Featured Image

Building an Advanced Cybersecurity Plan: Communications, Network, and Database Security

Implementing a cybersecurity plan includes deploying specific security functions to provide communications, networking, and database security. Learn what key factors to consider, what new technologies are being overlooked, and more for your implementation.
Nov 16, 2022

Many elements of an advanced cybersecurity plan involve strategic decisions that impact how a company operates securely and how company resources are managed and deployed to facilitate secure operations. These topics require engagement by the management team and every user with access to the company’s network resources. We have discussed many of these elements in previous articles in this series – “Building an Advanced Cybersecurity Plan.” Additional elements of a security plan are equally important but are more narrowly focused on IT professionals. One of these elements is implementing and deploying specific security functions to provide communications, networking, and database security.

Systems security engineering is the science of multiple security engineering specialties to provide a fully integrated, system-level perspective of system security. IT professionals utilize systems security engineering principles to define the network architecture and software/hardware implementations for monitoring, controlling, and protecting communications and information “in transit” and when stationary in databases and other data storage devices.

The specific implementation will depend on several factors, including requirements established in other elements of the security plan, the current state of existing network resources, and the risk tolerance of an individual company. Some key factors that should be considered in all implementations include:

  • Security functions should be designed in a layered fashion such that each layer represents an additional obstacle for a potential intruder.

  • A diversity of security functions should be used at different portions of network architecture. The interface between each segment of the system architecture should be viewed as a “locked door,” and a different set of keys is required for each door – no “master key” that gains access to all.

  • Deploying strong security functions at all external boundaries to the network is of high importance. Deploying security functions between system components within the network is highly recommended.

  • Network segmentation is essential to block the propagation of security threats throughout the network. This is especially important in the manufacturing environment due to the high concentration of devices that do not directly support implementing security functions.

Typically, it is not feasible to implement all of the desired security functions in an existing network without incurring significant disruptions and costs. Companies should deploy as many of the desired security functions as possible based on the current state of the network architecture and their risk tolerance for the potential impact of a security threat. However, when new extensions to the network are implemented, or major system modifications are underway, it is an opportune time to extend and enhance the security implementation at the same time.

One of the functions that can normally be implemented in any network without any significant interruption is the separation of administrative and system management functions to different devices and, where possible, separate domains from all user functions. This task can be implemented over time to transition these functions. This step is important to establish a more secure structure in support of all future network security enhancements.

There are multiple concepts for implementing security functions for accessing the network, network resources, and data sources. The preferred concept is “Deny All, Allow by Exception.” In this scenario, all access to network resources is blocked unless specifically approved. This is also known as “whitelisting.” This approach requires more system configuration management resources but is more secure and proactive than the traditional “blacklisting” approaches that only address known potential threat sources.

One of the newer technologies that is becoming very prevalent and is being overlooked from a security perspective in many cases is VoIP (voice over internet protocol). Basically, VoIP is telephone communication over the internet. Most cellular phone service providers will redirect cellphone service through any available internet connection that can be established. Each of these connections represents a potential for a security breach. While most phone service providers should have well-established security protocols in place, it is not practical to validate each one. Companies must recognize that if they allow mobile phone access to their network, this is another external network interface that must be addressed as part of the overall security implementation.

Architecting and deploying a well-structured and effective network security implementation requires advanced systems security engineering expertise. Larger companies often can hire such expertise. Smaller companies typically rely on outside resources to provide these services. In either case, management should thoroughly vet the selected resources that will provide these services since the balance of your cybersecurity plan will provide little benefit if this plan element is not properly implemented.

For more details on concepts addressing network configuration management, you may want to reference Section 3.13 System and Communications Protection of NIST standard SP 800-171.


For more on this topic, we invite you to explore the Building an Advanced Cybersecurity Plan article series.

Part 1: Engagement and Reinforcement

Part 2: Interaction Mapping

Part 3: Access Control

Part 4: Electronic Media Protection

Part 5: Identification and Authentication

Part 6: Activity Logging, Auditing, and Traceability

Part 7: Network Resource Configuration Management

Part 8: Communications, Network, and Database Security 

Part 9: Personnel and Infrastructure Security

Part 10: Maintenance and Incident Response

Part 11: Risk Assessment and Vulnerabilities Testing

PicturePicture
Author
John Turner
Director of Technology for FA Consulting & Technology (FAC&T) and member of the MTConnect Institute.
Recent technology News
Check in for the highlights, headlines, and hijinks that matter to manufacturing. These lean news items keep you updated on the latest developments.
Successfully implementing edge computing into your shop floor may be more cost efficient than you think! Here are a couple ways your shop (and budget) can benefit. Bonus: Edge computing devices can also bolster your cybersecurity measures, saving you more!
In collecting data for digital manufacturing, the underlying system architecture for collecting and storing the data can significantly impact the system's benefits and its flexibility for future extensions. We examine two types that may address your needs.
Event to Connect Small and Medium Manufacturers with Experts in Smart Technologies
Edge computing in digital manufacturing involves placing devices between data sources and the network, and ranges from basic data collection to distributed systems. Learn more about its benefits like data processing, isolation, organization, and security.
Similar News
undefined
Technology
By Benjamin Moses | Dec 13, 2024

Episode 127: Ben and Steve both have some testbed updates and conclude that having a solid in-house IT team on hand is vital for implementing new OT (operational technology) systems. The tech friends lighten things up by reflecting on their Thanksgiving.

45 min
undefined
Technology
By Michelle Edmonson, CEM | Dec 02, 2024

IMTS 2024 brought the manufacturing technology community together for six exhilarating days filled with opportunities to explore new solutions and build meaningful connections.

6 min
undefined
Technology
By Kathy Keyes Webster | Dec 10, 2024

Manufacturers are doers—always building, innovating, and transforming. It’s no surprise that the most-read articles on AMTonline.org this year spotlighted the driving forces of the industry: automation, innovation, and transformation.

6 min