CAPABILITY ASSESSMENTS
AUGUST 17, 1995
In order to promote the principles of reliability and security in the NII, a Reliability and Vulnerability Working Group (RVWG) was formed as an inter-agency working group under the Telecommunications Policy Committee of the IITF. The RVWG was chartered to be the government's focal point in defining the attributes of reliability for the NII. To this end, it will identify threats, vulnerabilities, or other issues relevant to the reliability and survivability of NII services.
Among these actions is a comprehensive risk assessment, currently ongoing and led by NSA, that will address the vulnerabilities of major sectors of the NII (i.e., information distribution, education, energy distribution, entertainment, health care, financial, national security and emergency preparedness (NS/EP), and transportation). Additionally, the RVWG has developed a set of features and capabilities for the NII that are needed to ensure the reliability and security of information services under both normal and emergency conditions. These features and capabilities are published in an RVWG document, A Blueprint for Action, and are recommended for incorporation into the acquisition of new government information systems. The Blueprint document provides additional information that is available for use by the Administration, government agencies, and the private sector as a guide to assist in the design and use of networks, information services, and applications that satisfy the reliability and security requirements of the nation.
These assessments are highly subjective and are intended only to characterize the inherent diversity in the current technologies and highlight potential areas of concern. One observation is that the various technologies complement each other's strengths and weaknesses. For example, the broadcast dissemination of emergency information is a natural attribute of cable and other direct broadcast systems. Thus, the composite NII has this capability and it is not a serious concern that, for example, the PSN does not inherently provide broadcast capability. With this caveat on the use and interpretation of the assessments, the general guidelines that were followed were:
There are other systems and technologies, of course, that may be considered in the future. For example, electric utilities are developing a fiber infrastructure extending to households that can be used to manage billing, demand-side management, and energy efficient use of household systems and appliances. A number of articles in technical journals suggest that these infrastructures could provide telecommunications or other services and would be significant components of the NII. However, for purposes of assessing how well the currently evolving NII provides the capabilities and features for reliable and secure services, the following structure of elements of the NII has been adopted.
The rationale for the assessments in Table 1 is as follows:
Performance
The PSN has developed a high level of reliability and availability and provides the user a quality service. The availability of service on demand and the emphasis on the continuity of service under adverse conditions are valuable attributes of the PSN that the user has grown to expect. The companies that provide PSN services maintain an array of service monitoring and management techniques that continue to improve performance. These functions are supported by the collection and analysis of large amounts of data relating to network performance. The PSN presents the recognized benchmark for other segments of the telecommunications industry. These factors are selling points in the highly competitive telecommunications market. The other four categories do not exhibit comparable levels of capability. Generally, they do not fully exercise the ability to monitor their systems and collect and analyze data related to performance parameters. There are varying degrees of performance among the four categories but they do not reach the capability level of the PSN. Therefore, all four have been assessed as having medium capability.
The satellite industry exercises strict control over the information it transmits, and the user is allowed some screening control. Interactive communication via satellite that interfaces with the PSN is subject to the PSN capability. The PSN offers the user some screening capability through caller ID, code blocking, and other means. However, the PSN does not screen originating information; therefore, users must take action to reduce their vulnerability to unwanted information. Wireless users are more vulnerable, as caller ID is not available, though it may be technically possible. Wireless users can rely upon the PSN for some action against abusive behavior, and there are laws governing the PSN that support that action. The broadcast cable assessment is based on the capability of the industry to control what is transmitted to its users and the user's capability to block unwanted information. The capability for the user to screen unwanted information can be improved in all categories with greater granularity of choices.
The rationale for the assessments in Table 2 is as follows:
The elements of the national information infrastructure (NII) have no severe deficiencies in supporting assured quality services, and are expected to get stronger across the board as all the elements face growing competition and market demand for better reliability, ubiquity, and survivability. The public switched network (PSN), with its strong network management controls, network reconfiguration capabilities, and robust routing features, offers a high level of support for this requirement.
Satellites also offer a high level of support for this requirement, with their broad geographic coverage, redundancy, and alternate routing features. Satellites do, however, suffer from higher vulnerability due to ground station vulnerability to natural disasters or electronic attack.
