nric vi report – part 1: homeland security -the council has assessed vulnerabilities in the public...

NRIC VI Report – Part 1: Homeland Security -The Council has assessed vulnerabilities in the public telecommunications networks and the Internet and determined how best to address those vulnerabilities.

- The Council has produced reports containing prevention and restoration best practices.

- The Council is also addressing actions that may be necessary to ensure that commercial telecommunications services networks can meet the special needs of public-safety emergency communications.

- The Council also developed Mutual Aid guidance for service providers and network operators to follow during a crisis.

Federal Communications CommissionNetwork Reliability and Interoperability Council VI

NRIC VI Report – Part 1: Homeland Security

Session Chair: Karl Rauscher, Network Reliability Office, Lucent Technologies Bell Laboratories

Jeffery Goldthorp, Chief, Network Technology Division, FCC NRIC DFO

William Hancock, Chief Security Officer, Exodus

Mike Roden, Executive Director, Cingular Wireless

Gordon Barber, General Manager, Network, BellSouth

Federal Communications Commission

Network Reliability and Interoperability Council VI

HHOMELANDOMELAND S SECURITYECURITY P PHYSICALHYSICAL S SECURITYECURITY (Focus Group 1A)(Focus Group 1A)

SUPERCOMMSUPERCOMMJune 2, 2003 - Atlanta, Georgia

KARL F. RAUSCHER Chair Homeland Security Physical Security Focus Group (1A)

Chair-Elect IEEE Technical Committee on Communications Quality & Reliability (CQR) Director Network Reliability, Lucent Technologies Bell Labs

Chair NRIC V Best Practices Subcommittee Founder Wireless Emergency Response Team (WERT)

Vice Chair ATIS Network Reliability Steering Committee (NRSC)Representative DHS National Coordinating Center (NCC) for Telecommunications, Telecom-ISAC

Federal Communications Commission

Network Reliability and Interoperability Council VI

04/21/23K. F. Rauscher

4

HOMELAND SECURITY PHYSICAL SECURITY

FOCUS GROUP 1A

Network Reliability and Interoperability Council

Focus Group MissionFocus Group MissionThe Focus Group will assess physical vulnerabilities in the public telecommunications networks and the Internet and determine how best to address those vulnerabilities to prevent disruptions that would otherwise result from terrorist activities, natural disasters, or similar types of occurrences.

The Focus Group will conduct a survey of current practices by wireless, wireline, satellite, and cable telecommunications and Internet services providers, network operators and equipment suppliers that address Homeland Defense.

By December 31, 2002 the Focus Group will issue a report identifying areas for attention and describing best practices, with checklists, that should be followed to prevent disruptions of public telecommunications services and the Internet from terrorist activities, natural disasters, or similar types of occurrences.

The Focus Group will report on current disaster recovery mechanisms, techniques, and best practices and develop any additional best practices, mechanisms, and techniques that are necessary, or desirable, to more effectively restore telecommunications services and Internet services from disruptions arising from terrorist activities, natural disasters, or similar types of occurrences.

The Focus Group will issue a report containing best practices recommendations, and recommended mechanisms and techniques (including checklists), for disaster recovery and service restoration. The Focus Group will issue this report within twelve (12) months of the first Council meeting.

The Focus Group will coordinate with the Homeland Security Cyber Security Focus Group (1B) to assure that vulnerabilities in the public telecommunications networks and the Internet are assessed, and to determine how best to address those vulnerabilities to prevent disruptions that would otherwise result from terrorist activities, natural disasters, or similar types of occurrences. The Focus Group will also coordinate with other Focus Groups, as appropriate.


