Featured Image

Building an Advanced Cybersecurity Plan: Personnel and Infrastructure Security

A key aspect of any advanced cybersecurity plan is oversight and management of company and supplier personnel to address events originating within a company – intentional or not. Find out what considerations should be made when implementing your plan.
Dec 07, 2022

While much of the focus when developing and deploying an advanced cybersecurity plan is concentrated on the technology aspects of the network, securing the physical network equipment and addressing those who have access to that equipment doesn’t get the same attention. In many ways, one can draw parallels between how a company secures its facility and who has access to the facility and the steps to secure access to your network equipment.

Network equipment should be housed in an access-controlled area. This should not be limited to servers and larger computing systems but extend to routers and other network access points distributed throughout a facility. Anyone intent on causing harm to a company or accessing proprietary company information can use these access points to penetrate the network. While larger companies may have a secure computer room where key pieces of equipment are housed, other companies may provide no, or limited, control over access to their network equipment. A broader issue is that few companies control access to routers and other access points distributed throughout the facility – especially in the manufacturing environment. As a minimum, this equipment should be housed in locked cabinets. Where possible, access should be monitored and alarmed. Additionally, logs should be maintained to validate who had accessed locations where network equipment is installed and when that access occurred.

Another topic to be addressed as part of an advanced cybersecurity plan is oversight and management of company and supplier personnel. A significant portion of cybersecurity events originate within a company – some unintentional and others intentional. Training, equipment controls, and other provisions of a company’s network security implementation address many of the unintentional events. The intentional ones are harder to address. Architecting network access controls appropriately can minimize a company’s exposure to an intentional internal “attack.” Activity monitoring can also provide a means to detect unusual activity. Beyond that, properly vetting personnel and management oversight are the only other reasonable means of protecting company assets for most companies.

Special scrutiny should apply to personnel with access to the network infrastructure – servers, routers, computer rooms, etc. A higher level of vetting and oversight should apply to these individuals. A determined individual can significantly damage a company’s infrastructure and intellectual assets. Management oversight should focus on trustworthiness, conduct, integrity, judgment, loyalty, reliability, and stability.

Special consideration should be given to disgruntled, transferred, or terminated personnel. While it is typically not acceptable to restrict or change a disgruntled individual’s access to network resources, careful and considerate management oversight would be most appropriate. For personnel who have been transferred to a new role/responsibility, it is important to reassess the individual’s network privileges and adjust network access privileges to only those required for the new role. Network privileges (usernames and passwords) should be immediately suspended for terminated personnel.

For more details on addressing personnel and infrastructure security relative to cybersecurity, you may want to reference Section 3.9 Personnel Security and Section 3.10 Physical Protection of NIST standard SP 800-171.

For more on this topic, we invite you to explore the Building an Advanced Cybersecurity Plan article series.

Part 1: Engagement and Reinforcement

Part 2: Interaction Mapping

Part 3: Access Control

Part 4: Electronic Media Protection

Part 5: Identification and Authentication

Part 6: Activity Logging, Auditing, and Traceability

Part 7: Network Resource Configuration Management

Part 8: Communications, Network, and Database Security

Part 9: Personnel and Infrastructure Security

Part 10: Maintenance and Incident Response

Part 11: Risk Assessment and Vulnerabilities Testing

John Turner
Director of Technology for FA Consulting & Technology (FAC&T) and member of the MTConnect Institute.
Recent technology News
Any cybersecurity implementation involves a trade-off between a company’s tolerance for risk and the effort and costs associated with protecting the company’s resources and customers. Learn how to assess risk and test for vulnerabilities in your network.
A company's cybersecurity plan requires constant monitoring and maintenance in order to effectively detect, analyze, contain, recover, and prevent attacks. Learn what steps personnel should take when an incident is detected and how to maintain the system.
You can set up free machine monitoring in as little as 30 minutes using a tool created by the great folks at Oak Ridge National Laboratory (ORNL)...
Ultra-premium, bougie digital twin. Michigan incentivizes industry 4.0 embrace. Metal health. "Go hug a driver or hug a worker in a distribution center."
Implementing a cybersecurity plan includes deploying specific security functions to provide communications, networking, and database security. Learn what key factors to consider, what new technologies are being overlooked, and more for your implementation.
Similar News
By Stephen LaMarca | Mar 24, 2023

Machine tending with cobots. ChatGPT’s reinforced position in manufacturing. Don’t bank on EVs just yet. Emerged technology. AddUp sends support to Ohio.

5 min
By Benjamin Moses | Mar 17, 2023

Collaboration = manufacturing. Check your chips. Who doesn’t like new materials? 5G in manufacturing. We are living in the future.

5 min
By Benjamin Moses | Mar 10, 2023

Innovation is driven by diversity. What does collaboration mean? Energy for wearable tech. ​Hole technology. Wake me up before you grow-grow.

5 min