Featured Image

Building an Advanced Cybersecurity Plan: Electronic Media Protection

Any advanced cybersecurity plan should address electronic media in both the IT and the OT networks. Devices like CDs, flash drives, and more are problematic since each is an interface to your company’s network, introducing possible security threats.
Jun 17, 2022

From a cybersecurity viewpoint, electronic media includes any mechanism used to transfer electronic information either into or out of devices connected to a company’s network. Devices connected to a company’s network include computers and servers, mass storage devices, production equipment, printers, copiers, etc. The types of mechanisms defined as electronic media include removable drives, diskettes, flash drives, CDs, DVDs, maintenance tools, diagnostic and test equipment, service and maintenance computers, and any other similar device. These devices are particularly problematic from a cybersecurity perspective since each is an interface to a company’s network, where security threats can be introduced.

An advanced cybersecurity plan should address the use and control of electronic media in both the IT network (general business network) and the OT network (manufacturing network). These two network environments share some security concerns common to both environments. Each also has its own unique set of security concerns based on the types of equipment connected to that portion of the company’s network. The challenges are particularly unique for the OT network due to the wide variety of equipment attached to the network – unique in the type of technology deployed, the age of the equipment, and the tools used to support that equipment.

In the IT environment, most equipment tends to be relatively new and can support a variety of security tools. Ideally, security tools are implemented on every computing device that will scan any electronic media immediately upon it being connected to the device – before any software or files are transferred. This goes a step beyond the functions typically provided by the more popular virus protection software tools. If more advanced security tools are not deployed, then the next best alternative is to prohibit the use of all electronic media devices. Since this may not be practical, there are a couple of standard practices to use electronic media devices more safely. One approach is to use specific stations where threat scanning software can be installed. All electronic information transfer to network devices must occur through these stations. Another alternative is to have media scanning stations that are not connected to the company’s network. All electronic media must pass through these scanning stations before they can be used with any device connected to the company network. This approach requires additional practices and procedures that assure the electronic media is properly handled – stored in a secure location, scanned before use, assigned to a specific user for a specific use, tracked while in use, and then re-scanned upon return to a secure location.

One type of electronic media that is often overlooked by companies is support and diagnostic tools used by service and support personnel – particularly those from outside the company. Any device, including computers that are connected to equipment that this also connected to the company network, represents the same security risk as any other electronic media device. These devices should adhere to the same security practices and procedures as all other devices.

In the OT environment, the issues related to managing electronic media and the risks associated with electronic media are a bit more complex. Much of the complexity comes from a variety of factors:

  • A majority of the devices connected to the IT network do not support PC-like functions where security software can be installed.

  • Many of the systems that do support PC-like functionality do not support adding security software.

  • Equipment can span multiple generations of computer/control system technology – each of which requires different types of electronic media to support those systems.

  • The maintenance and support tools needed to service manufacturing equipment can vary as much as the equipment itself.

A common practice in many manufacturing operations is to disable as many of the interfaces available on equipment where electronic media may be connected. This isn’t always practical, so an alternative approach is to provide security covers over the connection points to limit access to authorized personnel. Many of the same practices used in the IT network for scanning electronic media before use and controlling/tracking electronic media can be applied to the OT environment. The challenge is that a much broader set of tools are needed to provide security scanning of the different types of electronic media and the wide range of generations of technology found on the manufacturing shop floor. Some of these technologies include 3.5-inch floppy drives, 5.25-inch floppy drives, DOS systems, non-PC operating systems, SRAM, FROM, etc.

One area where many manufacturers can make a major improvement is in the identification and management of the various tools (hardware and software) used to support, maintain, and test production equipment. Maintenance departments should keep an approved and vetted set of tools and equipment. Where possible, these tools should be scanned for viruses and malware between every use. They also need to be tracked and monitored in a similar manner as electronic media in the IT environment.

Applying the same security practices and procedures to equipment brought into a manufacturing facility by outside service and support personnel is even more important in the OT environment than in the IT environment – simply because the equipment used is exposed to a wider variety of environments where that equipment was used at other facilities. This is an area where most manufacturers turn a blind eye. Where possible, the use of outside tools should be banned – favoring the use of tools that are controlled and vetted by the company’s maintenance department.

In many cases, implementing the ideal security procedures on the shop floor is not realistic or can represent major impacts on resources and production schedules. Many manufacturers make a risk assessment to establish a middle ground between very tight cybersecurity practices and successfully operating their facility. Generally, the concept is to use security tools and networking technologies to isolate individual or small groups of equipment from the balance of the OT network. The thinking is that they are willing to trade off the risk of a portion of their production equipment being impacted by a security threat (usually a virus, malware, or ransomware) while still effectively protecting the balance of their infrastructure.

Access control is a complex subject. A company must make a series of risk/reward decisions relative to the implementation of security procedures relative to electronic media. Implementations will be unique to every company’s specific environment and risk tolerance. The key is to develop a plan that is documented, implemented, re-enforced to personnel, and monitored for adherence.

For more details on concepts addressing security controls for electronic media, you may want to reference Section 3.8 Electronic Media of NIST standard SP 800-171.

For more on this topic, we invite you to explore the Building an Advanced Cybersecurity Plan article series.

Part 1: Engagement and Reinforcement

Part 2: Interaction Mapping

Part 3: Access Control

Part 4: Electronic Media Protection

Part 5: Identification and Authentication

Part 6: Activity Logging, Auditing, and Traceability

Part 7: Network Resource Configuration Management

Part 8: Communications, Network, and Database Security 

Part 9: Personnel and Infrastructure Security

Part 10: Maintenance and Incident Response

Part 11: Risk Assessment and Vulnerabilities Testing

John Turner
Director of Technology for FA Consulting & Technology (FAC&T) and member of the MTConnect Institute.
Recent technology News
Any cybersecurity implementation involves a trade-off between a company’s tolerance for risk and the effort and costs associated with protecting the company’s resources and customers. Learn how to assess risk and test for vulnerabilities in your network.
A company's cybersecurity plan requires constant monitoring and maintenance in order to effectively detect, analyze, contain, recover, and prevent attacks. Learn what steps personnel should take when an incident is detected and how to maintain the system.
You can set up free machine monitoring in as little as 30 minutes using a tool created by the great folks at Oak Ridge National Laboratory (ORNL)...
Ultra-premium, bougie digital twin. Michigan incentivizes industry 4.0 embrace. Metal health. "Go hug a driver or hug a worker in a distribution center."
A key aspect of any advanced cybersecurity plan is oversight and management of company and supplier personnel to address events originating within a company – intentional or not. Find out what considerations should be made when implementing your plan.
Similar News
By John Turner | Sep 01, 2022

Advanced cybersecurity plans should include functionality for logging every attempt to access the network or critical areas on the network to protect business assets or as required for legal or contractual requirements. Read on to learn what that involves.

5 min
By John Turner | Jun 03, 2022

Access control in an advanced cybersecurity plan go well beyond usernames and passwords. It means defining, implementing, and monitoring rules to control which persons and systems may access resources within your company’s network and computer systems.

5 min
By John Turner | Jan 26, 2023

Any cybersecurity implementation involves a trade-off between a company’s tolerance for risk and the effort and costs associated with protecting the company’s resources and customers. Learn how to assess risk and test for vulnerabilities in your network.

4 min