Working Group10:LegacySystems and Services Risk ReductionStatusUpdate
September 14, 2016John Kimmins, Co-Chair, iconectivDanny McPherson, Co-Chair, VerisignFCC Liaison:Steven McKinnon
2
WG10Objectives
WorkingGroup Description:In the Technology Transitions Order of August 2015, the Commission notes that “communications are rapidly transitioning away from” TDM-based technologies to “new, all-IP multimedia networks.” The intermingling of legacy communications technologies with advanced communications technologies introduces new threat vectors and cyber risk. Recently, this issue has gained greater attention in light of the security threats to Signaling System 7 (SS7) and its IP based version SIGTRAN, a signaling protocol supporting call setup, routing, exchange, and billing functions in communications networks by sending messages between fixed and mobile communications service providers. The scale of SS7, which is used by carriers all over the world, means that every network subscriber could be vulnerable to these security risks.As part of a series of requests to CSRIC, the Commission asked CSRIC to examine vulnerabilities associated with the SS7 protocol and other key communications protocols (e.g., Diameter). CSRIC Working Group 10 will assess existing and potential threats and current defensive mechanisms and make recommendations to the FCC on how to overcome security challenges present in SS7 and other communications protocols used between communications networks and their impact on the transition to next generation networks. The first step is the development of a Risk Assessment and Summary Report asdescribed herein.Deliverables:RiskAssessmentby December 2016 and Risk Mitigation Strategies SummaryReportand Recommendations by March 2017.
3
WG10Members
John Kimmins,Co-chair(iconectiv)Danny McPherson, Co-chair (Verisign)JohnMarinho, Technology & Cybersecurity, CTIAPhilipLinse, Director, Public Policy, CenturyLinkXiaomeiWang, TechnicalLead, Verizon WirelessKevinBriggs, Chiefof Continuity Assessment andResilience, DHS\NCCICMartin Dolly, ATISMark Easley, AT&TNileshRanjan, MTS/DirectorSystems Design and StrategyEngineering, T-MobileDrew Morin, Director,T-MobileTimLorello, President& CEOSeculoreSolutions LLCTravisRussell, Director,OracleKathyBlasco, CommunicationsAssessment Lead,DHS\NCCICMohammadKhaled, NokiaDavid Nolan, Electronics Engineer, DHSJohn Gallagher, SprintKathyWhitbeck, Director,Nsight
FCC Liaison:Steven McKinnon
4
Assessment Outline – September 2016Risk Assessment ReportInitial Draft - October 2016Final Draft - December 2016Summary Report & RecommendationsMarch 2017
WG10 Deliverables
5
Industry Subject Matter Experts - OutreachSilkeHoltmanns, Nokia-Bell Labs – Aug. 18thKarstenNohl, SR Labs– October 13thJames Moran, GSMA – OctoberSummaryCurrent EnvironmentStandardsGlobal perspectiveThreat landscapeMitigation & Counter Measures
Expert Outreach
6
Overviewof SS7 – Background &HistoryApplication to WirelineNetworksGeneric Architectural OverviewRelevant Standards & ProtocolsTransitionto NewTechnologyApplication to Mobile NetworkGeneric Architectural OverviewRelevant Standards & ProtocolsTransitionto New Technology (e.g. DIAMETER) and interworking between SS7 andDIAMETERReported Threats and RisksUnauthorized Access (e.g. masquerading as a Carrier)WirelineMobilityUse of commercially available interception and tracking technologiesExample Use Cases Impact CISectorsAssessment of Reported Threats and RisksDefinition of TermsTargeted Assets (e.g. network nodes, network information)
Risk Assessment Outline
7
Assessment of Reported Threats and Risks (Continued)Threat Vectors & Threat ModelsNetwork ImpactServices and Information ImpactEnd-User ImpactCaller ID spoofingIMSI CatchersUse of commercially available interception and trackingPrioritization/Likelihood/Scope of ThreatsCurrent Security Capabilities & Risk Mitigation ScenariosProtections, Detection & DefensesStandards & PracticesTools (e.g. SS7 Firewalls, Gateway Screening, Data Analytics, Network Assessment, Penetration Testing, Reported Security Maps/Services)Network Interconnection – Carriers, AggregatorsGlobal Inter-Carrier RoamingGlobal AssessmentSummary ConclusionsItems to consider for Risk Mitigation Recommendations
Risk Assessment Outline (cont)
8
Next Steps and Activities
Continue documenting initial Risk Assessment draftContinueweeklyconference callsSME Presentations hostedContinue to gather specific threat analysis, current practices and assess risksLeverage industry expertise & standards/forums relevant materialProvideupdatesto Steering Committee and Council
0
Embed
Upload