Building an Advanced Cybersecurity Plan: Network Resource Configuration Management

Configuration management in cybersecurity provides a uniform environment to deploy security updates, and a standardized platform to monitor network activity to identify potential security breaches. Learn what it is, how to use it, and what to watch for.
Oct 03, 2022

Configuration management is the definition and deployment of a standard set of operating system versions, software packages, software/firmware versions, software/firmware updates and patches, security software, and network access tools – and the specific configuration of each. Configuration management should apply to all devices connected to the network – computers, servers, databases, routers, firewalls, mobile devices, and production equipment (otherwise known as “controlled devices”).

Configuration management should be included in any advanced cybersecurity plan for a couple of key reasons: (1) it provides a uniform environment for deploying security updates and patches, and (2) it provides a standardized platform for monitoring network activity to identify potential security breaches or abnormal network activity.

A common error in configuration management is defining one uniform implementation that includes the same security tools for all systems at all levels in the network architecture. The problem with this approach is that once an intruder can access one part of the network, they essentially have the key to access every system on the network. The network should be viewed as layers of functionality, and different security software and methodologies should be deployed at each level, effectively creating a series of different “locks” within the network.

Additionally, the configuration of each device or type of device should be considered independently, applying the principle of “least functionality.” As part of the configuration management plan, unnecessary services or components (both logical and physical) should be disabled to prevent unauthorized connection, transfer of data, and tunneling. This includes programs, ports, protocols, and software/firmware services. Enabling a device with more functionality than it needs to perform its intended purpose can create additional security risks.
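The two checks described above can be automated against a device inventory. The following is an added example, not part of the original article: it compares each device with a baseline for its device type (least functionality) and reports any security tool deployed in more than one network layer. The role names, layers, services, ports, and tool names are hypothetical, and the inventory is constructed sample data.

```python
# Added example. Role names, layers, services, ports and tool names are
# hypothetical; the inventory below is constructed sample data.
BASELINES = {  # per device type: only what the device needs for its purpose
    "hmi_workstation": {"services": {"opc-client", "log-forwarder"}, "ports": {3389}},
    "cell_router": {"services": {"routing", "log-forwarder"}, "ports": {22}},
    "historian_db": {"services": {"postgresql", "log-forwarder"}, "ports": {22, 5432}},
}

INVENTORY = [  # observed state, as a discovery scan or agent might report it
    {"name": "hmi-01", "role": "hmi_workstation", "layer": "shop_floor",
     "services": {"opc-client", "log-forwarder", "ftp-server"},
     "ports": {21, 3389}, "security_tool": "ToolA"},
    {"name": "rtr-01", "role": "cell_router", "layer": "cell_gateway",
     "services": {"routing", "log-forwarder"},
     "ports": {22}, "security_tool": "ToolB"},
    {"name": "db-01", "role": "historian_db", "layer": "plant_dmz",
     "services": {"postgresql"},
     "ports": {22, 23, 5432}, "security_tool": "ToolA"},
]


def least_functionality_findings(inventory, baselines):
    """List (device, kind, item) for every deviation from the role baseline."""
    findings = []
    for dev in inventory:
        base = baselines.get(dev["role"])
        if base is None:  # a device with no defined baseline is itself a finding
            findings.append((dev["name"], "no_baseline", dev["role"]))
            continue
        for svc in sorted(dev["services"] - base["services"]):
            findings.append((dev["name"], "extra_service", svc))
        for port in sorted(dev["ports"] - base["ports"]):
            findings.append((dev["name"], "extra_port", port))
        for svc in sorted(base["services"] - dev["services"]):
            findings.append((dev["name"], "missing_service", svc))
    return findings


def tools_shared_across_layers(inventory):
    """Map each security tool deployed in more than one layer to those layers."""
    layers = {}
    for dev in inventory:
        layers.setdefault(dev["security_tool"], set()).add(dev["layer"])
    return {tool: sorted(ls) for tool, ls in layers.items() if len(ls) > 1}


if __name__ == "__main__":
    for finding in least_functionality_findings(INVENTORY, BASELINES):
        print(finding)
    print(tools_shared_across_layers(INVENTORY))
```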

Of all the elements of a cybersecurity plan and deployment, configuration management is typically the area that presents the most conflict between IT professionals and their counterparts in manufacturing operations. Much of the equipment installed in manufacturing operations cannot support many of the components defined for configuration management. This is where effectively organizing and segmenting the OT network becomes imperative. Shop floor equipment that cannot support configuration management should be separated from the main network by a “controlled device.” A controlled device, most typically a computer or router, provides a location where configuration management policies can be deployed to protect the rest of the network from security risks associated with any downstream devices. Another method is to exclude certain devices from the configuration management policies. However, this approach is less effective since it requires continual management and updates and provides a less secure network environment.

As with all other aspects of an advanced security plan, configuration management rules and procedures need to be fully documented, formally reviewed, and enforced. All updates/enhancements need to be fully reviewed both for effectiveness and potential impact on all controlled devices on the network. These reviews should specifically address the security impact of all proposed configuration changes.

Configuration updates often require the controlled device to be restarted for the updates to be installed and become effective. Both the download of the updates and the event associated with the update being installed and becoming effective should be logged as a network event. These logs should be retained and reviewed as part of the regular monitoring of network activities.
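One way to review these logs is to pair the two events for every device and update and report any pair that is incomplete. The following is an added example, not part of the original article; the log format, event names, and update identifiers are hypothetical, and the log lines are constructed sample data.

```python
from datetime import datetime

# Added example. The log format, event names and update ids are hypothetical;
# the lines are constructed sample data.
LOG = """\
2022-10-03T02:00:05Z device=hmi-01 event=update_downloaded update=UPD-001
2022-10-03T02:10:40Z device=hmi-01 event=device_restarted
2022-10-03T02:11:02Z device=hmi-01 event=update_effective update=UPD-001
2022-10-03T02:00:09Z device=rtr-01 event=update_downloaded update=UPD-001
2022-10-03T03:30:00Z device=db-01 event=update_effective update=UPD-002
malformed line without fields
"""
UPDATE_EVENTS = ("update_downloaded", "update_effective")


def parse(line):
    """Return (timestamp, fields), or None for a line that does not parse."""
    stamp, _, rest = line.partition(" ")
    try:
        when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return when, dict(p.split("=", 1) for p in rest.split() if "=" in p)


def review_update_events(log_text):
    """Pair download and effective events per (device, update); report gaps."""
    seen, findings = {}, []
    for line in log_text.splitlines():
        parsed = parse(line)
        if parsed is None:  # unreadable log lines are surfaced, not dropped
            findings.append(("-", "-", "unparsed_line"))
            continue
        when, f = parsed
        if f.get("event") in UPDATE_EVENTS and "device" in f and "update" in f:
            seen.setdefault((f["device"], f["update"]), {})[f["event"]] = when
    for (device, update), ev in sorted(seen.items()):
        down, eff = ev.get("update_downloaded"), ev.get("update_effective")
        if down and not eff:
            findings.append((device, update, "downloaded_not_effective"))
        elif eff and not down:
            findings.append((device, update, "effective_without_download"))
        elif eff < down:
            findings.append((device, update, "effective_before_download"))
    return findings
```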

For more details on concepts addressing network configuration management, you may want to reference Section 3.4 Configuration Management of NIST standard SP 800-171.

For more on this topic, we invite you to explore the Building an Advanced Cybersecurity Plan article series.

Part 1: Engagement and Reinforcement

Part 2: Interaction Mapping

Part 3: Access Control

Part 4: Electronic Media Protection

Part 5: Identification and Authentication

Part 6: Activity Logging, Auditing, and Traceability

Part 7: Network Resource Configuration Management

Part 8: Communications, Network, and Database Security 

Part 9: Personnel and Infrastructure Security

Part 10: Maintenance and Incident Response

Part 11: Risk Assessment and Vulnerabilities Testing

John Turner
Director of Technology for FA Consulting & Technology (FAC&T) and member of the MTConnect Institute.