacks, and to prevent their recurrence. Learn what steps personnel should take when an incident is detected and how to maintain the system.
Jan 12, 2023

A company’s network and the cybersecurity implementation on that network require continuous monitoring and maintenance – just as a company would for any other piece of equipment. Maintenance of the cybersecurity implementation involves both periodic maintenance and incident response. The maintenance procedures and policies should be documented as part of a company’s overall cybersecurity plan, and compliance with these procedures and policies should be part of management’s oversight responsibilities.

When a cybersecurity problem is identified, whether a confirmed incident or a suspected weakness, it should be reported to the individuals responsible for oversight of network security. Immediate action should be taken to address the issue, and both the problem and the actions taken to resolve it should be fully documented.

Most, if not all, of the software and hardware in a company’s network, and of the equipment connected to it, is supplied by outside suppliers. The contract with each supplier should define the supplier's responsibility for promptly notifying the company of any security vulnerabilities affecting its products and for providing a fix. The appropriate remedy will vary with the complexity of the issue and the exposure it creates for the company.

Tools used to monitor and maintain the network should also be continuously updated so that they can detect ever-evolving types of security threats. These tools deserve particular scrutiny: they often have broad access to the network, and they, too, can contain malicious code or a “back door” into the network. Vendor updates to equipment, software, and the monitoring tools themselves should be verified as genuine (for example, checked against the vendor's published signature or checksum) and security scanned before they are approved for use on the network.

The security plan should address detection, analysis, containment, recovery, and prevention of recurrence, and it should document how personnel respond when a cybersecurity incident is detected.

Obvious security incidents such as equipment failure, ransomware, or phishing should be reported immediately to the appropriate network security personnel. Network monitoring tools should also be capable of detecting access control breaches and suspicious network traffic, identifying new equipment connected to the network, and scanning in real time the software running on connected equipment. These detection systems should monitor and log all authorized access to the physical network equipment and, where possible, block unauthorized access to it.
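Two of the detections called for above, new-equipment identification and access control breach detection, are simple enough to show in code. The block below is an added example, not code from the original article or from any product it mentions. It assumes an asset inventory keyed by MAC address, DHCP lease lines in the ISC dhcpd "DHCPACK" format, and sshd-style authentication lines; the inventory, MAC addresses, hostnames, and log lines are constructed for the example.

```python
"""Added example (not from the original article): run two of the detections
the text calls for over constructed log lines.

1. Flag equipment that joins the network but is not in the asset inventory
   (parsed from ISC dhcpd-style "DHCPACK" lease lines).
2. Flag repeated failed logins from one source inside a short window, a
   basic access-control-breach indicator (parsed from sshd-style auth lines),
   and note whether a successful login followed the burst.

All inventory entries, addresses, hostnames, and log lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed asset inventory: MAC -> description. In practice this comes
# from the configuration-management records the plan already requires.
KNOWN_ASSETS = {
    "00:1b:63:84:45:e6": "CNC-01 controller",
    "3c:52:82:1a:9f:04": "Engineering workstation ENG-07",
    "00:80:a3:2f:11:c2": "Shop-floor PLC, line 2",
}

# Constructed DHCP lease lines (dhcpd "DHCPACK on <ip> to <mac> (<host>) via <if>").
DHCP_LOG = """\
Jan 12 08:01:10 dhcp dhcpd: DHCPACK on 10.20.1.15 to 00:1b:63:84:45:e6 (cnc-01) via eth0
Jan 12 08:03:42 dhcp dhcpd: DHCPACK on 10.20.1.31 to 3c:52:82:1a:9f:04 (eng-07) via eth0
Jan 12 08:15:05 dhcp dhcpd: DHCPACK on 10.20.1.77 to a4:83:e7:55:0c:21 (android-9f2) via eth0
Jan 12 08:16:30 dhcp dhcpd: DHCPACK on 10.20.1.78 to 00:80:a3:2f:11:c2 (plc-line2) via eth0
"""

# Constructed sshd-style authentication lines from an HMI server.
AUTH_LOG = """\
Jan 12 09:00:01 hmi-srv sshd[4012]: Failed password for root from 10.20.1.77 port 51012 ssh2
Jan 12 09:00:03 hmi-srv sshd[4013]: Failed password for root from 10.20.1.77 port 51013 ssh2
Jan 12 09:00:04 hmi-srv sshd[4014]: Failed password for admin from 10.20.1.77 port 51014 ssh2
Jan 12 09:00:06 hmi-srv sshd[4015]: Failed password for admin from 10.20.1.77 port 51015 ssh2
Jan 12 09:00:07 hmi-srv sshd[4016]: Failed password for operator from 10.20.1.77 port 51016 ssh2
Jan 12 09:00:09 hmi-srv sshd[4017]: Accepted password for operator from 10.20.1.77 port 51017 ssh2
Jan 12 09:30:00 hmi-srv sshd[4101]: Failed password for operator from 10.20.1.31 port 40001 ssh2
Jan 12 09:45:00 hmi-srv sshd[4102]: Accepted publickey for operator from 10.20.1.31 port 40002 ssh2
"""

DHCP_RE = re.compile(r"DHCPACK on (\S+) to ([0-9a-fA-F:]{17}) \((\S+)\)")
AUTH_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(Failed|Accepted) \w+ for (?:invalid user )?(\S+) from (\S+) port"
)
LOG_YEAR = 2023  # syslog lines carry no year; assumed for the constructed sample


def unknown_devices(dhcp_log, inventory):
    """Return {mac: (ip, hostname)} for each lease granted to a MAC that is
    not in the inventory. A device seen more than once is reported once."""
    found = {}
    for line in dhcp_log.splitlines():
        m = DHCP_RE.search(line)
        if not m:
            continue
        ip, mac, host = m.groups()
        if mac.lower() not in inventory:
            found.setdefault(mac.lower(), (ip, host))
    return found


def failed_login_bursts(auth_log, threshold=5, window=timedelta(minutes=1)):
    """Return {source_ip: {"failures": n, "success_after_burst": bool}} for
    every source with at least `threshold` failed logins inside any interval
    of length `window`. A success after such a burst is the case that most
    needs a human look, so it is flagged separately."""
    fails, successes = defaultdict(list), defaultdict(list)
    for line in auth_log.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts_text, outcome, _user, src = m.groups()
        ts = datetime.strptime(f"{LOG_YEAR} {ts_text}", "%Y %b %d %H:%M:%S")
        (fails if outcome == "Failed" else successes)[src].append(ts)

    alerts = {}
    for src, times in fails.items():
        times.sort()
        start = 0  # sliding window over the sorted failure timestamps
        for end, t_end in enumerate(times):
            while t_end - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                prev = alerts.get(src, {"failures": 0, "success_after_burst": False})
                alerts[src] = {
                    "failures": max(prev["failures"], count),
                    "success_after_burst": prev["success_after_burst"]
                    or any(s > t_end for s in successes[src]),
                }
    return alerts


def correlate(dhcp_log=DHCP_LOG, auth_log=AUTH_LOG, inventory=KNOWN_ASSETS):
    """Join the two detections: which login bursts came from unknown equipment."""
    unknown_ip_to_mac = {ip: mac for mac, (ip, _h) in unknown_devices(dhcp_log, inventory).items()}
    return {src: {**info, "unknown_device_mac": unknown_ip_to_mac.get(src)}
            for src, info in failed_login_bursts(auth_log).items()}


if __name__ == "__main__":
    for src, info in correlate().items():
        print(f"ALERT {src}: {info}")
```

Run as written, the script reports one source, 10.20.1.77, with five failures inside a minute followed by a successful login, and correlates it with the lease for a MAC that is absent from the inventory. The correlation is the part worth keeping in a real deployment: a burst from a known workstation is a help-desk ticket, while a burst from unidentified equipment that then succeeds is an incident to be reported and documented as described above.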

Severe cybersecurity incidents are on the rise, especially ransomware attacks. Many companies choose not to report such incidents openly, presenting the issue to employees and customers as an equipment failure or major network outage. This is understandable, since management’s responsibility includes protecting the company’s reputation, customer relations, and personnel. However, information about the vulnerabilities that led to an attack and the actions taken to prevent a recurrence is very valuable in helping other companies avoid similar attacks. Note also that breach notification laws and customer contracts frequently make disclosure of certain incidents mandatory rather than optional. Companies are encouraged to report all attacks to the authorities; the FBI and your state's attorney general are the best authorities to notify when a severe cybersecurity incident is detected. By reporting the incident promptly, you may gain valuable information to help resolve it and provide important information to help other companies avoid a similar attack. If it is determined that an attack was caused by an unintentional action by an employee or service provider, address this with all employees and/or suppliers to minimize the chance of a repeat incident.

For more details on addressing maintenance and incident response relative to cybersecurity, you may want to reference Section 3.6 Incident Response, Section 3.7 Maintenance, and Section 3.14 System and Information Integrity of NIST Special Publication 800-171 (SP 800-171).

For more on this topic, we invite you to explore the Building an Advanced Cybersecurity Plan article series.

Part 1: Engagement and Reinforcement

Part 2: Interaction Mapping

Part 3: Access Control

Part 4: Electronic Media Protection

Part 5: Identification and Authentication

Part 6: Activity Logging, Auditing, and Traceability

Part 7: Network Resource Configuration Management

Part 8: Communications, Network, and Database Security

Part 9: Personnel and Infrastructure Security

Part 10: Maintenance and Incident Response

Part 11: Risk Assessment and Vulnerabilities Testing

John Turner
Director of Technology for FA Consulting & Technology (FAC&T) and member of the MTConnect Institute.