Featured Image

Building an Advanced Cybersecurity Plan: Personnel and Infrastructure Security

A key aspect of any advanced cybersecurity plan is oversight and management of company and supplier personnel to address events originating within a company – intentional or not. Find out what considerations should be made when implementing your plan.
Dec 07, 2022

While much of the focus when developing and deploying an advanced cybersecurity plan is concentrated on the technology aspects of the network, securing the physical network equipment and addressing those who have access to that equipment doesn’t get the same attention. In many ways, one can draw parallels between how a company secures its facility and who has access to the facility and the steps to secure access to your network equipment.

Network equipment should be housed in an access-controlled area. This should not be limited to servers and larger computing systems but extend to routers and other network access points distributed throughout a facility. Anyone intent on causing harm to a company or accessing proprietary company information can use these access points to penetrate the network. While larger companies may have a secure computer room where key pieces of equipment are housed, other companies may provide no, or limited, control over access to their network equipment. A broader issue is that few companies control access to routers and other access points distributed throughout the facility – especially in the manufacturing environment. As a minimum, this equipment should be housed in locked cabinets. Where possible, access should be monitored and alarmed. Additionally, logs should be maintained to validate who had accessed locations where network equipment is installed and when that access occurred.

Another topic to be addressed as part of an advanced cybersecurity plan is oversight and management of company and supplier personnel. A significant portion of cybersecurity events originate within a company – some unintentional and others intentional. Training, equipment controls, and other provisions of a company’s network security implementation address many of the unintentional events. The intentional ones are harder to address. Architecting network access controls appropriately can minimize a company’s exposure to an intentional internal “attack.” Activity monitoring can also provide a means to detect unusual activity. Beyond that, properly vetting personnel and management oversight are the only other reasonable means of protecting company assets for most companies.

Special scrutiny should apply to personnel with access to the network infrastructure – servers, routers, computer rooms, etc. A higher level of vetting and oversight should apply to these individuals. A determined individual can significantly damage a company’s infrastructure and intellectual assets. Management oversight should focus on trustworthiness, conduct, integrity, judgment, loyalty, reliability, and stability.

Special consideration should be given to disgruntled, transferred, or terminated personnel. While it is typically not acceptable to restrict or change a disgruntled individual’s access to network resources, careful and considerate management oversight would be most appropriate. For personnel who have been transferred to a new role/responsibility, it is important to reassess the individual’s network privileges and adjust network access privileges to only those required for the new role. Network privileges (usernames and passwords) should be immediately suspended for terminated personnel.

For more details on addressing personnel and infrastructure security relative to cybersecurity, you may want to reference Section 3.9 Personnel Security and Section 3.10 Physical Protection of NIST standard SP 800-171.

For more on this topic, we invite you to explore the Building an Advanced Cybersecurity Plan article series.

Part 1: Engagement and Reinforcement

Part 2: Interaction Mapping

Part 3: Access Control

Part 4: Electronic Media Protection

Part 5: Identification and Authentication

Part 6: Activity Logging, Auditing, and Traceability

Part 7: Network Resource Configuration Management

Part 8: Communications, Network, and Database Security

Part 9: Personnel and Infrastructure Security

Part 10: Maintenance and Incident Response

Part 11: Risk Assessment and Vulnerabilities Testing

John Turner
Director of Technology for FA Consulting & Technology (FAC&T) and member of the MTConnect Institute.
Recent technology News
Digital manufacturing uses operational data for more informed decision-making, which helps increase workflow efficiency. But a major challenge is the quality of data. Learn more about this crucial factor in digital manufacturing decision-making processes.
Art and engineering, Robot retires to do what it loves, Projects for standards in measurement, US air force offers am experience for students.
Digital manufacturing is company-specific strategy that uses data from manufacturing operations to support more informed decision-making and increase efficiency. Find out what goes into building a unique digital manufacturing strategy for your business.
KOVAL smartly deploys advanced monitoring technology in the service of creating a reliable, consistent (and delicious) product.
Any cybersecurity implementation involves a trade-off between a company’s tolerance for risk and the effort and costs associated with protecting the company’s resources and customers. Learn how to assess risk and test for vulnerabilities in your network.
Similar News
By AMT | Jun 01, 2023

Check in for the highlights, headlines, and hijinks that matter to manufacturing. These lean news items keep you updated on the latest developments.

4 min
By Stephen LaMarca | May 12, 2023

In April, Silicon Valley Robotics hosted its annual Robot Block Party in Oakland, California. The event served as a hub for robotics enthusiasts, hobbyists, and makers to showcase their projects and products. Think public school book fair – but for robots.

4 min
By Nina Anderson | May 23, 2023

Does a year-over-year percentage growth truly reflect industry change? Do increased robot installations in sectors with less robot density look the same in ones with more density? Derivatives help expose how total change is affected when variables change.

5 min