Many elements of an advanced cybersecurity plan involve strategic decisions that impact how a company operates securely and how company resources are managed and deployed to facilitate secure operations. These topics require engagement by the management team and every user with access to the company’s network resources. We have discussed many of these elements in previous articles in this series – “Building an Advanced Cybersecurity Plan.” Additional elements of a security plan are equally important but are more narrowly focused on IT professionals. One of these elements is implementing and deploying specific security functions to provide communications, networking, and database security.
Systems security engineering is the discipline that combines multiple security engineering specialties into a fully integrated, system-level perspective on system security. IT professionals apply systems security engineering principles to define the network architecture and the software and hardware implementations used to monitor, control, and protect communications and information both “in transit” and at rest in databases and other data storage devices.
The specific implementation will depend on several factors, including requirements established in other elements of the security plan, the current state of existing network resources, and the risk tolerance of an individual company. Some key factors that should be considered in all implementations include:
Security functions should be designed in a layered fashion such that each layer represents an additional obstacle for a potential intruder.
A diversity of security functions should be used at different portions of the network architecture. The interface between each segment of the system architecture should be viewed as a “locked door,” and a different set of keys is required for each door – no “master key” that gains access to all.
Deploying strong security functions at all external boundaries to the network is of high importance. Deploying security functions between system components within the network is highly recommended.
Network segmentation is essential to block the propagation of security threats throughout the network. This is especially important in the manufacturing environment due to the high concentration of devices that do not directly support implementing security functions.
Typically, it is not feasible to implement all of the desired security functions in an existing network without incurring significant disruptions and costs. Companies should deploy as many of the desired security functions as possible based on the current state of the network architecture and their risk tolerance for the potential impact of a security threat. However, when new extensions to the network are implemented, or major system modifications are underway, it is an opportune time to extend and enhance the security implementation at the same time.
One function that can normally be implemented in any network without significant interruption is the separation of administrative and system management functions onto different devices and, where possible, into separate domains from all user functions. This transition can be carried out gradually over time. It is an important step because it establishes a more secure structure in support of all future network security enhancements.
There are multiple concepts for implementing security functions for accessing the network, network resources, and data sources. The preferred concept is “Deny All, Allow by Exception.” In this scenario, all access to network resources is blocked unless specifically approved. This is also known as “whitelisting.” This approach requires more system configuration management resources but is more secure and proactive than the traditional “blacklisting” approaches that only address known potential threat sources.
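The segmentation, “locked door,” separate administrative domain, and “Deny All, Allow by Exception” points above, shown together as an added example that is not code from the article: a small zone-aware policy evaluator with a default-deny allowlist, and a blocklist for contrast. The zones, address ranges, ports and sample flows are constructed assumptions.

```python
"""Added example (not from the article): zone-aware default-deny policy.
Zones, networks, rules and flows below are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    port: int


# Assumed segmentation: users, a DMZ, the manufacturing floor, and a
# separate administrative domain (hypothetical address ranges).
ZONES = {
    "corporate": ip_network("10.10.0.0/16"),
    "dmz": ip_network("10.20.0.0/24"),
    "manufacturing": ip_network("10.30.0.0/16"),
    "admin": ip_network("10.40.0.0/24"),
}

# Each boundary ("door") has its own explicit exceptions; no single rule
# opens every door, so there is no "master key".
ALLOW = [
    Rule("corporate", "dmz", 443),        # users reach the DMZ web tier
    Rule("dmz", "manufacturing", 4840),   # DMZ historian polls OPC UA
    Rule("admin", "manufacturing", 22),   # admin jump host manages gateways
]

# For contrast: a blocklist that only names threats already known.
BLOCKED_PORTS = {23, 445}


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone; None means it belongs to no trusted zone."""
    addr = ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), None)


def allow_by_exception(flow: Flow) -> bool:
    """Default deny: a cross-zone flow passes only if an explicit rule matches."""
    src, dst = zone_of(flow.src), zone_of(flow.dst)
    if src is None or dst is None:
        return False                 # unknown endpoints never pass
    if src == dst:
        return True                  # intra-zone: boundary control not applied
    return Rule(src, dst, flow.port) in ALLOW


def deny_by_exception(flow: Flow) -> bool:
    """Default allow (blacklisting): anything not already known is let through."""
    return flow.port not in BLOCKED_PORTS
```

Note that the unknown source address is rejected by the allowlist but passes the blocklist, which is the “only addresses known threats” weakness the text describes.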
One newer technology that is becoming very prevalent and is, in many cases, overlooked from a security perspective is VoIP (voice over internet protocol). Basically, VoIP is telephone communication over the internet. Most cellular phone service providers will redirect cellphone service through any available internet connection that can be established. Each of these connections is a potential point of security breach. While most phone service providers should have well-established security protocols in place, it is not practical to validate each one. Companies must recognize that if they allow mobile phone access to their network, this is another external network interface that must be addressed as part of the overall security implementation.
Architecting and deploying a well-structured and effective network security implementation requires advanced systems security engineering expertise. Larger companies can often hire such expertise. Smaller companies typically rely on outside resources to provide these services. In either case, management should thoroughly vet the selected resources that will provide these services, since the rest of your cybersecurity plan will provide little benefit if this plan element is not properly implemented.
For more details on concepts addressing network configuration management, you may want to reference Section 3.13 System and Communications Protection of NIST standard SP 800-171.
For more on this topic, we invite you to explore the Building an Advanced Cybersecurity Plan article series.
Part 1: Engagement and Reinforcement
Part 2: Interaction Mapping
Part 3: Access Control
Part 4: Electronic Media Protection
Part 5: Identification and Authentication
Part 6: Activity Logging, Auditing, and Traceability
Part 7: Network Resource Configuration Management
Part 8: Communications, Network, and Database Security
Part 9: Personnel and Infrastructure Security
Part 10: Maintenance and Incident Response