security requirements for gci ii · gci are processed by the idc to detect, locate and analyse...


Post on 09-Aug-2020


Annex B

Terms of Reference

Security Review of the Global Communications Infrastructure


Table of Contents

1 Introduction
2 Background
2.1 Mandate of the Commission
2.2 The Global Communications Infrastructure (‘GCI’)
3 Objectives and Expected Results
4 Activities
5 Data Sources and Methodology
6 Deliverables and Acceptance Criteria
6.1 Deliverables
6.2 Acceptance Criteria
7 Venue And Timing
8 Venue
9 Commission Input
10 Minimum Requirements of the Contractor and Its Personnel


Acronyms

GCI: Global Communications Infrastructure
3DES: Triple Data Encryption Standard
IMS: International Monitoring System
IDC: International Data Centre
OSI: On-Site Inspection
Next GCI (GCI II): Next Generation of GCI
PTS: Provisional Technical Secretariat
MPLS: Multiprotocol Label Switching
CTBT: Comprehensive Nuclear-Test-Ban Treaty
BGAN: Broadband Global Area Network
VSAT: Very Small Aperture Terminal
NGCI: Next Generation GCI
QoS: Quality of Service
OSI Reference Model: Open Systems Interconnection Reference Model
IPSec: Internet Protocol Security
TCP/IP: Transport Control Protocol / Internet Protocol
WGB: Working Group B (PTS Technical Working Group)
ACL: Access Control List
NMS: Network Management System


1 Introduction

The Preparatory Commission for the Comprehensive Nuclear-Test-Ban Treaty Organisation (‘Commission’) is the international organisation established to carry out the effective implementation of the global verification system foreseen under the Comprehensive Nuclear-Test-Ban Treaty (CTBT), which is the Treaty banning any nuclear weapon test explosion or any other nuclear explosion. The Treaty provides for a global verification regime, including a network of 321 stations worldwide, a communications system, an International Data Centre and On-Site Inspections to monitor compliance.

The Headquarters and the International Data Centre (IDC) of the Preparatory Commission are in Vienna (Vienna International Centre of United Nations), Austria.

The purpose of this document is to describe the different tasks for the Review Exercise, which includes the GCI Encryption Standard, IPSec Deployment on GCI Links and the Security Controls within the GCI Security and Design Documents.

2 Background

2.1 Mandate of the Commission

The Commission is tasked with implementing a global verification regime that monitors compliance with the CTBT and that is provisionally operational before the CTBT enters into force. In particular, the Commission is responsible for the deployment of International Monitoring System Facilities, the establishment of the International Data Centre and the development of operational procedures for On-Site Inspections.

The IMS facilities search for, detect and provide evidence of possible nuclear explosions to States Parties Signatories for verification of compliance with the CTBT. The facilities consist of 321 monitoring stations and 16 radionuclide laboratories that monitor the earth for evidence of a nuclear explosion. These consist of seismic, hydroacoustic, radionuclide and infrasound monitoring technologies. (See Appendix B)

The IDC supports the States Signatories by providing objective data and products required for effective global verification. Data collected from the IMS facilities via the GCI are processed by the IDC to detect, locate and analyse seismo-acoustic and radionuclide events, and are transmitted to States Signatories for their feedback. Data and products are transmitted through the GCI or via the public Internet.


2.2 The Global Communications Infrastructure (‘GCI’)

The IDC collects data from IMS facilities, National Data Centres (NDCs) and other entities via the GCI, which consists of terrestrial and hybrid terrestrial and satellite network infrastructure (see Appendix B). The GCI transports measurement and application data from IMS facilities to the IDC and from the IDC to all States Signatories.

The first generation GCI (‘GCI-I’) was established in 1999 and expired on 3 September 2008. The Commission completed the migration to the Next Global Communications Infrastructure (‘Next GCI’ or ‘GCI-II’) at the end of June 2008 (see Figures 1 and 2). The GCI-II is currently fully operational.

3 Objectives and Expected Results

The overall objective of this assignment is to ensure that security controls adopted for GCI II meet the Commission’s security requirements as stated in the GCI II Terms of Reference (see Appendix C) and to ensure that security controls meet industry best practices [1]. The Commission is therefore seeking to ensure that the GCI II Security plan is fully adhered to, and that provisions within this plan conform to industry best practices.

The expected overall result of this assignment is to examine Security Implementation and Management on the GCI II to the Commission, and to make recommendations for improvement(s) going forward.