Wireless, broadcast, and Internet networks all support this requirement moderately, with substantial positive features and less significant drawbacks. Wireless will supplement its broad coverage when global mobile satellite services (MSS) systems begin operating in the next few years. In addition, wireless systems share much of the PSN's robust operations, administration, management and provisioning (OAM&P) systems. However, except for MSS, wireless systems are significantly more vulnerable to natural disasters than the PSN.
Broadcast systems offer ubiquitous and survivable service, but have broadly variant reliability in different types of systems. The television and radio infrastructures, for example, use technology and architectures that have been stable for years. Cable systems, on the other hand, suffer from widespread reliability problems, though they are expected to become more reliable as they begin competing in the telephony market and implement more advanced broadband technologies.
Finally, the Internet offers good survivability (it was designed with that goal in mind) and ubiquity. But it, too, suffers from reliability problems, due to the same feature that makes it so survivable: its flexible routing capabilities, which allow the system to address congestion and out-of-service conditions. Since there is no assurance that data will be transmitted at or by a certain time, service suffers when congestion increases. While congestion problems only occur at peak times now, network traffic is growing substantially (currently at 6% per month).
Priority treatment is a feature that is being supported by the PSN and broadcast systems. It is currently being developed for wireless, is technically possible in the Internet, and is not significantly supported in satellite systems. The PSN offers the Government Emergency Telecommunications System to bypass congestion and provide enhanced call completion features, and can also configure virtual private networks to handle specific user traffic separate from general network traffic.
Wireless priority is currently a mix of formal and informal agreements between state and local governments and carriers, as well as on-the-scene arrangements between emergency response officials and carriers. In the near future, however, cellular carriers are expected to offer a federally approved nationwide priority access scheme. In addition, MSS systems are being designed with priority services, and the Priority Access and Channel Assignment standard has been approved for personal communications services (PCS) networks (though no service implementation plan has been established yet).
The Internet does not currently support priority treatment, but its data transmission protocols do support quality of service provisions that could be used for that purpose.
Broadcast networks have the ability to "ruthlessly" preempt non-PSN traffic for important transmissions -- terminating calls without warning -- a service that is against the law in PSN and wireless systems.
As mentioned earlier, PSN carriers have substantial network control capabilities, which also help them offer effective provisioning and restoration services. In addition, the Telecommunications Service Priority program identifies critical PSN and satellite circuits and allows them to be restored or brought into service first after a disaster.
Both wireless and broadcast networks offer moderate support for this requirement. Cellular carriers have demonstrated a willingness to help emergency responders, and have the ability to bring cell sites on wheels to disaster scenes or dynamically change cells' transmitting wattage. However, formal coordination is limited, except in high-risk areas. Broadcast networks can also meet this requirement on an ad hoc basis.
The Internet has the technical features to support this requirement, but suffers from its decentralized network control, which makes coordination among the multitude of network operators difficult.
The country's current emergency notification process was designed for broadcast systems, and its support of them is robust. In addition, cable systems have capabilities that allow system administrators to turn on televisions remotely and even set them to a certain channel and adjust the volume.
The satellite system benefits from the strong emergency broadcast features of direct broadcast satellite (DBS) systems, but suffers from a lack of similar capabilities in fixed systems. However, DBS systems are not good for local emergencies, as viewers rarely receive their local programming from DBS systems.
Wireless networks offer limited support for this requirement. MSS systems will offer broadcast services, while terrestrial-based wireless systems have features that could be used for such services, but are not.
The Internet offers some point-to-multipoint transmission capabilities, such as those used by list server services, that could be used to support this requirement. However, delivery cannot be guaranteed.
One of the Internet's strongest features is its ability to support a number of technologies and protocols. However, the other NII elements have interoperability limitations.
Broadcast cable systems use a similar architecture and therefore are largely interoperable with each other. Cable systems offering Internet access, however, have experienced connection and transmission problems. As broadcast networks implement broadband technologies, which are expected to be the same as those used to upgrade the PSN, interoperability should improve.
Fixed satellites offer robust support for this requirement, carrying a range of traffic from a range of sources. DBS systems, though, are proprietary and closed.
