
Building an Advanced Cybersecurity Plan: Identification and Authentication

The definition and management of the credentials used to access the resources within a company's network requires its own set of rules within an access control strategy. Here are some important security elements to consider with usernames, passwords, and the additional factors that back them up.
Aug 08, 2022

Access control, a comprehensive set of rules and requirements regulating which persons and systems have authority to access resources within a company's network and computer systems, is critical to all advanced cybersecurity implementations. Once established, many of the components implemented to support access control will remain relatively static for reasonable periods of time. However, one key element is dynamic and requires its own set of rules within an access control strategy. That is the definition and management of the credentials used to identify and authenticate persons and systems attempting to access resources within a company's network.

Generally, network security credentials consist of a username and a password, but they may also include other identifying factors such as the identity (IP address, MAC address, etc.) of the device being used to access the network. Note that IP and MAC addresses are easily spoofed, so device identity should be treated as a supplementary signal, not as a substitute for authenticating the user. There are also a variety of alternative technologies that can be used to identify a user. These include key fobs or authenticator apps that generate a new one-time code periodically, personal ID cards similar to facility access cards, a security dongle (hardware key) that must be connected to a computer's port, biometric ID systems, etc.

Once assigned, usernames tend to remain unchanged and allow the designated user to access network resources from any number of devices. Usernames must be unique within a network architecture, and a retired username should not be reissued to a different person, since logs and access lists keyed on that name would then become ambiguous. If a username does need to change, the identity of the user and the system resources that user can access should be re-validated as though the user were new to the network.

Methods should be implemented to monitor how frequently each user accesses the network. Rules should be established defining when a username is considered abandoned or retired. Such usernames, and all other components of the associated credentials, should be disabled for future network access rather than left active and unwatched.

It is common practice to allow temporary network/computer system access for temporary workers, company guests, and maintenance/service providers. Companies tend to deploy one of two strategies for providing credentials on a temporary basis. The simpler is a "guest network" that allows a guest to connect with very limited capabilities, typically restricted to internet access. A "guest network" carries its own risk: unless it is strictly segmented from internal networks (its own VLAN, client isolation, and firewall rules that permit only outbound internet traffic), a guest who is "inside" can use that foothold to pivot deeper into the company's infrastructure – you have unlocked the door through the outer layer of your security architecture. While it is more cumbersome to implement, it is a better alternative that each guest is provided a unique set of credentials which can be independently validated and monitored for activity on the network, so that any action can be traced to a specific person. All temporary credentials should be automatically disabled after a specified period of time rather than relying on someone remembering to revoke them.
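The two rules above (retire abandoned usernames; expire temporary credentials automatically) can be enforced from the authentication logs you already keep. The script below is an added example, not code from the article: it reads a constructed SSH-style auth log, keeps only successful logins, and decides which accounts to disable. The account inventory, the log lines, and the 60-day dormancy and 7-day guest lifetime thresholds are all assumed sample values.

```python
import re
from datetime import datetime, timedelta

# Constructed SSH-style auth log excerpt (sample data, not from the article).
SAMPLE_LOG = """\
2024-03-01T08:02:11Z sshd[1201]: Accepted password for alice from 10.0.4.21 port 51022 ssh2
2024-03-01T08:05:47Z sshd[1207]: Accepted publickey for svc-backup from 10.0.9.5 port 40011 ssh2
2024-03-03T17:40:02Z sshd[1330]: Failed password for bob from 10.0.4.30 port 51100 ssh2
2024-04-10T09:12:55Z sshd[2412]: Accepted password for alice from 10.0.4.21 port 51333 ssh2
2024-04-11T11:00:09Z sshd[2480]: Accepted password for guest-7f3a from 10.0.60.14 port 60001 ssh2
"""

# Constructed account inventory: creation date and whether the credential is temporary.
ACCOUNTS = {
    "alice":      {"created": "2023-01-15T00:00:00Z", "temporary": False},
    "bob":        {"created": "2023-06-01T00:00:00Z", "temporary": False},
    "svc-backup": {"created": "2023-02-01T00:00:00Z", "temporary": False},
    "guest-7f3a": {"created": "2024-04-11T00:00:00Z", "temporary": True},
    "carol":      {"created": "2024-04-20T00:00:00Z", "temporary": False},
}

# Only successful logins count; failed attempts do not prove the account is in use.
ACCEPTED_RE = re.compile(r"^(?P<ts>\S+) sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from ")


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def last_successful_logins(log_text: str) -> dict:
    """Map each username to the timestamp of its most recent accepted login."""
    last = {}
    for line in log_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if not m:
            continue
        ts, user = parse_ts(m.group("ts")), m.group("user")
        if user not in last or ts > last[user]:
            last[user] = ts
    return last


def accounts_to_disable(accounts: dict, last_login: dict, now: datetime,
                        dormant_days: int = 60, temp_days: int = 7) -> dict:
    """Return {username: reason} for every credential that should be disabled.

    Thresholds are assumed policy values. Temporary credentials expire temp_days
    after creation regardless of use. Permanent ones are retired after dormant_days
    without a successful login, measured from creation if the account has never
    logged in, which also catches accounts that were provisioned but never used.
    """
    decisions = {}
    for user, meta in accounts.items():
        created = parse_ts(meta["created"])
        if meta["temporary"]:
            if now - created > timedelta(days=temp_days):
                decisions[user] = "temporary credential past its %d-day lifetime" % temp_days
            continue
        reference = last_login.get(user, created)
        if now - reference > timedelta(days=dormant_days):
            decisions[user] = "no successful login in the last %d days" % dormant_days
    return decisions


if __name__ == "__main__":
    now = parse_ts("2024-05-15T00:00:00Z")
    flagged = accounts_to_disable(ACCOUNTS, last_successful_logins(SAMPLE_LOG), now)
    for user, reason in sorted(flagged.items()):
        print(f"disable {user}: {reason}")
```

Run against the sample data with a review date of 2024-05-15, this flags bob (never logged in since creation), svc-backup (a service account that went quiet, which is exactly the kind of account that tends to be forgotten) and the guest account, while leaving alice and the recently created carol alone. The same loop, fed from your directory and authentication logs, is the monitoring method the paragraph calls for.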

Some standard practices that should be implemented when managing credentials include:

  • Passwords should be required to be updated periodically – monthly, quarterly, etc. Note that current NIST guidance (SP 800-63B) advises against forced rotation on a fixed schedule, since it pushes users toward predictable variations, and favors changing a password when there is evidence it has been compromised; if your policy does require periodic rotation, pair it with the similarity and reuse checks below so that each rotation is a real change.

  • Updated passwords should meet minimum criteria for length and format. For example, a minimum of N characters, a mixture of upper- and lowercase characters, no strings of characters in common with the username, no runs of repeated characters, and at least one symbol. New passwords should also be screened against lists of commonly used and previously breached passwords.

  • When passwords are reset, minimum requirements should be defined for how much the new password must differ from previous ones – no single-character changes, no reuse of older passwords, etc.

  • Enforce security standards to protect passwords – do not store them in plaintext files or email, disallow written copies, and provide an approved password manager so that users are not driven to those shortcuts.
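The rules in the list above are easy to state and easy to get subtly wrong, so here is an added example (not from the article) of a password-change check that enforces all of them. The numeric limits (12 characters, at least 3 edits from the previous password, no 4-character run copied from the username, no more than 2 identical characters in a row) are assumed values; the article leaves them open. Password history is kept only as salted PBKDF2 hashes, so the history store itself never holds reusable secrets.

```python
import hashlib
import os
import re

# Policy parameters. The article leaves the exact values open; these are assumed.
MIN_LENGTH = 12
MIN_EDIT_DISTANCE = 3   # a change of fewer edits than this is "too similar"
USERNAME_FRAGMENT = 4   # reject any 4+ character run copied from the username
MAX_REPEAT = 2          # reject three or more identical characters in a row
SYMBOLS = set("!@#$%^&*()-_=+[]{};:'\",.<>?/\\|`~")
PBKDF2_ROUNDS = 100_000


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def hash_for_history(password: str, salt: bytes = None) -> tuple:
    """Salted PBKDF2 entry for the history store, so it never holds reusable plaintext."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def in_history(password: str, history) -> bool:
    return any(hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS) == digest
               for salt, digest in history)


def check_password_change(username: str, new: str, old: str = None, history=()) -> list:
    """Return the list of policy violations for a proposed password (empty = accepted).

    `old` is the current password the user typed to authorize the change. It is the
    only earlier password available in plaintext, so the similarity rule applies to
    it alone, while the reuse rule is checked against the hashed history.
    """
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (any(c.isupper() for c in new) and any(c.islower() for c in new)):
        problems.append("needs both upper- and lowercase letters")
    if not any(c in SYMBOLS for c in new):
        problems.append("needs at least one symbol")
    if re.search(r"(.)\1{%d,}" % MAX_REPEAT, new):
        problems.append(f"contains more than {MAX_REPEAT} identical characters in a row")
    low_user, low_new = username.lower(), new.lower()
    if any(low_user[i:i + USERNAME_FRAGMENT] in low_new
           for i in range(len(low_user) - USERNAME_FRAGMENT + 1)):
        problems.append("contains part of the username")
    if old is not None and levenshtein(old.lower(), new.lower()) < MIN_EDIT_DISTANCE:
        problems.append(f"differs from the previous password by fewer than {MIN_EDIT_DISTANCE} edits")
    if in_history(new, history):
        problems.append("reuses an earlier password")
    return problems


if __name__ == "__main__":
    # Constructed examples: a user named jturner changing their password.
    print(check_password_change("jturner", "Correct-Horse7"))
    print(check_password_change("jturner", "Correct-Horse8", old="Correct-Horse7"))
    print(check_password_change("jturner", "jturner2024!!!"))
```

The design point worth noticing is the split between the two history rules: a "must differ by more than one character" rule can only be applied to the password the user just proved they know, because everything older should exist only as a hash. Comparing case-insensitively closes the common trick of satisfying the rule by flipping capitalization.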

Both network credentials and the authorizations attached to them should be categorized by how frequently each user exercises them. A company should have a standard means of identifying and monitoring the activity of every user on the network, and that baseline should be sufficient for users who routinely access the same resources. However, some users access the network only rarely, and some frequent users only rarely need a particular resource within it. From a security perspective, those cases warrant an extra layer of authentication. Multifactor authentication (MFA) requires proof from more than one independent category of factor: something the user knows (a password), something the user has (a phone, hardware token or smart card), or something the user is (a biometric). In its most common form, a user logging on to the network or to a specific resource must supply, in addition to the password, a short-lived code that is generated by an authenticator app or hardware token, or delivered by email or text message. The reasoning is that an attacker who has stolen the password is unlikely to also control the second factor. Codes sent by SMS or email are the weakest option, since they can be intercepted or phished along with the password; authenticator apps and hardware security keys are preferable for sensitive resources.

One of the more common security failures comes from the fact that companies frequently do not change the default credentials for devices connected to a network – usually something like username=USER and password=PASSWORD, and printed in the vendor's manual for anyone to look up. This occurs with any device connected to the network but is most commonly found in devices with no direct user interface – printers, cameras, security sensors, monitoring equipment, and many types of production equipment. Each of these represents a security vulnerability. All default credentials should be changed to a unique, secure set of credentials upon installation, the device should be recorded in an inventory so that none is overlooked, and management interfaces that are not needed should be disabled.

It is important that a company expands the definition of users beyond the traditional human user to include software systems, both inside and outside of the company. When software systems interact with each other, the exchange of information should be viewed as though the calling system were another user interacting with a company resource. The same rules for creating, managing, and authenticating user credentials should be applied to these software systems: each system gets its own credential, scoped to the minimum it needs, with a defined lifetime, never shared between systems, and never hard-coded into source or configuration files that end up in a repository. These interfaces between systems are, after human error, among the most common paths for network security breaches. Actors penetrate one system and then use the interfaces between systems, and any over-privileged or shared credentials found there, to penetrate deeper into a company's network infrastructure.
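To make the "treat a calling system like a user" rule concrete, here is an added example (not from the article) of a minimal service credential: a short-lived token that names the calling system, is bound to the one service that may accept it, and carries only the specific permission being exercised. The token format is a simplified HMAC-signed structure of my own for illustration; in production you would use an established mechanism such as OAuth 2.0 client credentials with JWTs or mutual TLS, but the checks a verifier must perform are the same. The service names, scopes, timestamps and shared key are all constructed.

```python
import base64
import hashlib
import hmac
import json


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(key: bytes, body: str) -> str:
    return _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())


def issue_token(key: bytes, issuer: str, subject: str, audience: str,
                scope: str, now: int, ttl: int = 300) -> str:
    """Mint a short-lived, audience-bound, scoped credential for one calling system."""
    claims = {"iss": issuer, "sub": subject, "aud": audience,
              "scope": scope, "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return body + "." + _sign(key, body)


def verify_token(key: bytes, token: str, expected_audience: str,
                 required_scope: str, now: int) -> dict:
    """Return the claims if the token is acceptable for this service and this action.

    Order matters: the signature is checked before any claim is trusted; then the
    token must be meant for *this* service (aud), still valid (exp), and carry the
    specific permission being exercised (scope). Failing any check raises ValueError.
    """
    parts = token.split(".")
    if len(parts) != 2:
        raise ValueError("malformed token")
    body, sig = parts
    if not hmac.compare_digest(_sign(key, body), sig):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if claims.get("aud") != expected_audience:
        raise ValueError("token was issued for another service")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    if required_scope not in claims.get("scope", "").split():
        raise ValueError("scope not granted")
    return claims


# Constructed example: a scheduling system calling an inventory API.
# A real deployment keeps this key in a secrets store, never in code.
SHARED_KEY = b"constructed-demo-key-replace-with-vault-managed-secret"

if __name__ == "__main__":
    t = issue_token(SHARED_KEY, "auth-service", "svc-scheduler", "inventory-api",
                    "inventory:read", now=1_700_000_000)
    print(verify_token(SHARED_KEY, t, "inventory-api", "inventory:read", now=1_700_000_100)["sub"])
```

The audience check is the one that defeats the lateral movement the paragraph describes: a token stolen from the inventory API is useless at the HR system even though both trust the same issuer, and a read-only scope cannot be turned into a write. Because every token names its subject, the activity logs on each service show which system made each call, which restores the traceability that a shared "integration" account would destroy.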

Properly managing and protecting network credentials is a key element in all advanced cybersecurity implementations. The area within a network where these credentials are stored should have the highest level of security that is possible to implement – this information represents all of the keys an intruder needs to reach your business's most critical resources. Passwords in particular should never be stored in a recoverable form: store only a salted hash computed with a deliberately slow function (PBKDF2, bcrypt, scrypt or Argon2), so that a stolen credential database cannot simply be read. Service credentials and keys belong in a dedicated secrets store or vault with access logging. Additionally, access to this information should be restricted to as few individuals as possible, and every access should be recorded.

For more details on the concepts addressing network credentials and authentication, you may want to reference Section 3.5, Identification and Authentication, of NIST Special Publication SP 800-171.


For more on this topic, we invite you to explore the Building an Advanced Cybersecurity Plan article series.

Part 1: Engagement and Reinforcement

Part 2: Interaction Mapping

Part 3: Access Control

Part 4: Electronic Media Protection

Part 5: Identification and Authentication

Part 6: Activity Logging, Auditing, and Traceability

Part 7: Network Resource Configuration Management

Part 8: Communications, Network, and Database Security 

Part 9: Personnel and Infrastructure Security

Part 10: Maintenance and Incident Response

Part 11: Risk Assessment and Vulnerabilities Testing

Author
John Turner
Director of Technology for FA Consulting & Technology (FAC&T) and member of the MTConnect Institute.