Featured Image

Building an Advanced Cybersecurity Plan: Activity Logging, Auditing, and Traceability

Advanced cybersecurity plans should include functionality for logging every attempt to access the network or critical areas on the network to protect business assets or as required for legal or contractual requirements. Read on to learn what that involves.
Sep 01, 2022

Closed-loop manufacturing systems provide superior reliability and stability. Many of the same concepts apply to implementing a cybersecurity plan. An advanced cybersecurity plan should include functionality for logging every attempt to access the network and every attempt to access critical information/services available on the network. Activities such as configuration changes to any network resource should also be logged. While it is typically not practical to log the content of every activity on the network or the content associated with every activity, there may be highly sensitive areas of the network where such enhanced logging is necessary – either to protect business assets or as required for legal or contractual requirements.

Logging of activities and events on the network increases system loading and responsiveness. Therefore, the rules for determining which activities are to be logged need to balance security concerns against the impact on system performance. The information to be captured for each event/activity logged should include a timestamp for the activity, source and destination addresses, the user credentials (both human and system credentials), and, where applicable, the content of the transmitted information. Logging should be focused on “significant events” to protect system performance; significant events include every login attempt, password changes, failed logins, credential failures, use of admin actions, external access to the network, use of guest credentials, and every attempt to access information considered “business sensitive.”

Logging itself is not sufficient. As part of “closing the loop,” monitoring algorithms must be implemented to assess the information that has been logged. As with most manufacturing monitoring systems, the network activity algorithms should provide two primary functions – (1) alerts for detected activities requiring immediate action and (2) periodic reporting to identify unusual trends or abnormalities in network activity.

As part of the security plan, individuals within the organization need to identify who is responsible for responding to security alerts and reviewing system activity reports. A select group of individuals within an organization should be assigned this responsibility. It is recommended that multiple individuals representing differing roles within the organization be assigned these responsibilities – providing various perspectives and to avoid the opportunity for collusion.

Audit logs and reports generated from logged information should be retained for a “reasonable” period. “Reasonable” will differ by each company but should be sufficient to meet the security requirements of each company. We have all seen reports of security breaches that, once detected, were found to have occurred sometime in the past – the intruders had access to the data for an extended period. These audit logs and reports are critical for assessing such situations.

The administrative functions associated with the processes and procedures for logging and reporting network activities should be protected with the highest level of security. Administrative rights to these processes should be restricted to a small group of individuals. Redundant verification should be required for any changes in the configuration of these processes.

Implementing processes and procedures that incapsulate logging of network activities and reporting/auditing of those events strengthens a cybersecurity implementation. It provides ongoing feedback to confirm that security procedures are performing to expectation.

For more details on concepts addressing network event logging and auditing processes, you may want to reference Section 3.3 Audit and Accountability of NIST standard SP 800-171.


For more on this topic, we invite you to explore the Building an Advanced Cybersecurity Plan article series.

Part 1: Engagement and Reinforcement

Part 2: Interaction Mapping

Part 3: Access Control

Part 4: Electronic Media Protection

Part 5: Identification and Authentication

Part 6: Activity Logging, Auditing, and Traceability

Part 7: Network Resource Configuration Management

Part 8: Communications, Network, and Database Security

Part 9: Personnel and Infrastructure Security

Part 10: Maintenance and Incident Response

Part 11: Risk Assessment and Vulnerabilities Testing

PicturePicture
Author
John Turner
Director of Technology for FA Consulting & Technology (FAC&T) and member of the MTConnect Institute.
Recent technology News
Successfully implementing edge computing into your shop floor may be more cost efficient than you think! Here are a couple ways your shop (and budget) can benefit. Bonus: Edge computing devices can also bolster your cybersecurity measures, saving you more!
In collecting data for digital manufacturing, the underlying system architecture for collecting and storing the data can significantly impact the system's benefits and its flexibility for future extensions. We examine two types that may address your needs.
Event to Connect Small and Medium Manufacturers with Experts in Smart Technologies
Edge computing in digital manufacturing involves placing devices between data sources and the network, and ranges from basic data collection to distributed systems. Learn more about its benefits like data processing, isolation, organization, and security.
What are the benefits of harvesting semantic data from equipment on the shop floor? For starters, it's easier to integrate machines into shop maintenance and monitoring systems. Learn how the industry has responded to semantic data – and where it's going.
Similar News
undefined
Technology
By Douglas K. Woods | Oct 07, 2024

Change is happening faster than ever. With it comes opportunities – as well as potentially insurmountable challenges to the status quo.

6 min
undefined
Technology
By Stephen LaMarca | Oct 02, 2024

OpenUSD and USD refer to the same core technology, with OpenUSD emphasizing the framework's open-source nature.

4 min
undefined
Technology
By Bonnie Gurney | Oct 03, 2024

Throughout the six days of IMTS 2024, the IMTS+ Main Stage hosted more than 85 speakers and produced more than 50 live shows.

4 min