Wireless systems have not had significant interoperability problems in the past, since cellular systems all used the Advanced Mobile Phone Service protocol for analog transmissions. However, digital systems are expected to have some difficulty. Seven air interface standards are competing in the nascent PCS market. Additionally, in MSS systems, tests have shown that quality degrades significantly in transmissions using competing low-rate voice coders (which translate signals between the analog and digital domains). Wireless providers are counting on the need for all carriers to interconnect with the PSN to provide a common interface among different technologies.
The PSN has shown robust capabilities for connecting with a range of technologies and systems, with limitations that are expected to diminish as broadband technologies are incorporated.
Encryption is generally a feature implemented by the user; it is necessary that the network only support the user's encryption methods and carry the transmission intact. In that respect, the PSN, Internet, and satellite networks have demonstrated an ability to support a range of encryption techniques.
Analog cellular systems suffer because their channels have limited bandwidth, and have problems handing off encrypted calls between cells. Evolving wireless technologies, however, support commercial-grade encryption, and technical committees are working to improve wireless capabilities in this area.
Broadcast networks can carry scrambled programming, but their support for commercial or military encryption is uncertain.
The sustainable coordinating mechanism requirement comprises several capabilities, including an information-sharing function, an ongoing coordinating function, and a real-time attack-response function. The PSN has two formal organizations that support this requirement. The Network Security Information Exchange facilitates sharing incident data among carriers. The National Coordinating Center for Telecommunications (NCC) brings together PSN carriers, and a small number of wireless and satellite carriers, to facilitate effective response to emergency responders' communications needs. Though individual carriers have response functions in their network control centers, they have no formal forum for coordinated, real-time attack response.
The Internet's Computer Emergency Response Teams (CERT) offer real-time response capabilities and their activities are coordinated through the CERT Coordination Center. Those services are supplemented by the information-sharing activities of the Forum of Incident Response and Security Teams.
Broadcast operators have no formal forum to coordinate network activities, while wireless and satellite carriers' only capabilities in this area come from their limited involvement in the NCC.
Network security requires defenses against several types of disruptions, including electronic attack, physical attack, human error, and natural disaster. None of the NII elements could serve as a model for network security, though the PSN and satellite systems offer the greatest degree of support for this requirement.
The PSN benefits from extensive network monitoring features and redundancy, but carriers have weak intrusion detection and incident-handling systems, have been successfully attacked electronically, and do not have standards for protecting OAM&P systems. In addition, two other PSN trends threaten network security: carriers are allowing more direct access to network elements, in order to offer customer-definable services such as call forwarding; and software is becoming increasingly important to network operations, offering hackers opportunities to capture user information, monitor traffic, and remotely manipulate the network.
Satellite systems offer features to mitigate human error and are generally secure physically because of their Cold War importance. However, they have few control centers, are susceptible to electronic attack, and generally do not encrypt their command channels, making the systems vulnerable to hackers copying their commands and disrupting service.
The Internet's decentralized network control allows it to defend against natural disasters and physical attacks. However, decentralization also makes it difficult to protect against electronic intrusion and manipulation, since hackers can attack the weakest system and launch further efforts from there. That fault is exacerbated by inadequate intrusion detection systems. The Internet has tried to overcome these weaknesses with a number of fora focused on sharing information on network security and vulnerabilities and coordinating attack response. Commercialization of the Internet should bring better network security, since breaches will hurt carriers' and access providers' profitability. The growing use of firewalls is an example of this trend. On the other hand, commercial Internet carriers may implement more intelligent routers to support volume-based (rather than the current flat-rate) pricing. Without adequate protection, greater control and accounting capabilities in the network would bring greater vulnerability.
Wireless systems are susceptible to frequency jamming and physical attack. On the other hand, their networks feature many of the same protections as the PSN and have proven resilient in some natural disasters.
Broadcast systems have been focused primarily on preventing fraud rather than protecting their networks. Their defenses against the range of disruptions are minimal.
The rationale for the assessments shown in Table 3 will examine the threats faced by the networks which comprise the NII, evaluate their vulnerability to these threats, and identify shortfalls in the countermeasures currently employed.
For the purposes of this document, power outages will also be considered a natural disaster. Power outages are a byproduct of many natural disasters, although they may also result from overuse on hot days, automobile accidents, or other incidents.
