Network Reliability and Interoperability Council VI Homeland Security

Focus Group 1A Physical Security

NETWORK RELIABILITY AND INTEROPERABILITY COUNCIL VI

HOMELAND SECURITY

PHYSICAL SECURITY

(FOCUS GROUP 1A)

FINAL REPORT

ISSUE 3, DECEMBER 2003


About This Document

Because of the urgency of its mission, Focus Group 1A reported its vital information to the communications industry as it became available.

  • Issue 1, Prevention Report. The first Issue contained material that focused on Prevention of service disruptions of public communications services and the Internet from terrorist activities, natural disasters, or similar types of occurrences.
  • Issue 2, Prevention and Restoration Report. This second Issue includes material that focuses on Restoration of services of public communications services and the Internet from terrorist activities, natural disasters, or similar types of occurrences. In addition, enhancements to material in Issue 1 have been incorporated.
  • Issue 3, Final Report. The third Issue includes additional Areas for Attention, Recommendations, and discussion of coordinated activities with Focus Group 1B (Cyber Security) on Blended Attacks.

Subsequent versions integrate the newer material with that of the previous issue, and thus make the earlier issues obsolete.

PREFACE

The pages of this document are devoted to technical and policy discussions of Security;

this page is devoted to the Homeland.

“Secure the Homeland”

The Homeland is a place where we value our communications infrastructure

because we value our communication.

The Homeland is a place where we value our communication

because we value our words.

The Homeland is a place where we value our words

because we value thoughts and beliefs.

The Homeland is a place where we value thoughts and beliefs

because we value each other.

The Homeland must be Secured.

KARL F. RAUSCHER

CHAIR, HOMELAND SECURITY PHYSICAL SECURITY FOCUS GROUP

DIRECTOR, NETWORK RELIABILITY OFFICE, LUCENT TECHNOLOGIES BELL LABS

Table of Contents

About This Document

Table of Contents

1 Executive Summary

Systematic Assessment of Infrastructure Vulnerabilities and Creation of an Integrated Vulnerabilities – Threats – Best Practices Framework [Sections 2 and 3]

Twelve Council Recommendations to the FCC and Industry [Section 3]

Thirty-Seven Areas for Attention [Section 3]

Prevention and Restoration Best Practices [Sections 4 and 5]

