Network Reliability and Interoperability Council
Focus Group 1B Cybersecurity
Dr. Bill Hancock, CISSP, CISM, Cable & Wireless, FG1B Chair
[email protected] 972-740-7347
(17 slides)


Page 1: Focus Group 1B Cybersecurity Dr. Bill Hancock, CISSP, CISM  Cable & Wireless FG1B Chair

Network Reliability and Interoperability Council

Focus Group 1B Cybersecurity

Dr. Bill Hancock, CISSP, CISM

Cable & Wireless

FG1B Chair

[email protected]

972-740-7347

Page 2

Purpose of Today’s Brief

• Brief discussion of work completed for NRIC by FG1B

• Brief discussion on blended attacks

• Request for approval of seven additional BPs since March, 2003

• Preparation for survey in 2004

• Recommendations for NRIC VII

Page 3

Charter of FG1B

• Generate Best Practices for cybersecurity
– Telecommunications sector
– Internet services

• Propose New Actions (if needed)

• Deliverables
– December 2002 – prevention (105 BPs)
– March 2003 – recovery (48 BPs)
– December 2003 – blended attack (7 BPs)

• Have made all deliverables, complete and on-time

Page 4

FG1B Members

Page 5

FG1B Outreach

• Extensive outreach in the last 12 months
– Most major telecommunications events
– Standards organizations
– Industry groups
– Congressional testimony
– Webinars
– Industry trade publications
– Writing (books, papers)
– Email and phone support to implementers

Page 6

[Diagram (Aberdeen Group): security landscape grouped into five areas: Policy, Audit and Security Management; Fraud & Risk Management; Application and Commerce Security; Network Security; Security Technologies. Parties shown around the e-Business information flow: Employees, Customers, Suppliers, Partners, Internet services. Elements shown: pattern matching, identification, authentication, authorization, content filtering, applications, forensics, access controls, data, e-directories, audit, digital signatures, avoidance, compliance, reliance, privacy, assurance, viruses, applets, e-Mail, web servers, intrusion detection, VPNs, PKI, risk assessment, cryptography, firewalls, worms, smart cards, biometrics, tokens, monitoring and reporting, RAS, spam.]

Page 7

BPs and Implementation Guidance

Number: 6-6-8008

Title: Network Architecture Isolation/Partitioning

Type: Preventative Best Practice

Description: Compartmentalization of technical assets is a basic isolation principle of security whereby contamination of or damage to one part of an overall asset chain does not disrupt or destroy other parts of the asset chain. Network Operators and Service Providers should give deliberate thought to, and document, an architecture plan that partitions and isolates network communities and information through the use of firewalls, DMZs or (virtual) private networks. In particular, where feasible, it is suggested that the user traffic networks, the network management infrastructure network, the customer transaction system networks and the enterprise communication/business operations networks be separated and partitioned from one another. Special care must be taken to assess OS, protocol and application vulnerabilities, and subsequently to harden and secure systems and applications which are located in DMZs or exposed to the open Internet.

Reference: ISF SB52, www.sans.org

Dependency:

Implementor: NO, SP

1300+ pages, 160 BPs
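BP 6-6-8008 asks for a documented plan that partitions the user-traffic, network-management, customer-transaction and enterprise networks from one another. One way to check an existing firewall rule set against such a plan, as an added example that is not from the NRIC deck or the BP text: the zone names, the one-line rule format, the list of permitted cross-zone flows and the sample rules are all constructed assumptions, and the check flags any allow rule that crosses zones outside the plan, any permitted cross-zone flow left open on all ports, and any rule naming a zone the plan does not know.

```python
"""Audit a firewall rule set against a network-partitioning plan.

Added example, not from the NRIC FG1B deck or BP 6-6-8008. The zone names,
the one-line rule format, the permitted cross-zone flows and the sample
rules are all constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Network communities BP 6-6-8008 suggests separating, plus a DMZ zone that
# fronts the customer transaction systems (names are assumptions).
ZONES = ("user_traffic", "net_mgmt", "cust_transaction", "enterprise", "dmz")

# Cross-zone flows the (constructed) architecture plan permits; any other
# allow rule between two different zones breaks the partitioning.
ALLOWED_CROSS_ZONE = {
    ("net_mgmt", "user_traffic"),       # management reaches managed devices
    ("net_mgmt", "cust_transaction"),
    ("net_mgmt", "enterprise"),
    ("net_mgmt", "dmz"),
    ("user_traffic", "dmz"),            # customers hit the DMZ front end only
    ("dmz", "cust_transaction"),        # DMZ front end talks to transaction systems
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    action: str        # "allow" or "deny"
    ports: str         # "any" or a comma-separated port list
    comment: str = ""


def parse_rules(text: str) -> List[Rule]:
    """Parse lines of the form: src_zone -> dst_zone allow|deny ports [# comment]."""
    rules = []
    for raw in text.splitlines():
        body, _, comment = raw.partition("#")
        fields = body.split()
        if not fields:
            continue                      # blank or comment-only line
        if len(fields) != 5 or fields[1] != "->" or fields[3] not in ("allow", "deny"):
            raise ValueError(f"malformed rule: {raw!r}")
        src, _, dst, action, ports = fields
        rules.append(Rule(src, dst, action, ports, comment.strip()))
    return rules


def find_violations(rules: List[Rule]) -> List[Tuple[Rule, str]]:
    """Return (rule, reason) for every rule that undermines the partitioning."""
    violations = []
    for r in rules:
        if r.src_zone not in ZONES or r.dst_zone not in ZONES:
            violations.append((r, "unknown zone"))
            continue
        if r.action != "allow" or r.src_zone == r.dst_zone:
            continue                      # denies and intra-zone traffic are fine
        pair = (r.src_zone, r.dst_zone)
        if pair not in ALLOWED_CROSS_ZONE:
            violations.append((r, "cross-zone flow not in architecture plan"))
        elif r.ports == "any":
            violations.append((r, "permitted cross-zone flow is unrestricted (any port)"))
    return violations


# Constructed sample rule set: two rules are deliberately over-permissive and
# one references a zone the plan does not know about.
SAMPLE_RULES = """\
net_mgmt -> user_traffic allow 22,161          # SSH/SNMP to managed devices
net_mgmt -> enterprise allow any               # management to business network, no port limit
user_traffic -> cust_transaction allow 443     # bypasses the DMZ front end
user_traffic -> dmz allow 443
dmz -> cust_transaction allow 8443
enterprise -> user_traffic deny any
lab -> enterprise allow 80                     # zone absent from the architecture plan
"""


def violation_reasons(text: str = SAMPLE_RULES) -> List[str]:
    """Convenience wrapper: reasons only, in rule order."""
    return [reason for _, reason in find_violations(parse_rules(text))]


if __name__ == "__main__":
    for rule, reason in find_violations(parse_rules(SAMPLE_RULES)):
        print(f"{rule.src_zone} -> {rule.dst_zone} {rule.action} {rule.ports}: {reason}")
```

Run against the constructed rules, the audit reports three findings: the management-to-enterprise rule is open on every port, the direct user-traffic-to-transaction rule skips the DMZ, and the `lab` rule names a zone the plan never documented. The permitted-flow set is the machine-readable form of the "architecture plan" the BP asks operators to write down; keeping it in version control beside the rule set makes drift visible at review time.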

Page 8

Blended Attack BPs

• Working with FG1A

• Base definition: physical attack combined with a cyber attack to disable infrastructure in a meaningful and intense manner

• Highly complex

• Many potential combinations

• Range from simple-to-do attacks to sophisticated variants

Page 9

Type A: Specific Targeting Against a Technology Type

• Definition: A coordinated attack against the physical and cyber attributes of a specific product or technology type

• Examples:
– Physical attack against an HVAC control system monitoring facility with a cyber attack against SNMP-managed HVAC entities at specific locations
– Certificate authority server farm physical locations are attacked to access consoles and then used to “poison” root keys via cyber attack to disable all PKI and crypto-sharing entities

Page 10

Type B: Specific Blended Attack Against Single Infrastructure Entity

• Definition: Blended attack against a specific infrastructure entity by attacking the physical management control locations and simultaneously attacking management or control “plane” cyber entities

• Examples:
– Power grid – grid management locations are physically disabled with munitions and grid management network disabled via cyberattack (router table attack, autonomous malicious logic, etc.)
– Telco NOC – NOC primary and backups attacked by physical attack and NOC management network and entities attacked by cyber attack
– Airport – multi-spectrum wireless jamming of emergency voice/data wireless communications while physically attacking airport communications blockhouse facilities or fiber junctions
– Manufacturing or process facility – main SCADA control facilities physically attacked and SCADA networks and interconnects suffer cyberattack to disable process control facilities throughout the network

Page 11

Type C: Multi-phased Sequenced Blended Attack Against Multiple Infrastructures

• Definition: A coordinated physical and cyber attack against two or more different infrastructure constructs causing dependency outages/disruption that are difficult to manage or recover from, causing grievous harm and economic disruption on a wide scale

• Examples:
– Power and Telco: physical attacks (phase 1) to cut 345KVA power lines coordinated with a cyber attack (phase 2), an ASN.1 vulnerability “worm” attack against Telco voice infrastructure
– Telco voice and Internet: physical attacks against main NOC and hosting locations combined with ASN.1 or similar cyberattacks against routers, switches and other interconnects to disrupt/disable separate voice and data networks simultaneously

Page 12

Stopping Blended Attacks is Like…

Page 13

Today’s Request: 7 New BPs

• Mostly geared towards attack situations

• Four for prevention
– 6-6-8107 Pre-establish working relationships between cyber and physical security teams
– 6-6-8108 Authentication System Failure
– 6-6-8109 Automated patching systems may be unauthenticated
– 6-6-8110 News Disinformation

• Three for recovery
– 6-6-8564 Authentication System Failure
– 6-6-8565 Automated patching systems may be unauthenticated
– 6-6-8566 News Disinformation

Page 14

2004 Survey Preparation

• FG1B or its NRIC VII equivalent will need to work extensively with the survey creation team

• Do not expect quick adoption of some cybersecurity BPs due to complexity and technology issues

• Security is a process with many solutions along the path…

Page 15

FG1B Recommendations for NRIC VII

• Most of these were provided in our March 2003 documentation
– Work for NRIC VII will need to include these items, some of which are long-term issues

• Establish a working relationship with DHS cybersecurity teams due to long-term “heavy lift” of some popular and extensively used technologies that require a lot of R&D and engineering work over the next few years

• New recommendations:
– “Clean and scrub” of all BPs from NRIC I-VII to consolidate BPs and repair conflicts
– Identify specific action plans for “heavy lift” efforts
– Work on evangelism of use of FG1B BPs throughout all areas of US Government and all network environments (many apply to any organization which uses network technologies)
– Accelerate efforts on blended attack BPs

Page 16

Ultimately, Security is All About…

Page 17

Network Reliability and Interoperability Council
Focus Group 1B Cybersecurity
Dr. Bill Hancock, CISSP, CISM
Cable & Wireless
FG1B Chair
[email protected]
972-740-7347