The bombings at the World Trade Center in New York and the Federal Building in Oklahoma City demonstrate that such attacks are feasible. Such attacks have never targeted the communications infrastructure. However, alleged plans targeting the Holland and Lincoln Tunnels show that infrastructure targets are attractive to terrorists.
PSN. The PSN is reasonably resilient in the face of certain disasters. End users may find that their phone continues to work even though a local power outage leaves them without lights or heat. However, power outages in switching centers may also result in widespread outages. Above-ground lines commonly used to deliver service to the end-user are also vulnerable to natural phenomena (especially ice storms), resulting in localized outages.
Human error is an important source of disruption for the PSN. Accidental cable dig-ups remain a common source of outages, including a major outage on the East Coast. Software design errors have been identified as the cause of widespread network failures.
The PSN appears vulnerable to physical security attacks, such as car bombings or deliberate cable dig-ups. Switching centers represent an attractive target to persons wishing to disrupt the phone system. Cutting a trunk line could severely reduce network capacity, or cause widespread outages.
The PSN has proven vulnerable to electronic attacks. Phone hackers are increasingly sophisticated, well organized, and well financed. They have successfully attacked most categories of network elements and have used the PSN to attack networks connected to it. Phone hackers appear to be primarily interested in theft of service, but have shown an interest in the E-911 service and other emergency response services. They have also targeted the network information bases to disable accounting or enable other services.
Wireless. Wireless networks may be more resilient in natural disaster, but when failure occurs it will be catastrophic. A hurricane, tornado, or ice storm will not affect a wireless system unless the antenna array or tower itself is damaged. In that case, all service to that region will be disrupted.
Wireless networks are less vulnerable to human error than the PSN, since they are not subject to cable dig-ups. Wireless systems are vulnerable to software errors or mismanagement in the same ways as the PSN, though.
Wireless networks face a serious threat of physical attack upon the infrastructure, although this threat has not yet materialized. Wireless systems depend upon antenna arrays which constitute a single point of failure and appear vulnerable to car bombings and other related attacks. Wireless systems face a more immediate threat of physical attack upon the end system. Wireless systems place certain security-relevant information in the end system. The end system is rarely protected from physical security attacks. Theft of an end system or the security-relevant information stored in that end system will facilitate theft of service attacks or electronic intrusion.
Wireless networks are subjected to electronic intrusion, but the attacks primarily have targeted theft of service. The impact on reliability of wireless networks has been quite low. Wireless systems may be vulnerable to "jamming" of frequencies, but such attacks have not been documented.
Cable Television (CATV). CATV is more vulnerable to the threat of natural disaster than the PSN, since the typical cable feed does not supply power. Even if the cable system survives, a power outage will disrupt services.
CATV is vulnerable to the same procedural and software errors that plague other systems. Current uni-directional systems are fairly simple, so design errors appear to have had minimal impact to this date.
CATV physical security has not been emphasized. Amplifiers and distribution hubs are generally unprotected and the central distribution facility offers a single point of failure for most architectures. Physical security attacks against CATV installations have not materialized to this point, though.
CATV has not experienced an electronic intrusion threat (except theft of service attacks) due to the uni-directional nature of current CATV services. This threat is expected to materialize as CATV networks begin to support interactive services.
Satellite (Very Small Aperture Terminals (VSAT), C-band, Direct Broadcast Systems (DBS)). Satellite systems are more resilient in natural disaster. A hurricane, tornado, or ice storm will not affect a satellite-based system. However, satellite communications are vulnerable to less spectacular natural phenomena: thermal noise and rain fade. Thermal noise affects earth station receivers approximately two weeks a year; outages are predictable but not preventable. Rain fade can occur when signals pass through moisture in the atmosphere; satellite communications are more reliable in arid locales. Satellite systems are also susceptible to earth station power outages.
Satellite systems are vulnerable to the same procedural and software errors that plague other systems. These systems are highly complex, which increases the likelihood of software design errors.
Satellite systems are not especially vulnerable to physical threats. Killer satellites and large meteorites are the only threats to the satellites themselves. Base stations could be attacked to disrupt service causing localized outages, but the failure of a single base station should not affect overall system reliability. The sheer number of base stations should discourage attempting a coordinated attack against the infrastructure.
