Country needs a comprehensive telecom security policy
In the last two years the department of telecom (DoT) has taken various steps to ensure that telecom equipment imported from abroad does not pose a threat to the country’s security.
The department had taken an informal decision in 2010 to ban import of telecom equipment from Chinese equipment manufacturers. To ensure that the imported equipment does not contain hidden malware that could be used for anti-national purposes, the ministry of home affairs had stipulated that the source code of telecommunication systems, running into millions of lines, particularly of core network elements such as the mobile switching centre (MSC), be deposited in an escrow account. Only the Chinese MNCs (Huawei/ZTE) agreed to meet this stringent requirement. Other MNCs (mainly US/European) refused to comply, on the plea that it involved revealing proprietary software technology, which takes at least 1,000 man years to develop, at enormous cost.
Such a stipulation lacks a true appreciation of the complexity of telecom software, which is one of the most complex ever developed for industrial application. In the 1980s, it used to be compared with the real time software being developed in the US, under the ‘Star Wars program’, to counter the threat of Soviet missiles.
The Chinese companies had agreed to make their software available, secure in the knowledge that it is almost impossible to detect a few lines of malicious source code (malware) written in a low level programming language in such voluminous real time software. Keeping the initial version of the software in the escrow account does not solve the problem, as the software is never frozen and keeps on evolving. ‘Patches’ for system upgradation are routinely received by telecommunication operators. They can always contain hidden malware. Mainly due to the protest of European MNCs, and also due to representations received from the US department of commerce, this stringent requirement has now been removed.
According to the latest reports, the Chinese companies have also been allowed to supply their equipment to Indian telecommunication service providers, including BSNL & MTNL. They also operate and maintain the systems, after supply & installation, including patch management.
In the telecommunication security policy that is being finalised by the DoT, it is proposed to set up a certification centre to test imported telecommunication systems, from the security angle. Of concern is the move to set up a certification centre with the assistance of Huawei of China at the Indian Institute of Science (IISc), Bangalore.
Technically, it is not possible for a specific firm such as Huawei to set up a generic Testing and Certification Centre to test all equipment imported from various sources, as different telecom systems employ their own specific software development environment (SDE), consisting of an operating system and software tools such as debuggers. A Huawei software centre can perhaps be used to debug the systems supplied by their principals in China, provided full training is given to Indian engineers. It may be very difficult to adopt such a policy for an educational institution like the IISc.
Already, the country has imported a large volume of telecom switching and transmission equipment from ZTE/Huawei. What is really dangerous is that many private licensed operators have, under the so-called ‘managed model’, outsourced to MNCs (including Chinese MNCs) the functions of operations & maintenance.
Telecom systems are operated through hundreds of man-machine commands. It is learnt that sensitive man-machine commands are also being given by foreign engineers from remote terminals. Hidden malware can easily be activated by these commands or by an internal process triggered by a time stamp. It could be introduced into a working system as part of a patch. The licensed telecommunication operators treat the telecommunication systems (2G/3G etc.) as ‘black boxes’ and depend totally on equipment vendors for technical problem solving.
Countries like the USA and Australia, which were in the forefront of the WTO agreements to remove all trade barriers, have recently imposed a ban on import of equipment from Huawei on security concerns, although unlike India these countries do not have any border dispute with China. These security concerns relate to the discovery in 2010 of ‘Stuxnet’, a piece of malware which has started an era of cyber warfare.
Cyber security experts believe ‘Stuxnet’ was meant to sabotage the uranium enrichment facility at Natanz (Iran), which deployed an industrial supervisory control and data acquisition (SCADA) system imported from Siemens of Germany. The Stuxnet attack disrupted the functioning of programmable logic controllers (PLCs): the speeds of thousands of centrifuges at the uranium enrichment facilities in Iran were dramatically changed, thereby damaging them. After the Stuxnet attack, their operational capacity dropped by 30%.
Even the Iranian President Mahmoud Ahmadinejad had to admit that a computer virus had caused problems with the controllers handling the centrifuges at the Iranian Natanz facilities. He acknowledged that a large number of centrifuges were infected with the ‘software they had installed in electronic parts’.
It is also speculated that Stuxnet was developed with the active participation of Siemens, the original supplier of the SCADA system to Iran, in collaboration with US/Israeli spy agencies. It is reported that Israel tested the effectiveness of Stuxnet in the famous Dimona complex in the Negev desert, on centrifuges similar to those Iran has at Natanz. Trojanized source code similar to Stuxnet has even caused explosions in pipelines, by increasing the pipeline pressure beyond its capacity.
Malware (viruses, worms, trojan horses, etc.) generally spreads through the public Internet, i.e. cyberspace, and tries to attack network elements that have an IP address. It generally does not affect telecom systems, which are largely isolated from the public Internet; since their controllers do not have a public Internet IP address, it is difficult to launch an attack from cyberspace. However, there is always the possibility of malware being embedded in the systems being imported from potential enemy states.
There are many other instances of sabotage of industrial plants and other high value infrastructure such as power plants, nuclear installations and even defence equipment. Our security experts should draw the right lesson from Stuxnet and other industrial sabotage malware so as to prevent control system security incidents, such as the one the Iranians faced in 2010-11. While it is relatively easy to detect computer worms which spread through the public Internet, exploiting the vulnerabilities of the Windows operating system, it is very difficult to detect malware hidden in large volumes of software/firmware designed for industrial control systems such as telecommunication systems, which do not employ well-known operating systems or programming languages.
During the last decade anti-malware researchers, such as the famous anti-virus firm Kaspersky Lab, have identified thousands of viruses and other malware present in cyberspace. The latest is a malware called ‘Flame’, designed by a nation state for cyber espionage, which is even more complex than Stuxnet. According to the Iranian computer emergency response team (MAHER), Flame might be responsible for recent data loss incidents in Iran. There is no big anti-malware reverse engineering effort, even in the USA, to detect malware in telecommunication systems, due to the complexities involved.
It is generally agreed by virus researchers that to prevent attacks like the one the Iranians faced last year, a multi-layered approach called ‘defence-in-depth’ needs to be adopted. The layers include policies & procedures, awareness & training, network segmentation, access control measures, physical security measures, system hardening (e.g. patch management) and system monitoring.
Policy makers and analysts should start with a risk analysis and a control system security assessment, particularly relating to telecommunication systems. The telecom security policy document, which is under preparation in Sanchar Bhawan, should examine all the aspects of ‘defence-in-depth’, particularly those related to control system security, and come out with comprehensive recommendations so that the country’s security is fully safeguarded from industrial sabotage and spying.
The author is a former member of Trai/Telecom Commission.
