Network Reliability and Interoperability Council VI Homeland Security

Focus Group 1A Physical Security

NETWORK RELIABILITY AND INTEROPERABILITY COUNCIL VI

HOMELAND SECURITY

PHYSICAL SECURITY

(FOCUS GROUP 1A)

FINAL REPORT

ISSUE 3, DECEMBER 2003


About This Document

Because of the urgency of its mission, Focus Group 1A reported its vital information to the communications industry as it became available.

·  Issue 1, Prevention Report. The first Issue contained material that focused on Prevention of service disruptions of public communications services and the Internet from terrorist activities, natural disasters, or similar types of occurrences.

·  Issue 2, Prevention and Restoration Report. This second Issue includes material that focuses on Restoration of services of public communications services and the Internet from terrorist activities, natural disasters, or similar types of occurrences. In addition, enhancements to material in Issue 1 have been incorporated.

·  Issue 3, Final Report. The third Issue includes additional Areas for Attention, Recommendations, and discussion of coordinated activities with Focus Group 1B (Cyber Security) on Blended Attacks.

Subsequent versions integrate the newer material with that of the previous issue, and thus make the earlier issues obsolete.


PREFACE

The pages of this document are devoted to technical and policy discussions of Security;

this page is devoted to the Homeland.

“Secure the Homeland”

The Homeland is a place where we value our communications infrastructure

because we value our communication.

The Homeland is a place where we value our communication

because we value our words.

The Homeland is a place where we value our words

because we value thoughts and beliefs.

The Homeland is a place where we value thoughts and beliefs

because we value each other.

The Homeland must be Secured.

KARL F. RAUSCHER

CHAIR, HOMELAND SECURITY PHYSICAL SECURITY FOCUS GROUP

DIRECTOR, NETWORK RELIABILITY OFFICE, LUCENT TECHNOLOGIES BELL LABS

Table of Contents

About This Document

Table of Contents

1 Executive Summary

Systematic Assessment of Infrastructure Vulnerabilities and Creation of an Integrated Vulnerabilities – Threats – Best Practices Framework [Sections 2 and 3]

Twelve Council Recommendations to the FCC and Industry [Section 3]

Thirty-Seven Areas for Attention [Section 3]

Prevention and Restoration Best Practices [Sections 4 and 5]

