Featured Image

Building an Advanced Cybersecurity Plan: Personnel and Infrastructure Security

A key aspect of any advanced cybersecurity plan is oversight and management of company and supplier personnel to address events originating within a company – intentional or not. Find out what considerations should be made when implementing your plan.
Dec 07, 2022

While much of the focus when developing and deploying an advanced cybersecurity plan is concentrated on the technology aspects of the network, securing the physical network equipment and addressing those who have access to that equipment doesn’t get the same attention. In many ways, one can draw parallels between how a company secures its facility and who has access to the facility and the steps to secure access to your network equipment.

Network equipment should be housed in an access-controlled area. This should not be limited to servers and larger computing systems but extend to routers and other network access points distributed throughout a facility. Anyone intent on causing harm to a company or accessing proprietary company information can use these access points to penetrate the network. While larger companies may have a secure computer room where key pieces of equipment are housed, other companies may provide no, or limited, control over access to their network equipment. A broader issue is that few companies control access to routers and other access points distributed throughout the facility – especially in the manufacturing environment. As a minimum, this equipment should be housed in locked cabinets. Where possible, access should be monitored and alarmed. Additionally, logs should be maintained to validate who had accessed locations where network equipment is installed and when that access occurred.

Another topic to be addressed as part of an advanced cybersecurity plan is oversight and management of company and supplier personnel. A significant portion of cybersecurity events originate within a company – some unintentional and others intentional. Training, equipment controls, and other provisions of a company’s network security implementation address many of the unintentional events. The intentional ones are harder to address. Architecting network access controls appropriately can minimize a company’s exposure to an intentional internal “attack.” Activity monitoring can also provide a means to detect unusual activity. Beyond that, properly vetting personnel and management oversight are the only other reasonable means of protecting company assets for most companies.

Special scrutiny should apply to personnel with access to the network infrastructure – servers, routers, computer rooms, etc. A higher level of vetting and oversight should apply to these individuals. A determined individual can significantly damage a company’s infrastructure and intellectual assets. Management oversight should focus on trustworthiness, conduct, integrity, judgment, loyalty, reliability, and stability.

Special consideration should be given to disgruntled, transferred, or terminated personnel. While it is typically not acceptable to restrict or change a disgruntled individual’s access to network resources, careful and considerate management oversight would be most appropriate. For personnel who have been transferred to a new role/responsibility, it is important to reassess the individual’s network privileges and adjust network access privileges to only those required for the new role. Network privileges (usernames and passwords) should be immediately suspended for terminated personnel.

For more details on addressing personnel and infrastructure security relative to cybersecurity, you may want to reference Section 3.9 Personnel Security and Section 3.10 Physical Protection of NIST standard SP 800-171.


For more on this topic, we invite you to explore the Building an Advanced Cybersecurity Plan article series.

Part 1: Engagement and Reinforcement

Part 2: Interaction Mapping

Part 3: Access Control

Part 4: Electronic Media Protection

Part 5: Identification and Authentication

Part 6: Activity Logging, Auditing, and Traceability

Part 7: Network Resource Configuration Management

Part 8: Communications, Network, and Database Security

Part 9: Personnel and Infrastructure Security

Part 10: Maintenance and Incident Response

Part 11: Risk Assessment and Vulnerabilities Testing

PicturePicture
Author
John Turner
Director of Technology for FA Consulting & Technology (FAC&T) and member of the MTConnect Institute.
Recent technology News
The internet opens a whole new way to think about data sources, raising concerns about network security and data validity. Learn about the two major ways to access such data: accessed and transferred in bulk for storage; and accessed on demand.
Remember the old adage: "Garbage in" equals "garbage out." But is the data you collect good? Learn more about measured and processed manufacturing data, how they form the foundation of all digital manufacturing systems, and strategies to ensure quality.
Many companies collect data from their manufacturing operations to increase productivity and improve shop operations. Others do so as part of a contractual obligation to their customers.
While it might seem that pursuing ER&D during a downturn would be unsustainable, it is actually a sensible approach. Let’s face it: When you’re busy, you’re not likely to have your people do anything other than focus on their main tasks.
Data collection and storage is the process of gathering, arranging, and making data available for analytics. Since data quality is vital, companies must decide what should be collected and stored using newer tech like data lakes and cloud storage.
Similar News
undefined
Technology
By John Turner | Sep 22, 2023

The internet opens a whole new way to think about data sources, raising concerns about network security and data validity. Learn about the two major ways to access such data: accessed and transferred in bulk for storage; and accessed on demand.

4 min
undefined
Technology
By Benjamin Moses | Aug 29, 2023

Episode 101: Ben and Steve discuss the precision and accuracy of “just eyeballin’ it” and torque wrench etiquette. Benjamin gets in-depth on cold spray additive manufacturing.

20 min
undefined
Technology
By Bonnie Gurney | Sep 12, 2023

Registration has opened for IMTS 2024 – The International Manufacturing Technology Show, taking place Sept. 9-14 at McCormick Place in Chicago.

5 min