Coordination with Other Stakeholders

Next Steps

2 Introduction

2.1 Mission

2.2 Scope

2.2.1 Subject Matter - Defining “Physical” Security

2.2.2 Network Types

2.2.3 Industry Roles

2.2.4 Threat Sources

2.2.5 Deliverables

2.2.5.1 Areas for Attention

2.2.5.2 Checklists

2.2.5.3 Best Practices

2.2.5.4 Mechanisms and Techniques

2.2.6 Specified Actions

2.2.6.1 Assess Vulnerabilities

2.2.6.2 Determine the Best Methods

2.2.6.3 Conduct a Survey

2.2.6.4 Issue a Report

2.2.6.5 Report on Mechanisms, Techniques and Best Practices

2.2.6.6 Develop Best Practices, Mechanisms and Techniques

2.3 Participants

2.3.1 Industry Representation

2.3.2 Activities

2.3.3 Citizenship

2.4 Approach

2.4.1 Key Elements

2.4.2 Meeting Logistics

2.4.3 Guiding Principles for Members

2.5 Coordination with Other Stakeholders

2.6 Other Focus Groups

2.7 Non Disclosure Agreement

3 Vulnerability Assessment

3.1 Vulnerability Approach

3.1.1 Vulnerabilities and Threats

3.1.2 Definitions

3.1.3 Integrated Vulnerabilities – Threats – Best Practices Framework

3.1.4 Areas for Attention

3.2 Communications Infrastructure Vulnerabilities

3.2.1 Environment Vulnerabilities

3.2.1.1 Task Group Participants

3.2.1.2 Approach

3.2.1.3 Best Practice Coverage

3.2.1.4 Areas for Attention

3.2.1.5 Recommendations

3.2.2 Power Vulnerabilities

3.2.2.1 Task Group Participants

3.2.2.2 Approach

3.2.2.3 Best Practice Coverage

3.2.2.4 Areas for Attention

3.2.3 Hardware Vulnerabilities

3.2.3.1 Task Group Participants

3.2.3.2 Approach

3.2.3.3 Best Practice Coverage

3.2.3.4 Areas for Attention

3.2.4 Software Vulnerabilities

3.2.4.1 Task Group Participants

3.2.4.2 Approach

3.2.4.3 Best Practice Coverage

3.2.4.4 Areas for Attention

3.2.5 Network Vulnerabilities

3.2.5.1 Task Group Participants

3.2.5.2 Approach

3.2.5.3 Best Practice Coverage

3.2.5.4 Areas for Attention

3.2.6 Payload Vulnerabilities

3.2.6.1 Task Group Participants

3.2.6.2 Approach

3.2.6.3 Best Practice Coverage

3.2.6.4 Areas for Attention

3.2.7 Policy Vulnerabilities

3.2.7.1 Task Group Participants

3.2.7.2 Approach

3.2.7.3 Vulnerability and Best Practice Coverage

3.2.7.4 Areas for Attention

3.2.7.5 Recommendations

3.2.8 Human Vulnerabilities

3.2.8.1 Task Group Participants

3.2.8.2 Approach

3.2.8.3 Best Practice Coverage

3.2.8.4 Areas for Attention

3.2.8.5 Recommendations

3.3 Other Infrastructures

3.4 Blended Physical and Cyber Attacks

3.4.1 Approach

3.4.2 Key Findings

3.4.3 Recommendations

4 Prevention Best Practices

4.1 Overview of Best Practices

4.1.1 Homeland Security Best Practices

4.1.2 Best Practices and Previous Councils

4.2 Intended Use

4.3 Summary Statistics

4.3.1 Industry Roles

4.3.2 Network Types

4.3.3 Keywords

4.4 General, Previous Council and Historic References

4.5 Best Practices Expressions

4.5.1 Basic Form

4.5.2 Critical Communications Infrastructure Facilities

4.6 Numbering Format

5 Restoration Best Practices

5.1 Approach

5.2 Restoration Considerations for Elements of the Communications Infrastructure

5.2.1 Environment

5.2.2 Power

5.2.3 Hardware

5.2.4 Software

5.2.5 Networks

5.2.6 Payload

5.2.7 Policy

5.2.8 Human

6 Industry Implementation of Best Practices

7 Acknowledgements

APPENDIX A. Acronyms and Glossary

APPENDIX B. References

APPENDIX C. NRIC VI Council Charter

APPENDIX D. Best Practices Pertaining to Interaction or Coordination with Government

APPENDIX E. NRIC VI Physical Security Prevention Best Practices

APPENDIX F. NRIC VI Physical Security Restoration Best Practices

NRIC VI Physical Security Additional Best Practices

APPENDIX G. Industry Role & Network Type Matrix

APPENDIX H. Keyword Matrix

APPENDIX I. Letters from Focus Group Chair to Council Chairman (4)

November 27, 2002

March 5, 2003

September 9, 2003

November 6, 2003

1 Executive Summary

The emphasis of the Sixth Council was Homeland Security. The NRIC VI Homeland Security Physical Security Focus Group was charged with the mission to assess vulnerabilities of the communications infrastructure and determine how best to address those vulnerabilities to prevent, minimize, or restore from, disruptions that could result from terrorist activities, natural disasters, or similar types of occurrences.

