Securing the Hastily Formed Network: Infosec for Disaster Relief and Emergency Response

Effectively responding to modern disasters and humanitarian emergencies requires a substantial amount of connectivity. Whether for cloud, social media, GIS, or other critical access, emergency managers increasingly rely upon Internet access as a key service alongside traditional emergency and humanitarian support, such as search and rescue and medical support. "Hastily Formed Networks" are the networks that are created in the immediate aftermath of a disaster. While they perform vital services, most HFN deployments are significantly lacking in security management and oversight. This talk discussed HFNs, and the evolution of security on these networks using examples from Hurricane Katrina to the ongoing Ebola Virus crisis in West Africa.

Published in: Technology


  1. Securing the Hastily Formed Network: Infosec for Disaster Relief and Emergency Response. Cisco Tactical Operations, www.cisco.com/go/tacops, @CiscoTACOPS, April 2015.
  2. Agenda: Introductions; The Hastily Formed Network; HFN Examples; Infosec and HFNs; Cyberattacks and Countermeasures; Conclusion…
  3. Cisco Public. © 2013-2014 Cisco and/or its affiliates. All rights reserved. Introductions
  4. Emergency Response – Cisco TACOPS: Dedicated crisis response team that establishes emergency networks after a disaster. TacOps personnel skills include: Technical Expertise; Planning, Logistics and Operations; Trained First Responders (Fire, EMS); Military Service.
  5. Cisco Tactical Operations: Emergency Responses (* = NERV / ECU Deployed) • 2005 – Hurricane Katrina (LA) • 2007 – Harris Fire (San Diego, CA) * • 2008 – Evans Road Fire (NC) * • 2008 – Cedar Rapids Floods (IA) * • 2008 – Hurricane Gustav (LA) * • 2008 – Hurricane Ike (TX) * • 2009 – Morgan Hill Fiber Cut (CA) * • 2010 – Earthquake (Haiti) • 2010 – Plane Crash (Palo Alto, CA) * • 2010 – Four Mile Canyon Fire (CO) • 2010 – Operation Verdict (Oakland, CA) * • 2010 – Earthquake (Christchurch, NZ) • 2010 – Gas Pipeline Explosion (San Bruno, CA) * • 2011 – Flooding (Queensland, AU) • 2011 – Tornados (Raleigh, NC) * • 2011 – Tornados (AL) * • 2011 – Tornado (Joplin, MO) • 2011 – Tornado (Goderich, Ontario) • 2011 – Flooding (Brazil) • 2011 – Earthquake and Tsunami (Japan) • 2012 – Dadaab Refugee Camp (Kenya) • 2012 – Waldo Canyon Fire (CO) * • 2012 – Hurricane Sandy (NY / NJ) * • 2013 – Boston Marathon Explosion (MA) • 2013 – Fertilizer Plant Explosion (West, TX) * • 2013 – Tornado (Moore, OK) * • 2013 – St. Mary’s College Fire (Leyland, UK) • 2013 – Navy Yard Shooting (Washington, DC) • 2013 – Typhoon Haiyan / Yolanda (Philippines) • 2014 – Carlton Complex Fire (WA) * • 2014 – King Fire (CA) • 2014 – Ebola virus crisis (West Africa) • 2015 – Cyclone Pam (Vanuatu)
  6. The Hastily Formed Network
  7. All Crisis Responders Share the Same Problem: How to deliver the right information in the right format to the right person at the right time on the right device? (Public Safety; Defense; National, State & Local Government; Healthcare; Critical Infrastructure; Transportation; NGOs/VOADs/International Orgs)
  8. The Need for Technology in Disaster is Increasing: Radio, phone → Radio + Integrated Data; Single device → Any Device (BYOD); Voice only → Voice, Video, Data; Closed teams → Open collaboration; Command centric → In the field, social media, everyone; Fixed locations → Deployable anywhere. Goal: Mission workflow and productivity benefits to save lives and speed recovery.
  9. Typical ICT Challenges In Disaster: Information and Computing Technologies (ICT) are needed but overwhelmed… Lack of power; Degraded telephony infrastructure; Degraded Push-to-Talk Radio, lack of interoperability; Oversubscribed services; Limited Internet access; Few IT resources; Lack of trained staff; Lack of information security & management.
  10. Solution: Hastily Formed Networks (HFN), “Instant Emergency Networks”. HFNs are portable, IP-based networks that are deployed in emergencies when normal communications has been disabled or destroyed. Enable on-scene and remote responders to share situational awareness, coordinate operations, establish command and control. Communicate within the affected area as well as to the outside world.
  11. HFNs: What They Are. Portable: mobile, rolling kit, easily moved with few personnel. Rapidly deployable: pre-configured, set up with minimal training. Interim: typically decommissioned once pre-event communications are restored. Based on: WiFi/VSAT/WiMAX/etc.
  12. HFN Examples
  13. HFN Example: 2010 Haiti Quake. Diagram labels: NPS HFN Team Haiti Network; USNS COMFORT; Airport; VSAT/BGAN Satellite; WiMAX Point-to-Point; WiFi Mesh; WiFi Access Point.
  14. Cisco NERV Architecture. Diagram labels: DMVPN/FW Router 3925; Core Router 3945; Wireless Controller; IPICS (HF, UHF, VHF); IP Phone 7970/9971; Video Conferencing (C40); Wireless Mesh APs 1550; Inside Wireless AP 3600; Wireless IP Phone; Video Surveillance Cameras; Ironport WSA; Access Switch; Satellite Modem; Ku-band VSAT; Internet; Cisco San Jose, CA; Raleigh, NC.
  15. HFN Example: 2014-2015 Ebola Crisis. Deploying cloud-managed security at the satellite hub in Europe created effective security without having local infosec in remote areas! Hundreds of unmanaged, poorly patched hosts, risks mitigated (BYODD). Diagram labels: 20x remote locations… Sierra Leone, Liberia (ETUs, clinics, etc.); Primary; Secondary; Meraki MX80; HSRP; Juniper FW; Internet Upstream.
  16. Infosec and HFNs
  17. Security: What are We Really Trying to Do? Protect the mission. Keep bad things out. Keep critical services running. Know what’s happening on the network and devices. Balance security and access. Get it right every time. (Diagram labels: Inside; Outside.)
  18. Myth Busting: Information Security in a Disaster. Assumption: “In a crisis network, I need to get deployed quickly. I don’t have time or the resources to secure the network!” Reality: All HFN networks should be pre-planned – plan and build your security into your infrastructure!
  19. HFNs Use the Same Basic Infosec Assumptions. Least-privilege access: Users, devices, systems are given minimal access given the crisis environment (advanced AAA solutions, etc. may not be available!). Threats may come from anywhere in the network. Simplicity: Once initially configured, the security architecture should establish itself without requiring any additional work from personnel who already have too much to do. Defense-in-Depth: No single security feature or technology can mitigate the range of possible threats. On-scene staff may have little/no security background. Acceptable Use Policies, Incident Response may be undefined.
  20. Managing Infosec In Emergencies. Hastily formed networks (HFN) often overlook security – no such thing as a CSO in a disaster. A huge risk for first responders. TACOPS capabilities have integrated security at multiple levels to protect supported orgs: firewall, VPN, IDS/IPS, etc. Important to have buy-in from COML/agency support!
  21. HFN Security Starts With the Physical. You’re going into a disaster zone! “Force Protection”; Physical security of equipment; Logistics; Intelligence; Health and Safety.
  22. Layer 7 Inspection / Deep Packet Inspection For Granular Control. Ironport or Meraki for Layer 7 inspection, blacklisting/whitelisting, QoS, b/w management. Enhances BYODD security, preserves satellite bandwidth. “Enable Facebook (because social media is important in a disaster!) but not P2P.” Throttle software updates!
  23. DoS is the Primary Security Concern with Satellite. Satellite is often the only way to get broadband data in a disaster. The “thin sippy straw” – b/w from 128kbps – 5mbps (typical Ku VSAT system). Protect your satellite bandwidth at all costs! Malicious traffic: botnets, zombies, proxies, DDoS flooding traffic. Inappropriate use …? YouTube; BitTorrent / P2P; adult content.
  24. Example: NetHope Ebola Response Network
  25. A Real World Security Incident… Once upon a time… the NERV had a flat, open network. Evans Road Fire in North Carolina. Firefighter’s laptop came onto the NERV pre-infected – DDoS zombie w/spoofed SRC IP. Created DoS condition on the satellite uplink.
  26. …Had Us Reevaluate Access. Designed for differentiated access in an easy-to-deploy fashion. “Untrusted” VLANs: open WiFi, certain networks such as those external to the NERV or kits (patch panel) – access to the Internet only. “Trusted” VLANs have open access to servers, vehicle-based resources, etc. Requires you to have physical access to vehicle/kit. (Caption: Optical & copper patch panels allow only limited access.)
  28. Our HFN Firewall Strategy – One Policy, Everywhere. Each “unit” is responsible for its own firewall. Each policy is the same. Inbound IOS firewall, BOGON filters. Egress Internet-only from “untrusted” networks. Egress “sanity checking” filters for spoofed outbound traffic. Layer 7 inspection + Layer 3. (Diagram labels: Internet; ASA Firewall; ASA Firewall; Field Units; San Jose, CA; Raleigh, NC.)
  29. Carlton Complex Fire, WA 2014. Supported 673 devices on a mesh network supporting fire operations. FEMA: “This was the first documented cyberattack against a first responder attack surface”. Real-time reporting enables real-time response.
  30. Wrapping up…
  31. Security and HFNs Aren’t Mutually Exclusive. You will be (or already have been!) attacked. (Not a surprise to security people, but responders.) We’ve not yet seen targeted attacks, but certainly possible (see Missouri State Hwy Patrol Command truck incident, Ferguson MO, 2014, Syrian Electronic Army etc.). Infosec in disaster relief and humanitarian operations is underappreciated. If you use data, you must consider security. Best practice recommendations submitted to FEMA and United Nations. Who establishes infosec policies, investigates incidents, etc.? What about mutual aid scenarios where you have multiple agencies sharing the same network? It can be done. This is a responder safety issue. Failing to secure HFNs leaves already vulnerable people exposed.
  32. Connect With Us! On Cisco.com: www.cisco.com/go/tacops. Cisco CSR Reporting: csr.cisco.com -> “Critical human needs”. Facebook: facebook.com/cisco.tacops. Slideshare: slideshare.net/CiscoTACOPS. Twitter: @CiscoTACOPS.
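
The access rules from slides 25, 26 and 28 (bogon filtering inbound, Internet-only egress for "untrusted" VLANs, and egress "sanity checking" for spoofed sources), modelled as an added Python example that is not part of the original deck or Cisco's configuration. The VLAN prefixes, the partial bogon list, the function names and the sample packets are assumptions made for illustration.

```python
import ipaddress as ip

# Assumed addressing for one field unit (constructed, not from the slides).
TRUSTED = ip.ip_network("10.10.0.0/24")    # servers, vehicle-based resources
UNTRUSTED = ip.ip_network("10.20.0.0/24")  # open WiFi, patch-panel networks
LOCAL = (TRUSTED, UNTRUSTED)

# Partial bogon list: sources that should never arrive from the Internet.
BOGONS = [ip.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4")]

def decide(ingress, src, dst):
    """Return (action, reason) for a packet entering on `ingress`
    ('internet', 'trusted' or 'untrusted')."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    if ingress == "internet":
        if any(src in n for n in BOGONS):
            return ("drop", "bogon source")
        return ("inspect", "stateful firewall")  # handed to the firewall stage
    vlan = TRUSTED if ingress == "trusted" else UNTRUSTED
    # Egress sanity check: the source must belong to the VLAN it arrived on.
    if src not in vlan:
        return ("drop", "spoofed source")
    internal_dst = any(dst in n for n in LOCAL)
    if ingress == "untrusted" and internal_dst:
        return ("drop", "untrusted is Internet-only")
    return ("permit", "internal" if internal_dst else "internet")

# Constructed sample traffic; 198.51.100.0/24 and 203.0.113.0/24 stand in
# for public Internet addresses.
SAMPLES = [
    ("untrusted", "203.0.113.50", "198.51.100.7"),  # infected laptop, spoofed source
    ("untrusted", "10.20.0.15", "198.51.100.7"),    # ordinary Internet access
    ("untrusted", "10.20.0.15", "10.10.0.5"),       # guest reaching for a server
    ("trusted", "10.10.0.8", "10.10.0.5"),          # staff to vehicle server
    ("internet", "10.1.2.3", "10.20.0.15"),         # bogon arriving from outside
]

def run_samples():
    """Reason string for each constructed sample, in order."""
    return [decide(*s)[1] for s in SAMPLES]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", decide(*s))
```

The first sample is the Evans Road Fire case: with the egress check in place, the spoofed flood is dropped at the unit before it reaches the satellite uplink.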
