May is for mothers, mudders (go Justify!), and mesh. What?
Wireless mesh networking is—increasingly—our digital connection to the critical infrastructures that gird up (grid up?) our 21st century commercial, political, and social life. This pervasive interconnected mesh is composed of a broad range of devices that enable capabilities like virtualization, Software as a Service (SaaS), cloud computing, and Internet of Things (IoT). May 14 through 21 has been designated as Infrastructure Week (a national week of educational and advocacy events first launched in 2011). Manufacturing is one of the 16 critical infrastructures identified by the US Government, so a look at recent regulatory advice with respect to communications-related infrastructure components seems timely.
Wireless mesh networking is often ad hoc and unplanned: a convenient, cost-effective, and decentralized solution for building connections within and between manufacturing facilities, production equipment, personnel, supply chain, and customers. Cybersecurity improvement plans focus on how to secure those connections with recommended better practices about passwords, firewalls, segmented systems and credentials, selective encryption, and end-user device protection. We check the box that we’ve changed default account settings and patched the software on routers and other telecommunication systems devices. We are mindful about protecting our mobile devices from risky connections through unknown hot spots.
But what do we know about the internal, as-built, unadvertised functionality of that broad range of internetworking devices? (A: More than we knew in 2017.) What is happening at the bill of materials (BOM) level? (A: Troubling data leakage capabilities.) What steps are the US Government and technology companies taking to help manufacturers mitigate potential risks built into trusted infrastructure? Some recent steps are outlined below:
- In February, the heads of six security-related agencies (including NSA, FBI, CIA) recommended to the US Senate Intelligence Committee that US citizens not use devices made by Chinese manufacturers Huawei and ZTE.
- In March, the Federal Communications Commission (FCC) announced proposed legislation to restrict telecoms operators (including ISPs) from using the FCC’s $8 billion Universal Service Fund (USF) money to purchase equipment from banned vendors like Huawei and ZTE. This will affect smaller telecoms providers; AT&T, Sprint, T-Mobile, and Verizon—the big four—are already banned from using this equipment. Vulnerabilities include hidden backdoors that can allow malware injection and data exfiltration.
- In April, Cisco recommended that its “set and forget” networking perimeter devices, such as routers and switches, be scanned to identify and remove instances of the Cisco Smart Install Client. This software protocol “can be abused to modify the TFTP server setting, exfiltrate configuration files via TFTP, modify the configuration file, replace the IOS image, and set up accounts, allowing for the execution of IOS commands,” and has been associated with attacks in various countries involving critical infrastructure. Some 168,000 systems worldwide are potentially vulnerable.
- In early May, the Department of Defense “banned all Huawei and ZTE cellphones, personal mobile internet modems and related products from [military base exchange] locations worldwide” due to concerns about data exfiltration functionality. Mobile phones already owned by service personnel have not yet been banned, however.
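Cisco's April advice above boils down to an inventory question: which of your "set and forget" switches still have the Smart Install client turned on? As an added example (not from the original post or from Cisco), the following script audits saved `show vstack config` output collected from each device and lists the ones that still need remediation. The host names, the captured output and the exact wording of the enabled/disabled line are constructed for this example.

```python
import re

# Constructed sample: `show vstack config` output captured from three
# hypothetical devices. The "SmartInstall enabled/disabled" wording and the
# "% Invalid input" error for platforms without the feature are assumed here.
INVENTORY = {
    "sw-floor1": " Role: Client (SmartInstall enabled)\n"
                 " Vstack Director IP address: 0.0.0.0\n",
    "sw-floor2": " Role: Client (SmartInstall disabled)\n"
                 " Vstack Director IP address: 0.0.0.0\n",
    "rtr-edge":  "% Invalid input detected at '^' marker.\n",
}

ROLE_RE = re.compile(
    r"Role:\s*(?P<role>\w+)\s*\(SmartInstall\s+(?P<state>enabled|disabled)\)",
    re.IGNORECASE,
)

def smart_install_state(output):
    """Classify one device's `show vstack config` output.

    Returns "enabled", "disabled", or "not_present" (the command is not
    recognised, so the Smart Install client cannot be running there).
    """
    match = ROLE_RE.search(output)
    if match is None:
        return "not_present"
    return match.group("state").lower()

def audit(inventory):
    """Map every device name to its Smart Install client state."""
    return {host: smart_install_state(text) for host, text in inventory.items()}

def needs_remediation(inventory):
    """Devices on which the client is still enabled, sorted for a work list."""
    return sorted(h for h, s in audit(inventory).items() if s == "enabled")

if __name__ == "__main__":
    for host, state in sorted(audit(INVENTORY).items()):
        print(f"{host:12} smart-install: {state}")
    for host in needs_remediation(INVENTORY):
        # `no vstack` is the IOS command Cisco documents for disabling the client.
        print(f"{host}: apply 'no vstack' in global configuration mode")
```

Re-running the audit after the change, and keeping the captured output with your change records, gives you evidence rather than a checked box.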
The convergence of operational technologies (e.g., SCADA, CNCs, PLCs) and information technologies (e.g., routers, switches, mobile devices) across the manufacturing sector creates opportunities for efficiency—and mischief. Vulnerabilities introduced through virtual connections can compromise plant operations—more than data is at risk. The revised NIST Framework for Improving Critical Infrastructure Cybersecurity describes these and other recommendations for mitigating risk within your wireless mesh network and other infrastructure components:
- Validate supply chain partners. Make sure that supply chain partners are playing by acceptable rules. Beware of counterfeit or poorly manufactured products that can degrade or compromise your network.
- Limit product add-on features. Make sure that actual product performance matches assumed product performance. Consider including cybersecurity requirements when developing your vendor selection criteria.
- Evaluate trade-offs between convenience and risk. The easy way (e.g., Cisco’s Smart Install, accepting default features) may not be prudent, especially for systems that are stable and often relied on for background, almost invisible, functionality.
Using reasonable care in selecting, deploying, and using your infrastructure components will help you build a more secure platform on which your (probably increasing) wireless mesh traffic plays. Secure your mesh—reduce potential mess!