5


FOCUS GROUP 1A


NRIC FGs

Stakeholders

Big Picture of Process FlowBig Picture of Process Flow

Focus Group 1AFocus Group 1AFocus Group 1AFocus Group 1A

VulnerabilitiesVulnerabilitiesVulnerabilitiesVulnerabilities

ThreatsThreatsThreatsThreats

Existing BPsExisting BPsExisting BPsExisting BPsP & R ReportsP & R ReportsP & R ReportsP & R Reports

RecommendationsRecommendationsRecommendationsRecommendations

CouncilCouncil

Areas for Attention

Checklists

Best Practices

Mechanisms

Techniques

SMEs $

Broader Industry

AssembleAssembleVulnerabilitiesVulnerabilities

AssembleAssembleThreatsThreats assess determine

conduct issue report develop

CoordinationCouncil Charter

Steering Committee

FCC

&

IndustryAssembleAssemble

BPsBPs

Survey

Council

Council

INP

UT

S

OU

TP

UT

S

SUPPORT

OVERSIGHT


6


FOCUS GROUP 1A


Team MembershipTeam Membership

Fred Tompkins

Virgil Long

Mike Kennedy

Cathy Purvis

Karl RauscherJim RunyonRick KrockTed LachAnil Macwan

Steven Warwick

Richard Biby

Steve McOwenChris MillerArt Reilly

Equipment & Software SuppliersService Providers & Network Operators

Ralph WhitlarkShawn CochranRalph WhitlarkShawn Cochran

P.J. AduskeviczRick CanadayFrank Maguire

P.J. AduskeviczRick CanadayFrank Maguire

Steve MichaleckiSteve Michalecki

Michael ClementsMichael Clements

Jayne McCulloughJayne McCulloughThomas Priore, Jr.

Daniel JenkinsDaniel Jenkins

Loye Manning

John Morovich

Percy Kimbrough

John Cholewa

Wayne ChilesDick CraftLiz GeddesRoger Kochman

Craig Swenson

David PorteDavid Porte

Government & Other Entities

Bill Klein

Perry Fergus Larry Stark

Hank Kluepfel

Chao-Ming LiuTom Soroka, Jr

Molly Schwarz Schwarz Consulting

George Caldwell IBSS

Al Woods New York Clearinghouse

Jennifer Meredith

Scott JonesEverett Dennison

Delgie JonesCraig McQuate

Eric GuerrinoJennifer DickersonHeather Wyson

Government & Other Entities

Service Providers & Network Operators

Rick Kemper

Ken Buckley Federal ReserveSystem

Eve Perris

Ed Bickel

Keith HopkinsBob Postovit

John L. Clarke III


7


FOCUS GROUP 1A


ScopeScope

• “Physical” Security in context of Homeland Security– Complement Cyber (FG 1B) to ensure 100% coverage– In context of Homeland Security:

• Reliability of Services• Security of Networks• Security of Enterprises

• Network Types – wireline, wireless, satellite, cable, and the Internet– circuit switched, packet switched and converged technologies

• Industry Roles – service providers, network operators, equipment suppliers

• Threat Sources– terrorist activities, natural disasters, or similar types of occurrences


8


FOCUS GROUP 1A


DefinitionsDefinitions

Vulnerability

A characteristic of any aspect of the communications infrastructure that renders it, or some portion of it, susceptible to damage or compromise.

Threat

Anything with the potential to damage or compromise the communications infrastructure or some portion of it


9


FOCUS GROUP 1A


HardwareHardware

SoftwareSoftware

EnvironmentEnvironment

PayloadPayload

NetworksNetworks PolicyPolicy

HumanHumanPowerPower

Communications InfrastructureCommunications Infrastructure

CCOMMUNICATIONSOMMUNICATIONS I INFRASTRUCTURENFRASTRUCTURE

Other InfrastructuresOther Infrastructures

TRANSPORTATIONTRANSPORTATION ENERGYENERGY

FINANCIALFINANCIAL

PUBLIC HEALTHPUBLIC HEALTH

LAW ENFORCEMENTLAW ENFORCEMENT


10


FOCUS GROUP 1A


Vulnerabilities – Threats - Best Practices FrameworkVulnerabilities – Threats - Best Practices Framework

Vu

lner

abil

itie

sV

uln

erab

ilit

ies

ThreatsThreats

EnvironmentEnvironmentaccessible

identifiable

physical damage

HardwareHardwarevibration / shock

temperature extremes

electromagnetic radiation

PolicyPolicyforeign national ownership

ele

ctro

ma

gn

etic

w

ea

po

ns

the

rma

l nu

cle

ar

wa

r

hija

ckin

g o

f a

n

etw

ork

X-111X-999

X-555

X-123X-789

Best PracticesBest Practices that

a) address VulnerabilitiesVulnerabilities

b) address ThreatsThreats

by preventing the exercise of vulnerabilities, and/or mitigating the impact should a vulnerability be exercised

