Do Not Dig Here

Apr 1, 2007 12:00 PM, By Sandra Kay Miller

Communications have become dependent upon fiber-optic networks traversing the globe. Whether it's billions of dollars worth of business or government and public agencies, fiber-optic networks have become the technological workhorse of modern society. Security concerns related to fiber-optic networks are less with a hacker's ability to breach the optical networks than with the practical side of physical vulnerabilities of the country's fiber infrastructure, and with the prospect of carrier bandwidth outpacing the security effectiveness of existing technologies.

Despite their critical importance, security concerns and measures are only beginning to be publicly addressed in both best practices and commercially available security products designed to protect optical infrastructure.

“I think the commercial market is starting to recognize the requirement for securing fiber-optic networks,” says Andy Solterbeck, vice president of the Data Protection Business Unit at SafeNet, a Belcamp, Md.-based security vendor who has witnessed an increase of activity in the effort to secure fiber-optic networks.

According to Solterbeck, large-scale enterprises have been the early adopters of fiber security solutions, but he is noticing a contrast starting to occur between the bandwidth capabilities supplied by the carriers and the ability to actually secure it. “Our first 40GB units are going to be shipped by the end of this year, but we're already talking about 100GB environments at the middle to the end of next year. Right now, there's no way of securing that,” he explained.

There is also plenty of evidence that fiber-optic infrastructure security is largely ignored.

Take for instance the Federal Plan for Cyber Security and Information Assurance, which was published in April 2006 by the Interagency Working Group (IWG) on Cyber Security and Information Assurance (CSIA), an organization under the National Science and Technology Council (NSTC). Science Advisor to President Bush and NSTC Director John H. Marburger III commended the plan for addressing the country's cyber-security priorities. Although the plan states, “Media accounts of cyber misbehavior and crime have had a positive impact, in that they have raised public awareness of security issues and useful protective measures and have spurred vendors of software and Internet services to improve their products,” nowhere in the 140-page document is the security of the nation's fiber-optic infrastructure addressed.

Likewise, the U.S. Cyber Consequences Unit (US-CCU), an independent research group that delivers information about the consequences of cyber-attacks and evaluations regarding the cost-effectiveness of countermeasures to the Department of Homeland Security excluded fiber-optic infrastructure from its proposed 478-question checklist of cyber-security that covered six major categories including hardware, software, networks, automation, suppliers and people. Scott Borg, director of the US-CCU, has not excluded the option to add fiber infrastructure security issues to the checklist in future drafts.

Why does it appear there is no significant effort being made to secure the nation's fiber infrastructure? One person with an answer is Bernard K. Skoch, Brigadier General, USAF (Retired) and Executive Vice President with Suss Consulting Inc. Skoch has more than two decades' experience developing, managing and deploying communications and information systems for the United States Air Force and the Defense Information Systems Agency (DISA). During his service with the USAF, he served as Director of Mission Systems, Director of Communications Operations, and Director of Chief Information Officer Support where he was responsible for aligning information technology systems with business process improvements.

Skoch boiled it all down to money and risk. “What businesses and government have to do is look at what kind of return they get on investments they make. Clearly, if the requirement is strong enough, the budget will flow. If the requirement is not as strong, the budget doesn't flow. So if there were unlimited budget — and there never is — they would do everything they want to and clearly, fiber security would be increased. But as every enterprise operates in a budget-constrained environment, they have to make the trade, they have to make the tough choices and they address the problems that present the greatest risk.”

With all the high-profile attacks and vulnerabilities such as wireless security, password management, internal theft of data, unsecured portable storage devices and malware, organizations are faced with a finite amount of money on which to fend off legitimate threats. “The question becomes: Is that where the greatest risk is? I think that's what people have to decide and it's not an easy choice,” says Skoch.

What worries Skoch more than someone tapping into an optical cable and trying to steal data is the move to convert everything to IP-based networks running over fiber. “Once you start shipping that volume of data over one medium, are you not exposing billions and I suspect now trillions on a global scale, of dollars a day on a global economy to one coordinated attack?” he questions.

By an attack, Skoch means an actual physical attack upon the fiber infrastructure. “There are signs along the highway that say, ‘Do Not Dig Here: Fiber Optic Cable’. Someone doesn't have to have the need or desire to exploit the information to do harm. They could drive down the highway, see the signs, go get a backhoe and wreak havoc. To me, that is the vulnerability.”

Skoch likened the interruption in the fiber-optic network to that of the airlines' ripple effect when there are delays — one event can create a huge impact throughout the entire system. As an information-dependent society, any interruption in the flow of information becomes a serious issue. “It's not that someone wants to exploit that information and learn what we're doing, but they know that we are an information-enabled world and the bad actors in the world — those who are seeking to wage some asymmetric war on us — they're not going to come at us with a direct attack. They know that we are dependent on information and that's what I worry about. I'm not worried about someone sniffing traffic or learning about what someone else is doing at the core layer of the network. But I worry about someone shutting down the core layer of the network by finding and coordinating an opportunity to go and dig up a bunch of fiber-optic cables,” said Skoch.

To mitigate an interruption in the fiber infrastructure, much of the fiber in the United States is configured for redundancy. According to Ron Martin, vice president of service provider development for optical networking at Cisco Systems, if there is a break in a cable or hardware failure, communications are rerouted instantaneously through an alternate path with only milliseconds of disruption. However, there are still a number of places throughout the country left with fiber-optic choke points due to carriers' failure to follow through on installing redundancy in their networks when the dot-com bubble left them in bankruptcy.

This brings us right back to the financial constraints. Carriers' business models have become extremely lean due to slim profit margins, which means there is little capital being allocated for items viewed as discretionary. “Securing the core backbone for any particular vendor to the degree that would satisfy anyone who has a sensitivity to risk would require a significant investment,” said Skoch, “It's competing with what needs to be done to best fulfill the needs of the shareholders. Carriers need to make difficult decisions in order to provide a credible return to investors.”

However, until a calamitous event or a high-profile attack against the fiber system occurs, budgetary allocations are going to be directed toward what provides the best bang for the buck. Right now, that does not include proactive security for the nation's fiber-optic infrastructure.

Want to use this article? Click here for options!
© 2012 Penton Media Inc.

This month in Access Control

• Targeting The Customer
• Electronic Pedigrees
• One Hero Among Many
• Who? What? When? Where? Why?
• More from September's issue