Eight Ingredients of Infrastructure: A Systematic and Comprehensive Framework for Enhancing Network Reliability and Security Karl F. Rauscher, Richard E. Krock, and James P. Runyon Controlled improvement in the reliability and security of any system requires a comprehensive analysis. This requires the systematic identification of the fundamental underlying components of the system using a rigorous discipline. If successful, this process will illuminate areas for concern and identify areas for potential system enhancements. Such comprehensive analysis can be conducted for communications infrastructure using a framework of eight ingredients. This paper will explore these eight ingredients and identify their usage in vulnerability analysis and best practice identification for enhancing the reliability and security of communications infrastructure. 2006 Lucent Technologies Inc. Introduction The communications infrastructure is now recognized as the key infrastructure upon which all other critical infrastructures depend [11]. These other critical infrastructures include: transportation, banking and finance, public health, law enforcement, energy, water, agriculture, government, and others (Figure 1). The reliability and security of the communications infrastructure are vital for the ongoing operation, control, and support for these other infrastructures on which our national security, economy, and our way of life depend. In the early 1990s, the FCC chartered the Network Reliability and Interoperability Council (NRIC) [5], an industry-based FCC advisory group chartered under the FACA (Federal Advisory Committee Act), to address the reliability and interoperability of the national communications network. Biannually, the FCC has re-chartered NRIC to focus on various areas of concern, beginning with network reliability and subsequently on network signaling reliability, Y2K preparedness, packet-switched networks, homeland security, and emergency. This is shown in Figure 2. Network reliability, interoperability, and security recommendations in the form of NRIC best practices (BPs) have been developed by communications experts for use within the industry. Prior to NRIC V, best practices were developed from an historic analogy perspective. Analysis of previous network outages by industry experts was used to identify best practices to address these past events (i.e., network outages). Starting with NRIC V, development of BPs has been refined and extended, based on the NRIC charter, by leveraging a systematic and rigorous process that analyzes not only past events, but includes looking at Bell Labs Technical Journal 11(3), 73 81 (2006) 2006 Lucent Technologies Inc. Published by Wiley Periodicals, Inc. Published online in Wiley InterScience (www.interscience.wiley.com). DOI: 10.1002/bltj.20179
possible problems that may not yet have happened based on knowledge of the inherent vulnerabilities [10]. This required developing a systematic way of categorizing the communications infrastructure. The eight ingredient framework shown in Figure 3 has been proved to be thorough and comprehensive in the description of communications infrastructure. These eight ingredients are the following: 1. Human. Humans operate the network and present one of the most complex vulnerabilities to analyze. The human ingredient includes intentional and unintentional behaviors, physical and mental limitations, education and training, humanmachine interfaces, and personal ethics [2]. 2. Policy. Policies include any agreed or anticipated behavior between entities, such as companies or governments. They include agreements, standards, policies, and regulations (ASPR) and provide a framework that defines the expected interaction between government and the communications industry. 3. Hardware. The electronic and physical components that compose the network nodes include the hardware frames, electronics circuit packs and cards, metallic and fiber optic transmission cables, and semiconductor chips. 4. Software. Today s complex communications networks gain their power and flexibility from the computer code that controls the equipment. This category covers all aspects of creating, maintaining, and protecting that code, including physical storage, development and testing of code, version control, and control of code delivery. 5. Networks. Networks include the various topological configurations of nodes, synchronization, redundancy, and physical and logical diversity. 6. Payload. The purpose of a communications network is to deliver some form of communications, be it voice, data, or multimedia. The payload category includes the information transported across the infrastructure, traffic patterns and statistics, information interception, and information corruption. 