The expected specific results of this assignment are:

- A new or an improved Security policy established for operating GCI-II is based on best industry practices;
- Improved and fully documented procedures and processes for GCI II Security Management;
- Improved and fully documented Security Plan for GCI II;
- Improved and fully documented Security Design documents for the GCI II (see task 3);
- Efficient encryption standard adopted for the GCI II;
- IPSec deployment investigated on the GCI II, together with alternatives for satellite communications;

[1] Where an activity/task has been mentioned to meet industry “best practices”, the minimum baseline to be used is ISO/IEC 27001:2005 – the de facto International Standard on Information Security best practices.


4 Activities

In order to meet the objectives of this assignment, the activities to be performed by the Contractor relate to three tasks and include, but are not necessarily limited to, the following activities:

Task 1: Encryption Standard for GCI-II

- Review current use of cryptographic standards (algorithms) within the GCI-II and make recommendations on best practices, particularly in satellite networks with limited capacity. Consider actual or potential interactions, if any, between the cryptographic standards within the GCI-II and those used in the station sender equipment to digitally sign the IMS data.
- Investigate, compare and contrast performance of traffic on the GCI-II vis-a-vis using 3DES and AES algorithms. Assessment of these two algorithms should determine which is computationally more efficient and offers greater security. This should examine VPN throughput on Cisco firewalls/routers (mainly Cisco 1800 series) and Checkpoint software firewall hosted on a PC.

Task 2: IPSec Deployment on GCI-II

- Investigate deployment of IPSec on the GCI links and examine how the extra bytes added to each IP packet affect bandwidth allocation on the GCI;
- Review how IPSec has been implemented and suggest ways to deal with instability of tunnels at some sites;
- Review the interaction between tunnels and QoS mechanisms, and advise on best practices in implementing tunnels with QoS within and between tunnels. Compare advantages and disadvantages of IPSec and GRE when used over satellite links with limited capacity.
- Review the tunnelling policies in place and advise on industry best practices whilst achieving the requirements in Appendix C. Investigate practices of using a combination of IPSec/GRE tunnelling in some locations and IPSec alone in others.
- Investigate alternatives to IPSec for satellite communications networks. The study should evaluate other options with a view to identifying suitable candidates that offer lower bandwidth overhead for security deployment (e.g. fixed IPSec component on each IP packet).


Task 3: Review of GCI Security Design documents

- The Contractor shall review the security components of the Final Design Document (FDD) and associated security documents [2], which include, but are not limited to, the following:
  - GCI Security Plan
  - GCI Resource Access Procedures
  - GCI Systems Update Procedures
  - GCI Components and Controls Implementation
  - GCI Security Procedures
  - GCI Audit Procedures
- Update GCI security requirements (where necessary), review security policies pertinent to the GCI and provide recommendations for improvement.

The three tasks may be conducted in parallel and do not require one to be completed before starting the next.

5 Data Sources and Methodology

In performing the activities listed above, the Contractor shall draw, at a minimum, on the following data sources:

(a) The internal Commission materials and documents relevant to the GCI, copies of which will be provided to the Contractor for use exclusively as part of this project;

(b) GCI Security Design Documents will be provided to the Contractor for use exclusively as part of the project;

(c) Hard copy report on earlier consultancy work commissioned to look at the bandwidth capacity and data transmission on the GCI.

The choice of methodology to analyse, manipulate and present these data is left to the Contractor and will form an essential part of the evaluation of the technical proposal of the Contractor.

[2] These security documents are not released as part of the RFP for security reasons; the Contractor shall estimate seven (7) mandays for reading of these documents and making requests for clarifications once the contract is awarded.


6 Deliverables and Acceptance Criteria

6.1 Deliverables

The expected results of this assignment shall be delivered to the Commission as follows in both electronic and hardcopy format:

- A comprehensive written report presenting the detailed findings of the reviews/analyses and proposed recommendations undertaken by the Contractor in a separate chapter for each of the three Tasks; this report shall contain an executive summary not exceeding 2 pages and a summary of the conclusions and recommendations in the form of bullet points not exceeding 4 pages;
- Supporting graphical documents, attached to the Report or submitted separately, presenting and summarising the findings and recommendations of the Contractor separately for each Task in a graphical manner by way of technical drawings, flowcharts, organigrams, mind maps, concept maps, or similar; these documents shall be drawn up in such a way that readers can easily identify any proposed changes to the existing security design, processes and procedures;
- An oral presentation of the Report and the supporting graphical documents of approximately 45 minutes jointly for all three tasks to the Director of IDC on the basis of a PowerPoint presentation not to exceed 30 pages. This presentation shall be given prior to submission of the Final Report Draft, ensuring that any comments/input from the Commission may be incorporated into the Final Report. This may require a further visit to the Vienna premises by the Contractor.
- Optional: based on instructions and comments issued/made by the Director of IDC following the above-mentioned presentation, a further oral presentation of the Report and the supporting graphical documents of approximately 25 minutes jointly for all three tasks to the Members of Working Group B of the CTBTO on the basis of a separate PowerPoint presentation not to exceed 20 pages. This will require a further visit to the Vienna premises by one representative of the Contractor.

