Building an Advanced Cybersecurity Plan: Network Resource Configuration Management

Configuration management in cybersecurity provides a uniform environment to deploy security updates, and a standardized platform to monitor network activity to identify potential security breaches. Learn what it is, how to use it, and what to watch for.
Oct 03, 2022

Configuration management is the definition and deployment of a standard set of operating system versions, software packages, software/firmware versions, software/firmware updates and patches, security software, and network access tools – and the specific configuration of each. Configuration management should apply to all devices connected to the network – computers, servers, databases, routers, firewalls, mobile devices, and production equipment (otherwise known as “controlled devices”).

Configuration management should be included in any advanced cybersecurity plan for two key reasons: (1) it provides a uniform environment for deploying security updates and patches, and (2) it provides a standardized platform for monitoring network activity to identify potential security breaches or abnormal network activity.

A common error in configuration management is defining one uniform implementation that includes the same security tools for all systems at all levels in the network architecture. The problem with this approach is that once an intruder can access one part of the network, they essentially have the key to access every system on the network. The network should be viewed as layers of functionality, and different security software and methodologies should be deployed at each level, effectively creating a series of different “locks” within the network.

Additionally, the configuration of each device or type of device should be considered independently, applying the principle of “least functionality.” As part of the configuration management plan, unnecessary services or components (both logical and physical) should be disabled to prevent unauthorized connection, transfer of data, and tunneling. This includes programs, ports, protocols, and software/firmware services. Enabling a device with more functionality than it needs to perform its intended purpose can introduce additional security risks.
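One way to check “least functionality” on a controlled device is to compare what it is actually listening on with an allow-list defined for its role. The following is an added example, not part of the original article; the role names, allow-lists and the `ss -tulnH` capture are constructed assumptions.

```python
# Added example: least-functionality audit against a per-role baseline.
# Role names, allow-lists and the sample capture are constructed assumptions.

# Each network layer gets its own allow-list instead of one uniform config.
BASELINES = {
    "ot_gateway": {("tcp", 22), ("tcp", 443)},
    "file_server": {("tcp", 22), ("tcp", 445)},
}

# Constructed `ss -tulnH` capture from a hypothetical gateway device.
SAMPLE_SS = """\
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:443       0.0.0.0:*
tcp   LISTEN 0      32           0.0.0.0:21        0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:161       0.0.0.0:*
tcp   LISTEN 0      128             [::]:22           [::]:*
"""


def parse_listeners(ss_output):
    """Return the set of (protocol, port) pairs the device is listening on."""
    listeners = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or ":" not in fields[4]:
            continue  # skip blank or malformed lines
        port = fields[4].rsplit(":", 1)[1]  # handles 0.0.0.0:22 and [::]:22
        if port.isdigit():
            listeners.add((fields[0], int(port)))
    return listeners


def audit(role, ss_output):
    """Compare observed listeners with the allow-list for this device role."""
    if role not in BASELINES:
        raise ValueError(f"no baseline defined for role {role!r}")
    allowed = BASELINES[role]
    observed = parse_listeners(ss_output)
    return {
        "unexpected": sorted(observed - allowed),  # candidates to disable
        "missing": sorted(allowed - observed),     # expected service is down
    }


if __name__ == "__main__":
    print(audit("ot_gateway", SAMPLE_SS))
```

Running the same capture against a different role shows why per-layer baselines matter: a port that is legitimate on one class of device is a finding on another.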

Of all the elements of a cybersecurity plan and deployment, configuration management is typically the area that presents the most conflict between IT professionals and their counterparts in manufacturing operations. Much of the equipment installed in manufacturing operations cannot support many of the components defined for configuration management. This is where effectively organizing and segmenting the OT network becomes imperative. Shop floor equipment that cannot support configuration management should be separated from the main network by a “controlled device.” A controlled device, most typically a computer or router, provides a location where configuration management policies can be deployed to protect the balance of the network from security risks associated with any downstream devices. Another method is to exclude certain devices from the configuration management policies. However, this approach is less effective since it requires continual management and updates and provides a less secure network environment.

As with all other aspects of an advanced security plan, configuration management rules and procedures need to be fully documented, formally reviewed, and enforced. All updates/enhancements need to be fully reviewed both for effectiveness and potential impact on all controlled devices on the network. These reviews should specifically address the security impact of all proposed configuration changes.

Configuration updates often require the controlled device to be restarted for the updates to be installed and become effective. Both the download of the updates and the event associated with the update being installed and becoming effective should be logged as a network event. These logs should be retained and reviewed as part of the regular monitoring of network activities.
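The log review described above can be partly automated by pairing each update download with the event that records it becoming effective. The following is an added example, not part of the original article; the log format, event names, hostnames and package names are constructed assumptions, and lines are assumed to be in chronological order.

```python
# Added example: pair update-download events with install events in a log.
# The log format, event names, hosts and packages are constructed assumptions.

SAMPLE_LOG = """\
2022-10-03T02:00:11Z host=cell-gw-01 event=update_download pkg=fw-example-1
2022-10-03T02:14:40Z host=cell-gw-01 event=update_install pkg=fw-example-1
2022-10-03T02:01:05Z host=hmi-02 event=update_download pkg=os-example-7
2022-10-03T03:30:00Z host=plc-bridge-03 event=update_install pkg=fw-example-9
"""


def review_update_events(log_text):
    """Flag updates whose download/install logging is incomplete."""
    pending = {}  # (host, pkg) -> download timestamp, awaiting install
    installed_without_download = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue  # skip blank or malformed lines
        timestamp = parts[0]
        kv = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        key = (kv.get("host"), kv.get("pkg"))
        if kv.get("event") == "update_download":
            pending[key] = timestamp
        elif kv.get("event") == "update_install":
            if key in pending:
                del pending[key]  # download and install both logged
            else:
                # A change became effective with no logged download:
                # either logging is incomplete or the change was unmanaged.
                installed_without_download.append((key[0], key[1], timestamp))
    return {
        "installed_without_download": installed_without_download,
        # Downloaded but never logged as effective, e.g. restart still pending.
        "downloaded_not_installed": sorted(
            (host, pkg, ts) for (host, pkg), ts in pending.items()
        ),
    }


if __name__ == "__main__":
    for finding, items in review_update_events(SAMPLE_LOG).items():
        print(finding, items)
```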

For more details on concepts addressing network configuration management, you may want to reference Section 3.4 Configuration Management of NIST standard SP 800-171.


For more on this topic, we invite you to explore the Building an Advanced Cybersecurity Plan article series.

Part 1: Engagement and Reinforcement

Part 2: Interaction Mapping

Part 3: Access Control

Part 4: Electronic Media Protection

Part 5: Identification and Authentication

Part 6: Activity Logging, Auditing, and Traceability

Part 7: Network Resource Configuration Management

Part 8: Communications, Network, and Database Security 

Author
John Turner
Director of Technology for FA Consulting & Technology (FAC&T) and member of the MTConnect Institute.