UNCLASSIFIED

DEFENSE TECHNICAL INFORMATION CENTER
8725 John J. Kingman Road, Suite 0944
Fort Belvoir, Virginia 22060-6218

Policy on the Redistribution of DTIC-Supplied Information

As a condition for obtaining DTIC services, all information received from DTIC that is not clearly marked for public release will be used only to bid or perform work under a U.S. Government contract or grant or for purposes specifically authorized by the U.S. Government agency that is sponsoring access. Further, the information will not be published for profit or in any manner offered for sale. Non-compliance may result in termination of access and a requirement to return all information obtained from DTIC.

NOTICE

We are pleased to supply this document in response to your request. The acquisition of technical reports, notes, memorandums, etc., is an active, ongoing program at the Defense Technical Information Center (DTIC) that depends, in part, on the efforts and interest of users and contributors. Therefore, if you know of the existence of any significant reports, etc., that are not in the DTIC collection, we would appreciate receiving copies or information related to their sources and availability. The appropriate regulations are Department of Defense Directive 3200.12, DoD Scientific and Technical Information Program; Department of Defense Directive 5230.24, Distribution Statements on Technical Documents; American National Standards Institute (ANSI) Standard Z39.18-1995, Scientific and Technical Reports - Elements, Organization and Design; and Department of Defense 5200.1-R, Information Security Program Regulation. Our Acquisitions Branch will assist in resolving any questions you may have concerning documents to be submitted. Telephone numbers for that office are (illegible in scan). The Reference and Retrieval Service Branch will assist in document identification, ordering and related questions. Telephone numbers for that office are (illegible in scan).

Information Warfare - Defense
Assessing CONUS Vulnerabilities and Adversary Offensive Capabilities
8-10 April 1997

Sponsored by
Office of the Secretary of Defense, Net Assessment
Pentagon Room 3A930, Washington DC 20301

Booz-Allen & Hamilton Inc.
430 North Fairfax Drive, Arlington, VA
(703) 902-4844

Proprietary Information
Administrivia
- Classification of Seminar
  Seminar discussions at the TS level
  NO classified discussions in the hallways
- Mail Stop
  Fill out notebooks with name and mail stop
- Messages
  Received at 703-902-4844 or 703-908-4300

IW-Defense Seminar Agenda

Tuesday, 8 April 1997
Time slots as scanned (some slots lost): 0730-0800, 0800-0805, 0805-0830, 0830-0900, 0900-0930, 1030-1130, 1215-1315, 1315-1415, 1430-1500, 1515-1615, 1615-1700
Sessions, in order:
- Breakfast and Registration
- Opening Remarks, Net Assessment: COL Scott Rowell, USA
- Overview: Melissa Hathaway, Booz-Allen & Hamilton
- Overview of the PCCIP: Brent Greene
- Break
- Overview of the NII/DII: Mark Jacobsohn, Booz-Allen & Hamilton
- Transportation Infrastructure: Rich Phares, Booz-Allen & Hamilton
- Power Infrastructure: Brad Bigelow
- Working Lunch
- Telecommunications Infrastructure: Sobetka (first name illegible), Booz-Allen & Hamilton
- Security and Information Warfare, Networks at Risk: Ted Phillips, Booz-Allen & Hamilton
- Break
- Indications & Warning: LT Sean Heritage, USN
- Break
- Reading
- (final session title illegible)

Wednesday, 9 April 1997
- 0730-0800 Breakfast and Registration
- 0800-0830 Deliverable Overview: Melissa Hathaway, Booz-Allen & Hamilton
- Break
- 0845 onward (end time illegible): Break into two teams; Working Lunch served at 1200
  Team Responsibilities:
  - Select CONUS targets (targets critical to military operations)
  - Identify targeting criteria (why chosen, how to attack, when to attack)
  - Attack objectives (disrupt, delay, deny, destroy; what nodes)
  - Identify implications of attacks (impact on ultimate objective of attacks)
  - Assess operational implications on US force projection and operations

Thursday, 10 April 1997
- 0730-0800 Breakfast and Registration
- 0800-0900 Team 1 Briefing
- 0900-1000 Team 2 Briefing
- Break
- 1030-1200 Discussion of Team Results
- Working Lunch
- 1230-1430 Structured Discussion of Current and Potential Nations/Actors
- 1430-1500 Wrap Up

Information Warfare-Defense Seminar, 8-10 April 1997
Sponsored by Office of the Secretary of Defense, Director of Net Assessment,
COL Scott Rowell, Pentagon Room 3A930, Washington DC
Conducted at Booz-Allen & Hamilton Inc., 430 North Fairfax Drive, Arlington, Virginia, (703) 902-4844

Purpose of Seminar
- Review critical CONUS infrastructures and identify/assess their vulnerabilities and impact, if targeted, on military force projection and theater operations
- Provide a framework to focus the Net Assessment

Seminar Objectives
- Review and understand infrastructures and identify and explore their vulnerabilities
- Identify and evaluate interdependencies between civil and military infrastructures
- Identify technologies and capabilities necessary to exploit infrastructure vulnerabilities and the implications of exploitation/risks
- Identify nations/actors that maintain or could obtain those offensive capabilities
- Identify potential sources of critical technologies and capabilities

Overview, Day One
[Figure: block diagram with the following elements: Indications & Warning; Network Vulnerabilities; Infrastructure Vulnerabilities (Telecommunications, Power, Transportation); NII/DII Overview; PCCIP Overview; Game Design; Where We Are Today]

Day Two, Players
- Divide into 2 teams (Team One, Team Two)
- CINCs covered: PACOM, ACOM, SOUTHCOM, CENTCOM (assignment of CINCs to teams illegible in scan)

Net Assessment Focus for Seminar
- Warfighter Functions: Observe, Command, Communicate, Logistics, Navigate, Target, Strike
- Information Warfare Capabilities: Deny, Degrade, Destroy, Intercept, Exploit, Corrupt
- Focus on the Operational Level of War
  What does it mean to a CINC if one of these functions is vulnerable?
  What does it mean to a Theater-level operation?

Team Mission Objective
- Delay/deny/exploit a notional deployment of a Corps and its supporting assets (air, sea, communications, etc.) to any AOR

Overview of Day
Two
- Teams identify target sets (critical nodes, etc.) in the sectors of power, telecommunications and transportation
- Identify why targets chosen
- Identify what offensive capabilities used
- Identify and discuss implications of targeting choices

Analysis of CINC Dependencies
[Figure: map of CONUS showing Origination Points and Trans-shipment Points]

Nominated Methodology
[Figure: methodology flow diagram; labels illegible in scan]

Deliverables
- Teams prepare briefings for plenary session highlighting the most significant vulnerabilities by sector that will impact:
  - Notional military deployment to overseas AOR
  - Logistics associated with the deployment
  - Communications that support military operations

Overview of Day Three
- Teams brief results of Day Two sessions
- Participants discuss results of Day Two sessions
  - Target set choices
  - Offensive capabilities used
  - Nations/actors that possess or could obtain/develop those capabilities, at what cost

Seminar Discussion Questions
- What are the 2 or 3 most critical/vulnerable nodes in each of the three infrastructures (telecommunications, power, transportation)?
- What measures must be taken to fortify these nodes?
- What is the major offensive capability or action that could be used to destroy, delay, disrupt, deny or degrade CINC deployments/operations in each AOR (physical destruction, electronic, human)?

Seminar Discussion Questions (cont.)
- What specific countries currently possess or could purchase the capabilities necessary to carry out the postulated attacks cited in the previous questions?
- What additional countries could carry out these attacks in (number illegible) years?
  - Sources of technology and capabilities
  - Importance of management and planning
- Which CINC AOR is the most vulnerable/easiest to impact if
the CONUS infrastructures are attacked? What is this based upon (fewer critical nodes, less redundancy, easier access to critical networks or nodes supporting that AOR)?

Seminar Discussion Questions (cont.)
- Which infrastructure's outages impact the deployment/operations the most?
- Are there operational work-arounds to avoid serious delays or disruptions in deployment operations for that CINC?

ATTACK PLANNING FORM (blank)
Team:
Mission Objective (check): Corrupt / Deny / Delay / Degrade / Destroy / Exploit
Method of Attack (check): Physical Destruction / Electronic / Human
Military Installation Affected:
Infrastructure (circle one): Transportation / Electric Power / Telecommunications
Physical Target(s):
Functional Characteristics:
Known Vulnerabilities: Physical / Electronic / Operational
Countermeasures Now in Place: Protection and Security; Redundancies
Likely Future Countermeasures: Protection and Security; Operational Alternatives; Contingency Plans
Measures of Effectiveness: Primary and Cascading
Operational Implications for US Force Deployment/Projection and Operations (include Primary, Secondary or Collateral, and Cascading or Synergistic effects)

ATTACK PLANNING FORM, Example (handwritten entries largely illegible in scan)
Mission Objective: Deny, Degrade (?)
Method of Attack: Human (?)
Infrastructure: Telecommunications (?)
Known Vulnerabilities, Electronic: firewalls (?)
Countermeasures Now in Place: firewalls (?)
Contingency Plans: Another MEF is deployed
Operational Implications for US Force Deployment/Projection and Operations (include Primary, Secondary or Collateral
and Cascading or Synergistic effects)

Table of Military Bases (Booz-Allen and Hamilton Proprietary)
Columns in the original: Base, CINC, Military (units), C2 Nodes, Long-Haul (lines), Transportation Modes, Power. Counts marked "?" are illegible in the scan; the Power column is not legible for any row.

- Barksdale AFB, LA. Units: 8th Air Force; 2nd Bomb Wing (B-52); a second wing (B-52). C2 nodes: ?. Long-haul lines: 2 (?). Transportation: interstates (?), major highways, rail lines, 1 airport.
- Camp Lejeune, NC. Units: II MEF (?); 2nd Marine Division. C2 nodes: ?. Long-haul lines: ?. Transportation: highways (?), 1 rail line.
- Camp Pendleton, CA. Units: I MEF; 1st Marine Division. C2 nodes: 3. Long-haul lines: 2. Transportation: 4 major highways, 1 rail line.
- Camp Smith, HI. CINC: PACOM. Units: HQ Camp Smith; Hickam AFB; PACFLT HQ Pearl Harbor. C2 nodes: 3. Transportation: 3 ports (Pearl Harbor and others).
- Charleston, SC. Units: Naval facilities, submarines (?); transportation node for forces from Ft Bragg (?). C2 nodes: 6. Long-haul lines: 12. Transportation: 1 interstate, 3 major highways, 4 rail lines, 1 port, 1 airport.
- Colorado Springs, CO. Units: Falcon AFB, 50th Space Wing (satellites); Space Warfare Center; US Space Command; 21st Space Wing. C2 nodes: ?. Long-haul lines: ?. Transportation: 2 interstates, 3 rail lines, 1 airport.
- Dyess AFB, TX. Units: 7th Wing (B-1B). C2 nodes: 4. Long-haul lines: 4 (?). Transportation: 2 interstates, 2 major highways, 5 rail lines.
- Dover AFB, DE. CINC: CENTCOM (?). Units: 436th Airlift Wing (C-5); 512th Airlift Wing; transportation node. C2 nodes: 3. Long-haul lines: 6. Transportation: 3 major highways.
- Eglin AFB, FL. CINC: PACOM (?). Units: 53rd Wing; 33rd Fighter Wing; 919th Special Operations Wing. C2 nodes: 2. Long-haul lines: 4. Transportation: 4 major highways.
- Ellsworth AFB, SD. Units: 28th Bomb Wing (B-1B). C2 nodes: 4. Long-haul lines: ?. Transportation: 2 interstates, 2 major highways, 3 rail lines.
- Ft Benning, GA. CINC: ACOM, CENTCOM. Units: 3rd Bde, 3rd ID; 75th Ranger Regiment. C2 nodes: ?. Long-haul lines: 8. Transportation: 3 major highways, 4 rail lines.
- Ft Bragg, NC. Units: XVIII Airborne Corps; Special Operations Command; 82nd Airborne Division; 4th Psychological Operations Group; Army Special Forces Command; 3rd Special Forces Group and a second Special Forces Group. C2 nodes: 9. Long-haul lines: 10. Transportation: 2 interstates, 4 major roads, rail lines (?).
- Ft Campbell, KY. CINC: CENTCOM. Units: 101st Air Assault Division; 5th Special Forces Group. C2 nodes: 5. Long-haul lines: ? (scan reads "43"). Transportation: 2 interstates, 3 major roads, 1 rail line.
- Ft Carson, CO. Units: 3rd Armored Cavalry Regiment; 3rd Bde, 4th ID; 10th Special Forces Group. C2 nodes: 4. Long-haul lines: ?. Transportation: 2 interstates, 2 major highways, 4 rail lines, 1 airport.
- Ft Drum, NY. Units: 10th Mountain Division. C2 nodes: 5. Long-haul lines: ?. Transportation: 2 interstates, 2 major highways, 1 rail line.
- Ft Hood, TX. Units: III Corps HQ; 1st Cavalry Division (?); 2nd Bde and 4th Infantry Division. C2 nodes: 5. Long-haul lines: ?. Transportation: 2 interstates, 1 highway, 4 rail lines.
- Ft Lewis, WA (name illegible; row identified from its units). CINC: PACOM. Units: 1st Special Forces Group; I Corps; 3rd Bde, 2nd ID; Bde, 25th ID. C2 nodes: ?. Long-haul lines: 10. Transportation: 1 interstate, 2 major highways, 1 port.
- Ft Riley, KS. Units: 1st Bde, 1st ID; 3rd Bde, 1st Armored Division. C2 nodes: 8. Long-haul lines: 6. Transportation: 2 interstates, 1 major highway.
- Ft Stewart, GA. CINC: ACOM, CENTCOM. Units: 1st Bde, 3rd ID; 2nd Bde, 3rd ID. C2 nodes: 5. Long-haul lines: 5. Transportation: major highways (?), rail lines (?).
- Galveston, TX (?). Units: Navy HQ (?). C2 nodes: 4. Long-haul lines: 3. Transportation: 2 major highways, 1 port, 2 airports.
- Gulfport, MS. Units: 2 frigates, 1 cruiser (?). C2 nodes: ?. Long-haul lines: 6. Transportation: 2 interstates, 1 major highway, 3 rail lines, 1 port.
- Holloman AFB, NM. Units: 49th Fighter Wing. C2 nodes: ?. Long-haul lines: 5. Transportation: major highways, 2 rail lines.
- Jacksonville, FL. Units: port for forces from Ft Campbell. C2 nodes: ?. Long-haul lines: 4. Transportation: 3 interstates, major highways, 5 rail lines.
- Langley AFB, VA. Units: ACC HQ (?); 1st Fighter Wing. C2 nodes: 5. Long-haul lines: 6. Transportation: 3 interstates, 2 highways, 2 rail lines, 1 port, 1 airport.
- MacDill AFB, FL. Units: CINC HQ. C2 nodes: 10. Long-haul lines: 10. Transportation: 4 interstates, 2 highways, 5 rail lines (?), 1 airport.
- McChord AFB, WA. Units: airlift wing (C-141); transportation node. C2 nodes: ?. Long-haul lines: 10. Transportation: 1 interstate, 1 port, 1 airport.
- Mountain Home AFB, ID. CINC: PACOM. Units: 366th Wing (Composite). C2 nodes: 4. Long-haul lines: 6. Transportation: 1 major highway.
- Nellis AFB, NV. Units: Air Warfare Center; 57th Wing (?); Predator UAVs. C2 nodes: ?. Long-haul lines: ?. Transportation: 2 interstates, 1 highway, 2 rail lines.
- Norfolk, VA. Units: CVBGs; multiple Naval C2 nodes. C2 nodes: 5. Transportation: 1 interstate,
  Norfolk Naval Station, Little Creek Amphibious Base, NAS Norfolk, carrier groups (CVBGs), carrier aircraft. Long-haul lines: ?. Transportation (cont.): 5 major highways, 5 rail lines, 1 port, 1 airport.
- San Diego, CA. Units: 3rd Fleet; submarines; MCAS Miramar. C2 nodes: 3. Long-haul lines: 2 (?). Transportation: 5 major highways, 2 rail lines, 1 port, 1 airport.
- Scott AFB, IL. Units: transportation node; Tanker Airlift Control Center. C2 nodes: ?. Long-haul lines: ?. Transportation: interstates (?), 2 highways, 3 rail lines, 1 port, 1 airport.
- Travis AFB, CA. CINC: PACOM. Units: 15th Air Force (?) (C-141, C-5); transportation node. C2 nodes: 3. Long-haul lines: 6. Transportation: interstates (?), 3 major highways, rail lines (?), 1 airport.
- Whiteman AFB, MO. Units: 509th Bomb Wing (B-2). C2 nodes: 3. Long-haul lines: ?. Transportation: major highways, 1 rail line.
- Willow Grove, PA. Units: airlift wing (number illegible); 193rd SOG; 4th FOG (?). C2 nodes: 1. Long-haul lines: ?. Transportation: 2 interstates, 3 major highways, 6 rail lines, 1 airport, 1 port.

[Figure: map of Areas of Responsibility (Navy, Marine Corps, Army, Air Force) with Origination Points, Trans-shipment Points and C2 Nodes; place labels largely illegible]

National Information Infrastructure (NII)
Defense Information Infrastructure (DII)
Presented by Mark Jacobsohn, Booz-Allen & Hamilton Inc., 8 April 1997

Why the NII and DII Are Important
- "For economic reasons, increasing deregulation and competition create an increased reliance on information systems to operate, maintain and monitor critical infrastructures. This in turn creates a tunnel of vulnerability previously unrealized in the history of conflict." (DSB Task Force on Information Warfare - Defense)
- Most
communications travel over publicly switched networks

Relationship Between the Global, National and Defense Information Infrastructures
- The Global Information Infrastructure (GII) encompasses both the NII and the DII
- The NII and DII are inextricably intertwined, with near-constant interfacing among the three
[Figure: nested circles GII > NII > DII, captioned "The Information Warfare Battleground"]

National and Defense Information Infrastructures
- National Information Infrastructure (NII): National interconnection of communications networks, computers, databases and consumer electronics that allows users to gain access to vast amounts of information
- Defense Information Infrastructure (DII): The DII, a component of the NII, is the shared system of computers, communications systems, data, applications, personnel and other structures supporting Department of Defense local, national and worldwide information needs. The DII provides mission support, command and control, and intelligence information through telecommunications (voice, imagery, video and multimedia services). It includes all C2, tactical, intelligence and commercial communications systems used to transmit data.

National Information Infrastructure
- Designed, built, owned, operated and used primarily by the private sector
- Lacks central control or oversight
- Key characteristics include:
  - Rapidly moving technology
  - Highly elaborate and interconnected
  - Multiple/innumerable potential points of entry
  - Anonymity/ambiguity
- Composed of the following telecommunication elements:
  - Internet
  - Public Switched Networks (PSN)
  - Cable
  - Wireless
  - Satellite communications
  - Public and private networks

Defense Information Infrastructure (1)
- Mission: A new integrated computing and communications environment to provide information services in demand to the user community
[Figure: DII environment diagram with elements Sustaining Base, Deployed, Joint Task Force, Industry,
Government, Services]

Defense Information Infrastructure (2)
DII Components
- Enterprise Baseline: the global communications infrastructure, processing centers, management control centers and services that support the other baselines; includes:
  - Defense Information System Network (DISN): the global long-haul communications infrastructure
  - Defense MegaCenters (DMCs): information processing and business reengineering, testing and evaluation
  - Control Centers: provide management service for the DII
  - Value-Added Services (VASs): additional enhanced capabilities or utilities provided by information systems and/or capabilities that use the DISN
- Sustaining Baseline: provides information processing and communications infrastructure to national mission support, intelligence and C2 communities
- Deployed Baseline: provides information processing and communications infrastructure to in-garrison and deployed JTF operations

Defense Information Infrastructure (3)
- Goals are to provide:
  - Information services end-to-end across the global C4I warfighter space
  - A seamless interface across infrastructures that incorporates rapidly changing technology in the areas of computing, communications and information services
  - Standards-based design and implementation methods
- Objectives:
  - Maximize use of COTS products
  - Take advantage of dual-use research and development
  - Ensure mechanisms for emerging technology insertion

US Transportation System Vulnerabilities
Presented by Rich Phares, Booz-Allen & Hamilton Inc., 8 April 1997

Agenda
- Methodology
- Categories Examined
- Analysis by Category
- Ten Most Critical Commercial Nodes
- Vulnerability Examples
- Three Military Deployment Examples
- Army Divisions vs Embarkation Points
- Commercial vs Military

Methodology
- Statistical data
  was obtained from the US Department of Transportation, Bureau of Transportation Statistics
- Divided country into regions, each region comprised of several nodes: East Coast, Gulf Coast, East Inland, Great Lakes, West Inland and West Coast
- Selected major urban areas in each region

Methodology (cont.)
- Analyzed nodes based on several categories of commercial transportation as well as proximity to military facilities
- Categories were examined for heaviest traffic, most tonnage processed, etc.
- Nodes were ranked in each category and top ten were chosen

Categories Examined
- Volume of Rail Freight
- Largest Airline Hubs
- Rail and Bus System Passenger-Miles
- Ports (Tonnage)
- Interstate Highways (number of highways that feed into a node)
- Highway Delay Hours (amount of hours travel time increased due to traffic congestion)
- Proximity of Military Bases

Analysis by Category
- Heaviest rail activity (30,000,000 ton-miles/year): Kansas City, St Louis, Chicago, Detroit, Cleveland

Analysis by Category (cont.)
- Heaviest air traffic (15,000,000 people/year): San Francisco Bay, Los Angeles Basin, Dallas, Chicago, New York/Northern New Jersey

Analysis by Category (cont.)
- Heaviest rail/bus (3,000,000 passenger-miles/year): San Francisco Bay, Los Angeles Basin, Chicago, New York/Northern New Jersey

Analysis by Category (cont.)
- Heaviest ports (100,000,000 tons/year): Anchorage, Los Angeles/Long Beach, Houston, New Orleans, Vicksburg, Dover, Philadelphia, New York/Northern New Jersey

Analysis by Category (cont.)
- Most interstate connections (3 or more): Los Angeles Basin, Dallas, Kansas City, St Louis, Chicago, Atlanta, Baltimore/Washington

Analysis by Category (cont.)
- Heaviest highway delays (1,000,000 hours/year):
  San Francisco Bay, Los Angeles Basin, Chicago, Baltimore/Washington, New York/Northern New Jersey

Analysis by Category (cont.)
- Proximity to military installations (2 or more major formations: Division, Wing, CVBG, Major Command or Agency): Baltimore/Washington, Norfolk, San Diego County, Puget Sound, Honolulu

Ten Most Critical Commercial Nodes
- Chicago
- Los Angeles Basin
- New York/Northern New Jersey
- Baltimore/Washington
- San Francisco Bay
- St Louis
- Kansas City
- Dallas
(remaining entries illegible in scan)

Vulnerabilities
- For any node, loss of electrical power would:
  - Affect loading and unloading of cargo
  - Disrupt communications and computer systems at all types of transport facilities
- Port nodes are:
  - Dependent on electrical power for port loading/unloading machinery and port systems
  - Dependent on computer systems for tracking cargo and tracking vessels, rail cars and trucks

Vulnerabilities (cont.)
- Baltimore/Washington: a central control/switching facility for east coast rail traffic, identified by the DSB Task Force as a potential single point of failure for exploitation. The facility is in Florida, yet impacted on events in the Baltimore/Washington area.

Deploy the 101st Air Assault Division
- 1st Brigade: personnel moved by air from Campbell Army Airfield; equipment moved by rail to Jacksonville, FL, then by ship to Saudi Arabia
- 2nd Brigade and Aviation Task Force: personnel and equipment flew (60 C-141s and 50 C-5s) directly to Saudi Arabia
- 3rd Brigade: personnel drove 438 vehicles 787 miles to Jacksonville via interstate highways; personnel then returned to Campbell AAF to fly on to Saudi Arabia

Deploy the 101st (cont.)
[Figure: map of deployment routes from Ft Campbell to Saudi Arabia]

How to stop the 101st
- Aircraft flew from Campbell Army Air Field; disruptions against the national and
  military traffic control systems could be attempted
- Personnel processing stations were a possible target
- Equipment went by rail or interstate; trains are easier to disrupt than trucks

Deploy the 366th Wing
- Composite Wing located at Mountain Home AFB, Idaho
- Composed of five squadrons, one each of F-15C, F-15E, F-16C, B-1B and KC-135R
- Supplemented with E-3C and EF-111A aircraft from other Wings
- Deploys in three waves 24 to 36 hours apart
- Flies in groups of 41, 21 and 13 aircraft
- Requires 80 C-141 lifts for personnel and ground equipment

Deploy the 366th (cont.)
[Figure: map of deployment routes from Mountain Home AFB to the ACOM and CENTCOM AORs; labels largely illegible]

How to stop the 366th
- Requires coordination between Wing, AMC and ACC
- Databases, e-mail and other computer systems used for planning and coordination are possible targets
- Sabotage of the tankers could have the greatest immediate effect on the deployment
- The five basic squadrons are co-located together; the supplemental units fly from their own bases
- Disruptions could be against the national and military traffic control systems

Deploy a CVBG (Carrier Group) or Cruiser/Destroyer Group
- Staff is designated to deploy
- Carrier, Airwing and Destroyer Squadron staffs are assigned to the Group Staff
- Carrier, escorts, supply vessels and submarines are assigned to the Group Staff
- Staffs embark on their assigned platforms

Deploy a CVBG (cont.)
- Ships sortie from their respective home ports and join the carrier at a specific location
- The various squadrons assigned to the Carrier Airwing fly into a central location from their respective home bases
- Once the carrier is underway, the airwing flies onto the carrier
- The
  Battlegroup proceeds towards its destination

Deploy a CVBG (cont.)
[Figure: map of CVBG assembly and transit; labels illegible]

How to stop a CVBG
- Requires coordination among several staffs, ships, wing and squadrons at different locations
- Databases, e-mail and other computer systems used for planning and coordination are possible targets
- Any physical attacks against shipboard electronics or the propulsion systems could affect the deployment schedule

Divisions vs Embarkation Points
- 4th Infantry (rail), 1st Cavalry (rail): Ft Hood, TX to Houston/Galveston, TX
- 1st Brigade, 1st Infantry (rail), 3rd Brigade, 1st Armored (rail): Ft Riley, KS to St Louis, MO, then barge to New Orleans, LA / Vicksburg, MS
- 10th Mountain (drive): Ft Drum, NY to Albany, NY, then barge to New York/New Jersey

Divisions vs Embarkation Points (cont.)
- 3rd Infantry (rail): Ft Stewart and Ft Benning, GA to Savannah, GA
- 82nd Airborne (rail): Ft Bragg, NC to Charleston, SC or Norfolk, VA
- 101st Air Assault (rail): Ft Campbell, KY to Jacksonville, FL or Savannah, GA
- 3rd Brigade, 2nd Infantry (rail): Ft Lewis, WA to Tacoma, WA

Divisions vs Embarkation Points (cont.)
[Figure: map of divisions and embarkation points; only "Colorado Springs" legible]

Commercial vs Military
Comparison of military embarkation points and critical commercial nodes
- Embarkation: Houston, Tacoma, St Louis, Charleston, Albany, Savannah, Norfolk, Jacksonville
- Commercial: Chicago, Los Angeles Basin, New York/Northern New Jersey, Baltimore/Washington, San Francisco Bay, St Louis, Kansas City, Dallas

Commercial vs Military (cont.)
- Nodes most vital to military operations may not match those most vital to national economic operations
- Overlaps between commercial and military uses must be identified

Electric Power Networks and Security
Major Brad Bigelow, USAF
Office of the Manager, National Communications System
Government
Coordinator

Infrastructure Risk Assessments
- NSTAC is investigating the risks facing the critical elements of the national information infrastructure:
  - Telecommunications
  - Electric power
  - Financial services
  - Transportation
- Focus is on risks derived from reliance on networks and information systems:
  - Internal control networks and applications
  - Interfaces to external networks
  - Dependencies on public networks
(Slide footer: March 20, 1997, Office of the Manager, National Communications System)

Risk Assessment Scope
- Broad distribution
- Extended duration
- Disruption (?)
- Focus is on vulnerabilities that could lead to outages with significant regional or national impacts

Electric Power Data Collection
- Meetings with industry associations and government agencies:
  - Utilities Telecommunications Council
  - Dept of Energy
  - Federal Energy Regulatory Commission
  - North American Electric Reliability Council
  - Electric Power Research Institute
  - Joint Program Office for Special Technology Countermeasures
- Topics (second column of the slide): energy incident database; open access to transmission system information; Telecommunications Subcommittee; information security survey; OASIS; EMS/SCADA security; EMS/SCADA vendor survey

Typical Utility Architecture
[Figure: diagram, not legible in scan]

Control Center Architecture
[Figure: diagram, not legible in scan]

Substation Automation
[Figure: diagram, not legible in scan]

Open Access Same-Time Information System (OASIS)
- Requires transmission owners/controllers to post information about availability, services and pricing
- Information accessible by all users on a comparable basis
- Must support basic merchant transactions:
  - Posting transmission information
  - Service request / acknowledge receipt
  - Posting of request status (received, pending, accepted, withdrawn, rejected, continued for
    scheduling)
  - Confirmation of sale / acknowledge confirmation

Threats
- Physical destruction still the greatest threat facing the electric power infrastructure
  - Details on physical infrastructure and system capacity more easily accessible than ever
- Electronic intrusion represents an emerging but still relatively minor threat
  - Insiders the primary threat to information systems
  - Downsizing, increased competition and the shift to standard protocols will add to the potential sources of attacks

Deterrents
- Recent legislation increases the jurisdiction over attacks on electric power control systems as proprietary information
- Impediments to effective deterrence:
  - Lack of effective reporting mechanisms
  - Inconsistent use of logins, passwords and warning banners
  - Low probability of being detected, caught and prosecuted

Vulnerabilities
- Substations represent the most significant information security vulnerability
  - Poorly protected dial-in access to automated devices
  - Combined with critical node analysis, could result in major regional outages similar to the Western states outages of Jul-Aug 1996
- Other sources:
  - Interconnections between control centers and corporate data networks
  - Widespread use of dial-up modems
  - Use of public networks

Protection Measures
- Widespread use of:
  - Contingency analysis
  - Back-up/redundant control centers and communications
  - Dial-back protection
  - Firewalls on OASIS sites and Internet connections
  - Security through obscurity
- Inconsistent organizational approaches to information security
  - Often excludes authority over operational systems
- Lack of convincing threat a major barrier to senior management support for security investments
Operational Discipline
- Real-time contingency analysis standard industry practice
  - Live status (telemetry) fed simultaneously to:
    - Operational energy management system
    - Contingency analysis simulator: flags next worst event based on current system activity
  - Key to anticipating and preventing ripple effects
- Rigorous discipline of tracking outages
  - Within control center
  - System management and engineering analysis
  - Mandatory reporting to NERC and FERC

Conclusions
- No evidence of a disruption of electric power caused by an electronic intrusion
- Three trends will increase the exposure of electric power control networks to attacks:
  - The shift from proprietary mainframe control systems to open systems and standard protocols
  - Increasing use of automation, outside contractors and external connections to reduce staff and operating costs
  - The requirement to provide open access to transmission system information dictated under FERC Orders 888 and 889

Recommendations
- Recommendations to:
  - President
  - Electric power industry
  - NSTAC
- Structured according to a model of increasing information assurance maturity:
  - Awareness
  - Information exchange
  - Mechanisms for prevention, detection, response and restoration
- Building consensus on threat is the priority: risk management is driven by what's known

THE NATIONAL SECURITY TELECOMMUNICATIONS ADVISORY COMMITTEE
Information Assurance Task Force
Electric Power Information Assurance Risk Assessment
FINAL - NOT FOR EXTERNAL DISTRIBUTION
December 1996

TABLE OF CONTENTS
Executive Summary
1.0 Introduction
2.0 Overview of Power Generation and Distribution
  2.1 Background
  2.2 Overview of Electric Power Industry
  2.3 Overview of Electric Power Systems
    2.3.1 Control Center
    2.3.2 Energy Management System
  2.4 Industry Legislative Environment
  2.5 Industry Trends
  2.6 Previous Studies
3.0 Threat
  3.1 Physical Threat
  3.2
ELECTRONIC THREAT
3.2.1 Insider Threat
3.2.2 Outsider Threat
3.3 THREAT CONCLUSIONS
4.0 DETERRENTS
5.0
5.1 CONTROL CENTER VULNERABILITIES
5.1.1 Corporate MIS
5.1.2 Other Utilities and Power Pools
5.1.3 Supporting Vendors
5.1.4 Remote Maintenance and Administration
5.1.5 Impacts
5.2 SUBSTATION VULNERABILITIES
5.2.1 Digital Programmable Devices
5.2.2 Remote Terminal Units
5.3 COMMUNICATIONS VULNERABILITIES
5.3.1 Private Infrastructure Vulnerabilities
5.3.2 Public Infrastructure Vulnerabilities
6.0 PROTECTION MEASURES
7.0 POTENTIAL IMPACTS
8.0 CONCLUSIONS
9.0 RECOMMENDATIONS
9.1 RECOMMENDATIONS TO THE POWER INDUSTRY
9.1.1 Awareness
9.1.2 Information Sharing
9.1.3 Mechanisms for Prevention, Detection, Response and Restoration
9.2 RECOMMENDATIONS TO THE PRESIDENT
9.2.1 Awareness
9.2.2 Information Sharing
9.2.3 Mechanisms for Prevention, Detection, Response and Restoration
9.3 RECOMMENDATIONS TO THE NSTAC
9.3.1 Awareness
9.3.2 Information Sharing
9.3.3 Mechanisms for Prevention, Detection, Response and Restoration

National Security Telecommunications Advisory Committee
Information Assurance Task Force
Electric Power Risk Assessment

Executive Summary

The security of electric power control networks represents a significant emerging risk to the electric power grid. This risk assessment is the result of a 6-month effort by the Information Assurance Task Force of the National Security Telecommunications Advisory Committee (NSTAC) that included interviews and discussions with representatives throughout the electric power industry.

The electric power grid is a highly interconnected and dynamic system of over 3,000 public and private utilities and rural cooperatives. These utilities have incorporated a wide variety of information and telecommunications systems to automate the control of electric power generation, transmission and distribution.

The electric power industry is undergoing significant change, fueled by marketplace forces and Federal legislative
and regulatory activities. New players are entering the power generation and delivery market, and existing utilities are being required to offer open access to their transmission systems. The functions of power generation, transmission and marketing, which traditionally have been integrated, are now being separated within utilities and in some cases even spun off into new companies. Competition, aging proprietary systems, and reductions in staff and operating margins are leading utilities to rapidly expand their use of information systems and to interconnect previously isolated networks.

Physical destruction is still the greatest threat facing the electric power infrastructure. Compared to this, electronic intrusion represents an emerging but still relatively minor threat. Insiders are considered to be the primary threat to information systems. Downsizing, increased competition and the shift to standard protocols will add to the potential sources of attacks, whether from inside or outside a utility.

Recent legislation increases the jurisdiction of Federal, state and local law enforcement authorities over attacks on electric power control systems. However, the lack of effective reporting mechanisms, inconsistent use of logins, passwords and warning banners, and a low probability of being detected, caught and prosecuted hinder effective deterrence of potential attackers.

Substations represent the most significant information security vulnerability in the power grid. Many of the automated devices used to monitor and control equipment within transmission and distribution substations are poorly protected against intrusion. Interconnections between control centers and corporate data networks, widespread use of dial-up modems, and use of public networks are other sources of vulnerabilities.

Utilities use a variety of mechanisms to protect the electric power grid from disruption, including contingency analysis, redundant control centers, dial-back modems and firewalls. However, few utilities have an information
security function for their operational systems, and the lack of convincing evidence of a threat has led senior managers to minimize information security investments.

The recent U.S. western power outages left 2 million people without power for up to 6 hours on July 2, 1996, and 5.6 million people without power for up to 16 hours on August 10, 1996. A critical node analysis, combined with knowledge of weak protections on substation automation elements, could allow an electronic intruder to achieve similar effects. A major coordinated attack could disrupt activities at a national level.

The study found no evidence of a disruption of electric power caused by an electronic intrusion. Three trends, however, will increase the exposure of electric power control networks to attacks:

- The shift from proprietary mainframe control systems to open systems and standard protocols
- Increasing use of automation, outside contractors and external connections to reduce staff and operating costs
- The requirement to provide open access to transmission system information dictated under FERC orders 888 and 889

The probability of a nationwide disruption of electric power through electronic intrusion, short of a major coordinated attack, is extremely low, but the potential for short-term disruptions at the regional level is increasing.

The report closes with a number of recommendations for the President, the electric power industry and the NSTAC. Of these, the most important recommendation is that the President should consider assigning to the appropriate Department or Agency the mission to develop and conduct an ongoing program within the electric power industry to identify the threat and increase the awareness of vulnerabilities and available or emerging solutions.

1.0 INTRODUCTION

In January 1995, the Director of the National Security Agency briefed the National Security Telecommunications Advisory Committee (NSTAC) on threats to U.S. information systems and the need to improve the security of critical national
infrastructures. The NSTAC principals discussed those issues and subsequently sent a letter to the President in March of that year stating that "the integrity of the Nation's information systems, both government and public, are increasingly at risk from intrusion and attack" and that "other national infrastructures such as finance, air traffic control, power, etc., also depend on reliable and secure information systems and could be at risk."[1] President Clinton replied to the NSTAC letter in July 1995, stating that he would welcome "continuing effort to work with the Administration to counter threats to our Nation's information and telecommunications systems."[2] The President further asked the principals, with input from the full range of NII users, "to provide me with your assessment of national security emergency preparedness requirements for our rapidly evolving information infrastructure."[3]

In May 1995, the NSTAC formed the Information Assurance Task Force to work closely with the U.S. Government to identify critical national infrastructures and their importance to the national interest. Following several meetings with elements of the national security community, civil departments and agencies, and the private sector, the task force determined that electric power, financial services and transportation were some of the most critical of the infrastructures. The task force determined that it would study these infrastructures to assess the extent to which their dependence on information and information systems puts them at increased risk to denial-of-service attacks.

This document is a report of the findings of the Electric Power Risk Assessment Subgroup's assessment of the risk that electronic intrusions pose to electric power distribution systems, specifically examining the vulnerability of the systems that manage and control generation, transmission and distribution. This study represents a 6-month effort that included interviews with representatives from the operations, security and information systems
elements of eight utilities, one power pool association, the Utility Telecommunications Council (UTC), the North American Electric Reliability Council (NERC), the Electric Power Research Institute (EPRI), the Federal Energy Regulatory Committee (FERC), and a number of industry consultants. The utilities interviewed ranged in size and location and included both publicly held companies and government-owned and operated power administrations.

[1] Letter from Mr. William Esrey, Sprint Corporation and Chair of the President's NSTAC, to the President of the United States, dated March 20, 1995.
[2] Letter from the President of the United States to the NSTAC, dated July 1995.
[3] Ibid.

During the course of the study, interview teams worked under the assumption that the risk to the electric power infrastructure was a function of four factors: threat, deterrence, vulnerabilities and protection measures. In this model, a threat is any circumstance or event with the potential to cause harm to a system in the form of unauthorized destruction, disclosure, or modification of data, or denial of service. A deterrent is an attempt to prevent or discourage an action before it is taken, thus mitigating a threat. Vulnerabilities are points of weakness within a given system and are mitigated by protection measures.

Interviews with the utilities and power pool were conducted in an environment in which utility staff were all forthcoming and helpful throughout the process. In addition, EPRI provided invaluable support to this study, undertaking its own survey of industry managers to assess their views on information security concerns. The UTC also assisted by arranging a meeting at its 1996 annual conference in Kansas City, Missouri, and contacts in a number of utilities.

2.0 OVERVIEW OF POWER GENERATION AND DISTRIBUTION

This chapter provides an overview of the electric power transmission and distribution industry. This overview describes the structure of the electric utility industry, identifies roles of key industry players, and explains the basic structure
of an electric power transmission and distribution system, with an emphasis on the mission, functions and system components of a typical electric utility control center. Finally, it highlights major legislative and industry trends causing change within the electric power industry and reviews previous studies of the security of electric power networks and information systems.

2.1 BACKGROUND

Since Thomas Edison opened the New York City Pearl Street Station in 1882, the U.S. and Canadian electric power grid has grown into a highly interconnected international asset composed of 3,000 independent utilities. The goal of modern-day power systems is to generate and deliver electric energy to customers as reliably, economically and safely as possible while maintaining the important operating parameters (voltage, frequency and phase angles) within permissible limits. To achieve this goal, electric utilities use centralized automation technology incorporating high-speed digital computers, supervisory and control systems, and a variety of communication systems.

2.2 OVERVIEW OF THE ELECTRIC POWER INDUSTRY

There are about 3,000 independent electric utilities in the United States. Each is interconnected with coordinated controls, operations, telecommunications networks and sophisticated control centers. These utilities include investor-owned public utilities, government-owned systems, cooperatives, and manufacturing industries that also produce power. Nearly 80 percent of the Nation's power generation comes from the approximately 270 investor-owned public utilities. The Federal Government generates another 10 percent of the Nation's power, primarily through large facilities such as the Tennessee Valley Authority. However, the Federal Government owns few distribution facilities. The remaining power supply is generated by the cooperatives and manufacturing industries. There are approximately 1,000 cooperatives, which generally have limited power-generation capacity and focus primarily on transmission and
distribution systems. In addition, some manufacturing industries generate power for their own use but sell surplus power to utilities, accounting for a small portion of the industry total.

The 3,000 companies that compose the North American power grid are divided into four regions: Eastern, Western, Texas and Quebec. Figure 1 depicts these regional divisions. The Eastern, Western and Quebec regional power grids are linked through an alternating current/direct current (AC/DC) interconnection; the Texas regional power grid is not linked to the other regional power grids. The four regions are further broken down into 15 power pools that share generation with one another and are generally located within the same geographic region.

Figure 1. Interconnections of Utility Systems

Several Federal organizations are involved in various aspects of the electric power industry. The Department of Energy's mission is to formulate a comprehensive energy policy encompassing all national energy resources, including electricity. The Federal Energy Regulatory Commission is an independent agency that regulates the natural gas industry, the electric utilities, non-Federal hydroelectric projects and oil pipeline transport. FERC was created in October 1977 through the Department of Energy Organization Act and replaced the Federal Power Commission. FERC's principal mission is to regulate the wholesale sales of electricity in interstate commerce. Other Federal agencies that oversee the electric power transmission and distribution industry include the Nuclear Regulatory Commission (NRC), the Rural Electrification Agency, the Environmental Protection Agency, and the Securities and Exchange Commission (SEC).

State public utility commissions (PUCs) play the most significant role in regulating the electric power industry. PUCs control the rate structure for all municipal utilities, investor-owned utilities and rural electric cooperatives that own, maintain or operate an electric generation, transmission or distribution system within a state.
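The real-time contingency analysis that the seminar slides above call standard industry practice, and that the report lists among the energy management system applications in section 2.3.2, can be illustrated with a small N-1 screening on a DC power-flow model. The following is an added example, not code from the report or from any utility's EMS; the four-bus network, its reactances, line ratings and loads are constructed for the demonstration, and losing one line of the constructed network islands a bus so that the failure mode a screening tool must flag is exercised.

```python
"""N-1 contingency screening on a DC power-flow model.

Added example, not code from the NSTAC report or any utility EMS.  The 4-bus
network, reactances, ratings and loads are constructed for illustration.
"""
from collections import deque

BUSES = [1, 2, 3, 4]
SLACK = 1  # balancing generator; its angle is the reference (0 rad)
# Net injections in per unit (positive = generation, negative = load);
# the slack bus supplies whatever the others do not balance.
INJECTION = {2: 0.0, 3: -1.0, 4: -0.5}
# Lines: (id, from bus, to bus, reactance p.u., thermal rating p.u.)
LINES = [
    ("1-2", 1, 2, 1.0, 1.0),
    ("2-3", 2, 3, 1.0, 1.0),
    ("1-3", 1, 3, 1.0, 1.2),
    ("3-4", 3, 4, 1.0, 1.0),  # radial feed: losing it islands bus 4
]


def solve_linear(a, b):
    """Solve a*x = b by Gaussian elimination with partial pivoting."""
    n = len(b)
    a, b = [row[:] for row in a], b[:]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(a[r][col]))
        if abs(a[pivot][col]) < 1e-12:
            raise ValueError("singular system (islanded network?)")
        a[col], a[pivot] = a[pivot], a[col]
        b[col], b[pivot] = b[pivot], b[col]
        for r in range(col + 1, n):
            f = a[r][col] / a[col][col]
            for c in range(col, n):
                a[r][c] -= f * a[col][c]
            b[r] -= f * b[col]
    x = [0.0] * n
    for r in range(n - 1, -1, -1):
        x[r] = (b[r] - sum(a[r][c] * x[c] for c in range(r + 1, n))) / a[r][r]
    return x


def islanded_buses(lines):
    """Buses that cannot reach the slack bus over the in-service lines."""
    adj = {bus: set() for bus in BUSES}
    for _, i, j, _, _ in lines:
        adj[i].add(j)
        adj[j].add(i)
    seen, queue = {SLACK}, deque([SLACK])
    while queue:
        for nxt in adj[queue.popleft()] - seen:
            seen.add(nxt)
            queue.append(nxt)
    return sorted(set(BUSES) - seen)


def dc_power_flow(lines):
    """Return {line id: flow p.u.} from the DC approximation B' * theta = P."""
    others = [b for b in BUSES if b != SLACK]
    idx = {b: k for k, b in enumerate(others)}
    bmat = [[0.0] * len(others) for _ in others]
    for _, i, j, x, _ in lines:  # build the reduced susceptance matrix B'
        for p, q in ((i, j), (j, i)):
            if p in idx:
                bmat[idx[p]][idx[p]] += 1.0 / x
                if q in idx:
                    bmat[idx[p]][idx[q]] -= 1.0 / x
    theta = solve_linear(bmat, [INJECTION[b] for b in others])
    angle = {SLACK: 0.0}
    angle.update({b: theta[idx[b]] for b in others})
    # flow_ij = (theta_i - theta_j) / x_ij, positive from bus i to bus j
    return {lid: (angle[i] - angle[j]) / x for lid, i, j, x, _ in lines}


def screen_contingencies(lines=LINES):
    """Rank single-line outages: islanding first, then highest line loading.

    A loading above 1.0 means the post-outage flow exceeds the line rating.
    """
    rating = {lid: r for lid, _, _, _, r in lines}
    results = []
    for out in lines:
        remaining = [ln for ln in lines if ln[0] != out[0]]
        islands = islanded_buses(remaining)
        if islands:  # lost load is ranked above any overload
            results.append({"outage": out[0], "islanded": islands,
                            "max_loading": float("inf"), "worst_line": None})
            continue
        flows = dc_power_flow(remaining)
        loading = {lid: abs(f) / rating[lid] for lid, f in flows.items()}
        worst = max(loading, key=loading.get)
        results.append({"outage": out[0], "islanded": [],
                        "max_loading": loading[worst], "worst_line": worst})
    results.sort(key=lambda r: r["max_loading"], reverse=True)  # stable sort
    return results
```

On the constructed network the screening flags the loss of line 3-4 (bus 4 islanded) and the loss of line 1-3 (lines 1-2 and 2-3 at 150 percent of rating) as the next worst events, which is the kind of ranking an operator acts on before the event occurs.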
By controlling what constitutes an allowable charge, classifying accounts and structuring rates, the PUCs can exert significant influence over utilities. The PUCs also regulate reliability for both operational and emergency purposes, oversee territorial agreements, and resolve territorial disputes between utilities.

The North American Electric Reliability Council (NERC) is the organization most involved in keeping the lights on in North America. NERC does this by reviewing the past for lessons learned, monitoring the present for compliance with policies, criteria, standards, principles and guides, and assessing the future reliability of the bulk electric systems. NERC is a nonprofit corporation composed of nine regional councils focusing on interregional and national electric reliability issues. The members of the regional councils are electric utilities, independent power producers and electricity marketers. The electric utility members are drawn from all ownership segments of the industry: investor-owned, State, municipal, rural and provincial. These members account for most of the electricity supplied in the United States, Canada and Mexico. NERC was formed in 1968 in response to a cascading blackout that left almost 30 million people in the northeastern United States and southeastern Canada without electricity. Although it is a voluntary industry consortium, the NERC Engineering and Operating Committees set standards for the planning, engineering and operating aspects of electric system reliability.

While NERC handles operational issues, the Electric Power Research Institute (EPRI) is another significant industry player, with a research and development focus. EPRI's mission is to discover, develop and deliver high-value technological advances through networking and partnership with the electric industry. Founded in 1972, EPRI has more than 700 member utilities representing approximately 70 percent of the electricity generated in the United States. The UTC is another technology-focused industry
association. UTC represents the telecommunications interests of the Nation's electric, gas and water utilities before Congress, the Federal Communications Commission (FCC), and other Federal and State agencies. UTC promotes cooperation among its member companies in all matters concerning telecommunications, including the development and improvement of telecommunications media.

Other significant electrical power industry bodies include the following:

- The National Rural Electric Cooperative Association (NRECA)
- The American Public Power Association (APPA)
- The Edison Electric Institute (EEI)

NRECA is a national service organization representing private, consumer-owned cooperative electric utilities. NRECA provides legislative representation on issues affecting the electric service industry and its environment. The APPA represents 2,000 municipal and other state or locally owned public electric utilities. The APPA's primary objective is to expand the publicly held utility base. The APPA lobbies to improve public utility access to other power networks. The association also markets public utilities as the nonprofit, low-cost and innovative alternative to their private competitors. The EEI is an association of shareholder-owned electric companies. The association provides a forum for these companies to exchange information and acts as a representative on issues of public interest. In addition, the association develops informational resources and tools.

2.3 OVERVIEW OF ELECTRIC POWER SYSTEMS

The basic structure of an electric power transmission and distribution system consists of a generating system, a transmission system, a subtransmission system, a distribution system, and a control center. This configuration is illustrated in Figure 2. Power plant generation systems may include steam turbines, diesel engines or hydraulic turbines connected to alternators that generate AC electricity. Generators produce three-phase current at voltages ranging from 2,000 to 24,000 volts. This electricity must be transformed to higher voltages for efficient
long distance transmission. Modern transmission systems operate at voltages from 69,000 to 765,000 volts. It is the interconnection of the transmission systems that forms the power grid, which permits the interchange of electricity between utilities. Transmission lines terminate at substations, in which the voltage is reduced to the primary distribution voltage of 34.5 kV to 115 kV. This voltage is then supplied directly to large industrial users or further transformed down to 4 kV to 34.5 kV for local distribution.

Figure 2. Overview of Electric Power Systems

2.3.1 The Control Center

The control center monitors a utility's generating plants, transmission and subtransmission systems, distribution systems, and customer loads. The primary functions of an electric utility control center are to provide centralized monitoring of power system operations, retain historical data, and allow for the manual and automatic control of field equipment. The control center system presents the electric system data to operations personnel via a modern graphical user interface. Based on the data gathered, the operators may initiate control signals to various control points in the power system. The control center system may also automatically initiate controls to the field equipment, such as control of generating unit output. Figure 3 provides a schematic of a typical modern distributed control center configuration.

Generally, the communications between the control center system and the field equipment take place over utility-owned communications networks. Today the majority of these networks are based on analog and digital microwave technology, although fiber optics is becoming increasingly popular among the electric utilities. Other communications media include dedicated leased lines, power line carrier, satellite, spread-spectrum radio, and two-way radio. Control center systems acquire the electric system data through
communications with hardwired or programmable equipment in the field. This field equipment, called remote terminal units (RTUs), acts as a clearinghouse for incoming data by continuously collecting the electric system data directly from the field equipment involved in the generation, transmission and distribution of electric power. The RTUs in turn support the transmission of this information to the control center system when requested.

Newer, more intelligent data collection equipment is now being deployed in substations by electric utilities as new substations are being built and as the old substations are being refurbished. These computerized field devices that are directly involved with the generation, transmission and distribution systems are called intelligent electronic devices (IEDs). These devices represent the growing trend in the industry of pushing the intelligence and decision-making capabilities farther and farther out into the field, closer to the data collection point. The IEDs are typically networked together at the substation and communicate with a PC-based unit that replaces the remote terminal unit for the transmission of field data to the control center system.

Figure 3. Typical Control Center Configuration

2.3.2 Energy Management System

A control center energy management system (EMS) typically houses the utility's systems' databases, the operational applications and displays, and the power system reporting function. The need to disseminate valuable electric system data within a utility has resulted in many utilities connecting their EMS systems to their corporate local area network or wide area network to facilitate data sharing with other departments. Significant historical information systems have been developed to support this requirement.

A control center energy
management system generally consists of four major elements:

- The supervisory control and data acquisition (SCADA) system
- The automatic generation control (AGC) system
- The energy management applications and database
- The user interface (UI) system

These elements are depicted in Figure 4.

Figure 4. Energy Management System

The SCADA system manages the communications, collects the electric system data from the field through a series of front-end processors, initiates alarms to the operations personnel, and issues control commands to the field as directed by the applications in the control center system. The SCADA system typically consists of a host or master computer, one or more field data-gathering and control units (RTUs), and a collection of standard and/or custom software used to monitor and control remote field data elements. SCADA systems may have 30,000 to 50,000 data collection points and may transmit analog information (e.g., generator megawatts) as well as digital or status information (e.g., breaker open/close state). SCADA systems can also send a control signal (e.g., start a pump) as well as receive a status input as feedback to the control operation (the pump is started). Current computing power allows SCADA systems to perform complex sequencing operations and provides for frequent collection (every 2 seconds) of power system data.

The AGC system controls the utility's generating units to ensure that the optimal system load is being met with the most economical generation available. The AGC system submits supplementary control signals to the generating units to adjust their output based on the load forecast, unit availability, unit response rate, and scheduled interchange with other utilities.

The energy management applications and database are the programs and associated data sets that utility operations personnel use to manage state estimation, power flow, contingency analysis,
optimal power flow, load forecasting, and generation unit allocation. The UI system provides operational personnel with an interactive interface to monitor electric system performance, manage system alarm conditions, and study potential system conditions to ensure that network security criteria are met.

2.4 INDUSTRY LEGISLATIVE ENVIRONMENT

The electric power industry is in the midst of a revolution driven largely by a mix of marketplace forces and Federal legislative and regulatory activity. An understanding of the legislative actions driving these changes in the U.S. electric power industry is vital to comprehending where these dynamic changes will lead.

The Federal Power Act of the 1950s laid a foundation for a self-sufficient, vertically integrated electric utility structure. The late 1960s and 1970s experienced the beginning periods of rapid inflation, higher nominal interest rates, and higher electricity rates. This resulted in the government-sponsored construction of expensive generation facilities. Later, the oil cartel collapse resulted in a glut of low-priced oil, inflation, and surging interest rates. All of these elements substantially increased the costs of these high-capacity generating plants, resulting in rapidly rising electrical rates. Congress recognized that the utility-owned generating facilities were increasing rates and harming economic growth, and responded by enacting legislation and encouraging electric utilities to develop alternative generation sources. A new class of generating firms, such as independent power producers (IPPs), single-asset generation companies, and utility-organized affiliated power producers, sprang into existence. Through these developments, the seeds for a free-market economy were being sown. While consumer-based rates helped to develop competitive bulk power markets, two issues remained: customer access to the transmission services and barriers hindering open access to third parties.

The Energy Policy Act of 1992 opened up power generation to competition while
leaving power transmission and distribution a regulated natural monopoly. In March 1995, FERC clarified the EPAC language by stating that all utilities under the commission's jurisdiction would be required to file nondiscriminatory open-access transmission tariffs available to all wholesale buyers and sellers of electric energy. Concurrently, FERC ruled that transmission owners and their affiliates did not have an unfair competitive advantage over the wholesale buyers and sellers in using transmission to sell power. This rule requires that public utilities obtain information about their transmission system for their own wholesale power transactions via an open access same-time information system (OASIS) available on the Internet.

In July 1996, in an effort to complete the deregulation of the power industry, Congress enacted the Electric Consumers' Power to Choose Act of 1996. The bill establishes federal mandates for all electric utilities, including electric cooperatives and municipal utilities, to provide retail choice to all classes of customers by December 15, 2000. After retail choice in a state has been established, state commissions would be prohibited from regulating the rates for retail electricity services. Reasonable and nondiscriminatory access to local distribution facilities would be provided on an unbundled basis to any supplier seeking to provide retail electricity service. These mandated government actions will soon provide consumers, generation and distribution firms, and power marketers open access to an unregulated electric power industry.

2.5 INDUSTRY TRENDS

The structure of the electric power industry is changing. The traditional attributes of the power industry, such as monopoly status, government ownership and government regulations, are yielding to free-market forces. The future of the U.S. power industry will be driven by competition, privatization and deregulation. Global competition, increasing customer demands, capital liquidity, the relatively low
price of natural gas, and environmental concerns are all driving forces that, when coupled with deregulation of the industry, will create great change. A number of key trends are affecting the use of networks and information systems in the power industry. These include the rise of IPPs, significant downsizing and restructuring, the advent of consumer choice, rate restructuring, and structural reorganization of access to transmission lines.

Transmission capacity is controlled by the investor-owned utilities. Under FERC order 888, transmission system operators must provide fair and equal access to their lines. A number of utilities view the creation of independent system operators (ISOs) as the answer to FERC order 888. ISOs would coordinate and schedule transmission service independently of electric companies to ensure fairness and promote reliable operations. ISOs would take over management of regional electric transmission grids owned by various electric companies, though the companies would continue to own their own parts of the regional grid.

Information technology will be the integrating force for many of the initiatives that utilities have undertaken to prepare for deregulation. To prepare for this new focus, industry organizations are successfully instituting standards and inter-utility protocols for the development of utility systems. The Utility Communications Architecture (UCA) and Database Access Integration Service (DAIS) have emerged as de facto industry communications and database protocols for data exchange. UCA and DAIS allow the development of more sophisticated and interoperable systems; however, the technical information about these open protocols will be available to a much larger population, and thereby to a much larger number of potential attackers.

[4] Silverman, "Electric Power: The Next Generation," Quarterly, January 1994.

The Telecommunications Act of 1996 also affects the power utilities by allowing public utilities to enter the telecommunications services market. The act allows public
utilities to enter the market so long as they do not subsidize their telecommunications activities with moneys from the power side of the business. Some utilities are already exploring using their private fiber optic networks to offer services ranging from cable TV to telephone service to leased lines.

The deregulation of the electric power industry will force the utilities to move farther and faster than ever before. The next 4 years hold considerable promise for the industry but also portend significant challenges and changes. To succeed, utilities must offer value-added services, optimize the efficiency of their power systems, and develop strong customer ties, an aggressive economic development plan, and a winning corporate culture.

2.6 PREVIOUS STUDIES

This assessment builds on several previous studies of the security of information systems and networks in the electric power industry. These previous studies include the Defense Advanced Research Projects Agency's (DARPA's) 1995 Defensive Information Warfare study, analysis of the security of the UCA and DAIS, the National Information Infrastructure risk assessment prepared by the Reliability and Vulnerability Working Group, and a study of electric power's dependence on information systems by the Air Force's Air Command and Staff College. In addition, investigations by the Joint Program Office on Special Technologies Countermeasures and the Office of the Secretary of Defense (OSD/Policy) into overall infrastructure vulnerabilities have addressed the security of electric power networks.

Although none of these studies were comprehensive, they have all reached similar conclusions. First and foremost, these independent studies appear to agree that the transition from proprietary systems to standardized systems based on well-known, unsecure protocols and architectures will greatly reduce the security of utility control systems. These studies also noted potentially worrisome trends such as the reduced skill levels of operations and maintenance personnel,
near universal minimal front-end security, and increased interconnectivity through the use of dial-in modem ports and the Internet. One report bluntly stated that data security is "negligible to non-existent." These studies also noted the inherent risk to the utilities resulting from single point-of-failure systems. None of the studies predicted any significant improvements in the near future, because tighter operational budgets and efforts to trim costs have made it difficult to justify security expenditures.

3.0 THREAT

This section addresses threats to the electric power grid. A threat is any circumstance or event with the potential to cause harm to a system in the form of destruction, disclosure, or modification of data, or denial of service. Generally speaking, threats can be placed into two broad categories: physical and electronic.

3.1 PHYSICAL THREAT

Despite the growing concern about cyberspace attacks, the physical destruction of utility infrastructure elements is still the predominant threat to electric utilities. Physical threats to the infrastructure elements of an electric power utility fall under the general categories of accidental and deliberate events. Natural emergencies are the most significant accidental physical event to affect a utility and are the single greatest cause of outages in the electric power system. However, the impact of natural hazards on the power grid is the most manageable, because utilities have years of experience with this threat and have designed facilities and infrastructure elements to minimize the impact of such events. Additionally, service providers design systems and operational procedures to allow them to respond to outages and restore service quickly. Most utilities have extensive experience with storms and other natural disasters and exercise their response systems periodically.

After natural hazards, deliberate physical attacks on utility infrastructure elements cause the most damage to the electric power grid. Transformers, microwave
communications towers, and transmission substations can often be found in isolated, unpopulated areas. These pieces of equipment have proven to be popular targets for vandals, criminals, ecological terrorists, and amateur sharpshooters. Every utility visited during the course of this risk assessment recounted anecdotes about teenagers breaking into substations, ecological terrorists blowing up or damaging towers supporting transmission lines, or bored hunters taking potshots at insulators, transformers, and lines. However, transmission and distribution infrastructure elements are not the only target for physical attack; as recently as February 1996, pipe bombs were used to attack a SCADA system at a hydroelectric plant in Oregon.

Footnote: Bureau of Alcohol, Tobacco and Firearms, Explosive Incident Listing file, March 199…

3.2 ELECTRONIC THREAT

The electric power industry does not acknowledge a single incident of a power outage caused by an electronic intrusion. However, a majority of utility members agree that an electronic attack capable of causing regional or widespread disruption lasting in excess of 24 hours is technically feasible. The source for such an attack could come from within the utility or from an external source.

3.2.1 Insider Threat

Insiders can be employees, contractors, or anyone else with legitimate access to system components and/or premises. Generally, insiders are granted varying degrees of access to the software and databases and may use legitimately or surreptitiously acquired computer access privileges to compromise them. The primary motives that drive an insider to exploit a system are usually financial gain or revenge. Electric utility personnel believe that alienated employees pose the most significant insider security threat to information systems. Considering that between 1986 and 1992 the number of employees working for electric utilities dropped from 529,664 (in 1986) to 506,063 (in 1992), there are significant numbers of potentially bitter former utility employees with system
knowledge who could attack the power grid. As evidence, a letter appeared in the hacker magazine Phrack in which the author claimed to be an employee of an electric utility in Texas. In the letter, the author claimed to know quite a bit about the systems and hinted that his knowledge would be helpful if someone wanted to attack a utility's systems.

Footnotes: EPRI Electronic Information Security Survey, Summer 1996. Moulton, Curtis, More Customers, Fewer Workers, Electric Perspectives, September …, pg. … Letter to the Editor, Phrack, April …

3.2.2 Outsider Threat

An outsider is anyone not legitimately associated with the system in question. Outsiders could be rival companies, criminal elements, or foreign national intelligence agencies. Examples include technical hackers motivated by the challenge; terrorist groups motivated to inflict damage to systems for a variety of political, ideological, or personal reasons; or rival companies seeking competitive information.

Until the passage of the Energy Policy Act, the Electric Consumers' Power to Choose Act, and the FERC rulings, most utilities operated as natural regulated monopolies. This has changed significantly, and utilities are now competing for customers, power, and transmission capacity. In this new competitive environment, rivals in the electric power market will have significantly more motivation to collect information through whatever means possible. As one respondent to the EPRI Electronic Information Security Survey said, "As the utility industry has been heavily regulated, many are naive to the potential risk of info security violations."

While there have been instances of hackers breaking into electric utilities' business and support systems, the utilities have not encountered the full-scale attacks that the telecommunications services providers have experienced. In the EPRI Electronic Information Security Survey, 35 percent of those polled were not aware of any breaches of information and control systems at any electric utility, and 60
percent were aware of only minor security breaches. This is not to say the hacker community has not tried to enter the utilities' systems; members of a radical environmental group were arrested for trying to hack into a data network. However, with industry deregulation the stakes are getting higher, perhaps high enough to attract more attention. Stanley Klein, an industry consultant, estimates that the profit at an energy derivative delivery point could be as high as $10 million a day, certainly enough to attract the attention of market manipulators and the intruder community.

Furthermore, if an outside organization had goals beyond financial gain, a structured electronic attack targeting the utility's operations systems could be a way to cause widespread disruption to a given geographic region. Organizations have used structured physical attacks on utility infrastructure elements around the world to achieve a variety of goals; a Department of Energy database records 10,200 incidents over the past 16 years. An organization with sufficient resources, such as a foreign intelligence service or a well-supported terrorist group, could conduct a structured attack on the electric power grid electronically, without having to set foot in the target nation and with a large degree of anonymity.

It is important to note that information systems do not just represent a way to directly attack the electric power grid. During the course of this study, many of the electric utility officials interviewed expressed a concern about the amount of information about their infrastructure elements that is readily available to the public. Utility officials felt that the information on the various FERC forms, which are currently available in the public reading room at FERC in Washington, DC and are posted on FERC electronic bulletin boards, would be of value in planning an attack on the power grid. Additionally, the information that FERC is requiring utilities to post on their OASIS nodes will further simplify the process of
target analysis. One utility official was asked to supply a Federal agency with a list of their top ten most vulnerable locations as part of an infrastructure study; the utility refused to supply the agency with the requested information.

Footnotes: Foreign Information …, Europe Edition #053, 23 March 1989. Klein, Stanley, Information Security Implications of FERC Orders 888 and 889 and Related Rulemaking, Stanley Klein Associates, August 15.

3.3 THREAT CONCLUSIONS

The electric power industry clearly recognizes and has considerable experience in dealing with the risks to the energy infrastructure from physical threats. However, the implications of electronic intrusions are less well understood. Given the limited experience with electronic attacks, government efforts to identify and scope these threats must be coordinated with an industry effort to identify and report intrusion incidents. A clear threat identification, combined with an infrastructure vulnerability assessment and guidelines for protection measures, is critical to stimulating effective response by individual utilities.

4.0 DETERRENTS

A deterrent is an attempt to prevent or discourage an action before it is initiated, generally through fear or doubt. The ability of law enforcement to investigate, prosecute, and convict is the principal deterrent to computer crime. Recent and pending legislation increases the jurisdiction of Federal, state, and local law enforcement authorities over attacks on electric power control systems. However, the lack of effective reporting mechanisms, inconsistent use of logins, passwords, and warning banners, and a low probability of being detected, caught, and prosecuted hinder effective deterrence of potential attackers.

The proposed National Information Infrastructure Protection Act (HR 4095) would greatly expand the jurisdiction of Federal law enforcement authorities over attacks against the computer systems of critical infrastructures such as electric power. In particular, the act would
- Broaden the jurisdiction of Section 1030 of Title 18 of the US Code from Federal interest computers to that of protected computers, which would include any computer used in interstate or foreign commerce or communication
- Expand the definition of damage to include any impairment to the integrity or availability of a system that threatens public health and safety or causes any loss over $5,000 in value

In addition, the recent passage of the Economic Espionage Act of 1996 increases the penalties related to improper disclosure of proprietary information, providing an improved deterrent against electronic intrusions aimed at gaining competitive advantage.

A number of factors tend to greatly reduce the effectiveness of deterrents. Most network and systems administrators lack efficient tools to detect intrusions reliably. Only 11.5% of the respondents to the information security survey reported use of any intrusion detection methods. Even when intrusions are detected, the majority of the organizations affected do not report these events. In a recent survey conducted jointly by the Computer Security Institute, the FBI, and the International Computer Crime Squad, less than … percent of the 423 respondents said that they would notify law enforcement if they thought they had been attacked. Most of the respondents (70 percent) said they feared negative publicity. Furthermore, more than 70 percent of the respondents do not have warning banners stating that computing activities may be monitored, hampering investigations because law enforcement officials would not likely be able to tap computers or prove trespassing. Use of shared logins and relatively weak passwords further complicates this situation for the electric power industry.

Footnote: Computer Study Finds Concern But Insufficient Action, Network Security Review, May 1996.

5.0 VULNERABILITIES

An organization's systems are most vulnerable at the point where the connectivity is the greatest and the access control is the weakest. Figure 5 depicts the electric power
generation, transmission, and distribution infrastructure with the supporting communications and control systems. If someone opted to attack the electric power grid electronically rather than physically, he or she would have several options to consider: the control center, the substation, and the communications infrastructure. The following sections address the nature of each vulnerability, any trends affecting the vulnerability, and likely avenues of attack.

Figure 5. Electric Power Infrastructure With Supporting Communications and Control Systems

5.1 CONTROL CENTER VULNERABILITIES

There is no standard control center system configuration; they range from isolated, mainframe-based systems developed in-house more than 20 years ago to off-the-shelf, commercially developed, networked Unix client/server systems. The industry trend is for utilities to procure standard vendor system products based on distributed client/server technology to reduce schedule risk and minimize project costs. They continue to use their private communications networks to support remote data acquisition, although the use of the public networks is increasing to interconnect corporate facilities, neighbor utilities, and the Internet. As seen in Figure 6, an electronic intruder may access the control center through several interfaces:

- Links to the corporate information system
- Links to other utilities or power pools
- Links to supporting vendors
- Remote maintenance and administration ports

The following paragraphs review the details of industry practices for each interface.

Figure 6. Typical Control Center Interfaces

5.1.1 Corporate MIS

Although not all utilities have an interface between the control center and the corporate information system, the distinct trend within the industry is to link
the systems to access control center data necessary for business purposes. One utility interviewed considered the business value of access to the data within the control center worth the risk of open connections between the control center and the corporate network. More common solutions used firewalls or masked subnet routing schemes to create a secure link between the corporate information system and the EMS. Current trends towards interconnectivity further increase the chances of an attack through the corporate network by providing more access routes into the corporate network. Internet connectivity, modem pools, and individual modems all can serve as points of access for an electronic intruder into the corporate system and subsequently into the EMS. Despite the protective measures taken to isolate the control center network from the corporate information system, the control systems are still vulnerable to an attack through the corporate system. Utility operations personnel interviewed believed that firewalls and dial-back modems were sufficient to protect their systems from intruders, and they were surprised to learn about the experiences of the telecommunications industry with hackers defeating these measures.

5.1.2 Other Utilities and Power Pools

Many utilities have links between their control room and the control centers of adjacent utilities and the regional power pool. Most of these links are one-way connections carrying system data that operators use to balance the load on the power grid, schedule transmission, compute economic dispatch, and perform security analysis. Application-level controls and proprietary protocols make these links difficult targets for an electronic attack. Several trends within the industry will increase the risk posed by these links. As the industry migrates to standard protocols, the pool of people with the knowledge to attack the system will grow significantly. The flurry of mergers resulting from deregulation of the industry further
creates a need for merger partners to communicate electronically, increasing exposure. The creation of ISOs will significantly increase the amount of traffic exchanged between the utilities and their ISO. In all likelihood this traffic will require two-way data flows. Furthermore, the information flowing between the organizations (line capacity and scheduling information) will have significant economic value and will enable a potential attacker to identify critical nodes in the transmission and distribution system. Disabling these links would not, however, cause any direct disruption of the power system.

Footnote: EPRI Electronic Information Security Survey, Summer 1996.

5.1.3 Supporting Vendors

As they move to client-server architectures, utilities are using more commercially developed software and are outsourcing the customization and maintenance of supporting applications. To support the installation, debugging, and ongoing maintenance of these new systems, utilities are providing remote access to manufacturers and integrators. Remote access is generally accomplished through a dial-in port on the system, although some utilities have dedicated links in place. These remote access links represent a potential point of access for an intruder. A representative of a major EMS manufacturer confirmed that all of his company's products with a dial-in port will allow the manufacturer's engineering staff to connect to the system to perform software updates and other maintenance functions. These products frequently share a simple password that has not been changed in years. One electric utility reported that an intruder accessed a chemistry-monitoring system in its nuclear division through a dedicated link between the system and its manufacturer. Once in the chemistry system, the intruder moved into the utility's nuclear engineering support network, accessed database entries, and altered audit logs to elude detection. Another utility increased access control on a dedicated line to a system integrator after it detected intrusion
attempts.

5.1.4 Remote Maintenance and Administration

Many utilities are allowing operations and information systems personnel to access systems remotely for after-hours support. Generally this is accomplished by configuring dial-up modems on the EMS network. Operations and support personnel can dial into the EMS network through these modem pools and log into the EMS system. Once in, they can assist in troubleshooting, perform system administration functions, and in some cases operate EMS applications. These dial-in links represent a point of access for electronic intruders. Although some utilities have taken measures to limit the operations that can be performed remotely, or have further strengthened access control with token-based authentication systems, other utilities have only minimal protective measures in place.

5.1.5 Impacts

Regardless of the access point, once in the control system network the intruder may crash the EMS. A knowledgeable intruder can employ other, more subtle options. For example, a sophisticated attacker could corrupt the databases, causing significant economic damage to the utility by disrupting billing operations. A knowledgeable intruder could issue false commands to the system, opening and closing relays, shutting down lines, and potentially affecting generation. An extremely knowledgeable attacker could manipulate the flow of data to the control center, causing the control center operators to respond to spurious indications. Fortunately, the technical skills and specific knowledge of an individual utility's applications and procedures limit this kind of attack to a very small number of potential attackers. Furthermore, most utilities can revert to manual coordination if all control center functions are lost; however, this is a costly measure for the utility.

5.2 SUBSTATION VULNERABILITIES

A substation serves as a clearinghouse for power as it is stepped down from the high voltages used to transmit the power across the service area and then directed to distribution
systems for delivery to residential and commercial customers. In an effort to provide higher service levels to customers and reduce staffing requirements, the electric power industry is automating substation operations with remote terminal units (RTUs) and a variety of intelligent electronic devices. An automated substation is depicted in Figure 7. Digital programmable breakers, switches, and relays are being produced by several manufacturers, and utilities are now using them in place of fixed or manually set devices. Both the RTUs and the new automated devices are susceptible to electronic attack.

5.2.1 Digital Programmable Devices

By dialing into a port on a digital breaker, a utility engineer can reset the device or select any of six levels of protection. An electronic intruder who could identify the telephone line serving such a device could dial into an unprotected port and reset the breaker to a higher level of tolerance than the device being protected by the breaker can withstand. By doing this it would be possible to physically destroy a given piece of equipment within a substation. The intruder could also set the device to be more sensitive than conditions for normal operations and cause the system to shut down for self-protection. Several of the utilities visited did not have any type of security or access control on these dial-in devices. In either case, utilities reported that such an intrusion, capable of a major impact, would result in no more than a minor alarm.

Figure 7. Typical Substation Interfaces

5.2.2 Remote Terminal Units

Besides collecting data for the control center, an RTU operates as a clearinghouse for control signals to transmission and distribution equipment. A number of utilities reported having maintenance ports on substation RTUs that can be remotely accessed through a dial-up modem, some without
even dial-back protection. An intruder could dial into this port and issue commands to the substation equipment or report spurious data back to the control center. Due to the highly networked nature of the power grid, knocking out an RTU can have a significant impact on any systems or customers served from the substation housing the RTU.

5.3 COMMUNICATIONS

Utilities rely on a mix of private microwave radio, private fiber, and the public networks for communications among control system elements. Any one of these mediums could be exploited in an electronic attack. In most cases an attack on the communications infrastructure alone would constitute a nuisance attack. In such an event, most utilities would equip personnel with cellular phones and mobile radios and dispatch them to key sites to report operating data back to the control center. However, an attack on the communications infrastructure in conjunction with an attack on the electric power control system was characterized by one utility official as a nightmare scenario. Restoring power would be extremely difficult and dangerous if all means of coordination between the control center and generation and transmission elements were lost.

5.3.1 Private Infrastructure Vulnerabilities

Microwave systems operating in the 2 and … gigahertz range and aerial or buried fiber optics make up the majority of private communications networks. Utilities view their private communications network as a key asset; several utilities stated that they would rather lose access to the public networks than to their private systems. In several cases utilities sell excess capacity on these networks to commercial carriers or plan to use these infrastructures to enter the telecommunications market. A utility's private communications infrastructure is nearly as vulnerable to intrusion and physical attack as the public network. Utilities reported instances of theft of voice services as well as the loss of voice and data service resulting from physical damage. One utility lost access to most
of its private fiber network when a truck knocked down a pole at a critical juncture in the system. Microwave communications can be intercepted or jammed quite easily. There are multiple sites on the Internet with directions for assembling an inexpensive microwave jamming unit. One utility interviewed was experiencing severe disruption of its microwave communications system, which it finally traced to frequency spillover from a cellular service provider. Despite all of this, utilities seem to believe that because their private systems are isolated from the public networks they are safe.

5.3.2 Public Infrastructure Vulnerabilities

Roughly a third of the electric utility control communications traffic is carried on the public network (PN). Most utilities use the PN to augment their private networks, in the form of redundant communications lines to key substations, in geographically remote regions, or in last-mile situations. Utilities appear to be aware of the threats to the PN and take risk mitigation measures on critical control links, such as requiring diverse routing in leased line contracts or providing for redundant transmission media. Several utilities reported that outages had isolated parts of their control networks and led them to increase private networking to key facilities. It is worth mentioning that the single greatest source of interdependence between the electric power infrastructure and the PN is in their use of common conveyances. In many cases public carriers lease spare conveyances or share transmission paths with utilities. In such a situation a physical attack is more likely to disrupt multiple infrastructures than an electronic attack would.

6.0 PROTECTION MEASURES

Electric utilities use a variety of mechanisms to protect the electric power grid from disruption. The most significant measure is a double contingency analysis system, which uses a real-time simulator to look for the two worst things that could happen to the grid at any instant and offers operators corrective actions to
consider and initiate. These security systems are powerful; however, the system does not look at elements beyond the power grid and is only as accurate as the data that it receives from the field. If the flow of this information from the field is cut off, the value of this system is reduced drastically.

Beyond actively monitoring the status of the power grid, most utilities have taken measures to guard their control centers and EMS systems from both physical attack and system failure. Practically all utilities have established back-up control centers, some collocated, others in separate facilities, that include uninterruptible power supplies and backup generators. Other utilities have installed completely redundant telecommunications facilities with their own telecommunications control center. In most cases, wherever the EMS interfaces with the outside world, utilities have installed dial-back modems and firewalls. Furthermore, most EMS systems support individual logins and passwords and have extensive alarms and event logs.

Organizationally, all utilities have a robust physical security department, and most utilities have some information systems security function to handle the information security requirements for corporate systems. The corporate information system security office, in conjunction with the internal auditing departments, will generally conduct or contract for security evaluations and audits of corporate systems. But these audits rarely extend into the operational elements of the utility, and few utilities have an equivalent information security function for their operational control systems.

In an effort to improve security, utilities reported that they are considering a variety of improvements:

- Conducting intensive security evaluations and audits
- Ensuring dial access control (modem security)
- Using existing security features
- Eliminating security holes
- Evaluating and deploying new security technologies
- Improving coordination between operations staff and corporate
information security staff
- Improving skills of the security staff
- Establishing security awareness programs

However, utility personnel consistently stated that such investments were difficult to sell to senior managers, who were often unaware of or skeptical of the risks to their information systems. Many expressed concern that reduced operating margins would further threaten their ability to implement effective security. Forty percent of the respondents to the Summer 1996 Electronic Information Security Survey believed that internal priorities in a competitive environment were the most significant obstacle to maintaining a high level of information security.

7.0 POTENTIAL IMPACTS

The electric power grid is a complex, highly networked entity whose elements are highly interdependent. A consequence of the highly networked power grid is the potential for a cascading power failure. When transmission capacity is unexpectedly lost, generation must immediately be taken off-line; otherwise the generator's output will reroute and overload remaining transmission lines. This creates voltage oscillations that will ripple through the power grid. Unless corrective action is taken, these oscillations can pull down significant portions of the electric power grid. The largest instance of such a widespread event was the famous New York blackout of November 9, 1965, which knocked out power for up to 13 hours and affected 30 million people in eight States and Canada. More recently, on July 2, 1996, a cascading power failure in the Western Interconnect region affected 2 million customers in … States, Canada, and Mexico. Most customers had power restored within 30 minutes, but some did not regain service for over 6 hours. This situation was repeated on August 10, 1996, when all major transmission lines between Oregon and California were dropped. This outage affected 5.6 million users for up to … hours in 10 western States (see Figure 8). Even regional outages can have wide-ranging effects. On May 14, 1996, an improper setting on a
high-voltage circuit breaker at a single substation resulted in an 8-hour blackout affecting 290,000 customers through southern Delaware and across the eastern shores of Maryland and Virginia. Michael Conte, an economist at Towson State University, estimated the loss for regional businesses to be as high as $30.8 million.

Figure 8. Effects of August 1996 Western Outage

These outages illustrate the tremendous effects a disruption of the electric power system can have on a given region. Significant portions of the US economy and infrastructure are dependent on electric power, including (and certainly not limited to) transportation, financial services, health care, and telecommunications services. While many facilities have back-up generators, these systems are not foolproof and in many cases are not exercised on a regular basis. During these aforementioned outages, traffic lights stopped working, flight operations were suspended, schools were closed, and nuclear reactors were shut down. In addition, a sewage treatment plant released six million gallons of sewage into the Pacific when electrically powered pumps stopped working.

Critical node analysis combined with an attack on poorly protected elements of substation automation systems can achieve effects equivalent to these recent outages. More than 50 percent of the electric utility personnel who responded to the EPRI Survey believed that an intruder in the information and control systems at an electric utility could cause serious impact on or beyond the region for more than 24 hours. Open sources, including FERC filings, electric industry publications, regional maps, and the Internet, would provide enough information to identify the most heavily loaded transmission lines and most critical substations in the power grid. Relatively simple hacking
techniques could then be used to locate dial-in ports to these points and modify settings to trigger an outage. Only a detailed review of logs or the elimination of all other factors would lead to the detection of such an attack.

Footnote: Humphrey, Theresa, Power Outage Darkens Delmarva Peninsula, The …, May 29.

8.0 CONCLUSIONS

The Electric Power Risk Assessment subgroup found no evidence of power outages attributed to deliberate electronic intrusion into utility control systems. The greatest risk facing the electric power infrastructure of the United States remains physical damage and destruction. Compared to the threat posed by natural disasters and physical attacks on electric power infrastructure elements, electronic intrusion represents an emerging but still relatively minor threat. However, changes within the electric power industry and in technology are increasing the risk posed by electronic intrusion.

As detailed in the preceding sections, the security of electric power control networks and information systems varies widely from utility to utility. In general, though, three trends will increase the exposure of electric power control networks to attacks and raise the probability of disruptions due to electronic intrusions.

First, the shift from mainframe-based control applications relying on proprietary communications protocols to client-server applications using the Utility Control Architecture or other publicly documented protocols built on the transmission control protocol/internet protocol (TCP/IP) expands the population of attackers with sufficient technical knowledge to attack these systems. This migration to client-server applications also introduces a potential for extended disruptions as the complexity of interactions continues to outpace the skills and tools of systems administrators.

Second, the pressures to downsize, streamline, automate, and cut costs resulting from increased competition in the wholesale and eventually retail power market will drive utilities to rely even more on
remote automation, administration, and maintenance; on outside contractors for applications development and support; and on internetworking of control systems with corporate networks. Without a clear business case to support investments in information security, the relatively immature level of information assurance within the industry is likely to continue.

Third, the requirement to provide open access to transmission system information dictated under FERC Orders 888 and 889 introduces two new sources of exposure to attack: the interface to the OASIS host and new links required for the separate power marketing effort. Having to post transmission system information on a World Wide Web server connected to the Internet requires utilities to establish some kind of interface between their EMS and the Internet. Although in all known cases this will be an indirect connection controlled with firewalls, screened subnets, or proxy servers, the individual utility's interface to its OASIS host creates a new and significant point of exposure. Apart from insider attacks, the Internet is the greatest potential source of information system attacks. Utilities are in many cases relatively new to Unix and security, and the short time given for activating an OASIS site increases the opportunity for vulnerabilities to be introduced in the rush to meet FERC's deadline.

These rulemakings are forcing utilities to separate power marketing from transmission system management. These functions were formerly integrated and operated on the unquestioned principle that system reliability always took precedence over economic profit. The procedures for resolving system problems between utilities were relatively informal, which was understandable given the consistency of operating philosophies and exposure to risk of the players involved. At the information systems level, the separation of these functions is forcing utilities to disconnect networks and applications, often in the midst of already ongoing redesign
efforts Under great pressure to meet deadlines and costs information systems staffs may resort to workarounds that could ultimately introduce major vulnerabilities At the operational level it is not clear that the industry will be able to maintain the principles and procedures that have guided it for the past 30 years Today utilities resolve imbalances of generation load and transmission system capacity on a relatively informal basis relying on phone ecordinat ion and recognized rules of conduct in the new OASIS environment this arrangement may not suf ce especially when transmission system operators may begin driving their lines further towards capacity At the industry level these rulemakings will certainly lead to a major restructuring as terttcaily integrated utilities spin off functional elements and a new set of players power marketers independent system operators derivatives traders retail power resellers develops The interactions ofthese businesses create new and unforeseen tensions tnotivat ions and risks With vertically integrated utilities the responsibility for the reliability of electric power was clear The responsibility for reliability in a restructured industry is for the moment largely theoretical In sum these trends suggest that in the future the electric power industry and its infrastructure will become more complex and networks and information systems will play a major role in how individual utilities deal with the new business environment As a result electric power control networks will be exposed to a considerably wider range of attacks and potential attackers Although the probability ofa nationwide disruption of electric power through electronic intrusion will remain extremely low for any but a major structured attack short-term disruptions up to the regional level may become easier to achieve unless appropriate precautions are taken 3 9 0 RECOMMENDATIONS The recommendations of this study are directed toward three different groups the 
President the p0wer industry and the NSTAC Each set of recommendations is further organized into three categories that reflect increasing levels of maturity in a program of information assurance Awareness - Information sharing - Mechanisms for prevention detection response and restoration Before effective mechanisms for'coordinating information assurance activities between and industry can be established there must be a consensus on the threats risks technical issues business censiderations legal constraints and other factors IIlH ll i'ULl This consensus cannot be established ifthe two parties disagree on whether a problem exists in the first place For that reason the recommemanons aimed at increasing awareness of network and information systems security should be given first priority RECOMMENDATIONS TO THE PRESIDENT 9 1 1 Awareness The President sht'iuld consider assigning to the appropriate Department er Agency the mission to develop and conduct an ongoing program within the electric pou er industry to identify the threat and increase the awareness of vulnerabilitiea and available or emerging solutions The prOgrarn should be coordinated with other Departments Agencies and advisory groups as appropriate to insure completeness and to maximize effectiveness 9 1 2 Information Sharing The President should consider establishing an NSTAC-liite advisory comn uttee to_enhancc industry-Government cooperation in light ofsigni cant regulatory changes affecting power generation transmission and distribution and the critical importance of electric power to National and Economic security the gavernment and its eituenry The committee should advise the head of the Department or Agency assigned the lead role for National Security and Emergency Preparedness protection of the national electric power infrastructure Such an advisory committee could perform a number of functions to include the following Provide informatioa on factors affecting the reliability of the electric power 
infrastructure 1 - Provide the means for sharing information between Government and industry on potential electric power system faults vulnerabilities and protection measures - Provide a forum for reconunending Government support activities to help ensure a highly reliable and available nationwide electric power capability Review existing or proposed legislation and advise the Government on the potential NSEP irnplications for the electric power infrastructure 9 1 3 Mechanisms for Prevention Detection Response and Restoration The Government should provide threat information and consider providing incentives for industry to work with government to develop and deploy appropriate security features for the electric power industry 9 2 RECOMMENDATIONS TO THE POWER INDUSTRY A wareness Electric power associations executive bodies and individual organizations need to promote information systems security within the industry as a whole With industry restructuring and the interoperability and networks a lack of security in one element ofthe electric power industry could likely impact other providers or power transporters 9 2 2 information Sharing Electric power associations should establish procedures for sharing sensitive information among member companies This sensitive information might include threat and vulnerabilities data security processes procedures tools and techniques and lessons learned 9 2 3 Mechanisms for Prevention Detection Response and Restoration A secure network communications and computing environment will be important to the continued reliability of the electric power infrastrueture Security needs to be considered in communications and systems architectures and standards in products that are purchased and in employee methods procedures and training Additionally industry should consider establishing an electronic incident reporting and clearing function for electronic intrusions similar to what is already done for power outages and physical attacks 33 9 3 
TO THE NSTAC 9 3 1 Awareness The NSTAC should reach out to the electric power industry and offer its support expertise and assistance in establishing an NSTAC-lilte capability NSTAC should share past reports and recommendations to the President prO t'lLlC advice on lessons learned throughout its tenure and perhaps sponsor meetings to discuss common concerns 9 3 2 Information Sharing The NSTAC should invite representatives ofthe electric poster industry to part icipaie in open activities of the Network Security Information Exchange and appropriate meetings of the Information Assurance Task Force In addition NHTAC should actively foster opportunities for the exchange of information on protection technologies attack trends assurance programs and other aspects of information security with industry assocmtions 9 3 3 Mechanisms for Prevention Detection Response and Restoration The NSTAC should consider the needs ot the electric power control networks in its insesligations of tntrusion detection indications and warnings coordination mechanisms and other elements of infrastructure assurance Proprietary Information if if Telecommunications i Infrastructure An Information Brief to the 8 April 1997 Benz-Allen 8 Hamilton Inc I Proprietary in rmmiiou Purpose - Provide an understanding of basic telecommunications infrastructure Establish a common vocabulary Overview system critical dependacies - Present an example of critcal node analysis Hoax-Allen 8 Hamilton Inc Proprietary lry'ommtiun The Telecommunication System Am - Ma or InlerExchan Carriers lnterExchange 9 Nehuork I Sprint - WilTel IEC Point of Presence I Major Local Exchange Carriers Local - Regional Bell Exchanne Operating Companies - - GTE Customer Premises Equipment I l d p danla Major systems each of the carriers utilize in delivering service to the customers Benz-Alien 8 Hamilton Inc Proprietary Infumml iun Switching Systems - Switches provide one of three basic functions Signaling monitor line activity and send 
information to control functions
  - Control: process signaling information and set up connections
  - Switching: make connections between input and output lines

Local Exchange Elements
- End offices (EOs)
  - Connect all telephones through the local loop
  - Provide dial tone
  - Switch calls between telephones and outgoing trunks
- Trunks
  - Provide connections between telephone equipment
- Tandems
  - Switch calls between trunks
  - Telephones can not be directly connected to tandems

Local Exchange Equipment (diagram): end offices, remotes and tandems connected by trunks; quantities shown on the slide: 9,000 and 1,000.

InterExchange Equipment (diagram): POPs (500 per carrier) and switches (50 - 150 per carrier).

InterExchange Elements
- Points-of-presence (POPs): An IEC facility where traffic is handed off between LECs and IECs
- IEC switch
  - Routes calls through the IEC network
  - Communicates with other switches (signaling)
  - Creates billing records
  - Performs customer validation, number translation and collects statistics

Signaling Functions
- Supervisory signals convey status or control network elements
  - Request for service (off-hook)
  - Ready to receive address (dial tone)
  - Call alerting (ringing)
  - Call termination (on-hook)
  - Request for operator (hook flash)
  - Network or called party busy (busy tone)
- Information bearing signals
  - Called party address (called number)
  - Calling party address (calling party number)
  - Toll charges
- There are also supervisory and bearing signals for network control and maintenance
  - Maintenance test signals
  - Equipment failures
  - All trunks busy
  - Routing and flow control information

SS7 Networks (diagram of LEC switches, STPs and SS7 links)

Signaling - SS7
- SS7 networks are high speed (56 or 64 kbps) packet-switched networks that overlay the carriers' circuit-switched networks
- 3 types of signaling nodes perform unique functions in the network
  - Signal transfer point (STP): Packet switches that route signals through the SS7 network
  - Signal switching point (SSP): The interface between the circuit-switched and SS7 networks; collocated with a circuit switch; connects to a minimum of 2 STPs
  - Signal control point (SCP): Databases that perform special translation and advanced network services
- SS7 networks are engineered to a downtime of no more than 3 minutes per year

Transmission Systems
- A link is a direct physical connection between two nodes using a single propagation medium. The medium may be line-of-sight microwave, satellite, copper cable or fiber optic cable
- Routing rules are the instructions or steps for selecting the optimal circuit path on which to transfer traffic from one destination to another. Routing rules establish logical paths between network nodes by using one or more nodes in tandem

Transmission - Long Haul Routes (map)

Network Management
- Network management principles
  - Keep all circuits filled with successful calls
  - Utilize available circuits
  - Give priority to calls requiring a minimum number of circuits to form a connection when all circuits are in use
  - Inhibit switching congestion
- Network management controls
  - Expansive: effect of expanding the network
  - Protective: remove traffic from the network
- Examples of some control descriptions include

Logical View of the Network
- Logical layer: calls and services
- Physical layer: transmission and

Impact of Facility Failures (physical network vs. logical network)
- Low physical connectivity: high impact on the logical network
- High physical connectivity: low impact on the logical network
- Trunk diversity: low impact on the logical network
- Impact of a physical failure on logical connectivity depends on the underlying architecture.
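The relationship between the physical and logical layers described on these slides can be made concrete with a small model. The following Python is an added example, not part of the Booz-Allen briefing; the facility names, the switch pairs and the trunk-to-cable assignments are constructed. It maps each logical trunk group onto the cables it rides, fails one cable at a time, and reports which switch pairs lose all of their trunks, first with every trunk group routed through a single tandem (low physical connectivity) and then with a second, physically disjoint trunk group per pair (trunk diversity).

```python
"""Added example (not from the briefing): how a single facility failure propagates
from the physical layer to the logical trunk layer. The network and the trunk
assignments below are constructed."""

# Constructed physical layer: cable -> the two sites it connects
FACILITIES = {
    "cable-1": ("EO-A", "TANDEM"),
    "cable-2": ("EO-B", "TANDEM"),
    "cable-3": ("EO-C", "TANDEM"),
    "cable-4": ("EO-A", "EO-B"),   # alternate physical routes
    "cable-5": ("EO-B", "EO-C"),
}

# Logical layer: switch pair -> trunk groups, each listed as the cables it rides on.
# Low physical connectivity: every trunk group is routed through the tandem cables.
TRUNKS_LOW_DIVERSITY = {
    ("EO-A", "EO-B"): [["cable-1", "cable-2"]],
    ("EO-B", "EO-C"): [["cable-2", "cable-3"]],
    ("EO-A", "EO-C"): [["cable-1", "cable-3"]],
}
# Trunk diversity: each pair also has a trunk group on a physically disjoint path.
TRUNKS_DIVERSE = {
    ("EO-A", "EO-B"): [["cable-1", "cable-2"], ["cable-4"]],
    ("EO-B", "EO-C"): [["cable-2", "cable-3"], ["cable-5"]],
    ("EO-A", "EO-C"): [["cable-1", "cable-3"], ["cable-4", "cable-5"]],
}


def isolated_pairs(trunks, failed_cable):
    """Switch pairs whose every trunk group rides the failed cable, i.e. pairs that
    lose logical connectivity when that one facility is cut."""
    return sorted(pair for pair, groups in trunks.items()
                  if all(failed_cable in group for group in groups))


def impact_report(trunks):
    """Number of logical switch pairs isolated by each single-cable failure."""
    return {cable: len(isolated_pairs(trunks, cable)) for cable in FACILITIES}


def worst_case(trunks):
    """Largest number of pairs any single facility failure can isolate."""
    return max(impact_report(trunks).values())


if __name__ == "__main__":
    for name, trunks in (("low diversity", TRUNKS_LOW_DIVERSITY), ("diverse", TRUNKS_DIVERSE)):
        print(name, impact_report(trunks), "worst case:", worst_case(trunks))
```

With the single-tandem assignment, cutting any tandem cable isolates two of the three switch pairs; with a disjoint second trunk group per pair, no single cable cut isolates any pair, which is the slide's point that the impact of a physical failure depends on the underlying architecture.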
Techniques Used to Achieve Network Reliability
- Automatic Protection Switching
- Dual Homing
- Self-Healing Rings
- Reconfigurable Digital Cross-connects
- Adaptive Bandwidth Management Schemes (PSN, ATM)

Multiple Layers of Network Reliability
- Services layer (logical): associates resources according to service needs; manages congestion/contention among services
- Switched layer: reliability achieved by redistributing call flows on trunk capacity
- Cross-connect layer (physical/logical): reliability achieved by reallocation of spare capacity
- Facilities layer (physical): reliability achieved by facility diversification and channel reallocation

Network Management Systems
  Mechanism   Basis                       Description              Network Examples
  SONET       Protocol based              Alternate path
  FASTAR      Physical (cable cut) based  Digital cross-connect
  RTNR        Switching based             Direct path

Evolution of the PSN
- The U.S. telecommunications industry has been subject to regulation since its beginning
- Government regulations are created and implemented by
  - Federal Communications Commission
  - State Public Service Commissions
  - Courts and Congress
- The most significant event affecting the current structure of the telecom industry was the Modified Final Judgement (MFJ)
  - AT&T was a monopoly that controlled the majority of the local and long distance markets
  - Long distance providers and equipment manufacturers demanded changes in the way AT&T did business
    - Equal access to the PSN
    - Elimination of monopolistic pricing by AT&T

PSN Structure - Post-divestiture PSN
- The MFJ established rules and regulations concerning deregulation and divestiture of AT&T and the Bell System
- Created network partitions
  - Inter-exchange carriers (IECs)
  - Local exchange carriers (LECs)
- Established local access and transport areas (LATAs)
  - LECs carry intra-LATA (within a LATA) traffic
  - IECs carry inter-LATA (between LATAs) traffic
- Established equal access for all IECs
  - Each IEC can have one POP in each LATA
  - Connection for each IEC identical in type, price and quality
  - Required that connections between a POP and EO have at most one intermediate switch

PSN Structure - Post-divestiture PSN Topology (diagram of IEC and LEC elements). NOTE: POPs are usually collocated with a network element (EO, AT or switch).

PSN Structure - Telecommunications Law of 1996
- The Telecommunications Law of 1996 will change the structure of the telecom industry by allowing more competition and removing regulatory barriers between market segments
- Among its many provisions the Law will
  - Allow the RBOCs to enter the long distance market
  - Allow competition in the local exchange
- In anticipation of sweeping telecom reform many companies have announced plans to merge or divest divisions to become more competitive
  - AT&T has split into three separate companies
  - Sprint aligned with three cable TV companies to develop a nationwide PCS system and spun off its cellular holdings
  - US West issued separate classes of stock for its core local exchange business and its media and cellular properties

Analysis Methodology
- To determine critical telecom assets and facilities two approaches are used
  - Critical Asset Analysis
  - Coverage Area Analysis
- The critical asset analysis identifies key nodes (EOs, ATs) that are essential for network connectivity
- The coverage area analysis identifies the regions served by key nodes

Critical Asset Analysis
- Acquire data for telephones at the critical location
  - Area Code (NPA)
  - Exchange (COC)
- Identify the telecommunications facility that serves the critical location
  - End office (EO) or remote (REM)
- Specify the LEC homing arrangements
  - Access tandem (AT)
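The critical asset analysis above (NPA-COC to serving end office or remote, then to the access tandem it homes on) can be carried through in code, and the same homing data also yields the footprint of exchanges that share that tandem and the outer perimeter of the customers they serve, which is the dependency picture a continuity planner needs for a critical site. The following Python is an added example and not part of the briefing; the exchange codes, facility names, homing arrangements and customer coordinates are constructed, and tracing the perimeter with a convex hull (Andrew's monotone chain) is an assumption about how the analysis would be implemented.

```python
"""Added example (not from the briefing): critical asset and coverage area analysis
for a critical telephone location. All exchanges, facilities, homing arrangements
and customer coordinates below are constructed."""

# Constructed LEC data: (NPA, COC) -> serving facility (end office or remote)
EXCHANGE_TO_FACILITY = {
    ("703", "555"): "EO-Arlington",
    ("703", "556"): "REM-Rosslyn",    # a remote hosted by EO-Arlington
    ("703", "557"): "EO-McLean",
    ("703", "558"): "EO-Fairfax",
    ("571", "559"): "EO-Reston",
}
REMOTE_HOST_EO = {"REM-Rosslyn": "EO-Arlington"}
# LEC homing arrangements: end office -> access tandem
EO_TO_ACCESS_TANDEM = {
    "EO-Arlington": "AT-North",
    "EO-McLean": "AT-North",
    "EO-Fairfax": "AT-North",
    "EO-Reston": "AT-West",
}
# Constructed customer records: (NPA, COC, latitude, longitude)
CUSTOMERS = [
    ("703", "555", 38.88, -77.10),
    ("703", "555", 38.87, -77.08),
    ("703", "556", 38.90, -77.07),
    ("703", "557", 38.93, -77.18),
    ("703", "557", 38.95, -77.16),
    ("703", "558", 38.85, -77.30),
    ("703", "558", 38.83, -77.27),
    ("571", "559", 38.96, -77.35),   # homes on AT-West, so outside the footprint
]


def critical_asset(npa, coc):
    """Critical asset analysis: serving facility, host end office, access tandem."""
    facility = EXCHANGE_TO_FACILITY[(npa, coc)]
    end_office = REMOTE_HOST_EO.get(facility, facility)   # a REM depends on its host EO
    return {"facility": facility, "end_office": end_office,
            "access_tandem": EO_TO_ACCESS_TANDEM[end_office]}


def convex_hull(points):
    """Andrew's monotone chain (assumed method for 'trace outer perimeter').
    Points are (x, y) tuples; returns hull vertices in counter-clockwise order."""
    pts = sorted(set(points))
    if len(pts) <= 2:
        return pts

    def cross(o, a, b):
        return (a[0] - o[0]) * (b[1] - o[1]) - (a[1] - o[1]) * (b[0] - o[0])

    lower, upper = [], []
    for p in pts:
        while len(lower) >= 2 and cross(lower[-2], lower[-1], p) <= 0:
            lower.pop()
        lower.append(p)
    for p in reversed(pts):
        while len(upper) >= 2 and cross(upper[-2], upper[-1], p) <= 0:
            upper.pop()
        upper.append(p)
    return lower[:-1] + upper[:-1]


def coverage_area(npa, coc):
    """Coverage area analysis for the critical location served by (npa, coc)."""
    asset = critical_asset(npa, coc)
    tandem = asset["access_tandem"]
    # Other end offices homing on the same access tandem share its fate.
    dependent_eos = sorted(eo for eo, at in EO_TO_ACCESS_TANDEM.items() if at == tandem)
    # Every NPA-COC served by those end offices (remotes resolve to their host EO).
    npa_cocs = sorted(ex for ex, fac in EXCHANGE_TO_FACILITY.items()
                      if REMOTE_HOST_EO.get(fac, fac) in dependent_eos)
    # Plot the customers with those NPA-COCs and trace the outer perimeter.
    points = [(lon, lat) for n, c, lat, lon in CUSTOMERS if (n, c) in npa_cocs]
    return {**asset, "dependent_eos": dependent_eos, "npa_cocs": npa_cocs,
            "customer_count": len(points), "perimeter": convex_hull(points)}


if __name__ == "__main__":
    area = coverage_area("703", "556")
    print(f"Critical site: {area['facility']} -> {area['end_office']} -> {area['access_tandem']}")
    print(f"Exchanges sharing that tandem: {area['npa_cocs']}")
    print(f"Coverage perimeter (lon, lat): {area['perimeter']}")
```

Running it for the constructed remote shows the chain of dependence (remote, host end office, access tandem), the three end offices and four exchanges that would be affected together, and the polygon enclosing their customers; the exchange homing on the other tandem is correctly left outside the footprint.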
Coverage Area Analysis
- Identify the AT serving the critical EO
- Identify other EOs served by the critical AT
- Identify all NPA-COCs served by these EOs
- Plot latitude-longitude coordinates of all customers with these NPA-COCs
- Trace the outer perimeter of these points

Analysis Methodology Results (map)

NATIONAL COMMUNICATIONS SYSTEM
Plans, Customer Service and Information Assurance Division
FEB

MEMORANDUM FOR NETWORK SECURITY INFORMATION EXCHANGE MEMBERS

SUBJECT: Internet/Public Switched Network (PSN) Interconnectivity and Vulnerability Report

1. The subject document is enclosed for your information and use. The purpose of this report is to provide an understanding of how the Internet uses and relies on the PSN. In addition, a rudimentary analysis was begun to identify key components used for transmitting Internet traffic.

2. The Internet is having a profound impact on how America conducts everyday business in both the public and private sector. The exponential growth in traffic and users has fostered the concept of the Internet as the ubiquitous tool for sharing information. However, the accessibility and availability of the Internet depend on a physical infrastructure of software, routers and transmission media. It is commonly perceived that the Internet and the public telephone networks in the U.S. are two separate and distinct systems. While this is true to a certain extent, most modern data networks, including many leased government Internet Protocol (IP)-based networks, rely on the traditional commercial carriers to transport their traffic.

3. The Office of the Manager, National Communications System (OMNCS), as well as other government organizations, is beginning to assess the impact of the Internet on its operations and planning, particularly as it affects national security and emergency preparedness (NS/EP). This report describes the evolution and current operation of the Internet and begins to evaluate potential vulnerabilities that may hinder Internet reliability, security and availability. The OMNCS will continue to analyze the impact of the Internet on telecommunications.

4. Questions or comments on this document should be referred to Mr. James Kerr, NCS Information Assurance Branch, at (703) 607-6133 or through E-mail at kerrj@ncs.gov.

DIANE FOUNTAINE
Deputy Manager

1 Enclosure a/s

INTERNET/PSN INTERCONNECTIVITY AND VULNERABILITY REPORT
December 1996
Office of the Manager, National Communications System
701 South Courthouse Road, Arlington, VA 22204-2198

Prepared by Booz Allen and Hamilton, 8283 Greensboro Drive, McLean, VA 22102
Prepared for Office of the Manager, National Communications System
Under Contract DCA100-95-C-0113, Optional Task Orders: NS/EP Telecommunications Performance Analysis Task, Network Security Support
CDRL Item L001, Internet/PSN Interconnectivity and Vulnerability Report

CDRL section                                          Report element
Section 3.2.5 Contents                                Table of Contents
Section 3.2.6 Figures and Tables                      List of Exhibits
Section 3.2.9 Symbols, Abbreviations and Acronyms     List of Acronyms
Sections 3.3.1 - 3.3.6 Summary and Body               Sections 1 - 5
References                                            References

TABLE OF CONTENTS

EXECUTIVE SUMMARY
1 INTRODUCTION
  1.1 BACKGROUND
  1.2 SCOPE
  1.3 ORGANIZATION
2 HISTORY OF THE INTERNET
3 INTERNET DEFINITION
  3.1 INTERNET SERVICE PROVIDERS
    3.1.1 National Service Providers
    3.1.2 Regional Service Providers
    3.1.3 Resellers
  3.2 INTEREXCHANGE POINTS
    3.2.1 IXP Functionality and Architecture
    3.2.2 IXP Peering Agreements
    3.2.3 National-scope IXP Architecture Example
    3.2.4 Metropolitan IXP Architecture Example
  3.3 INTERNET ROUTING PROTOCOLS
    3.3.1 Routing Information Protocol
    3.3.2 Open Shortest Path First
    3.3.3 Border Gateway Protocol Version 4
  3.4 INTERNET ACCESS
    3.4.2 Residential Access
4 INTERNET ANALYSIS
  4.1 INTERNET ANALYSIS TOOL FUNCTIONALITY
  4.2 INTERNET ANALYSIS TOOL IMPLEMENTATION
  4.3 INTERNET ANALYSIS RESULTS
    4.3.1 Internet Analysis Methodology
    4.3.2 Internet Analysis
5 VULNERABILITIES
  5.1 INTERNET SERVICE PROVIDERS
    5.1.1 National Service Providers
    5.1.2 Regional Service Providers
    5.1.3 Resellers
  5.2 INTEREXCHANGE POINTS
  5.3 INTERNET ACCESS
APPENDIX A
APPENDIX B
LIST OF ACRONYMS
REFERENCES

LIST OF EXHIBITS

Exhibit 2-1 Internet Timeline
Exhibit 2-2 Original NSFNET
Exhibit 2-3 NSFNET Three Tier Infrastructure 1986-1995
Exhibit 2-4 1988 T1 Backbone
Exhibit 2-5 1992 T3 NSFNET Backbone
Exhibit 2-6 The National Science Foundation vBNS Network
Exhibit 2-7 Countries and Networks Connected to NSFNET as of April 1995
Exhibit 3-1 Representative NSP Backbone Network
Exhibit 3-2 NorthWestNet Backbone Network
Exhibit 3-3 Backbone Network
Exhibit 3-4 Selected Major IXP Locations
Exhibit 3-5 Typical National-scope IXP Configurations
Exhibit 3-6 PacBell San Francisco NAP Hybrid
Exhibit 3-7 Analog Modem and ISDN Characteristics
Exhibit 3-8 Asymmetric Internet Access Characteristics
Exhibit 4-1 Sample Output From the IAT
Exhibit 4-2 IAT Site Locations
Exhibit 4-3 Internet Analysis Methodology
Exhibit 4-4 Status of IAT Traces
Exhibit 4-5 Categorization of Unsuccessful IAT Traces
Exhibit 4-6 Average Round Trip Time Versus Time of Day
Exhibit 4-7 Typical Traffic Patterns at
Exhibit 4-8 Typical Traffic Patterns at MAE-WEST
Exhibit 4-9 Average Number of Hops Versus Time of Day
Exhibit 4-10 Top 50 Routers' Normalized Frequency of Use
Exhibit 4-11 Normalized Frequency of ISP Network Use
Exhibit 4-12 Booz-Allen's Critical ISP Networks
Exhibit 4-13 Proxima's Critical ISP Networks
Exhibit 4-14 Shared Critical ISP Networks
Exhibit 5-1 PN Three Tier Restoration Architecture
Exhibit 5-2 Internet Architecture Vulnerabilities

EXECUTIVE SUMMARY

Background

The Office of the Manager, National Communications System (OMNCS) performs a broad range of activities in fulfilling its mission. These activities include analyzing communications networks that support national security and emergency preparedness (NS/EP) communications. As more businesses, government organizations and the public use the Internet for their daily activities, it has become more important for the OMNCS and its constituents to understand the operation of the Internet and its dependence on the existing communications infrastructure.

The phenomenal growth of the Internet has been one of the most significant technological events of the last several years. As an instrument for sharing and distributing information, the Internet will be judged one of the major milestones of the latter part of the 20th century. The exponential growth in Internet traffic has fostered the concept of the Internet as the ubiquitous tool for sharing information. However, the accessibility and availability of the Internet depend on a physical infrastructure of software, routers and transmission media. It is commonly perceived that the Internet and the public telephone networks in the United States are two separate and distinct systems. Although this is true to a certain extent, most data networks, including the Internet, rely on the public networks (PN) to transport their traffic.

Internet Definition

At the highest level, the current Internet consists of multiple national and regional Internet Service Providers (ISPs) and interconnection points where the ISPs meet and exchange traffic. This infrastructure is similar to that of the old National Science Foundation (NSF) network (NSFNET), which consisted of a three-tier structure:
- Backbone network
- Regional networks
- Local campus networks

The NSFNET was decommissioned in 1995. In its place are multiple nationwide networks similar to the original NSFNET backbone network. Regional networks still aggregate their traffic and hand it off to the nationwide backbone networks to which they are connected. Interexchange points (IXPs) are located nationwide to facilitate the exchange of traffic between national and regional ISPs.

National Service Providers (NSPs) provide national backbone service. This type of service provider owns or leases its own backbone network and has a nationwide customer base. Additionally, NSPs are generally connected to all the major IXPs and have peering agreements with other major NSPs at these exchange points. Traffic originating with a customer on an NSP that is destined for a customer on another NSP is transferred from the originating network to the terminating NSP's network at an IXP.

Regional Service Providers (RSPs) are similar to the NSPs in that they own or lease their backbone network, but they are much smaller in scale. Their networks encompass a single region and usually have a regional customer base. RSPs have peering agreements with NSPs to transfer traffic over the Internet. RSPs either connect directly to the NSP or connect to an IXP where they transfer traffic to the NSP network.

With the dissolution of the NSFNET backbone, the NSF sponsored three primary and one secondary Network Access Points (NAPs). The NSF's concern was that without the sponsorship of a core set of exchange points the commercial backbone providers would set up a conglomeration of bilateral connection points that would potentially result in routing chaos. Each NAP operator provides the exchange facility, while the ISP that connects to the NAP establishes peering agreements with the other ISPs connecting to the same NAP. The purpose of a peering agreement is to ensure that traffic from one ISP can reach all the customers on another ISP by exchanging routing information between the two ISPs. The current number of IXPs on the Internet far exceeds the original four NAPs sponsored by NSF. The term NAP is applied only to the NSF-sponsored IXPs, whereas all IXPs provide the same functionality, which is a common place for ISPs to exchange data.

Analysis

The Internet is a very dynamic entity in that it is constantly evolving and growing. Therefore it is impossible to accurately identify all components of the current Internet. To develop the data for this report, the Internet was analyzed to identify key components used to transmit network traffic across the Internet. To achieve this purpose, a software tool called the Internet Analysis Tool (IAT) was used to automatically trace the routes used to send traffic between two hosts on the Internet. The IAT collects data from the set of routers an Internet packet traverses on its path from one host to another. The analysis of the routes identified by the IAT yields traffic trends and identifies key components in the Internet infrastructure.

For this analysis two IAT source sites were chosen:
- Booz-Allen & Hamilton, McLean, Virginia, on the ... network
- Proxima Inc., McLean, Virginia, on the MCI network

The tool collected routes from each of these two sites to 105 other sites located across the United States. The types of Web sites chosen for this analysis were the following:
- 23 NCS Member Organizations' Web sites
- 50 State Web sites
- Major university Web sites
- Popular commercial Web sites

The output from an IAT execution is the set of routers in the path between two hosts. For each router, three datagrams were sent at different times of the day, and the round trip time between the originating host and the router was collected.

Analysis Results

Traces performed throughout the test period indicated high success rates, averaging between ... and 89 percent. Of the unsuccessful trace attempts, most resulted from an unreachable node (a router or the destination server in the path) that was probably either shut down or incompatible with the IAT software.

Internet use is highest during mid-to-late afternoon business hours. Based on the round trip time for packets to traverse the network, congestion peaks between the hours of 12:00 noon and 4:00 pm eastern time. This analysis indicated that the number of router hops did not vary in accord with the time of day or the day of the week. Thus the predictability of Internet routing, along with an increasing dependency on this communications medium, renders it vulnerable to targeted and intended network disruptions.
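The IAT methodology described above (repeated traces from two sources to many destinations, datagrams sent at different times of day, round trip time recorded per router) can be reproduced on a small scale to show how the reported measures are derived. The following Python is an added example and not the report's IAT; the trace records are constructed to have the shape of traceroute output (source, destination, hour in eastern time, and the ordered list of routers with round trip times, or None where an unreachable node stopped the trace). It computes the trace success rate, average round trip time and average hop count by hour, each router's normalized frequency of use (visits divided by successful traces), and which ISP network is traversed by the largest share of traces; the mapping of router names to networks by prefix is an assumption.

```python
"""Added example (not the report's IAT): analysis of route traces of the kind the
Internet Analysis Tool collected. The trace records below are constructed."""
from collections import Counter, defaultdict

# Constructed traces: (source, destination, hour eastern, hops)
# hops = ordered [(router, round_trip_ms), ...] ending at the destination host, or
# None when an unreachable node stopped the trace.
TRACES = [
    ("bah", "state-1", 9,  [("r-src1", 2.0), ("r-src2", 4.0), ("mci-a", 20.0), ("mci-b", 30.0), ("state-1", 45.0)]),
    ("bah", "state-1", 14, [("r-src1", 3.0), ("r-src2", 5.0), ("mci-a", 40.0), ("mci-b", 60.0), ("state-1", 90.0)]),
    ("bah", "univ-1", 9,   [("r-src1", 2.0), ("r-src2", 4.0), ("mci-a", 22.0), ("mci-d", 28.0), ("sprint-a", 35.0), ("univ-1", 50.0)]),
    ("bah", "univ-1", 14,  [("r-src1", 2.5), ("r-src2", 4.5), ("mci-a", 45.0), ("mci-d", 55.0), ("sprint-a", 70.0), ("univ-1", 100.0)]),
    ("proxima", "state-1", 9,  [("p-src1", 1.0), ("mci-c", 18.0), ("mci-b", 28.0), ("state-1", 40.0)]),
    ("proxima", "state-1", 14, [("p-src1", 1.5), ("mci-c", 38.0), ("mci-b", 58.0), ("state-1", 80.0)]),
    ("proxima", "univ-1", 9,   [("p-src1", 1.0), ("mci-c", 19.0), ("sprint-a", 33.0), ("univ-1", 48.0)]),
    ("proxima", "univ-1", 14,  [("p-src1", 1.5), ("mci-c", 39.0), ("sprint-a", 68.0), ("univ-1", 95.0)]),
    ("bah", "commercial-1", 14, None),   # unreachable node in the path: trace failed
]

# Assumed mapping of router name prefix -> ISP network (constructed, not the report's).
NETWORK_BY_PREFIX = {"mci": "MCI", "sprint": "Sprint", "r-src": "BAH access", "p-src": "Proxima access"}


def network_of(router):
    for prefix, network in NETWORK_BY_PREFIX.items():
        if router.startswith(prefix):
            return network
    return "unknown"


def successful(traces=TRACES):
    return [t for t in traces if t[3] is not None]


def success_rate(traces=TRACES):
    """Fraction of trace attempts that reached the destination."""
    return len(successful(traces)) / len(traces)


def avg_rtt_by_hour(traces=TRACES):
    """Mean round trip time to the destination (last hop) per hour of day."""
    by_hour = defaultdict(list)
    for _, _, hour, hops in successful(traces):
        by_hour[hour].append(hops[-1][1])
    return {h: sum(v) / len(v) for h, v in by_hour.items()}


def avg_hops_by_hour(traces=TRACES):
    """Mean path length per hour of day; constant here, as the report found."""
    by_hour = defaultdict(list)
    for _, _, hour, hops in successful(traces):
        by_hour[hour].append(len(hops))
    return {h: sum(v) / len(v) for h, v in by_hour.items()}


def router_frequency(traces=TRACES):
    """Normalized frequency of use: visits to each router divided by the number of
    successful traces. The destination host is not a router and is excluded."""
    ok = successful(traces)
    visits = Counter(router for _, _, _, hops in ok for router, _ in hops[:-1])
    return {router: n / len(ok) for router, n in visits.items()}


def network_usage(traces=TRACES):
    """Share of successful traces that traverse each network at least once."""
    ok = successful(traces)
    hits = Counter()
    for _, _, _, hops in ok:
        for network in {network_of(r) for r, _ in hops[:-1]}:
            hits[network] += 1
    return {network: n / len(ok) for network, n in hits.items()}


def most_traversed_network(traces=TRACES):
    """Backbone network most traces depend on; source access networks are excluded
    because they are critical only to their own source site."""
    backbone = {k: v for k, v in network_usage(traces).items() if not k.endswith("access")}
    return max(backbone, key=backbone.get)


if __name__ == "__main__":
    print("success rate:", success_rate())
    print("avg RTT by hour:", avg_rtt_by_hour())
    print("avg hops by hour:", avg_hops_by_hour())
    print("router frequency:", router_frequency())
    print("most traversed backbone:", most_traversed_network())
```

On the constructed records the afternoon round trip times are roughly double the morning ones while the hop counts are identical, the routers nearest each source score highest only because every trace from that source must pass through them, and MCI is the backbone every trace depends on; these are the same kinds of observations the report draws from its own traces.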
disruptions Routers appear to share a somewhat balanced traffic load within the backbone networks excluding those routers closest to the two sources As expected a high number of router Visits occurred in the initial hops of the traces These initial routers are critical to the sources however they are not necessarin critical to the entire Internet As the trace moved away from the source and into the backbone networks the number of visits per router stabilized Therefore a single critical router could not be identified however it could be determined which net'WOrks were more heavily traversed For this analysis MCl s network was traversed most frequently and was therefore critical to the success of the traces i ll Vulnerabilities The Internet can provide service in a volatile unreliable network environment But like the PM the Internet has vulnerabilities that can severely degrade its level of service Because the Internet relies on FM packet and circuit switched networks it is vulnerable to the same cable cuts and other damage that can affect the PN In addition some restoration techniques used by the PN carriers for circuit switched traffic cannot be used on the lnternet's packet switched traffic National are critical to the operation of the U5 portion of the Internet An IXP failure could greatly reduce the Internet s ability to transport traffic nationwide or even worldwide Congestion at these has also convinced ISPs that it is necessary to establish secondary means of interconnecting with one another Network routing protocols dictate how traffic is directed through the network in that they determine the paths that should be taken through the network to avoid congestion and network outages Some Internet routers are vulnerable to thrashing the optimal path through the network changes so frequently that the router spends more time computing these paths than actually routing users data In summary the initial analysis has determined that the Internets physical 
vulnerabilities are consistent with the vulnerabilities of other large communication networks, most notably last-mile issues and loss of backbone transport. Additional vulnerabilities exist that are distinct to the Internet: congestion, exponential growth in traffic, routing software, and network server management issues.

1 INTRODUCTION

The National Communications System (NCS) is a federation of 23 federal departments, agencies, and organizations that are responsible for the survivability and interoperability of various components of government communications supporting national security and emergency preparedness (NS/EP) activities. The Office of the Manager, National Communications System (OMNCS) is the planning and operational element of the NCS. The OMNCS performs a broad range of initiatives in fulfilling its mission, including analyzing communications networks that support NS/EP communications. The analysis process utilizes a standard OMNCS modeling methodology that incorporates OMNCS and commercial-off-the-shelf models as well as public and proprietary data.

1.1 BACKGROUND

The phenomenal growth of the Internet has been one of the most significant technological events of the last several years. As an instrument for sharing and distributing information, the Internet will be judged one of the major milestones of the latter part of the 20th century. The introduction of Web browsers, dial-up communications protocols (Point-to-Point Protocol, Serial Line Interface Protocol (SLIP), and WinSock), and the increased efficiency of routers have made Internet access possible and cost effective even for small-business and at-home personal computer (PC) users. The exponential increase in Internet traffic has fostered the concept of the Internet as the ubiquitous tool for sharing information. However, the accessibility and availability of the Internet depend on a physical infrastructure of software, routers, and transmission media. As more businesses, government organizations, and the public use the Internet for their daily activities, it becomes more important to understand the operation of the Internet and the reliance of the Internet on the existing communications infrastructure. The infrastructure that supports the Internet has evolved from mainframes and large minicomputers using dedicated transmission lines to low-cost routers and dial-up access from modems on PCs. Additionally, a growing support industry is providing Internet services, software, and content. As the Internet continues to evolve, its users will increasingly be dependent on not only the physical infrastructure but also the supporting services that have allowed the Internet to become an unparalleled information-sharing tool.

1.2 SCOPE

This report describes the Internet by tracing its growth and development over the last three decades. It is difficult to provide a detailed, definitive history of the Internet because much of its history has incorporated computer folklore and anecdotes. However, the major Internet milestones have been captured and serve as a baseline for its future growth. In the context of the current description of the Internet and the Public Networks (PN), this document addresses several Internet vulnerabilities. These vulnerabilities are quantified using a simple route tracing tool that determines the physical path of Internet traffic. The Internet routes are then overlaid onto the PN infrastructure to illustrate the interdependence of the PN and the Internet.

1.3 ORGANIZATION

This document is organized into five sections. Section 1, Introduction, provides the background and scope of the Internet/PN Interconnectivity and Vulnerability Assessment. Section 2, the History of the Internet, provides a detailed description of the history of the Internet from its earliest inception in 1969 up to the dissolution of the National Science Foundation's (NSF) backbone network in 1995. Section 3, Internet Definition, presents a breakdown of the different types of service providers, a description of the Internet infrastructure at a high level, and a discussion of the relationship of the Internet infrastructure to the PN infrastructure. Section 4, Internet Analysis, describes the Internet Analysis Tool (IAT) functionality and implementation. This section also presents the analysis methodology and results from the IAT. Finally, Section 5, Vulnerabilities, analyzes the current infrastructure of the Internet and discusses its major vulnerabilities.

2 HISTORY OF THE INTERNET

The Internet is a very complex entity of more than 10 million hosts connecting over 95,000 networks. To fully describe what the Internet consists of today, it is necessary to look at how the Internet began and evolved to its current state. The roots of the technology employed by today's Internet are found by analyzing its evolution. This section provides a detailed description of the history of the Internet, beginning with the initial work performed by the Defense Advanced Research Projects Agency in 1969 to the recent commercialization of the Internet and the dissolution of the National Science Foundation Network (NSFNET) backbone in 1995. Exhibit 2-1 shows a timeline of the history of the Internet that this section will discuss in detail.

Exhibit 2-1 Internet Timeline [figure not reproduced; timeline, 1970-1995, of the ARPANET, CSNET, NSFNET, TCP/IP, NAP and route server milestones discussed in this section]

The inception of the Internet can be traced to 1969, when DARPA was commissioned by the United States Department of Defense (DOD) to develop a communications
system that would be survivable in the face of enemy attacks, including nuclear war. In addition, the network should allow military and academic researchers to collaborate on research projects and share computer processors across the country. In response to this direction, DARPA (later renamed ARPA) set up a network consisting of the following four nodes:

- University of California at Los Angeles
- Stanford Research Institute
- University of California at Santa Barbara
- University of Utah

ARPA used this four-node network, referred to as ARPANET, to experiment with the linkage to be used between [illegible] and military research contractors.

In 1970, ARPA began researching packet-switched technology. The goal of this technology was to decentralize the network by giving all nodes on the network equal authority to transmit and receive packets across the network. The route each packet took to its destination was unimportant as long as it reached its destination; thus, packet-switching technology was effective when network connections were unreliable. The packet-switching technology employed by ARPA during the seventies was known as the Network Control Protocol (NCP). By the end of 1971, there were 15 nodes connecting 23 hosts to ARPANET.

In 1973, ARPA began the Internetting project. The goal of this project was to develop a protocol that could seamlessly pass information between different networks. This project culminated in 1977 in a demonstration of networking through various media, including satellite, radio, telephone, and Ethernet. The protocol developed in this project formed the basis for the Transmission Control Protocol and Internet Protocol (TCP/IP), where IP handles the addressing of the individual packets while TCP coordinates the proper transmission of information. By the end of 1982, ARPA had established TCP/IP as the protocol suite for the ARPANET, requiring that all nodes connecting to ARPANET use TCP/IP. Additionally, DOD declared that TCP/IP was to be its standard protocol. The official cutover from NCP to TCP/IP was executed on January 1, 1983. Aiding this transition was the incorporation of TCP/IP into Version 4.2 of the Berkeley Standard Distribution of UNIX. This version of the UNIX operating system was free to anyone who wanted it, thus ensuring a wide deployment for TCP/IP. The marriage of TCP/IP and UNIX began a long-standing affiliation between the Internet and the UNIX operating system that continues today.

Another major event in 1983 was the division of ARPANET into two networks: ARPANET and MILNET. MILNET was to be used for military-specific communications, whereas ARPANET was to continue its research and development in networking computers. MILNET was integrated with the Defense Data Network, created in 1982. The funding for ARPANET was provided by the Defense Advanced Research Projects Agency (DARPA). By 1984, the number of hosts connecting to the ARPANET was more than 1,000.

While the ARPANET was undergoing major changes, another significant event in the history of the Internet occurred. In 1979, representatives from DARPA and the NSF and computer scientists from several universities met to establish a Computer Science Department research computer network (CSNET). One of the driving forces for the establishment of CSNET was the concern that computing facilities located at universities not connected to ARPANET did not have the same advantages in research and in staff and student recruitment as those that were connected. In 1981, CSNET was fully operational through money granted by NSF. Although designed initially to be a standalone network, CSNET later incorporated a gateway connection to the ARPANET. In the summer of 1980, a DARPA scientist proposed the interconnection of the not-yet-established CSNET and ARPANET using protocols that would provide services and the seamless transmission of information between users regardless of the type of network. This set of protocols was TCP/IP. The gateway connection between the two networks was established in 1983.

In 1986, the NSF created the NSFNET. The purpose of this network was to provide high-speed communications links between five major supercomputer centers located across the United States. Although ARPANET was flourishing, its 56-Kbps backbone and network topology could not fulfill the demand for high-speed networking required by multiple research projects. The goal of the NSFNET was to provide a reliable environment for the US research and education community and access to the major supercomputing centers. The NSFNET essentially duplicated the functionality of the ARPANET; NSF chose TCP/IP as the standard protocol for its new network. This new network ultimately led to the downfall of ARPANET: in 1990, ARPANET was formally retired.

The infrastructure of the NSFNET was a three-tier hierarchical structure:

- National backbone
- Regional networks
- Local area networks (LAN)

The original backbone of the NSFNET, depicted in Exhibit 2-2, consisted of a 56-Kbps network. This backbone network is considered the basis of what is now called the Internet. Regional networks hung off the backbone network and provided services to LANs at education and research facilities. Universities and research associations combined to form the regional networks, which in turn would aggregate their traffic and hand it off to the NSFNET backbone. Exhibit 2-3 depicts the three-tier structure implemented in the NSFNET throughout its existence.

Exhibit 2-2 Original NSFNET Backbone, 1985 [figure not reproduced; Source: NSF]

Exhibit 2-3 NSFNET Three-Tier Infrastructure, 1986-1995 [figure not reproduced; research, development and educational campus networks feed regional networks, which feed backbones of ever-increasing bandwidth]

Because NSFNET's primary focus was nonprofit research and development by universities and research groups, NSF instituted an acceptable use policy that restricted the use of the NSFNET to noncommercial activities. Additionally, NSF offered financial help to those regional
networks composed of university and research facility LANs that wished to connect to the NSFNET backbone.

By 1987, the NSFNET outgrew its existing capacity. NSF awarded a five-year contract to Merit (the Michigan state networking organization) with MCI and IBM. The purpose of this contract was to transition the NSFNET backbone to T1 links and provide several access points around the country. Merit's role was to manage the backbone, including routing, whereas IBM provided the routing equipment and MCI provided the trunk lines. The transition to a T1 backbone was completed in 1988. By the end of the 1980s, more than 100,000 hosts from [illegible] countries worldwide were connecting to the NSFNET. Exhibit 2-4 depicts the T1 backbone of the NSFNET in 1988.

Exhibit 2-4 1988 T1 NSFNET Backbone [figure not reproduced; nodes include Seattle, WA, Palo Alto, CA, and College Park, MD; Source: NSF]

As the NSFNET grew, some organizations realized that providing services and functionality similar to that of the NSFNET, without the access restrictions, was a golden business opportunity. These organizations, experienced in providing regional network operations, seized the opportunity to set up their own nationwide backbone networks. Thus the first commercial Internet service providers were created. These providers included Performance Systems (PSINet) and AlterNet, which was generated from [illegible] Technologies. The main focus of these networks was to provide the same functionality as the NSFNET over their own networks, but without any access restrictions.

In 1991, the fourth year of the five-year contract, Merit, IBM, and MCI formed a new nonprofit corporation, Advanced Networks and Services (ANS), which was given the operational responsibilities of the NSFNET. In June 1991, ANS announced it would provide commercial access to the Internet, thus nullifying the acceptable use policy. By broadening access to the Internet, ANS increased its efforts to expand connectivity and make the Internet a more powerful tool. The new, evolving private commercial networks were hindering research, forcing researchers to spend time accessing several networks, all in the name of science. With expanded commercial providers on the Internet, there was a single common network that increased a researcher's ability to find any information needed and focus on the research at hand.

When NSF lifted its access restrictions in 1991, allowing commercial traffic on the NSFNET, ANS formed a for-profit subsidiary, ANS Commercial Research & Education, to provide full commercial traffic across the backbone. Once the acceptable use policy had been abolished, [illegible] Technologies and General Atomics created the Commercial Internet Exchange (CIX). CIX was a traffic exchange point between the NSFNET and the commercial Internet service providers' networks.

The other major event that occurred in 1991 was the transition of the NSFNET backbone from T1 links to T3. This transition, like the initial transition from 56-Kbps to T1 links in 1988, was made because the capacity of the backbone network could not meet the traffic loads. Although this transition required new routing equipment and interfaces and at times proved to be technically challenging, it was accomplished with relative ease. This was due to the fact that the same organizations that were managing the old T1 backbone were responsible for implementing and overseeing the new T3 backbone network. Additionally, the T1 backbone still existed as a backup if the new network failed. Exhibit 2-5 depicts the T3 backbone as of 1992.

In 1992, Vice President Al Gore drafted legislation that proposed a National Research and Education Network (NREN). This new network would consist of T3 links separate from those making up the NSFNET backbone and would connect all schools, libraries, etc., for a cost of over $2 billion. Even though the legislation was passed, no new network ever came into existence. The NREN effort did, however, succeed in sparking a greater interest in the Internet.

Exhibit 2-5 1992 T3 NSFNET Backbone [figure not reproduced; nodes include Seattle, WA, Lincoln, NE, and sites in MA, NJ, and MD; key: exterior nodes, core interior nodes; Source: NSF]

The new public Internet coincided with the release of the first Microsoft Windows version of Mosaic in 1993. Mosaic, developed by the University of Illinois at Urbana-Champaign, was an X-Windows interface to the World Wide Web. The concept of the Web was started in 1989 in Switzerland as a means to easily share information among researchers in high-energy particle physics. In 1991, the first Web server came into existence, but without any client software. The introduction of the first interface to the Web included the capability to navigate through the Web via the mouse. Today's Web browsers, such as Netscape, include File Transfer Protocol (FTP), E-mail, Telnet, and many more capabilities. The use of a graphical interface to access the Internet has played a significant role in the popularity growth of the network because it allowed access to the Internet without having knowledge or possession of the UNIX operating system.

While the look and feel of the Internet was undergoing changes, NSF in 1992 began to question its role in the network. NSF observed that its backbone network was operating in conjunction with several commercial nationwide backbone networks. Essentially, NSF was paying for users to access its network (and thus the Internet), whereas the other commercial service providers were being paid for access to theirs. Although in 1991 the NSF had notified the regional networks that they would have to become self-sustaining, it was 1992 before the NSF took action. The NSF began considering ways in which it could successfully pull out of the Internet arena with little disruption to the Internet while continuing its commitment to the education and research community. With the five-year contract between the NSF and Merit drawing to a close, Merit was granted an 18-month extension beyond the original October 1992 expiration date to allow the NSF time to work out how to transition its backbone network into a new structure. This work culminated in a
solicitation for proposals (Solicitation 93-52) in the following four areas that compose the new national Internet structure:

- Network Access Points (NAP)
- Routing Arbiter
- Regional network provider awards
- A very high-speed Backbone Network Service (vBNS)

The NAPs act as interconnection points where commercial Internet service providers can meet and exchange traffic. The NSF believed that without such interconnect points, backbone providers would likely establish their own independent bilateral connect points, which would stifle the NSF's plan for full connectivity for the research and education community. The NAP manager contracts were awarded to the following:

- Sprint for a New York NAP
- Metropolitan Fiber Systems (MFS) Datanet for a Washington, DC NAP
- Bellcore and Ameritech for a Chicago NAP
- Bellcore and Pacific Bell for a California NAP

The Routing Arbiter is an independent group that operates route servers at each NAP. The transfer of traffic among the backbone providers that meet at the NAPs is facilitated by route databases contained in the route servers. These databases contain routing information and policy requirements for each backbone provider and therefore indicate to which provider the incoming information should be sent. This contract was awarded to Merit and the Information Sciences Institute (ISI) at the University of Southern California, which together make up the Routing Arbiter group.

With the dissolution of the NSFNET and the introduction of NAPs and commercial traffic, access to the Internet by the NSF-subsidized regional networks was no longer free. The commercial backbone providers were now paying a fee to interconnect with the NAPs and passing these charges to their users, the regional network providers. Therefore, the NSF decided to award the regional network provider contracts to alleviate the regional networks' initial shock of having to pay for Internet access. The awards provided the regional networks with annual NSF funding, with the funding declining to zero over a four-year period. The regional network providers would use the subsidy to pay the commercial Internet providers, who were in turn required to connect to the NAPs. There were 17 contracts awarded to regional network providers for interregional connectivity.

The NSF also proposed to sponsor a new backbone, the vBNS, operating at a minimum speed of OC-3 (155 Mbps), to link the following five NSF supercomputer centers:

- Cornell Theory Center
- National Center for Atmospheric Research
- National Center for Supercomputing Applications
- Pittsburgh Supercomputing Center
- San Diego Supercomputing Center

Unlike the general-purpose NSFNET infrastructure, the vBNS functions as an advanced research laboratory, allowing research, development, and integration of new networking requirements using technology beyond just IP routing. There is a strict acceptable use policy: the vBNS may only be used for meritorious high-bandwidth research activities, and it may not be used for general Internet traffic. NSF entered into a five-year agreement with MCI to provide the vBNS. During this five-year agreement, MCI is expected to participate in the development and use of advanced Internet routing technologies. At the end of the agreement, it is anticipated that technology will exist that will increase the transmission speeds beyond 2.2 Gbps. Additionally, the vBNS will act as an experimental platform for the development and testing of broadband Internet services and equipment. Exhibit 2-6 depicts the NSF's vBNS network.

Exhibit 2-6 The National Science Foundation vBNS Network [figure not reproduced; links the five supercomputer centers listed above; key: T1, T3, NetStar IP router, Cisco IP router, ATM switch]

The result of NSF's solicitation for proposals was a new Internet structure. In April 1995, the NSFNET backbone was formally retired. At that time, 93 countries and more than 50,000 networks were connected by the NSFNET backbone. Exhibit 2-7 details the number of networks by country connected to the NSFNET backbone by the end of the project. NSF's original task was to improve the previous NSFNET backbone, push the technology to newer heights, and implement it on a national level. It was hoped that this would place a powerful tool in the hands of the research and education community and create innovative use and applications. These goals were accomplished: the NSFNET backbone connected most of the higher research and education community to a robust and reliable high-speed network, and it served as the sole player in making the Internet industry. The NSF's task will continue to evolve in two directions: (1) providing support for the research and education community by guaranteeing the availability of services, resources, and tools to keep the Internet connected, and (2) continuing to push networking technology using the vBNS.

Exhibit 2-7 Countries and Networks Connected to NSFNET as of April 1995

Country                  Total Networks
Algeria                  3
Argentina                2
Armenia                  3
Australia                1375
Austria                  408
Belarus                  1
Belgium                  138
Bermuda                  20
Brazil                   165
Bulgaria                 9
Burkina Faso             2
Cameroon                 1
Canada                   4795
Chile                    102
China                    8
Colombia                 5
Costa Rica               5
Croatia                  31
Cyprus                   25
Czech Rep.               459
Denmark                  48
Dominican Rep.           1
Ecuador                  85
Egypt                    7
Estonia                  49
Fiji                     1
Finland                  0-13
France                   2003
French Polynesia         1
Germany                  1750
Ghana                    1
Greece                   105
Guam                     5
Hong Kong                95
Hungary                  164
Iceland                  31
India                    [illegible]
Indonesia                46
Ireland                  168
Israel                   21
Italy                    50o
Jamaica                  1o
Japan                    1847
Kazakhstan               2
Kenya                    1
Korea, South             4113
Kuwait                   8
Latvia                   22
Lebanon                  1
Liechtenstein            3
Lithuania                1
Luxembourg               59
Macao                    1
Malaysia                 6
Mexico                   126
Morocco                  1
Mozambique               [illegible]
Netherlands              406
New Caledonia            1
New Zealand              556
Nicaragua                1
Niger                    1
Norway                   214
Panama                   1
Peru                     4-1
Philippines              46
Poland                   131
Portugal                 92
Puerto Rico              0
Romania                  26
Russia                   105
Senegal                  11
Singapore                107
Slovakia                 69
Slovenia                 46
South Africa             419
Spain                    25
Swaziland                1
Sweden                   415
Switzerland              32-1
Taiwan                   525
Thailand                 1117
Tunisia                  19
Turkey                   3
Ukraine                  60
United Arab Emirates     3
United Kingdom           143a
United States            28-1311
Uruguay                  1
Uzbekistan               1
Venezuela                1
Vietnam                  1
Virgin Islands           4

Source: Merit Network, Inc.

3 INTERNET DEFINITION

At the highest level, today's Internet consists of multiple national and regional Internet Service Providers (ISP) and interconnection points where the ISPs meet and exchange traffic. This infrastructure is similar to that of the old NSFNET, which consisted of a three-tier structure:

- Backbone network
- Regional networks
- Local campus networks

On the NSFNET, regional networks would aggregate their traffic and hand it off to the NSFNET backbone. The regional networks comprised multiple local business and campus networks. Although there were many regional and local networks, there was only one backbone network. As mentioned in Section 2, the NSFNET has been decommissioned. In its place are multiple nationwide networks, which are similar to the NSFNET backbone network. Regional networks still aggregate their traffic and hand it off to the nationwide backbone network to which they are connected. Interexchange points (IXP) are located around the country, where traffic is exchanged between national and regional ISPs. Peering agreements are used between the ISPs connected at an IXP to determine how traffic is routed. These service providers and interexchange centers are the main components of the US Internet. This section will describe different elements of the Internet architecture and the different routing protocols used on today's Internet.

3.1 INTERNET SERVICE PROVIDERS

ISPs are classified according to their network and customer base. The network classification refers to whether or not the ISP owns or leases its network. An ISP that does not own or lease its network is referred to as a reseller. The customer base classification refers to an ISP's type of customers: national or regional. A particular ISP may have national and regional customers, but generally it has more of one type than another. There are three types of ISPs: National Service Providers (NSP), Regional
Service Providers (RSP), and Resellers. The following sections provide further detail for each type of ISP.

3.1.1 National Service Providers

The first category of ISPs is NSPs, which provide national backbone service. This type of service provider owns or leases its own backbone network and has a nationwide customer base. Additionally, NSPs are generally connected to all the major IXPs and have peering agreements with other major NSPs at these exchange points. Traffic originating with a customer on an NSP that is destined for a customer on another NSP is transferred from the originating network to the terminating network at an IXP. The NSP's network infrastructure consists of routers (network layer) and switches (data link layer) that are owned by the NSP. The following are examples of NSPs:

- ANS
- BBN
- Sprint
- UUNET

Of the NSPs, MCI and Sprint are the only two that own their entire network. Other NSPs may own small parts of their networks, but most of their networks consist of circuits leased from the PN providers. Most of these circuits are leased from the large Interexchange Carriers (IEC). However, some circuits are also leased from the Local Exchange Carriers (LEC) (Bell Atlantic), Competitive Access Providers (CAP) (Metropolitan Fiber Systems), and smaller IECs (LDDS). Exhibit 3-1 depicts a representative backbone network for one of the NSPs mentioned above. As shown in the exhibit, [illegible], like most NSPs, has redundant connectivity between each switching node on its backbone network.

NSPs rarely sell directly to small consumers (small businesses and residential customers) because of the added customer handholding required by smaller, less experienced users. Instead, NSPs sell their services to large businesses and resellers. Resellers in turn resell Internet service to small business and residential customers. It is important to note that not all NSPs resell their networks (e.g., [illegible]).

The architecture of an NSP network may be separated into access and transport. Access refers to the customer's connection to the NSP, whereas transport refers to the backbone of the network. Customers connect to NSPs via leased and dial-up lines. Typical leased lines are 56-Kbps or T1 and usually terminate at an NSP's point of presence (POP). MCI advertises that 40% of all Internet traffic travels over MCI circuits. This includes traffic on MCI's NSP and traffic on other NSPs that use MCI leased lines.

Exhibit 3-1 Representative NSP Backbone Network [figure not reproduced]

For dial-up customers, the NSP usually has digital and/or analog modem banks terminating from its POP into the local central office using T1s. Because NSPs have national presence and reach, once a customer's traffic reaches an NSP POP it has essentially reached the Internet. The typical backbone of an NSP comprises routers and switches connected by T1, T3, or even OC-level circuits. These circuits may be leased from one or more IECs. One NSP, PSINet, leases backbone circuits from five different IECs.

The NSP market has not escaped the notice of existing PN providers anxious to get involved in the growth of the Internet. In the short term, PN providers have chosen to partner with NSPs for Internet backbone transport instead of developing NSP expertise in-house. For example, GTE recently announced a partnership with [illegible] to provide Internet access under the GTE name to customers in 46 US states.3 Cross PN-NSP service agreements also exist between Pacific Bell and America On-Line (which owns ANS), and between [illegible] and BBN.

3 Washington Post, July 11, 1996, Page 19.

The recently announced merger between [illegible] and MFS may be a harbinger of future mergers between NSPs and PN providers. PN providers own the data links necessary to run an NSP and have the marketing savvy to sell Internet service to business and residential customers. NSPs, on the other hand, have the in-house technical expertise to manage the switches, routers, and interconnection arrangements necessary to make the NSP backbone work. Other future developments in the NSP market will include service differentiation to target selected
customer markets. For example, MCI and BBN have announced services that provide a higher quality of service to business customers who subscribe to their NSP. BBN provides priority treatment to business customers through Internet Protocol version 6 (IPv6) priority service protocols. MCI provides a separate network for its business subscribers' Internet traffic. This separate network includes locally hosted mirror sites from popular Web sites on other NSP networks and in the future will include IPv6 priority treatment.

3.1.2 Regional Service Providers

The second category of ISPs is the RSPs. These service providers are similar to the NSPs in that they own or lease their backbone network, but they are much smaller in scale. Their networks encompass a single region, and they usually have a regional customer base. RSPs have peering agreements with NSPs to transfer traffic over the Internet. RSPs either connect directly to the NSP or connect to an IXP, where they transfer traffic to the NSP network. NorthWestNet is an example of an RSP that connects directly to an NSP. NorthWestNet, which provides service to customers in Washington, Oregon, and Idaho, has direct connections to both MCI's and Sprint's NSP networks. Erols is an example of a network with a direct connection to an IXP. Erols, which provides service to customers in the metropolitan Washington, DC area, is connected to the Metropolitan Area Ethernet-East (MAE-East) IXP, where it can transfer traffic to most of the larger NSPs and several smaller RSPs.

RSP service is an attractive option for residential and small business customers. Because of the small customer base, RSPs can offer more hands-on assistance in the form of customer training and help desk operators trained to assist less knowledgeable users.

Like NSP networks, the RSP network architecture may be separated into access and transport portions, though with different meanings. In the RSP scenario, access refers not only to the customer connecting to the RSP but also to the RSP connecting, if at all, to the Internet. Transport refers to the backbone of the network. As in the NSP scenario, customers connect to RSPs via leased and dial-up lines. Typical leased lines are 56-Kbps or T1 and usually terminate at an RSP's POP. For dial-up customers, the RSP usually has digital and/or analog modem banks terminating from its POP into the local central office using T1s. An RSP's backbone is typically restricted to a region, as opposed to NSPs, which have a national presence and whose backbone spans the entire United States. Transport on an RSP network, or backbone, comprises T1 and T3 circuits that connect the RSP's POPs and customers in a particular region. These circuits are leased from LECs, CAPs, and IECs. As noted above, RSP customers are primarily small business and residential subscribers.

In the coming years, new companies will enter this market. Most notable are the Internet service offerings from the IECs and the Regional Bell Operating Companies (RBOC). This increased competition may cause some consolidation of the RSP market when smaller RSPs go out of business or are bought out by larger firms. The remaining RSPs will survive by targeting market niches such as high-volume residential users or businesses new to the Internet.

The exhibits below show two example RSP network backbones. Exhibit 3-2 shows NorthWestNet's backbone and Exhibit 3-3 shows CERFnet's backbone. Note that NorthWestNet has redundant connections to Sprint and MCI to transfer traffic, whereas CERFnet connects directly to NAPs to share traffic.

3.1.3 Resellers

Resellers are another member of the Internet provider family. Resellers purchase service from NSPs or RSPs and resell this service to small business and residential customers. Resellers are differentiated from RSPs because resellers do not own or lease a network infrastructure. Instead, resellers typically operate out of a single site with a modem bank for customer access and a T1 connection to transfer traffic to the NSP/RSP network. There are approximately 1,400 Internet resellers in the United States, most of which base their business on subscriptions to Internet service. As the Internet market matures, Internet service is becoming a commodity. This trend has been furthered by the entry of the RBOCs and IECs into the residential Internet service market. Typically, unlimited access is provided on a [illegible] basis for a flat-rate fee or a combination of flat-rate and usage-based pricing.

Exhibit 3-2 NorthWestNet Backbone Network [figure not reproduced; key: Global Internet backbone, Network Operations Center, NorthWestNet hub; nodes include Boise, ID; shows connections to Sprint and MCI exchange centers in San Francisco, Chicago, New York, and Washington carrying international Internet traffic]

Because Internet service has significant economies of scale, the market favors the larger providers, who can spread their fixed costs over a larger customer base. Because of this, many experts predict that the number of Internet resellers will decrease dramatically in the next few years. The Yankee Group predicts that there will only be 200 resellers left in business by 2000. The remaining resellers may survive by looking for market niches. For example, instead of providing Internet subscriptions, resellers are already starting to provide value-added services such as Web page hosting, Web page development, security management, and electronic commerce consulting. In these areas a reseller may be able to provide better service to small businesses than a larger NSP or [illegible] company.

3.2 INTEREXCHANGE POINTS

With the dissolution of the NSFNET backbone, the NSF was concerned with maintaining connectivity between the commercial networks and the research and education community. To address this issue, the NSF sponsored three primary and one secondary NAPs. Without the sponsorship of a core set of exchange points, the NSF feared that the commercial backbone providers would likely set up a hodgepodge of bilateral connect points, potentially resulting in routing chaos.
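The structure described here, with ISPs meeting at NAPs and other IXPs and exchanging traffic only where a peering agreement exists, can be checked for the kind of single point of failure that the report's route-tracing overlay (Section 1.2) sets out to quantify. The following Python model is an added example, not part of this report or of the OMNCS Internet Analysis Tool; the ISP names, exchange points, and peering agreements in it are constructed, and it shows how one single-homed regional provider turns an exchange point into a single point of failure and how a redundant connection removes it.

```python
"""Model of ISPs meeting at Internet exchange points (IXPs/NAPs) under
peering agreements, used to find which exchange points are single points
of failure for ISP-to-ISP connectivity.  Added example; the topology is
constructed and hypothetical, not taken from the report."""
from collections import deque
from itertools import combinations

# Constructed sample topology (hypothetical names): each ISP and the
# exchange points it has a connection to.
ISP_IXPS = {
    "NSP-A": {"NAP-NY", "NAP-CHI", "NAP-CA"},   # national, present at all NAPs
    "NSP-B": {"NAP-NY", "NAP-CA"},
    "RSP-East": {"NAP-NY"},                     # single-homed regionals
    "RSP-Mid": {"NAP-CHI"},
    "RSP-West": {"NAP-CA"},
}

# Constructed bilateral peering agreements.  Connecting to the same NAP
# does not by itself let two ISPs exchange traffic.
PEERING = {
    frozenset({"NSP-A", "NSP-B"}),
    frozenset({"NSP-A", "RSP-East"}),
    frozenset({"NSP-A", "RSP-Mid"}),
    frozenset({"NSP-B", "RSP-East"}),
    frozenset({"NSP-B", "RSP-West"}),
}


def peering_graph(isp_ixps, peering, failed=frozenset()):
    """Adjacency: two ISPs exchange traffic directly only if they hold a
    peering agreement AND share at least one exchange point that is not
    in the 'failed' set."""
    adj = {isp: set() for isp in isp_ixps}
    for pair in peering:
        a, b = sorted(pair)
        if (isp_ixps[a] & isp_ixps[b]) - failed:
            adj[a].add(b)
            adj[b].add(a)
    return adj


def reachable_from(adj, start):
    """ISPs reachable from 'start' through chains of peering (transit)."""
    seen, queue = {start}, deque([start])
    while queue:
        isp = queue.popleft()
        for nxt in adj[isp]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def unreachable_pairs(isp_ixps, peering, failed=frozenset()):
    """Sorted ISP pairs that cannot exchange traffic, given failed IXPs."""
    adj = peering_graph(isp_ixps, peering, failed)
    return sorted(
        (a, b) for a, b in combinations(sorted(isp_ixps), 2)
        if b not in reachable_from(adj, a)
    )


def single_points_of_failure(isp_ixps, peering):
    """Map each IXP whose outage partitions otherwise-connected ISPs to
    the sorted list of ISP pairs that lose connectivity."""
    baseline = set(unreachable_pairs(isp_ixps, peering))
    spof = {}
    for ixp in sorted(set().union(*isp_ixps.values())):
        lost = set(unreachable_pairs(isp_ixps, peering, frozenset({ixp})))
        lost -= baseline
        if lost:
            spof[ixp] = sorted(lost)
    return spof


def with_redundant_connection(isp_ixps, isp, ixp):
    """Copy of the topology in which 'isp' also connects to 'ixp', the
    redundant-connection mitigation discussed later in this section."""
    updated = {name: set(points) for name, points in isp_ixps.items()}
    updated[isp].add(ixp)
    return updated


if __name__ == "__main__":
    for ixp, lost in single_points_of_failure(ISP_IXPS, PEERING).items():
        print(f"{ixp}: outage isolates {len(lost)} ISP pair(s)")
    fixed = with_redundant_connection(ISP_IXPS, "RSP-East", "NAP-CA")
    print("after dual-homing RSP-East, remaining single points of failure:",
          sorted(single_points_of_failure(fixed, PEERING)))
```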
Exhibit 3-3 Backbone Network (map figure of a national backbone, with nodes including San Jose and links labeled in Mbps; the provider name and link detail are not legible in the scan)

Under the NSF model, each NAP operator provides the exchange facility, while the ISP that connects to the NAP establishes the exchange agreements, also known as peering agreements, with the other ISPs connecting to the same NAP. The purpose of a peering agreement is to ensure that traffic from one ISP can reach all the customers on another ISP by exchanging the routing information of the two ISPs.

Today there are many more IXP centers on the Internet than the original four sponsored by NSF. The term NAP is applied only to the NSF-sponsored IXPs, whereas all provide the same functionality: a common place for ISPs to exchange data. Various cities and organizations have used different names for the exchange point: NAP, MAE, CIX, Federal Internet Exchange (FIX). Exhibit 3-4 presents a snapshot of several of the larger IXPs in the United States. It is important to note that an IXP does not have to serve the national ISPs. There are metropolitan exchange points used today which are similar in structure to the NAPs but service only local and regional traffic. This means that traffic originating and terminating in a single region would not traverse any of the national ISPs' backbones, thus removing some of the burden on these networks. The remainder of this section describes the structure of an IXP and details the different types of peering agreements used by the ISPs at an IXP.

Exhibit 3-4 Selected Major IXP Locations (map figure of United States IXPs: MAE-Chicago, CHI NAP, FIX, SMDS-WAB, MAE-West, MAE-LA, MAE-Dallas, MAE-Houston and others; key: NY NAP - Sprint; MAEs - Metropolitan Fiber Systems; CHI NAP - Ameritech; CIX - jointly operated by a consortium; SF NAP - Pacific Bell)

3.2.1 IXP Functionality and Architecture

The large national-scope IXPs, such as the NAPs or MAEs, interconnect numerous national ISPs and may exchange data requiring large amounts of bandwidth. The smaller regional or metropolitan IXPs will have fewer interconnects and require much less bandwidth. The IXP structure is similar regardless of the size of the IXP or the technical architecture used to exchange the traffic. IXP facilities generally consist of a high-speed LAN or metropolitan area network architecture capable of interconnecting various wide area network (WAN) technologies. ISPs connect to the IXP LAN via either a high-speed router or an asynchronous transfer mode (ATM) switch capable of connecting to the IXP architecture. Each of the connecting ISPs must negotiate bilateral or multilateral peering agreements with the other interconnecting ISPs at the IXP. The Routing Arbiter administers the traffic routing resulting from these peering agreements. This traffic routing and addressing information is provided to each ISP's router by a route server within the IXP LAN. Incoming packets are routed to the high-speed LAN ring, where the route server indicates the possible routes available to the packet.

The most common NAP architecture is a Fiber Distributed Data Interface (FDDI) dual ring backbone LAN running at 100 Mbps. Routers for each ISP are homed to the dual ring bus in the various access configurations discussed below.

1. The ISP provides and manages its own router, collocated at the IXP facility. The ISP would have dedicated access to this router via its own dedicated line (a T1 or T3). This option may not be available at all IXPs because of space limitations.
2. The ISP leases an IXP-provided router located at the IXP. The ISP has dedicated access to the IXP router via its own dedicated line.
3. The ISP leases the dedicated connection and the router from the IXP.
4. The ISP leases switched access service to the IXP facility from the IXP or another provider. Switched access may include ATM, Switched Multimegabit Data Service (SMDS) and frame relay.

These access configurations are shown in Exhibit 3-5. For each of the access configurations, all IXP equipment is located in a single facility.

Exhibit 3-5 Typical National-scope IXP Configurations (figure of the four configurations: (a) ISP-owned router over a leased dedicated T1; (b) IXP-leased router over a dedicated T3; (c) IXP-leased line and router; (d) carrier switched service (ATM, SMDS, frame relay) into an IXP-leased router)

Other IXP architectures that have been used include SMDS and ATM networks. Lower bandwidth solutions may be more commonplace in regional or metropolitan IXPs. All IXPs are privately owned and administered by IECs, Incumbent Local Exchange Carriers (ILEC), Competitive Local Exchange Carriers (CLEC) or ISPs. The four NSF-sponsored NAPs are owned by Sprint, MFS, Pacific Bell and Ameritech. Regional and metropolitan IXPs may also be owned by ISPs; the SMDS Washington Area Bypass (SWAB) is operated by PSINet. The IXPs normally charge flat interconnection fees and usage-based fees to the interconnecting ISPs. Large IECs and LECs can provide network management for their IXPs from their PN network management centers. Most IXP operators will ensure reliability of service and mean time to repair, and provide maintenance for collocated equipment. The dual ring buses used in many large IXPs are also very robust to a single line fiber cut. A single dedicated connection from the ISP network to the IXP router will pose the greatest vulnerability in the IXP architecture. Redundant connections to the IXP should be used by regional ISPs that do not have a presence at multiple IXPs.

3.2.2 IXP Peering Agreements

The policies for data exchange at an IXP are set forth by the parties involved. Just because an ISP connects to a particular IXP does not guarantee that that ISP can exchange traffic with every other ISP connected to that exchange point. Agreements that specify how traffic is carried and transferred, and how billing is handled, have to be established and maintained between the ISPs on an IXP. Any ISP can connect to an IXP as long as the ISP agrees to the predefined policies. Currently there are three different types of exchange policies:

- Bilateral
- Multilateral
- Multi-party bilateral

A bilateral agreement is between only two ISPs at an exchange center. A multilateral agreement is between many ISPs at an exchange center. A multi-party bilateral agreement is between a small ISP and a large ISP to carry the small ISP's traffic to other ISPs. The more IXPs a single ISP connects to, the better the performance and reliability of the service.

Each IXP has its own procedures for establishing peering agreements among the IXP-attached ISPs. A peering agreement is defined as the advertising of routes via a routing protocol for customers of the IXP participants. Specifically, the ISP is obligated to advertise all its customers' routes to all other participating ISPs and to accept the customer routes advertised by the other ISPs. ISPs are required to peer with the IXP's route server, which facilitates the routing exchange between the routers. The route server gathers the routing information from each router, processes the information based on the routing policy requirements, and passes the processed routing information to each of the IXP-attached ISPs. Currently ISI handles the work done on the routing management system, while Merit implements and maintains the route servers and route server databases.

3.2.3 National-scope IXP Architecture Example

Pacific Bell's NAP, located in San Francisco, California, is fairly typical of national-scope IXPs. PacBell's NAP is an ATM/FDDI hybrid LAN, whereas other national-scope IXPs may be a straight FDDI design or an FDDI/Ethernet hybrid. PacBell's use of ATM makes it one of the fastest IXPs, capable of up to 139 Mbps for OC-3 access. PacBell's FasTrak(SM) ATM Cell Relay Service offering is being rolled out in phases, first utilizing Permanent Virtual Circuits (PVC) and in the future Switched Virtual Circuits (SVC). As the ATM technology matures and becomes more of an industry and user standard, PacBell and other IXP operators will migrate to fully switched ATM backbones. The SF NAP consists of ATM switching sites in the San Francisco area connected by Synchronous Optical Network (SONET) links.
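The policy processing that Section 3.2.2 attributes to the route server, as an added example written for this page (it is not code from the report or from the Routing Arbiter project). ISP names, prefixes and the three registered agreements are constructed; a participant with no agreement at all (LoneNet) shows that attaching to the IXP does not by itself let an ISP exchange traffic with the others:

```python
"""Toy IXP route server applying bilateral, multilateral and multi-party
bilateral peering policies (constructed example, not the report's code)."""

# Prefixes each IXP participant announces to the route server for its customers.
ANNOUNCEMENTS = {
    "BigNet":   ["10.1.0.0/16", "10.2.0.0/16"],
    "MidNet":   ["10.3.0.0/16"],
    "OtherNet": ["10.5.0.0/16"],
    "SmallNet": ["10.4.0.0/24"],
    "LoneNet":  ["10.6.0.0/16"],   # attached to the IXP but holds no agreements
}

BILATERAL = {("BigNet", "MidNet")}                # agreement between exactly two ISPs
MULTILATERAL = {"BigNet", "MidNet", "OtherNet"}   # every member peers with every other member
MULTIPARTY = {"SmallNet": "BigNet"}               # small ISP -> large ISP that carries its traffic


def peers_of(isp):
    """ISPs with which `isp` has a direct exchange agreement."""
    peers = set()
    for a, b in BILATERAL:
        if isp == a:
            peers.add(b)
        elif isp == b:
            peers.add(a)
    if isp in MULTILATERAL:
        peers |= MULTILATERAL - {isp}
    for small, carrier in MULTIPARTY.items():
        if isp == small:
            peers.add(carrier)
        elif isp == carrier:
            peers.add(small)
    return peers


def compute_rib():
    """What the route server hands back to each participant:
    isp -> {prefix: (next_hop_isp, path_of_isps)}."""
    rib = {}
    for isp in ANNOUNCEMENTS:
        table = {}
        # Routes exchanged directly under a bilateral or multilateral agreement.
        for peer in sorted(peers_of(isp)):
            for prefix in ANNOUNCEMENTS[peer]:
                table[prefix] = (peer, [peer])
        # Multi-party bilateral: the carrier relays routes in both directions
        # between the small ISP and the carrier's own peers.
        for small, carrier in MULTIPARTY.items():
            if isp == small:
                for third in sorted(peers_of(carrier) - {small}):
                    for prefix in ANNOUNCEMENTS[third]:
                        table.setdefault(prefix, (carrier, [carrier, third]))
            elif isp != carrier and carrier in peers_of(isp) and small not in peers_of(isp):
                for prefix in ANNOUNCEMENTS[small]:
                    table.setdefault(prefix, (carrier, [carrier, small]))
        rib[isp] = table
    return rib


def can_reach(rib, isp, prefix):
    """True if the route server gave `isp` a route to `prefix`."""
    return prefix in rib[isp]


if __name__ == "__main__":
    for isp, table in compute_rib().items():
        print(isp)
        for prefix, (nh, path) in sorted(table.items()):
            print(f"  {prefix:15} via {nh:9} path {' > '.join(path)}")
```

Running it prints each participant's table; SmallNet reaches MidNet and OtherNet only through BigNet, and nobody holds a route to LoneNet's prefix.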
Participants can access the NAP network using an ADC Kentrox ADSU and a Cisco 7000 or 7010 router. Access speeds reach 36.3 Mbps for DS-3 access and 139 Mbps for OC-3 access. In addition to the ATM network, the NAP includes an interconnected FDDI dual-ring LAN. The FDDI LAN provides service to customers that require bandwidth of less than 30 Mbps. The FDDI LAN was added when PacBell tests indicated that the ATM network was dropping cells at speeds between 20 and 30 Mbps. ISPs provide or lease dedicated T1 or T3 connections to PacBell DSUs and Cisco 7000 routers connected to the FDDI backbone. Exhibit 3-6 depicts PacBell's San Francisco NAP hybrid network architecture.

3.2.3.1 Routing

Each participating ISP must negotiate bilateral peering agreements with other ISPs before connecting with PacBell's San Francisco NAP. Routing on the FDDI ring is accomplished via the route server database maintained by the Routing Arbiter. On request, PacBell will provide NAP clients with a PVC to the Routing Arbiter route server database to receive and provide routing updates. Routing among peered ISPs may also be accomplished by direct PVC connections between the ISPs at the NAP, without regard to the route server database.

Exhibit 3-6 PacBell San Francisco NAP Hybrid Architecture (figure: Internet service providers, network service providers and regional network access providers attached over DS-3 ATM clear channel links and the FDDI ring, with the Routing Arbiter route server and Cisco 7000 routers; detail not legible in the scan)

3.2.3.2 National ISP Clients

The San Francisco NAP interconnects numerous national and regional ISPs. National ISPs include ANS, MCI and Sprint.

3.2.4 Metropolitan IXP Architecture Example

PSI Inc. manages a metropolitan IXP in the Washington, DC area. PSI established the SWAB as an alternative IXP to the MAE-EAST NAP. SWAB operates nearly identically to the national-scope IXPs, requiring participating ISPs to negotiate peering agreements. Unlike the NAPs, the SWAB network is not facilities-based. Instead, each interconnecting ISP subscribes to Bell Atlantic's SMDS service, over which the IP traffic is routed.

Each participating ISP must subscribe to Bell Atlantic's SMDS service at a specified access class speed. SMDS may be accessed at up to 34 Mbps, making it a lower bandwidth solution than FDDI or ATM. The ISP must supply its own dedicated access (either T1 or T3) to the SMDS service. To route over SMDS, the ISP must also provide an SMDS-capable DSU and an IP router that supports SMDS encapsulation at the SWAB interface. SWAB provides broadcast capabilities by use of SMDS address groups. The SWAB participants can have their SMDS address included in the SWAB SMDS address group for broadcast purposes.

3.2.4.1 Routing

The functionality of the Routing Arbiter's route server database is provided using SMDS address screening. Address screening is used to filter out SMDS addresses from the SMDS connection, analogous to how the PN can screen calls from a voice line. An ISP's screen accepts packets from peered ISPs while refusing packets from other ISPs. Each ISP must request that Bell Atlantic screen SMDS addresses from its SWAB interface.

3.2.4.2 National ISP Clients

Currently two national ISPs (names not legible in the scan) are the only national ISPs interconnected at the SWAB.

3.3 INTERNET ROUTING PROTOCOLS

The Internet, as previously described, is a collection of networks that allows communications between research institutions, universities and many other organizations worldwide. These networks are connected by routers. A router is connected to two or more networks, appearing to each of these networks as a connected host. Forwarding an IP datagram generally requires the router to choose the address of the next router in the path or, for the final hop, the destination host. This choice, called routing, depends on a routing database located within the router. The routing database is also known as a routing table or forwarding table. The routing database should be maintained dynamically to reflect the current topology of the Internet. A router normally accomplishes this by participating in distributed routing and least-cost routing algorithms with other routers.

Routers within the Internet are organized hierarchically. Some routers are used to move information through one particular group of networks under the same administrative authority and control, known as an autonomous system (AS). Routers used for this purpose are called interior routers, and they use a variety of Interior Gateway Protocols (IGP). Routers that move information between ASs are called exterior routers, and they use Exterior Gateway Protocols (EGP). There is no standard protocol for either IGP or EGP. However, there are three protocols that are used by the ISPs and at the IXPs on the Internet. Generally, ISPs use the Routing Information Protocol (RIP) or the Open Shortest Path First (OSPF) protocol. Most IXPs use the Border Gateway Protocol Version 4 (BGP4) as their routing protocol. All three protocols are dynamic, in that the routers interact with adjacent routers to learn which networks each router is currently connected to. The IGP protocols RIP and OSPF are detailed in Sections 3.3.1 and 3.3.2, respectively; BGP4 is presented in Section 3.3.3.

3.3.1 Routing Information Protocol

RIP was developed by the Xerox Corporation in the early 1980s for use in Xerox Network Systems (XNS) networks. RIP is a dynamic protocol that continually updates its routing table based on information received from its adjacent routers. RIP is a distance-vector protocol, meaning that each router maintains a table of distances (hop counts) from itself to each other router in the system. These routing tables are updated based on RIP messages from adjacent routers. RIP performs five basic operations:

- Initialization
- Request received
- Response received
- Regular routing updates
- Triggered updates

On execution, RIP determines which of the router's interfaces are up and sends a request packet out on each interface. The purpose of this request packet is to ask each of its adjacent routers for their entire routing table. A request received operation occurs when a router receives a packet from one of its adjacent routers asking for all or part of the router's routing table. The router will process the request and reply by sending the requested data. A response received operation occurs when a router receives a response to its request for all or part of its adjacent routers' routing table. When a response is received, the router must validate the response and update its routing table. Regular routing updates occur every 30 seconds: a router sends either all or part of its routing table to all of its adjacent routers. This ensures that each router on the network consistently has an accurate routing table. Finally, a triggered update occurs when a router notices that one of its routes has changed. The router sends all routes from its routing table which are affected by the changed route, which may or may not be the entire table.

Although RIP appears to be a very simple protocol, it does have serious limitations. First, as shown by the series of operations in RIP, the protocol propagates either all or part of a router's routing table every 30 seconds, in addition to any triggered updates. Consequently, the protocol is very slow to stabilize when network failures or routing errors occur. Second, RIP limits the number of hops between any two hosts on the network to 16. This means that hosts that are more than 15 hops apart within a single AS will not be able to communicate with one another. As a result, RIP is not well suited for large internetworks and works best in small environments. Finally, when faced with multiple routes between a router and a network, RIP always chooses the path with the smallest number of hops. This choice does not consider other cost factors, such as line speed and line utilization, which are important when choosing a path between two nodes. Although RIP is still a very popular protocol, many companies are moving toward its replacement, OSPF.

3.3.2 Open Shortest Path First

OSPF was developed by the Internet Engineering Task Force (IETF) as a replacement for RIP. OSPF is designed to overcome the limitations of RIP and is supported by all major routing vendors. OSPF uses IP and its own protocol at the transport layer, not UDP or TCP. OSPF is a dynamic link-state protocol, unlike RIP, which is a distance-vector protocol. In a link-state protocol, a router does not exchange distances with its neighbors. Instead, each router tests the status of its links with its neighbors and sends this information to each adjacent router. Routers using OSPF are able to build an entire routing table based on the link-state information received from each of their neighbors.

In contrast to RIP, OSPF does not make its routing decisions based on the number of hops to a destination. Instead, OSPF assigns a dimensionless cost to each of the interfaces of the router. This cost is not based on hop count but on throughput, round trip time, reliability, etc. When the router is faced with multiple paths for a particular route, the routing decision is made using this cost. If two routes exist with the same cost, OSPF distributes the traffic equally among the routes. Additionally, OSPF allows multiple routes to a destination based on the type of service (Telnet, FTP, SMTP). This means that a router can choose the best route for outgoing packets based on the type of traffic contained within the packet.

As described in Section 3.3.1, RIP is not well suited for larger internetworks because of its functionality. OSPF, however, is designed for larger networks and stabilizes much faster when network failures or routing errors occur. OSPF also does not impose limitations on the number of hops between any two hosts, because it does not use this metric when making routing decisions. Although RIP is still very popular, OSPF will ultimately replace RIP as the Internet grows.

3.3.3 Border Gateway Protocol Version 4

The primary routing protocol used on the Internet is BGP4. This protocol is used on Internet core (high-level) routers
to dynamically learn network reachability, respond to outages and avoid routing loops in interconnected networks. Although RIP and OSPF are IGPs, BGP4 is an EGP used to pass traffic between different autonomous systems. BGP4 uses the TCP protocol to communicate routing information with its peers. Routers using BGP4 classify traffic as either local traffic or transit traffic. Local traffic is traffic that either originates or terminates in the router's AS. All other traffic is classified as transit traffic. The goal of BGP4 is to reduce the amount of transit traffic on the Internet.

The BGP4 system exchanges network reachability information with other BGP4 systems. This information includes the full path of autonomous systems that traffic must transit to reach the destination. The network reachability information is used by the router to construct a graph of AS connectivity. Once constructed, routing loops can be removed from the AS connectivity graph and routing policy decisions can be enforced. BGP4 peers initially exchange their full routing tables. From then on, incremental updates are sent as the routing tables change. BGP4 assigns a version number to the routing table, and all adjacent routers will have the same version number for their routing tables. This version number changes whenever the routing table is updated as a result of routing information changes. To ensure that each adjacent router is alive, keepalive(5) packets are sent between peers, whereas notification packets are sent in response to errors or other special conditions.

After a router using BGP4 receives routing updates, the protocol decides which paths to choose to reach a specific destination. Like RIP, BGP4 is a distance-vector protocol that allows only a single path to a destination. However, BGP4 does not impose a limit on the number of hops between two hosts and stabilizes quickly after network failures or routing errors occur. The decision process is based on different factors, including next hop, path length, route origin and local preference. BGP4 always propagates the best path to its adjacent routers. Currently BGP4 is used by most IXPs on the Internet, but is not defined as the standard EGP.

(5) The keepalive operation is independent from the TCP version of keep-alive.

3.4 INTERNET ACCESS

The last, and in some ways the most vulnerable, component of the Internet architecture is the link between the service provider and the customer. This access connection is typically a single dedicated or switched line over PN facilities. Because access is provided over a single PN line, the connection is vulnerable to outages. This situation is identical to the last mile vulnerability of the PN architecture. Most other parts of the Internet architecture can use redundant links to route around outages. However, the access link is typically a single point of failure for an end user's connection to the Internet. Internet access can be divided into two broad categories: business access and residential access. These categories are described separately below.

3.4.1 Business Access

Large and medium-size businesses use dedicated lines to connect their enterprise to the Internet. These lines are either bundled with the ISP's service or leased separately by the company. In either case, the connection travels over PN facilities. Most large businesses use T1 (1.544 Mbps) or higher connection speeds. Medium-size businesses use fractional T1 speeds (128 to 768 Kbps), depending on their traffic requirements. Small businesses (10 to 50 employee sites) may be able to get by with a 56 Kbps leased line or a 128 Kbps Integrated Services Digital Network (ISDN) connection. Leased line connections are available from ILECs and, in metropolitan areas, from CLECs. Today CLEC companies include CAPs (e.g., Metropolitan Fiber Systems, Teleport Communications Group) and in many cases IECs (LDDS, MCIMetro). As legislation opens the local exchange to increased competition, leased lines may be available from utility companies, cable companies or other providers.

3.4.2 Residential Access

Residential access connects a single user's computer to an ISP, reseller or on-line provider. Most residential access is through modem connections over LEC analog telephone lines. However, ISDN is gaining popularity with residential users as ISDN equipment and service prices drop. Both ISDN and analog modem connections use PN switched connections. The characteristics of analog modem and ISDN connections are described in Exhibit 3-7 below. The bandwidth allocation for ISDN and analog modems is symmetric, meaning that there is an equal amount of inbound and outbound bandwidth. Unfortunately, many traffic applications are asymmetric, whereby the user receives far more inbound traffic than he or she generates. Examples of asymmetric applications include video-on-demand (a small request to access a movie results in many gigabits of high resolution video) and Internet access (a small request to access a Web page results in many megabits of text and images from the Web page).

Exhibit 3-7 Analog Modem and ISDN Characteristics

  Characteristic                                     Analog Modem      ISDN
  Speed (Kbps)                                       2.4 to 33.6       64 to 128
  Equipment cost                                     $100 to $150      $300 to $400
  Representative service cost, flat rate plus usage(4)  $40/month      $100/month plus $.02/minute

(4) Includes the cost of service from the LEC and the cost of access from the ISP.

ILECs, cable companies and direct satellite companies are testing and deploying several access technologies (see Exhibit 3-8 below). These technologies have up to 30 Mbps of inbound bandwidth and up to 2 Mbps of outbound bandwidth.

Exhibit 3-8 Asymmetric Internet Access Characteristics

  Characteristic     Direct Broadcast Satellite          ADSL                  Cable Modems
  Provider           DirecTV                             LECs                  Cable companies
  Inbound speed      400 Kbps                            1.544 to 6 Mbps       10 to 30 Mbps
  Outbound speed     28.8 Kbps over analog phone lines   16 to 512 Kbps        68 Kbps to 2 Mbps
  Equipment cost     $1,300                              $1,000                $500
  Service cost       $40/month                           $60 to $100/month     $40/month
  Status             Deployed                            In trial              In trial

The direct broadcast satellite offering is the only one of the three that is currently in widespread distribution. Direct broadcast satellite allows a user to receive inbound
traffic over a 1-meter satellite dish and transmit outbound traffic over a standard analog modem line.

Asymmetric Digital Subscriber Line (ADSL) is a technology developed by the LECs to provide high bandwidth asymmetric connections over standard copper twisted pair wire. ADSL was originally developed exclusively for the home entertainment market (video on demand, interactive cable). However, as residential Internet access has grown in popularity, the LECs have added Internet access to their ADSL marketing efforts. ADSL is popular with LECs because copper cable is the basis for almost every residential phone installation. ADSL has a head start over its rival technologies because of the widespread deployment of copper wire, which reaches 98 percent of US homes, compared to 60 percent for cable. However, ADSL does have several drawbacks:

- Installation costs are high to upgrade existing copper cable to carry ADSL signals.
- Subscribers must be within 10,000 feet of the central office to reliably receive ADSL signals.
- Strong local AM stations can interfere with ADSL signals.
- The bandwidth available for communication is far less than the bandwidth available over cable modems.

Cable modems have the highest inbound and outbound bandwidth but also have the most obstacles to widespread deployment. Cable modems depend on a two-way communication path between the cable operator and the subscriber. Almost every cable installation is designed to provide only a one-way path for video. To facilitate Internet access over cable plant, cable operators must upgrade their coaxial cable networks to two-way operation. Once upgraded, cable operators may have additional problems with the reliability of their plant: cable wires are installed only several inches below ground level and are highly susceptible to outages due to unintentional cable cuts. Once these issues are addressed, cable modems may easily fill a niche in the new market of Internet-enabled television. Currently, access for these devices is provided using
analog modems over dial-up lines.

4 INTERNET ANALYSIS

As described in Section 3, the Internet can be viewed as an interconnection of national and regional networks, end-users and organizations, and interexchange points. The Internet is a very dynamic entity that is constantly evolving and growing. Therefore, it is impossible to identify all of the components of today's Internet. For this report, the Internet is analyzed to identify key components used to transmit network traffic across the Internet. To achieve this purpose, a software tool, referred to as the Internet Analysis Tool (IAT), was used to automatically trace the routes used to send traffic between two hosts on the Internet. The tool collects the set of routers an IP packet traverses on its path from one host to another. The analysis of these routes will identify traffic trends and key components in the Internet infrastructure. This section provides an in-depth description of the IAT and the analysis results. Section 4.1 details the functionality of the IAT. Section 4.2 details the implementation of the tool, including the set of hosts that was analyzed. Section 4.3 presents the analysis methodology and the results of the analysis.

4.1 INTERNET ANALYSIS TOOL FUNCTIONALITY

The purpose of the IAT is to collect the routes traveled by IP packets from one host to another. Because it is impossible to collect and analyze routes between every host on the Internet, a subset was chosen to provide an accurate sample of US Internet traffic. Section 4.2 details the sites chosen for this analysis. The IAT utilizes a UNIX utility, traceroute, to record the different routers a packet traverses once it is sent from the originating host to the destination host. The traceroute application is available with all UNIX and UNIX-variant operating systems. traceroute uses the Time To Live (TTL) field in the IP packet header to determine the routers in a particular path. The purpose of the TTL field is to ensure that packets do not stay on the Internet for an infinite amount of time as a result of a routing loop. Each router that receives an IP packet is required to decrement the TTL field in the IP header by the number of seconds the router holds onto the datagram. Because most routers process a datagram in less than one second, the field effectively becomes a hop counter that is decremented by one by each router. IP packets are usually transmitted with a TTL of 60 by the originating host. When a router has an IP datagram with a TTL of one, the router decrements the TTL to zero, discards the packet and returns an error message to the originating host. This error message is an Internet Control Message Protocol (ICMP) packet that identifies the router that sent the error message and indicates that the time has been exceeded on the datagram.

The basic operation of the IAT is to send out traceroute IP datagrams beginning with a TTL of one, then a TTL of two, and so on until the entire route between two hosts is determined. The router receiving the first IP datagram with a TTL of one will decrement the TTL and return an ICMP message to the originating host. This identifies the first router in the path. The IAT will then send out a second traceroute IP datagram with a TTL of two. The first router decrements the TTL to one and sends the datagram to the next router in the path. The second router will decrement the TTL to zero and return the ICMP message. This continues until enough datagrams have been sent to have one of them reach the destination host. The destination will not discard the traceroute IP datagram even though it will have a TTL of one, because the datagram is addressed to that host. For the IAT to determine that a datagram has reached its destination (because it has not received the final ICMP message), the IAT sends UDP datagrams to the destination host using a very high destination port number. The destination host will not respond to incoming packets on this port number; thus the destination host will send back an ICMP port unreachable error to the IAT. The IAT differentiates between the time exceeded and port unreachable errors to determine when the route has been fully traced.

The output from an IAT execution is the set of routers in the path between two hosts. For each router, three datagrams are sent and the round trip time between the originating host and the router is collected. Exhibit 4-1 depicts the sample output from a source host to the destination host.

Exhibit 4-1 Sample Output From the IAT (traceroute listing of nine hops; each line gives the hop number, the router's host name and IP address, and three round trip times in ms; the first hop is Cisco-AGS.dcmetro.bah.com (156.80.11.2) at about 2 ms, the second is a PSINet router in herndon.va.psi.net; the remaining lines are not legible in the scan)

4.2 INTERNET ANALYSIS TOOL IMPLEMENTATION

This section details the implementation of the IAT described in Section 4.1. For this analysis, two sites were chosen as source sites:

- Booz-Allen & Hamilton, McLean, Virginia, on the PSINet network
- Proxima, McLean, Virginia, on the MCI network

The tool collected routes from each of these two sites to 105 other sites located across the United States. The Web sites chosen for this analysis included the following:

- 23 NCS Member Organizations' Web sites
- 50 State Web sites
- Major university Web sites
- Popular commercial Web sites

Appendix A provides the entire list of Web sites used in this analysis. Exhibit 4-2 also shows the geographic locations of these sites. The IAT, which collects the routes from the two source locations to all 105 sites, is executed six times daily, every four hours beginning at midnight. This results in a sample of Internet traffic throughout the day. The output from this tool is formatted and loaded into an Oracle database, where the analysis on the collection of routes is performed. Section 4.3 presents the analysis methodology followed by the study.

Exhibit 4-2 Site Locations (map figure of the continental United States showing the destination Web sites by type: NCS Member Organization, State, university and commercial sites; detail not legible in the scan)

4.3 INTERNET ANALYSIS RESULTS

The data collected using the IAT represents a general picture of Internet connectivity. The destination Web sites used in the analysis were selected to provide both a United States and an NCS-specific view of the Internet's topology.

4.3.1 Internet Analysis Methodology

An in-depth analysis of the physical topology of the Internet would be an incredibly complex and difficult task. Because of the number of national backbones and regional distribution networks spanning multiple carriers, the Internet's topology is an amalgamation of CLEC, ILEC and IEC networks. Determining the entire physical topology of the Internet may well be impossible without the cooperation of these PN carriers. An analysis methodology was developed to provide the most complete and valuable view of the Internet and its topology. The methodology defines the steps used to evaluate the data obtained from the IAT. A description of the methodology is presented below.

- Identify Scope. Although the Internet is too large and complex to be handled in its entirety, the scope of the analysis was selected to provide a representative view of the Internet. The IAT is most useful in analyzing single specific routes, not large network topologies. Given enough representative routes, the collective results of the IAT can provide a view of portions of the larger Internet. By collecting data at various times of day from multiple routes, the IAT provides a representative set of data. The originating and destination sites selected for this analysis provide a distribution of sites across the United States. The inclusion of the NCS Member Organizations provides a capability to capture and analyze data specifically for the NCS community.

- Identify Pertinent Data. The data used in the analysis must provide a complete and accurate picture of how IP packet traffic will be routed over the Internet. Variables such as the distance traveled, the number of networks traversed and the congestion of the network will affect how packets traverse the network. The IAT
provides a host of data that is used to analyze our representative Internet routes The data used in this analysis includes the following Origin to destination route - Physical distance of route in air-miles Time of day 4-4 - Round trip time Number of hops in route - Routers in route - Networks in route - Manna Valuable Results The purpose of the analysis is to identify the discriminating variables that affect the Internets performance Using the availabie data round trip time and number of hops in route the analysis shouid indicate differences in performance based on the following variables - Critical nodes Physical distance between hosts - Time of day congestion Number of networks traversed - Relative size of networks traversed NSF versus RSP These results will provide input to the analysis of the vulnerabilities of the Internet They may also identify how the OMNCS and NCS Member Organizations can improve Internet reliability by choosing certain lSPs mirroring important Web sites or performing in off-peak h0u rs Exhibit 4-3 illustrates the Internet analysis methodology Exhibit 4-3 Internet Analysis Methodology identify Scope of Analysis - Onginanng Sues I lestinatlon hues CON US coverage In 23 NCS Member Urganiuions 50 Sue neh sII-cs Hapr university ueb sues Popular commerclal ueh sites Identify Pertinent Data - Anal sis Constants Routes a Physical Distance - Anal sis Variables Rowers mule Networks in mun it 11 me in Round mourn-c in Time oi day 4 5 Results Identify Valuable I Collect Data and Complete Analyst Performance Vanables I- Cnlical nudes '3 of nonvolth mm at Nana-L size NSF ss Is 1111 ofDa lung Physical Distance 1 111 11 4 3 2 Internet Analysis Results The analysis focuses on identifying the path that is critical for transmitting data across the Internet s regional and national backbone networks The data provided by the IAT was analyzed to trace the paths through the Internet and to identify how Internet data traffic is affected by daily traffic surges 
and congestion, and by network outages. This analysis is intended to provide an estimate of the performance characteristics of a portion of the U.S.-based Internet. However, the results presented here cannot be assumed to represent the entire Internet or even the entire U.S.-based network. This is because of the limited scope of the data and the sheer size of the Internet in terms of routers and hosts. More thorough analyses of the entire Internet are planned as a follow-up to this initial analysis.

We chose to use two source hosts for this analysis, one based on Booz-Allen & Hamilton's network and the other on Proxima Inc.'s network. Booz-Allen and Proxima Inc. receive Internet service from two of the six NSPs ([illegible] and MCI, respectively). Therefore this analysis may primarily represent the characteristics of these two networks.

The data provided by the IAT traces is the basis of a statistical analysis of the number of hops and round trip time for the 210 source and destination pairs (2 sources and 105 destinations). Traces were given a status of either successful or unsuccessful. A successful trace was one in which the IAT packets generated reached the destination router address, and an unsuccessful trace was one in which they did not. Exhibit 4-4 shows the number of successful traces per source and the percentage of the total traces performed.

Exhibit 4-4 Status of IAT Traces

  Source        Total Traces   Successful Traces   Unsuccessful Traces
  Booz-Allen    5134           4468 (87.0%)        666 (13.0%)
  Proxima Inc   9128           8098 (88.7%)        1030 (11.3%)

A small percentage of the traces for both sources was determined unsuccessful. An unsuccessful trace could typically be attributed to one of the following reasons:
  - The destination name server entry could not be resolved, and therefore the trace never began
  - An initial router of the ISP could not be reached
  - A router or gateway in the path of the trace was unreachable
  - The destination server was unreachable, most likely due to it being shut down
  - The host's network might use code that is
incompatible with the testing protocol. That might have resulted in a router not returning the ICMP messages required for the operation of the IAT.

Exhibit 4-5 illustrates an approximate categorization of reasons why traces were unsuccessful. The percentages of those due to an unreachable path router, an unreachable destination server, or incompatible network code were combined. A hop-by-hop analysis of all unsuccessful traces, comprising nearly 45,000 hops, would be required to determine the component percentages.

Exhibit 4-5 Categorization of Unsuccessful IAT Traces

  Reason                                      Booz-Allen   Proxima
  Unresolved host name                        2.6%         0.2%
  ISP unreachable                             0.2%         0.8%
  Router or destination machine unavailable   10.2%        10.3%
  Total Unsuccessful                          13.0%        11.3%

The results described in the remainder of this analysis are solely based on successful traces.

4.3.2.1 Traffic Congestion

Internet traffic encounters congestion due to surges in its use in daylight hours. Traffic surges occur during working hours and most notably between noon and 6:00 p.m. Weekend traffic should not be as susceptible to Internet congestion because of the reduced number of business users. Our analysis assumes the effects of congestion will become manifest in the response time for data traveling over the Internet. The IAT collects the round trip time for a single datagram to travel to and from each of the destinations. For each destination, three datagrams are sent and the total travel time is recorded for each. The average travel time versus time of day for these datagrams is shown in Exhibit 4-6. As expected, these results appear to coincide with traffic patterns for a typical east coast IXP, MFS's MAE-EAST. The additional traffic on the Internet results in a proportional increase in the delay time. Representative weekday and weekend data for MAE-EAST and MAE-WEST are shown in Exhibit 4-7 and Exhibit 4-8, respectively. The traffic increase between 12:00 noon and 4:00 p.m. shown in the MAE-EAST traffic profile is similar to that of our
round trip time results. Note that traffic on MAE-EAST, located in Washington, DC, and MAE-WEST, located in San Jose, CA, are nearly identical for the time of day based on eastern standard time (EST). Because of the large amount of traffic traveling between the east and west coasts, these two IXPs are interdependent: the traffic generated on the east coast between 12:00 noon and 4:00 p.m. eastern time affects the west coast traffic patterns between 9:00 a.m. and 1:00 p.m. Pacific time.

Exhibit 4-6 Average Round Trip Time Versus Time of Day [figure: round trip time versus Eastern Standard Time, with weekday and weekend series for the Booz-Allen ISP and the Proxima ISP]

Exhibit 4-7 Typical Traffic Patterns at MAE-EAST [figure; source: MFS Datanet, Inc.]

Exhibit 4-8 Typical Traffic Patterns at MAE-WEST [figure; source: MFS Datanet, Inc.]

4.3.2.2 Network Outages

Network outages are the most disruptive of the Internet's vulnerabilities. In the case of critical nodes, a network outage can preclude access to or egress from the network, as in the case of an isolated regional or local network, or severely hamper the flow of traffic, as in the case of a NAP or IXP failure. Network outages will occur with much less frequency than network congestion, but they may result in a significant reduction of network capacity and availability, depending on their severity. We determined the number of hops in each successful trace from source to destination. Exhibit 4-9 compares the average number of hops with the time of day for each source network. It is clear that the number of hops does not depend on the time of day. This indicates that the path taken from source to destination does not change frequently due to outages or routing around network congestion. This is
because Internet routing tables are generally static. Routing tables are meant to change during a disruption in service and in the event of network congestion. Although some routing algorithms will route around link congestion, this analysis indicates this is uncommon, because the number of hops does not depend on the time of day while congestion does. Creating large Internet routing tables requires expensive processing power. This process can result in more route thrashing than actual routing. In fact, routing tables will normally only be recreated when links become disrupted or when a network administrator manually replaces the routing table.

Exhibit 4-9 Average Number of Hops Versus Time of Day [figure: average hop count versus time of day for each source network]

We hypothesize that an outage in a critical network node, such as a national IXP, would greatly reduce, but not eliminate, the ability of the Internet to route traffic quickly nationwide.

4.3.2.3 Critical Network Nodes

As explained in Section 3.2, the Internet relies primarily on the national IXPs to route and exchange traffic. Exhibit 3-1 shows the locations of the major IXPs across the United States. These high-speed LANs provide the majority of the routing among the backbone NSPs and the ISPs. Additionally, traffic is exchanged at private direct connects between networks. Private direct connect exchange points of this kind are becoming more common due to congestion at the IXPs; networks are establishing private direct connects to avoid congestion problems and improve routing redundancy.

The IAT output provides the IP address of each of the routers traversed in the Internet traces. Using this data, we compiled lists of the most commonly visited routers for our two source networks. Exhibit 4-10 shows the distribution of the normalized frequency of use for the top 50 routers for both sources. The normalized frequency was obtained by dividing the number of hits on any router by the total number of hits recorded by the IAT for that source. This allows a direct
comparison between the two sources. The first, second and third router in each trace is considered to be specific to the source. These three routers show a very high frequency of use for our sources, and they are therefore critical to these sources but do not fairly represent the remainder of the Internet. These three routers have been eliminated from the remainder of this analysis.

Exhibit 4-10 Top Routers' Normalized Frequency [figure: normalized frequency of use for the top 50 routers, Booz-Allen ISP versus Proxima ISP]

The network domain names provided by the IAT output identify the router's owner. Using these domain names, we identified the relative importance of ISP networks to the two sources. The normalized frequency of use for each network is shown in Exhibit 4-11. "Other" networks were those networks that did not individually represent a large portion of the total frequency of use or that were not identified by a domain name.

Exhibit 4-11 Normalized Frequency of ISP Network Use [figure: normalized frequency of use by ISP network for the Proxima ISP and the Booz-Allen ISP]

The critical network nodes had the highest frequency of use. Network nodes were considered critical if:
  - They had a high frequency of use
  - They were not too specific to the source routes (the top three routers)
  - They were not too specific to the destination routes

All routers with a normalized frequency greater than 0.004 were considered critical. Each of the sources shows a dependence on multiple critical network routers to trace a path to the destinations. Exhibits 4-12 and 4-13 show the critical ISP networks for the Booz-Allen and Proxima ISPs, respectively.

Exhibit 4-12 Booz-Allen's Critical Networks [pie chart; segment labels (BBN Planet among them) and percentages not reliably recoverable]

Exhibit 4-13 Proxima's Critical Networks [pie chart; segment labels and percentages not reliably recoverable]

Some of the critical nodes for one source were also critical to the other source. These nodes become our most critical nodes, which we can then identify as critical
to the Internet based on our study. Exhibit 4-14 shows the distribution of these critical nodes across networks.

Exhibit 4-14 Shared Critical Nodes [figure: number of shared critical nodes per network, BBN Planet among the networks shown]

4.3.2.4 Conclusions

Traces performed throughout the test period indicated high success rates, averaging between 87 and [illegible] percent. Of the unsuccessful trace attempts, most were due to an unreachable node (a router or the destination server in the path) that was probably either shut down or incompatible with the IAT software.

Internet use is highest during mid-to-late afternoon business hours. Based on the round trip time for packets to traverse the network, congestion peaks between the hours of 12:00 noon and 4:00 p.m. eastern time. However, the dependence of businesses on the Internet could not be determined; the analysis did not determine whether the Internet was used to conduct critical business communications and research or simply for personal use.

This analysis indicated that the number of hops did not depend on the time of day or the day of the week. Generally, routing tables are rarely modified to route around network congestion. Unlike switched traffic, the routes of Internet connections were somewhat predictable. Therefore the predictability of Internet routing, along with an increasing dependency on this communications medium, renders it vulnerable to targeted and intended network disruptions.

Routers appear to share a somewhat balanced traffic load within the backbone networks, excluding those routers closest to the two sources. As expected, a high number of router visits occurred in the initial hops of the traces. These initial routers are critical to the sources; however, they are not necessarily critical to the entire Internet. As the trace moved away from the source and into the backbone networks, the number of visits per router stabilized. Therefore a single critical router could not be identified; however, it could be determined which networks were more heavily traversed. For this analysis, MCI's network
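The critical-node procedure described in 4.3.2.3 and summarized above (normalized router frequency, exclusion of the first three source-specific hops, the 0.004 threshold, roll-up by owning network, and intersection across the two sources), as an added example that is not part of the original report and is not the IAT's own code. The trace generator is a constructed stand-in for IAT output; every address, domain name and path in it is constructed.

```python
"""Critical-node identification from traceroute-style paths.

Added example, not the IAT's own code. Steps mirror the report's procedure:
count hits per router, divide by the source's total hits (normalized
frequency), drop the first three source-specific hops, keep routers above the
0.004 threshold, roll up by owning network and intersect across sources.
All addresses, domains and paths below are constructed.
"""
from collections import Counter

SOURCE_SPECIFIC_HOPS = 3    # the first three routers belong to the source's ISP
CRITICAL_THRESHOLD = 0.004  # normalized frequency above which a router is critical

# Constructed backbone routers, grouped by the network (domain) that owns them.
BACKBONE = {
    "net-alpha.example": ["192.0.2.1", "192.0.2.2", "192.0.2.3"],
    "net-beta.example": ["198.51.100.1", "198.51.100.2"],
    "net-gamma.example": ["203.0.113.1", "203.0.113.2"],
}


def build_traces(prefix, isp, n_destinations, preferred_networks):
    """Stand-in for IAT output: one path per destination, each a list of
    (router_ip, owner_domain) hops. A path is three source-ISP routers, two
    backbone routers from one of the source's preferred networks (cycled per
    destination), a destination-side router and the destination host."""
    traces = []
    for d in range(n_destinations):
        path = [(f"{prefix}.{i}", isp) for i in (1, 2, 3)]
        net = preferred_networks[d % len(preferred_networks)]
        routers = BACKBONE[net]
        path.append((routers[d % len(routers)], net))
        path.append((routers[(d + 1) % len(routers)], net))
        path.append((f"10.{d}.0.1", f"dest{d}-isp.example"))  # destination-specific
        path.append((f"10.{d}.0.2", f"dest{d}.example"))      # the destination itself
        traces.append(path)
    return traces


def normalized_frequency(traces):
    """Hits per router divided by the total hits recorded for this source."""
    hits = Counter(ip for path in traces for ip, _ in path)
    total = sum(hits.values())
    return {ip: n / total for ip, n in hits.items()}


def critical_routers(traces, threshold=CRITICAL_THRESHOLD, skip=SOURCE_SPECIFIC_HOPS):
    """Routers above the threshold, minus the source-specific first hops.
    Destination-specific routers drop out by themselves: each is hit once,
    which is far below the threshold once there are enough traces."""
    freq = normalized_frequency(traces)
    source_specific = {ip for path in traces for ip, _ in path[:skip]}
    return {ip: f for ip, f in freq.items()
            if f > threshold and ip not in source_specific}


def network_frequency(traces, skip=SOURCE_SPECIFIC_HOPS):
    """Normalized frequency of use per owning network (Exhibit 4-11 style),
    ignoring the source-specific hops."""
    hits = Counter(domain for path in traces for _, domain in path[skip:])
    total = sum(hits.values())
    return {domain: n / total for domain, n in hits.items()}


def shared_critical_nodes(traces_by_source):
    """Routers critical to every source, counted per owning network
    (Exhibit 4-14 style)."""
    owner = {ip: dom for t in traces_by_source.values() for p in t for ip, dom in p}
    shared = set.intersection(*(set(critical_routers(t)) for t in traces_by_source.values()))
    return dict(Counter(owner[ip] for ip in shared))


def most_traversed_network(traces_by_source):
    """Network with the largest summed normalized frequency across sources."""
    totals = Counter()
    for t in traces_by_source.values():
        totals.update(network_frequency(t))
    return totals.most_common(1)[0][0]


if __name__ == "__main__":
    traces = {  # two sources, 105 destinations each, as in the report's design
        "source-a": build_traces("172.16.1", "isp-a.example", 105,
                                 ["net-alpha.example", "net-beta.example"]),
        "source-b": build_traces("172.16.2", "isp-b.example", 105,
                                 ["net-alpha.example", "net-gamma.example"]),
    }
    for name, t in traces.items():
        print(name, "critical routers:", sorted(critical_routers(t)))
    print("shared critical nodes by network:", shared_critical_nodes(traces))
    print("most traversed network:", most_traversed_network(traces))
```

With 105 destinations per source the destination-specific routers sit at 1/735 of the hits, below the 0.004 threshold, so only backbone routers survive; the network shared by both sources (net-alpha.example) comes out as the shared critical one.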
was traversed most frequently and was therefore critical to the success of the traces.

5 VULNERABILITIES

This section addresses connectivity vulnerabilities that are inherent in the architecture of the Internet. These systemic vulnerabilities result from the utilization of the current PN infrastructure by the Internet composite networks. The vulnerabilities include second-order effects, such as availability and reliability, due to outages on critical links and routing database errors. Security issues and vulnerabilities from outside influences, such as hackers, are not addressed. Internet vulnerabilities from hackers are addressed in the Electronic Threat Intrusion Report. The vulnerabilities associated with the ISPs, IXPs and Internet access connections are discussed below.

5.1 INTERNET SERVICE PROVIDERS

As introduced in previous sections, the ISPs provide the basic backbone architecture of the Internet. The ISPs can be divided into three categories: NSPs, RSPs and resellers. Internet vulnerabilities that are unique to each category are detailed in the following sections.

5.1.1 National Service Providers

The majority of the NSP links travel over dedicated lines leased from the PN carriers. PN dedicated lines travel in the same conduit as other switched PN lines. Thus the NSP links have a physical reliability comparable to that of the carrier's network. The IECs maintain their high reliability standards through a three-tier restoration architecture. This architecture is based on protocols, physical diversity and switching algorithms. Exhibit 5-1 details this tiered architecture. The PN providers' current restoration techniques for cable cuts, the most frequent cause of outages, are not available for the dedicated lines used in the Internet. The switching-based mechanisms are not available because of the fundamental differences between switched voice and data communications. The protocol- and physical-based restoration mechanisms, however, could be employed for dedicated line failures. Each NSP needs to
work closely with the PN providers to ensure that their dedicated lines are afforded these restoration techniques. For example, SONET rings are currently being deployed to increase the reliability of communications links. Traffic on a SONET ring automatically reverses its direction as a result of a cable cut. However, a PN provider may impose additional charges to add dedicated lines to a SONET ring if there are unused protected lines available. Thus the primary alternate routing schemes used to ensure connectivity are dependent on the routers' routing protocol and restoration plans.

Exhibit 5-1 PN Three-Tier Restoration Architecture

  Mechanism                        Basis                 Description
  SONET                            Protocol based        [illegible]
  Digital Cross Connects           Physical path based   [illegible]
  Dynamically Controlled Routing   Switching based       [illegible]

NSPs connect to multiple nationwide IXPs. Typically, an NSP's connection at each of these IXPs is non-redundant; if this connection is lost, the NSP will lose its connectivity to the IXP and the ability to exchange traffic with the other interconnected NSPs. However, if the NSP has connections to other IXPs, either regional or national, the NSP can still exchange traffic with the IXP-attached NSPs. The loss of the connection between an NSP and an IXP is critical only if the NSP does not have connections to multiple IXPs.

NSP networks are also susceptible to routing problems such as slow convergence and routing loops. The three routing protocols discussed, BGP-4, OSPF and RIP, can affect routing within and between ISP networks. Because BGP-4 is an external protocol, it can affect routing between ISPs. RIP and OSPF, which are internal protocols, will only affect an ISP's internal network.

RIP, the oldest of the three routing protocols discussed, has particular vulnerabilities that have been addressed by the newer protocols. RIP is a distance vector protocol based on hop count to the destination node. RIP routing tables contain only the single
best route from origin to destination; when a better route is present, it replaces the old route. When determining the best route available, RIP only considers the hop count and not other important factors such as bandwidth and line utilization. Additionally, RIP is very slow to converge after a network failure or routing error has occurred. If a link in the route path is disrupted, RIP may not settle on the new best route for several minutes. During those minutes, service between those particular nodes is disrupted. RIP is also susceptible to routing loops. In the minutes that it takes RIP to converge after a failure, routing loops may develop that will cause packets to route endlessly over the network until their TTL expires. Although there are modifications to the implementation of the RIP protocol that will help to avoid routing loops, they are subtle and may not be present in every network using RIP. Finally, because RIP propagates its routing table to each of its neighbors every 30 seconds, RIP networks that are already congested by user traffic will be congested further by these routing tables.

The OSPF routing protocol overcomes these shortfalls. The link state vector characteristic of OSPF allows each router in the network to have complete routing tables with multiple paths to a destination. This greatly improves convergence time during a network failure and eliminates the chance of routing loops. OSPF routinely propagates route advertisements every half hour. OSPF also uses IP's multicasting capability to reduce the bandwidth requirement for these advertisements. This reduces the overall bandwidth overhead on the network attributed to the routing protocol. In time, OSPF will replace RIP as the standard internal routing protocol on the Internet.

Exhibit 5-2 summarizes the vulnerabilities of the NSP networks, RSP networks, IXPs and the access portion of the Internet architecture. These vulnerabilities are described in greater detail in the following sections.

5.1.2 Regional Service Providers

RSPs have
similar vulnerabilities to those of the NSPs. These vulnerabilities may be compounded, since the smaller geographic scale limits the availability of physically diverse paths and their choice of a PN provider. This increases the possibility of isolation of the RSPs. RSPs usually have fewer connections to IXPs. These connections may also be limited to the region that the RSP services. If one or more of an RSP's IXP connections is disrupted, the service will suffer greater degradation than an NSP's would. An RSP's service could also be seriously affected by a regional natural or man-made disaster.

Exhibit 5-2 Internet Architecture Vulnerabilities [matrix: rows are national networks, regional ISPs, and government/LAN access; columns are vulnerability classes including server/network software configuration, cable cuts and routing errors; cell markings not recoverable]

Because of an RSP's smaller geographic coverage, traffic will be carried over fewer links. If a major link fails because of a cable cut, it can have a large effect on the traffic within the RSP's network. For example, in NorthWestNet's backbone, shown in Exhibit 3-2, the DS-3 circuit between Seattle, WA, and Portland, OR, is a critical high-bandwidth link. If that link fails, Portland's bandwidth to the national Internet connectivity provided at Seattle will fall from DS-3 (45 Mbps) to 3.088 Mbps (two T1s), a possible 93 percent drop in speed and bandwidth.

Since RSPs have smaller networks, much of their traffic is transmitted over other ISPs' networks. Thus the effects of EGP routing, IXP connection, and bilateral NSP network connection failures are more pronounced in an RSP's network. The RSP's traffic will also encounter the vulnerabilities of the NSP network carrying its traffic, including the reliability problems encountered due to routing errors.

5.1.3 Resellers

Resellers depend on their host network to provide reliable and responsive service. Resellers typically have a single dedicated connection between their distribution facilities and their ISP. This connection typically travels over PN dedicated
lines. A failure in the dedicated line will result in a loss of service for the users homed to that distribution facility. A reseller's network may become a congestion bottleneck when multiple customers access a single distribution facility with dedicated lines. If a reseller has not engineered the network connection for sufficient bandwidth to support dedicated and dial-up users, congestion may occur. This problem may occur in some reseller networks more than others. Network availability is also a concern for dial-up customers of reseller networks. The ratio of customers to reseller modems may vary from 5 to more than 15. During high congestion periods, customers may be unable to gain access to the Internet. Higher-ratio resellers have a greater potential for customer blocking.

5.2 INTEREXCHANGE POINTS

The interexchange point is the central location where ISPs meet to exchange network traffic. Recall from Section 3 that all the necessary switching and routing equipment for all IXP-attached ISPs and for the IXP itself are physically located within a single facility. Consequently, any disruption or disaster encountered at that facility could result in the loss of service at the IXP. For most NSPs, the loss of one IXP is not critical, because NSPs generally have connections to multiple IXPs nationwide. However, for RSPs the loss of an IXP is more critical, specifically if the RSP is connected to a single IXP. In addition to the physical vulnerabilities, IXPs are susceptible to routing problems between the various interconnected ISPs. Routing problems could come from EGP protocol faults or invalid IXP routing tables. IXP operators attempt to eliminate routing problems by requiring a single EGP protocol at the IXP.

5.3 INTERNET ACCESS

The Internet access connection is the most vulnerable aspect of the Internet with respect to business and residential end users. Business connections are typically single, non-redundant connections from the business' LAN to the ISP. Like all critical single lines, if the connection is lost, the
company loses Internet connectivity. Large companies with advanced nationwide WANs (GE, IBM and Boeing) may employ redundant connections to the Internet for reliability. A business' Web page will also be vulnerable to a cut in the Internet access link. However, businesses may have their Web pages hosted on an ISP Web server instead of hosting them on their own network. This practice reduces LAN traffic and provides those Web pages with the additional reliability provided by the ISP network.

Residential access to the Internet is provided almost exclusively through analog modem or ISDN dial-up access. Both are single connections and are a single point of failure for the residential connection. However, the overall reliability of the PN remains very high. Reliability will drop when users access the Internet using alternate schemes, such as cable, which are not built to telephone industry standards.

Flat-rate pricing for Internet service has also introduced new availability issues for LEC PN networks. These networks' demand and pricing models were designed based on a 5-minute voice call, whereas Internet data calls can last hours. During times of crisis, when voice and Internet traffic surge, long dial-up data calls may reduce the availability of the voice network using the same end-office switching capacity. Continued growth in the use of alternative access techniques, such as cable modems and DirecPC satellites, should eventually reduce these switching issues in PN carrier networks.

Some Internet users connect over direct broadcast satellite services such as DirecPC. DirecPC uses an inbound satellite connection over a 1-meter dish and an outbound connection over an analog modem. If either leg of this connection fails, the entire connection will be lost. The reliability of the analog modem link will be the same as described above. The reliability of the satellite link will depend on the satellite terminal at the residential location and the satellite company's downlink location. ADSL
will be comparable in reliability to other LEC access technologies (analog modem and ISDN). However, ADSL has limitations on where it can be installed. ADSL cannot be installed near a strong AM radio station because of AM frequency interference with the ADSL signal. Additionally, only homes within [distance illegible] feet of the LEC central office may be serviced by ADSL.

In the short term, cable modem reliability is close to that of the cable television provider. Cable modem service poses special reliability concerns because the cable industry, unlike the voice telephone industry, has not been required or expected to have the degree of reliability of phone service, because it is not considered essential to public welfare (911 emergency access). Typically the cable has not been installed to telephone industry standards and has been installed in shallow trenches, typically less than 6 inches deep. Additionally, cable providers do not employ the restoration mechanisms of the traditional carriers. These factors make the cable facility, and ultimately the cable modem connection, very vulnerable to cable cuts and outages.

APPENDIX A INTERNET ANALYSIS TOOL SITES

(Organizations and their Web sites; the Web site addresses are not legible in this copy.)

Federal organizations: Central Intelligence Agency, Department of Commerce, Department of Defense, Department of Health and Human Services, Department of Energy, Department of the Interior, Department of Justice, Department of State, Department of Transportation, Department of the Treasury, Department of Veterans Affairs, Federal Communications Commission, Federal Emergency Management Agency, General Services Administration, Joint Staff, National Aeronautics and Space Administration, National Communications System, Nuclear Regulatory Commission, United States Department of Agriculture, United States Information Agency, United States Postal Service, FedWorld Information Network, Library of Congress.

State governments: Alabama, Alaska, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa,
Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Vermont, Virginia, Washington, West Virginia, Wisconsin, Wyoming.

Commercial sites: Alta Vista, America Online, Apple Computer Inc., Computer Network (cnet), CNN, CompuServe, Digex, Interport (ISP), Lycos Inc., Macro Computer Systems Inc. (ISP), Microsoft Inc., MTV, NetCom (ISP), Netscape, Olympics, Oracle Corporation, Primenet (ISP), Sun Microsystems Inc., USA Today, WebCrawler, Windows Home Page, Word Magazine on line, World Wide Web Consortium, Yahoo.

Universities: Massachusetts Institute of Technology, Ohio State University, Stanford University, University of California Los Angeles, University of Illinois Urbana-Champaign, University of Michigan, University of North Carolina, University of Texas.
LIST OF ACRONYMS

ADSL        Asymmetric Digital Subscriber Line
ANS         Advanced Networks and Services
ANS CO+RE   ANS Commercial Research and Education
ARPA        Advanced Research Projects Agency
AS          Autonomous System
ATM         Asynchronous Transfer Mode
BGP-4       Border Gateway Protocol Version 4
CAP         Competitive Access Provider
CIX         Commercial Internet Exchange
CLEC        Competitive Local Exchange Carrier
DARPA       Defense Advanced Research Projects Agency
DoD         Department of Defense
EGP         Exterior Gateway Protocol
EST         Eastern Standard Time
FDDI        Fiber Distributed Data Interface
FIX         Federal Internet Exchange
FTP         File Transfer Protocol
IAT         Internet Analysis Tool
ICMP        Internet Control Message Protocol
IEC         Interexchange Carrier
IETF        Internet Engineering Task Force
IGP         Interior Gateway Protocol
ILEC        Incumbent Local Exchange Carrier
IPv6        Internet Protocol Version Six
ISDN        Integrated Services Digital Network
ISI         Information Sciences Institute
ISP         Internet Service Provider
IXP         Interexchange Point
LAN         Local Area Network
LEC         Local Exchange Carrier
MAE         Metropolitan Area Ethernet
MAN         Metropolitan Area Network
MFS         Metropolitan Fiber Systems
MXP         Metropolitan Exchange Point
NAP         Network Access Point
NCP         Network Control Protocol
NCS         National Communications System
NREN        National Research and Education Network
NS/EP       National Security Emergency Preparedness
NSF         National Science Foundation
NSFNET      National Science Foundation Network
NSP         National Service Provider
OMNCS       Office of the Manager, NCS
OSPF        Open Shortest Path First
PC          Personal Computer
PN          Public Network
POP         Point of Presence
PPP         Point-to-Point Protocol
PVC         Permanent Virtual Circuit
RBOC        Regional Bell Operating Company
RIP         Routing Information Protocol
RSP         Regional Service Provider
SLIP        Serial Line Interface Protocol
SMDS        Switched Multimegabit Data Service
SONET       Synchronous Optical Network
SVC         Switched Virtual Circuit
SWAB        SMDS Washington Area Bypass
TCP/IP      Transmission Control Protocol/Internet Protocol
TTL         Time To Live
UDP         User Datagram Protocol
vBNS        Very High Speed Backbone Network Service
WAN         Wide Area Network
WWW         World Wide Web
XNS         Xerox Network Systems
AN ASSESSMENT OF
THE RISK TO THE SECURITY OF PUBLIC NETWORKS

NOT TO BE FURTHER DISTRIBUTED WITHOUT PERMISSION OF THE DEPUTY MANAGER, NCS

Prepared by the U.S. Government and National Security Telecommunications Advisory Committee (NSTAC) Network Security Information Exchanges

DECEMBER 12, 1995

TABLE OF CONTENTS

Preface
Executive Summary
1 Introduction
1.1 Background
1.2 Value of the Public Network
1.3 Scope
1.4 Methodology
2 Changing Business Environment
2.1 Reducing Expenses
2.2 Increasing Revenue
2.3 Changes in How and Where People Work
3 Threat
3.1 Motivation
3.2 Techniques and Tools
3.3 Overall Threat
4 Deterrents
4.1 Law Enforcement
4.2 Legislation
4.3 Education and Awareness
4.4 Overall Deterrents
5 Vulnerabilities
5.1 Known Vulnerabilities
5.2 Firewalls
5.3 Internet Connectivity
5.4 Centralized Control Centers
5.5 Open Protocols
5.6 Standards
5.7 New Technologies
5.8 Industry Restructuring
5.9 Overall Vulnerability
6 Protection Measures
6.1 Current Protection Mechanisms
6.2 Security Research and Development
6.3 Risk Management
6.4 Overall Protection
7 Consequent Risk
Appendix A The Risks to Optical Networks (SONET) from Electronic Intrusion
Appendix B The Risks to Asynchronous Transfer Mode (ATM) from Electronic Intrusion
Appendix C Acronym List
Appendix D References

PREFACE

This report assesses the risk to public networks from electronic intruders and software-based attacks. This assessment is based primarily on the knowledge and day-to-day observations of the United States Government and National Security Telecommunications Advisory Committee Network Security Information Exchange representatives in the performance of their jobs. It reflects a consensus among the representatives on the threats, deterrents, vulnerabilities, and protection mechanisms that affect the public networks. By its nature, network security is continually evolving. Therefore, this document presents a snapshot of the current state of security in the Nation's public networks and should be viewed as a work in
progress.

EXECUTIVE SUMMARY

Since early 1990, the United States Government and the President's National Security Telecommunications Advisory Committee (NSTAC) have been working together to address network security issues. Central to this process are separate but closely coordinated Government and NSTAC Network Security Information Exchanges (NSIEs). The NSIEs provide a forum to identify issues involving penetration or manipulation of software and databases affecting national security and emergency preparedness (NS/EP) telecommunications. The attached report documents a risk assessment the NSIEs prepared in 1995.

This risk assessment focuses on the current and near-term Public Network (PN), taking into account the security of new technologies for which implementation has begun or is planned. It recognizes that far-reaching changes are occurring in communications structure, technology, and regulation, and addresses the concomitant implications. The assessment was based primarily on the knowledge and day-to-day observations of both the Government and the NSTAC NSIE representatives in the performance of their jobs.

The PN is complex, and securing it is very difficult. Industry has been factoring network security risk factors into its overall decision processes and has been reasonably effective to date in mitigating serious intrusions. The last NSIE risk assessment, in 1993, concluded that the risk to the Public Switched Network from electronic intrusions was a serious concern. The NSIE representatives believe that in 1995 the overall risk to the PN from electronic intrusions is greater than that reported in the 1993 risk assessment, on the basis that threats are outpacing our deterrents while vulnerabilities are outpacing the implementation of protection measures. The NSIE representatives based their observations on the following:

- Computer intruders are using increasingly advanced software tools and techniques to attack the PN. They are motivated by financial gain, and there are
troubling indications of links to organized crime and foreign intelligence services. In some cases, disruption of the PN may be the end goal for some of our adversaries.

- Interconnection between different technologies is rapidly linking the Internet to the PN. The potential impact of a single intrusion incident is becoming greater as new nationwide National Information Infrastructure (NII) services are rolled out and as network elements serve wider geographical areas.

- Although the effectiveness of our deterrents will never be as great as we may wish, representatives believe deterrent activities are focused on the correct objectives and progress is being made.

- Known security vulnerabilities persist despite aggressive efforts to eliminate them, and new technologies bring with them new vulnerabilities. Greater focus on security and vigorous efforts to provide it would lessen the security impacts.

- Changes in the business environment often affect network security, reliability, and quality. Increasing competitive pressures on all aspects of the industry require high levels of attention to network security investments.

- The interconnection of new PN service providers into the voice and data communications market brings additional security concerns.

- The PN is rapidly evolving to incorporate many different emerging technologies and services, and additional security standards are needed. A single set of security standards for open systems and networks should be a near-term goal.

The protection of the PN is important to maintaining our national security posture, supporting emergency preparedness activities, realizing the capabilities and services offered by the emerging NII, ensuring our economic security, and effectively competing in a global marketplace. Network and systems security is everyone's job:

- Service providers must assure the reliability and assurance of network services and capabilities.
- Manufacturers must ensure that the security capabilities of goods and services adequately reflect the
needs of the marketplace.
- Users must subscribe to and pay for appropriate levels of privacy and security, and
- The Federal Government must support the needs of industry by supporting research and development and developing laws to enable prosecution of offenders.

Representatives from each of these four sectors have contributed to NSIE deliberations in past years. The NSIE process has proven to be effective for exchanging information on threats, vulnerabilities, and mitigation strategies related to telecommunications and should continue.

1 INTRODUCTION

1.1 Background

In recent years, telecommunications services provided by the public network (PN) have expanded at an astonishing rate in both degree of sophistication and availability. Advances in new computer software and hardware technologies are allowing the United States telecommunications industry to provide innovative and robust new services and to automate the operations, administration, maintenance, and provisioning (OAM&P) functions to reduce costs. The public and private sectors increasingly depend on these new telecommunications systems, capabilities, and services, and this dependency can be expected to grow as new technology initiatives are developed as part of the National Information Infrastructure (NII). Both sectors are concerned, however, about the threats posed to the system by computer intruders.

The PN and the services on which the public and private sectors depend rely heavily on the security of the software; consequently, the security of this software is of vital interest to the Government. A software attack on the computer systems could have a significant impact on end users, including national security and emergency preparedness (NS/EP) telecommunications services users.

In April 1990, the Chairman of the National Security Council (NSC) Policy Coordinating Committee for National Security Telecommunications and Information Systems requested that the Manager, National Communications System (NCS), identify what actions
Government and industry should take to protect critical national security telecommunications from the threat from computer intruders. Working together, the Manager and the President's National Security Telecommunications Advisory Committee (NSTAC) established a structure and a process for addressing network security issues. Central to this process are separate but closely coordinated Government and NSTAC Network Security Information Exchange (NSIE) groups. Government member organizations include departments and agencies that are major telecommunications services users, represent law enforcement, or have information about the network security threat. Industry member organizations include telecommunications service providers, equipment vendors, and major users. NSIE representatives are individuals who are engaged in the prevention, detection, and/or investigation of telecommunications network software penetrations. Both Government and NSTAC NSIE representatives are subject matter experts in their fields.

The NSIEs provide a forum to identify issues involving penetration or manipulation of software and databases affecting telecommunications. The focus is to exchange information and views on threats, incidents, and vulnerabilities affecting the software and to identify actions to mitigate their impact, thereby raising the effectiveness of all participants. Periodically, the NSIEs also assess the risks to the PN from computer intruders. The last risk assessment was completed in 1993.

1.2 Value of the Public Network

The PN is an essential element of our country's communications and economic infrastructure on which all sectors of our society depend. The PN's value can be viewed from three perspectives: Government, business, and the individual.

GOVERNMENT. The PN provides more than 90 percent of the Federal Government's communications capabilities, ranging from day-to-day business activities to handling crisis
situations such as natural disasters (e.g., hurricanes, earthquakes, and floods) and national security crises at home (the bombing in Oklahoma City) and abroad (Desert Shield/Desert Storm). State and local governments also depend on the PN to conduct business, provide basic and essential community services (e.g., library telephone reference assistance and emergency 911 service), and respond to emergencies which impact the community, such as natural or manmade disasters (e.g., floods or major fires).

BUSINESS. Businesses depend on communications capabilities to provide products and services to their customers and manage their internal operations. Communications capabilities enable businesses to reduce operating costs through practices such as maintaining just-in-time inventory, and to generate revenue. The Administration's NII initiative is intended to strengthen the economy by taking advantage of advances in information services and communications technologies to create business opportunities and new jobs; central to this is a robust PN.

INDIVIDUALS. Individuals depend on communications capabilities in many different ways, ranging from 911 service in life-threatening situations, to their role in supporting infrastructure activities (transportation, utilities, and finance), to keeping in touch with family members. The public's confidence in the PN's availability and reliability is high and must remain so if citizens are expected to increase their use of services.

1.3 Scope

The PN is a network of networks composed of complex interconnected communications systems that rely on computer-based, software-controlled network elements. This architecture allows great flexibility for both service providers and end users to establish or modify network features and services. Remote access allows these activities to occur from centralized centers or from customer premises. Internal telecommunications company data networks are used extensively to control remote services to network elements. These internal networks, often called corporate networks,
support billing, service provisioning, engineering, maintenance, switching, network management, and administrative systems; databases; signaling control (signaling transfer points and service control points); and transport elements. These networks provide remote access to network elements and enable legitimate users to perform their work functions expeditiously and cost effectively. More network control elements are interconnected and integrated with corporate networks that use industry standard protocols such as X.25, Common Channel Signalling (CCS), and Transmission Control Protocol/Internet Protocol (TCP/IP). If these networks are interconnected to the Internet, the potential for intrusions increases.

The activities of the Government and NSTAC NSIEs focus on issues of unauthorized penetration or manipulation of PN software and databases affecting NS/EP telecommunications. Their primary concerns are the identification and mitigation of vulnerabilities that could be exploited by computer intruders and result in denial of service or extraction of sensitive NS/EP information. Although there are other threats to the PN, such as breaches in physical security, this risk assessment addresses them only as much as they relate to electronic intrusions. For example, computer intruders sometimes exploit vulnerabilities in physical security to obtain knowledge, tools, or access to systems that enable them to attack the software.

Previous risk assessments focused narrowly on network elements and their supporting systems, such as their OAM&P systems, and addressed how computer intruders' exploitation of software vulnerabilities affected the risk to NS/EP telecommunications services. The NSIEs recognized, however, that the nature of the PN was changing rapidly, not only in the technology but also in the convergence of telecommunications and information services. Because these changes will affect the security of the PN, the NSIEs have included in the risk assessment factors such as Internet connectivity, open protocols, industry
restructuring, and the changing business environment. The NSIEs continue to assess how these factors affect the risk to the PN.

This risk assessment focuses on the current and near-term state of security of the PN. It represents three changes from previous risk assessments: (1) it includes the security of new technologies (Synchronous Optical Network and Asynchronous Transfer Mode) for which implementation has begun or is planned; (2) it recognizes that significant changes are occurring in the service provider community; and (3) to a limited degree, it also deals with certain aspects of the Internet, addressing risks shared by both the Internet and the PN, such as vulnerabilities in and risks to elements of the PN that result from its connection to the Internet. This risk assessment does not address access risks of the Internet itself.

1.4 Methodology

This assessment is based primarily on the knowledge and day-to-day observations of the Government and NSTAC NSIE representatives in the performance of their jobs. It reflects a consensus among the representatives on the threats, deterrents, vulnerabilities, and protection mechanisms that affect the PN. Analysis of the NSIE Vulnerability Database was used to validate the observations of the NSIEs. However, there are no nationwide statistics or measurements to quantify the problem. As a result, this document contains few statements of quantification.

The risk assessment in this document comprises four elements: threats, which are mitigated by deterrents, and vulnerabilities, which are mitigated by protection measures. This document describes each of these elements and concludes with an assessment of the consequent risk to the PN. An important factor in the risk to the PN is the changing business environment. Because threats, deterrents, vulnerabilities, and protection measures can best be understood within the context of this environment, it is discussed in Section 2.

2 CHANGING BUSINESS ENVIRONMENT

Both the public and private sectors are changing the way they do business to reduce expenses, increase revenue, and compete in the global
marketplace. At the same time, rapid advances in technology allow businesses to do more with less. These factors may make good security more difficult to achieve. For example, business decisions to outsource work or engage in joint ventures without a carefully thought out security plan can affect a company's security by making the company vulnerable to its vendors and partners. This makes it essential to define and implement security policies and procedures that explicitly define the access privileges granted to contractors or business partners. Three major factors influencing the business environment are (1) the need to reduce expenses, (2) the pressure to increase revenue, and (3) where and how people work. Each factor presents challenges to the security of any corporation and its ability to compete in a global marketplace.

2.1 Reducing Expenses

The following efforts to control expenses and improve profitability bring with them new challenges to maintaining secure networks.

- Corporate re-engineering. Corporate process re-engineering reduces the number of employees and increases empowerment for those who remain. Terminated employees often have the knowledge and skills to exploit the vulnerabilities of their former employers' networks, and some could be thus motivated. Remaining employees feel less secure in their jobs, may be required to carry a greater workload, and may generally feel less loyal to their employer. They could exploit their increased access to commit fraud as a source of financial security, or they may simply be less diligent in their duties. All of these factors affect security. Security administration is often considered a support function, and downsizing generally hits support functions the hardest. Without high-level attention, downsizing could exacerbate the situation: more people are capable of doing harm to the network, and fewer people are dedicated to protecting it.

- Outsourcing. Both the public and private sectors use outsourcing to reduce expenses and increase flexibility in meeting staffing requirements. Institutions which outsource can be at risk from the inadequate security measures of their vendors unless strong security controls are adopted. Without these controls, proprietary information could be at risk. Outsourcing also could be a path for introducing malicious code.

- Software patches. Because of the resources used in patching software to fix vulnerabilities and the reduced time between major software releases (less than 13 months), software vendors may be reluctant to issue interim patches to fix software vulnerabilities. This reluctance may give computer intruders a greater window of opportunity to exploit vulnerabilities. Often patches are not entirely effective; they may work in the laboratory but function much differently in the real world, where feature interactions affect their operation.

2.2 Increasing Revenue

Efforts to increase revenue and profitability bring with them new challenges to maintaining secure networks.

- Joint ventures. Joint ventures affect security much the same way outsourcing does. Since joint ventures generally include companies with expertise in different technologies or business areas, each company may be unaware of security requirements peculiar to the other's specialty and may not adopt appropriate practices. Again, security should be included in joint venture planning.

- Foreign ownership. U.S. companies are pursuing business opportunities in foreign markets; to obtain foreign approvals, the U.S. allows foreign companies to do business in the U.S. The security implications of this trend are similar to those of outsourcing and joint ventures. Also, there are security implications from the availability and transfer of technology to foreign entities.

- Competition. As competition increases, the pressure to get new products into the marketplace also increases. Security matters need to be planned early in the product development cycle. Because efforts to implement adequate security may delay product delivery, the need to meet a market window may override the need to
include a complete suite of security features. This situation extends into product implementation as well: customers may choose not to implement security features that will delay implementation and operation of the product and/or increase its cost.

- Nondiscriminatory access. Open competition is one of the tenets of the Government's initiative for the NII. The Government believes that open competition will drive the development of new tools, products, and services required to ensure that the U.S. continues to be a major force in the Information Age. To that end, legislation has been drafted to give third-party service providers nondiscriminatory access to elements of the telecommunications infrastructure to create and deliver services. This access to the physical infrastructure, as well as access to databases and associated signaling elements necessary for call routing and completion, multiplies the number of service providers connected to the network and the number of potentially exploitable access points. Perhaps more importantly, many third-party providers will be start-up companies operating with minimal resources and security experience.

2.3 Changes in How and Where People Work

Technology has made possible changes in how and where people perform their work.

- Telecommuting. Working at home or at a shared workstation is attractive to many employees and diminishes the requirement for office space and the concomitant expense. The additional connectivity required for telecommuting can create additional opportunities for intruders to gain access to resources or for employees to inadvertently transfer malicious code into the company's systems. Whether the employee works from a home or from a shared workstation, the terminal the employee uses effectively becomes another node in the company network, with the potential for anyone accessing that node to obtain corporate access. Physical security of a telecommuting location therefore becomes an important consideration in preventing unwanted access.

- Laptops. Laptop computers provide more
connectivity options than telecommuting from fixed locations, and their portability exposes them to a danger of being stolen or lost. The consequences of losing a laptop extend beyond the loss of the computer and the proprietary or confidential information stored on the hard disk. If the laptop is used for access to a mainframe or the network and the owner uses script files to store logon-id or password information, anyone who has the laptop can access the same applications and functions as the laptop's owner unless additional strong authentication mechanisms are used.

- Upgrades and equipment leasing. With rapidly escalating capabilities and the desire to keep up with technology, more people are trading in their computers for ones with higher capacity. There is also a growing trend to lease equipment rather than buy it, giving users the flexibility to respond to changing requirements. When users upgrade their equipment or return leased equipment, they must take specific precautions to thoroughly erase their hard drives to prevent making all information and capabilities on them available to others.

- Migration from the mainframe environment. Many applications are migrating from mainframes to PCs, but mainframe security features (e.g., password strength, password aging) do not migrate. This change is likely to be transparent to end users, who may assume they have the same level of security with their personal computer (PC) application as they had when it was on the mainframe; without being prompted, they may never change their passwords.

- Customer Premise Equipment. End users are migrating more communications functions to their own equipment, such as private branch exchanges, and have greater access to telecommunications logic, as in SS7 interconnections and Intelligent Network (IN) services. This access places control of and responsibility for applications security in the hands of customers, who may not be as knowledgeable of the equipment's vulnerabilities and consequently may not take necessary
installation and operations precautions. This makes it important for service providers to configure their networks to control access to system software to overcome CPE security deficiencies.

- Communications. Many desire to be connected to the Internet to gain access to information or obtain services such as electronic mail. This desire leads to many security concerns because internal networks are exposed to the vulnerabilities associated with Internet connectivity. Frequently these vulnerabilities are not well understood. The environment is a security challenge, taxing the available security features, especially as new capabilities are introduced. Corporate re-engineering usually defines the business process first, and information systems and security are secondary. Last to be considered is how to create a secure environment for legacy systems. It often is a great challenge just to get them working, let alone implement a strong security plan.

3 THREAT

The PN is an attractive target for computer intruders:

- The cost to the attacker is low. Computer intruders have acquired technical skills and knowledge through easily accessible publications and electronic bulletin boards. These resources provide accurate, detailed information and instructions to exploit the vulnerabilities of automated information systems and networks. The equipment intruders need is affordable and readily available, and most of it or its components can be purchased in the retail market. Intruders often avoid telecommunications costs through fraudulent activities with dialup access and/or Internet connectivity and hide their identities.

- The risk of getting caught is low. Computer intruders can attack from almost anywhere and easily disguise their location, so the chances of being caught are low. Even if they are caught, the chances of being prosecuted by the Federal Government are low, since intent to do damage is currently required for a felony conviction, and the evidence required to prove intent is difficult to obtain. Intrusions without intent to do damage are misdemeanors and are generally deemed
not worth the effort required for prosecution. Historically, the chances of being convicted have also been low, and even if intruders are convicted, sentences have tended to be short, although more recent cases show the courts are beginning to hand down longer sentences than in the past.

- The potential reward is high. The PN itself is an interesting target, and some computer intruders have found markets to sell information obtained from PN databases. It can also offer access to other desirable targets, such as financial support systems, public utility systems, and law enforcement databases, unless the targets have been properly secured. Information carried by the PN may also be of considerable value (e.g., credit card information).

Computer intrusions are not bound by political or geographic boundaries. They come from both domestic and foreign sources, and foreign attacks come from both friendly and hostile nations. Intruders use the PN for toll fraud and to illegally monitor or divert calls, often as an aid to commit other crimes. Intruders also use the PN to penetrate attached systems to commit industrial espionage. Some foreign intelligence services (FIS) are able to use these same techniques for similar purposes, to acquire information and potentially cause denial or degradation of service. The effects of such actions could be exacerbated during war, natural disasters, or other emergencies. Dishonest and disgruntled insiders are also a concern; they have more ready access to these systems and less likelihood of being detected.

3.1 Motivation

Traditionally, computer intruders have been viewed as young amateur computer enthusiasts motivated primarily by curiosity and technical challenge. Analysis of computer intrusions in recent years, however, indicates that there is now an older generation of computer intruders for which financial gain is a more prominent motivator. In addition to accessing telecommunications systems for personal use, these older intruders are willing to sell their skills for industrial espionage, and there are
troubling indications of their collusion with organized crime and FISs. Law enforcement has seen evidence of such activities.

Society has viewed computer intruders as lacking intent to destroy or disrupt the network. This paradigm may be changing. Because of some of the more recent intrusion activities, some in the telecommunications community are coming to believe that breaking into computers is passe; the new target may be the network itself. Although most intruders appear to target the PN to access other systems or avoid toll charges, software time bombs planted in network elements in Denver, Atlanta, and New Jersey in 1990 indicate denial of service could also be an objective.

INSIDERS. The primary insider motivation to exploit the PN still appears to be financial gain or revenge. Insiders can be employees, contractors, alternate service providers, or anyone else with legitimate access to the PN's components, systems, and/or premises. Increasingly, insiders also include the customers of service providers, because new services give them access to PN software and databases to directly control their own telecommunications services. Insiders are usually granted varying degrees of physical access, administrative access, or both to the PN's software and databases, and may use legitimately or surreptitiously acquired computer access privileges to compromise them or inhibit access by others. They know the security of the system and raise no alarm by their presence. For these reasons, insiders acting in collusion with an outside threat (a competitor, criminal organization, or elements of a foreign country) could provide targeted access to software and databases to meet specific requirements of their outside accomplices. In 1994, an insider provided thousands of calling card numbers to an outsider who then sold them to foreign computer intruders.

FOREIGN GOVERNMENTS. FISs and other foreign government agencies may be interested in major telecommunications systems and software within the U.S. to assess whether
the-y could be used to provide information and services and act as conduits to other targeted systems supporting the national infrastructure To support national interests many countries have developed strong relationships between government and business entities in the collection of economic intelligence scienti c and technological intelligence or both For some countries intelligence collection is often an expedient cost-effective way to upgrade and modernize Even technologically developed countries are known to target both types of intelligence for competitive purposes The traditional line between hostile and friendly nations has become blurred Information gathered by intruders from abroad could be used in intrusions against Systems in the US Because many US companies do not fully document report or share their intrusion expen'ences it is dif cult to estimate the true magnitude of foreign government sponsored activity Stove Buith ofBell Lin - noted in a ne-r'l lml' sen-ini- Althea-n May I995 pap 3 Th emimeWmh MdEmfw -a Taken ammo Anni-um Hat-m December 10 111 I Jill I The reasons given for attacking the PN are as varied as the types of intruders conducting these attacks Systems have been attacked for national interests nancial gain power revenge prestige ideology and simple curiosity 3 2 Teehnigues and Tools Intruders have demonstrated their ability to e ectively and systematically exploit PN so ware lntruders' skills appear to be increasing and the most skillful intruders are adept at eluding detection in the past attacks were laborious and time consuming and used social engineering and other techniques that took advantage of poor password management and other security weaknesses Although computer intruders continue to exploit some of these same vulnerabilities they also use increasingly advanced software tools and networking techniques At rst software tools were used just to gain access to network elements and hosts now malicious code can be attached to 
intrusion tools allowing intruders to use one tool to sinurlraneously gain access to and steal damage or destroy whare and databases They use customized software programs to target speci c types of computers networks or network elements e malicious code designed to attack a speci c software vendor's producr or viruses to target antisirus software NEW TOOLS Intruders o en obtain system administrator utility programs and electronic intrusion detection tools from the Internet and bulletin board systems and use them to snack network hosts They even create tutorials on bulletin board systems so Others can use these tools To rapidly share these tools with one another intruders make them readily available across international networks in one case an attack program was posted on a bulletin board and in less than 2 hours numerous computer intruders used the program to break into systems Unfornutately vendors usually cannot respond with xes in a sinrilar time Cooperation among computer intruders goes beyond merely sharing their tools and techniques they have launched coordinated attacks involving collusion between domestic and foreign computer intruders Because these tools enable amateurs to use techniques previously employed only by more experienced intruders they upgrade the amateurs' capabilities Also within the same amount of time it used to take to conduct a single attack manually the automated tools can erqioit data networks to attack many systems at various levels Automation of snacks masks the number and identities of intruders attacking the FN so it is unclear whether one or several intruders cause multiple attacks It rs also dif cult to determine whether a series of intrusion incidents re ects an organized effort to attack a speci c target for a particular purpose or whether the series is simply unrelated activnies without any speci c target or purpose it is possible that some of these incidents may be part of a coordinated effort to achieve a particular goal but 
the general profusion of intrusion attempts would obscure these organized activities DETECTION It is increasingly more dif cult to detect intruders The exisring and growing connections between the PN and the intenret offer intruders an avenue of snack melting it easier for them to disguise their 11 rrutral point of access and weave through the network Intruders use cellular telephones to make it more dif cult to determine where attacks onginate The software and databaSes are sizable and tecluucally complex It Is becoming more dif cult to nd malicious code Automated tools also prevent law enforcement from distinguislung Intruders from one another by their individualized attack methods With the use of programmed attacks it ts dif cult for law ent'orcemerrt to identify mtmders by their techruques or signatures Programmed attacks can make an investigation more dif cult In the late 19305 and early 1990 intruders began to systematically map the internal networks they were exploring Today some intruders are analyzing these maps and planting programs that capture and store logon-ids passwords password sni ers'j and other information gathenng programs at key network hosts where they can be used most e 'ectively SPOOFING The IP Spoo ng attacks reported in Jammy 1995 are an example of intruders skills and interests Spoo ng is creating packets and making than appear to be coming mm a trusted source This new form of automated attack exploits improperly con gured rewalls Firewalls should be con gured to recognize and block externally originating packets if they have not been authenticated or are not received from a ousted source address from within the netw0rk Some rewalls are not Although the vulnerability of this form of attack exploits is not new the concern is that recently automated tools have been developed to exploit the durability This attack would have previously required an intruder with advanced skills willing to devote a signi cant amount of time to this endeavor 
with the automated tool a novice can now exploit this vulnerability quicklr and easily HSIE member companies and agencies are reporting an increasing number of attacks against their networks This increase probably remlts from the availability of automated intrusion tools and their use of use NETWORK SCANNING TOOLS Another indication of the urn-eased sophistication of intrusion tools is the utterging use of graphical user rntet acea GU15 or icon-driven httetfaoes 1n the past accessing network systems toolt some level of skill which reduced the likelihood that intruders wotdd curve at a point in the syssem where they could accidentally damage it Lowering the skill required to access critical network elements to a point-and-click level allows individuals with minimal skills to access them increasing the potential for unintentional or malicious damage One example of a tool feaurnng a GUI is the Security Admirustrator Tool for Analyzing Networks SATAN winch was nude available to the public in April 1995 SATAN scans sysrems to nd several common networking-related secunty problems and reports whether the vulnerabilities exist on a tested system without actually exploiting ham-r Ht ATILT In 4 'lu 'll F's-h It Prue-not pail-hull II Conner Coll-urticaria Ruin Vol 21in Brawn-II 12 1 I ll them Although systems administrators can use SATAN to analyze their networks intruders could just as easily use this tool to identify vulnerabilities to enable snacks on the network Rootkit is a relatively new set of tools that hackers use to mask computer intrusions Often even skilled systems administrators using available State-of-the-art auditing tools Will not be aware when this set of tools is being used Although Rootkit has many different capabilities it can falsify data provided by the device itself reported le sizes dates and checksums not changing even though they have been modi ed through hacker activities such as planting Trojan horses modifying permission tables or granting access 
privileges Only now are researchers working on a tool to overcome the e ects ofRootltit no proven products are on the shelf It is easy for inn'uders to set up their equipment a PC phone and modem almost anywhere such as a hotel room or even at a pay telephone in an isolated area and launch an automated attack program The automated tools reduce the amount of time intruders require to access the targeted sysrem and the portability of their equipment diminishes their chances of being caught are increasingly using cellular phones TRADITIONAL HACKER ACTIVITIES Dumpster diving and social engineering are time-prover techniques that intruders continue to use effectively Dumpster divers sort through an organization's trash to obtain information to help in electronic intrusion Social engineers impersonate a telecommunications company employee customer or vendor and permade a legitimate ernployee to divulge information such as logon IDs and passwords Social engineering takes advantage of a company's lack of security training and its emphasis on customer service Reports by NSIE representatives of attempts at social engineering are also increasing The implications of this increase are unclear it could signal an increase in attempted attacks it could mean that employees are more aware of social engineering attempts and are more diligent about reporting them or it could be an indication of activities as yet unknown It could also indicate more effective security controls which would drive intruders to use social engineering techniques to gain access they used to be able to achieve on their own by using tools arch as default passwords or password crackers Fraud and the of services must also be considered as serious threats in commercial ventures therefore special consideration must be given to these problems These activities may be use il barometers of more destructive intruder activities an intruder detected stealing services may also be engaged in more destructive undetected 
activities 3 3 mas-am NSIE representatives believe the electronic intrusion threat to the PN is greater than It was dunng the last risk assessment in 1993 primarily because of the increasing sophistication of the intruders and the more advanced methods of attack Increasingly intruders are more experienced and motivated by nancial gain as show by the increasing indications of links between computer 13 intruders organized crime and F155 There is more evidence of coordinated attacks including collusion between domestic and foreign intruders Traditional intelligence methods do not provide suf ment detail on the role that foreign governments play in these coordinated aetiwties The threat can no longer be characterized as coming from a group ofadolescents trying it gain a few hours of' free telephone semce or satisfying their The threat now includes more purpose sl adults With increasingly malevolent objectives The tools available to intruders are increasingly automated easy to use and e euive Those who have no interest in spending long hours to become technically pro ctent now have tools to achieve their objectives Use of these tools has two consequences the number of indiinduals capable of attacking the PN Increases as the requ1red level of skill decreases and less-skilled mdmduals can gain access to systems about which they know very little increasing the likelihood that they could damage them even accidentally The determination of the intruders the growing ease W'lth wl uch the can attack the Ph the dif cult in detecting their actmties and the increasing complexity of recovenng systems are all reasons for serious concern Further intruders have the skill to access and damage the PH and can cause signi cant denial and degradation of semce The NSIEs are consumed that the intruders may choose to do so 14 4 DETERRENTS One important agent of deterrence is law enforcement Equipment and software vendors service providers and their customers must work in a partnership with 
law enforcement to report intrusions help identify intruders cooperate in investigations and help prosecute computer intruders who attack PN elements Although the number of computer intrusions reported to law enforcement has increased victims telecommunications equipment vendors service providers and their customers continually need to report incidents of network intrusions Law enforcement and the private sector also need to continue cooperating in activities such asjoint investigations training and exchanging technical information Sometimes victim companies may need to maintain the exploited vulnerabilities while evidence is collected to enable a successful prosecution This problem may put the company at risk for some time and be very costly It will continue even if the law is changed as discussed in the next section 4 1 Luv Enfmment Law enforcement is aggressively pursuing PN intrusions and has expanded its focus on this area of criminal activity as follows I it has increased training efforts to improve the technical expertise of agents and prosecutors assigned to these types ofcases 0 The Department of Justice DUI has established the Computer Tclecomtnunications Coordinator ETC program to ensure every US Attorney's of ce has at least one trained prosecutor to advise on technical issues and coordinate nniltidistrict cases - State and local law enforcement investigative abilities are improving Coordination between local agencies and Federal authorities has also increased and should continue to be emphasized I InteractiOn between US and international law enforcement entities has increased and is becoming more important although more needs to be done As their investigative abilities improve Federal State and local law enforcement communities are prosecuting more cases The number of convictions is increasing and judges are begituiing to Impose longer sentences There are certain constraints on the ability of law enforcement to deter intruders Limits on funds affect 
the number of of ces assigned to computer crirm and how much money can be spent on training and equipment Intruders can commit crimes against victims in the United States from anvwhere in the world in many cases US law enforcement of cials cannot pursue them either because the laws of the intruders country do not consider these activities a crime or law enforcement in that country does not have the resources to pursue such activities 15 Even within the US investigation and prosecution olcomputer intrusion cases can be complicated by the different laws and resources ofthe various jurisdictions involved it Federal State and local The Federal government is fragmented on computer tritruders and no focal point has been empowered to bring together all the information and activities for computer intrusions Although cooperation among different is improvmg some fragmentation will no doubt 4 2 gamers The NSIE groups have been concerned about de ciencies in Federal computer crime laws Recentlv DOJ proposed several Improvements to these laws that will be helpful if enacted The three changes that will have the greatest impact on the ability to prosecute computer intruders who attack the PN are the following I Upgrading a class of intrusions from misdemeanors to felonies increasing the likelihood of prosecution and the severity of the sentences I Revising the de nition of Federal interest computers to include those used in Interstate commerce and communications thereby expanding the law s applicability to most computers that are part ofthc PH and I Expanding the de nition of damage to include any impairment of data integrity or availability that threatens public health and safety In addition 5 proposmg changes tn sentencmg guidelines to encourage iudges to consider factors beyond econonuc loss to the wctirri when determining the severity 01 an intruders sentence The extent to which the intruder vrolated the victim's pnvacv ts an example of one such factor The Office of 
Management and Budget Oh-'18 approved proposal and these changes are reflected tn the N11 Protection An of l9in 3932 introduced into the Senate on June 29 1 95 The NSIEs support proposed changes 4 3 Lducation and Awareness Education and awareness programs are another form ordetcrrence They can help deter voung people from getting involved In computer crime by making them aware ofthe consequences of these intru5ions both for the individual i prosecution and for society e disrupting t- Jl 1 service Since intruders may begin their activities earlv tn life education and awareness programs should be targeted at school-aged children in the hope intrusion activities Young people car otten be deterred by warnings promotional efforts and diversions that give them opportunities in develop and exercise their computer skills in a more acceptable wav 16 Some companies have developed videos teacher's guides and student materials which they provide free to public schools Also industry and law enforcement professionals may reach this target audience through youth groups cg Boy Scouts parents' organizations teachers' associations computer game companies TV radio newspapers magazines or computer users' groups A single effort to educate young people on this issue cannot be measurany effective on its cum The message must be sent from many sources home school work government the media with persistence E orts to change behavior do not generally produce rapid and dramatic changes and are di icult to justify in the short term 4-4 mum By its nature deterrence always lags behind the threat Legislltion tends to be cussed on a wrong rather titan preventing it law enforcement of cials deal with intruders after they have broken the law The rst line of defense must be to protect the PM by taking full advantage ofthe security measures available law enforcement must be prepared to deal with intruders and victims must be vigilant to detect computer crime and prepared to report intrusions and work 
with law enforcement The law enforcement conununity uni-ently operates within many restrictions ranging from resource limitations a changing and challenging technical environment and the dif cqu of pursuing computer criminals across local state and national boundaries The law enforcement community is working to address these challenges The effectiveness of deterrents may be limited but deter-rent capabilities within the US are among the best in the world and are improving I D01 is addressing legislative issues I Law enforcement capabilities are improving I Prosecutions and convictions are increasing I Judges are ordering more sentences The increase in e 'orts to deter young people from becoming involved in computer crime is encouraging Although the progress is di cult to assess it is imponant to continue these efforts Although the e ectivmess ol'orur deterretns will never be as great as we may' wish NSEE representatives believe deterrent activities are properly foaased and progess is being made 17 5 VU LNERABILITIES Vulnerabilities are flaws in the PN's fabric that allow intruders to enter its computerized elements This section addresses eight areas known 1vulnerabilities i vulnerabilities that have hem well- ltnown for some time and for which remedies are available rewalls Internet connectivity centralized control centers open protocols standards new technologies and industry restructuring Section 6 Promotion identi es actions being taken to address vulnerabilities Known in recent years PN service providers and equipment vendors have become more aware of the vulnerabilities that a ect systems Security audits information sharing activities eg NSIEs and incident response teams Forum of Incident Response Security Teams have revealed many vulnerabilities Many computer owners have taken steps to mitigate these vulnerabilities others have not The potential impact of these known vulnerabilities on the PN has increased because the size and nationality of modern switching 
elernerns and support systems have grown over the years The compromise of certain switching demerits or operations support systems can have much more widespread consequences than in the past Although many di 'erent techniqules for mitigating these vulnerabilities have been well-known and documented for years in some cases systems administrators have not dream to close particular vulnerabilities or have not implemented xes correctly or consistently One example is the sendmail wlnerability in Unis which has resulted in intrusions to thousands of computer systems Another example is unprotected dial-up modems Despite exhaustive efforts to eliminate unpretected dialrup modems security audits continue to reveal new dial-up modems that employees have installed often without knowledge of management Modems serve an important need and as long as the need persists and other approaches are not available dial-up modems will continue to be used However protection is often a missing key element The failure to change default passwords on systems is also a well-known wlnerability Anather conunon vulnerability the use of weak and easily guessed passwords can be mitigated somewhat by the migration to token-based access and one time passwords but it will be some time before every system has these access methods Finally new software rdeases can reintroduce old vulnerabilities if the patches that listed those vulnerabilities are not incorporated irtto the new rdease Users o en assume that known vulnerabilities have been xed when a new version of software rs released and are unaware that they need to address it again 5-2 rs-mitt There is a growing trend by organizations to address network security by isolating their systems with rewalls Although rewalls can be effective ifirnplemented properly several factors need to be considered Router con gurations if not carc illy designed and maintained can introduce vulnerabilities to spoo ng attacks Section 3 2 and other intrusion techniques 
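The one-time password mitigation mentioned under Known Vulnerabilities above (and again under Strong authentication in Section 6) works by making every password a sniffer captures worthless for a second login. The following is an added example written for this edition, not code from the NSIE report or from any carrier: a minimal S/KEY-style scheme built from a hash chain, with the server side and the client side in the same file. The secret, seed, chain length, and the use of SHA-256 are illustrative assumptions; RFC 1760 S/KEY used MD4 folded to 64 bits and encoded each password as six short words, which this example omits.

```python
"""
Added example (not from the NSIE report): an S/KEY-style one-time password
scheme built from a hash chain, showing why a password captured by a sniffer
cannot be replayed.  SHA-256, the secret, the seed and the chain length are
illustrative choices; RFC 1760 S/KEY used MD4 folded to 64 bits and encoded
each password as six short words, which this example omits.
"""
import hashlib
import hmac


def _h(data: bytes) -> bytes:
    """One step of the chain (assumption: SHA-256 in place of S/KEY's MD4)."""
    return hashlib.sha256(data).digest()


def chain(secret: str, seed: str, i: int) -> bytes:
    """h^i(secret || seed): the i-th one-time password.  Walking forward along
    the chain is cheap; walking backward would require finding a preimage."""
    x = (secret + seed).encode()
    for _ in range(i):
        x = _h(x)
    return x


def enroll(secret: str, seed: str, n: int):
    """Client side at enrolment: compute h^n and hand (n, h^n) to the server.
    The server never sees the secret itself."""
    return n, chain(secret, seed, n)


class OtpServer:
    """Stores only the current counter and the last accepted value (verifier).
    A login with p is valid iff h(p) == verifier; on success the verifier
    becomes p and the counter decrements, so p can never be accepted again."""

    def __init__(self, counter: int, verifier: bytes):
        self.counter = counter
        self.verifier = verifier

    def challenge(self) -> int:
        """Index the client must use next (real S/KEY prints it as 'skey 99 seed')."""
        return self.counter - 1

    def verify(self, otp: bytes) -> bool:
        # Refuse to consume the last link: accepting h^0 would mean the client
        # had sent secret||seed itself over the wire.  Re-enrol instead.
        if self.counter <= 1:
            return False
        if not hmac.compare_digest(_h(otp), self.verifier):
            return False
        self.counter -= 1
        self.verifier = otp
        return True


def demo() -> tuple:
    """Enrol, log in once, replay the sniffed password, then log in again.
    Returns (first_login_ok, replay_ok, second_login_ok)."""
    secret, seed, n = "correct horse battery", "sk01", 100   # constructed values
    server = OtpServer(*enroll(secret, seed, n))

    p = chain(secret, seed, server.challenge())   # client computes h^99
    first = server.verify(p)                      # accepted: h(h^99) == h^100

    # A sniffer on the wire captured p.  Replaying it fails because the server
    # now expects h^98, and h^99 is not a preimage of itself.
    replay = server.verify(p)

    p2 = chain(secret, seed, server.challenge())  # h^98
    second = server.verify(p2)
    return first, replay, second


if __name__ == "__main__":
    print(demo())   # (True, False, True)
```

The server database holds nothing an intruder can reuse, and what crosses the wire is never accepted twice, which is exactly the property that defeats the password sniffers planted at key hosts (Section 3.2). Two caveats a practitioner should keep in mind: an active intruder who intercepts the password and submits it before the legitimate client's connection completes can still win that race, and the scheme is only as strong as the secrecy of the initial secret, which is why the chain is never allowed to run down to index 0.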
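The spoofing attack of Section 3.2 and the router and firewall misconfiguration described in this section come down to one missing rule: a packet arriving on the outside interface must never be allowed to carry a source address that belongs to the inside. The following is an added example (not from the NSIE report and not any vendor's product): the weak rule placed beside the hardened one and both run over a constructed traffic sample. The prefixes, interface names, and packets are illustrative (RFC 5737 documentation addresses), and the outbound check is a generalization the report itself does not discuss.

```python
"""
Added example (not from the NSIE report): source-address filtering at the
border, with the weak rule beside the hardened one.  Address ranges, interface
names and the traffic sample are constructed for the example using RFC 5737
documentation prefixes; nothing here describes a real network.
"""
import ipaddress
from dataclasses import dataclass

# Prefixes assigned to the protected network (constructed values).
INTERNAL_NETS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]


@dataclass(frozen=True)
class Packet:
    iface: str   # "ext": arrived from the outside world; "int": from inside
    src: str
    dst: str


def is_internal(addr: str) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


def weak_firewall(pkt: Packet) -> str:
    """The misconfiguration of Sections 3.2 and 5.3: outside traffic is admitted
    whenever it is addressed to a protected host.  The source address is never
    examined, so a forged internal source passes, and any service that trusts
    by source address (rlogin/rsh .rhosts style) then treats the intruder as a
    trusted site."""
    if pkt.iface == "int":
        return "permit"
    return "permit" if is_internal(pkt.dst) else "drop:not-for-us"


def hardened_firewall(pkt: Packet) -> str:
    """Same policy plus the missing source checks.  Inbound: drop anything that
    claims an internal or non-routable source.  Outbound (a generalization the
    report does not discuss, the BCP 38 egress rule): drop anything whose
    source is not ours, so this site cannot be used to spoof others."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.iface == "ext":
        if is_internal(pkt.src):
            return "drop:spoofed-internal-source"
        if src.is_loopback or src.is_unspecified or src.is_multicast:
            return "drop:bogon-source"
        return "permit" if is_internal(pkt.dst) else "drop:not-for-us"
    if pkt.iface == "int":
        return "permit" if is_internal(pkt.src) else "drop:egress-non-internal-source"
    return "drop:unknown-interface"


# Constructed traffic sample covering each case.
SAMPLE = {
    "forged internal source from outside": Packet("ext", "192.0.2.10", "192.0.2.20"),
    "genuine outside client":              Packet("ext", "203.0.113.5", "192.0.2.20"),
    "loopback source from outside":        Packet("ext", "127.0.0.1", "192.0.2.20"),
    "normal outbound":                     Packet("int", "192.0.2.20", "203.0.113.5"),
    "inside host forging outside source":  Packet("int", "203.0.113.9", "203.0.113.5"),
}


def audit(sample=SAMPLE) -> dict:
    """Run both rule sets over a traffic sample: {label: (weak, hardened)}."""
    return {label: (weak_firewall(p), hardened_firewall(p))
            for label, p in sample.items()}


if __name__ == "__main__":
    for label, (weak, hard) in audit().items():
        print(f"{label:38s} weak={weak:8s} hardened={hard}")
```

The first sample packet is the January 1995 attack in miniature: the weak rule admits it because it is addressed to a protected host, and any internal service that grants access on the strength of the source address is then fooled; the hardened rule drops it on the outside interface before it reaches that service. Note the limit of the technique: source filtering stops only the forgery of addresses the router can recognize as its own. It does nothing against an outsider who forges some other outside address the site happens to trust, which is why the report's other condition, that the packets be authenticated rather than merely sourced from a trusted address, still matters.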
Routers themselves are increasingly targeted by intruders seeking to bypass rewalls administrators do not 13 1111 I properly implement a router's secunty feanires some users may be allowed to obtain more pnvileges than warranted In addition seldom-used features if left enabled could become entry points for intruders This ts an acute problem for organizations With a high turnover of systems adrrurustrators and users The Computer Emergency Response Team CERT Coordination Center has stated that although the current number of attacks on the Internet backbone infrastructure remains low there is a huge potential for intruders to snack routers at the network provider level and recon gure them Firewalls should be viewed as one component of comprehensive security programs not as a panacea The false sense of security provided by rewalls has caused many systems administrators to decrease their reliance on traditional systems security methods As a result many systems have become more vulnerable to intrusion attacks This fact is borne out in recent 1 spoo ng snacks against poorly con gured rewalls Elam-totem Connections to the lntemei are increasing and while many service providers have exercised due care in isolating critical network systems and components from more Open-enterprise data networks and the Internet there may still be potentially exploitable connectivity such as through a restrictive router or rewall An error in the design configuration or implementation of such a protective barrier could lead to compromise of critical systems from anywhere in the world For example a rewall that recognizes trust relationships between nodes within a network but does not restricr internal network addresses originating from outside the protected network may be susceptible to an attack by an intruder outside the network impersonating one of the trusted sites as demonstrated by the spoo ng attack in Section 3 5 4 War-Jan Many service providers have curtraliaed DAMP functions to corlrol 
networks from a single location This centralization has advantages from a security perspective for example it ts potentially easier to secure a single logical access pornt with uniform access control than to secure multiple access points with diverse or access control systems However a conipromise of a system serving one of these oerMalized centers would a ect conununications over a wider area than 5 or to years ago The same is true of switching and signaling elements since modern network elements serve ntany more subscribers over mare widely distributed geographical areas 5 5 Oggn Emtogols Migration to open protocols such as for network management systems renders those systems more vulnerable to compromise since the continunity at large understands these protocols and their associated vulnerabilities better than earlier proprietary systems Several carriers presently offer access to CCS-based customers through dedicated links from UNIX-based workstations Although these links are dedicated lines intruders could exploit vulnerabilities and may be able to access the caniers' CCS networks if they can intrude through the customer's gateway In fact NSIE companies and agencies are reponing an increase in the number of such vulnerabilities with potential impact on the PN As seen in the Internet conununity the results of attacks 19 can lead to disruption or degradauon of and disclosure or modi cation of data Some operating systems are being preloaded with software that provides cannectnrity capability Customers may not be aware of this software irtlrer even if they are aware of it they may not know how to enable security precautions necessary to prevent computer intruders from using Internet connectivity to access their systems and networks as sings-as Additional security standards are needed for teleoonununications networks Network Security Standards Oversight Group NSSOG examined this issue and in its October 1994 report identi ed 12 major issues in aeorrity standards 
that need to be addressed Efforts are now underway to alert standards bodies to the security issues associated with telecommtuiications networks so that network security standards can be developed as appropriate The issue of standards will be irther complicated as more entities such as Cable Television and wireless communications service providers become involved in the process bringing their own perspectives and approaches to integrating their services and technologies with those of the traditional telecorrununications service providers 57W in addition to known vulnerabilities of mature well-established PN's there is rising concern abbot the lack of security in emerging and future technologies New technologies supporting the are expected to bring with them new vulnerabilities computer have exploited existing technologies and there is Every reason to expect them to develop new approaches New technologies and new releases of existing network element software may not always include adequate semnty features Products lacking security features are brought to market before secunty problems are known or can be resolved Sometimes solutions to security problems in older technologies are not carried forward to the new technology For example as more applications are migrated from mainframes to PCs many of the well-established security features have been left behind password strength password aging New teleoomrrionications features such as remote call forwarding and selective call forwarding create new vulnerabilities unique to each feature Furthermore vulnerabilities result from feattu'e interaction When two or more features are used together they can produce unintended results Also as customers gain more direct control over their services the PN is potentially exposed to additional vulnerabilities through the interaction with end user systems and CPE New technologies are in various surges of implementation throughout the PN examples include the IN CC 5 ATM SONET and 
integrated Services Digital Network CCS technology is of particular concern There is a need for cross-industry creation and implementation of a baseline level of security requirements for the CC5 network elements their support systems and network protocols Also CCS applications developers should the level of security an application requires assess whether the baseline security on the CCS platform will provide that level and develop and deploy any incremental required if baseline security is inadequate for the application 20 ll JJ New technologies are expected to make the PE more vulnerable because of the following reasons I The ability provided by the new technologies to change the way the network reacts to subscribers' calls maltes them a potential liability if components are spoofed misprogramrned altered or corrupted Because new service logic is written in well-known programming languages rather than proprietary code intruders can understand it and manipulate it more easily I New technologies will undoubtedly be supporting NSIEP telecommunications in the nature Their ability to support sensitive government telecommunications may make these technologies targets of foreign governments and terrorists who could attack vital services as a prelude to or as integral part o an attack on the Nation I Advanced technologies will require more sophisticated troubleshooting and maintenance tools and expertise Because the development of such tools and expertise may lag behind the implementation of the new technologies troubleshooting and maintenance may be more dif eiilt initially I Because control of the technology will be more widely dispersed the number of people who have access to network components and operations systems will increase This increase in users means a larger potential threat from insiders with a corresponding increase in the potential for wrongdoers to masquerade as real workers I Expected open access to nontraditional drird-party service prOviders will 
trther increase the number of access points to the network and a corresponding increase the potential for abuse by authorized and unauthorized persons Appendices A and provide detailed discussions of SONET and ATM vulnerabilities 5-8 madam New service providers CATV providers are entering into the voice and data communications market and will require interconnection with more traditional service providers This entry of new providers raises concern over the impact on PN searrity CATV was initially intended to provide one way communications1 primarily for entertainment and education It was not generally considered an essent'nl service and outages have been frequent The CATV industry s primary security concerns in the past have been loss of revenue resulting from theft degradation and dismption of service and security measures have been irnpletnerrted to deal with these problems Providers implemented security measures appropriate to its initial functionality However CATV is now changing to include two-way or interactive services Security which is adequate to protect against theft of service or interruption of programming is not suf cient to ensure the level of reliability necessary for essential telecommunications service or to provide privacy While wrreless communications technology provides an effective and flexible communications alternative it also brings additional vulnerabilities It requires more nodes in its con guration and is 21 characterized by more opportunities for tntnision in addition wireless winerabilities may be compounded by wireless interconnection CCS networks Dig-ital mreless services such as personal conununications systems PCS will rely heavily on the ICE network and therefore will be subject to the combined vulnerabiliues of both technologies Another new network senace Cellular Digital Packet Data CDPD is also a concern CDPD will be implemented by installing data switches mobile data intermediate systems hm-15 in cellular networks These will be 
interconnected through public packet-switched networks such as the lnternet thereby interconnecting PN switching equipment and the lntemet Current Internet protection strategies such as rewalls will not protect Firewalls are designed to restrict the types of traf c allowed from external networks to internal systems but a CDPD MD-IS is speci wa required to route all types of tra 'ic to and from mobile terminals Thus an MDJS is conceptually similar to an Internet router rather than an Internet host system and current rewall technology is not designed to protect intermediate systems or routers 5 9 In The overall sadnerabiliry of the PN is an ino'easitig concern Many of the old vulnerabilities are still there and new ones are being created Computer intruders continue to exploit vulnerabilities that have been well known for years despite the existence of tools to help secunry administrators identify and x holes New technologies and the restructuring ol'the industry will uttro-duce new vulnerabilities Regardless of the technology involved data and services testing and maintenance features administrative services including security administration and communications interfaces to operations systems and other network component are considered potential points of vulnerability The level of concern is increased even more by the rapid proliferation ofinterconnectivity among all these technologies and the degree to which the winerabilities extant in one technology are expected to compound those in another Another aspeCI of this concern is that because of the degree of interconnecrivity and the capabilities of the new technologies the potential impact of a single intrusion incident is becoming greater For easinple an intruder intent on disrupting teleconununications service in a large area could accomplish that objective by disabling a mated pair of 005 signaling transfer points Causing equivalent damage in a non-CCS network would require much more e 'ort because the intruder 
would have to disable many more network elements to achieve the same widespread effect. Further, advanced technologies will require more sophisticated troubleshooting and maintenance tools and expertise, whose development may lag. Therefore troubleshooting and maintenance may be more difficult. As NSIE representatives become increasingly knowledgeable about existing and potential vulnerabilities in the PN, their level of concern grows.

6 PROTECTION MEASURES

Telecommunications service providers and their hardware and software vendors are the first line of defense to protect the PN from computer intruders, and the maximum benefit to secure the PN can be derived by taking full advantage of the tools and techniques available. As customers gain increasing degrees of control of their services, they must also assume their share of responsibility for security.

6.1 Protection Mechanisms

In the 1990 NSTAC Network Security Task Force report, several rational and prudent steps were identified to protect the PN. These techniques are still valid and apply equally to service providers, their vendors, and their customers. Actions to produce near-term results include the following:

- Conducting intensive security evaluations and audits
- Ensuring dial access control (modem security)
- Using existing security features
- Eliminating security holes
- Evaluating and deploying new security technologies
- Controlling proprietary information (documentation storage and disposal)
- Improving skills of the security staff
- Establishing security awareness programs

Over the past few years, the telecommunications industry has responded to perceived risks from electronic intrusions by implementing network security plans and programs. Examples of these kinds of activities include the following:

- Firewalls. There is a growing business need to connect with the Internet and other TCP/IP networks. Implementation of these requirements brings new threats, and firewall technology has
rapidly evolved to address this exposure. In only the past 2 years, the number of vendor products has grown substantially, and numerous features and architectures are available. The telecommunications service providers have been analyzing their needs and deploying firewall products at their Internet access points. In addition, to detect and react to unauthorized use, network management has extended to the firewall with various degrees of effectiveness. However, as noted in Section 5.2, firewalls must be properly configured to be effective.

- Internal network partitioning. Historically, security has been focused on controlling external access to networks. Recently, more emphasis has been placed on developing partitioning strategies to control access from internal users. Internal network partitions also help contain intrusions, recover from attacks, and define network management domains for security. Firewall techniques are being analyzed and implemented to secure critical networks (e.g., those that directly support OAM&P of network elements) from other corporate network applications. Additionally, more attention is being given to assigning users to privilege classes, restricting access to root privileges.

- Strong authentication. The deployment of advanced authentication mechanisms such as one-time passwords has increased dramatically, especially for users with unrestricted network access. Administrative and maintenance-level access to network elements and systems has been a high-profile target for electronic intruders in recent years. One-time password technology, while dramatically reducing the effectiveness of hacker tools such as sniffers, is still evolving to meet network security requirements.

- Security policies. Telecommunications service providers are constantly modifying policies to address security issues arising from new technologies, services, and operations architectures. Policies are being constantly refined and expanded to give direction to internal users and telecommunications vendors. Strong security
policies are the cornerstone of an effective network security program, especially in light of the changing business environments discussed in Section 2.

- Security training and awareness. Good security administration is one of the keys to effective network security. The quality of awareness and technology training has improved over the past few years, enabling staff members to more readily identify unauthorized activity and alert systems administrators. Real security exposures and experiences integrated into hands-on training are increasingly available, both within telecommunications organizations and from outside consultants. In many organizations this training has been expanded to include systems administrators, security personnel, vendors, and users.

- Security standards. The industry is addressing security on various levels (protocols, applications, and architectures) for existing and emerging technologies and services. More resources are needed to identify issues, propose technical solutions, and prototype and deploy security-enhanced capabilities. Also, more attention should be directed toward streamlining security administration and managing security features (Simple Network Management Protocol and the Telecommunications Management Network), which will lead to more consistent, cost-effective, interoperable, and widely deployed security features.

6.2 Security Research and Development

Both Government and industry are engaging in security research and development. The National Security Agency (NSA) and the National Institute of Standards and Technology (NIST) have programs to make the results of their research available to industry. Products resulting from R&D in the private sector may be used exclusively within the company where they were developed or may be made available to other companies through the marketplace. As the public becomes more aware of the security issues associated with the NII, demand for security products is likely to foster even more security R&D. Besides the mechanisms mentioned, the telecommunications
industry has contributed to the development of security requirements for evolving network components, high-speed security-enhanced commercial protocols, and security architectures using security servers.

6.3 Risk Management

Although it is not feasible for organizations to prevent all intrusions from both internal and external sources, they can operate within acceptable levels of risk. Risk management principles suggest that organizations focus on spending resources to deploy safeguards to protect themselves against intrusions that could cause the greatest amount of damage, but be prepared to react to intrusions with lesser risk as needed. Organizations must be able to detect and react to intrusions. Current capabilities do not always detect intrusions; detection is the key to mitigation. Many companies are slow to buy technological capabilities and adequate tools and to provide sufficient numbers of trained system security administrators to do an effective security job, because the perceived risks are low. Awareness of the risks to the network and the implementation of prudent actions are critical steps enabling a cost-effective and sound security program. Exchanging information on threats, vulnerabilities, and remedies, as done in the NSIE groups, helps improve understanding. Similarly, through documents such as this one, the NSIE groups can help increase awareness of network security issues throughout a broader segment of the industry. Increased awareness facilitates increased reporting, elevates management awareness, and results in more support of security activities. Increased awareness and security programs have reduced the opportunity for intruders to gain access by using easily detected methods (modem access, default passwords, and social engineering). However, eternal vigilance in the form of good security management and information exchange, a sustained level of technical and procedural improvement, and a program to continue monitoring network security and eliminating identified
vulnerabilities will be required. Further, security and security awareness efforts in a company need to include the company's contractors, customers, and partners in joint ventures.

6.4 Summary

Government and industry recognize the importance of protecting the PN from electronic intrusions and are continuing to work together toward that goal. A great deal has been done, and additional initiatives are under way to continue to improve security methods and tools, including implementing firewalls (both external and internal to the network), using strong authentication (such as one-time, token-based passwords), developing security standards and R&D programs, establishing strong security policies, and implementing security awareness and training programs. Resources, competition, cost, and convenience may constrain an organization's decisions on security tools and techniques. The industry is applying the principles of risk management in making these security decisions.

7 CONSEQUENT RISK

NSIE representatives believe the overall risk to the PN is greater today than it was perceived to be during the last formal risk assessment in 1993. No specific metrics are available to quantify this assertion; instead it is based on conclusions from industry and Government security professionals participating in the NSIE process. Perhaps in the future this type of data will be available.

For some time the PN has been one of our Nation's most critical infrastructures, providing routine and essential communications capabilities locally, nationally, and globally. Other key infrastructures, such as transportation, utilities, and banking, depend on the PN for reliable communications to fulfill their missions. As the NII continues to evolve, new applications and services will require even more capabilities and capacity from the Nation's communications infrastructure. These new applications and services are expected to create economic growth vital to national and economic security. Risks to the PN are a concern because they pose a risk to
these other infrastructures, our economic health, and ultimately our national security.

The current trend toward increased network interconnection has profound implications for all networks. Security programs are often widely inconsistent, both within and across network domains, allowing attacks to propagate to networks with relatively solid security postures. Therefore, weak security programs in one network can often increase risks in other interconnected networks.

Government and industry have taken actions, both independently and jointly, to make the PN more secure. The NSIE process is a major effort through which Government and industry, through NSTAC, are addressing network security. As a consequence, they have come to realize the following facts:

- Technology alone will not solve the problem. To a great extent, security is a people problem, requiring both the full attention and support of management and the continued vigilance of systems users and administrators.
- There is no silver bullet.
- Protecting the PN is a continuous, dynamic, and growing process. Measures such as training and audits are not one-time efforts, and there is no guarantee that past measures will continue to be effective in the future.
- Security is everybody's problem. Service providers and equipment vendors are responsible for protecting the network components over which they have control. However, as customers gain access to network components that allow them to have greater control over their own services, they must also take responsibility for protecting those network components.
- The changing business environment should prompt periodic reviews of security programs. Efforts to reduce operating expenses frequently entail workforce reductions. Terminated employees have the knowledge and may have the motivation to attack the resources of their former employers; retained employees may become disgruntled or may simply be unable to devote as much time and attention to security-related activities as is needed. Companies that
outsource their work or embark on joint ventures may be exposed to the vulnerabilities of their vendors and partners. Changes in how people do their work, such as telecommuting and the increasing use of laptops, create new vulnerabilities.

The threat to the PN is increasing. Today's computer intruders are older and more purposeful, often motivated by financial gain, and armed with effective automated tools that facilitate software attacks on the PN. There is considerable concern about the ability and motivation of computer intruders to seriously damage the PN itself. Today's intruders share their knowledge and skills and coordinate activities to achieve their objectives. Increasingly user-friendly intrusion tools intensify the threat by lowering the skills required to attack the PN, and their widespread availability increases the number of users who have access to them. Evidence gained in criminal prosecutions continues to substantiate this change in the nature of the threat.

The deterrent capabilities in the U.S. are among the best in the world and are improving. Legislative issues that have hampered the ability of law enforcement to prosecute computer intruders are being addressed. The increasing numbers of prosecutions and successful convictions, in combination with longer sentences, demonstrate that the law enforcement community is increasing its capabilities to investigate and successfully prosecute crimes of this nature. Public education to increase awareness of the consequences of attacks on the PN, both for the individual and for society overall, is just now beginning to emerge, and it is too soon to assess its effectiveness. Although such efforts are needed, they do not generally produce rapid and dramatic changes. Deterrents are usually a reactionary step taken to address a threat; therefore they cannot be expected to keep pace with the level of the threat, particularly because of the rate at which the threat is growing.

The vulnerability of the PN is also increasing. Old vulnerabilities are
still being exploited, despite readily available tools and techniques to eliminate them. New technologies such as IN and ATM are bringing new vulnerabilities into the PN, as are new telecommunications service providers. Because of the increased capabilities and interconnectivity of new technologies, the impact of a single intrusion incident has the potential to be more widespread and severe than with the older technology. Although progress has been made in developing tools to protect the PN, these protection measures have not kept pace with the vulnerabilities, nor have they been ubiquitously applied.

Government and industry recognize the importance of protecting the PN, particularly as society moves towards using capabilities and services offered by the emerging NII. Consequently, they are taking advantage of available protection measures and continuing research into improved methods and tools to strengthen PN security. In addition to the tried-and-true methods (e.g., intensive security evaluations and audits, improving skills of the security staff, and controlling proprietary information), Government and industry are pursuing new tools such as advanced authentication mechanisms and internal network partitioning. However, just as the threat is outpacing the deterrents, the vulnerabilities are outpacing the protection measures.

The bottom line of this risk assessment is the following:

- Reliance on the PN is growing.
- Complexity of the network and its technology, interfaces, and vulnerabilities is growing.
- Deterrents are improving and require continued commitments of resources and coordinated industry and Government efforts.
- Protection mechanisms are improving but have not kept pace with new and emerging vulnerabilities.

In conclusion, the NSIE subject matter experts feel that while a great deal has been accomplished, much remains to be done.

APPENDIX A
The Risks to Synchronous Optical Network (SONET) from Electronic Intrusion

SONET, an industry standard for high-speed transmission over optical fiber, is a
transport vehicle capable of delivering bandwidth in the gigabit-per-second range. SONET technology will form the foundation for future telecommunications transmission networks; inter-exchange and local exchange carriers, as well as many private network operators, are deploying SONET widely. Virtually all new fiber-optic installations by commercial carriers are currently being configured as SONET networks. Because of SONET technology's rapid penetration in the commercial carrier networks, security is important to address. SONET security issues can be grouped into three areas, described below: information security management functions, SONET network element security, and SONET network configuration and operation.

1. Information Security Management Functions

The protocol, under development since 1985, provides many advantages over existing transmission facilities, including flexible bandwidth and network element management. Many in the standards community believe that security concerns were not adequately addressed during the protocol's development. Currently the protocol, as defined in the International Telecommunications Union Telecommunications Standardization Sector (ITU-TSS) M.30 recommendation, allows four basic management levels in the network: network element, network management, service management, and business level management. Within these four levels are embedded a series of management functions that provide basic processes to operate SONET networks. The SONET architecture does not specifically address security as a management function in the SONET hierarchy. The information security management function has been introduced to the standards community to provide a generalized way for network operators to control the information made visible across a network interface. Information security management has received very little attention to date from the standards community. The security function is considered a very general aspect of management, and because the other protocols traversing SONET networks provide
their own security functions, SONET-specific security functions are unlikely to be developed. However, the SONET Interoperability Forum has recently begun to address aspects of the SONET management functions.

Other management functions also have a bearing on information security in networks. The network element management level provides functions such as configuration management, alarm reporting, performance reporting, and cross-connection. The network management level provides functions such as event management, performance management, fault correlation, and dynamic trail control. The service management level provides functions such as billing management, quality of service tracking, customer service packaging, and service contract details. The business management level is not well defined yet, but it is expected to provide functions such as service design and planning, inventory control, and network design and planning. All of these functions could severely affect the performance of a SONET network if compromised.

The SONET protocol defines a 192-kbps section-layer data communications channel (DCC) that functions as an embedded message-based operations channel. The section-layer DCC is reserved for operations, administration, maintenance, and provisioning (OAM&P) messages transmitted by network elements, operations support systems, and network management systems. SONET also defines a 576-kbps line-layer data communications channel. The line-layer DCC is reserved for communication between line termination equipment such as multiplexers. Access to these DCCs can be restricted to authorized users, but adequate security measures have not been designed to effectively protect these channels from electronic exploitation. An intruder who has broken into a DCC could compromise SONET network elements or read, modify, or delete other users' traffic. Until security mechanisms have been designed and implemented for SONET DCCs, they should be considered highly vulnerable.

2. SONET Network Element Security

SONET is identified not
only by its protocol but by the hardware and software that comprise the structure of installed rings. These network elements fall into three basic categories: access, switching, and transport. Specific network elements include ADMs, broadband and wideband digital cross-connects (DCS), digital loop carriers, regenerators, broadband switches, terminal multiplexers, and switch interfaces. ADMs are the primary building blocks of SONET networks; they serve the important function of adding and dropping traffic onto the SONET ring. They are unique to the SONET architecture and are equivalent to the M13 multiplexers found in DS3 networks. Since each access point on a ring has an ADM, information on the ring traverses through each ADM. Proper precautions are needed to physically protect the ADMs, to electronically protect the information traversing them, and to ensure that information is not improperly disclosed or monitored. Other network elements, such as switch interfaces, digital loop carriers, DCSs, broadband switches, terminal multiplexers, and fiber signal repeater stations, need to be considered in a SONET vulnerability analysis as well. Most of these devices can be electronically accessed for many different purposes, including operations, administration, maintenance, provisioning, and testing. Any element used as part of a SONET system should be considered vulnerable to electronic and physical attack.

3. SONET Network Configuration and Operation

Controlling access to the information transmitted across a SONET network is an important concern because of the security issues identified in this assessment. Because of the lack of built-in security features, the security of a SONET network depends largely on its configuration and operation. Because SONET is a relatively new protocol that is just now being implemented widely, security has not been fully analyzed in SONET networks installed by service providers. Security is especially important because SONET network elements are being managed remotely
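The remote-management exposure described here is what the Section 6.1 measures (internal network partitioning in front of OAM&P interfaces, and strong authentication such as one-time passwords) are meant to close. The following is an added example, not code from the report or from any vendor: a constructed management gateway that admits OAM&P sessions only from a management partition and verifies a Lamport-style one-time password chain, so a password captured by a sniffer is useless on replay. The management subnet, account name, seed, and the use of SHA-256 as the chain function are assumptions.

```python
import hashlib
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


def chain_step(value: bytes) -> bytes:
    """One-way function for the password chain (SHA-256 is an assumption here)."""
    return hashlib.sha256(value).digest()


def make_chain(seed: bytes, length: int) -> List[bytes]:
    """Return [H(seed), H(H(seed)), ..., H^length(seed)]."""
    chain, current = [], seed
    for _ in range(length):
        current = chain_step(current)
        chain.append(current)
    return chain


@dataclass
class AdminAccount:
    name: str
    last_accepted: bytes   # most recently accepted chain value; the next password must hash to it
    remaining: int         # one-time passwords left before re-enrollment is required


@dataclass
class ManagementGateway:
    """Constructed gateway in front of network-element OAM&P interfaces."""
    management_nets: List[ipaddress.IPv4Network]
    accounts: Dict[str, AdminAccount] = field(default_factory=dict)
    audit: List[Tuple[str, str, bool, str]] = field(default_factory=list)

    def enroll(self, name: str, seed: bytes, length: int) -> List[bytes]:
        """Keep only the chain top on the gateway; hand the rest to the administrator's token."""
        chain = make_chain(seed, length)
        self.accounts[name] = AdminAccount(name, chain[-1], length - 1)
        return chain[:-1]   # consumed from the end: H^(n-1), then H^(n-2), ...

    def authorize(self, src_ip: str, name: str, otp: bytes) -> bool:
        """Partition check first, then one-time password check; every decision is audited."""
        src = ipaddress.ip_address(src_ip)
        if not any(src in net for net in self.management_nets):
            return self._record(name, src_ip, False, "source outside management partition")
        acct = self.accounts.get(name)
        if acct is None or acct.remaining <= 0:
            return self._record(name, src_ip, False, "unknown account or chain exhausted")
        if chain_step(otp) != acct.last_accepted:
            # A replayed password fails here: H(otp) no longer matches the stored top.
            return self._record(name, src_ip, False, "bad or replayed one-time password")
        acct.last_accepted = otp
        acct.remaining -= 1
        return self._record(name, src_ip, True, "accepted")

    def _record(self, name: str, src_ip: str, ok: bool, reason: str) -> bool:
        self.audit.append((name, src_ip, ok, reason))
        return ok


def new_gateway(cidrs: List[str]) -> ManagementGateway:
    """Build a gateway whose management partition is the given CIDR blocks."""
    return ManagementGateway([ipaddress.ip_network(c) for c in cidrs])


def demo() -> List[bool]:
    """Constructed scenario: valid login, sniffer replay, wrong-partition attempt, next valid login."""
    gw = new_gateway(["10.20.0.0/24"])                    # assumed management subnet
    otps = gw.enroll("sonet-admin", b"constructed-seed", 5)
    first = otps.pop()
    return [
        gw.authorize("10.20.0.7", "sonet-admin", first),        # True: fresh password from management LAN
        gw.authorize("10.20.0.7", "sonet-admin", first),        # False: same password replayed
        gw.authorize("192.0.2.9", "sonet-admin", otps[-1]),     # False: valid password, wrong partition
        gw.authorize("10.20.0.7", "sonet-admin", otps.pop()),   # True: next password in the chain
    ]


if __name__ == "__main__":
    print(demo())
```

The two checks are deliberately ordered: a request from outside the management partition is refused before any password is examined, so the chain is never advanced or exposed to probing from a user LAN, and the audit list gives the detection hook that Section 6.3 asks for.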
These remote connections run over packet data networks. Thus, network elements are vulnerable to electronic intrusions on carriers' internal corporate networks. If these corporate networks are not adequately protected with advanced authentication, firewalls, and other security mechanisms, SONET network elements could be exposed to substantial risks.

Another important implementation issue is related to the interconnection of networks. SONET was originally designed to connect major trunking facilities in telecommunications transmission networks. However, as SONET became more widely accepted in the industry, it evolved into a complete transmission architecture supporting carriers, end users, service providers, and other entities. This evolution has created security issues because SONET does not provide standardized firewall or gateway network elements. Therefore there is no mechanism to filter or restrict traffic traveling between SONET networks and crossing administrative domains. Filtering traffic is especially important in relation to the DCCs mentioned earlier. Since access to DCCs cannot be effectively restricted, many service providers are completely disabling the DCCs because they fear the DCCs may be abused by intruders from other interconnected networks.

In commercial SONET installations, network operators normally protect their network elements with a goal of providing an acceptable level of security that balances perceived risk with the cost of mitigating this risk. The differences between this industry security approach and the Government's national security and emergency preparedness approach may cause some concern in the Government, because both the industry and Government have a great deal of experience with electronic intrusions. However, industry is working to resolve these issues and build security into off-the-shelf SONET products.

APPENDIX B
The Risks to Asynchronous Transfer Mode (ATM) from Electronic Intrusion

ATM is an emerging packet-based switching and multiplexing communications technology. ATM will integrate many different traffic types (voice, data, video, etc.) on a single physical network. ATM was designed to use fiber-optic transmission media and support very high transmission speeds (up to gigabits per second); it can also operate at lower speeds over copper and wireless communications links. ATM can be used for local area networks with a single protocol and to interconnect many different higher-layer network protocols and traffic types. Together, ATM and SONET form the foundation of the Broadband Integrated Services Digital Network (B-ISDN). ATM's role as a major interworking protocol makes the security aspects of this technology critical. Three specific risk areas are discussed below: information security, network element security, and network and security management.

1. Information Security

One of the biggest risks in any network is the monitoring or modification of user information by unauthorized individuals. Protecting this information from unintended exposure is referred to as confidentiality protection. Encryption is increasingly being applied, but providing confidentiality of communications can negatively affect network performance by causing added information transmission delays while data is encrypted. If encryption is implemented at the ATM layer, the mechanisms must introduce as little delay as possible. ATM encryption will require the use of a key distribution and management scheme that is designed to support network speeds and the high-speed applications that run on ATM networks. In certain circumstances, implementing encryption at higher layers may be preferable. Several ATM encryption products are currently being developed.

Preventing disclosure of user traffic to unauthorized individuals is referred to as traffic confidentiality protection. ATM transfers information using fixed-length packets called cells, whose header address values uniquely identify the switching route within a network element. Since each address value is unique only within a network element, each switching element along a network path must be capable of reading the value and changing this address for the next network element. This vulnerability makes it very difficult to protect cell destination information from disclosure during transmission.
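To make the header-disclosure and rerouting points concrete, here is an added example that is not part of the report. The UNI cell header layout, the 48-byte payload, and the HEC polynomial and coset constant are the standard ones (ITU-T I.432); the VPI/VCI values, the switch table, the payload text, and the key are constructed. It parses a cell header, performs the per-hop VPI/VCI swap that a switch does, and then contrasts an unkeyed checksum, which a party able to modify cells can simply recompute, with a keyed MAC, which is the kind of mechanism the integrity discussion that follows calls for.

```python
import hashlib
import hmac
import zlib
from typing import Dict, Tuple

HEC_POLY = 0x07    # x^8 + x^2 + x + 1, the ATM header error control generator
HEC_COSET = 0x55   # constant XORed into the CRC remainder
CELL_LEN = 53      # 5-byte header + 48-byte payload


def atm_hec(header4: bytes) -> int:
    """CRC-8 over the first four header octets, then XOR with the coset leader."""
    crc = 0
    for byte in header4:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ HEC_POLY) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc ^ HEC_COSET


def build_uni_header(gfc: int, vpi: int, vci: int, pt: int, clp: int) -> bytes:
    """UNI layout: GFC(4) VPI(8) VCI(16) PT(3) CLP(1) HEC(8)."""
    word = (gfc << 28) | (vpi << 20) | (vci << 4) | (pt << 1) | clp
    first4 = word.to_bytes(4, "big")
    return first4 + bytes([atm_hec(first4)])


def parse_uni_header(hdr5: bytes) -> Dict[str, int]:
    """Decode the header; raise if the HEC does not match (corruption or tampering)."""
    if len(hdr5) != 5 or atm_hec(hdr5[:4]) != hdr5[4]:
        raise ValueError("HEC mismatch")
    word = int.from_bytes(hdr5[:4], "big")
    return {"gfc": word >> 28, "vpi": (word >> 20) & 0xFF,
            "vci": (word >> 4) & 0xFFFF, "pt": (word >> 1) & 0x7, "clp": word & 1}


def switch_cell(cell: bytes, table: Dict[Tuple[int, int], Tuple[int, int]]) -> bytes:
    """Per-hop label swap: read the incoming VPI/VCI, write the outgoing pair, recompute
    the HEC, forward the payload untouched. The route is readable by anyone who sees the
    header, and changeable by anyone who can edit the table."""
    if len(cell) != CELL_LEN:
        raise ValueError("not an ATM cell")
    hdr = parse_uni_header(cell[:5])
    out_vpi, out_vci = table[(hdr["vpi"], hdr["vci"])]
    return build_uni_header(hdr["gfc"], out_vpi, out_vci, hdr["pt"], hdr["clp"]) + cell[5:]


def crc_protect(payload: bytes) -> bytes:
    """Unkeyed integrity check: detects line errors, not deliberate modification."""
    return payload + zlib.crc32(payload).to_bytes(4, "big")


def crc_valid(blob: bytes) -> bool:
    return zlib.crc32(blob[:-4]) == int.from_bytes(blob[-4:], "big")


def mac_protect(key: bytes, payload: bytes) -> bytes:
    """Keyed integrity check: recomputing the tag requires the key."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def mac_valid(key: bytes, blob: bytes) -> bool:
    expected = hmac.new(key, blob[:-32], hashlib.sha256).digest()
    return hmac.compare_digest(expected, blob[-32:])


def demo() -> Dict[str, object]:
    """Constructed cell on VPI 1 / VCI 32, switched to VPI 7 / VCI 100, then a tampering test."""
    payload = b"OAM&P: set ADM port 3 loopback".ljust(48, b"\x00")   # constructed 48-byte payload
    cell = build_uni_header(0, 1, 32, 0, 0) + payload
    seen_in = parse_uni_header(cell[:5])                  # what an eavesdropper reads before the switch
    seen_out = parse_uni_header(switch_cell(cell, {(1, 32): (7, 100)})[:5])

    key = b"constructed-key"
    tampered = payload.replace(b"port 3", b"port 4")      # same length, different meaning
    forged_crc = crc_protect(tampered)                    # modifier recomputes the unkeyed checksum
    forged_mac = tampered + mac_protect(key, payload)[-32:]   # modifier cannot recompute the keyed tag
    return {
        "route_in": (seen_in["vpi"], seen_in["vci"]),
        "route_out": (seen_out["vpi"], seen_out["vci"]),
        "crc_accepts_forgery": crc_valid(forged_crc),
        "mac_accepts_forgery": mac_valid(key, forged_mac),
    }


if __name__ == "__main__":
    print(demo())
```

The HEC protects only the five header octets, and only against transmission errors: a switch rewrites it on every hop, so it cannot serve as an integrity check on the payload, which is why a higher layer must add a keyed mechanism and the key management that goes with it.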
Cell destination information, in other words, can be disclosed in transit. Without traffic confidentiality protection, an eavesdropper could observe where particular traffic is going simply by looking at the address values. A related vulnerability is that a malicious party who has access to a switch could modify the values, and traffic would be rerouted on an unintended network path.

Protecting user information against modification is referred to as integrity protection. The ATM cell payload does not provide an integrity service. As a result, a higher-layer protocol must provide integrity. Integrity is typically provided using some type of checksum mechanism. As with confidentiality protection, this mechanism may introduce unwanted delays, and it requires a key management and distribution system. A system may provide both the confidentiality and integrity services simultaneously.

2. Network Element Security

ATM network elements include switches, workstation adapter equipment, routers, hubs, and other related equipment. These elements will be in many different places, from private corporations and private service locations to public network service providers and Government locations. A wide variety of network elements could handle information traveling across an ATM network. The degree of security inherent in each of these intermediate elements may vary greatly, and some of them may not meet the user's requirements for security. Consequently, the end user should not send sensitive information without some assurance that the information is protected. This assurance may be achieved through mechanisms the end user controls (confidentiality provided above the ATM layer) or by confirming that intermediate network elements have adequate security. Also, ATM switches are designed to be fast and simple to support the low-latency switching and transmission speeds required for ATM networks. Adding security features may impede this fast transmission. As a result, many overhead services such as security are being performed outside the ATM
network through adjunct devices such as security servers.

3. Network Management and Security Management

Management of ATM networks is a developing area. Standards and interoperability groups such as the ATM Forum are developing network management solutions. However, security and security management are just beginning to be addressed. Network management solutions using the Simple Network Management Protocol (SNMP) and the Common Management Interface Protocol (CMIP) are being considered, but neither protocol is considered to have robust security features. The risk of exposing network management information is expected to help motivate ATM service providers to develop and implement security measures.

As a developing technology, other aspects of ATM are still evolving that may pose risks that have not yet been identified. Examples include the following:

- Traffic management involves definition of traffic contracts, different levels of quality of service, and congestion control mechanisms. Many items published in the open literature indicate that there are still significant theoretical problems in these areas. The security risks cannot be clearly identified and remedied until solutions to traffic management issues are developed and adopted.
- Denial of service, a condition in which authorized users cannot obtain the network services they require. In ATM networks, conditions exist where a rogue network user could flood a network with unauthorized traffic, thereby preventing legitimate users from obtaining services. Developments in traffic management should prevent denial-of-service attacks.
- Increased use of switched virtual circuits (on-demand versus dedicated network connections), logically equivalent to our use of the telephone system today. Initial tests of ATM networks involve mostly permanent virtual circuits, which are dedicated, manually configured connections.

4. Summary

In general, the ATM development community acknowledges that security issues need to be addressed. Because the technology is new and largely
untested, with features developing rapidly, security risks continue to be indeterminate. As an interworking protocol, ATM could serve as the convergence point for networks of many different protocol types. As a result, the security and availability of ATM networks become critical issues that may affect many diverse networks and applications. Although this appendix provides a high-level overview of the risks of ATM, it should not be considered a comprehensive treatment of the security issues surrounding ATM. The most thorough means of evaluating security will include assessment of specific applications and systems.

APPENDIX: ACRONYM LIST

ADM: Add-Drop Multiplexer
ATM: Asynchronous Transfer Mode
B-ISDN: Broadband Integrated Services Digital Network
bps: Bits per second
CATV: Cable Television
CCS: Common Channel Signaling
CDPD: Cellular Digital Packet Data
CERT: Computer Emergency Response Team
CMIP: Common Management Interface Protocol
CPE: Customer Premise Equipment
CT: Computer Telecommunications Coordinator
DCC: Data Communications Channel
DCS: Digital Cross-connect System
DOJ: Department of Justice
E-911: Emergency 911
FIRST: Forum of Incident Response and Security Teams
FIS: Foreign Intelligence Service
GUI: Graphical User Interface
IN: Intelligent Network
IP: Internet Protocol
ISDN: Integrated Services Digital Network
ITU-TSS: International Telecommunications Union Telecommunications Standardization Sector
MD-IS: Mobile Data Intermediate System
NCS: National Communications System
NII: National Information Infrastructure
NIST: National Institute of Standards and Technology
NSA: National Security Agency
NSC: National Security Council
NS/EP: National Security and Emergency Preparedness
NSIE: Network Security Information Exchange
NSSOG: Network Security Standards Oversight Group
NSTAC: National Security Telecommunications Advisory Committee
OAM&P: Operations, Administration, Maintenance, and Provisioning
OMB: Office of Management and Budget
OMNCS: Office of the Manager, National Communications System
PBX: Private Branch Exchange
PC: Personal Computer
PCC: Policy Coordinating Committee for National Security Telecommunications and Information Systems
PCS: Personal Communications Systems
PN: Public Network
PSN: Public Switched Network
R&D: Research and Development
SATAN: Security Administrator Tool for Analyzing Networks
SNMP: Simple Network Management Protocol
SONET: Synchronous Optical Network
STP: Signaling Transfer Point
TCP: Transmission Control Protocol
TCP/IP: Transmission Control Protocol/Internet Protocol
TSP: Telecommunications Service Priority

APPENDIX: REFERENCES

Initial Tasking Document
Memorandum to the Manager, National Communications System, Subject: Public Switched Network Action Plan, from the Chairman of the National Security Council Policy Coordinating Committee for National Security Telecommunications and Information Systems, April 23, 1990.

Previous Status Reports
Manager, National Communications System, Security of the Public Network: A Status Report to the Chairman, Policy Coordinating Committee, National Security Telecommunications and Information Systems, August 1991.
Manager, National Communications System, Security of the Public Switched Network: The Second Status Report to the Chairman, Policy Coordinating Committee, National Security Telecommunications and Information Systems, July 1992.
Manager, National Communications System, Status Report on Security of the Public Switched Network: Report to the Assistant to the President for National Security Affairs, December 1993.
Manager, National Communications System, Status Report on Security of the Public Switched Network: Report to the Assistant to the President for National Security Affairs, January 1995.

National Security Telecommunications Advisory Committee Documents
- Network Security Task Force Reports:
  - Final Report of the Network Security Task Force, June 1992
  - Report of the Network Security Task Force, November 1990
  - Status Report of the Network Security Task Force, August 1991
  - National [illegible] Task Force Report to NSTAC XVII, January 1995
- NSTAC's Network Security Standards Oversight Group (NSSOG):
  - Network Security Standards for the Public Switched Network: Issues and Recommendations, October 13, 1994

NSIE Charters
SYSTEM SECURITY AND INFORMATION WARFARE: NETWORKS AT RISK
Ted Phillips, Booz-Allen & Hamilton Inc., April 1997

Today's Agenda
- Introduction
- System Security Issues: Understanding the Risks
- Telecommunications Industry Trends
- Network Vulnerabilities
- Threats and Case Histories
- Strategies to Reduce Your Risk Exposure

This briefing is based entirely on unclassified and open source information.

SYSTEM SECURITY ISSUES: UNDERSTANDING THE RISKS

Electronic Intruders Are Targeting Core Communications Technologies
Networks are highly interconnected and international; they are very attractive targets for electronic intruders.

Financial Gain Is a Strong Motivator
Many groups have a high level of interest in electronic intrusion skills:
- Organized crime
- Terrorist organizations
- Foreign intelligence services
- Industrial espionage agents
- Private investigators
- Information brokers

During the Past 3 Years Network Attacks Have Increased Significantly
- Intruders have attacked a wide variety of end user systems
- Intruders have attacked all major categories of network elements
- Intruders have attacked all major US telecommunications carriers
- Intruders have attacked many major international PTT networks
- Intruders have attacked all major Internet service providers

TELECOMMUNICATIONS INDUSTRY TRENDS

Industry Trends Will Increase Risk
- Architectural trends
- Technology trends

Industry Competitive Issues
- Financial pressures reduce security's priority
- Metrics to conduct security cost-benefit analyses are not fully developed
- Downsizing reduces worker loyalty and creates disgruntled ex-employees

Privacy and Confidentiality Trends
- Sensitive customer and network information is created and stored on network elements
- Sensitive information is openly exchanged among network elements
- End user systems are directly connected to public networks

Architectural Trends
- Network administration is increasingly shared between carriers, service providers and users
- Customer premise equipment (CPE) is more interconnected with public network elements
- Public network elements are richly interconnected, creating extremely complex network structures
- The communications industry is moving toward a cell-switched architecture

Technology Trends
- Public network elements are virtually all computerized and software-controlled
- Network elements are increasingly complex and difficult to securely administer
- Wireless technology will be important for end user network access

New Technologies Will Increase Risk
- Synchronous Optical Networks (SONET)
- Asynchronous Transfer Mode (ATM) networks
- Internet Protocol version 6
- Digital Subscriber Line technologies
- Advanced Intelligent Networks (AIN)
- Integrated Services Digital Network (ISDN)
- Wireless local loop technologies
- Wireless data networks (CDPD, PCS)
Electronic intruders are developing techniques to attack each of these technologies.

NETWORK VULNERABILITIES

All systems in this diagram have been penetrated at least once in the past 3
years.
[Figure: local exchange carrier and inter-exchange carrier network elements and their support systems; the diagram itself is not recoverable from this copy.]

Network Vulnerabilities (continued)
[Figure: carrier service, network monitoring, engineering and administration systems; details not recoverable.]

Data Network Vulnerabilities: Attack Scenario
[Figure: an attack originating in New York crosses a public data network into a private data network and reaches customer support and switching administration systems; details not recoverable.]

Computer Networks Have a Long History of Intrusions
The Computer Emergency Response Team (CERT) and other similar bodies have averaged 3 advisories a month for the past 3 years.
[Slide: a list of advisory titles from 1991 to 1993. Recoverable items include Sendmail vulnerabilities and exploitation, Novell and SCO vulnerabilities, HP security patch bulletins, attempts to steal passwords, automated probes, UNIX security problems, Cisco access lists, keystroke
logging, a VMS Monitor vulnerability, an ULTRIX break-in, an SGI vulnerability, an AIX BIND daemon vulnerability and TFTP attacks; the remainder is not recoverable.]

The Internet Security "Dirty Dozen"
- Trusted host relationships: .rhosts and hosts.equiv files
- Network File System: world readable or writable exports
- X Windows vulnerabilities: keystroke capture
- rexec/rexd: remote execution without authentication
- FTP servers and anonymous FTP: access without authentication; check for writable areas
- ypbind/ypserv: exposure of the NIS password file
- Default logins: default login/password on PCs, Macs and Novell; accounts such as bin, lp, guest, sysadm, demo, ftp, root and field
- Weak or null passwords: easily guessable or null passwords
- Script vulnerabilities: web server vulnerabilities
- Sendmail: a new vulnerability every week
- Domain name server weaknesses

Exploitation of Trusted Relationships
Over 60% of machines could be vulnerable to software attacks. By exploiting trusted relationships, approximately 85% of machines could be at risk from a single intrusion.

The IP Spoofing Attack
[Figure: a hacker on a compromised host sends a sequence number query to the server, then a forged packet stream with the address of a trusted X terminal across the Internet, assuming the X terminal's identity toward the server.]

Network Configuration Issues
[Figure: a dial-up connection from an Internet service provider into the internal corporate network bypasses the corporate firewall that guards the authorized connection.]

Outsourcing and Vendor Issues
[Figure: a maintenance vendor's IP network and an outsourcing contractor's network reach the internal corporate network through paths that bypass the corporate firewall and its authorized connections.]
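The first item on the Dirty Dozen and the 85% figure on the trusted-relationships slide describe one mechanism: a host that lists another host in hosts.equiv or .rhosts lets that host's users log in without a password, so a single compromise propagates along every such entry, and along the entries of each host reached in turn. The following is an added example, not code or data from the briefing: it parses constructed hosts.equiv/.rhosts contents for a hypothetical eight-host inventory, builds the trust graph and reports how many hosts one compromised workstation can reach by chaining trust. Hostnames, file contents and the helper names are assumptions made for this example.

```python
"""Added example (not from the briefing): blast radius of one compromise through
rhosts-style trust. Inventory, file contents and hostnames are constructed."""
from collections import deque

# Constructed inventory: host -> lines from its /etc/hosts.equiv and root's .rhosts.
# A line naming a host lets that host's users in WITHOUT a password; "+" trusts everyone.
SAMPLE_TRUST_FILES = {
    "ws1":        ["dev"],
    "dev":        ["+   # convenient for the developers, fatal for everyone else"],
    "build":      ["dev", "-ws9"],
    "fileserver": ["build", "dev"],
    "mail":       ["fileserver"],
    "www":        ["mail"],
    "ns":         ["+@admins   # netgroup; not resolved in this example"],
    "vault":      [],
}


def parse_trust_entry(line):
    """Return the host field of one hosts.equiv/.rhosts line, or None for blank/comment."""
    text = line.split("#", 1)[0].strip()
    if not text:
        return None
    return text.split()[0]          # optional second field (user name) is ignored here


def build_trust_graph(trust_files):
    """Map each host T to the set of hosts that admit T's users without a password.
    An edge T -> H means: compromise of T gives interactive access to H."""
    hosts = set(trust_files)
    gives_access = {h: set() for h in hosts}
    for trusting, lines in trust_files.items():
        for line in lines:
            entry = parse_trust_entry(line)
            if entry is None or entry.startswith("-"):
                continue                        # negative entries only shrink trust
            if entry.startswith("+@"):
                continue                        # netgroups need NIS to resolve; skipped
            if entry == "+":
                for t in hosts - {trusting}:    # wildcard: every host in the inventory
                    gives_access[t].add(trusting)
            else:
                gives_access.setdefault(entry, set()).add(trusting)
    return gives_access


def blast_radius(gives_access, start):
    """Hosts reachable from `start` by chaining trust relationships (breadth-first)."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in gives_access.get(cur, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def wildcard_trusters(trust_files):
    """Hosts whose trust files contain a bare '+' (trust every host)."""
    return sorted(h for h, lines in trust_files.items()
                  if any(parse_trust_entry(l) == "+" for l in lines))


def assess(trust_files, compromised):
    """Summarize what one compromised host reaches through trust alone."""
    graph = build_trust_graph(trust_files)
    reached = blast_radius(graph, compromised)
    return {
        "reached": sorted(reached),
        "fraction": len(reached) / len(trust_files),
        "wildcard_trusters": wildcard_trusters(trust_files),
    }


if __name__ == "__main__":
    result = assess(SAMPLE_TRUST_FILES, "ws1")
    print(f"From ws1, {result['fraction']:.0%} of hosts are reachable: {result['reached']}")
    print("Hosts trusting the world ('+'):", result["wildcard_trusters"])
```

Run as a script, it reports that from ws1 six of the eight hosts (75%) are reachable and that dev trusts every host with a bare +; from a host with no trust entries of its own, such as vault, the single + on dev still exposes seven of eight. Negative entries and netgroups are skipped, which is the conservative direction for this check: the result is a lower bound on the reach. In a real audit the same graph is built from the files collected from each host.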
SONET Vulnerabilities
[Figure: a SONET ring connecting a company data facility, company headquarters, an engineering building, a remote site and the company's Internet gateway; the hack originates at the remote site. Other details are not recoverable.]

Signaling System 7 (SS7) and Intelligent Network Vulnerabilities
[Figure: public switched network signaling and intelligent network elements; details not recoverable.]

Financial Systems Are Completely Dependent on Networks
[Figure: information providers (market data, news, research) feeding trading groups and clients over the Internet and private links through servers and PCs; details not recoverable.]

THREATS AND CASE HISTORIES

The Primary Threats to Network Technologies
- Unauthorized disclosure of data
- Disruption or denial of service
- Unauthorized modification of data
- Fraud and financial loss

Threats Include
- Highly targeted, custom-scripted attacks
- Automated attack tools
- Sophisticated surveillance and data gathering
- Hacker toolkits
- Offensive use of network management tools
- Complex stealth and evasion techniques
- Password cracking tools
- Network element attack techniques

Case Histories
- Masters of Deception (MOD)
- Kevin Poulsen
- Kevin Mitnick
- Legion of Doom (LOD)
- The Posse and Internet attacks
- Shadowhawk
- Countries with significant hacker activity

Masters of Deception (MOD)
- Developed and unleashed programmed attacks on telephone company computers
- Monitored data transmissions on packet data networks
- Created new telephone circuits and added services with no billing records
- Changed an adversary's long
distance carrier to illegally obtain calling records
- Sold passwords, access codes and other illegally obtained information
- Destroyed data in computer systems

Kevin Poulsen (aka Dark Dante)
- Allegedly hacked into phone company computers hundreds of times
- Used stolen access codes to access government information, and sold access codes for money
- Compromised several ongoing law enforcement investigations
- Spied on telephone company investigators
- Sold untraceable, unbilled circuits to criminals
- Illegally entered telephone company offices and stole data and equipment

Kevin Mitnick (aka Condor), allegedly
- Attacked telephone central offices
- Stole telco equipment manuals
- Attacked a software development computer and copied proprietary source code programs for the operating system
- Modified this stolen source code to introduce a trap door
- Compromised cellular telephone network equipment
- Implemented a spoofing attack

Legion of Doom (LOD)
- Planted software time bombs in telephone switching centers
- Corrupted pointer tables in signaling switches
- Changed circuit routing tables in traffic switches
- Electronically eavesdropped on telephone conversations
- Traded stolen credit card numbers, calling card numbers and computer system information

The Posse and Internet Attacks, allegedly
- Attacked the Internet with sniffer programs designed to record login IDs and passwords
- Penetrated the primary Internet backbone networks
- In the first 6 months, sniffer programs were discovered on over 500,000 Internet hosts; the number may now be over 1 million
- Individual sniffer programs have captured over 40,000 passwords per day
- The sniffer is now part of the standard hacker toolkit, along with scanner programs and rootkit software
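The IP spoofing attack diagrammed under Understanding the Risks, and the spoofing attack listed for Mitnick above, rest on two preconditions: the victim grants access by source address (the .rhosts problem from the Dirty Dozen), and the server hands out predictable TCP initial sequence numbers. The attacker never sees the SYN-ACK sent to the forged address, so the third packet of the handshake has to carry a guessed ISN. The following is an added example, not code from the briefing: it models both sides of the handshake with a counter-based ISN generator of the kind the early BSD stacks used and with an RFC 1948-style keyed generator, and runs the probe, predict, forge, blind-ACK sequence against each. Addresses, ports, the secret key, the counter constants and all names are constructed for the example.

```python
"""Added example (not from the briefing): blind TCP spoofing succeeds against a
counter-based ISN and fails against a keyed one. Everything below is constructed."""
import hashlib
import struct

ISN_MOD = 2 ** 32


class CounterIsn:
    """Old BSD-style generator: one global counter advanced 128000 per second and
    64000 per connection, so an observed ISN reveals the next one."""
    def __init__(self, base=0x12345678):
        self.base, self.connections = base, 0

    def next_isn(self, now, local, remote):
        self.connections += 1
        return (self.base + 128000 * now + 64000 * self.connections) % ISN_MOD


class KeyedIsn:
    """RFC 1948-style generator: same monotonic clock, but each connection 4-tuple
    gets its own offset from a keyed hash, so a probe from the attacker's address
    says nothing about the ISN issued to the spoofed address."""
    def __init__(self, secret):
        self.secret, self.connections = secret, 0

    def next_isn(self, now, local, remote):
        self.connections += 1
        clock = (128000 * now + 64000 * self.connections) % ISN_MOD
        digest = hashlib.sha256(repr((local, remote)).encode() + self.secret).digest()
        return (clock + struct.unpack(">I", digest[:4])[0]) % ISN_MOD


class RloginServer:
    """Minimal model of the server side of the three-way handshake on port 513."""
    def __init__(self, addr, isn_gen):
        self.addr, self.isn_gen = addr, isn_gen
        self.half_open, self.established = {}, []

    def on_syn(self, now, client, port):
        """Allocate an ISN and remember the half-open connection. The SYN-ACK that
        carries the ISN goes to `client`, so a spoofer never sees this return value."""
        isn = self.isn_gen.next_isn(now, (self.addr, 513), (client, port))
        self.half_open[(client, port)] = isn
        return isn

    def on_ack(self, client, port, ack):
        """Third handshake packet: accepted only if ack == ISN + 1."""
        isn = self.half_open.get((client, port))
        if isn is None or ack != (isn + 1) % ISN_MOD:
            return False
        del self.half_open[(client, port)]
        self.established.append(client)
        return True


def blind_spoof(server, now, attacker, trusted):
    """The attack as diagrammed: probe, predict, forge, then answer blind."""
    # 1. Sequence number query: a normal connection from the attacker's own
    #    address reveals the server's current ISN.
    probe_isn = server.on_syn(now, attacker, 40000)
    server.on_ack(attacker, 40000, (probe_isn + 1) % ISN_MOD)
    # 2. Prediction: with the counter generator, the next connection in the same
    #    second receives probe_isn + 64000.
    guess = (probe_isn + 64000) % ISN_MOD
    # 3. Forged SYN carrying the trusted host's address. The real trusted host
    #    would reset the connection on seeing an unexpected SYN-ACK; the 1994
    #    attack first silenced it with a SYN flood, which this model assumes.
    server.on_syn(now, trusted, 1023)        # return value never reaches the attacker
    # 4. Forged ACK with the guessed ISN. If it matches, the server believes the
    #    trusted host connected, and rlogin will honour its hosts.equiv entry.
    return server.on_ack(trusted, 1023, (guess + 1) % ISN_MOD)


def run_both(now=1000):
    """Return (spoof succeeds against counter ISN, spoof succeeds against keyed ISN)."""
    counter_server = RloginServer("10.0.0.5", CounterIsn())
    keyed_server = RloginServer("10.0.0.5", KeyedIsn(b"constructed-secret"))
    return (blind_spoof(counter_server, now, "192.0.2.66", "10.0.0.7"),
            blind_spoof(keyed_server, now, "192.0.2.66", "10.0.0.7"))


if __name__ == "__main__":
    predictable, keyed = run_both()
    print("counter ISN: spoofed connection established =", predictable)
    print("keyed ISN:   spoofed connection established =", keyed)
```

Against the counter generator the blind ACK is accepted and the server records a session from the trusted address; against the keyed generator the guess is off by the difference of two hash values and the forged ACK is dropped. The model leaves out the SYN flood that keeps the real trusted host from resetting the connection and the retransmission timing a real attacker has to respect, and the keyed variant is the fix, not something the 1997 networks in the briefing deployed.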
Shadowhawk
- Illegally copied the 5ESS switching system source code, valued between $28,000 and $40,000
- Illegally copied source code files worth over $1 million
- Attacked a telephone carrier's computers and installed a trap door password allowing sysadmin access
- Accessed a military computer and destroyed diagnostic files reflecting the operation of the military base's communication system
- Published entry codes to 27 computers, as well as legitimate names, telephone numbers, account names and passwords

Countries With Significant Hacker Activity (based on unclassified open source information)
Netherlands, United States, Hungary, England, Canada, Czech Republic, Germany, Brazil, Bulgaria, Belgium, Israel, Russia, France, Australia, Belarus, Austria, Italy, Turkmenistan, Sweden, Greece, South Africa, Switzerland, Korea, Spain, Malaysia, PRC, Philippines, Japan, Argentina

STRATEGIES TO REDUCE YOUR RISK EXPOSURE

Conclusions
- All aspects of worldwide communications networks are at risk from electronic intruders
- Electronic intrusions are escalating in frequency and severity
- New technologies and other industry trends are increasing risks to both end users and system operators

Risk Management
- Risk cannot be eliminated entirely, but it can be effectively managed
- Your risk exposure can be dramatically reduced by developing and implementing an organizational security strategy: an organizational security policy, system-specific security policies and detailed security procedures
- Your security posture should reflect management's position on security costs and benefits

Risk Can Be Reduced by Implementing New Procedures (from less complex to more complex)
- Establish security awareness programs
- Improve security staff skills
- Perform regular security audits
- Control proprietary information
- Use existing security
features in equipment
- Implement dial access control
- Identify and close security holes
- Design and implement a security architecture
- Implement advanced security technologies

INVENTING AN EXPERIMENTAL SYSTEM FOR NATIONAL LEVEL INDICATIONS AND WARNING FOR INFORMATION WARFARE
Presented by LT Sean Heritage, USN, 8 April 1997
UNCLASSIFIED

A Notional System
The following is an editorial program. The opinions expressed herein are not necessarily those of J2, DIA or the Joint Staff. The following broadcast is not to be used for commercial purposes without the express written permission of the Baltimore Orioles and Major League Baseball.

CONOPS for War Gaming
- Identified as a shortcoming for ES-96; requested for ES-97
- Must cover all areas: network attack, C2W, PSYOP, deception, OPSEC, EW, physical kill
- Indications of attack today are piecemeal and after-the-fact

Sources and Models
- OSD study, DSB study, NSR study for NCS
- Interviews with existing agencies: the terrorism desk in the JCS Alert Center, NORAD, USSPACECOM SPADOC

Experimental Construct for ES-97
[Figure: an IW watch desk that collects indicators of an IW attack against the US from NSA, the NSIEs, the FBI (lead) and its field offices, the Department of Transportation, DOE, the Secret Service, DIA, DISA, the NCS and HUMINT; assesses them; disseminates warnings to the NCA and CINCs; and receives feedback from a reaction center. Details not recoverable.]

Products
- IW Indicators List: country and threat specific; a tickler list based on threat nation capabilities
- Threatcons: estimate of the foreign-based threat; uses six classes of attack; modeled after terrorism threatcons and lists
- Country Specific Threat Library
- Summary of key events
- Status of the infrastructure
- Fusion of
disparate pieces: inner-look sources from CONUS, outer-look sources from military intelligence
- Threatcons
- Advanced warning: evaluate size and intent; evaluate country of origin

INFORMATION WARFARE - DEFENSE: INCIDENT CLASSIFICATIONS AND WATCH CONDITIONS (WATCHCONS)

Class I IW Incidents - Privacy Invasion
Class I incidents are characterized by computer intrusions and attempted intrusions, from a variety of sources, which essentially invade the privacy of individual or organizational computer users of non-classified networks. Class I incidents do not include any evidence of intent to cause damage to the data or networks accessed. This could also be characterized as low-level computer hacking. These incidents could come from either domestic or foreign sources.

Class II IW Incidents - Espionage
Class II incidents are characterized by concerted attempts to penetrate, or actual penetrations of, commercial computer systems to gain unauthorized access to specifically targeted or sensitive information for the purpose of obtaining that information. Class II incidents do not include any evidence of intent to cause damage to the data or networks accessed. These incidents could come from either domestic or foreign sources.

Class III IW Incidents - Military/Government Espionage
Class III incidents are characterized by concerted attempts to penetrate, or actual penetrations of, military or government computer systems to gain access to and/or steal classified information. Class III incidents do not include any evidence of intent to cause damage to the data or networks accessed. These incidents could come from either domestic or foreign sources. Intrusions into unclassified government networks containing sensitive data fall under this category when evidence of foreign involvement or specific targeting is present.

Class IV IW Incidents - Low Level PSYOP/Deception Programs
Class IV incidents are characterized by persistent, long-term, low-level PSYOP or deception programs which
occur at times of mildly increased tension between the United States and an adversary. Typically they include an increase in news items which are favorable to the adversary nation. The original source of these news items may be very difficult to determine.

Class V IW Incidents - Commercial Terrorism
Class V incidents are characterized by penetrations, or concerted attempts to penetrate, the computer systems of commercial businesses in an attempt to electronically destroy or degrade those systems, or to threaten to destroy computer systems in order to extort money. These incidents could come from either domestic or foreign sources.

Class VI IW Incidents - Civilian and Governmental Infrastructure Terrorism and Attack
Class VI incidents usually occur during a time of impending or ongoing crisis with a foreign power. They can include foreign state-sponsored deception, electronic warfare against, and physical sabotage or destruction of, non-military US government information systems. Class VI incidents may also include attacks against the computer systems of key civilian or non-DoD governmental organizations which operate critical elements of the US infrastructure. Those computer attacks may include destructive or degrading electronic codes and viruses, or the insertion of false data.

Class VII IW Incidents - Military Infrastructure Terrorism and Attack
Class VII incidents usually occur during a time of impending or ongoing crisis with a foreign power. They can include confirmed foreign state-sponsored PSYOP, deception, electronic warfare against, and physical attack on or sabotage (destruction) of, US military information systems. Class VII incidents may also include attacks against the computer systems of military organizations which operate critical elements of the US military support structure. Those computer attacks may include destructive or degrading electronic codes and viruses, or the insertion of false data.

WATCHCON 5 - Operations Normal
No significant IW events. No significant rise in the
number of small, isolated IW events. May be characterized by a normal level of Class I events.

WATCHCON 4 - Slight Rise in Events
A larger than normal number of IW events have occurred. No significant events which cause major system damage, outages or losses. No correlation of events to foreign governments. Characterized by a statistically significant rise in the overall number of Class I events. May also be characterized by suspected Class IV PSYOP or deception events. OR: a significant IW event has occurred, but purposeful intent (vice accidental happenstance) cannot be confirmed. May be characterized by a Class II event or events.

WATCHCON 3 - Significant Increase in IW Events
A significant, confirmed IW event has occurred which causes, or has the potential to cause, major damage, outages or losses to the US government, military or business. May or may not be accompanied by a slight increase in the number of IW events. No correlation of this IW event to foreign governments. May be characterized by a rise in the number of Class II, Class III, Class IV or Class V events.

WATCHCON 2 - Significant Increase in Attributable Events
A significant, confirmed IW event or events has occurred which causes, or has the potential to cause, major damage, outages or losses to the US government, military or business. This event or events are possibly or probably correlated to the purposeful activity of a foreign government. The overall number of attributable and non-attributable IW events has increased, with an increase in the number of Class II, Class IV and Class V events. Also characterized by the confirmation of initial Class VI and/or Class VII events being launched by a foreign power. May also be characterized by an increase in the number of Class III and Class IV events.

WATCHCON 1 - Broad Scale Attributable IW Attacks
Significant, confirmed IW events have occurred and are occurring. A number of the events are attributable to a hostile foreign power. The foreign power initiating the events is also involved in hostilities or
crisis confrontation with the United States in other political, international or military arenas. Characterized by a large number of Class IV, Class V, Class VI and/or Class VII events.

KEY DEFINITIONS

Command and Control Warfare (C2W): The integrated use of operations security (OPSEC), military deception, psychological operations, electronic warfare and physical destruction, mutually supported by intelligence, to deny information to, influence, degrade or destroy adversary command and control capabilities while protecting friendly command and control capabilities against such actions. Command and control warfare applies across the operational continuum and all levels of conflict.

C2 Attack: Prevent effective C2 of adversary forces by denying information to, influencing, degrading or destroying the adversary C2 system.

C2 Protect: Maintain effective command and control of own forces by turning to friendly advantage, or negating, adversary efforts to deny information to, influence, degrade or destroy the friendly C2 system.

Command and Control: The exercise of authority and direction by a properly designated commander over assigned forces in the accomplishment of the mission.

Computer Network Attack (CNA): Operations to disrupt, deny, degrade or destroy information resident in computers and computer networks, or the computers and networks themselves.

Counterinformation: Action dedicated to controlling the information realm.

Defense Information Infrastructure (DII): The shared or interconnected system of computers, communications, data, applications, security, people, training and other support structures serving DOD's local, national and worldwide information needs. The DII connects DOD mission support, C2 and intelligence computers through voice, telecommunications, imagery, video and multimedia services.

Defensive Counterinformation: Actions protecting our military information functions from the adversary.

Global Information Infrastructure (GII): An interconnection of communications networks, computers, databases and
consumer electronics that makes vast amounts of information available to users. It encompasses a wide range of equipment, including cameras, scanners, keyboards, fax machines, computers, switches, compact disks, video and audio tape, cable, wire, satellites, optical fiber transmission lines, microwave nets, switches, televisions, monitors, printers, etc. The GII includes more than the physical facilities used to store, process and display voice and data; it also includes the personnel who operate and consume the transmitted data.

Information: Facts, data or instructions in any medium or form.

Information Assurance (IA): Information operations that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality and non-repudiation. This includes providing for restoration of information systems by incorporating protection, detection and reaction capabilities.

Information Attack: Directly corrupting information without visibly changing the physical entity within which it resides.

Information Environment: The aggregate of individuals, organizations or systems that collect, process or disseminate information; also included is the information itself.

Information Function: Any activity involving the acquisition, transmission, storage or transformation of information.

Information Operations: Actions taken to affect adversary information and information systems while defending one's own information and information systems.

Information Superiority: The capability to collect, process and disseminate an uninterrupted flow of information while exploiting or denying an adversary's ability to do the same.

Information System: The entire infrastructure, organization, personnel and components that collect, process, store, transmit, display, disseminate and act on information.

Information Warfare: Information Operations (IO) conducted during time of crisis or conflict to achieve or promote specific objectives against a
specific adversary or adversaries.

Information Warfare - Defense: Protecting the National Information Infrastructure, the Defense Information Infrastructure and interrelated CONUS infrastructures against physical and electronic attacks, and ensuring the availability of those infrastructures for commercial and military use.

Military Information Function: Any information function supporting and enhancing the employment of military forces.

National Information Infrastructure (NII): The NII mirrors the GII but is focused on national instead of global networks and systems.

Offensive Counterinformation: Actions against the adversary's information functions.

Special Information Operations (SIO): Information Operations that, by their nature, due to their potential effect or impact, security requirements, or risk to the national security of the US, require a special review and approval process.

INFORMATION SECURITY TECHNOLOGY AND TRENDS
Presented to the National Commission on Restructuring the Internal Revenue Service, March 13, 1997
Prepared by Joseph Mnhl'ee and Edward Rothenheber, Booz-Allen & Hamilton Inc., 8283 Greensboro Drive, McLean, VA 22102

Note: Special thanks to Armando Gomez and Chuck Laeijan for providing Booz-Allen & Hamilton Inc. the opportunity to brief the National Commission on Restructuring the Internal Revenue Service; to Melissa Hathaway for establishing contact with the information security staff at Booz-Allen & Hamilton Inc. and facilitating the opportunity for the authors to present their views on information security technology and trends; and to Deborah Banning, Rich Dean, Johnnie Evans, Dale Hapeman, Stuart Moore, Mike Otten and Tom Russell for their technical contributions.

BACKGROUND

More than ever, the national security departments and agencies are being
challenged to provide affordable, interoperable and evolutionary network security solutions in a timely manner. Over the last few years they have recognized the dramatic benefits offered by highly interconnected information systems, as illustrated by our nation's dependence on them in all facets of society. However, they also recognize that these systems expose our national information systems to the borderless threat of Information Warfare. So while changes in the political climate have reduced some mission threats, new threats are emerging within the networked world. Over the past year it has become a weekly or even daily routine to hear about successful attempts by hackers to break into networks from around the world with the intent of eavesdropping on, modifying, spoofing or disrupting the information systems and/or the information that they process and store.

Of course, for any Department of Defense (DOD), Federal or commercial security system the ultimate objective is to prevent unauthorized disclosure or undetected modification of user information and system resources while ensuring the availability of the system to authorized users. Typically the national security departments and agencies use six security services, shown below, to achieve this objective:
- Confidentiality: ensures the privacy of the information and prevents an unauthorized third party from reading the data
- Integrity: ensures that the system configuration, application software and associated data have not been modified or destroyed
- Authentication: ensures that the person or system with whom you are exchanging information is in fact the person or system they claim to be
- Non-repudiation: provides positive confirmation that an action took place
- Access control: limits access to the system and its data to those who are authorized
- Availability: ensures the system or information is available when needed

Any of these services may be implemented by physical, administrative, procedural or
electronic mechanisms. Often a combination is employed. From a practical perspective, many of the security services can be implemented with encryption products. In fact, the same product can be used to encrypt the data, authenticate the user, maintain data integrity with digital signatures and support system availability. Trusted security products can also support many of the security services except for confidentiality. However, trusted security products are more expensive and trusted technology is relatively immature. Given that encryption products are more readily available and inexpensive than trusted products, they appear to offer a more reasonable set of solutions for the IRS and other Federal communities.

The assurance provided by any of the security services previously mentioned can be ascertained by determining the strength and correctness of the mechanism that provides the service. For physical, administrative and procedural mechanisms the assurance level is determined by reviewing the processes that are implemented. For electronic mechanisms, empirical or exhaustive techniques are generally used. In recent weeks the news media reported that a high school student required only three hours to successfully break a 40 bit code algorithm. For encryption devices the assurance level, or strength, is largely dependent on the length of the codes used in the algorithm. In national security applications where classified information is processed, or in Federal and commercial applications where privacy is a major concern, higher assurance levels are required, which necessitates the use of longer codes.

The successful application of security services and mechanisms requires security management support for the overall operational environment. Specifically, security management includes the distribution, collection and analysis of management information (keys, audit data, registration data) for the security services and mechanisms. One of the primary issues noted with the implementation of security management functions concerns the distribution of
security management responsibilities across multiple security administrators. For example, one person may be responsible for monitoring the firewall and a second may be responsible for administering the web site. Case studies have shown that hackers often attempt to penetrate multiple points in a network. Unfortunately, news of a potential attack at one point is not always communicated to the other system administrators whose systems may also be under attack. This example highlights the need for the IRS and all defense, civil and commercial organizations to implement a coordinated security management approach.

TRENDS AND TECHNOLOGIES

From the perspective of the national security departments and agencies it is obvious that the ground rules have changed dramatically over the past decade with respect to defining and fielding security solutions. These changes are being driven by several major paradigm shifts in the public and private networking world and within the DoD and Intelligence communities, as shown below:

- Rapid evolution of information technology and systems
- Explosive growth of the Internet
- Evolution from stovepipe to open, integrated multimedia systems
- Increasing public and commercial awareness and concern over network and information security
- Increasing availability and compatibility of commercial network products and solutions
- Transformation from requirements-driven to market-driven solutions
- Evolution from risk avoidance (absolute security) to risk management (adequate or appropriate security)
- Migration from standalone "Black Boxes" to integrated system security solutions
- Transformation from product development to customer service orientation
- Migration from stand-alone systems connected by point-to-point links to networked systems
- New emphasis on security for sensitive but unclassified applications in addition to classified applications
- Unprecedented downsizing, staff turnover and budget reduction

Two obvious challenges that the national security departments and agencies are
facing as a result of these paradigm shifts are (1) keeping pace with rapidly evolving technology and a rapidly emerging network security market in which future directions are sometimes unclear, and (2) continuing to improve security processes and procedures that reflect more of a commercial orientation. In general, the national security departments and agencies are responding to these changes by placing more emphasis on:

- Establishing new policies, procedures and criteria that will adequately address the changing threat environment and yield consistent and reliable security solutions
- Developing security architectures and generic security solutions that may be tailored to meet specific applications
- Defining security standards and protocols that can be integrated into commercial standards and protocols
- Fielding currently available security products and tools that will help them close the front doors to their networks and optimize system performance
- Evaluating and using commercial off-the-shelf (COTS) products and systems

In the following paragraphs we will discuss the efforts being pursued and how they may be applied to the IRS applications.

DEFINING POLICIES, PROCEDURES AND CRITERIA

In the post-cold war environment defense budgets have continued to decline. As such, the notion of perfect security is being replaced with that of affordable security and user-assumed risk. This change, more than any other, is driving the security community to develop and apply improved security analysis procedures, tools and methodologies that can effectively deal with the complexity of modern information systems and provide balanced, cost-effective security solutions. One of the biggest challenges for the defense, civil and commercial communities is to develop and implement policies and business processes that are in many ways equivalent to or better than existing processes. In general, security technology is available or will be available in the very near future. The real challenge is to integrate those technologies in the
context of the business processes. To do this most effectively, the IRS will have to examine their current policies and processes from an information perspective, define a set of security policies and requirements based on the information content, develop a security strategy that takes into account their existing system architecture and their desired system capabilities, and define a migration plan given the current and future availability of security technology. Achieving a common view on security as it relates to the IRS business processes will be paramount, particularly when considering taxpayer trust and acceptance.

Information engineering will be the key for successful integration of security services into any information system. In this process it is most important for the owners of the information to establish the system requirements, including general requirements for security. The security analyst can then work with the system designers and administrators to define the appropriate security solutions based on information content and business practices.

DEVELOPING SECURITY ARCHITECTURES

A system security architecture is a means for describing the structure and organization of the security aspects of an information technology system or application. It provides a conceptual means to grasp how a large, complex system will be made secure without unduly constraining the actual implementation. By defining the security services and functions that must be provided, and the relationship between these security services and functions, the system security architecture provides a foundation for designing and building systems within common structures using consistent standards. This approach promotes interoperability, commonality of security solutions and a thorough understanding of how system security is being provided. The DoD has successfully applied this approach in the development of their security architectures for the Defense Message System and the Defense Information System Network. As the IRS
systems and networks continue to evolve, it will be important that a comprehensive information technology and security strategy be developed from which a system security architecture could be defined. Additionally, it will be increasingly important to model the system architecture in an effort to predict performance issues associated with integrating security services into the network and scaling the network size to meet user (the taxpayer) demands. Developing and modeling the security architecture will allow the IRS to focus on the information content and consistently implement security solutions throughout the networks and systems. The IRS should leverage the results of current security architectures (e.g., the Target Security Architecture for the Defense Information Infrastructure (DII) developed for the DoD) as appropriate. Doing so will promote compatibility between the Defense Information Infrastructure and the National Information Infrastructure.

DEFINING SECURITY STANDARDS AND PROTOCOLS

The national security organizations have made a conscious decision to limit the development of custom products and systems in favor of using commercial off-the-shelf (COTS) hardware and software. To ensure the COTS products incorporate appropriate security services that meet their needs, the Government is placing a significant amount of energy into the definition and development of security standards and protocols. Specifically, the Government is working directly with the national and international standards bodies, such as the Internet Engineering Task Force (IETF), to influence future standards and protocols with respect to key management and other security services. Additionally, they are working with several product vendors and service providers, such as RSA, Netscape and Microsoft to name but a few, to collaborate on the development of security protocols that will be implemented in their respective offerings. By doing so they have taken the burden off the Government to supply their customers with specific security products.
Instead, they have created a market that will promote interoperability and competition for security products and services that may be employed in IRS and other Federal applications.

FIELDING PRODUCTS AND TOOLS

Many security products have been developed to provide security services and to meet threats to information systems and data. These products range from those narrowly designed to provide a specific service, such as encryption, to more general products such as firewalls, which can be configured to provide a variety of services. The products themselves can be loosely grouped into the following classes:

- Firewall: A firewall is used to protect a network from another, untrusted network (e.g., the Internet). Its main purpose is to control access to or from a protected network. Firewalls shield a network from protocols and application services that can be abused from hosts outside the shielded network. Firewalls can generally be configured to meet a user's specific requirements; for example, many firewalls maintain access control lists to identify users who are allowed to enter or exit through the firewall. The range of capabilities of firewalls varies by product and user needs, so care must be taken to select a firewall that meets the operational requirements. Organizations throughout the Department of Defense are deploying firewalls to protect their enclaves from attacks launched from the Internet, and even from their connections to the Defense Information System Network (DISN). For applications where users and third parties log in and access the Web site, it may be appropriate to consider implementing multiple firewalls, or a single firewall with multiple ports, that will permit the establishment of public and private IRS information domains. Most organizations implement a single firewall, which provides some inherent protection; however, if a hacker is able to penetrate the firewall, the hacker in this scenario would have access to the private information.

- Secure Application Packages: Many software developers are including security features
directly into their applications (e-mail, web browsers, database). For example, every computer user is familiar with being prompted to enter a password. These application packages make good use of the network environment by distributing information repositories and allowing multiple users to access and share information. These very capabilities raise specific security concerns with respect to maintaining the confidentiality and integrity of information as it moves through the network and ensuring only authorized users have access to the information. Additionally, with recent developments in the web environment, users are downloading and executing software onto their machines without any assurance in the source or integrity of the software. This capability, while facilitating the transfer of information, creates additional security concerns (viruses, trojan horses). The security being integrated into these application packages presumably addresses these concerns, but the degree of protection varies from product to product. As subsequently discussed in the section concerning Evaluating COTS Products, it would be beneficial to have an independent agent, similar to Underwriters Laboratory, evaluate and disseminate information regarding the security actually provided by a given product in a specific environment.

- Public Key Infrastructure: The public key infrastructure (PKI) supports public key cryptography. Public key cryptography is a special class of algorithms that rely on the exchange of private and public keys between two users on a network. The private and public keys are used to generate the secret code that in turn is used to encrypt the data exchanges between the two network users. These algorithms provide inherent benefits associated with minimizing the logistical burden of having to physically distribute keys to all potential users prior to them being used. With the exception of a few secure voice applications, most of the encryption algorithms used in national security applications today do not make use of public key cryptography simply because the
technology was not available when the systems were developed. However, public key cryptography is clearly the preferred choice for future security applications, particularly given that newer versions of public key algorithms will support higher transmission speeds, provide greater protection and be more efficient.

- Certificate Authority: The certificate authority (CA) supports public key cryptography. The CA is responsible for registering end users, defining their security privileges and providing them with certificates that are used to support public key functions. In many ways an analogy can be drawn between the CA and acquiring a driver's license. Specifically, a driver's license is the certificate a user presents to authenticate his right to operate a car, and a certificate is a mechanism that can be used to authenticate a user to access and operate a remote computer. Carrying the analogy one step further, the Motor Vehicle Administration is responsible for verifying a driver's information, determining his/her rights to operate different vehicles (cars or tractor trailers) and issuing the license. The certificate authority performs a similar operation for the user's PKI certificate. In general, the technology associated with the certificate authority is available today, but the specific policies and procedures are still being defined and implemented by industry. Potential organizations being considered as the certificate authorities include the US Postal Service and banking institutions. Assuming the IRS moves forward with a plan to implement a public key infrastructure, decisions will have to be made as to whether the IRS should use the Federal-wide certificate authority or one unique to the IRS.

- Secure Tokens: The most common means of identifying and authenticating a source is to use passwords. However, significant vulnerabilities have been identified with the use of passwords. Secure tokens have been developed to combat this vulnerability and to provide a more secure means of identifying and authenticating users. The
most common form of a token is a card that contains information specific to a user. For example, the card can contain the user's private key, which in public key cryptography allows the user to authenticate themselves or establish a protected communication connection across the network. The private sector and the national security communities have developed secure token systems. These systems are expected to be used more frequently for commercial and Government applications. However, the IRS will have to decide if a common token may be used for multiple applications (e.g., filing tax returns, trading stock) or if an IRS-unique token would be required.

- Network Intrusion Devices: Network intrusion devices monitor the operation of the user's networks. For example, a network intrusion device will look at unsuccessful login attempts; these attempts could signify that a hacker is trying to penetrate the network. Additionally, these devices can monitor the flow of information and compare it to normal operations to detect unusual activities. State-of-the-art intrusion detection devices use smart technology to analyze information exchanges in real time and cut off the communications link when unusual activity is detected.

EVALUATING COTS PRODUCTS

With the Government emphasizing the use of COTS products to satisfy the majority of their future needs, it is extremely important to have an understanding of all the products that are on the market and determine if the products perform as advertised. Unfortunately, most users of information technology products are unable to keep up with the multitude of security products hitting the market each day. Furthermore, the users generally do not understand the technical details with respect to how the products are configured and operated. They can only rely on information they read in brochures and journals, which often advertise the individual product capabilities as opposed to examining the product in a system context. Evaluating security products from a system perspective is
very difficult, particularly when considering the way systems and networks are customized to meet business objectives. The national security community has established programs and initiatives to monitor the availability of products, evaluate them and make smart decisions relative to their potential system applications. A similar effort to evaluate COTS products for a broader community (i.e., Federal and commercial) would be beneficial.

SUMMARY

Once again, the basic set of security products and technologies are available or will be available in the very near future to support most known information applications. The real challenges lie in the areas of defining the policies and the business processes to take advantage of the security products and services. As appropriate, the business processes will have to change to accommodate the technologies, or in some cases it may be necessary to develop a whole new set of processes. However, as with any system that attempts to automate existing business processes, the real success will be determined by the degree of trust and comfort established with the end users (taxpayers).
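The Public Key Infrastructure and Certificate Authority paragraphs above describe the CA as the body that registers a user and issues the certificate a relying party later checks, in the same way a licensing office issues a driver's license. The Python block below is an added illustration of that flow end to end; it is not code from the briefing or from Booz-Allen & Hamilton. It uses textbook RSA over SHA-256 with keys built from Miller-Rabin probable primes, which is enough to show the mechanism but is not a production signature scheme (no padding, no validity period, no revocation). The key size, subject name and message are constructed for the example.

```python
"""Toy public key infrastructure: a certificate authority (CA) signs each
end user's public key, and a relying party accepts a user's signature only
after checking the CA's signature on that user's certificate.

Added illustration: textbook RSA (no padding) over SHA-256 with keys from
Miller-Rabin probable primes.  Constructed for explanation, not for use."""
import hashlib
import json
import random

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin test; rng supplies the witness bases."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits, rng):
    """Draw odd candidates of exactly `bits` bits until one passes the test."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand

def generate_keypair(bits=512, seed=None):
    """Return (public, private) RSA keys; a seed makes the example repeatable."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p = random_prime(bits // 2, rng)
        q = random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:   # e must be invertible modulo phi
            break
    n = p * q
    return {"n": n, "e": e}, {"n": n, "d": pow(e, -1, phi)}

def digest_int(data):
    """SHA-256 of the data as an integer: 256 bits, so always below a 512-bit n."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(private_key, data):
    return pow(digest_int(data), private_key["d"], private_key["n"])

def verify(public_key, data, signature):
    return pow(signature, public_key["e"], public_key["n"]) == digest_int(data)

def to_be_signed(subject, public_key):
    """Canonical encoding of the certificate body the CA signs."""
    return json.dumps({"subject": subject, "n": public_key["n"],
                       "e": public_key["e"]}, sort_keys=True).encode()

def issue_certificate(ca_private, subject, subject_public):
    """The CA (the licensing office of the analogy) binds a subject name to a
    public key by signing the pair."""
    return {"subject": subject, "public_key": subject_public,
            "ca_signature": sign(ca_private, to_be_signed(subject, subject_public))}

def verify_certificate(ca_public, cert):
    return verify(ca_public, to_be_signed(cert["subject"], cert["public_key"]),
                  cert["ca_signature"])

def verify_signed_message(ca_public, cert, message, signature):
    """Trust the message signature only if the CA vouches for the key."""
    if not verify_certificate(ca_public, cert):
        return False
    return verify(cert["public_key"], message, signature)

def demo():
    """Three cases a relying party sees: genuine, tampered, and a certificate
    the CA never issued.  Subject name and message are constructed."""
    ca_public, ca_private = generate_keypair(seed=1)
    user_public, user_private = generate_keypair(seed=2)
    other_public, other_private = generate_keypair(seed=3)
    cert = issue_certificate(ca_private, "taxpayer-0001", user_public)
    message = b"Form 1040, tax year 1996"
    signature = sign(user_private, message)
    # A certificate signed by any key other than the CA's carries no trust,
    # even though it names the same subject.
    bogus_cert = issue_certificate(other_private, "taxpayer-0001", other_public)
    return {
        "genuine": verify_signed_message(ca_public, cert, message, signature),
        "tampered": verify_signed_message(ca_public, cert, message + b" (amended)", signature),
        "unissued_certificate": verify_signed_message(
            ca_public, bogus_cert, message, sign(other_private, message)),
    }
```

Calling `demo()` returns `genuine` as True and the other two cases as False: the tampered message fails the integrity check, and the certificate that the CA did not sign fails before the user's signature is even examined, which is the point of the driver's-license analogy in the text.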
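The Network Intrusion Devices paragraph above says such a device watches unsuccessful login attempts and compares traffic against normal operations. This added Python example, not part of the briefing, shows one concrete form of the first check: a sliding-window count of failed logins per source address, with a distinct-user count that separates a user mistyping a password from a source cycling through account names. The syslog-like format, addresses, user names and thresholds are all constructed for the example.

```python
"""Count unsuccessful logins per source address in a sliding time window, the
kind of check the briefing attributes to network intrusion devices.

Added illustration; the log format, addresses, user names and threshold are
constructed for the example and do not describe any particular product."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (syslog-like); not captured from any real system.
SAMPLE_LOG = """\
1997-04-08 09:00:01 auth: Failed login for user jdoe from 10.0.0.5
1997-04-08 09:00:03 auth: Failed login for user admin from 192.0.2.77
1997-04-08 09:00:04 auth: Failed login for user root from 192.0.2.77
1997-04-08 09:00:06 auth: Failed login for user guest from 192.0.2.77
1997-04-08 09:00:07 auth: Failed login for user oracle from 192.0.2.77
1997-04-08 09:00:09 auth: Failed login for user admin from 192.0.2.77
1997-04-08 09:00:15 auth: Accepted login for user jdoe from 10.0.0.5
1997-04-08 09:30:00 auth: Failed login for user msmith from 10.0.0.9
1997-04-08 09:45:00 auth: Failed login for user msmith from 10.0.0.9
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) auth: (Failed|Accepted) login "
    r"for user (\S+) from (\S+)$")

def parse_events(log_text):
    """Yield (timestamp, failed, user, source) for each well-formed line.
    Lines that do not match are skipped so a malformed entry cannot stop the monitor."""
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        ts = datetime.strptime(match.group(1), "%Y-%m-%d %H:%M:%S")
        yield ts, match.group(2) == "Failed", match.group(3), match.group(4)

def find_login_failure_bursts(log_text, threshold=5, window_seconds=60):
    """Return {source: (failures, distinct_users)} for every source that logged
    at least `threshold` failed logins within some span of `window_seconds`.
    For each source the largest qualifying burst is reported."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(list)
    for ts, failed, user, source in parse_events(log_text):
        if failed:
            failures[source].append((ts, user))

    alerts = {}
    for source, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                users = {user for _, user in events[start:end + 1]}
                best = alerts.get(source)
                if best is None or count > best[0]:
                    alerts[source] = (count, len(users))
    return alerts
```

With the defaults, `find_login_failure_bursts(SAMPLE_LOG)` flags only 192.0.2.77 (five failures in six seconds across four account names); the single failure from 10.0.0.5 followed by a successful login, and the two failures fifteen minutes apart from 10.0.0.9, stay below the threshold unless the window and threshold are loosened.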