The Physical Security Focus Group reports seven major accomplishments:

1. Systematic assessment of communications infrastructure vulnerabilities

2. Creation of an Integrated Vulnerabilities – Threats – Best Practices Framework

3. Formulation of 12 Recommendations approved by Council vote

4. Identification of 37 Areas for Attention

5. Development of ~200 Physical Security Prevention Best Practices[1]

6. Development of ~100 Physical Security Restoration Best Practices[2]

7. Coordination with other critical stakeholders throughout the process

The scope of this work includes all network types: wireline, wireless, satellite, cable, and the Internet. In the context of Homeland Security, Physical Security for the communications infrastructure includes three aspects: the reliability of services, the security of networks and the security of enterprises. [Section 2.2]

Systematic Assessment of Infrastructure Vulnerabilities and Creation of an Integrated Vulnerabilities – Threats – Best Practices Framework [Sections 2 and 3]

The communications industry may be surprised by the method of a particular future terrorist attack, but it should not be surprised about its vulnerabilities. The designers and builders of these systems and networks know their vulnerabilities. This report reviews the characteristics of each aspect of the communications infrastructure that are susceptibilities exercisable by attacks or stressed by natural disasters. By systematically addressing these vulnerabilities, the communications industry can directly prepare for any number of unknown threats attempting to exercise those vulnerabilities.

The systematic identification of the vulnerabilities within the communications infrastructure was an historic undertaking and accomplishment. Previous attempts to catalogue such vulnerabilities resulted in abbreviated lists of top concerns, but came far short of a comprehensive list.

The systematic vulnerability-based approach has fundamental distinctions from the traditional threat-based protection methods, and is vital for infrastructure protection in the post-September 11, 2001 world. As the airline industry had its “cockpit door” access vulnerability on that day, the communications industry must first identify and then effectively address all of its vulnerabilities. The systematic vulnerability-based approach is intended to be used in addition to the traditional threat-based approaches and is consistent with the President’s National Strategy for Homeland Security[3].

Twelve Council Recommendations to the FCC and Industry [Section 3]

The Council has approved twelve recommendations formulated by the Homeland Security Physical Security Focus Group. Each of the recommendations received strong support from the Council. The twelve recommendations are listed below; additional information for each recommendation is provided in the body of the report.

Homeland Security Physical Security Restoration Best Practices

RECOMMENDATION NRIC VI-1A-01

The Council recommends that the NRIC VI Physical Security Prevention Best Practices be implemented, as appropriate, by Service Providers, Network Operators and Equipment Suppliers, in order to promote the reliability, robustness, adequate capacity, security and sustainability of the public communications infrastructure throughout the United States during events or periods of exceptional stress and to prevent or minimize disruptions of public communications services and the Internet from terrorist activities, natural disasters, or similar types of occurrences.

(The NRIC VI Physical Security Prevention Best Practices are provided in Appendix E.)

Identify Air Handling Methods for Protection Against Chemical and Biological Agents

RECOMMENDATION NRIC VI-1A-02

The federal government should sponsor and fund a study to identify effective methods (e.g., electrostatic filters/precipitators) for protection against the introduction and dissemination of chemical and biological agents into critical facilities via air handling systems and air intakes. Results of such a study would support ongoing industry efforts to identify, compare, and implement effective mitigation strategies against emerging biological and chemical agent threats.

Voluntary National Background Checks for Personnel Accessing Critical Infrastructure

RECOMMENDATION NRIC VI-1A-03

The federal government should develop and fund a process to enable employers to voluntarily conduct national background checks (e.g., National Crime Information Center [NCIC]) on employees with access to areas of critical communications infrastructure.

Review of Infrastructure-Related Mergers and Acquisitions

RECOMMENDATION NRIC VI-1A-04

The federal government should continue existing processes to review all infrastructure-related mergers and acquisitions with particular attention to issues (e.g., foreign-owned infrastructure, foreign interests) that could potentially compromise communications services or have national security implications.

