Featured Image

Building an Advanced Cybersecurity Plan: Activity Logging, Auditing, and Traceability

Advanced cybersecurity plans should include functionality for logging every attempt to access the network or critical areas on the network to protect business assets or as required for legal or contractual requirements. Read on to learn what that involves.
Sep 01, 2022

Closed-loop manufacturing systems provide superior reliability and stability. Many of the same concepts apply to implementing a cybersecurity plan. An advanced cybersecurity plan should include functionality for logging every attempt to access the network and every attempt to access critical information/services available on the network. Activities such as configuration changes to any network resource should also be logged. While it is typically not practical to log the content of every activity on the network or the content associated with every activity, there may be highly sensitive areas of the network where such enhanced logging is necessary – either to protect business assets or as required for legal or contractual requirements.

Logging of activities and events on the network increases system loading and responsiveness. Therefore, the rules for determining which activities are to be logged need to balance security concerns against the impact on system performance. The information to be captured for each event/activity logged should include a timestamp for the activity, source and destination addresses, the user credentials (both human and system credentials), and, where applicable, the content of the transmitted information. Logging should be focused on “significant events” to protect system performance; significant events include every login attempt, password changes, failed logins, credential failures, use of admin actions, external access to the network, use of guest credentials, and every attempt to access information considered “business sensitive.”

Logging itself is not sufficient. As part of “closing the loop,” monitoring algorithms must be implemented to assess the information that has been logged. As with most manufacturing monitoring systems, the network activity algorithms should provide two primary functions – (1) alerts for detected activities requiring immediate action and (2) periodic reporting to identify unusual trends or abnormalities in network activity.

As part of the security plan, individuals within the organization need to identify who is responsible for responding to security alerts and reviewing system activity reports. A select group of individuals within an organization should be assigned this responsibility. It is recommended that multiple individuals representing differing roles within the organization be assigned these responsibilities – providing various perspectives and to avoid the opportunity for collusion.

Audit logs and reports generated from logged information should be retained for a “reasonable” period. “Reasonable” will differ by each company but should be sufficient to meet the security requirements of each company. We have all seen reports of security breaches that, once detected, were found to have occurred sometime in the past – the intruders had access to the data for an extended period. These audit logs and reports are critical for assessing such situations.

The administrative functions associated with the processes and procedures for logging and reporting network activities should be protected with the highest level of security. Administrative rights to these processes should be restricted to a small group of individuals. Redundant verification should be required for any changes in the configuration of these processes.

Implementing processes and procedures that incapsulate logging of network activities and reporting/auditing of those events strengthens a cybersecurity implementation. It provides ongoing feedback to confirm that security procedures are performing to expectation.

For more details on concepts addressing network event logging and auditing processes, you may want to reference Section 3.3 Audit and Accountability of NIST standard SP 800-171.

For more on this topic, we invite you to explore the Building an Advanced Cybersecurity Plan article series.

Part 1: Engagement and Reinforcement

Part 2: Interaction Mapping

Part 3: Access Control

Part 4: Electronic Media Protection

Part 5: Identification and Authentication

Part 6: Activity Logging, Auditing, and Traceability

Part 7: Network Resource Configuration Management

Part 8: Communications, Network, and Database Security 

John Turner
Director of Technology for FA Consulting & Technology (FAC&T) and member of the MTConnect Institute.
Recent technology News
Implementing a cybersecurity plan includes deploying specific security functions to provide communications, networking, and database security. Learn what key factors to consider, what new technologies are being overlooked, and more for your implementation.
Configuration management in cybersecurity provides a uniform environment to deploy security updates, and a standardized platform to monitor network activity to identify potential security breaches. Learn what it is, how to use it, and what to watch for.
The definition and management of the credentials used to access the resources within a company's network requires their own set of rules within an access control strategy. Here are some important security elements to consider with usernames and passwords.
Any advanced cybersecurity plan should address electronic media in both the IT and the OT networks. Devices like CDs, flash drives, and more are problematic since each is an interface to your company’s network, introducing possible security threats.
The MTConnect Institute announces the release of MTConnect Version 2.0. The 2.0 version of the free, open, model-based standard that supports semantics for discrete manufacturing is a significant advancement from previous versions.
Similar News
By Stephen LaMarca | Dec 02, 2022

A valet that won’t burn out your clutch. Y’all need facility tours. Paper batteries. Prototyping to mass production. Cybersecurity and the FBI.

5 min
By AMT | Nov 22, 2022

Check in for the highlights, headlines, and hijinks that matter to manufacturing. These lean news items keep you updated on the latest developments.

3 min
By Benjamin Moses | Nov 12, 2022

Steve is going to a manufacturing industry adjacent tradeshow that he and Ben have been trying to get into for a long time; Ben will for sure go next year (2024), though. Stephen also talks about how it felt to cut the first part off the new testbed CNC...

46 min