mailing list archives
Re: Points of Failure (was Re: National infrastructure asset)
From: George William Herbert <gherbert () retro com>
Date: Tue, 25 Sep 2001 13:20:25 -0700
>> I know it's difficult to refrain from comment, but let's try to remember
>> that the bad guys read this list too. While they may not have the knowledge
>> of critical communication infrastructure points, they can certainly find and
>> target them if we point them in the right direction.
>
> I'd actually argue the opposite. It's difficult to face this, but we know
> we ARE vulnerable. The important long term solution is that we need to
> address our weaknesses. By acknowledging where the critical points are,
> AND PLANNING TO DEAL WITH THEIR LOSS, we make the system that much harder to

Exactly. The short term situation is we're vulnerable; how do we deal
with those vulnerabilities being exploited (or accidentally exposed).
The long term situation is how do we reduce or eliminate as many of
those as possible.

Part of the insidiousness of all this is that currently there is
insufficient information available to a telco line end user to properly
plan for that sort of loss. Right now, it is nigh-on impossible to
get, verify, and keep on a permanent basis truly widely separated
leased lines / bandwidth from point A to point B. Because of the
increasing cooperation, shared facilities, etc. in the telco and
fiber arenas, with many providers you're really getting someone
else's service for part of the connection. Recall the train tunnel
fire from not that long ago, now seemingly trivial, but at the time
a huge disaster...

On top of that, none of these facilities are sufficiently hardened.
What takes a backhoe operator ten minutes by accident would be no more
than an hour's work by hand of a sufficiently educated attacker.
None of these telco buildings are hardened in the traditional
anti-terrorist sense of the word. There are still co-loc facilities
in buildings shared with offices of unrelated companies, etc.,
there are still co-loc facilities in buildings with windows into
server rooms, etc. I could go on but will stop now. The situation
is hopeless in many areas.

What we have learned and need to deal with is that we are, and will
remain for the foreseeable future, vulnerable to large chunks of
"stuff" dropping away, possibly permanently. Be that buildings,
bandwidth, higher level protocols, the immediate response has to
be to be prepared to replace or route around something. And by that
I mean *anything*. If your NOC burns down or is blown up (or hit by
a tornado, knock on wood...) do you have adequate personnel and facilities
elsewhere to recover your network management? Eliminate all fiber links
from city A to city B, and can your network still function? If all your
facilities in metropolitan area Z all go completely offline, what are
you able to do about it?

Longer term, we all need to think about multi-level hardening of facilities
and connectivity to avoid "cheap kills" due to accident or malicious attack.
This gets into traditional datacenter design issues and beyond, into building
hardening (the new standards for Federal buildings, for example, or even
better the new standards for US Embassies...). This is a bad time for people
who run fiber, but maybe it's a good time for them to consider how they run
that fiber and should run it in the future. Raw cable in shallow trenches
may be in the long term more expensive (if we include accidents, and in
particular vulnerability to intentional attack) than deeper and/or better
protected cables. Using random rights-of-way may be a mistake; it may make
more sense to use ROW which are known and controlled or patrolled to some
degree already. I had brought up the idea of using modern oil-well drilling
technology to go horizontally deep under rivers and city centers a month or
so ago; that also introduces structural hardening against intentional or
accidental attack on the fibers.

The key here is *think* about it. There is probably some bad guy out
there who already is, though he may never decide to execute on those
thoughts on you (or anyone). Try and get to any conclusion he might
first, and at the very least list out your known vulnerabilities at
every level you can think of, so that you can work on reducing them
over time and conceptually be prepared to deal with them even if you
can't afford to do detailed plans for everything that might go wrong.

-george william herbert
gherbert () retro com
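
An added example, not part of the original post: a Python check of the "what if we lose X" questions above, run against a circuit inventory to find shared facilities that defeat supposedly separate leased lines. The circuit names, facility names and topology are constructed, and it assumes you know which physical facilities each circuit traverses, which the post notes is hard to obtain.

```python
from collections import defaultdict

# Constructed inventory: (circuit, end A, end B, physical facilities traversed).
# Two carriers sell "diverse" A-B circuits that both ride the same rail tunnel.
LINKS = [
    ("carrier1-AB", "A", "B", {"rail-tunnel", "conduit-12"}),
    ("carrier2-AB", "A", "B", {"rail-tunnel", "conduit-40"}),
    ("carrier3-AC", "A", "C", {"conduit-7"}),
    ("carrier3-CB", "C", "B", {"conduit-9"}),
]

def reachable(links, start):
    """Return every site reachable from start over the given circuits."""
    adj = defaultdict(set)
    for _, a, b, _ in links:
        adj[a].add(b)
        adj[b].add(a)
    seen, stack = {start}, [start]
    while stack:
        for nxt in adj[stack.pop()] - seen:
            seen.add(nxt)
            stack.append(nxt)
    return seen

def survives(links, src, dst, lost_facilities=(), lost_sites=()):
    """True if src can still reach dst after the listed losses."""
    lost_f, lost_s = set(lost_facilities), set(lost_sites)
    if src in lost_s or dst in lost_s:
        return False
    alive = [l for l in links
             if not (l[3] & lost_f) and l[1] not in lost_s and l[2] not in lost_s]
    return dst in reachable(alive, src)

def single_points_of_failure(links, src, dst):
    """Facilities whose loss alone disconnects src from dst."""
    facilities = set().union(*(l[3] for l in links))
    return sorted(f for f in facilities if not survives(links, src, dst, [f]))

if __name__ == "__main__":
    print("two 'diverse' circuits only:", single_points_of_failure(LINKS[:2], "A", "B"))
    print("with the path via C:", single_points_of_failure(LINKS, "A", "B"))
    print("tunnel and site C both lost:",
          survives(LINKS, "A", "B", ["rail-tunnel"], ["C"]))
```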