7. Environment. systems are in the physical universe and, as such, operate in various Panel 1. Abbreviations, Acronyms, and Terms ASPR Agreements, standards, policy, and regulations ATIS Alliance for Telecommunications Industry Solutions BP Best practice CQR Quality and Reliability FACA Federal Advisory Committee Act FCC Federal Commission IEEE Institute of Electrical and Electronics Engineers NGN Next-generation network NRIC Network Reliability and Interoperability Council NRSC Network Reliability Steering Committee NSTAC National Security Telecommunications Advisory Committee Y2K Year 2000 environments. These environments range from temperature-controlled buildings to installations exposed to harsh conditions such as outside terminals and cell towers that are exposed to inclement weather, trenches where cables are buried, space where satellites orbit, and the ocean where submarine cables reside. FINANCIAL PUBLIC HEALTH COMMUNICATIONS INFRASTRUCTURE TRANSPORTATION Other infrastructures Figure 1. Other infrastructures dependency on the communications infrastructure. LAW ENFORCEMENT ENERGY 74 Bell Labs Technical Journal DOI: 10.1002/bltj
Reliability Interoperability (Telecom Act of 96) Y2K Packet switching Homeland security Emergency NRC I 1992 NRC II NRIC III NRIC IV NRIC V NRIC VI NRIC VII 2005 Systematic vulnerability assessment Historic analogy NRC National Reliability Council NRIC Network Reliability and Interoperability Council Y2K Year 2000 Figure 2. Historical overview of NRIC charters. Human Hardware Networks Environment Policy Software Payload Power Figure 3. Eight ingredients of communications infrastructure. 8. Power. Without electrical power, electronic systems simply don t work. The power required for communications networks includes the internal power infrastructure, batteries, grounding, cabling, fuses, back-up emergency generators and fuel, and commercial power. This eight ingredient framework has been proven to be very useful by key industry-government-academic fora. First used by the IEEE Technical Committee on Quality and Reliability (CQR) to anticipate the challenges of emerging technologies, it has been used by the FCC Network Reliability and Interoperability Council (NRIC) toward the development of vulnerability-based best practices, by the ATIS Network Reliability Steering Committee (NRSC) to identify possible influencing factors driving observed improvements, and by the President s National Security Telecommunications Advisory Committee (NSTAC) [4] to prepare for next-generation networks. The framework has enabled subject matter experts to conduct complete analyses, assessments, and reviews, despite an enormous and very complex scope. The very challenging and critical missions of these and other groups were greatly assisted by the comprehensive attributes of the framework. Further, the framework of eight ingredients has been shown to extend beyond current legacy networks, to be equally effective in understanding future networks (i.e., next-generation networks) and other infrastructures (e.g., energy). Vulnerability Analysis Using the Eight Ingredients Vulnerability analysis is a distinct approach to protect a system from unknown threats. This is in contrast to the most commonly used threat-based approaches, which are based on reacting to previously seen or anticipated new attacks. A vulnerability is a characteristic of the communications infrastructure that renders it, or some portion of it, susceptible to damage or compromise. A threat is an exploitation of one or more vulnerabilities that results in damage to DOI: 10.1002/bltj Bell Labs Technical Journal 75
or compromise of the communication network or some portion of it [6 10]. Vulnerability While the communications industry may be surprised by the particular method of a future attack (either by terrorists or nature), it should not be surprised by a threat exploiting vulnerabilities to damage communications. The people who design, build, and maintain these communication systems and networks know the nuances of their systems and the points at which they are vulnerable. By systematically addressing these vulnerabilities, the communications industry can directly prepare for any number of unknown threats attempting to exploit those vulnerabilities. Figure 4 illustrates a vulnerability within one of the ingredients. The rectangular box represents one of the ingredients essential to the operation of the communications infrastructure. The finite number of vulnerabilities in each ingredient is illustrated with the circular hole(s) in the box. The vulnerability-based approach has fundamental distinctions from the traditional threat-based protection methods, and is vital for optimally protecting the reliability and security of the network. For example, prior to the September 11, 2001, event, the airline industry knew of the cockpit door access vulnerability, but had not previously seen that vulnerability being exploited as it was that day when the airplane was used as a missile. Similarly, the communications industry must identify and effectively address its vulnerabilities to protect itself from some yet unenvisioned forms of attack or exploitation that would compromise the reliability and security of the network. For example, cyber security vulnerabilities could be used in an attack on the communications infrastructure and compromise the reliability of the system. The primary objectives in assessing vulnerabilities are: 1. Be complete: do not overlook anything. 2. Master knowledge: understand the nature of each susceptibility fully. 3. Recognize distribution: capture all instances of a vulnerabilities presence. 4. Understand dependencies: anticipate the impact and consider coordinated and blended attacks [1]. When completed properly, this analysis will result in the identification of a complete and finite number of vulnerabilities for each of the eight ingredients, and therefore for the system as a whole. Figure 5 illustrates the eight ingredients of a communications network, each with a finite number of vulnerabilites. Environment Hardware Human Network Software Payload Vulnerabilities Figure 4. Vulnerabilities of the communications networks. Power Policy Figure 5. Vulnerabilities in the eight ingredients of network reliability and security. 76 Bell Labs Technical Journal DOI: 10.1002/bltj
Threats As stated earlier, threats are attempts to exploit one or more vulnerabilities that can result in damage to communications, but threats are not limited to terrorism or other intentional attacks. Natural disasters (e.g., hurricanes) [3, 14] as well as unintentional human errors continue to attack networks in unforeseen ways. Figure 6 provides a schematic illustration of the relationship of vulnerabilities to threats and the resulting damage. It shows how a threat can be constructed by someone wishing to attack the communications network by leveraging one or more vulnerabilities. Damage to communications takes place when a threat successfully exploits one or more of these vulnerabilities. Figure 7 illustrates how an infinite number of threats, many not currently known, can attempt to exploit a single vulnerability. Figure 8, which follows, illustrates how threats can exploit one or more vulnerabilities of each of the eight ingredients resulting in damage to communications. A blended attack occurs when a single threat exploits multiple vulnerabilities. As an example, Threat 1 is based on exercising a single environmental vulnerability of a system (e.g., unauthorized equipment access). Threat 3 is a blended attack that leverages a combination of network and payload vulnerabilities (e.g., cyber attack). Historically, threat analysis supports decisions involving setting Threat 1 Vulnerability exploited Threat 2 Vulnerabilities exploited Figure 6. Threats, vulnerabilities, and damage. Figure 7. Multiple threats exploiting one vulnerability. DOI: 10.1002/bltj Bell Labs Technical Journal 77
Threat-1 Threat-2 Environment Hardware Threat-3... Human Payload Network Policy Threat-n Power Software Figure 8. Threats leveraging vulnerabilities. defense priorities based on the likelihood of a specific threat occurring. Because of the large number of combinations and permutations of variables, developing an effective security plan based on threats varies in effectiveness it is very efficient when the likelihood of having a commanding knowledge of the only possible threats is high. On the other hand, it is very ineffective if the knowledge of possible threats is less certain. Depending on the risks and consequences, it may be appropriate. The threat-only based approach has as its fundamental weakness the fact that it is either based on hard to obtain intelligence or on a reactive response to previously seen attacks. It is limited in its effectiveness by leaving its user vulnerable to being surprised by an attacker or by being one step behind the creative attacker. The next section discusses an alternative approach, which uses pre-emptive vulnerability analysis in addition to basing response modeling on previously seen threats. Vulnerability Analysis Using the Eight Ingredients As cited earlier, the communications industry utilizes the framework of eight ingredients to provide a structure with which to systematically and rigorously manage the identification of vulnerabilities within the communications industry. Teams of industry experts brainstorm areas of concern and system failures. The outputs of these sessions are categorized into one of the eight ingredients. These outputs are then analyzed by individuals with expertise within each of the specific ingredients 78 Bell Labs Technical Journal DOI: 10.1002/bltj
to develop a finite but comprehensive list of vulnerabilities [8]. The major benefit of systematically addressing the vulnerabilities of a system is that protection is provided for general classes of problems, independent of knowing what the specific threat may be. While the fundamental vulnerabilities of the communications infrastructure can be enumerated in a controlled manner, the number of threats that can exercise those vulnerabilities are infinite and are constantly changing. As noted well in [13], One fact dominates all homeland security assessments: terrorists are strategic actors. They choose their targets deliberately based on the weaknesses they observe in our defenses and our preparedness. We must defend ourselves against a wide range of means and methods of attack. Our enemies are working to obtain chemical, biological, radiological, and