With the publication of the President's Cyberspace Policy Review: Assuring a Trusted and Resilient Information and Communications Infrastructure on May 29, 2009, the interdependency of public and private information infrastructures and the fragile security state of these infrastructures were highlighted. Satellite communications are a key element of several National Critical Infrastructures. The Federal Information Security Management Act of 2002 (FISMA) consists of Title III of the E-Government Act of 2002 (U.S. Public Law 107-347), which was enacted into law at the close of 2002. FISMA provides an assessment framework for the protection of government information assets against various threats. By assessing the criticality of the information transmitted and determining the protection capability of the provider's infrastructure, an educated risk acceptance decision can be made.
Critical infrastructures are the mainstay of modern life. Without electricity, telecommunications, water, and manufacturing supply chains, our world would be very different. In the 1950s, information technology was a novelty. By the late 1980s, it was a necessity, and the microprocessor changed control systems as we know them. What was once considered an optional status system became our primary monitoring infrastructure, and we became an information-technology-dependent country. Within that information infrastructure, satellite communications are used to transmit status information from remote sensors to centralized control infrastructures. In the Cyberspace Policy Review, the fragile nature of our critical infrastructures is presented. One of the recommendations in the Policy Review is the application of U.S. Government information security practices to the private sector. This article explores the implications of that recommendation for satellite communication services.
Mission Critical Infrastructure
Satellite communications systems are frequently used by organizations that demand rapid access to status information from remote, isolated locations. For example, pipeline operations that travel long distances over rugged terrain transmit status data to control systems at central operations facilities. In such cases, satellite communications play a key role in maintaining an organization's cash flow and operational continuity: without knowing the status of a pipeline, it becomes difficult to project an organization's ability to supply product to consuming subscribers.
Mission Critical Infrastructures should be part of the continuity of operations and disaster recovery programs of every major enterprise. In the most fundamental case, the determination of criticality is simple: will the organization's profit or operations be adversely impacted for a sizeable period of time? If so, an asset may be considered mission critical. Because of the role satellite communications plays in organizational communications, it would be difficult not to consider a satellite system mission critical.
How does an organization protect a mission critical infrastructure? The U.S. Government requires each Federal agency to conduct an annual review of its information security program, including the security posture of mission critical systems (U.S. Public Law 107-347). NIST Special Publication 800-37 provides a risk-based assessment technique that can be used to determine the security compliance of an organization's information technology systems. While a commercial entity is not a Government infrastructure, the critical nature of communications in any enterprise requires some degree of protection.
When thinking about security countermeasures, we often think of firewalls, intrusion protection systems, and encryption techniques as the only types of countermeasures that matter in a network-centric environment. In reality, there are three general categories of countermeasures that can protect critical information:
- Technical controls, provided through the use of technology
- Managerial controls, provided through the use of project management or governance
- Operational controls, provided in the course of daily processes and procedures
Systems management makes the determination of how to balance the use of technical controls against operational policies, processes, and procedures. For example, suppose there is a very expensive software solution to a particular security issue. It is also possible to address the issue with a low-cost paper policy that involves manually examining some set of system parameters on a regular basis. The question becomes one of resource allocation: is it less expensive to have a system administrator examine the data, or is it more cost effective to automate the process? Figure 1 illustrates the responsible balancing of management, technical, and operational controls in an information system.
As a subscriber to net-centric systems, it is the consumer's responsibility to perform security due diligence with its service providers. Assurances that our systems are secure should be reinforced with technical evidence upon request. If an operator cannot produce a policy describing what to do in the event of a security intrusion on the network, there is a high probability that the procedures required for responding to an intrusion do not exist.
The National Institute of Standards and Technology (NIST) describes compliance with the Federal Information Security Management Act (FISMA) as a risk-management-based approach to information security controls. Figure 2 above summarizes the FISMA compliance process as applied to an information system.
Again, the question comes down to categorizing the information processed by or transmitted through the system. If the information impacts the revenue or continuity of business operations, the risk of having the information fall into the wrong hands or not being accessible to the decision makers needs to be a consideration in designing the infrastructure that carries it. An informed decision that the risk level is acceptable should be documented and incorporated into the system design.
Risk Is A Continuous Function
The risk associated with operating an information system is much like the risk associated with everyday events. For example, a person may determine once that the risk of being run over crossing the street is minimal, but looking both ways is still necessary every time that person crosses the street. Such is also the case with information systems. Examining documentation once is not enough: any organization can generate a set of policy documents that say it is sufficiently secure. Annual audits and continuity of operations drills validate the policy in an operational setting. These techniques ensure that policy is incorporated into the people, processes, and tools that comprise the communications services offering.
Figure 3 below demonstrates the effects of the IA audits and drills.
For example, a communications system with 10 highly critical vulnerabilities may not actually be a high risk communications system. Vulnerable protocols may be disabled for general use and only accessible under emergency circumstances. If the protocols are not enabled, they do not impact the security posture of the system. Another example would be stating that the organization has an access control policy. The statement alone is not sufficient. The organization is required to produce the policy, as well as device configuration parameters that demonstrate its enforcement and audit log entries showing that exceptions to policy enforcement generate alerts.
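The two examples in the paragraph above can be put into a small check. The script below is an added illustration, not code from the article: it rates a device's effective risk by counting scanner findings only for protocols that are actually enabled, and then tests an access control policy the way the text demands, against the device configuration and the audit log, turning every out-of-policy login record into an alert. The device name, protocol names, vulnerability identifiers, network ranges and log lines are all constructed for the example and stand for nothing real.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

SEVERITY_WEIGHT = {"critical": 10, "high": 7, "medium": 4, "low": 1}


@dataclass
class Vulnerability:
    vuln_id: str    # constructed identifier for the example, not a real CVE
    protocol: str   # the service the flaw lives in
    severity: str


@dataclass
class DeviceConfig:
    name: str
    enabled_protocols: set[str]
    allowed_admin_sources: set[str]   # the access control policy as configured (CIDR)


def effective_risk(device: DeviceConfig, findings: list[Vulnerability]) -> dict:
    """Count a finding against the device only if its protocol is enabled.
    Findings in disabled protocols are reported as dormant and not scored."""
    exposed = [v for v in findings if v.protocol in device.enabled_protocols]
    dormant = [v for v in findings if v.protocol not in device.enabled_protocols]
    score = sum(SEVERITY_WEIGHT[v.severity] for v in exposed)
    if score >= 10:
        rating = "high"
    elif score >= 4:
        rating = "medium"
    elif score > 0:
        rating = "low"
    else:
        rating = "none"
    return {
        "exposed": [v.vuln_id for v in exposed],
        "dormant": [v.vuln_id for v in dormant],
        "score": score,
        "rating": rating,
    }


# Constructed audit record format: one event per line; only login events are parsed.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) dev=(?P<dev>\S+) event=login user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>success|failure)$"
)


def audit_exceptions(device: DeviceConfig, log_lines: list[str]) -> list[dict]:
    """Turn login records that fall outside the configured policy into alerts.
    A success from a disallowed source is a policy violation (the control did
    not hold); a failure from a disallowed source is a blocked attempt (the
    control held, but the exception is still alerted on)."""
    allowed = [ipaddress.ip_network(n) for n in device.allowed_admin_sources]
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m or m["dev"] != device.name:
            continue   # not a login record for this device
        src = ipaddress.ip_address(m["src"])
        if any(src in net for net in allowed):
            continue   # within policy, no exception to report
        kind = "policy_violation" if m["result"] == "success" else "blocked_attempt"
        alerts.append({"kind": kind, "ts": m["ts"], "user": m["user"], "src": m["src"]})
    return alerts


# Constructed sample data: one remote-site router, four scanner findings, four audit lines.
SAMPLE_DEVICE = DeviceConfig(
    name="rt-site-07",
    enabled_protocols={"ssh", "snmpv3"},
    allowed_admin_sources={"10.20.0.0/16"},
)
SAMPLE_FINDINGS = [
    Vulnerability("V-0001", "telnet", "critical"),
    Vulnerability("V-0002", "snmpv1", "critical"),
    Vulnerability("V-0003", "http", "high"),
    Vulnerability("V-0004", "ssh", "medium"),
]
SAMPLE_LOG = [
    "2009-06-01T10:02:11Z dev=rt-site-07 event=login user=ops1 src=10.20.0.5 result=success",
    "2009-06-01T10:05:43Z dev=rt-site-07 event=login user=ops1 src=198.51.100.23 result=success",
    "2009-06-01T10:06:02Z dev=rt-site-07 event=login user=admin src=203.0.113.9 result=failure",
    "2009-06-01T10:07:30Z dev=rt-site-07 event=config_change user=ops1 src=10.20.0.5",
]

if __name__ == "__main__":
    print(effective_risk(SAMPLE_DEVICE, SAMPLE_FINDINGS))
    for alert in audit_exceptions(SAMPLE_DEVICE, SAMPLE_LOG):
        print(alert)
```

Run against the constructed sample, the two critical findings sit in disabled protocols and are reported as dormant, so the device rates medium rather than high; the audit log yields one policy violation (a successful login from outside the permitted range) and one blocked attempt. The policy itself is only proven by the second half: the configuration shows what is permitted, and the alerts show that exceptions are noticed.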
Implications For Satellite Communications
To successfully address security controls with minimal effort, it is imperative that the supporting infrastructure be in place. To some extent, this infrastructure is common sense and may already exist, but it needs to be expanded to address the pervasive nature of information networks in today's economy. Organizations are frequently reluctant to pay for security services until a system compromise occurs.
FISMA guidance provides an enterprise a baseline set of direct and indirect capital costs that can be applied to allocate security investment. This investment can be allocated based upon system size, percentage of processing capacity, number of users, or any other cost basis. The significance is that security cost can be segregated, as illustrated in Table 1 (NIST, 2003B).
When costs can be allocated, it is easier to attribute the security expenditures to a given information system, or a given requirement that a system must fulfill. For example, if it is imperative that a given trading partner have connectivity to a corporate network, then the cost of all architecture components that provide isolation of that connectivity can be allocated. This would include the cost of firewalls, virtual private networks, intrusion detection sensors, spam filters, and any other architectural components deemed necessary to protect the corporate infrastructure.
The following sections along with Figure 4 describe the security implications for traditional data management disciplines in terms of the impact on existing tools, processes, and people.
There is a series of supporting subsystems that facilitate satellite communications security:
- Asset management: a single data repository must be in place that can track all hardware, software, and firmware assets of the program. The state of all devices within the network must be maintained in a known, secure state. The customer can request a site inventory for any site, at any time, and expect the service provider to produce an accurate inventory and connectivity diagram including device configurations, cabling, manufacturer, and model.
- Vulnerability remediation: vendors discover vulnerabilities in specific products on a regular basis and may release corrections to the product code base. Large, distributed networks require automated techniques for vulnerability scanning and patch management. This involves the use of a vulnerability scanner and a patch deployment tool. When used with an asset management system, it is possible to determine which devices and which sites may be vulnerable to a particular problem, and to establish an orderly plan for correction.
- Integrity monitoring: knowing who has modified a device, when it was modified, and what has been changed is a necessary part of defining the secure state of a system. Integrity monitoring software is available as a COTS product that can deliver an alert if the state of a device is modified by an unauthorized user.
- Audit correlation and analysis: all devices in a network capable of supporting an audit capability generate data. This data needs to be analyzed and correlated in real time to provide intrusion detection capabilities and allow for incident response.
- Standardization in configurations: a provider should define a standard device configuration. A standard device configuration enforces the concept of least privilege, removes unnecessary protocols, closes unneeded ports, and tightens the security posture of a device. It also facilitates troubleshooting, because each device has a clearly defined standard for normal operations.
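The list above describes the asset repository as the hub that the other subsystems draw on. The following script is an added example, not the article's or any provider's code, that models that relationship: a single inventory of devices keyed by site; a vendor advisory matched against model and firmware to produce the per-site correction plan the vulnerability remediation item calls for; an integrity check that hashes each device's collected configuration against the baseline recorded at acceptance and reports who made the last change and whether that account was authorized; and a comparison of enabled services against the provider's standard build. The sites, device and model names, firmware versions, advisory, configuration format, service list and account names are all constructed for the example.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass

# The provider's standard build (assumed for the example): the services a device
# may run, and the accounts authorized to change device configurations.
STANDARD_SERVICES = {"ssh", "snmpv3", "ntp"}
AUTHORIZED_CHANGERS = {"ops1", "ops2"}


@dataclass
class Asset:
    site: str
    name: str
    model: str
    firmware: str
    config: str             # running configuration as last collected from the device
    baseline_sha256: str    # hash recorded when the device was accepted into service
    last_change_by: str     # from the change-control record
    last_change_at: str


def config_hash(config: str) -> str:
    return hashlib.sha256(config.encode("utf-8")).hexdigest()


def enabled_services(config: str) -> set[str]:
    """Parse 'service <name> enable' lines from the constructed config format."""
    services = set()
    for line in config.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "service" and parts[2] == "enable":
            services.add(parts[1])
    return services


def _version(s: str) -> tuple[int, ...]:
    return tuple(int(p) for p in s.split("."))


def affected_by_advisory(inventory: list[Asset], advisory: dict) -> dict[str, list[str]]:
    """Match an advisory ({"id", "model", "fixed_in"}) against the inventory: every
    device of that model running firmware older than fixed_in is affected.
    Returns site -> device names, i.e. the per-site correction plan."""
    plan: dict[str, list[str]] = {}
    for a in inventory:
        if a.model == advisory["model"] and _version(a.firmware) < _version(advisory["fixed_in"]):
            plan.setdefault(a.site, []).append(a.name)
    return plan


def integrity_drift(inventory: list[Asset]) -> list[dict]:
    """Devices whose current configuration no longer hashes to the accepted baseline,
    with who/when from change control and whether that account was authorized."""
    return [
        {
            "device": a.name,
            "site": a.site,
            "changed_by": a.last_change_by,
            "changed_at": a.last_change_at,
            "authorized": a.last_change_by in AUTHORIZED_CHANGERS,
        }
        for a in inventory
        if config_hash(a.config) != a.baseline_sha256
    ]


def standard_deviations(inventory: list[Asset]) -> dict[str, list[str]]:
    """Devices running services that the standard build does not permit."""
    out = {}
    for a in inventory:
        extra = enabled_services(a.config) - STANDARD_SERVICES
        if extra:
            out[a.name] = sorted(extra)
    return out


# Constructed sample inventory: three sites, one device drifted from baseline.
STANDARD_CONFIG = "service ssh enable\nservice snmpv3 enable\nservice ntp enable\nservice telnet disable\n"
DRIFTED_CONFIG = STANDARD_CONFIG.replace("service telnet disable", "service telnet enable")
_BASE = config_hash(STANDARD_CONFIG)
SAMPLE_INVENTORY = [
    Asset("site-A", "rt-a-01", "SatRouter-2000", "3.1.2", STANDARD_CONFIG, _BASE, "ops1", "2009-05-02T08:00:00Z"),
    Asset("site-A", "mdm-a-01", "SatModem-X", "1.0.4", DRIFTED_CONFIG, _BASE, "contractor7", "2009-05-30T23:41:00Z"),
    Asset("site-B", "rt-b-01", "SatRouter-2000", "3.2.0", STANDARD_CONFIG, _BASE, "ops2", "2009-05-10T09:15:00Z"),
    Asset("site-C", "rt-c-01", "SatRouter-2000", "2.9.9", STANDARD_CONFIG, _BASE, "ops1", "2009-04-20T14:30:00Z"),
]
SAMPLE_ADVISORY = {"id": "ADV-EXAMPLE-001", "model": "SatRouter-2000", "fixed_in": "3.2.0"}

if __name__ == "__main__":
    print("correction plan:", affected_by_advisory(SAMPLE_INVENTORY, SAMPLE_ADVISORY))
    print("integrity drift:", integrity_drift(SAMPLE_INVENTORY))
    print("non-standard services:", standard_deviations(SAMPLE_INVENTORY))
```

On the constructed inventory the advisory maps to two routers at two sites (the site-B router already runs the fixed firmware), the modem at site-A is flagged because its configuration no longer matches the accepted baseline and the last recorded change came from an account outside the authorized set, and the same modem shows up as running a service the standard build forbids. Each answer is only as good as the inventory; a device missing from the repository is invisible to all three checks, which is why the text insists on a single accurate repository first.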
To address configuration management, incident response, vulnerability remediation, physical security, environmental security, media protection, and maintenance procedures, there should be defined, enforced processes for the provider's environment.
Configuration management is not the traditional data management function: it is the living, organic, operational configuration management of the devices. The network must be maintained in a known, secure state, with an accurate inventory of all devices, hardware, firmware, and software versions deployed at any given site and throughout the network. Procedures must be coordinated between field maintenance and operations to ensure that replacement of failed equipment is coordinated and accounted for in the asset database.
Beyond this function, the physical and environmental security controls associated with each site must be maintained to the specifications. When network gear is placed at a customer site, it is a reasonable assumption that the existing site's security procedures are sufficient. This includes maintenance laptops, USB drives, and all floppy disks, tapes, and hard drives associated with the equipment. Prior to disposal of hardware, all volatile and non-volatile memory must be erased to ensure that no sensitive information remains. This involves researching the devices with the vendors, defining the decommissioning procedures, and ensuring the procedures are followed.
Maintenance procedures and protocols must be defined and documented. These procedures ensure that the security of network and security management traffic is not compromised, and that new devices are appropriately and securely configured prior to deployment in the network.
This may include disabling ports, removing unnecessary services, or applying key management protocols as part of the device provisioning process. Documentation and enforcement are key elements of maintaining the system in a known, secure state.
Incident response processes prepare the operational management staff for the possibility that the security of the infrastructure may be compromised.
Distributed denial of service, viruses, Trojan horses, worms, and other malware could contaminate the network, corrupt data, and compromise the network infrastructure. Incident response procedures include maintenance of the network forensic evidence that is required for successful prosecution. These procedures also involve notification of the Security Incident Response Capability (SIRC) and coordination of a plan of action in the event a compromise does occur.
Vulnerability remediation is the countermeasure deployed to address potentially exploitable flaws in information systems. The vulnerability remediation process includes deployment of virus and intrusion detection signatures in the infrastructure as preventative measures as well as patch management processes. The vulnerability remediation processes define the least intrusive correction plan and ensure that the network infrastructure is minimally impacted by the correction. This includes regression testing to ensure that a patch has no adverse performance or latency impacts.
Contingency planning and management must be accommodated. The network will support a primary and backup control center. An annually exercised plan to activate and transition to the backup operational control facility is mandatory. Similar planning exercises must be documented to address the potential loss of sites.
Beyond processes and tools, personnel policies must also be addressed. Program specific security information must be communicated to all team members and maintained through a security awareness program. Program personnel must be made aware of the security responsibilities and obligations to maintain the infrastructure in a known, secure state at all times.
Personnel also play a significant role in the contingency management process. If key personnel must travel between primary and backup facilities, arrangements must be made before a natural disaster occurs so the team is pre-positioned. Identification of key personnel for the stay and away teams, and the teams' respective responsibilities, must be addressed well before the contingency management plan is activated.
A security compliance methodology is not flawless. Unless one has benchmarked a system's initial security posture, it is difficult to determine whether that security posture is improved or degraded by changes to the technical or operational controls. A subscriber needs to assess the criticality of the information transmitted and determine the protection capability of the provider's infrastructure. When these tasks are accomplished, the subscriber can make an educated risk acceptance decision as an informed consumer. Ignorance of network security is no excuse for data compromise in the paper world, and it should not be a convenient defense in a network-centric environment either.