6.2 Acceptance Criteria

The Commission will accept any deliverables submitted by the Contractor as fully meeting the requirements of this assignment only if they are drawn up in accordance with the Contract, as instructed by the Commission, and in accordance with best industry practice.


7 Timing

The Contractor shall implement this assignment within three (3) months after the issuance of a commencement notice to the Contractor as follows:

A Kick-off meeting shall take place at the headquarters of the Commission in Vienna, Austria, within seven (7) working days after the issuance of the commencement notice. The purpose of this meeting is to arrive at a common understanding of the purpose and objective(s) of the Contract; to introduce the representatives of the parties to each other; to provide to the Contractor a brief overview of the strategic, operational and legal framework in which the Commission operates; and to agree on the practicalities for the implementation of the Contract.

In Phase 1, the Commission will provide the materials for activities mentioned in Section 4 above. The Commission will provide additional materials that may also become relevant during discussions with the Contractor. Materials supplied may be in soft or hard copies subject to the Commission’s rules on confidentiality and data protection. This data gathering phase shall last no longer than three weeks. By the end of these three weeks, the Contractor shall submit to the Information Security Manager a draft version of its initial assessment for review and comment.

In Phase 2, the Contractor shall commence the various investigations as outlined in Section 4 above. This phase shall last no longer than six weeks (or seven weeks including the optional data gathering exercise in Norway) from the first day of interviews. During that phase, the Commission will assist the Contractor in setting up interviews with the key stakeholders (PTS staff and GCI II Contractor) and the personnel of the Contractor. This phase shall commence upon a written notification by the Commission, which will include the name of suggested key stakeholders to be interviewed and a draft interview schedule. Interviews with the GCI contractor may be conducted via tele/video conferences where feasible.

Phase 3 shall be the final reporting phase. This phase shall commence immediately after the end of the previous stage and shall last no longer than three weeks.

At the end of the first two weeks of this Phase, the Contractor shall submit to the Information Security Manager a draft version of the Final Report for review and comment. Any comments shall be incorporated into the final version of this Report. The final version of this Report shall be submitted no later than one week after receipt of final comments.

The timings described for the different Phases are estimates, and shall be mutually reviewed (if necessary) during the project to ensure that appropriate timelines are realised during the three months envisaged for project completion.


8 Venue

The Commission expects the majority of the tasks in Phases 1 and 2 to be conducted on site at the premises of the Commission in Vienna, Austria. Phase 3 shall be implemented at the premises of the Contractor.

However, subject to a common assessment by the Commission and the Contractor whether better results of this assignment could be achieved with visit(s) to GCI site(s) and/or the headquarters of the GCI-II Contractor, the Commission reserves the right to request the Contractor to conduct some of the activities under this Contract at the GCI hub in Norway and/or a visit to the headquarters of the GCI-II Contractor in the USA.

9 Commission Input

For the performance of this assignment, the Commission will provide to the Contractor at its premises free of charge sufficient office space, PCs (MS Windows XP with internet connection and standard office software (MS Office 2007) installed), a reasonable amount of office consumables, access to the data mentioned above and access to GCI staff.

If the Commission exercises the option set out in Clause 8 above, a Commission representative will accompany the Contractor, and the Commission will organise and pay for the travel expenses (limited to restricted economy plane ticket, local transportation, accommodation, breakfast, 40% of UN-DSA rate) of the Contractor between Vienna and the GCI hub in Norway and/or the headquarters of the GCI Contractor in the USA.

All other resources are to be provided by the Contractor.