nuclear weapons for the purpose of wreaking unprecedented damage on America. Terrorism depends on surprise. With it, a terrorist attack has the potential to do massive damage to an unwitting and unprepared target. By addressing classes of problems with the identification of best practices, these new threats, regardless of the source, are eliminated. As shown in Figure 9, the implementation of best practices eliminates or disables the vulnerability, thereby rendering ineffective the threats attempting to exercise that vulnerability. Threat Network Software Figure 9. Vulnerability removal prevents damage. The vulnerability-based approach is not an exclusive strategy. This approach is intended to be used in addition to traditional threat-based approaches, and is consistent with the President s National Strategy for Homeland Security [12, 13]. The primary lesson learned is that threats and their probability of being exercised continue to change and evolve. The industry s response to these changes should take place in a timely fashion, but such responses are no substitute for proactive, systematic coverage of vulnerabilities within the communications infrastructure as we cannot predict how threats will evolve. The need to proactively address vulnerabilities rather than just focusing on previously seen attacks is clearly demonstrated in security, a unique area of reliability. While reliability was once only measured in terms of the availability of the network and the ability of information to traverse the network successfully, the openness of today s network puts even the reliability of the transmitted information at risk. This has made security of the network an inseparable component of overall reliability. Security is difficult to measure since network administrators may not even be aware that an attack is under way or has occurred previously. Undetected attacks may steal information or gain access to networks. Protecting against only previously seen attacks would not help protect against undetected attacks. Analyzing and addressing system vulnerabilities would close holes that undetected attacks may be exploiting. Conclusion The systematic identification of the vulnerabilities within the communications infrastructure was an historic undertaking and accomplishment. While it is essential to utilize multiple approaches to protect communications infrastructure, the vulnerability analysis approach is fundamentally distinct from the traditional threat-based protection methods. A threat-based approach is based on knowledge of the things or people that threaten the network and what drives them. While engineers do not know what drives a terrorist, they do know the equipment DOI: 10.1002/bltj Bell Labs Technical Journal 79
that composes the network and what vulnerabilities it may have. Vulnerability analysis utilizes that knowledge to protect against unimagined and unknown attacks. By identifying the finite number of vulnerabilities within a system, we can effectively protect the communications network from threats we have already seen, and from those that we have not yet seen. The eight ingredients of communications infrastructure have been successfully used over the past several years by various corporations, and national and government advisory groups. These groups were chartered to analyze the performance of the network and provide guidance on improving network reliability and performance. Hundreds of best practices have been developed with this method. They now stand as the most authoritative collection of guidance for the industry, developed by the industry, in the areas of reliability, interoperability, physical security, cyber security, and emergency. These best practices have been recognized both domestically and internationally as a cornerstone in the reliable and secure operation of communications networks. The development of these best practices has its foundation in the use of the eight ingredients and has affirmed that the eight ingredients provide comprehensive coverage of the nation s most critical infrastructure. Acknowledgements The authors wish to thank all of the dedicated participants of numerous industry-government fora for dedicated contributions to the advancing the reliability and security of public communications networks. References [1] Federal Commission, Report and Order and Further Notice of Proposed Rulemaking, Revision of the Commission s Rules to Ensure Compatibility With Enhanced 911 Emergency Calling Systems, FCC 96-264, adopted June 12, 1996, p. 8. [2] A. Macwan, Approach for Identification and Analysis of Human Vulnerabilities in Protecting Telecommunications Infrastructure, Bell Labs Tech. J., 9:2 (2004), 85 89. [3] B. L. Malone III, Wireless Search and Rescue: Concepts for Improved Capabilities, Bell Labs Tech. J., 9:2 (2004), 34 49. [4] National Security Telecommunications Advisory Committee, Next Generation Networks Task Force Report, 2006, <http://www.ncs.gov/ nstac/reports/2006/nstac%20next% 20Generation%20Networks%20Task% 20Force%20Report.pdf>. [5] Network Reliability and Interoperability