X-222


11


FOCUS GROUP 1A


PowerPower

HardwareHardware

SoftwareSoftware


PayloadPayload



HardwareHardware

SoftwareSoftware


PayloadPayload


HumanHumanPowerPowerCCOMMUNICATIONSOMMUNICATIONS IINFRASTRUCTURENFRASTRUCTURE



FINANCIALFINANCIAL


LAW ENFORCEMENTLAW ENFORCEMENTPower – includes the internal power infrastructure, batteries, grounding, high voltage and other cabling, fuses, back-up emergency generators and fuel

Areas for Attention1. Internal Power Infrastructure Is Often Overlooked2. Rules Permitting Access to Internal Power Systems Increase Risk3 Priorities for Good Power Systems Management Compete with Environmental Concerns4 Power System Competencies Needs to Be Maintained

Example Best Practice (6-6-5207) Service Providers and Network Operators should take appropriate

precautions at critical installations to ensure that fuel supplies and alternate sources are available in the event of major disruptions in a geographic area (e.g., hurricane, earthquake, pipeline disruption).


12


FOCUS GROUP 1A


HardwareHardware

HardwareHardware

SoftwareSoftware


PayloadPayload



HardwareHardware

SoftwareSoftware


PayloadPayload





FINANCIALFINANCIAL


LAW ENFORCEMENTLAW ENFORCEMENTHardware – includes the hardware frames, electronics circuit packs and cards, metallic and fiber optic transmission cables and semiconductor chips

Areas for Attention1. Nuclear Attack 2. Hardness to Radiation 3. Solar Flares and Coronal Mass Ejection

Example Best Practice (6-6-5118)Equipment Suppliers of critical network elements should test electronic hardware to ensure its compliance with appropriate electromagnetic energy tolerance criteria for electromagnetic energy, shock, vibration, voltage spikes, and temperature.


13


FOCUS GROUP 1A


Leve

l of I

mpa

ct

Probability of Occurrence

HIGH

LOW HIGH

Spectrum of Threats to National Security & Emergency Preparedness

Civil Disorder

Earthquakes

Special OperationsTerrorism (includes Cyber)

Mobilization

Floods

TornadosHurricanes

Nuclear War

Cable CutPower Outage

Theater Cyber War

Strategic Cyber War

Conventional War

NCS


14


FOCUS GROUP 1A


ProgressProgress• Process Architecture

– aligned with mission– protects sensitive information

• Vulnerabilities Framework– systematic assessment– integrates information– enables quick access and focus

• Establish Vulnerability Task Teams – engage additional expert– more rigor

• Best Practices

NRIC FGs

Stakeholders

Big Picture of Process FlowBig Picture of Process Flow

Focus Group 1AFocus Group 1AFocus Group 1A

VulnerabilitiesVulnerabilitiesVulnerabilities

ThreatsThreatsThreats

Existing BPsExisting BPsExisting BPsP & R ReportsP & R ReportsP & R Reports

RecommendationsRecommendationsRecommendations

CouncilCouncil

Areas for Attention

Checklists

Best Practices

Mechanisms

Techniques

SMEs $

Broader Industry

AssembleAssembleVulnerabilitiesVulnerabilities

AssembleAssembleThreatsThreats assess determine

conduct issue report develop

CoordinationCouncil Charter

Steering Committee

FCC

&

IndustryAssembleAssembleBPsBPs

Survey

Council

Council

INP

UT

S

OU

TP

UT

S

SUPPORT

OVERSIGHT

Vulnerabilities Vulnerabilities –– Threats Threats -- Best Practices FrameworkBest Practices Framework

Vu

lner

abili

ties

Vu

lner

abili

ties

ThreatsThreats

EnvironmentEnvironmentaccessible

identifiable

physical damage

HardwareHardwarevibration / shock

temperature extremes

electromagnetic radiation

PolicyPolicyforeign national ownership

elec

trom

agne

tic

wea

pons

ther

mal

nuc

lear

w

ar

hija

ckin

g of

a

netw

ork

X-111X-999

X-555

X-123X-789

Best PracticesBest Practices that

a) address VulnerabilitiesVulnerabilities

b) address ThreatsThreats

by preventing the exercise of vulnerabilities, and/or mitigating the impact should a vulnerability be exercised

