Featured Image

Building an Advanced Cybersecurity Plan: Communications, Network, and Database Security

Implementing a cybersecurity plan includes deploying specific security functions to provide communications, networking, and database security. Learn what key factors to consider, what new technologies are being overlooked, and more for your implementation.
Nov 16, 2022

Many elements of an advanced cybersecurity plan involve strategic decisions that impact how a company operates securely and how company resources are managed and deployed to facilitate secure operations. These topics require engagement by the management team and every user with access to the company’s network resources. We have discussed many of these elements in previous articles in this series – “Building an Advanced Cybersecurity Plan.” Additional elements of a security plan are equally important but are more narrowly focused on IT professionals. One of these elements is implementing and deploying specific security functions to provide communications, networking, and database security.

Systems security engineering is the science of multiple security engineering specialties to provide a fully integrated, system-level perspective of system security. IT professionals utilize systems security engineering principles to define the network architecture and software/hardware implementations for monitoring, controlling, and protecting communications and information “in transit” and when stationary in databases and other data storage devices.

The specific implementation will depend on several factors, including requirements established in other elements of the security plan, the current state of existing network resources, and the risk tolerance of an individual company. Some key factors that should be considered in all implementations include:

  • Security functions should be designed in a layered fashion such that each layer represents an additional obstacle for a potential intruder.

  • A diversity of security functions should be used at different portions of network architecture. The interface between each segment of the system architecture should be viewed as a “locked door,” and a different set of keys is required for each door – no “master key” that gains access to all.

  • Deploying strong security functions at all external boundaries to the network is of high importance. Deploying security functions between system components within the network is highly recommended.

  • Network segmentation is essential to block the propagation of security threats throughout the network. This is especially important in the manufacturing environment due to the high concentration of devices that do not directly support implementing security functions.

Typically, it is not feasible to implement all of the desired security functions in an existing network without incurring significant disruptions and costs. Companies should deploy as many of the desired security functions as possible based on the current state of the network architecture and their risk tolerance for the potential impact of a security threat. However, when new extensions to the network are implemented, or major system modifications are underway, it is an opportune time to extend and enhance the security implementation at the same time.

One of the functions that can normally be implemented in any network without any significant interruption is the separation of administrative and system management functions to different devices and, where possible, separate domains from all user functions. This task can be implemented over time to transition these functions. This step is important to establish a more secure structure in support of all future network security enhancements.

There are multiple concepts for implementing security functions for accessing the network, network resources, and data sources. The preferred concept is “Deny All, Allow by Exception.” In this scenario, all access to network resources is blocked unless specifically approved. This is also known as “whitelisting.” This approach requires more system configuration management resources but is more secure and proactive than the traditional “blacklisting” approaches that only address known potential threat sources.

One of the newer technologies that is becoming very prevalent and is being overlooked from a security perspective in many cases is VoIP (voice over internet protocol). Basically, VoIP is telephone communication over the internet. Most cellular phone service providers will redirect cellphone service through any available internet connection that can be established. Each of these connections represents a potential for a security breach. While most phone service providers should have well-established security protocols in place, it is not practical to validate each one. Companies must recognize that if they allow mobile phone access to their network, this is another external network interface that must be addressed as part of the overall security implementation.

Architecting and deploying a well-structured and effective network security implementation requires advanced systems security engineering expertise. Larger companies often can hire such expertise. Smaller companies typically rely on outside resources to provide these services. In either case, management should thoroughly vet the selected resources that will provide these services since the balance of your cybersecurity plan will provide little benefit if this plan element is not properly implemented.

For more details on concepts addressing network configuration management, you may want to reference Section 3.13 System and Communications Protection of NIST standard SP 800-171.


For more on this topic, we invite you to explore the Building an Advanced Cybersecurity Plan article series.

Part 1: Engagement and Reinforcement

Part 2: Interaction Mapping

Part 3: Access Control

Part 4: Electronic Media Protection

Part 5: Identification and Authentication

Part 6: Activity Logging, Auditing, and Traceability

Part 7: Network Resource Configuration Management

Part 8: Communications, Network, and Database Security 

PicturePicture
Author
John Turner
Director of Technology for FA Consulting & Technology (FAC&T) and member of the MTConnect Institute.
Recent technology News
Configuration management in cybersecurity provides a uniform environment to deploy security updates, and a standardized platform to monitor network activity to identify potential security breaches. Learn what it is, how to use it, and what to watch for.
Advanced cybersecurity plans should include functionality for logging every attempt to access the network or critical areas on the network to protect business assets or as required for legal or contractual requirements. Read on to learn what that involves.
The definition and management of the credentials used to access the resources within a company's network requires their own set of rules within an access control strategy. Here are some important security elements to consider with usernames and passwords.
Any advanced cybersecurity plan should address electronic media in both the IT and the OT networks. Devices like CDs, flash drives, and more are problematic since each is an interface to your company’s network, introducing possible security threats.
The MTConnect Institute announces the release of MTConnect Version 2.0. The 2.0 version of the free, open, model-based standard that supports semantics for discrete manufacturing is a significant advancement from previous versions.
Similar News
undefined
Technology
By Stephen LaMarca | Dec 02, 2022

A valet that won’t burn out your clutch. Y’all need facility tours. Paper batteries. Prototyping to mass production. Cybersecurity and the FBI.

5 min
undefined
Technology
By AMT | Nov 22, 2022

Check in for the highlights, headlines, and hijinks that matter to manufacturing. These lean news items keep you updated on the latest developments.

3 min
undefined
Technology
By Benjamin Moses | Nov 12, 2022

Steve is going to a manufacturing industry adjacent tradeshow that he and Ben have been trying to get into for a long time; Ben will for sure go next year (2024), though. Stephen also talks about how it felt to cut the first part off the new testbed CNC...

46 min