Council, <http://www.nric.org>. [6] Network Reliability and Interoperability Council VI, Homeland Security Physical Security (Focus Group 1A) Prevention Report, Issue 1, Dec. 2002, p. 27, <http://www.nric.org/ fg/nricvifg.html>. [7] Network Reliability and Interoperability Council VI, Homeland Security Physical Security (Focus Group 1A) Prevention and Restoration Report, Issue 2, Mar. 2003, pp. 27, 41, <http:// www.nric.org/fg/nricvifg.html>. [8] Network Reliability and Interoperability Council VI, Homeland Security Physical Security (Focus Group 1A) Final Report, Issue 3, Dec. 2003, <http://www.nric.org/fg/nricvifg.html>. [9] Network Reliability and Interoperability Council VII, Focus Group 3A Wireless Network Reliability Final Report, Issue 3, Sept. 2005, <http://www.nric.org/fg/index.html>. [10] Network Reliability and Interoperability Council VII, Focus Group 3B Public Data Network Reliability Final Report, Issue 3, Sept. 2005, <http://www.nric.org/fg/index.html>. [11] K. F. Rauscher, Protecting Infrastructure, Bell Labs Tech. J., 9:2 (2004), 1 4. [12] United States, Department of Homeland Security, Strategic Plan, Feb. 23, 2004, <http://www.dhs.gov/interweb/assetlibrary/ DHS_StratPlan_FINAL_spread.pdf>. [13] United States, Office of Homeland Security, National Strategy for Homeland Security, July 2002, <http://www.dhs.gov/interweb/ assetlibrary/nat_strat_hls.pdf>. [14] United States, Office of Homeland Security, National Strategy for Homeland Security, July 2002, pp. vii viii, <http://www.dhs.gov/ interweb/assetlibrary/nat_strat_hls.pdf>. [15] Wireless Emergency Response Team, Wireless Emergency Response Team (WERT) Final Report for the September 11, 2001 New York City World Trade Center Terrorist Attack, WERT, Oct. 2001, <http://www.werthelp.org/wert-final-report.pdf>. (Manuscript approved May 2006) 80 Bell Labs Technical Journal DOI: 10.1002/bltj
KARL F. RAUSCHER, a Bell Labs Fellow and executive director of the Bell Labs Network Reliability and Security Office in Washington, D.C., has provided leadership for numerous critical government-industry fora, including the IEEE Quality and Reliability (CQR) Council, the Network Reliability Steering Committee (NRSC), the Network Reliability and Interoperability Council (NRIC), and the National Security Telecommunications Advisory Committee (NSTAC). He has been an adviser for network reliability issues on five continents and has served as an expert witness for the U.S. Congress Select Committee on Homeland Security regarding the Power Blackout of 2004. He is also the president of the non-profit Wireless Emergency Response Team (WERT) that conducts search and rescue efforts using advanced wireless technology. He holds a bachelor of science degree in electrical engineering from Penn State University in University Park, Pennsylvania, a master s degree in electrical engineering from Rutgers University in New Brunswick, New Jersey; and a Master s degree in biblical studies from the Dallas Theological Seminary in Texas. manager, he was a distinguished member of technical staff in software feature development, systems engineering, and network architecture for communications systems, and for 10 years he served as an architecture manager for Lucent s ADSL, cable TV, and fiber-to-the-home broadband platforms. He has been awarded four U.S. patents and has multiple publications in the Bell Labs Technical Journal and other industry forums. In the last few years, Mr. Runyon has been an active participant in a number of FCCchartered federal advisory committees. As a member of the Network Reliability Steering Committee (NRSC), he has provided leadership in five significant studies on network outages. Mr. Runyon is a member of IEEE, a member and administrator for several Network Reliability and Interoperability Council (NRIC) focus groups, and serves as manager for the NRIC Best Practice Web site. RICHARD E. KROCK is a member of technical staff in the Services Technology department at Lucent Worldwide Services in Lisle, Illinois. His responsibilities include the analysis of network outages and the identification and implementation of countermeasures. He has been an active member of the past two Network Reliability and Interpretability Councils and has led various sub-teams related to power. He has provided consulting on emergency preparedness/disaster recovery both domestically and internationally, and also represents Lucent at the Telecom Information Sharing and Analysis Center, part of the National Coordinating Center for Telecommunications. Mr. Krock holds a B.S. degree in electrical engineering from Valparaiso University in Indiana and an M.B.A in telecommunications from Illinois Institute of Technology in Chicago. He is also a licensed professional engineer. JAMES P. RUNYON is a technical manager in the Network Reliability Office at Bell Labs in Naperville, Illinois. He holds a B.S. degree in chemistry from Taylor University in Upland, Indiana, and an M.S. degree in computer science from the University of Wisconsin in Milwaukee. Prior to becoming technical DOI: 10.1002/bltj Bell Labs Technical Journal 81