
Building an Advanced Cybersecurity Plan: Network Resource Configuration Management

Configuration management in cybersecurity provides a uniform environment to deploy security updates, and a standardized platform to monitor network activity to identify potential security breaches. Learn what it is, how to use it, and what to watch for.
Oct 03, 2022

Configuration management is the definition and deployment of a standard set of operating system versions, software packages, software/firmware versions, software/firmware updates and patches, security software, and network access tools – and the specific configuration of each. Configuration management should apply to all devices connected to the network – computers, servers, databases, routers, firewalls, mobile devices, and production equipment (otherwise known as “controlled devices”).

Configuration management should be included in any advanced cybersecurity plan for two key reasons: (1) it provides a uniform environment for deploying security updates and patches, and (2) it provides a standardized platform for monitoring network activity to identify potential security breaches or abnormal network activity.

A common error in configuration management is defining one uniform implementation that includes the same security tools for all systems at all levels of the network architecture. The problem with this approach is that once an intruder gains access to one part of the network, they essentially hold the key to every system on it. The network should instead be viewed as layers of functionality, with different security software and methodologies deployed at each layer, effectively creating a series of different “locks” within the network.

Additionally, the configuration of each device (or type of device) should be considered independently, applying the principle of “least functionality.” As part of the configuration management plan, unnecessary services or components, both logical and physical, should be disabled to prevent unauthorized connections, data transfer, and tunneling. This includes programs, ports, protocols, and software/firmware services. Enabling a device with more functionality than it needs to perform its intended purpose represents additional security risk.
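The following script is an added example, not code from the article or its author, showing what a least-functionality baseline check looks like in practice: each device class (one per network layer, so the “locks” differ) has its own approved OS version, services, ports and protocols, and anything enabled beyond that list is reported as a finding. The baselines, device names and inventory values are constructed samples, not a real policy.

```python
"""Least-functionality baseline check.

Compares each device's observed configuration against the approved baseline
for its class. Different classes (different network layers) carry different
tool sets and allow lists, so a foothold in one layer does not unlock the rest.
All baselines and inventory values are constructed sample data.
"""
from dataclasses import dataclass, field

# Approved baseline per device class (constructed sample values).
BASELINES = {
    "edge_server": {
        "os_version": "rhel-8.8",
        "services": {"sshd", "chronyd", "auditd", "rsyslog"},
        "tcp_ports": {22, 514},
        "protocols": {"ssh", "syslog"},
    },
    "cell_controller": {
        "os_version": "win10-ltsc-21h2",
        "services": {"MTConnectAgent", "EventLog", "WinDefend"},
        "tcp_ports": {5000},
        "protocols": {"mtconnect"},
    },
}


@dataclass
class Device:
    """Observed state of one controlled device, as an inventory tool would report it."""
    name: str
    device_class: str
    os_version: str
    services: set = field(default_factory=set)
    tcp_ports: set = field(default_factory=set)
    protocols: set = field(default_factory=set)


def check_device(device: Device) -> list:
    """Return human-readable deviations from the approved baseline.

    Anything enabled that the baseline does not list is a least-functionality
    finding; anything the baseline requires but is absent is a gap in the
    security tooling for that layer. An empty list means the device conforms.
    """
    base = BASELINES.get(device.device_class)
    if base is None:
        return [f"{device.name}: no baseline for class '{device.device_class}'"]
    findings = []
    if device.os_version != base["os_version"]:
        findings.append(
            f"{device.name}: os_version {device.os_version} != approved {base['os_version']}"
        )
    for key in ("services", "tcp_ports", "protocols"):
        observed = getattr(device, key)
        extra = observed - base[key]      # enabled but not needed
        missing = base[key] - observed    # required by the baseline but absent
        for item in sorted(extra, key=str):
            findings.append(f"{device.name}: unnecessary {key[:-1]} enabled: {item}")
        for item in sorted(missing, key=str):
            findings.append(f"{device.name}: required {key[:-1]} missing: {item}")
    return findings


# Constructed inventory: edge-01 conforms; cell-07 has Telnet enabled and
# is missing its endpoint protection service.
SAMPLE_INVENTORY = [
    Device("edge-01", "edge_server", "rhel-8.8",
           services={"sshd", "chronyd", "auditd", "rsyslog"},
           tcp_ports={22, 514}, protocols={"ssh", "syslog"}),
    Device("cell-07", "cell_controller", "win10-ltsc-21h2",
           services={"MTConnectAgent", "EventLog", "TelnetServer"},
           tcp_ports={5000, 23}, protocols={"mtconnect", "telnet"}),
]


def audit(devices):
    """Map each device name to its list of findings."""
    return {d.name: check_device(d) for d in devices}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INVENTORY).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("  ", f)
```

In a real deployment the inventory would come from the configuration management tool's exported state rather than hard-coded objects, and the baseline per class would be the reviewed, documented one the plan mandates; the comparison logic stays the same.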

Of all the elements of a cybersecurity plan and deployment, configuration management is typically the area that presents the most conflict between IT professionals and their counterparts in manufacturing operations. Much of the equipment installed in manufacturing operations cannot support many of the components defined for configuration management. This is where effectively organizing and segmenting the OT network becomes imperative. Shop floor equipment that cannot support configuration management should be separated from the main network by a “controlled device.” A controlled device, most typically a computer or router, provides a location where configuration management policies can be deployed to protect the rest of the network from security risks associated with any downstream devices. Another method is to exclude certain devices from the configuration management policies. However, this approach is less effective, since it requires continual management and updates and results in a less secure network environment.
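As an added example (not from the article), the segmentation rule above can be checked mechanically against a network inventory: for every piece of shop-floor equipment that cannot run the baseline, there must be no path to the main network that avoids a controlled device. The node names, roles and links below are a constructed sample topology.

```python
"""Segmentation check for equipment that cannot support configuration management.

Every "unmanaged" device must be separated from the main network ("core") by
a "controlled" device where policy is enforced. The topology is a constructed
sample; role labels are this example's own convention.
"""

# Role of each node (constructed sample).
ROLES = {
    "core-switch": "core",        # the main network
    "ot-gateway": "controlled",   # enforcement point in front of the cell
    "cnc-12": "unmanaged",        # cannot run the baseline
    "cnc-13": "unmanaged",
    "legacy-hmi": "unmanaged",
    "eng-ws": "managed",          # ordinary controlled-device-capable host
}

# Undirected links (constructed). legacy-hmi is cabled to the engineering
# workstation's second NIC, which bypasses the gateway.
LINKS = [
    ("core-switch", "ot-gateway"),
    ("ot-gateway", "cnc-12"),
    ("ot-gateway", "cnc-13"),
    ("core-switch", "eng-ws"),
    ("eng-ws", "legacy-hmi"),
]


def build_adjacency(links):
    """Turn a list of undirected links into an adjacency map."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def reaches_core_uncontrolled(start, adj, roles):
    """Depth-first search that refuses to step through a controlled device.

    If the core is still reachable, nothing between this device and the main
    network enforces configuration management policy.
    """
    stack, seen = [start], {start}
    while stack:
        node = stack.pop()
        if roles.get(node) == "core":
            return True
        for nxt in adj.get(node, ()):
            if nxt in seen or roles.get(nxt) == "controlled":
                continue
            seen.add(nxt)
            stack.append(nxt)
    return False


def exposed_unmanaged_devices(links=LINKS, roles=ROLES):
    """Return the unmanaged devices that are not behind a controlled device."""
    adj = build_adjacency(links)
    return sorted(
        name for name, role in roles.items()
        if role == "unmanaged" and reaches_core_uncontrolled(name, adj, roles)
    )


if __name__ == "__main__":
    for name in exposed_unmanaged_devices():
        print(f"{name}: reachable from the main network without a controlled device in the path")
```

Running it on the sample reports only legacy-hmi; moving that link behind the gateway clears the finding. The same check applied to an exported switch or firewall topology is a cheap way to catch the side connections that accumulate on a shop floor over time.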

As with all other aspects of an advanced security plan, configuration management rules and procedures need to be fully documented, formally reviewed, and enforced. All updates/enhancements need to be fully reviewed both for effectiveness and potential impact on all controlled devices on the network. These reviews should specifically address the security impact of all proposed configuration changes.

Configuration updates often require the controlled device to be restarted for the updates to be installed and become effective. Both the download of the updates and the event associated with the update being installed and becoming effective should be logged as a network event. These logs should be retained and reviewed as part of the regular monitoring of network activities.
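The log review described in the last two paragraphs, as an added example that is not part of the original article: each update should appear as a logged download, a logged install, and (where a restart is required) a logged restart, and only reviewed, approved updates should be installed at all. The log format, field names, update identifiers and policy window are all assumptions constructed for this example.

```python
"""Review of configuration-update events from a controlled device's logs.

Correlates download, install and restart events per (host, update) and flags
the gaps a reviewer would want to see: downloads never installed, installs
with no matching download, installs that never became effective, and updates
that were not on the approved (reviewed) list. Log lines are constructed
samples in an assumed syslog-like shape.
"""
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) cfgmgr: event=(?P<event>\w+) update=(?P<update>\S+)"
)

# Constructed sample log.
SAMPLE_LOG = """\
2022-10-03T08:00:00 edge-01 cfgmgr: event=downloaded update=KB-2022-0917
2022-10-03T08:05:00 edge-01 cfgmgr: event=installed update=KB-2022-0917
2022-10-03T08:06:00 edge-01 cfgmgr: event=restarted update=KB-2022-0917
2022-10-03T09:00:00 cell-07 cfgmgr: event=downloaded update=KB-2022-0917
2022-10-03T09:02:00 cell-07 cfgmgr: event=installed update=KB-2022-0917
2022-10-03T10:00:00 cell-09 cfgmgr: event=downloaded update=KB-2022-0917
2022-10-03T11:00:00 eng-ws cfgmgr: event=installed update=HOTFIX-unreviewed
"""

APPROVED_UPDATES = {"KB-2022-0917"}      # output of the formal change review (assumed)
INSTALL_WINDOW = timedelta(hours=4)      # policy assumption for download -> install
SAMPLE_NOW = datetime.fromisoformat("2022-10-03T15:00:00")


def parse(log_text):
    """Yield (timestamp, host, event, update) tuples; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["host"], m["event"], m["update"]))
    return events


def review(log_text, now, approved=APPROVED_UPDATES):
    """Return {(host, update): [issue, ...]} for every update lifecycle with a gap."""
    lifecycle = {}
    for ts, host, event, update in parse(log_text):
        lifecycle.setdefault((host, update), {})[event] = ts

    findings = {}
    for (host, update), ev in lifecycle.items():
        issues = []
        if update not in approved:
            issues.append("not an approved, reviewed update")
        if "downloaded" in ev and "installed" not in ev and now - ev["downloaded"] > INSTALL_WINDOW:
            issues.append("downloaded but not installed within policy window")
        if "installed" in ev and "downloaded" not in ev:
            issues.append("installed with no logged download")
        if "installed" in ev and "restarted" not in ev:
            issues.append("installed but no restart logged; verify the change is effective")
        if issues:
            findings[(host, update)] = issues
    return findings


def review_sample():
    """Run the review over the constructed sample as of SAMPLE_NOW."""
    return review(SAMPLE_LOG, SAMPLE_NOW)


if __name__ == "__main__":
    for (host, update), issues in sorted(review_sample().items()):
        for issue in issues:
            print(f"{host} {update}: {issue}")
```

On the sample, edge-01 completed the full download, install and restart sequence and produces no finding; cell-07 installed but never restarted, cell-09 downloaded and went quiet, and eng-ws installed something that never went through review. Those are exactly the events the article asks to be logged and then reviewed as part of regular monitoring.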

For more details on concepts addressing network configuration management, you may want to reference Section 3.4 Configuration Management of NIST standard SP 800-171.


For more on this topic, we invite you to explore the Building an Advanced Cybersecurity Plan article series.

Part 1: Engagement and Reinforcement

Part 2: Interaction Mapping

Part 3: Access Control

Part 4: Electronic Media Protection

Part 5: Identification and Authentication

Part 6: Activity Logging, Auditing, and Traceability

Part 7: Network Resource Configuration Management

Part 8: Communications, Network, and Database Security

Part 9: Personnel and Infrastructure Security

Part 10: Maintenance and Incident Response

Part 11: Risk Assessment and Vulnerabilities Testing

Author
John Turner
Director of Technology for FA Consulting & Technology (FAC&T) and member of the MTConnect Institute.