Featured Image

Building an Advanced Cybersecurity Plan: Network Resource Configuration Management

Configuration management in cybersecurity provides a uniform environment to deploy security updates, and a standardized platform to monitor network activity to identify potential security breaches. Learn what it is, how to use it, and what to watch for.
Oct 03, 2022

Configuration management is the definition and deployment of a standard set of operating system versions, software packages, software/firmware versions, software/firmware updates and patches, security software, and network access tools – and the specific configuration of each. Configuration management should apply to all devices connected to the network – computers, servers, databases, routers, firewalls, mobile devices, and production equipment (otherwise known as “controlled devices”).

Configuration management should be included in any advanced cybersecurity plan for a couple of key reasons – (1) provides a uniform environment for deploying security updates and patches and (2) provides a standardized platform for monitoring network activity to identify potential security breaches or abnormal network activity. A common error in configuration management is defining one uniform implementation that includes the same security tools for all systems at all levels in the network architecture. The problem with this approach is that once an intruder can access one part of the network, they essentially have the key to access every system on the network. The network should be viewed as layers of functionality, and different security software and methodologies should be deployed at each level, effectively creating a series of different “locks” within the network. Additionally, the configuration of each device/type of device should be considered independently, applying the principle of “least functionality.” As part of the configuration management plan, unnecessary services or components (both logical and physical) should be disabled to prevent unauthorized connection, transfer of data, and tunneling. This includes programs, ports, protocols, and software/firmware services. Basically, enabling a device with more functionality than is necessary to perform its intended purpose can represent additional security risks.

Of all of the elements of a cybersecurity plan and deployment, configuration management is typically the area that presents the most conflict between IT professionals and their counterparts in manufacturing operations. Much of the equipment installed in manufacturing operations cannot support many of the components defined for configuration management. This is where effectively organizing and segmenting the OT network becomes imperative. Shop floor equipment that cannot support configuration management should be separated from the main network by a “controlled device.” A controlled device, most typically a computer or router, provides a location where configuration management policies can be deployed to protect the balance of the network from security risks associated with any downstream devices. Another method is to exclude certain devices in the configuration management policies. However, this approach is less effective since it requires continual management/updates and provides a less secure network environment.

As with all other aspects of an advanced security plan, configuration management rules and procedures need to be fully documented, formally reviewed, and enforced. All updates/enhancements need to be fully reviewed both for effectiveness and potential impact on all controlled devices on the network. These reviews should specifically address the security impact of all proposed configuration changes.

Configuration updates often require the controlled device to be restarted for the updates to be installed and become effective. Both the download of the updates and the event associated with the update being installed and becoming effective should be logged as a network event. These logs should be retained and reviewed as part of the regular monitoring of network activities.

For more details on concepts addressing network configuration management, you may want to reference Section 3.4 Configuration Management of NIST standard SP 800-171.

For more on this topic, we invite you to explore the Building an Advanced Cybersecurity Plan article series.

Part 1: Engagement and Reinforcement

Part 2: Interaction Mapping

Part 3: Access Control

Part 4: Electronic Media Protection

Part 5: Identification and Authentication

Part 6: Activity Logging, Auditing, and Traceability

Part 7: Network Resource Configuration Management

Part 8: Communications, Network, and Database Security 

Part 9: Personnel and Infrastructure Security

Part 10: Maintenance and Incident Response

Part 11: Risk Assessment and Vulnerabilities Testing

John Turner
Director of Technology for FA Consulting & Technology (FAC&T) and member of the MTConnect Institute.
Recent technology News
Any cybersecurity implementation involves a trade-off between a company’s tolerance for risk and the effort and costs associated with protecting the company’s resources and customers. Learn how to assess risk and test for vulnerabilities in your network.
A company's cybersecurity plan requires constant monitoring and maintenance in order to effectively detect, analyze, contain, recover, and prevent attacks. Learn what steps personnel should take when an incident is detected and how to maintain the system.
You can set up free machine monitoring in as little as 30 minutes using a tool created by the great folks at Oak Ridge National Laboratory (ORNL)...
Ultra-premium, bougie digital twin. Michigan incentivizes industry 4.0 embrace. Metal health. "Go hug a driver or hug a worker in a distribution center."
A key aspect of any advanced cybersecurity plan is oversight and management of company and supplier personnel to address events originating within a company – intentional or not. Find out what considerations should be made when implementing your plan.
Similar News
By Benjamin Moses | Mar 17, 2023

Collaboration = manufacturing. Check your chips. Who doesn’t like new materials? 5G in manufacturing. We are living in the future.

5 min
By Benjamin Moses | Mar 10, 2023

Innovation is driven by diversity. What does collaboration mean? Energy for wearable tech. ​Hole technology. Wake me up before you grow-grow.

5 min
By Gary Vasilash | Feb 27, 2023

Manufacturing companies the world over are embracing robots in a big way. While U.S. companies have long been deploying the equipment, there are still great opportunities that can be realized ...

10 min