Current satellite-based systems require expensive end systems (terminals). These systems have not experienced substantial electronic intrusion threats due to the cost and scarcity of these terminals. As the next generation of satellite-based networks comes on-line, terminal costs should fall. This may increase the threat faced by satellite-based systems.
Internet. The Internet relies upon the PSN and leased lines to provide basic connectivity, but relies upon a system of redundant networks to maintain interconnectivity. As a result, failures within the PSN will not prevent communication between systems unless an outage is severe or local to one of the end-systems.
The Internet is not especially vulnerable to natural disaster. However, the Internet is dependent on local power for most equipment, so outages may indirectly result from storms.
The Internet is vulnerable to human error. A poorly written program, such as the Internet Worm[2], can cause the network to fail by using all of the available bandwidth. Administrative errors can generate error messages, reducing the available bandwidth.
The distributed nature of the Internet reduces its vulnerability to physical threats. Destruction of a single link router would result in heavy loading of remaining links, but most traffic would still be completed. A coordinated attack would be necessary to cause a network outage.
The vulnerability of the Internet to electronic intrusion is well documented. In one well-publicized incident, a major segment of the Internet was compromised and security-relevant information (user passwords) was obtained for users all over the country.[3] This was not an isolated attack, just a particularly successful one. While this attack did not directly affect reliability of the Internet, it facilitated a variety of attacks which could have adversely impacted reliability.
Technical controls are needed to:
Legal and regulatory policy must be established to:
Managerial institutions must:
The security provided by network protocols is inadequate. Basic protocols, such as SONET and ATM, are deployed without adequate security testing. Higher level protocols, such as those employed on the Internet, show a similar lack of foresight. Standards for future protocols must consider security as a critical feature.
Technology for monitoring and restoring networks is generally available for the NII. Such technology is widely used in the PSN, satellite systems, and cellular networks. The Internet also has such tools in place.
CATV networks are the notable exception. Technology for monitoring centrally distributed signals is well-understood but has not been deployed. (Many cable systems rely on the end-user to report outages.) Technology for monitoring signals from the end-user to the central office is not available for the most common CATV architectures.
The PSN, wireless networks, satellite systems, and Internet are designed to survive isolated or even regional failures and provide service to the remaining customer base. The central design of traditional CATV systems makes them more vulnerable. Emerging network architectures are introducing redundant paths that enhance the network's survivability.
Rapid reconfiguration and restoration after network failure is an important feature of the PSN and Internet. Satellite-based systems and wireless networks do not have a particularly rich infrastructure, but can reconfigure networks to eliminate failed earth stations.
Government policy should encourage development of highly reliable networks through directed procurement activities. This requires establishing and enforcing appropriate standards for network reliability. This would require cooperative efforts from numerous government agencies, including OMB, GSA, NIST, and NTIA.
The FCC currently requires the PSN vendors to report large-scale outages (30,000 or more users for more than 30 minutes). Outages in rural areas rarely meet these thresholds, and small CATV vendors may not have that number of subscribers. The reporting requirement should be extended to all NII network suppliers, and the number of users should be gradually reduced.
The Network Security Information Exchanges (NSIEs) and Forum of Incident Response and Security Teams (FIRST) facilitate the exchange of security-related information. The NSIEs focus upon the PSN but have expanded to include cellular providers as well. FIRST is focused upon computer networks such as the Internet and computer-related security problems. Since much of the PSN infrastructure is computer based, several PSN vendors participate in FIRST as well. Industry-specific groups perform this function for other industries. A government forum for exchange of security-related information will probably be established by NIST as a result of the rewrite of OMB A-130.
The exchange of security-related information should be encouraged. Mechanisms for reporting and disseminating this information should be formalized. Liaisons should be established between the various industry and government groups to ensure information is distributed to all appropriate communities.
The NII is not centrally managed or operated. As a result, no central contact point exists. In most cases, it is unclear where to report network failures or other security events. The NSIEs, FIRST, and government agencies should coordinate the establishment of a central reporting mechanism to accept and disseminate reports of network outages.