X-222

HardwareHardware

SoftwareSoftware


PayloadPayload

NetworksNetworks HardwareHardware


HardwareHardware

SoftwareSoftware


PayloadPayload

NetworksNetworks HardwareHardware


Communications InfrastructureCommunications Infrastructure

CCOMMUNICATIONSOMMUNICATIONS IINFRASTRUCTURENFRASTRUCTURE



FINANCIALFINANCIAL



Leve

l of I

mpa

ct

Probability of Occurrence

HIGH

LOW HIGH

Spectrum of Threats to National Security & Emergency Preparedness

Civil Disorder

Earthquakes

Special OperationsTerrorism (includes Cyber)

Mobilization

Floods

TornadosHurricanes

Nuclear War

Cable CutPower Outage

Theater Cyber War

Strategic Cyber War

Conventional War

NCS


15


FOCUS GROUP 1A


Results:Results: Summary Statistics Summary Statistics• 1 Report (Issue 2)• 10 Recommendations • 26 Areas for Attention• Best Practices

– 185 Prevention– 107 Restoration

• > 5,000 Participant-Hours in working meetings• Over 7 million possible Checklists (using 5 or less Keywords)

• Creation of an Integrated Vulnerabilities – Threats – Best Practices Framework • Systematic assessment of communications infrastructure vulnerabilities and

corresponding development of Prevention and Restoration Best Practices

Summary of Key AccomplishmentsSummary of Key Accomplishments

HH O M E L A N DO M E L A N D SS E C U R I T YE C U R I T Y PP H Y S I C A LH Y S I C A L SS E C U R I T YE C U R I T Y

( F o c u s G r o u p 1 A )( F o c u s G r o u p 1 A )

U p d a t e t o C o u n c i lU p d a t e t o C o u n c i l

M a r c h 1 4 , 2 0 0 3

K A R L F . R A U S C H E R C h a i r H o m e l a n d S e c u r i t y P h y s i c a l S e c u r i t y F o c u s G r o u p ( 1 A )

D i r e c t o r N e t w o r k R e l i a b i l i t y , L u c e n t T e c h n o l o g i e s B e l l L a b sC h a i r N R I C V B e s t P r a c t i c e s S u b c o m m i t t e e

V i c e C h a i r A T I S N e t w o r k R e l i a b i l i t y S t e e r i n g C o m m i t t e e ( N R S C )F o u n d e r W i r e l e s s E m e r g e n c y R e s p o n s e T e a m ( W E R T )

R e p r e s e n t a t i v e N a t i o n a l C o o r d i n a t i n g C e n t e r ( N C C ) f o r T e l e c o m m u n i c a t i o n sC h a i r - E l e c t I E E E T e c h n i c a l C o m m i t t e e o n C o m m u n i c a t i o n s Q u a l i t y & R e l i a b i l i t y ( C Q R )

F e d e r a l C o m m u n i c a t i o n s C o m m i s s i o n

N e t w o r k R e l i a b i l i t y a n d I n t e r o p e r a b i l i t y C o u n c i l V I

N e t w o r k R e l i a b i l i t y a n d I n t e r o p e r a b i l i t y C o u n c i l

HH O M E L A N DO M E L A N D SS E C U R I T YE C U R I T Y PP H Y S I C A LH Y S I C A L SS E C U R I T YE C U R I T Y

( F o c u s G r o u p 1 A )( F o c u s G r o u p 1 A )

U p d a t e t o C o u n c i lU p d a t e t o C o u n c i l

M a r c h 1 4 , 2 0 0 3

K A R L F . R A U S C H E R C h a i r H o m e l a n d S e c u r i t y P h y s i c a l S e c u r i t y F o c u s G r o u p ( 1 A )

D i r e c t o r N e t w o r k R e l i a b i l i t y , L u c e n t T e c h n o l o g i e s B e l l L a b sC h a i r N R I C V B e s t P r a c t i c e s S u b c o m m i t t e e

V i c e C h a i r A T I S N e t w o r k R e l i a b i l i t y S t e e r i n g C o m m i t t e e ( N R S C )F o u n d e r W i r e l e s s E m e r g e n c y R e s p o n s e T e a m ( W E R T )

