Configuration management is the definition and deployment of a standard set of operating system versions, software packages, software/firmware versions, software/firmware updates and patches, security software, and network access tools – and the specific configuration of each. Configuration management should apply to all devices connected to the network – computers, servers, databases, routers, firewalls, mobile devices, and production equipment (otherwise known as “controlled devices”).
Configuration management should be included in any advanced cybersecurity plan for a couple of key reasons – (1) provides a uniform environment for deploying security updates and patches and (2) provides a standardized platform for monitoring network activity to identify potential security breaches or abnormal network activity. A common error in configuration management is defining one uniform implementation that includes the same security tools for all systems at all levels in the network architecture. The problem with this approach is that once an intruder can access one part of the network, they essentially have the key to access every system on the network. The network should be viewed as layers of functionality, and different security software and methodologies should be deployed at each level, effectively creating a series of different “locks” within the network. Additionally, the configuration of each device/type of device should be considered independently, applying the principle of “least functionality.” As part of the configuration management plan, unnecessary services or components (both logical and physical) should be disabled to prevent unauthorized connection, transfer of data, and tunneling. This includes programs, ports, protocols, and software/firmware services. Basically, enabling a device with more functionality than is necessary to perform its intended purpose can represent additional security risks.
Of all of the elements of a cybersecurity plan and deployment, configuration management is typically the area that presents the most conflict between IT professionals and their counterparts in manufacturing operations. Much of the equipment installed in manufacturing operations cannot support many of the components defined for configuration management. This is where effectively organizing and segmenting the OT network becomes imperative. Shop floor equipment that cannot support configuration management should be separated from the main network by a “controlled device.” A controlled device, most typically a computer or router, provides a location where configuration management policies can be deployed to protect the balance of the network from security risks associated with any downstream devices. Another method is to exclude certain devices in the configuration management policies. However, this approach is less effective since it requires continual management/updates and provides a less secure network environment.
As with all other aspects of an advanced security plan, configuration management rules and procedures need to be fully documented, formally reviewed, and enforced. All updates/enhancements need to be fully reviewed both for effectiveness and potential impact on all controlled devices on the network. These reviews should specifically address the security impact of all proposed configuration changes.
Configuration updates often require the controlled device to be restarted for the updates to be installed and become effective. Both the download of the updates and the event associated with the update being installed and becoming effective should be logged as a network event. These logs should be retained and reviewed as part of the regular monitoring of network activities.
For more details on concepts addressing network configuration management, you may want to reference Section 3.4 Configuration Management of NIST standard SP 800-171.
For more on this topic, we invite you to explore the Building an Advanced Cybersecurity Plan article series.
Part 1: Engagement and Reinforcement
Part 2: Interaction Mapping
Part 3: Access Control
Part 4: Electronic Media Protection