A Primer on Network Security For Municipal and Public Utility Networks

Network security used to be something that network administrators worried about and that annoyed end-users. Originally, a simple anti-virus program was all you needed. With the Internet, this escalated to firewalls, to anti-phishing and spam filters, and finally to Intrusion Detection/Intrusion Prevention systems. Hardware, software, and operating system manufacturers are integrating security and encryption from the desktops through the switches and on to the servers. Security today goes well beyond simply protecting networks; it extends to protecting all networked infrastructure.

Network administrators, who are tasked with designing, installing, and operating network systems, typically don’t have the experience to implement appropriate security infrastructure. In many cases, they also don’t have the financial resources or management support for it. A lot of administrators simply rely on over-the-counter solutions without understanding the proper application or limitations of the products. Administrators also can’t keep up with the amount of data being provided by these applications to formulate appropriate responses. Management that assumes their internal network administrator is also a security expert may be putting unreasonable expectations on that person and putting their systems at risk.

High-profile security breaches, involving everything from stolen credit card numbers to national security breaches in our highest-security government computers, have awakened everyone to the fact that security needs to be addressed immediately. Many of the breaches are suspected to come from foreign government supported hackers, although criminal security attacks seem to be just as well funded and organized. After a series of security breaches that occurred at the State, Commerce, Defense, and Homeland Security departments, President Bush signed National Security Presidential Directive 54. Current estimates are that it will take a billion dollars or more to complete this mandate. In the United States alone, there were over 35 million data records breached in 2008.

Security is no longer limited to desktop computers. Laptops being used in airports, coffee shops, and even fast-food restaurants have created problems for security managers, not only in watching the data but also in the physical theft of the laptops themselves. Even cell phones and PDAs handle more than just contact data, which is valuable in itself; they also carry email and other critical text information. The camera functions are also a security issue if someone hacks the phone and is not only listening but also watching events such as meetings, high-security environments, or critical infrastructure locations. Simply using a fax machine or an Internet connection in a hotel in a foreign country could mean that your data is in the hands of your competitors or unfriendly governments in seconds, not to mention anything you may have said out loud in your hotel room during a phone conversation. China alone has stolen more data than what is contained in the Library of Congress. However, even friendly countries are involved in military and industrial data gathering.

What types of data are most valuable? With governments, it’s usually R&D for military, technological, and economic advantages. With private companies, it’s usually R&D for technology, but also for marketing reasons. In cases of critical technologies or economic positions, governments and companies work closely together. China and Japan have both shown how to apply that in different markets. The value of military and technology secrets that allow companies to circumvent the normal R&D channels runs into the billions of dollars every year. Even at that, the actual value is probably much higher because many of the breaches never become public. Even something as simple as Paris Hilton’s phone records from her cell phone has value to somebody.

In the private sector, credit card numbers can be worth as little as a dollar or as much as $16.50 (the going rate for an Amex Gold in bulk for credit card thieves). However, one of those cards could generate millions or more in losses to the credit card companies. Fortunately, one of the biggest players in that game, Max Ray Butler, was arrested last year, and several more arrests this year have taken down two of the biggest known credit card swapping sites. In 2008, there was a 47% increase in the number of known data breaches, with the majority of that in the business sector.

Security problems in the public safety and critical infrastructure sectors are also a huge concern.  Control systems for nuclear power plants, electrical distribution facilities, gas, oil, and water SCADA systems, and waste treatment infrastructures are all susceptible to security breaches.  Nuclear power plants are better protected than the drinking water systems, but hackers could easily do millions of dollars or more of damage by doing nothing more than running pumps that could cause overflows or storage failures.  A 7 million gallon flood from a water tank at the top of a hill could easily damage tens or hundreds of homes at the bottom and endanger many lives.  Older SCADA systems that run pumps, wells, and treatment plants are in many cases 20-30 years old and were never designed with security in mind.

The Internet itself had a serious bug that has, for the most part, been repaired. Last year, Dan Kaminsky announced a fundamental flaw in the DNS structure itself that allowed him to redirect the DNS servers anywhere he wanted, which meant the users went where he wanted them to go. It took the efforts of many companies to patch this flaw before hackers could exploit it. If hackers had found this bug first, the damage would have been incalculable. However, there is the expectation that other security failures are yet to be discovered.

If you are responsible for network security within your company, either from a management or administrative position, realize that nobody in an organization can do it alone. It takes cooperation at every level to provide a secure environment. Management needs to realize that not every IT administrator is a security expert. Although additional training will definitely help, nobody is an expert at everything. Management should provide administrators the tools or resources they need to bring experts to bear on the problem. That part may be difficult for some network administrators to admit, but that is where managers have to step up and push to understand their level of competency. Experts in data encryption, firewalls, hacking, and internal data auditing can help administrators monitor data at every level. They can also assist with policy development.

Realize that having a network administrator responsible for security and then having a purchasing manager buying cell phones that are integrated with the network without input from the network administrator is probably not the best idea. Anything that attaches to a network needs to automatically be considered a security issue, and the network administrator needs to be involved in that process.

Management also needs to provide continuing education and information to end users at every level. A policy and procedures security manual should be created. It should contain items such as telling users not to use fax machines they aren’t familiar with. Users need to understand that, if they are in the United States, critical phone conversations need to go over voice lines instead of cell phones. Also provide the security tools needed to ensure that, especially if they are traveling overseas.

If you have staff that travels frequently, instead of asking them to use whatever WiFi is available in an area, provide them with cellular data cards. They are harder to crack, and by working with some cellular companies, you can create private subnets for the cards that also allow for a higher level of security. This eliminates many forms of WiFi hacking. In addition, all data on a laptop or cell phone should either be encrypted or be deleted if the device is stolen.

SCADA systems that manage oil, water, gas, and other control environments could also benefit from using new technologies.  Although many of the new SCADA systems are using the same security technologies that network systems are using, they don’t take advantage of the higher bandwidths to support things like real-time cameras or video analytics that could give them a better overview of the physical security or to quickly view any problems.  Some of the newer SCADA designs also take advantage of mesh technology for a more robust network with greater uptime or can significantly lower costs by using new frequencies specifically designed for public safety from companies like Motorola, SkyPilot, BelAir, Alvarion, or Firetide.

Finally, we are back to the core computer network itself. Security here is both the easiest and hardest to implement. Administrators need to evaluate the network from the ingress/egress points to the fingertips. Starting with the connections to the Internet, firewalls are critical. Firewalls aren’t just designed to keep things out; they should be configured to also keep things in. The firewalls should be set up to monitor and reject certain types of information going out. Firewall reports should also be monitored and rules adjusted daily for the first few days or weeks until they are tuned to the network, and then routinely after that. In addition, if you aren’t doing business with other countries, a block should be created for these countries. Russia and China should be at the top of the list, as well as every other country that you aren’t actively working with. Security administrators should also work with departments to identify key files and information and create rules that won’t allow those files to be exported without authorization. Higher security environments should also employ standard security methods such as network DMZs and honeypots.
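
The routine review of firewall reports described above can start from a summary of what the outbound rules rejected, grouped by internal host. The following is an added example, not part of the original article; it assumes a netfilter-style LOG line layout, a hypothetical log prefix "EGRESS-DROP: ", an internal range of 10.0.0.0/8, and constructed sample log lines.

```python
import ipaddress
import re
from collections import Counter

# Assumption: outbound packets rejected by the egress policy are logged by a
# netfilter LOG rule that uses this (hypothetical) prefix.
LOG_PREFIX = "EGRESS-DROP: "
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range
FIELD_RE = re.compile(r"(\w+)=(\S*)")

# Constructed sample lines in the key=value layout of the netfilter LOG target.
SAMPLE_LOG = """\
Mar  3 02:14:07 fw kernel: EGRESS-DROP: IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=203.0.113.9 LEN=60 PROTO=TCP SPT=51514 DPT=6667
Mar  3 02:14:09 fw kernel: EGRESS-DROP: IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=203.0.113.9 LEN=60 PROTO=TCP SPT=51515 DPT=6667
Mar  3 02:15:40 fw kernel: EGRESS-DROP: IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=198.51.100.77 LEN=60 PROTO=TCP SPT=51600 DPT=6667
Mar  3 08:01:12 fw kernel: EGRESS-DROP: IN=eth1 OUT=eth0 SRC=10.0.9.4 DST=192.0.2.50 LEN=76 PROTO=UDP SPT=40000 DPT=53
Mar  3 08:02:00 fw kernel: INGRESS-DROP: IN=eth0 OUT= SRC=198.51.100.1 DST=10.0.0.1 LEN=40 PROTO=TCP SPT=4444 DPT=22
Mar  3 08:03:00 fw kernel: EGRESS-DROP: truncated line without fields
"""

def parse_egress_drop(line):
    """Return ((src, proto, dport), dst) for a logged egress drop, else None."""
    if LOG_PREFIX not in line:
        return None
    fields = dict(FIELD_RE.findall(line.split(LOG_PREFIX, 1)[1]))
    try:
        src = ipaddress.ip_address(fields["SRC"])
        dst = ipaddress.ip_address(fields["DST"])
        proto, dport = fields["PROTO"], int(fields["DPT"])
    except (KeyError, ValueError):
        return None  # malformed or truncated entry
    if src not in INTERNAL_NET or dst in INTERNAL_NET:
        return None  # only internal -> external attempts are of interest here
    return (str(src), proto, dport), str(dst)

def summarize(log_text):
    """List (key, blocked count, destinations) per internal host, busiest first."""
    counts, dests = Counter(), {}
    for line in log_text.splitlines():
        rec = parse_egress_drop(line)
        if rec:
            key, dst = rec
            counts[key] += 1
            dests.setdefault(key, set()).add(dst)
    return [(k, n, sorted(dests[k])) for k, n in counts.most_common()]

if __name__ == "__main__":
    for (src, proto, dport), n, dst in summarize(SAMPLE_LOG):
        print(f"{src} -> {proto}/{dport}: {n} blocked, destinations {dst}")
```

An internal host that repeatedly hits the outbound deny rule on an unexpected port is either a rule that needs adjusting or a machine that needs investigating, which is the decision the review is meant to surface.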

The network infrastructure is the next place where security should be applied. Networks should have some type of Intrusion Detection/Intrusion Prevention system that needs the same level of monitoring and rules adjustments as the firewall. This should be integrated with the networking equipment, with the ability to respond and isolate in the case of Trojans or other viruses. Microsoft, Cisco, Enterasys, and others have proposed and are implementing end-point client methodologies to improve security.

At the server level, administrators should be employing auditing of any file access. User accounts should have passwords changed every few weeks with strict password requirements. In high-security applications, data should also be encrypted at the server level, with user access reviewed any time there is a change of status of an employee. Server data access policies should also be reviewed periodically with administrators, management, and department heads as environments change. Servers should also be physically isolated and secured. Administrators should also implement standard anti-virus, anti-phishing, and spam protection software or hardware solutions at the server level that manage client protection.

At the desktop level, administrators should implement limits on the use of USB devices and CD or DVD burners, along with auditing. No data should be stored on laptops except in rare instances, and administrators should audit desktops to ensure that. Computers should be locked down and users made aware that they are not to load their own software. Users should also sign an acceptable use policy for the computer to ensure that they understand what is appropriate within these guidelines, such as which web sites they are allowed to visit.

Although many of these suggestions are procedural, a lot of these measures are going to cost money that many entities are finding in short supply these days. Companies have been using outsourcing for years, but governments have been fairly resistant to the idea. However, this is a good time to look at outsourcing, with an emphasis on the security of the outsourcing company, not only as a way to save money but also as a way to bring in outside expertise in specific areas that will help alleviate some of the responsibility placed on network administrators.

Security has come a long way since the days of anti-virus programs, and data is now the new gold coin of the computer age. The speed at which new technologies are implemented makes security a much tougher proposition. It can no longer be the responsibility of one person but of the entire organization. Management can no longer drop the security problem in the lap of the IT department without deep involvement. Departmentalization of the security and network infrastructure without cooperation or leadership by CEOs, CIOs, city managers, mayors, or leaders of any organization will most certainly lead to inefficiencies and security lapses that may cost significantly more to clean up and repair than to prevent in the first place.

* * * * * * *

About the author

Rory Conaway is president and CEO of Triad Wireless, an engineering and design firm in Phoenix. Triad Wireless specializes in unique RF data and network designs for municipalities, public safety and educational campuses. E-mail comments to rconaway at triadwireless.net. Rory writes regularly for MuniWireless.com.


About Rory Conaway

Rory Conaway has been in the IT and Wireless Industries for the past 25 years as an author and consultant. He currently operates a growing WISP operation in Southern Arizona. He consults with investors, manufacturers, and WISPs, and develops financial business models for startups. In addition to writing articles in industry publications such as Mission Critical Magazine, Mr. Conaway also writes the series “Tales from the Towers” that can be found on various sites such as www.triadwireless.net and www.muniwireless.com. He has also engineered several wireless designs such as S.P.I.R.I.T. and Guerilla Wireless, and has built integrated wireless and video surveillance for airport security, municipal and critical infrastructure, SCADA systems, and hotel/MDU deployments.