While much of the focus when developing and deploying an advanced cybersecurity plan is concentrated on the technology aspects of the network, securing the physical network equipment and addressing those who have access to that equipment doesn’t get the same attention. In many ways, one can draw parallels between how a company secures its facility and who has access to the facility and the steps to secure access to your network equipment.
Network equipment should be housed in an access-controlled area. This should not be limited to servers and larger computing systems but extend to routers and other network access points distributed throughout a facility. Anyone intent on causing harm to a company or accessing proprietary company information can use these access points to penetrate the network. While larger companies may have a secure computer room where key pieces of equipment are housed, other companies may provide no, or limited, control over access to their network equipment. A broader issue is that few companies control access to routers and other access points distributed throughout the facility – especially in the manufacturing environment. As a minimum, this equipment should be housed in locked cabinets. Where possible, access should be monitored and alarmed. Additionally, logs should be maintained to validate who had accessed locations where network equipment is installed and when that access occurred.
Another topic to be addressed as part of an advanced cybersecurity plan is oversight and management of company and supplier personnel. A significant portion of cybersecurity events originate within a company – some unintentional and others intentional. Training, equipment controls, and other provisions of a company’s network security implementation address many of the unintentional events. The intentional ones are harder to address. Architecting network access controls appropriately can minimize a company’s exposure to an intentional internal “attack.” Activity monitoring can also provide a means to detect unusual activity. Beyond that, properly vetting personnel and management oversight are the only other reasonable means of protecting company assets for most companies.
Special scrutiny should apply to personnel with access to the network infrastructure – servers, routers, computer rooms, etc. A higher level of vetting and oversight should apply to these individuals. A determined individual can significantly damage a company’s infrastructure and intellectual assets. Management oversight should focus on trustworthiness, conduct, integrity, judgment, loyalty, reliability, and stability.
Special consideration should be given to disgruntled, transferred, or terminated personnel. While it is typically not acceptable to restrict or change a disgruntled individual’s access to network resources, careful and considerate management oversight would be most appropriate. For personnel who have been transferred to a new role/responsibility, it is important to reassess the individual’s network privileges and adjust network access privileges to only those required for the new role. Network privileges (usernames and passwords) should be immediately suspended for terminated personnel.
For more details on addressing personnel and infrastructure security relative to cybersecurity, you may want to reference Section 3.9 Personnel Security and Section 3.10 Physical Protection of NIST standard SP 800-171.
For more on this topic, we invite you to explore the Building an Advanced Cybersecurity Plan article series.
Part 1: Engagement and Reinforcement
Part 2: Interaction Mapping
Part 3: Access Control
Part 4: Electronic Media Protection
Part 5: Identification and Authentication
Part 6: Activity Logging, Auditing, and Traceability
Part 7: Network Resource Configuration Management
Part 8: Communications, Network, and Database Security
Part 9: Personnel and Infrastructure Security
Part 10: Maintenance and Incident Response