Building an Advanced Cybersecurity Plan: Communications, Network, and Database Security

Implementing a cybersecurity plan includes deploying specific security functions to provide communications, networking, and database security. Learn what key factors to consider, what new technologies are being overlooked, and more for your implementation.
Nov 16, 2022

Many elements of an advanced cybersecurity plan involve strategic decisions that impact how a company operates securely and how company resources are managed and deployed to facilitate secure operations. These topics require engagement by the management team and every user with access to the company’s network resources. We have discussed many of these elements in previous articles in this series – “Building an Advanced Cybersecurity Plan.” Additional elements of a security plan are equally important but are more narrowly focused on IT professionals. One of these elements is implementing and deploying specific security functions to provide communications, networking, and database security.

Systems security engineering integrates multiple security engineering specialties to provide a fully integrated, system-level view of system security. IT professionals apply systems security engineering principles to define the network architecture and the software and hardware implementations for monitoring, controlling, and protecting communications and information both “in transit” and at rest in databases and other data storage devices.

The specific implementation will depend on several factors, including requirements established in other elements of the security plan, the current state of existing network resources, and the risk tolerance of an individual company. Some key factors that should be considered in all implementations include:

  • Security functions should be designed in a layered fashion such that each layer represents an additional obstacle for a potential intruder.

  • A diversity of security functions should be used at different portions of the network architecture. The interface between each segment of the system architecture should be viewed as a “locked door,” and a different set of keys is required for each door – there is no “master key” that gains access to all.

  • Deploying strong security functions at all external boundaries to the network is of high importance. Deploying security functions between system components within the network is highly recommended.

  • Network segmentation is essential to block the propagation of security threats throughout the network. This is especially important in the manufacturing environment due to the high concentration of devices that do not directly support implementing security functions.

Typically, it is not feasible to implement all of the desired security functions in an existing network without incurring significant disruptions and costs. Companies should deploy as many of the desired security functions as possible based on the current state of the network architecture and their risk tolerance for the potential impact of a security threat. However, when new extensions to the network are implemented, or major system modifications are underway, it is an opportune time to extend and enhance the security implementation at the same time.

One of the functions that can normally be implemented in any network without any significant interruption is the separation of administrative and system management functions to different devices and, where possible, separate domains from all user functions. This task can be implemented over time to transition these functions. This step is important to establish a more secure structure in support of all future network security enhancements.

There are multiple concepts for implementing security functions for accessing the network, network resources, and data sources. The preferred concept is “Deny All, Allow by Exception.” In this scenario, all access to network resources is blocked unless specifically approved. This is also known as “whitelisting.” This approach requires more system configuration management resources but is more secure and proactive than the traditional “blacklisting” approaches that only address known potential threat sources.

One newer technology that is becoming very prevalent, and that in many cases is overlooked from a security perspective, is VoIP (voice over internet protocol). Basically, VoIP is telephone communication over the internet. Most cellular phone service providers will redirect cellphone service through any available internet connection that can be established. Each of these connections represents a potential for a security breach. While most phone service providers should have well-established security protocols in place, it is not practical to validate each one. Companies must recognize that if they allow mobile phone access to their network, this is another external network interface that must be addressed as part of the overall security implementation.
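As an added example (not from the article or its author), the following Linux nftables ruleset shows how the “Deny All, Allow by Exception” concept, the segmentation guidance, and the treatment of VoIP as a separately controlled segment translate into a gateway policy. The interface names, address ranges, and PBX address are assumed placeholders.

```nft
#!/usr/sbin/nft -f
# Added example: default-deny gateway policy between network segments.
# Interface names and address ranges below are assumed placeholders.
flush ruleset

define CORP_NET  = 10.10.0.0/16   # user workstations
define ADMIN_NET = 10.20.0.0/24   # administrative / system management segment
define OT_NET    = 10.30.0.0/16   # shop-floor devices that cannot run security functions
define VOICE_NET = 10.40.0.0/24   # VoIP handsets, kept in their own segment
define PBX       = 10.40.0.10     # VoIP PBX

table inet segmentation {
    chain input {
        # Traffic addressed to the gateway itself: denied unless listed below.
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # Only the admin segment may manage the gateway (SSH).
        iif "admin0" ip saddr $ADMIN_NET tcp dport 22 accept
        # Everything else is logged so it can be audited, then dropped.
        log prefix "gw-input-drop: " drop
    }

    chain forward {
        # Traffic between segments: "Deny All, Allow by Exception".
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Exception 1: admin segment may reach OT devices for management.
        iif "admin0" oif "ot0" ip saddr $ADMIN_NET ip daddr $OT_NET accept
        # Exception 2: workstations may reach the internet, but not OT or admin.
        iif "corp0" oif "wan0" ip saddr $CORP_NET accept
        # Exception 3: handsets reach only the PBX, on SIP and the RTP port range.
        iif "voice0" ip saddr $VOICE_NET ip daddr $PBX udp dport { 5060, 10000-20000 } accept
        # OT devices never initiate connections out of their segment; log attempts.
        iif "ot0" log prefix "ot-egress-attempt: " drop
        log prefix "gw-forward-drop: " drop
    }
}
```

Each “locked door” between segments is a separate explicit rule, so adding a new device or service means adding one exception rather than loosening the default.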

Architecting and deploying a well-structured and effective network security implementation requires advanced systems security engineering expertise. Larger companies often can hire such expertise. Smaller companies typically rely on outside resources to provide these services. In either case, management should thoroughly vet the selected resources that will provide these services, since the rest of your cybersecurity plan will provide little benefit if this plan element is not properly implemented.

For more details on concepts addressing network configuration management, you may want to reference Section 3.13, System and Communications Protection, of NIST SP 800-171.


For more on this topic, we invite you to explore the Building an Advanced Cybersecurity Plan article series.

Part 1: Engagement and Reinforcement

Part 2: Interaction Mapping

Part 3: Access Control

Part 4: Electronic Media Protection

Part 5: Identification and Authentication

Part 6: Activity Logging, Auditing, and Traceability

Part 7: Network Resource Configuration Management

Part 8: Communications, Network, and Database Security 

Part 9: Personnel and Infrastructure Security

Part 10: Maintenance and Incident Response

Part 11: Risk Assessment and Vulnerabilities Testing

Author
John Turner
Director of Technology for FA Consulting & Technology (FAC&T) and member of the MTConnect Institute.