10 Minimum Requirements of the Contractor and Its Personnel

The Contractor shall meet or exceed the following qualifications:

- Proven track record of designing and implementing projects in relevant technical field(s), particularly in advising large governmental organisations and/or NGOs on information security issues;
- Proven track record of managing projects of a similar scope and complexity;
- Availability of sufficient resources to perform the Contract;
- Proven track record of applying project management and Quality Assurance (QA) measures/methodology;


The Contractor’s personnel assigned to this Contract shall meet or exceed the following qualifications:

- Experience in design and analysis of cryptographic algorithms;
- Experience in design and implementation of networks using Cisco devices;
- Experience in Security Management using ISO/IEC 27001:2005 and with a certification in CCIE and/or CISSP;
- Experience in networking and satellite communications (including VSATs); an understanding of tariff management will be an asset;
- Experience in OSI Reference Model, IPSec and TCP/IP, MPLS;


[Diagram "CTBTO Architecture" not reproduced. Labels in the diagram: Tunnel A; Private Tunnel; Private VPN; CTBTO Tunnel; BGAN CTBTO Tunnel; BGAN CTBTO VPN Tunnel; GAN CTBTO Tunnel; MPLS CTBTO Tunnel; CTBTO Aggregation Router Pair; CTBTO Router Pair; CTBTO Router Remote; DP PoP Router Pair; GAN Router Pair; CTBTO Vienna GCI Gateway Router Pair; NDC / ISN; MSS Teleport BGAN GGSN; MSS Teleport GAN ACSE; CTBTO FSS Teleport iDirect Hub; Santa Paula Teleport; Eik Teleport; Southbury Teleport; Nittedal Teleport; Adelaide Teleport.]

Figure 1: Next GCI Network Transport / Security


Figure 2: Next GCI IPSec and related traffic


Appendix A

Figure 3: Schematic Diagram of the Next GCI


Appendix B

[Map not reproduced. Legend: Seismic Primary Array; Seismic Primary 3-comp Station; Seismic Auxiliary Array; Seismic Auxiliary 3-comp Station; Hydroacoustic (hydrophone) Station; Hydroacoustic (T-phase) Station; Infrasound Station; Radionuclide Station; Radionuclide Lab.]

Figure 4: International Monitoring Station: 321 stations, 16 Radionuclide Laboratories


Appendix C

Security Requirements for GCI II

Item Number    Description

1    The Contractor shall implement security processes in accordance with the approved Security Plan.

2    The Contractor, with the approval of the Commission, shall specify who has access to which resources and shall define processes for action and audit.

3    The Contractor shall implement a real time detection system to detect viruses, worms, and intrusions. Intrusion includes direct Site to Site logical connections – all data must flow to/through the Vienna infrastructure.

4    The Contractor shall provide action plans and processes to identify and stop intruders and shall notify the Commission immediately.

5    The Contractor shall be responsible for the integrity of all data handled within the GCI and shall prevent unauthorised access into the GCI via any route through the implementation of firewalls, ACLs, Intrusion Detection System and other security controls.

6    The Contractor shall be responsible to ensure the ‘Separation’ of the Commission’s traffic from other potential subscribers of the Contractor’s network infrastructure. The Contractor shall demonstrate in its proposal how its proposed architecture will provide/ensure ‘Community Separation’.

7    The Contractor shall ensure all network devices shall be protected with the highest security controls possible to prevent unauthorised access to network devices.

8    The Contractor shall implement and maintain strict ACLs to limit management access to network devices in the GCI and to specific approved management systems.

9    The Contractor shall implement a password management policy detailing the processes and procedures around the life cycle of network devices and the Contractor’s NMS accounts and passwords: generation, strength, distribution, storage, use, validity period, revocation, etc.

10    The Contractor shall ensure that its NMS includes the security controls required to prevent unauthorised access to the NMS itself and its subordinate network devices. The NMS shall provide hierarchical privilege accounts to support the approved Security Plan.


11    The Contractor shall ensure that all accounts and passwords issued by the Commission, allowing access to the Commission’s ITS and NMS, are treated in strict confidence and used only for the purpose they are intended.

12    The Contractor shall harden all network devices where possible to allow only the service required for operational requirements.

13    The Contractor shall ensure no network device can be installed or replaced to allow unauthorised access to the GCI. The Contractor shall ensure all unused ports both physical and logical shall be disabled by default. Any request made by the Commission to access an unused port shall be handled with a configuration change request initiated by the Commission, and if access is only temporarily required this shall be disabled once the requirement has been satisfied.

14    The Contractor shall ensure security configuration is applied at all times to GCI equipment and is part of any configuration management or change control process to which the GCI is subject.

15    The Contractor shall log, investigate and notify the Commission of security events affecting the network devices related to the GCI.

16    The Contractor shall generate and submit to the Commission a monthly summary security report detailing at a minimum the following statistics:
      - All critical security events
      - All detection of viruses/worms
      - All intrusion detections
      - All unauthorised port/services requests
      - All password failures
      All events shall be verifiable.

17    The Contractor shall cooperate with any security audit/vulnerability assessment conducted by the Commission either using internal or external security experts. The Commission will make the report available to the Contractor.

18    The Contractor shall rectify all critical vulnerabilities discovered within 60 days of the report issue date.