Hendon Publishing - Article Archive Details
Establishing secure, reliable LMR communications
In December of 2009, President Barack Obama issued a proclamation declaring December “Critical Infrastructure Protection Month,” “underscoring the vital importance of the ongoing work and achievements of all in protecting and ensuring the resilience of our nation’s critical infrastructure and key resources.”
The Department of Homeland Security is leading a coordinated national program to reduce risks and improve national preparedness, timely response and rapid recovery in the event of an attack, natural disaster or other emergency. The department, in collaboration with other federal stakeholders, state, local and tribal governments, and private sector partners developed the National Infrastructure Protection Plan (NIPP) to establish a framework for securing resources and maintaining their resilience from all hazards during an event or emergency.
“Critical infrastructure” refers to the physical assets, systems and networks of the nation, including the power grid, cellular towers and the water supply. It also includes the virtual assets, such as computer systems or data networks, that are so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, public health or safety.
Everyone in public safety agrees that protecting the nation’s infrastructure is important, and it only took a few tough lessons from 9/11 and Hurricane Katrina to drive home the importance of interoperability and having reliable, secure communications.
Currently, public safety communications are in a major transition, one that is far more significant than just a switch from analog to digital radio equipment. Land mobile radios and public safety communication systems are evolving at a rapid pace as many agencies switch from conventional analog voice LMR systems to advanced, multi-functional communication platforms that can process voice, data and imagery through cellular phones, satellites, high-speed wireless and Ethernet.
A strong push from the government toward interoperable communications in recent years, backed by grant monies and the recent recommitment by the Obama administration, has helped many agencies upgrade their old equipment to new, state-of-the-art technology. These new interconnected and interoperable communication systems are the wave of the future for public safety and first responders. But despite some successes around the country with individual agencies and regions, many hurdles have to be overcome before all of the nation’s first responders can take advantage of the new technology.
“Fifteen years ago, digital technology didn’t even exist,” said Fred Palidor, the principal consultant and president of Palidor Radio Communications Consultants Ltd. in North Vancouver, BC, Canada. “In those days, they used what were called ‘scramblers.’ Because of the way it was done, it impacted the performance. Radio range was reduced.”
Stuart Palidor, the senior staff consultant at Palidor, said one of the best things about the new digital technology is that it allows for secure transmissions in a reliable format. “It’s looking more hopeful for the future to have encryption,” Stuart said. “Before, there were technological limitations that made it impractical or impossible. With newer technology, it’s a lot easier to do.”
As is the case with most technological advances, one of the biggest hurdles for public safety agencies wanting to upgrade is a lack of funding. That is why a large number of agencies, especially small- and medium-sized agencies, have still not converted to the new technology. Palidor said the government’s mandates are “a little bit idealistic” because while everyone agrees that interoperability and security are important, it is difficult and expensive to execute.
Stuart said within the procurement of the new LMR technology lies a catch-22. The manufacturers need more agencies to convert to digital so the production volume goes up and the costs can go down, but the agencies need the costs to go down before they can convert. But he predicts that in the next five to 10 years, most agencies will have upgraded to the high-tech radio communication systems.
After the Upgrade
Establishing new security measures should be one of the top priorities for any agency that is switching from conventional LMR to multi-functional digital radio. This technological evolution has resulted in systems that rely heavily on computer-based technologies, thereby transforming security concerns from those associated with a traditional radio system into those more commonly associated with large, distributed automated information systems (AIS). These developing systems introduce new services and connectivity options that create a more complex communications environment and new areas for possible threats. The degree of risk associated with a system depends on the likelihood of a threat being carried out and the severity of associated vulnerabilities.
Establishing security guidelines for all types of communication is a critical first step in ensuring the incorporation of adequate security controls and best security practices in public safety LMR systems. New LMR security controls are being looked at by many agencies and various government panels; yet many do not address minimizing the vulnerability of radio systems to computer-based threats.
