Just how safe is our National Telecommunications Infrastructure?
Can we trust any networking equipment?
Alongside the relentless stream of attacks by cybercriminals lies the threat from hostile nations. Rogue governments may be less of a threat to your personal privacy and security but the threat to national security is critical. My ‘Somewhere Under The Sea’ blog in December discussed the threat to our undersea cables. A similar level of risk applies to land-based communications infrastructure. The nature and accessibility of connected devices may make an attack on our land-based public telecommunications network infrastructure a much easier and potentially less costly proposition.
My first apprenticeship placement was on Telephone Exchange Maintenance. During my first tour of Brixton Telephone Exchange I was shown some switches that I was told must never be touched other than in times of national emergency. These switches prevented call initiation from all but the emergency services. This was a failsafe to prevent intense demand on the telephone network causing our telephone exchanges to grind to a halt. I was told (in 1973) the last time these switches had been used was in 1952 when King George VI died.
Our latter day national telecommunications network designers had catered for what was in effect a distributed denial of service attack, albeit an innocent one and something that would have been impossible to recreate to order. The critical national infrastructure must be protected, that is a given. The telecommunications sector is identified by the government as one of the top ten sectors and is, therefore, officially part of the Critical National Infrastructure (CNI). If our national telecommunications network fails, partially fails or is compromised we stand to lose all network services such as fixed and mobile telephony, TV, radio, the internet and more. It is deemed critical because it meets all four of the government's criteria for the CNI: could cause large-scale loss of life, could have a serious detrimental effect on the national economy, could have other grave social consequences and is of immediate concern to the national government.
In the event of a national disaster the ability to communicate is vital. Without the ability to communicate, other sectors of the Critical National Infrastructure could also be disrupted, including water, sewage, gas and electricity. Roads would come to a standstill and there would be no deliveries to shops. All of this would be likely to plunge the UK into anarchy within a few days.
There is so much at stake on a national scale but just how vulnerable is our national telecommunications infrastructure? We would certainly hope the telecommunications giants are robust when it comes to their security policies and procedures, but mistakes can be and are made. One of the greatest vulnerabilities could be a lack of diversity in the underlying technical solution.
When the telecommunications infrastructure comprised independent local telephone exchanges served by a hierarchy of trunk switching centres, each exchange and centre was its own entity with minimal common points of failure. There were critical elements that could bring the entire trunk network down, such as the central timing source for the network. These timing sources were fixed hardware components with no external access, so any attack on the heart of the network meant the attacker had to be in the building and in the same room, having first learned the building and the location of the room. The risk was therefore very low.
The current telecommunications infrastructure is significantly different. Many years ago I was involved in a legal battle between a very large building society and two very large vendors. The customer was suffering with intermittent problems across 1,500 sites. The network depended on the equipment from the two manufacturers but there was a suspected interaction problem and neither vendor would accept responsibility. As a result, the two vendors were finger pointing at each other and the customer was caught in the middle. After several days I discovered a design fault with one of the items of equipment: in certain conditions, one of the facility modules on the equipment inserted two additional bytes into the data stream, causing the error check mechanism to fail. The problem was confined to one of the manufacturers and on this occasion the other manufacturer had a clean sheet.
When presented with the evidence the manufacturer with the faulty equipment accepted liability and applied appropriate resource to resolve the problem to the customer’s satisfaction. This entire process took several months and cost the customer dearly. It highlighted the age-old problem of having all our eggs in one basket. A lack of diversity in the network meant that a single problem was multiplied across the 1,500 sites causing widespread disruption. With this in mind, could a lack of technology diversity (or vendor diversity) be the greatest vulnerability in our national telecommunications infrastructure?
Why would we not deploy standard equipment from a single manufacturer across an entire network? Having a single source of equipment has many obvious benefits for the ongoing maintenance and support of the network. However, if a vulnerability is found in one piece of equipment there is a strong probability the vulnerability will exist across the network.
Software vulnerabilities are being identified and patched at an alarming rate. Our national telecommunications providers will also be using very sophisticated security monitoring to detect and protect their network from constant attacks. But how do we know for sure the silicon has not been compromised at source?
There have been reports in the past of equipment sold and deployed on a grand scale with back doors configured in the software to create an intentional security bypass. More sophisticated intentional security flaws might include a means of covertly forwarding data. I remember a research report published in 2014 showing how a light beam could be manipulated to insert data that was invisible or ‘cloaked’. In effect the system created a gap or hole in time to allow data to be dropped into the gap and the gap closed behind it. Cloaking may not have made it out of the research laboratories, but four years is a long time so can we be sure? It also begs the question, what manufacturer would want this in their product?
Sophisticated spying technology such as this may not be of interest to manufacturers or even cybercriminals, but it would be to hostile nations. What if an intercept of this kind was built into the silicon design of every switch, router and firewall or maybe just the fibre optic interfaces? Is it really that inconceivable? Our government’s own Telecoms Resilience document advises business to “Ensure diversity of your technology”. As I discussed in my “Somewhere Under The Sea” blog, when the defence (or successful attack) of a nation is at stake the ability to proactively eavesdrop, influence or take out your opponent’s telecommunications infrastructure yields significant advantages.
Software Defined Networks have the potential to reduce this risk to some extent as it is possible, albeit not in every case, to source hardware from one manufacturer and source the software from another. But the legacy (but still relatively new) equipment within the critical telecommunications infrastructure may still pose a risk. Fortunately, this equipment is reaching end of life significantly faster than the previous generation of equipment.
I think it appropriate to end with the words of the Greek philosopher Heraclitus which ring very true in relation to the security of not only our critical telecommunications infrastructure, but also our own business infrastructure: