Any cybersecurity implementation involves a trade-off between a company’s tolerance for risk represented by a security attack and the effort and costs associated with protecting the company’s resources, reputation, customers, and personnel.
One of the most valuable network design concepts implemented as part of an advanced cybersecurity plan is segmenting the network into discrete functional areas or processes. This typically goes beyond separating the IT portions of the network (office) and the OT portions of the network (manufacturing operations) – portions of either network environment may be more risk tolerant than others. When this architecture is implemented, security tools can then be effectively implemented to control access and the flow of information across the boundaries between segments. Separate unique risk assessments can then be defined for each network segment – applying the appropriate level of effort and cost for each network segment.
A company’s cybersecurity plan should include a variety of approaches for testing network security vulnerabilities. Software tools for testing vulnerabilities should include:
Tests for the effectiveness of access control to the network (internal and external) and across network boundaries
Identification of equipment added/removed from the network
Identification of software added to the network or equipment attached to the network
Tests that evaluate the effectiveness of tools used to detect infected software
Tests to evaluate personnel response to suspicious emails and internet sites
Tests to assess personnel response to various types of network security breaches
Other tests may also be appropriate depending on the requirements of individual companies. Additionally, vulnerability testing should include manual actions intended to stress other functions associated with network security – detection of unauthorized access to network equipment, detection to determine when unauthorized equipment is connected to the network, test system response when key pieces of equipment are removed from the network, etc.
Any vulnerabilities detected should be identified as an incident and addressed as part of the network maintenance and incident response procedures defined in the company’s cybersecurity plan.
Vulnerabilities testing is typically reviewed and assessed for effectiveness when first implemented. However, it is important to periodically re-assess the vulnerabilities testing portion of an advanced cybersecurity plan and the tools implemented to ensure all practices, procedures, and tools effectively address all current types of security threats. Any process, procedure, or software/hardware found insufficient should be upgraded/replaced as soon as possible.
Periodic reviews should also evaluate whether the original risk assessment applicable to each network segment is still valid, or if the implementation needs to be upgraded for specific portions of the network architecture.
Each assessment and each periodic review should be fully documented and reviewed by management with oversight responsibility to ensure that the security plan is implemented and functioning as intended.
For more details on addressing maintenance and incident response relative to cybersecurity, you may want to reference Section 3.11 Risk Assessment and Section 3.12 Security Assessment of NIST standard SP 800-171.
For more on this topic, we invite you to explore the Building an Advanced Cybersecurity Plan article series.
Part 1: Engagement and Reinforcement
Part 2: Interaction Mapping
Part 3: Access Control
Part 4: Electronic Media Protection
Part 5: Identification and Authentication
Part 6: Activity Logging, Auditing, and Traceability
Part 7: Network Resource Configuration Management
Part 8: Communications, Network, and Database Security
Part 9: Personnel and Infrastructure Security
Part 10: Maintenance and Incident Response