One risk assessment by the Public Safety Wireless Network found LMR security standards deficient in a number of areas, including authentication, access control and accountability. These deficiencies result in a host of potential problems. The assessment revealed heavy reliance on encryption for confidentiality of communications, rather than the use of AIS-based security features for total system security.
Before an agency begins to rewrite a security policy, a risk assessment must be conducted. It is important that the degree of sensitivity of information be assessed by considering the requirements for availability, integrity and confidentiality of the information. Through this analysis, the value of the system can be determined. This value is one of the first major factors to be determined in risk management.
Palidor said the risk assessment is important because an agency can pay for different levels of encryption. If something is extremely confidential, the encryption must be high. If information is not as important to keep secure, an agency need not spend the money for the very best encryption technology. The assessment should also determine the strengths and weaknesses of the system in place. Once that has been done, a policy can be formulated.
The Security Policy
A security program must include security plans, procedures and other documented security safeguards to meet the set of regulations, rules and practices that direct how an agency manages, protects and distributes sensitive information and communications.
The written policy must include user regulations, expectations and responsibilities, as well as a protocol to be implemented in the case of a system incident. A system incident could be any adverse event threatening the confidentiality, integrity or availability of the LMR information assets, information systems and supporting networks. This could include malicious code (Trojan horses, viruses or backdoors), unauthorized scans or data mining, intrusion and insider attacks.
The standards should address areas of administrative security, physical security, computer security, communications security, radio security, and mobile computer terminals (MCT) and mobile data terminals (MDT) as they relate to LMR systems.
The policy should also include the following: the purpose of the policy, the roles and responsibilities of various players, the role of the security manager or system management office, definitions of the various levels of data classification, and the consequences of breaking said policy. To ensure understanding of the policy, each member should undergo security awareness training and provide proof of completion to the system management office and the user’s immediate supervisor.
The policy itself should cover a variety of issues including the most basic security measures, such as not writing passwords down, to the most complex issues of encryption and AIS-based security. The following policy outline is based on recommendations of the Public Safety Wireless Network and other government panels and experts. Administrative Security Administrative security should ensure the confidentiality, integrity and availability of the LMR system. A security manager or security officer needs to be established to manage the day-to-day security activities of the agency. The chosen person needs to undergo a thorough background check before being put in charge of sensitive information.
Administrative security is important regardless of the technology employed. Existing analog LMR systems as well as evolving computer-based LMR systems should have solid administrative security programs.
Administrative security policy consists of policy statements about security documentation, security training, system development lifecycle controls and personnel security.
System Development and Maintenance
The system development and maintenance policy ensures integrity throughout the system lifecycle. The system development and maintenance should include:
Software should be developed in a controlled, secure environment and delivered using authorized carriers.
No one should alter, change, configure or use the operating systems, programs or information systems except as specifically authorized by the security officer.
No outside, personally owned hardware, software, shareware or public domain software should be installed or used on the agency network. Furthermore, users should not change, configure or use operating systems, programs or information systems except as specifically authorized by the network administrators or their supervisors.
All agency members are required to report any suspicious output, files, shortcuts or system problems and notify the system manager when access to the ALMR System is no longer needed due to mission completion, project transfer, retirement or resignation.
Security Awareness Training
Security awareness and training is a continual process that educates all individuals in an agency about its security policy, including best security practices and procedures. This is one of the simplest measures to be taken to keep your agency from accidental breaches in security, but in other ways, it can be challenging to implement due to budget restraints and time.
Ideally, the security awareness and training should be provided to all agency employees and contractors who will use or manage the system. The training should include radio- and system-related threats and emergency operations. Periodic refresher training should be provided for each group of users, and an ongoing awareness program should be created to ensure that all users are kept aware of both old and new threats to the system.
Training is important so that users know which radio channels are secure and what type of information should be handled on which channels. Especially when interoperability is concerned, users need to know how they may operate in “clear mode” when talking to another agency and when it is appropriate. Some agencies may opt not to have a “clear mode” on their radios at all because they are concerned that secure information might accidentally get transmitted on the wrong channel, according to Palidor, which can then affect interoperability with other agencies. Training certainly needs to address this issue.
