Securing Humanitarian Connectivity
Rakesh Bharania
Cisco Tactical Operations
www.cisco.com/go/tacops
@CiscoTACOPS
November 2015
Cybersecurity for Disaster Relief and Emergency Response Field Operations.
Agenda:
Introductions
Recent Humanitarian Security Incidents
Managing Cybersecurity in Humanitarian Field Operations
Cisco Public 3© 2013-2014 Cisco and/or its affiliates. All rights reserved.
Introductions
Emergency Response – Cisco TACOPS
Dedicated crisis response team that establishes emergency networks after a disaster
TacOps personnel skills include:
Technical Expertise
Planning, Logistics and Operations
Trained First Responders (Fire, EMS)
Military Service
Cisco Tactical Operations: Emergency Responses
• 2005 – Hurricane Katrina (LA)
• 2007 – Harris Fire (San Diego, CA) *
• 2008 – Evans Road Fire (NC) *
• 2008 – Cedar Rapids Floods (IA) *
• 2008 – Hurricane Gustav (LA) *
• 2008 – Hurricane Ike (TX) *
• 2009 – Morgan Hill Fiber Cut (CA) *
• 2010 – Earthquake (Haiti)
• 2010 – Plane Crash (Palo Alto, CA) *
• 2010 – Four Mile Canyon Fire (CO)
• 2010 – Operation Verdict (Oakland, CA) *
• 2010 – Earthquake (Christchurch, NZ)
• 2010 – Gas Pipeline Explosion (San Bruno, CA) *
• 2011 – Flooding (Queensland, AU)
• 2011 – Tornados (Raleigh, NC) *
• 2011 – Tornados (AL) *
• 2011 – Tornado (Joplin, MO)
• 2011 – Tornado (Goderich, Ontario)
• 2011 – Flooding (Brazil)
• 2011 – Earthquake and Tsunami (Japan)
• 2012 – Dadaab Refugee Camp (Kenya)
• 2012 – Waldo Canyon Fire (CO) *
• 2012 – Hurricane Sandy (NY / NJ) *
• 2013 – Boston Marathon Explosion (MA)
• 2013 – Fertilizer Plant Explosion (West, TX) *
• 2013 – Tornado (Moore, OK) *
• 2013 – St. Mary’s College Fire (Leyland, UK)
• 2013 – Navy Yard Shooting (Washington, DC)
• 2013 – Typhoon Haiyan / Yolanda (Philippines)
• 2014 – Carlton Complex Fire (WA) *
• 2014 – King Fire (CA)
• 2014 – Ebola virus crisis (West Africa)
• 2015 – Cyclone Pam (Vanuatu)
• 2015 – Earthquake (Nepal)
* = NERV / ECU Deployed
Recent Humanitarian Security Incidents
Example 1: Carlton Complex Fire
United States - 2014
Record-breaking fire in Washington State, USA.
Deployed emergency networks with security management to protect firefighters and other emergency workers.
Across our networks, we supported over 673 unique devices and transferred 60+ GB of data. This was the first time we deployed active cyber protections for responders.
We were able to detect and mitigate 30+ “high risk attacks” against first responders over the course of one week.
FEMA: “This was the first documented cyberattack against a first responder attack surface”
Cyberattacks against responders: practical realities
Carlton Complex Fire, WA 2014
Supported 673 devices on a mesh network supporting fire operations.
Example 2: Ebola Virus Crisis
West Africa – 2014-15
Cisco participated in the ERCI partnership, but also provided direct cybersecurity support to a NetHope VSAT network providing connectivity to 20 ETUs etc. in Sierra Leone and Liberia.
Primary concern was inappropriate use of the network by workers in the field: BitTorrent and other high-bandwidth apps consuming donated VSAT bandwidth, resulting in high cost to NetHope and members.
Malware and other sites also of concern.
Example: 2014-2015 Ebola Crisis
Deploying cloud-managed security at the satellite hub in Europe created effective security without having local infosec in remote areas!
Hundreds of unmanaged, poorly patched hosts, risks mitigated (BYODD)
[Network diagram labels: 20x remote locations in Sierra Leone and Liberia (ETUs, clinics, etc.); Primary; Secondary; Meraki MX80; Upstream HSRP; Juniper FW; Internet]
Cybersecurity Implementation: NetHope Ebola Response Network
Example 3: Gorkha Earthquake
Nepal - 2015
NetHope deployed Cisco RRK at the Humanitarian Staging Area in Kathmandu.
Detected & isolated compromised responder laptops (confirmed malware) – disrupted botnet C2 channels.
Attacks included: Win32/Mudrop, Win32/Dyre, several Adobe Flash buffer overflows, DNS-based attacks.
Example: Nepal Earthquake (Humanitarian Staging Area, Kathmandu)
TeamSpy in Nepal: Targeted cyberattack against humanitarians?
Evidence of TeamSpy malware detected by Cisco RRK at HSA in Nepal.
Low infection rate, targeted victims based on geopolitical motive.
In our case, C2 hosts in Germany (but doesn’t mean attackers are in or from Germany).
Reinforces immediate need for advanced malware protection for field responders.
Right Now: Syrian Refugee Crisis
Middle East / Europe – 2011-2015
Since outbreak of conflict, humanitarian organizations have been one of the primary victims of a complex cyberwarfare campaign.
Fatalities resulting from cyber incidents have been documented by FireEye / CitizenLab / University of Toronto.
The ongoing threat is advanced, persistent and unlike anything most NH members have dealt with to date.
Security and Humanitarians
“Just because you’re doing good for the world doesn’t mean the bad guys are going to leave you alone.”
Consider: Humanitarian organizations may have security functions and processes that work back in the home office, but rarely work in the field. Obvious weak point for attack.
Cybersecurity In Humanitarian Field Operations
Typical ICT Challenges In Disaster/Humanitarian Ops
• Information and Computing Technologies (ICT) are needed but overwhelmed…
– Lack of power
– Degraded telephony infrastructure
– Degraded Push-to-Talk Radio, Lack of interoperability
– Oversubscribed services
– Limited Internet access
– Few IT resources
– Lack of trained staff
– Lack of Information security & management
Security: What are We Really Trying to Do?
Protect the mission
Protect the vulnerable
Keep bad things out.
Keep critical services running
Know what’s happening on the network and devices
Balance security and access
Get it right every time.
[Diagram labels: Inside, Outside]
Myth Busting: Information Security in a Crisis
Assumption: “In a crisis network, I need to get deployed quickly. I don’t have time or the resources to secure the network!”
Reality: All field networks should be pre-planned! Plan and build your security and process into your infrastructure!
Dumb Pipes
• Most field ICT deployments have a VSAT or other ISP connected to a network.
• Network is typically unmanaged at that point.
– Firewall Logs not reviewed
– Software updates not managed
– QoS/Traffic Shaping not applied
– “I have a firewall, so I’m secure, right?”
Cybersecurity is a lifecycle problem
Challenge: How can this work in the field, where you are most vulnerable?
HFNs Use the Same Basic Infosec Assumptions
Least-privilege access: Users, devices, systems are given minimal access given the crisis environment (advanced AAA solutions, etc. may not be available!)
Threats may come from anywhere in the network.
Simplicity: Once initially configured, the security architecture should establish itself without requiring any additional work from personnel who already have too much to do.
Defense-in-Depth: No single security feature or technology can mitigate the range of possible threats.
On-scene staff may have little/no security background.
Acceptable Use Policies, Incident Response may be undefined.
HFN Security Starts With the Physical
You’re going into a disaster zone!
“Force Protection”
Physical security of equipment
Logistics
Intelligence
Health and Safety
Managing Infosec In Emergencies
Hastily formed networks (HFN) often overlook security – no such thing as a CSO in a disaster.
A huge risk for first responders.
TACOPS capabilities have integrated security at multiple levels to protect supported orgs: firewall, VPN, IDS/IPS, etc.
Important to have buy-in from agency support!
First steps: assess risks, determine policy and posture
Layer 7 Inspection / Deep Packet Inspection For Granular Control
Ironport or Meraki for Layer 7 inspection, blacklisting/whitelisting, QoS, b/w management
Enhances BYODD security, preserves satellite bandwidth.
“Enable Facebook (because social media is important in a disaster!) but not P2P.”
Throttle software updates!
Satellite Cybersecurity – Underappreciated Vulnerability
Satellite is often the only way to get broadband data in a disaster.
Protect your satellite bandwidth at all costs!
Numerous reports of vulnerabilities in satellite HW/SW.
Malicious traffic
• Botnets, Zombies, proxies, DDoS flooding traffic.
Inappropriate use …?
• YouTube
• BitTorrent / P2P
• Adult content
GVF Security Baselines released in 2014 – 2015. Demand compliance by your vendors.
A Real World Security Incident…
Once upon a time… the NERV had a flat, open network.
Evans Road Fire in North Carolina.
Firefighter’s laptop came onto the NERV pre-infected – DDoS zombie w/spoofed SRC IP.
Created DoS condition on the satellite uplink.
…Had Us Reevaluate Access.
Designed for differentiated access in an easy-to-deploy fashion.
“Untrusted” VLANs: open WiFi, certain networks such as those external to the NERV or kits (patch panel) – access to the Internet only.
“Trusted” VLANs have open access to servers, vehicle-based resources, etc. Requires you to have physical access to vehicle/kit.
[Photo caption: Optical & Copper patch panel allow only limited access]
Our HFN Firewall Strategy – One Policy, Everywhere
Each “unit” is responsible for its own firewall
Each policy is the same
Inbound IOS firewall, BOGON filters
Egress Internet-only from “untrusted” networks
Egress “sanity checking” filters for spoofed outbound traffic
Layer 7 inspection + Layer 3
[Diagram labels: Field Units; Internet; ASA Firewall; ASA Firewall; San Jose, CA; Raleigh, NC]
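Added example (not from the original slides, and not Cisco's configuration): a Python model of the Layer 3 rules listed above, run over flows like the Evans Road incident, where a pre-infected laptop sent traffic with spoofed source addresses. The VLAN names, prefixes and sample flows are constructed for illustration; Layer 7 inspection is not modeled.

```python
"""Model of the slide's Layer 3 rules: inbound bogon filter, egress
anti-spoof ("sanity check") filter, and Internet-only untrusted VLANs.
All addressing and flows below are constructed for this example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Source ranges that should never arrive from the Internet side
# (private, loopback, link-local, documentation, multicast, reserved).
BOGONS = [ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24",
    "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4",
)]


@dataclass(frozen=True)
class Vlan:
    prefix: str      # the only source range valid on this VLAN
    trusted: bool    # trusted VLANs may reach internal servers


# Hypothetical addressing plan for one field unit.
INTERNAL = ip_network("10.20.0.0/16")
VLANS = {
    "open-wifi": Vlan("10.20.30.0/24", trusted=False),
    "patch-panel": Vlan("10.20.31.0/24", trusted=False),
    "vehicle": Vlan("10.20.10.0/24", trusted=True),
}


def check_inbound(src):
    """Internet-facing side: drop packets whose source is a bogon."""
    addr = ip_address(src)
    if any(addr in net for net in BOGONS):
        return ("drop", "bogon-source")
    return ("permit", "inbound-ok")  # would continue to the stateful firewall


def check_egress(vlan_name, src, dst):
    """VLAN-facing side, evaluated before NAT and before the uplink."""
    vlan = VLANS.get(vlan_name)
    if vlan is None:
        return ("drop", "unknown-vlan")          # default deny
    s, d = ip_address(src), ip_address(dst)
    # Sanity check: a host can only send from the prefix of its own VLAN.
    if s not in ip_network(vlan.prefix):
        return ("drop", "spoofed-source")
    # Untrusted networks get the Internet and nothing inside the unit.
    if not vlan.trusted and d in INTERNAL:
        return ("drop", "untrusted-internet-only")
    return ("permit", "egress-ok")


def summarize(flows):
    """Sum bytes per verdict reason for (vlan, src, dst, bytes) tuples."""
    totals = {}
    for vlan_name, src, dst, nbytes in flows:
        _, reason = check_egress(vlan_name, src, dst)
        totals[reason] = totals.get(reason, 0) + nbytes
    return totals


# Constructed flows. External hosts use documentation address ranges.
SAMPLE_FLOWS = [
    ("open-wifi", "10.20.30.15", "203.0.113.50", 40_000),   # normal browsing
    ("open-wifi", "192.0.2.77", "198.51.100.9", 900_000),   # zombie, spoofed
    ("open-wifi", "172.16.5.5", "198.51.100.9", 850_000),   # zombie, spoofed
    ("open-wifi", "10.20.30.15", "10.20.10.5", 1_200),      # guest to server
    ("vehicle", "10.20.10.8", "10.20.10.5", 5_000),         # staff to server
    ("vehicle", "10.20.10.8", "203.0.113.50", 20_000),      # staff to Internet
]

if __name__ == "__main__":
    for reason, nbytes in sorted(summarize(SAMPLE_FLOWS).items()):
        print(f"{reason:26} {nbytes:>10} bytes")
```

In this constructed sample the spoofed flows account for most of the offered bytes, and the egress check discards them before they reach the satellite uplink.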
Security Needs to Exist Throughout The Stack
ICT and Network Security is only one part of the problem.
Data Collection and Dissemination: scrutinize data collected to ensure only minimal data for operations is taken into systems. How is that data protected at rest and in use?
Operational Security Controls (OPSEC): protect information related to logistics, personnel, planning, and other critical activities. Consider impact of social media and communicating to donors.
Connecting With Communities (CwC): CwC (ETC 2020) requires “outside the compound connectivity” – absolutely need to consider security impacts not just to humanitarians, but to beneficiary populations (exploitation, trafficking, etc?). Mass deployment of open wifi for refugees without due consideration for protecting them sets a bad precedent.
Wrapping up…
“A humanitarian crisis can create a justification for waiving concerns about how information is collected and used, even as cyber-warfare, digital crime and government surveillance rises, particularly in unstable contexts.”
- Humanitarianism in the Age of Cyber-warfare (UN OCHA, 2014)
You will be (or already have been!) attacked. (Not a surprise to security people, but responders)
We’ve documented evidence of targeted cyberattacks against crisis responders, not just random infections.
Infosec in disaster relief and humanitarian operations is underappreciated.
Who establishes infosec policies, investigates incidents, etc in the field?
Do we need a Humanitarian CERT?
What about mutual aid scenarios where you have multiple agencies sharing the same network?
This is a responder safety issue.
Failing to secure crisis ICT leaves already vulnerable people exposed.
This is your reality. Right now.
Connect With Us!
On Cisco.com – www.cisco.com/go/tacops
Cisco CSR Reporting: csr.cisco.com -> “Critical human needs”
Facebook: facebook.com/cisco.tacops
Slideshare: slideshare.net/CiscoTACOPS
Twitter: @CiscoTACOPS
Thank you.

The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and Insight
 
ChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps ProductivityChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps Productivity
 
Quantum Leap in Next-Generation Computing
Quantum Leap in Next-Generation ComputingQuantum Leap in Next-Generation Computing
Quantum Leap in Next-Generation Computing
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 

Securing Humanitarian Connectivity

  • 1. Securing Humanitarian Connectivity: Cybersecurity for Disaster Relief and Emergency Response Field Operations. Rakesh Bharania, Cisco Tactical Operations, www.cisco.com/go/tacops, @CiscoTACOPS. November 2015.
  • 2. Agenda: Introductions; Recent Humanitarian Security Incidents; Managing Cybersecurity in Humanitarian Field Operations
  • 3. Introductions (Cisco Public. © 2013-2014 Cisco and/or its affiliates. All rights reserved.)
  • 4. Emergency Response – Cisco TACOPS. Dedicated crisis response team that establishes emergency networks after a disaster. TacOps personnel skills include: Technical Expertise; Planning, Logistics and Operations; Trained First Responders (Fire, EMS); Military Service.
  • 5. Cisco Tactical Operations: Emergency Responses (* = NERV / ECU Deployed)
      • 2005 – Hurricane Katrina (LA)
      • 2007 – Harris Fire (San Diego, CA) *
      • 2008 – Evans Road Fire (NC) *
      • 2008 – Cedar Rapids Floods (IA) *
      • 2008 – Hurricane Gustav (LA) *
      • 2008 – Hurricane Ike (TX) *
      • 2009 – Morgan Hill Fiber Cut (CA) *
      • 2010 – Earthquake (Haiti)
      • 2010 – Plane Crash (Palo Alto, CA) *
      • 2010 – Four Mile Canyon Fire (CO)
      • 2010 – Operation Verdict (Oakland, CA) *
      • 2010 – Earthquake (Christchurch, NZ)
      • 2010 – Gas Pipeline Explosion (San Bruno, CA) *
      • 2011 – Flooding (Queensland, AU)
      • 2011 – Tornados (Raleigh, NC) *
      • 2011 – Tornados (AL) *
      • 2011 – Tornado (Joplin, MO)
      • 2011 – Tornado (Goderich, Ontario)
      • 2011 – Flooding (Brazil)
      • 2011 – Earthquake and Tsunami (Japan)
      • 2012 – Dadaab Refugee Camp (Kenya)
      • 2012 – Waldo Canyon Fire (CO) *
      • 2012 – Hurricane Sandy (NY / NJ) *
      • 2013 – Boston Marathon Explosion (MA)
      • 2013 – Fertilizer Plant Explosion (West, TX) *
      • 2013 – Tornado (Moore, OK) *
      • 2013 – St. Mary’s College Fire (Leyland, UK)
      • 2013 – Navy Yard Shooting (Washington, DC)
      • 2013 – Typhoon Haiyan / Yolanda (Philippines)
      • 2014 – Carlton Complex Fire (WA) *
      • 2014 – King Fire (CA)
      • 2014 – Ebola virus crisis (West Africa)
      • 2015 – Cyclone Pam (Vanuatu)
      • 2015 – Earthquake (Nepal)
  • 6. Recent Humanitarian Security Incidents
  • 7. Example 1: Carlton Complex Fire, United States - 2014. Record-breaking fire in Washington State, USA. Deployed emergency networks with security management to protect firefighters and other emergency workers. Across our networks, we supported over 673 unique devices and transferred 60+ GB of data. This was the first time we deployed active cyber protections for responders. We were able to detect and mitigate 30+ “high risk attacks” against first responders over the course of one week.
  • 8. Cyberattacks against responders: practical realities. Carlton Complex Fire, WA 2014. Supported 673 devices on a mesh network supporting fire operations. FEMA: “This was the first documented cyberattack against a first responder attack surface”
  • 9. Example 2: Ebola Virus Crisis, West Africa – 2014-15. Cisco participated in the ERCI partnership, but also provided direct cybersecurity support to a NetHope VSAT network providing connectivity to 20 ETUs etc. in Sierra Leone and Liberia. Primary concern was inappropriate use of the network by workers in the field: BitTorrent and other high-bandwidth apps consuming donated VSAT bandwidth, resulting in high cost to NetHope and members. Malware and other sites also of concern.
  • 10. Example: 2014-2015 Ebola Crisis. Deploying cloud-managed security at the satellite hub in Europe created effective security without having local infosec in remote areas! Hundreds of unmanaged, poorly patched hosts, risks mitigated (BYODD). [Network diagram labels: 20x remote locations in Sierra Leone and Liberia (ETUs, clinics, etc); Primary; Secondary; Meraki MX80; Internet Upstream; HSRP; Juniper FW]
  • 11. Cybersecurity Implementation: NetHope Ebola Response Network
  • 12. Example 3: Gorkha Earthquake, Nepal - 2015. NetHope deployed Cisco RRK at the Humanitarian Staging Area in Kathmandu. Detected & isolated compromised responder laptops (confirmed malware); disrupted botnet C2 channels. Attacks included: Win32/Mudrop, Win32/Dyre, several Adobe Flash buffer overflows, DNS-based attacks.
  • 13. Example: Nepal Earthquake (Humanitarian Staging Area, Kathmandu)
  • 14. TeamSpy in Nepal: Targeted cyberattack against humanitarians? Evidence of TeamSpy malware detected by Cisco RRK at HSA in Nepal. Low infection rate, targeted victims based on geopolitical motive. In our case, C2 hosts in Germany (but doesn’t mean attackers are in or from Germany). Reinforces immediate need for advanced malware protection for field responders.
  • 15. Right Now: Syrian Refugee Crisis, Middle East / Europe – 2011-2015. Since outbreak of conflict, humanitarian organizations have been one of the primary victims of a complex cyberwarfare campaign. Fatalities resulting from cyber incidents have been documented by FireEye / CitizenLab / University of Toronto. The ongoing threat is advanced, persistent and unlike anything most NH members have dealt with to date.
  • 16. Security and Humanitarians. “Just because you’re doing good for the world doesn’t mean the bad guys are going to leave you alone.” Consider: Humanitarian organizations may have security functions and processes that work back in the home office, but rarely work in the field. Obvious weak point for attack.
  • 17. Cybersecurity In Humanitarian Field Operations
  • 18. Typical ICT Challenges In Disaster/Humanitarian Ops. Information and Computing Technologies (ICT) are needed but overwhelmed…
      – Lack of power
      – Degraded telephony infrastructure
      – Degraded Push-to-Talk Radio, Lack of interoperability
      – Oversubscribed services
      – Limited Internet access
      – Few IT resources
      – Lack of trained staff
      – Lack of Information security & management
  • 19. Security: What are We Really Trying to Do? Protect the mission. Protect the vulnerable. Keep bad things out. Keep critical services running. Know what’s happening on the network and devices. Balance security and access. Get it right every time. [Diagram labels: Inside; Outside]
  • 20. Myth Busting: Information Security in a Crisis. Assumption: “In a crisis network, I need to get deployed quickly. I don’t have time or the resources to secure the network!” Reality: All field networks should be pre-planned! Plan and build your security and process into your infrastructure!
  • 21. Dumb Pipes. Most field ICT deployments have a VSAT or other ISP connected to a network. Network is typically unmanaged at that point.
      – Firewall logs not reviewed
      – Software updates not managed
      – QoS/Traffic Shaping not applied
      – “I have a firewall, so I’m secure, right?”
  • 22. Cybersecurity is a lifecycle problem. Challenge: How can this work in the field, where you are most vulnerable?
  • 23. HFNs Use the Same Basic Infosec Assumptions
      – Least-privilege access: Users, devices, systems are given minimal access given the crisis environment (advanced AAA solutions, etc. may not be available!). Threats may come from anywhere in the network.
      – Simplicity: Once initially configured, the security architecture should establish itself without requiring any additional work from personnel who already have too much to do.
      – Defense-in-Depth: No single security feature or technology can mitigate the range of possible threats. On-scene staff may have little/no security background. Acceptable Use Policies, Incident Response may be undefined.
  • 24. HFN Security Starts With the Physical. You’re going into a disaster zone! “Force Protection”; Physical security of equipment; Logistics; Intelligence; Health and Safety.
  • 25. Managing Infosec In Emergencies. Hastily formed networks (HFN) often overlook security: no such thing as a CSO in a disaster. A huge risk for first responders. TACOPS capabilities have integrated security at multiple levels to protect supported orgs: firewall, VPN, IDS/IPS, etc. Important to have buy-in from agency support! First steps: assess risks, determine policy and posture.
  • 26. Layer 7 Inspection / Deep Packet Inspection For Granular Control. Ironport or Meraki for Layer 7 inspection, blacklisting/whitelisting, QoS, bandwidth management. Enhances BYODD security, preserves satellite bandwidth. “Enable Facebook (because social media is important in a disaster!) but not P2P.” Throttle software updates!
  • 27. Satellite Cybersecurity – Underappreciated Vulnerability. Satellite is often the only way to get broadband data in a disaster. Protect your satellite bandwidth at all costs! Numerous reports of vulnerabilities in satellite HW/SW.
      – Malicious traffic: botnets, zombies, proxies, DDoS flooding traffic.
      – Inappropriate use…? YouTube; BitTorrent / P2P; adult content.
      – GVF Security Baselines released in 2014 – 2015. Demand compliance by your vendors.
  • 28. A Real World Security Incident… Once upon a time… the NERV had a flat, open network. Evans Road Fire in North Carolina. Firefighter’s laptop came onto the NERV pre-infected: DDoS zombie with spoofed source IP. Created DoS condition on the satellite uplink.
  • 29. …Had Us Reevaluate Access. Designed for differentiated access in an easy-to-deploy fashion. “Untrusted” VLANs: open WiFi, certain networks such as those external to the NERV or kits (patch panel), with access to the Internet only. “Trusted” VLANs have open access to servers, vehicle-based resources, etc. Requires you to have physical access to vehicle/kit. [Image caption: Optical & copper patch panel allow only limited access]
  • 31. Our HFN Firewall Strategy – One Policy, Everywhere. Each “unit” is responsible for its own firewall. Each policy is the same.
      – Inbound IOS firewall, BOGON filters
      – Egress Internet-only from “untrusted” networks
      – Egress “sanity checking” filters for spoofed outbound traffic
      – Layer 7 inspection + Layer 3
      [Diagram labels: Internet; ASA Firewall; ASA Firewall; Field Units; San Jose, CA; Raleigh, NC]
  • 32. Security Needs to Exist Throughout The Stack. ICT and Network Security is only one part of the problem.
      – Data Collection and Dissemination: scrutinize data collected to ensure only minimal data for operations is taken into systems. How is that data protected at rest and in use?
      – Operational Security Controls (OPSEC): protect information related to logistics, personnel, planning, and other critical activities. Consider impact of social media and communicating to donors.
      – Connecting With Communities (CwC): CwC (ETC 2020) requires “outside the compound connectivity” – absolutely need to consider security impacts not just to humanitarians, but to beneficiary populations (exploitation, trafficking, etc?). Mass deployment of open wifi for refugees without due consideration for protecting them sets a bad precedent.
  • 33. Wrapping up…
  • 34. “A humanitarian crisis can create a justification for waiving concerns about how information is collected and used, even as cyber-warfare, digital crime and government surveillance rises, particularly in unstable contexts.” - Humanitarianism in the Age of Cyber-warfare (UN OCHA, 2014)
  • 35. This is your reality. Right now.
      – You will be (or already have been!) attacked. (Not a surprise to security people, but responders)
      – We’ve documented evidence of targeted cyberattacks against crisis responders, not just random infections.
      – Infosec in disaster relief and humanitarian operations is underappreciated. Who establishes infosec policies, investigates incidents, etc in the field? Do we need a Humanitarian CERT? What about mutual aid scenarios where you have multiple agencies sharing the same network?
      – This is a responder safety issue. Failing to secure crisis ICT leaves already vulnerable people exposed.
  • 36. Connect With Us! On Cisco.com: www.cisco.com/go/tacops; Cisco CSR Reporting: csr.cisco.com -> “Critical human needs”; Facebook: facebook.com/cisco.tacops; Slideshare: slideshare.net/CiscoTACOPS; Twitter: @CiscoTACOPS
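
The firewall policy on slide 31 (inbound bogon filter, Internet-only egress from "untrusted" VLANs, egress sanity check for spoofed sources), applied to the kind of spoofed-source traffic described on slide 28. This is an added Python model, not code from the deck or from Cisco; the VLAN prefixes, sample addresses and function names are constructed assumptions.

```python
import ipaddress

# Constructed addressing plan for one field unit (assumption, not from the slides).
TRUSTED = ipaddress.ip_network("10.20.10.0/24")    # servers, vehicle-based resources
UNTRUSTED = ipaddress.ip_network("10.20.99.0/24")  # open WiFi, patch-panel ports
LOCAL_NETS = (TRUSTED, UNTRUSTED)

# Partial bogon list: reserved, private, loopback, link-local, multicast.
# The documentation ranges (198.51.100.0/24, 203.0.113.0/24) are left out on
# purpose so they can stand in for public Internet hosts in the sample data.
BOGONS = tuple(ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4"))


def in_any(addr, nets):
    return any(addr in net for net in nets)


def evaluate(interface, src, dst):
    """Apply the one shared policy to a packet arriving on 'outside' or 'inside'."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if interface == "outside":
        if in_any(src, BOGONS):
            return "drop", "inbound bogon source"
        return "permit", "passed bogon filter (stateful inspection not modelled)"
    if not in_any(src, LOCAL_NETS):
        return "drop", "egress sanity check: source is not a local address"
    if src in UNTRUSTED and in_any(dst, BOGONS):
        return "drop", "untrusted VLAN is Internet-only"
    return "permit", "egress allowed"


# Constructed sample packets: (arriving interface, source, destination).
SAMPLES = [
    ("inside", "10.20.99.23", "203.0.113.10"),    # open WiFi client to Internet
    ("inside", "10.20.99.23", "10.20.10.5"),      # open WiFi client to a server
    ("inside", "10.20.10.8", "10.20.10.5"),       # trusted host to a server
    ("inside", "198.51.100.77", "203.0.113.10"),  # infected laptop, spoofed source
    ("outside", "192.168.1.4", "10.20.10.5"),     # private source from the uplink
    ("outside", "203.0.113.10", "10.20.99.23"),   # ordinary inbound packet
]


def run_samples():
    return [evaluate(*pkt) for pkt in SAMPLES]


if __name__ == "__main__":
    for pkt, (action, reason) in zip(SAMPLES, run_samples()):
        print(f"{pkt[0]:7} {pkt[1]:15} -> {pkt[2]:15} {action:6} {reason}")
```

The fourth sample is the case that matters for a satellite uplink: the spoofed packet is dropped at the unit's own firewall before it consumes any uplink bandwidth.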