R e p r e s e n t a t i v e N a t i o n a l C o o r d i n a t i n g C e n t e r ( N C C ) f o r T e l e c o m m u n i c a t i o n sC h a i r - E l e c t I E E E T e c h n i c a l C o m m i t t e e o n C o m m u n i c a t i o n s Q u a l i t y & R e l i a b i l i t y ( C Q R )

F e d e r a l C o m m u n i c a t i o n s C o m m i s s i o n

N e t w o r k R e l i a b i l i t y a n d I n t e r o p e r a b i l i t y C o u n c i l V I

N e t w o r k R e l i a b i l i t y a n d I n t e r o p e r a b i l i t y C o u n c i l

March 14 Presentation

March 7 Council Letter

March 14 Draft Report 120 pages

(www.nric.org)


16


FOCUS GROUP 1A


Best Practices Access via WebBest Practices Access via Web


17


FOCUS GROUP 1A


Best Practices in My CompanyBest Practices in My Company

Throughout LifecycleThroughout Lifecycle

PlanningPlanning

& Design& Design

Provisioning

& Installation

Operation & Administration

Repair &

Decommission

All ElementsAll Elements

HardwareHardware

SoftwareSoftware


PayloadPayload



HardwareHardware

SoftwareSoftware


PayloadPayload



V P V P V P

C E O

ThroughoutThroughoutOrganization Organization Functions & Functions &

LevelsLevels

Across Network Across Network TypesTypes


18


FOCUS GROUP 1A


1. Work Is Critical and Urgent. . . Successful completion of our mission is vital to national security

2. High Quality, On-Time Deliverables that Are Trustworthy and Thorough. . . Fulfill applicable Charter requirements and meet the needs of the Nation

3. Clear Objectives. . . For team, and individual participants and organizations

4. Leadership Will Pursue Consensus of Team. . . Also needs to set pace & guide fulfillment of charter

5. Follow a Scientific Approach, Not Merely Collect Subjective Opinions. . . Be objective and practice a disciplined methodology

6. Capture Every Good Idea. . . Welcome new and different perspectives for consideration

7. Respect for Individuals. . . Open and honest interactions

Guiding PrinciplesGuiding Principles


19


FOCUS GROUP 1A


Seven Principles in Developing Best PracticesSeven Principles in Developing Best Practices

1. “People Implement Best Practices"

2. Do not endorse commercial or specific "pay for" documents, products or services

3. Address classes of problems

4. Already implemented

5. Developed by industry consensus

6. Best Practices are verified by a broader set of industry members

7. Sufficient rigor and deliberation

NRIC Best Practices bring the industry’s best minds & experience together to provide guidance that

could not be achieved by companies on their own


20


FOCUS GROUP 1A


Implementing Best PracticesImplementing Best Practices

• Intended Use– Implementation is voluntary – Service Providers, Network Operators, and Equipment Suppliers are urged

to prioritize– Guidance on how best to protect the U.S. communications infrastructure – Decisions of whether or not to implement a specific Best Practice are left

with the responsible organization

• History of NRIC Best Practices– ATIS NRSC confirmation of effectiveness– Fifth Council Survey Results

• Risk to not implement the Best Practices• Not a high cost to implement the Best Practices • Best Practices are effective in preventing outages• Already a high level of implementation of the Best Practices


21


FOCUS GROUP 1A


Examples of Industry Cooperation SuccessExamples of Industry Cooperation Success

622

299

618

427470 555

364305

481

345

414422

326223

519510

362

411

287

458

246

249

401

376376

440

331

412

300301 286

346

553

675

439

0

100

200

300

400

500

600

700

800

Quarter

Ou

tag

e In

de

x

Red

Yellow

Green

ATIS Network Reliability Steering Committee (NRSC)– provides NTSB-like function– reports on health of networks– monitors trends

38

54

28 29

3938

43

525552

4746

3441

43

4448

5248

35

4447

444847

4042

45

4042

35

38

48

4140

15

25

35

45

55

65

Quarter

Nu

mb

er o

f O

uta

ges

RedYellow

Green

FCC Reportable Service Outages(by number of events)