One relatively inexpensive way to conduct the security training is to set up do-it-yourself training in a secure online environment. This could include reviews of written security materials, video demonstrations, briefings, tests and more. This way, individuals can do the training at a convenient time, and overtime can be minimized for the agency.
All agency employees and contractors should undergo a screening before hiring. The personnel security policy ensures that all personnel, including employees and contractors, with access to the system have the proper “need to know” for information to which they have access. Users with special privileges such as system administrators should be properly investigated before they are given access to the system. People placed in sensitive positions or authorized to bypass significant technical and security controls on the system should also undergo a background check.
All routine, on-site maintenance functions should be performed by hardware and systems software specialists who have been cleared to the highest level of information processed by the system. Office cleaning personnel should not be overlooked in the background checks as they often have unsupervised contact with equipment after hours.
Users should have proper need-to-know information to which they have access and should not attempt to access or process data exceeding user/system classification levels. All the data created, copied, stored or disseminated from the systems should be safeguarded and marked with the appropriate classification level so there is no confusion as to what a person is allowed to access or not. Access levels also apply to control information, software, hardware and firmware.
Information from the system should not be disseminated to anyone without a specific need to know as verified by the security manager or assigned agent. And it goes without saying that users should be prohibited from using any of the equipment or information for personal or financial gain, illegal or otherwise. Make sure users know they will not only lose access privileges if the policy is broken, but they will also be subject to all U.S. criminal, civil and administrative laws regulating appropriate use of government information systems.
Software and Data
Radio system managers need to ensure the integrity, confidentiality and availability of the software that controls their systems’ operations and the data the systems process. Therefore, procedural safeguards should be established to protect the software and data from accidental or deliberate modification, destruction or disclosure. To do this, the object and source code for system software should be securely stored when not in use by the developer. All the software development activities should take place in a controlled facility, and sensitive data stored on removable media should be placed in an appropriately controlled container or facility. Critical data should be backed up regularly and the backup media (e.g., hard drives, DVDs) need to be stored in a secure, alternative location.
The physical security policy addresses the protection of communications equipment and facilities that house the equipment. Facilities may include buildings housing communications centers, network management systems, remote tower sites, dispatch centers and maintenance and backup facilities. Physical security controls should be implemented at all sites, including the following: access controls for facilities such as electronic access devices, keys, guards and alarm systems; fenced perimeters and surveillance cameras; proper visual identification of employees and visitors (i.e., badges); a visitor’s log and an escort for all visitors; and additional access controls for rooms that house file servers.
Furthermore, proper environmental controls such as air conditioning, smoke alarms, fire extinguishers, emergency lighting and uninterruptible power supplies should be provided and periodically tested at each facility.
As previously mentioned, a significant feature of evolving LMR systems is the increasing extent to which the radio systems are managed by computerized means. Interfaces between system components are also increasingly likely to occur via network connections.
“The key here is that it doesn’t start and end with radio users,” Palidor said. “The encryption has to be throughout the entire network, from the original inputting source all the way to the outputting source. You have to make sure the entire network is secure.”
Computer security focuses on authentication, access control, auditing and object reuse. The proper controls should be in place to authenticate the identity of users in accord with any access control policies and to validate each user’s authorization before allowing the user to access information or services on the system. This can include unique user IDs, passwords, security questions or any biometric devices that allow access such as a fingerprint scan. On the management end, authentication data needs to have the utmost protection from unauthorized access.
An ongoing audit and periodic analysis ensures that all users are held accountable for their actions and that attempted and actual security violations are detected. The system needs to track an audit trail of security-related events, such as when users log on and off the system and when the administrator functions are utilized. The security-related events should be traceable to the user or process responsible for initiating the event.