Homeland Security Physical Security Restoration Best Practices

RECOMMENDATION NRIC VI-1A-05

The Council recommends that the NRIC VI Physical Security Restoration Best Practices be implemented, as appropriate, by Service Providers, Network Operators and Equipment Suppliers, in order to promote the reliability, robustness, adequate capacity, security and sustainability of the public communications infrastructure throughout the United States during events or periods of exceptional stress and to more effectively restore from disruptions of public communications services and Internet services due to terrorist activities, natural disasters, or similar types of occurrences.

(A list of the NRIC VI Homeland Security Physical Security Restoration Best Practices is found in Appendix F. This list supplements the Homeland Security Physical Security Prevention Best Practices approved by the Council in December 2002.)

Role of the NCS/NCC and Telecom-ISAC in U.S. Homeland Security[4]

RECOMMENDATION NRIC VI-1A-06

The federal government should maintain National Coordinating Center for Telecommunications (NCC) and Telecom-ISAC (Information Sharing and Analysis Center) operations to support restoration efforts.

RECOMMENDATION NRIC VI-1A-07

The National Coordinating Center for Telecommunications (NCC) should be the focal point for sharing information (to include alerts and notifications) to and from relevant state and local authorities, and should implement an industry/government information sharing process to ensure that consistent and accurate information is provided from a centralized source.

National Security and Emergency Preparedness Priority Services

RECOMMENDATION NRIC VI-1A-08

The federal government should expand awareness of, and participation in, National Communications System (NCS)-administered priority services (i.e. GETS, WPS, SHARES, TSP, TESP).

Note: This recommendation has been merged with related recommendations from the Public Safety and Disaster Recovery and Mutual Aid Focus Groups by the Steering Committee for presentation to the Council:

The federal government should support an outreach program to expand awareness and use of NCS priority services including TSP, GETS, WPS, SHARES and TESP, by State and Local Organizations, including Public Safety entities, as well as applicable private sector organizations.

NSTAC Focus on Emergency Response and Service Restoration

RECOMMENDATION NRIC VI-1A-09

The National Security Telecommunications Advisory Committee (NSTAC) should review national policy implications for communications emergency response and service restoration, including new threats and evolving technologies.

CEOs Leadership in Corporate Security Culture

RECOMMENDATION NRIC VI-1A-10

The Chief Executive Officers of communication companies should reinforce or establish corporate cultures where all security procedures are consistently enforced and followed by all persons on company property at all times.

Additional Homeland Security Best Practices (addressing Blended Attacks)

RECOMMENDATION NRIC VI-1A-11

The Council recommends that the additional NRIC VI Physical Security Best Practices be implemented, as appropriate, by Service Providers, Network Operators and Equipment Suppliers, in order to promote the reliability, robustness, adequate capacity, security and sustainability of the public communications infrastructure throughout the United States during events or periods of exceptional stress and to more effectively restore from disruptions of public communications services and Internet services due to terrorist activities, natural disasters, or similar types of occurrences.

(The list of additional NRIC VI Homeland Security Physical Security Best Practices is appended to Appendix F. This list supplements the Homeland Security Physical Security Prevention and Restoration Best Practices approved by the Council in December 2002 and March 2003, respectively.)

Protecting Critical Infrastructure Information

RECOMMENDATION NRIC VI-1A-12

As a general practice, government entities should not aggregate sensitive information critical to the communications infrastructure. Exceptions should be limited to information needed to address specific concerns in support of federal Homeland or National Security objectives. Federal, state or local government requests for industry information should be handled in accordance with, and given the protections provided by, the Homeland Security Act of 2002, Section 214.

Protecting the Character of NRIC Best Practices

One additional recommendation was developed by the Focus Group concerning protecting the character of NRIC Best Practices. Specifically, the recommendation clarified the voluntary nature of the Best Practices. The recommendation was agreed to by the Steering Committee, but withheld from presentation to the Council for vote because it was unnecessary given:

  1. every time Best Practices are approved by the Council, their voluntary nature is affirmed
  2. the FCC Chairman confirmed the voluntary intent of the Best Practices in his comments during an NRIC VI Council meeting (see below)

The Focus Group agreed with the Steering Committee decision and presents its recommendation below, preceded with a brief introduction. More information is provided in Section 3.2.7.4.