FCC Reportable Service Outages(by outage index)

11

5

9

0 0 0

19

87

21

19

14

7

4

0 0

23

13

4

10

16 16

11

0

2

0

17

6

2

0 0

18

6 6

01

9

32

11

19

22

00

7

0

5

10

15

20

25

30

Inadequate/no

notif ication (dig-up)

Digging error Inaccurate cable locate

(dig-up)

Cable unlocated (dig-up) Other Shallow cable (dig-up)

Num

ber

of O

utag

e R

epor

ts2000

Baseline Years(1993 - 1999)

Figure 10: Number of Outage ReportsBy Cable Damage Root Cause Sub-Categories of Cable Dig-Up (DU) Facility Failures

180

35

88

0 0 0

7179

50 00

14

00 2 0

3227

0 0

143

53

65

0 2

83

31

18

0

249

4

29

130

56

195

46

86

11

146151

245

191

270

154143

101

00

50

100

150

200

250

300

Inadequate/nonotif ication (dig-up)

Digging error Inaccurate cable locate(dig-up)

Cable unlocated (dig-up)

Other Shallow cable (dig-up)

Agg

rega

ted

Out

age

Inde

x

2000

Baseline Years(1993 - 1999)

Figure 11: Annual Aggregated Outage Index ForCable Damage Root Cause Sub-Categories of Cable Dig-Up (DU) Facility Failures

www.atis.org, then “NRSC”

NTSB = National Transportation Safety Board


22


FOCUS GROUP 1A


NRIC VI-1A-NRIC VI-1A-0101 NRIC VI Physical Security Prevention Best Practices

NRIC VI-1A-NRIC VI-1A-0202 Chemical and Biological Agents in Air Handling Systems

NRIC VI-1A-NRIC VI-1A-0303 Voluntary National Background Checks

NRIC VI-1A-NRIC VI-1A-0404 Review Infrastructure-related Mergers and Acquisitions

Summary of 4 Council-Approved RecommendationsSummary of 4 Council-Approved Recommendations(December 2002)(December 2002)


23


FOCUS GROUP 1A


NRIC VI-1A-NRIC VI-1A-0505 NRIC VI Physical Security Restoration Best Practices

NRIC VI-1A-NRIC VI-1A-0606 & & 0707Role of the NCS/NCC and Telecom-ISAC in U.S. Homeland Security

NRIC VI-1A-NRIC VI-1A-0808 National Security and Emergency Preparedness Priority Services

NRIC VI-1A-NRIC VI-1A-0909NSTAC Policy for Emergency Response and Service Restoration

NRIC VI-1A-NRIC VI-1A-010010CEOs Leadership in Corporate Security Culture

Summary of 6 RecommendationsSummary of 6 Recommendations

(March 2003)(March 2003)


24


FOCUS GROUP 1A


Cost of SecurityCost of Security

Le

ve

l o

f S

ec

uri

tyL

eve

l o

f S

ec

uri

ty

LowLow

LowLow

HighHigh

HighHigh

National Security NeedNational Security Need

Market Place DemandMarket Place Demand

Security Gap• Need for Incentives• Government Support

Security GapSecurity Gap• Need for Incentives• Government Support


25


FOCUS GROUP 1A


Keyword AssociationsKeyword AssociationsNext StepsNext Steps

HardwareHardware

SoftwareSoftware


PayloadPayload



HardwareHardware

SoftwareSoftware


PayloadPayload





FINANCIALFINANCIAL



PHYSICAL

CYBER

HW

SW SW SW

HW HW HW

SW

SW

SW

SW

HW

HWHW

SW

HW

Blended AttacksBlended Attacks

Supplier OutsourcingSupplier Outsourcing

Industry SurveyIndustry SurveyTo

day

IndustryIndustry

OutreachOutreach

Report

Issue 3

www.nric.org


26


FOCUS GROUP 1A


• NRIC Best Practices provide unparalleled guidance for the communications industry for

– Network Reliability– Network Interoperability– Homeland Security

• When implemented, Best Practices are effective• Decisions for individual Best Practices implementation should be made by experts within each company

““Take Aways”Take Aways”

nric vi report – part 1: homeland security -the council has assessed vulnerabilities in the public...

Documents