One often overlooked security measure for computers is to disable inactive user accounts. It is much easier for a threat to go unnoticed if the account is no longer on anyone’s radar. And finally, having an object reuse policy safeguards the confidentiality of information stored in the LMR system and protects it from unauthorized access. Thus, storage media containing sensitive information, including computers themselves, hard drives, flash drives, CDs and DVDs, need to be completely empty before reassigning that medium to a different user. If they are no longer needed, the information needs to be erased or the device needs to be destroyed.
Some of the radio security part of the policy should be easy to configure as it is likely already in place in some form with the older generation of radios. However, the new policy needs to take into account the new technology. Authentication procedures should be established to ensure the authenticity of radio transmissions and to ensure only authorized radios are used for communications.
Radio management controls should be in place throughout the radio lifecycle (i.e., inventory control, lost and stolen radio controls, and disposal or destruction of unused radios). All of the radios must be checked and maintained to make sure communication from car to car and car to dispatch center are available 24 hours a day.
Transmission Security and Encryption
The transmission security policy goal is to ensure the confidentiality and integrity of information transmitted among the LMR system components and to prevent interception and exploitation by means other than cryptoanalysis and from jamming.
Adding encryption to radios can be costly—around $500 to $700 extra per radio. So depending on how many radios are being deployed, that could be thousands or even millions of dollars. But Fred and Stuart Palidor said having a secure network is one of the highest priorities of agencies and probably even more important than being interoperable.
“If we think about the individual agencies, interoperability is important,” Fred Palidor said. “But when you think about it on a daily basis, it’s a miniscule part of their operations.”
But wherever interoperability falls on an agency’s priority list, in order to get grant money for encryption or added radio security, an agency may have to fold it into a larger grant application about interoperability because that is where the funding is, Fred Palidor said. Once funding has been secured, end-to-end encryption should be implemented to ensure secure communications, and all encryption devices should be physically secured when unattended or not in use. The key management custodian is in charge of keying materials security.
According to the APCO P25 SoR, over-the-air-reprogramming (OTAP) messages should be encrypted with a FIPS-approved encryption algorithm to provide confidentiality for message contents. In addition, the following security services should be applied to OTAP messages: authentication, integrity and replay protection. Beyond encryption, controls such as frequency-hopping, intentional radio channel interference and spread spectrum should be in place to provide communications transmissions with adequate protection from the threats of interception, exploitation, and both intentional and unintentional interference. Over-the-air-rekeying (OTAR) of encryption devices should also be supported by the system.
Contingency and disaster recovery plans should be developed that provide for continuity of operations and alternative-site arrangements. These plans need to consider possible and likely natural disasters, weather phenomena and terrorist activity. Arrangements need to be made for an alternative operations center; backup equipment with available communication paths; off-site storage facilities; and copies of all standard operating procedures, emergency procedures and contact information for personnel and contractors.
The contingency plans need to be updated regularly to ensure they provide continuity of operations for the agency at all times, including all new and old technology being used.
Having an alternative site and backup communication systems can be another one of the most costly parts of the security plan, but it is an essential part of security. Many agencies are finding that establishing an alternative site for backup communications and data systems is more cost effective if done in concert with a partner or multiple surrounding agencies. This can reduce the costs per agency and may assist in regional communications and interoperability goals as well.
Once the emergency operation plans are in place, they should be tested periodically with the alternative power sources, paths and equipment. Conclusion If your agency has secured the money and go-ahead to upgrade to a digital LMR communications system, the biggest challenge has been overcome. But agencies that have procured new equipment shouldn’t rest on their laurels before establishing and implementing a sound security policy. It only takes one security breach to endanger the lives of your officers or the public. Not to mention, fixing a security issue after the fact can be extremely costly, embarrassing and can lead to untold amounts of downtime for your equipment. Officials should take a close look at their LMR security policies now and make sure they cover the most updated technology to ensure the integrity, availability and confidentiality of their communications and data.
Candy Phelps is a freelance writer and the former managing editor of Public Safety IT Magazine.
Published in Public Safety IT, Jan/Feb 2010
Rating : 9.0
Click to enlarge images.