Coordination with Other Stakeholders

Next Steps

2 Introduction

2.1 Mission

2.2 Scope

2.2.1 Subject Matter - Defining “Physical” Security

2.2.2 Network Types

2.2.3 Industry Roles

2.2.4 Threat Sources

2.2.5 Deliverables

2.2.5.1 Areas for Attention

2.2.5.2 Checklists

2.2.5.3 Best Practices

2.2.5.4 Mechanisms and Techniques

2.2.6 Specified Actions

2.2.6.1 Assess Vulnerabilities

2.2.6.2 Determine the Best Methods

2.2.6.3 Conduct a Survey

2.2.6.4 Issue a Report

2.2.6.5 Report on Mechanisms, Techniques and Best Practices

2.2.6.6 Develop Best Practices, Mechanisms and Techniques

2.3 Participants

2.3.1 Industry Representation

2.3.2 Activities

2.3.3 Citizenship

2.4 Approach

2.4.1 Key Elements

2.4.2 Meeting Logistics

2.4.3 Guiding Principles for Members

2.5 Coordination with Other Stakeholders

2.6 Other Focus Groups

2.7 Non Disclosure Agreement

3 Vulnerability Assessment

3.1 Vulnerability Approach

3.1.1 Vulnerabilities and Threats

3.1.2 Definitions

3.1.3 Integrated Vulnerabilities – Threats – Best Practices Framework

3.1.4 Areas for Attention

3.2 Communications Infrastructure Vulnerabilities

3.2.1 Environment Vulnerabilities

3.2.1.1 Task Group Participants

3.2.1.2 Approach

3.2.1.3 Best Practice Coverage

3.2.1.4 Areas for Attention

3.2.1.5 Recommendations

3.2.2 Power Vulnerabilities

3.2.2.1 Task Group Participants

3.2.2.2 Approach

3.2.2.3 Best Practice Coverage

3.2.2.4 Areas for Attention

3.2.3 Hardware Vulnerabilities

3.2.3.1 Task Group Participants

3.2.3.2 Approach

3.2.3.3 Best Practice Coverage

3.2.3.4 Areas for Attention

3.2.4 Software Vulnerabilities

3.2.4.1 Task Group Participants

3.2.4.2 Approach

3.2.4.3 Best Practice Coverage

3.2.4.4 Areas for Attention

3.2.5 Network Vulnerabilities

3.2.5.1 Task Group Participants

3.2.5.2 Approach

3.2.5.3 Best Practice Coverage

3.2.5.4 Areas for Attention

3.2.6 Payload Vulnerabilities

3.2.6.1 Task Group Participants

3.2.6.2 Approach

3.2.6.3 Best Practice Coverage

3.2.6.4 Areas for Attention

3.2.7 Policy Vulnerabilities

3.2.7.1 Task Group Participants

3.2.7.2 Approach

3.2.7.3 Vulnerability and Best Practice Coverage

3.2.7.4 Areas for Attention

3.2.7.5 Recommendations

3.2.8 Human Vulnerabilities

3.2.8.1 Task Group Participants

3.2.8.2 Approach

3.2.8.3 Best Practice Coverage

3.2.8.4 Areas for Attention

3.2.8.5 Recommendations

3.3 Other Infrastructures

3.4 Blended Physical and Cyber Attacks

3.4.1 Approach

3.4.2 Key Findings

3.4.3 Recommendations

4 Prevention Best Practices

4.1 Overview of Best Practices

4.1.1 Homeland Security Best Practices

4.1.2 Best Practices and Previous Councils

4.2 Intended Use

4.3 Summary Statistics

4.3.1 Industry Roles

4.3.2 Network Types

4.3.3 Keywords

4.4 General, Previous Council and Historic References

4.5 Best Practices Expressions

4.5.1 Basic Form

4.5.2 Critical Communications Infrastructure Facilities

4.6 Numbering Format

5 Restoration Best Practices

5.1 Approach

5.2 Restoration Considerations for Elements of the Communications Infrastructure

5.2.1 Environment

5.2.2 Power

5.2.3 Hardware

5.2.4 Software

5.2.5 Networks

5.2.6 Payload

5.2.7 Policy

5.2.8 Human

6 Industry Implementation of Best Practices

7 Acknowledgements

APPENDIX A. Acronyms and Glossary

APPENDIX B. References

APPENDIX C. NRIC VI Council Charter

APPENDIX D. Best Practices Pertaining to Interaction or Coordination with Government

APPENDIX E. NRIC VI Physical Security Prevention Best Practices

APPENDIX F. NRIC VI Physical Security Restoration Best Practices

NRIC VI Physical Security Additional Best Practices

APPENDIX G. Industry Role & Network Type Matrix

APPENDIX H. Keyword Matrix

APPENDIX I. Letters from Focus Group Chair to Council Chairman (4)

November 27, 2002

March 5, 2003

September 9, 2003

November 6, 2003

1  Executive Summary

The emphasis of the Sixth Council was Homeland Security. The NRIC VI Homeland Security Physical Security Focus Group was charged with the mission to assess vulnerabilities of the communications infrastructure and determine how best to address those vulnerabilities to prevent, minimize, or restore from, disruptions that could result from terrorist activities, natural disasters, or similar types of occurrences.

The Physical Security Focus Group reports seven major accomplishments:

1. Systematic assessment of communications infrastructure vulnerabilities

2. Creation of an Integrated Vulnerabilities – Threats – Best Practices Framework

3. Formulation of 12 Recommendations approved by Council vote

4. Identification of 37 Areas for Attention

5. Development of ~200 Physical Security Prevention Best Practices[1]

6. Development of ~100 Physical Security Restoration Best Practices[2]

7. Coordination with other critical stakeholders throughout the process

The scope of this work includes all network types: wireline, wireless, satellite, cable, and the Internet. In the context of Homeland Security, Physical Security for the communications infrastructure includes three aspects: the reliability of services, the security of networks and the security of enterprises. [Section 2.2]

Systematic Assessment of Infrastructure Vulnerabilities and Creation of an Integrated Vulnerabilities – Threats – Best Practices Framework [Sections 2 and 3]

The communications industry may be surprised by the method of a particular future terrorist attack, but it should not be surprised about its vulnerabilities. The designers and builders of these systems and networks know their vulnerabilities. This report reviews the characteristics of each aspect of the communications infrastructure that are susceptibilities exercisable by attacks or stressed by natural disasters. By systematically addressing these vulnerabilities, the communications industry can directly prepare for any number of unknown threats attempting to exercise those vulnerabilities.

The systematic identification of the vulnerabilities within the communications infrastructure was an historic undertaking and accomplishment. Previous attempts to catalogue such vulnerabilities resulted in abbreviated lists of top concerns, but came far short of a comprehensive list.

The systematic vulnerability-based approach has fundamental distinctions from the traditional threat-based protection methods, and is vital for infrastructure protection in the post-September 11, 2001 world. As the airline industry had its “cockpit door” access vulnerability on that day, the communications industry must first identify and then effectively address all of its vulnerabilities. The systematic vulnerability-based approach is intended to be used in addition to the traditional threat-based approaches and is consistent with the President’s National Strategy for Homeland Security[3].

Twelve Council Recommendations to the FCC and Industry [Section 3]

The Council has approved twelve recommendations formulated by the Homeland Security Physical Security Focus Group. Each of the recommendations received strong support from the Council. The twelve recommendations are listed below; additional information for each recommendation is provided in the body of the report.

