
Building an Advanced Cybersecurity Plan: Activity Logging, Auditing, and Traceability

Advanced cybersecurity plans should include functionality for logging every attempt to access the network or critical areas on the network, whether to protect business assets or to satisfy legal or contractual requirements. Read on to learn what that involves.
Sep 01, 2022

Closed-loop manufacturing systems provide superior reliability and stability. Many of the same concepts apply to implementing a cybersecurity plan. An advanced cybersecurity plan should include functionality for logging every attempt to access the network and every attempt to access critical information/services available on the network. Activities such as configuration changes to any network resource should also be logged. While it is typically not practical to log the content associated with every activity on the network, there may be highly sensitive areas of the network where such enhanced logging is necessary, either to protect business assets or to satisfy legal or contractual requirements.

Logging of activities and events on the network adds load to the systems involved and reduces their responsiveness. Therefore, the rules for determining which activities are to be logged need to balance security concerns against the impact on system performance. The information captured for each logged event/activity should include a timestamp (taken from a synchronized time source, so that events from different systems can be correlated), source and destination addresses, the identity of the account involved (both human and system accounts; record the identifier, never the password or secret itself), and, where applicable, the content of the transmitted information. To protect system performance, logging should be focused on “significant events”: every login attempt, successful or failed; password changes; credential failures; use of admin actions; external access to the network; use of guest credentials; and every attempt to access information considered “business sensitive.”

Logging itself is not sufficient. As part of “closing the loop,” monitoring algorithms must be implemented to assess the information that has been logged. As with most manufacturing monitoring systems, the network activity algorithms should provide two primary functions – (1) alerts for detected activities requiring immediate action and (2) periodic reporting to identify unusual trends or abnormalities in network activity.
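The two monitoring functions described above, run over the kind of records the previous paragraph calls for, as an added example (this is not code from the original article or from the author's organization; the JSON field names, the alert thresholds, the internal address ranges and the sample log lines are all constructed for illustration):

```python
"""Closed-loop review of audit events: alert on significant events that need
immediate action, and summarise activity for periodic reporting.  Added
example, not code from the original article; field names, thresholds and the
internal address ranges are assumptions."""
import ipaddress
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one JSON event per line, carrying the fields the
# article calls for (timestamp, source, destination, account identity, event).
SAMPLE_LOG = """\
{"ts": "2022-08-31T08:00:01Z", "src": "10.1.2.20", "dst": "10.1.0.5", "user": "jsmith", "event": "login_failed"}
{"ts": "2022-08-31T08:00:04Z", "src": "10.1.2.20", "dst": "10.1.0.5", "user": "jsmith", "event": "login_failed"}
{"ts": "2022-08-31T08:00:07Z", "src": "10.1.2.20", "dst": "10.1.0.5", "user": "jsmith", "event": "login_failed"}
{"ts": "2022-08-31T08:00:09Z", "src": "10.1.2.20", "dst": "10.1.0.5", "user": "jsmith", "event": "login_failed"}
{"ts": "2022-08-31T08:00:12Z", "src": "10.1.2.20", "dst": "10.1.0.5", "user": "jsmith", "event": "login_failed"}
{"ts": "2022-08-31T08:00:15Z", "src": "10.1.2.20", "dst": "10.1.0.5", "user": "jsmith", "event": "login_ok"}
{"ts": "2022-08-31T08:05:00Z", "src": "10.1.2.21", "dst": "10.1.0.9", "user": "guest", "event": "admin_action", "detail": "config_change"}
{"ts": "2022-08-31T09:10:00Z", "src": "203.0.113.7", "dst": "10.1.0.5", "user": "svc_mtconnect", "event": "login_ok"}
{"ts": "2022-08-31T09:11:00Z", "src": "10.1.2.30", "dst": "10.1.0.40", "user": "aleong", "event": "sensitive_access", "detail": "/erp/pricing"}
{"ts": "2022-08-31T09:12:00Z", "src": "10.1.2.30", "dst": "10.1.0.40", "user": "aleong", "event": "password_change"}
"""

# Assumed internal address space; anything else counts as "external access".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FAILED_LOGIN_THRESHOLD = 5                    # failures from one source ...
FAILED_LOGIN_WINDOW = timedelta(seconds=60)   # ... within this window -> alert


def parse_log(text):
    """Parse JSON lines into event dicts with a real datetime timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def is_external(addr):
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def detect_alerts(events):
    """Function (1): events that warrant an immediate alert."""
    alerts = []
    recent_failures = defaultdict(list)  # source address -> timestamps of failures
    for e in events:
        if e["event"] == "login_failed":
            window = recent_failures[e["src"]]
            window.append(e["ts"])
            while window and e["ts"] - window[0] > FAILED_LOGIN_WINDOW:
                window.pop(0)  # forget failures older than the window
            if len(window) >= FAILED_LOGIN_THRESHOLD:
                alerts.append(("repeated_login_failures", e["src"], e["ts"]))
                window.clear()  # one alert per burst, not one per extra failure
        if e["event"] == "admin_action" and e["user"] == "guest":
            alerts.append(("guest_admin_action", e["user"], e["ts"]))
        if e["event"] in ("login_ok", "sensitive_access") and is_external(e["src"]):
            alerts.append(("external_access", e["src"], e["ts"]))
    return alerts


def activity_report(events):
    """Function (2): counts for the periodic report, so reviewers can spot trends."""
    return {
        "events_by_type": Counter(e["event"] for e in events),
        "failed_logins_by_user": Counter(e["user"] for e in events if e["event"] == "login_failed"),
        "sensitive_access_by_user": Counter(e["user"] for e in events if e["event"] == "sensitive_access"),
        "external_sources": sorted({e["src"] for e in events if is_external(e["src"])}),
    }


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for kind, subject, ts in detect_alerts(evs):
        print(f"ALERT {ts:%Y-%m-%d %H:%M:%S} {kind}: {subject}")
    for section, values in activity_report(evs).items():
        print(section, dict(values) if isinstance(values, Counter) else values)
```

On the sample data this raises three alerts (a burst of failed logins from 10.1.2.20, an admin action under the guest account, and a successful login from an external address) and a report that counts events by type, failed logins per account, sensitive-data accesses per account and the external sources seen. Note that the sixth sample line is a successful login from the same source immediately after the burst of failures; a real rule set should treat a success following a burst as a higher-priority alert than the burst alone, since it may mean the guess worked.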

As part of the security plan, the organization needs to identify who is responsible for responding to security alerts and for reviewing system activity reports. A select group of individuals within the organization should be assigned this responsibility. It is recommended that multiple individuals representing different roles within the organization be assigned these responsibilities, both to provide different perspectives and to reduce the opportunity for collusion.

Audit logs and reports generated from logged information should be retained for a “reasonable” period. “Reasonable” will differ by company but should be long enough to meet each company's security requirements, and in particular longer than the time an intrusion could plausibly go undetected. We have all seen reports of security breaches that, once detected, were found to have begun some time in the past – the intruders had access to the data for an extended period. These audit logs and reports are critical for reconstructing what happened in such situations.

The administrative functions associated with the processes and procedures for logging and reporting network activities should be protected with the highest level of security. Administrative rights to these processes should be restricted to a small group of individuals. Any change to the configuration of these processes should require independent verification by a second person, and the stored logs themselves should be protected so that modification or deletion of entries can be detected.
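One way to make stored audit entries tamper-evident, so that a reviewer can tell whether the records they are relying on have been altered or removed since they were written, is to chain each entry to its predecessor with a keyed hash. The following is an added example, not code from the original article or from the author's organization; the record layout, the choice of HMAC-SHA-256, and the assumption that the key lives with the log collector rather than on the hosts that write entries are all illustrative:

```python
"""Tamper-evident audit log: entries are HMAC-chained so that modification or
deletion of a stored entry is detected on review.  Added example, not from the
original article; the key handling and record layout are assumptions."""
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain start marker for the first entry


def _canonical(record):
    # Stable serialisation so the same record always hashes the same way.
    return json.dumps(record, sort_keys=True, separators=(",", ":"))


def _entry_hash(key, prev_hash, record):
    # HMAC over (previous hash || record). The key must be held by the log
    # collector/verifier, not by the hosts writing entries; otherwise an
    # attacker who edits a host's log can simply re-chain it.
    payload = prev_hash.encode() + b"\n" + _canonical(record).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append_entry(log, key, record):
    """Append one audit record, linking it to the previous entry."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"record": record, "prev": prev, "hash": _entry_hash(key, prev, record)})
    return log


def verify_log(log, key, anchor=None):
    """Return None if the chain is intact, else the index of the first bad
    entry. `anchor` is the most recently published head hash (stored outside
    the log, e.g. by the collector); without it, truncating entries from the
    end of the log would go unnoticed."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["hash"] != _entry_hash(key, prev, entry["record"]):
            return i
        prev = entry["hash"]
    if anchor is not None and prev != anchor:
        return len(log)  # chain is consistent but shorter than the anchored head
    return None


def demonstrate(key):
    """Build a small log and show which tampering cases verify_log catches."""
    records = [  # constructed sample records
        {"ts": "2022-08-31T08:00:15Z", "user": "jsmith", "event": "login_ok"},
        {"ts": "2022-08-31T08:05:00Z", "user": "guest", "event": "admin_action"},
        {"ts": "2022-08-31T09:12:00Z", "user": "aleong", "event": "password_change"},
    ]
    log = []
    for r in records:
        append_entry(log, key, r)
    head = log[-1]["hash"]  # would be published to the anchor store

    intact = verify_log(log, key, anchor=head)

    edited = copy.deepcopy(log)
    edited[1]["record"]["user"] = "svc_backup"  # cover up the guest admin action
    modified = verify_log(edited, key, anchor=head)

    deleted = copy.deepcopy(log)
    del deleted[1]  # drop the entry outright
    removed = verify_log(deleted, key, anchor=head)

    truncated = log[:-1]  # lop off the newest entry
    cut = verify_log(truncated, key, anchor=head)

    return intact, modified, removed, cut


if __name__ == "__main__":
    print(demonstrate(b"collector-held-secret"))  # (None, 1, 1, 2)
```

Editing or deleting an entry breaks the link to the entries after it, and the verifier reports the index where the chain first fails. Removing entries from the end is the one case the chain alone cannot catch, which is why the head hash should be recorded somewhere the log writer cannot reach (a separate collector, a write-once store, or a periodic signed statement) and checked against during review.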

Implementing processes and procedures that encapsulate logging of network activities and reporting/auditing of those events strengthens a cybersecurity implementation. It provides ongoing feedback to confirm that security procedures are performing as expected.

For more details on concepts addressing network event logging and auditing processes, you may want to reference Section 3.3, Audit and Accountability, of NIST SP 800-171.


For more on this topic, we invite you to explore the Building an Advanced Cybersecurity Plan article series.

Part 1: Engagement and Reinforcement

Part 2: Interaction Mapping

Part 3: Access Control

Part 4: Electronic Media Protection

Part 5: Identification and Authentication

Part 6: Activity Logging, Auditing, and Traceability

Part 7: Network Resource Configuration Management

Part 8: Communications, Network, and Database Security

Part 9: Personnel and Infrastructure Security

Part 10: Maintenance and Incident Response

Part 11: Risk Assessment and Vulnerabilities Testing

Author
John Turner
Director of Technology for FA Consulting & Technology (FAC&T) and member of the MTConnect Institute.