Featured Image

Building an Advanced Cybersecurity Plan: Electronic Media Protection

Any advanced cybersecurity plan should address electronic media in both the IT and the OT networks. Devices like CDs, flash drives, and more are problematic since each is an interface to your company’s network, introducing possible security threats.
Jun 17, 2022

From a cybersecurity viewpoint, electronic media includes any mechanism used to transfer electronic information either into or out of devices connected to a company’s network. Devices connected to a company’s network include computers and servers, mass storage devices, production equipment, printers, copiers, etc. The types of mechanisms defined as electronic media include removable drives, diskettes, flash drives, CDs, DVDs, maintenance tools, diagnostic and test equipment, service and maintenance computers, and any other similar device. These devices are particularly problematic from a cybersecurity perspective since each is an interface to a company’s network, where security threats can be introduced.

An advanced cybersecurity plan should address the use and control of electronic media in both the IT network (general business network) and the OT network (manufacturing network). These two network environments share some security concerns common to both environments. Each also has its own unique set of security concerns based on the types of equipment connected to that portion of the company’s network. The challenges are particularly unique for the OT network due to the wide variety of equipment attached to the network – unique in the type of technology deployed, the age of the equipment, and the tools used to support that equipment.

In the IT environment, most equipment tends to be relatively new and can support a variety of security tools. Ideally, security tools are implemented on every computing device that will scan any electronic media immediately upon it being connected to the device – before any software or files are transferred. This goes a step beyond the functions typically provided by the more popular virus protection software tools. If more advanced security tools are not deployed, then the next best alternative is to prohibit the use of all electronic media devices. Since this may not be practical, there are a couple of standard practices to use electronic media devices more safely. One approach is to use specific stations where threat scanning software can be installed. All electronic information transfer to network devices must occur through these stations. Another alternative is to have media scanning stations that are not connected to the company’s network. All electronic media must pass through these scanning stations before they can be used with any device connected to the company network. This approach requires additional practices and procedures that assure the electronic media is properly handled – stored in a secure location, scanned before use, assigned to a specific user for a specific use, tracked while in use, and then re-scanned upon return to a secure location.

One type of electronic media that is often overlooked by companies is support and diagnostic tools used by service and support personnel – particularly those from outside the company. Any device, including computers that are connected to equipment that this also connected to the company network, represents the same security risk as any other electronic media device. These devices should adhere to the same security practices and procedures as all other devices.

In the OT environment, the issues related to managing electronic media and the risks associated with electronic media are a bit more complex. Much of the complexity comes from a variety of factors:

  • A majority of the devices connected to the IT network do not support PC-like functions where security software can be installed.

  • Many of the systems that do support PC-like functionality do not support adding security software.

  • Equipment can span multiple generations of computer/control system technology – each of which requires different types of electronic media to support those systems.

  • The maintenance and support tools needed to service manufacturing equipment can vary as much as the equipment itself.

A common practice in many manufacturing operations is to disable as many of the interfaces available on equipment where electronic media may be connected. This isn’t always practical, so an alternative approach is to provide security covers over the connection points to limit access to authorized personnel. Many of the same practices used in the IT network for scanning electronic media before use and controlling/tracking electronic media can be applied to the OT environment. The challenge is that a much broader set of tools are needed to provide security scanning of the different types of electronic media and the wide range of generations of technology found on the manufacturing shop floor. Some of these technologies include 3.5-inch floppy drives, 5.25-inch floppy drives, DOS systems, non-PC operating systems, SRAM, FROM, etc.

One area where many manufacturers can make a major improvement is in the identification and management of the various tools (hardware and software) used to support, maintain, and test production equipment. Maintenance departments should keep an approved and vetted set of tools and equipment. Where possible, these tools should be scanned for viruses and malware between every use. They also need to be tracked and monitored in a similar manner as electronic media in the IT environment.

Applying the same security practices and procedures to equipment brought into a manufacturing facility by outside service and support personnel is even more important in the OT environment than in the IT environment – simply because the equipment used is exposed to a wider variety of environments where that equipment was used at other facilities. This is an area where most manufacturers turn a blind eye. Where possible, the use of outside tools should be banned – favoring the use of tools that are controlled and vetted by the company’s maintenance department.

In many cases, implementing the ideal security procedures on the shop floor is not realistic or can represent major impacts on resources and production schedules. Many manufacturers make a risk assessment to establish a middle ground between very tight cybersecurity practices and successfully operating their facility. Generally, the concept is to use security tools and networking technologies to isolate individual or small groups of equipment from the balance of the OT network. The thinking is that they are willing to trade off the risk of a portion of their production equipment being impacted by a security threat (usually a virus, malware, or ransomware) while still effectively protecting the balance of their infrastructure.

Access control is a complex subject. A company must make a series of risk/reward decisions relative to the implementation of security procedures relative to electronic media. Implementations will be unique to every company’s specific environment and risk tolerance. The key is to develop a plan that is documented, implemented, re-enforced to personnel, and monitored for adherence.

For more details on concepts addressing security controls for electronic media, you may want to reference Section 3.8 Electronic Media of NIST standard SP 800-171.


For more on this topic, we invite you to explore the Building an Advanced Cybersecurity Plan article series.

Part 1: Engagement and Reinforcement

Part 2: Interaction Mapping

Part 3: Access Control

Part 4: Electronic Media Protection

Part 5: Identification and Authentication

Part 6: Activity Logging, Auditing, and Traceability

Part 7: Network Resource Configuration Management

Part 8: Communications, Network, and Database Security 

Part 9: Personnel and Infrastructure Security

Part 10: Maintenance and Incident Response

Part 11: Risk Assessment and Vulnerabilities Testing

PicturePicture
Author
John Turner
Director of Technology for FA Consulting & Technology (FAC&T) and member of the MTConnect Institute.
Recent technology News
Check in for the highlights, headlines, and hijinks that matter to manufacturing. These lean news items keep you updated on the latest developments.
Successfully implementing edge computing into your shop floor may be more cost efficient than you think! Here are a couple ways your shop (and budget) can benefit. Bonus: Edge computing devices can also bolster your cybersecurity measures, saving you more!
In collecting data for digital manufacturing, the underlying system architecture for collecting and storing the data can significantly impact the system's benefits and its flexibility for future extensions. We examine two types that may address your needs.
Event to Connect Small and Medium Manufacturers with Experts in Smart Technologies
Edge computing in digital manufacturing involves placing devices between data sources and the network, and ranges from basic data collection to distributed systems. Learn more about its benefits like data processing, isolation, organization, and security.
Similar News
undefined
Technology
By Benjamin Moses | Dec 13, 2024

Episode 127: Ben and Steve both have some testbed updates and conclude that having a solid in-house IT team on hand is vital for implementing new OT (operational technology) systems. The tech friends lighten things up by reflecting on their Thanksgiving.

45 min
undefined
Technology
By Michelle Edmonson, CEM | Dec 02, 2024

IMTS 2024 brought the manufacturing technology community together for six exhilarating days filled with opportunities to explore new solutions and build meaningful connections.

6 min
undefined
Technology
By Kathy Keyes Webster | Dec 10, 2024

Manufacturers are doers—always building, innovating, and transforming. It’s no surprise that the most-read articles on AMTonline.org this year spotlighted the driving forces of the industry: automation, innovation, and transformation.

6 min