Homeland Security Physical Security Prevention Best Practices

RECOMMENDATION NRIC VI-1A-01

The Council recommends that the NRIC VI Physical Security Prevention Best Practices be implemented, as appropriate, by Service Providers, Network Operators and Equipment Suppliers, in order to promote the reliability, robustness, adequate capacity, security and sustainability of the public communications infrastructure throughout the United States during events or periods of exceptional stress and to prevent or minimize disruptions of public communications services and the Internet from terrorist activities, natural disasters, or similar types of occurrences.

(The NRIC VI Physical Security Prevention Best Practices are provided in Appendix E.)

Identify Air Handling Methods for Protection Against Chemical and Biological Agents

RECOMMENDATION NRIC VI-1A-02

The federal government should sponsor and fund a study to identify effective methods (e.g., electrostatic filters/precipitators) for protection against the introduction and dissemination of chemical and biological agents into critical facilities via air handling systems and air intakes. Results of such a study would support ongoing industry efforts to identify, compare, and implement effective mitigation strategies against emerging biological and chemical agent threats.

Voluntary National Background Checks for Personnel Accessing Critical Infrastructure

RECOMMENDATION NRIC VI-1A-03

The federal government should develop and fund a process to enable employers to voluntarily conduct national background checks (e.g., National Crime Information Center [NCIC]) on employees with access to areas of critical communications infrastructure.

Review of Infrastructure-Related Mergers and Acquisitions

RECOMMENDATION NRIC VI-1A-04

The federal government should continue existing processes to review all infrastructure-related mergers and acquisitions with particular attention to issues (e.g., foreign-owned infrastructure, foreign interests) that could potentially compromise communications services or have national security implications.

Homeland Security Physical Security Restoration Best Practices

RECOMMENDATION NRIC VI-1A-05

The Council recommends that the NRIC VI Physical Security Restoration Best Practices be implemented, as appropriate, by Service Providers, Network Operators and Equipment Suppliers, in order to promote the reliability, robustness, adequate capacity, security and sustainability of the public communications infrastructure throughout the United States during events or periods of exceptional stress and to more effectively restore from disruptions of public communications services and Internet services due to terrorist activities, natural disasters, or similar types of occurrences.

(A list of the NRIC VI Homeland Security Physical Security Restoration Best Practices is found in Appendix F. This list supplements the Homeland Security Physical Security Prevention Best Practices approved by the Council in December 2002.)

Role of the NCS/NCC and Telecom-ISAC in U.S. Homeland Security[4]

RECOMMENDATION NRIC VI-1A-06

The federal government should maintain National Coordinating Center for Telecommunications (NCC) and Telecom-ISAC (Information Sharing and Analysis Center) operations to support restoration efforts.

RECOMMENDATION NRIC VI-1A-07

The National Coordinating Center for Telecommunications (NCC) should be the focal point for sharing information (to include alerts and notifications) to and from relevant state and local authorities, and should implement an industry/government information sharing process to ensure that consistent and accurate information is provided from a centralized source.

National Security and Emergency Preparedness Priority Services

RECOMMENDATION NRIC VI-1A-08

The federal government should expand awareness of, and participation in, National Communications System (NCS)-administered priority services (i.e. GETS, WPS, SHARES, TSP, TESP).

Note: This recommendation has been merged with related recommendations from the Public Safety and Disaster Recovery and Mutual Aid Focus Groups by the Steering Committee for presentation to the Council:

The federal government should support an outreach program to expand awareness and use of NCS priority services including TSP, GETS, WPS, SHARES and TESP, by State and Local Organizations, including Public Safety entities, as well as applicable private sector organizations.

NSTAC Focus on Emergency Response and Service Restoration

RECOMMENDATION NRIC VI-1A-09

The National Security Telecommunications Advisory Committee (NSTAC) should review national policy implications for communications emergency response and service restoration, including new threats and evolving technologies.

CEOs Leadership in Corporate Security Culture

RECOMMENDATION NRIC VI-1A-10

The Chief Executive Officers of communication companies should reinforce or establish corporate cultures where all security procedures are consistently enforced and followed by all persons on company property at all times.

Additional Homeland Security Best Practices (addressing Blended Attacks)

RECOMMENDATION NRIC VI-1A-11

The Council recommends that the additional NRIC VI Physical Security Best Practices be implemented, as appropriate, by Service Providers, Network Operators and Equipment Suppliers, in order to promote the reliability, robustness, adequate capacity, security and sustainability of the public communications infrastructure throughout the United States during events or periods of exceptional stress and to more effectively restore from disruptions of public communications services and Internet services due to terrorist activities, natural disasters, or similar types of occurrences.

(The list of additional NRIC VI Homeland Security Physical Security Best Practices is appended to Appendix F. This list supplements the Homeland Security Physical Security Prevention and Restoration Best Practices approved by the Council in December 2002 and March 2003, respectively.)