NRIC has a ten-year history of developing effective Best Practices through this industry consensus process. This is confirmed year after year by the ATIS Network Reliability Steering Committee (NRSC) annual reports. The high regard given to NRIC’s Best Practices is encouraging and appropriate. However, there are increasing concerns that government entities may mandate the implementation of these Best Practices. Although, at the time of this writing, the Focus Group is not aware of any binding regulations along these lines, such actions are believed to be under consideration. During the NRIC VI September 15, 2003 Meeting, FCC Chairman Michael Powell addressed these concerns, stating:

“The diversity of our industry does not lend itself to the indiscriminate application of a monolithic set of Best Practices dictated from your regulator. Rather, NRIC Best Practices are most rapidly and most effectively applied by leaving specific implementation decisions to individual firms. When each company uses its own technical and operational judgment to determine where and when to deploy NRIC Best Practices, network reliability and security are improved, I believe, at least cost.”

The Chairman also emphasized the need for the industry to move forward with its initiatives in this area.

The communications industry has made substantial investment in developing over 750 Best Practices. The following Focus Group recommendation protects one of the industry’s most important tools in promoting network reliability, network interoperability, network security, and disaster recovery.

RECOMMENDATION NRIC VI-1A-13[5]

Federal, state and local government entities, when formulating policy, should take into consideration that NRIC Best Practices are developed as communications industry recommended guidance. As such, communications companies implement individual Best Practices when and where deemed appropriate. Individual corporations should maintain Best Practice-based processes and expertise dedicated to protecting and promoting the network reliability and security of their communications networks and systems.

The Focus Group recognizes the need for regulators to have some assurance that reasonable measures are being taken to protect the public’s Homeland Security interests associated with the communications infrastructure. The Focus Group supports the approach whereby individual companies voluntarily offer a statement to regulators as to their policy of implementing applicable Best Practices, which is preferred over any approach that forces implementation actions.

Thirty-Seven Areas for Attention [Section 3]

The Focus Group documents thirty-seven Areas for Attention in this Report. They are listed below, grouped per their infrastructure area. The body of the text provides further description of these items.

There are three Areas for Attention that span all vulnerability areas [Section 3.1.4]:

1. Vulnerability Assessment Needed

2. Maintain Integrated Vulnerabilities – Threats – Best Practices Framework

3. Security is Everyone’s Responsibility

ENVIRONMENT [Section 3.2.1]

1. Need for Periodic Re-Assessment

2. Any Environment Can Be Destroyed

3. Unique Circumstances Require Special Consideration

4. Overall Security Plan

5. Research Needed for Methodologies to Protect Air within Critical Facilities

POWER [Section 3.2.2]

1. Internal Power Infrastructure Is Often Overlooked

2. Rules Permitting Access to Internal Power Systems Increase Risk

3. Priorities for Good Power Systems Management Compete with Environmental Concerns

4. Power System Competencies Need to Be Maintained

HARDWARE [Section 3.2.3]

1. Nuclear Attack

2. Hardness to Radiation

3. Solar Flares and Coronal Mass Ejection

4. Control of Hardware Development

SOFTWARE [Section 3.2.4]

1. Physical Security of Software

2. Control of Software Development

NETWORKS [Section 3.2.5]

1. Network Redundancy and Diversity

2. Existing NRIC Best Practices Effectively Address Network Vulnerabilities

PAYLOAD [Section 3.2.6]

1. Physical Aspects of Securing Network Payload

POLICY [Section 3.2.7]

1. Inadvertent Negative Impact of Government Regulations

2. FCC Effects on Vulnerabilities and Best Practices

3. Preparing Telecommunications Service Priority (TSP) for Future Networks