Creating Trust in Critical Network Infrastructures

The Canadian case study

Extracts*

Canada is a vast country with a highly developed technological and communications infrastructure, a richness of natural resources and varied terrain: mountains, ridges, rugged plateaux, deep valleys, plains and rugged coastlines. The country’s population had reached over 31 million in 2001 (see Table 1). Industry, government and the population as a whole are highly dependent on the traditional communications infrastructure and there is a growing dependence on the Internet in all areas.

The national telecommunication infrastructure

Critical elements

The diversified nature of the elements of the telecommunications infrastructure (telephone, data lines, cellular and PCS systems, pagers, satellite, cable, wireless broadband, radio and television) means that total failure is virtually inconceivable. What is more likely is that one or two elements (e.g. voice and data lines) could fail, but the other elements would be unaffected. The most critical elements of the traditional telephone network are the switches, of which there are around 3600 in Canada, some of them very large. Catastrophic failure of a single switch due, for example, to an earthquake or fire, could disable 100 000 telephone lines and 3000 data lines.

Mitigation strategies

While full restoration of a switch could take about one week, a mobile switch can be used as standby. Depending on the severity of the incident, individual carriers can also invoke their mutual aid provisions.

In the event of power failure, all switches have battery backup, and major central offices have generators with fuel to last several days.

Laws and policies that address network security

The ten provinces and three territories that form the Canadian federation each have their own elected legislatures and governments.

Legal issues relating to network and data security in Canada are, for the most part, addressed not in individual laws drafted specifically to deal with network and data abuse, but under provisions of the Canadian Criminal Code.

Responsibility for emergency measures in Canada is shared among three levels of government, though the federal government is now leading and coordinating the overall effort towards critical infrastructure protection. Individual industries have working groups and committees examining protection of their own infrastructures and there is close liaison with the government agencies responsible for infrastructure protection.

Canada signed the Council of Europe Convention on Cyber-Crime on 23 November 2001 and continues to be active in the G8 Lyons Group on High-Tech Crime. The Canadian Government is now examining what changes to current criminal law might be required in order to implement the Council of Europe Convention. Of particular relevance to the protection of networks, Canada is looking at what changes will be needed to current criminal law provisions against virus dissemination.

In response to the attacks of 11 September 2001 in the United States, the Canadian Government has introduced a number of legislative proposals to counter the threat of terrorism. The most comprehensive proposals, and those that most directly affect network security and infrastructure protection, are contained in Bill C42.

More general issues of emergency preparedness are addressed by the “Emergency Preparedness Act of 1985”. The Act assigns responsibilities for coordination among government institutions and for cooperation with provincial governments, foreign governments and international organizations in the development and implementation of civil emergency plans.

In addition to being very important to all sectors of the Canadian economy, the telecommunications service industry is itself a key sector of the economy, employing 116 000 people in the year 2000 and generating revenues of CAD 32.6 billion. The sector covers all aspects of public communications services — wireline services, wireless, cable, and satellite as well as Internet services and private research networks.

The federal government’s convergence policy announced in 1996 to encourage, among other things, interconnection, interoperability, unbundling of network facilities, and competition, has resulted in significant convergence of the broadcasting, telecommunications and publishing sectors.

Federal government network security initiatives

All federal departments are heavy network users. Regardless of the option chosen, all departments are ultimately responsible for ensuring their own security (according to the Government Security Policy).

The federal government has embarked on two very significant network security initiatives that are expected to have a major impact on internal network security and on the security of service delivery. First of all, the Government of Canada Public Key Infrastructure (GoC/PKI), which has been in development since 1996, offers protection to all desktop systems in the federal government. Several provinces are following the lead of the federal government and adopting both the GoC/PKI technology and the certificate policies of the federal government. The second major initiative in this area is the development of a Secure Channel, which will offer network services, security services (access control, authentication, authorization, confidentiality, data integrity and non-repudiation), Directory services, and support for common applications. The Secure Channel will be a major infrastructure component for the Government Online project.

The financial services industry and its use of networks

Both government and the financial services industry are highly dependent on public and private telecommunication facilities for internal operations as well as for service delivery. Both sectors use private networks extensively and are also increasingly dependent on the public Internet for service delivery. Any operations failure on the part of the financial services industry would have a serious impact on the rest of industry and on the economy. As the Bank for International Settlements stated in its 1994 Annual Report: “Payment and settlement systems are to economic activity what roads are to traffic — necessary but typically taken for granted unless they cause an accident or bottlenecks to develop.” Given that most of Canada’s banking transactions are settled via an electronic process, the disruption that could be caused by a serious network failure is potentially immense.

An indication of the magnitude and importance of financial transactions can be deduced from some of the more visible transactions. For example, in 1999, the value of inter-bank settlements was more than 30 times Canada’s gross domestic product. Canadians are also world leaders in the use of direct debit cards with the number of transactions in 2001, exceeding 2 billion, which represented CAD 94.9 billion in sales. On the busiest single day in 2001, some 10.8 million direct debit transactions were posted.

The electricity industry

In the case of the electricity industry, there is such a degree of interdependence that the effect of serious electrical failure on critical telecommunications infrastructure cannot be ignored.

The telecommunications infrastructure is dependent on power, though mitigation strategies using back-up batteries and generators are routine and successful in all but the most extreme instances. Further, since telephones are powered from the local office, rather than from the subscriber’s premises, power failures per se do not generally affect the basic telephone service. During the Ice Storm that occurred in Eastern Canada in 1998, some rural communities were without power for as long as three weeks but able to use the telephones during that period.

For citizens and businesses relying on data communications services, however, a severe electricity failure would render many of the computers unusable with the result that no transactions (whether dependent on telecommunications or not) could be processed for the duration of the power failure. An even worse scenario is that of “brown-outs”, where power is reduced to the point where only low-demand devices operate and power spikes occur when the power is restored, with the risk that equipment is damaged by the surge. During the ice storm, both of these scenarios were fairly frequent occurrences. Brown-outs prevented the proper operation of computers and their displays while power spikes (which occurred frequently within short spaces of time as attempts were made to restore power) caused equipment to burn out.

A further risk is that data becomes corrupted or that the storage devices suffer physical damage. Where third party service providers, for example, Internet service providers (ISP) suffer power failures, all users of that ISP are impacted by loss of service and there is a risk that data and messages could be lost.

Thus, electrical failure has a very severe effect on data services at the subscriber level and even reduced power levels can have a serious and lasting impact.

From the electricity supplier standpoint, telecommunications failure would impact the process control systems and the communications between control centres, generation facilities and local facilities (transformers, substations and switches).

Critical elements in electricity supply

The electricity supply components most dependent on telecommunications are the process control systems. Communication between the system control centres and the generating stations, transformers, switching stations and substations must be reliable and secure. Electricity supply operations depend on a very precise “just-in-time” delivery. Any communications failure that disrupts the network monitoring or control jeopardizes that reliability.

Mitigation strategies

Most electricity companies protect against possible communications failure by using both their own communication facilities and those supplied externally. Back-up facilities, including satellite links are in place to assume critical communication functions in the event of failure of the normal systems.

Mitigation strategies for telecommunication users who would be affected by electrical failure include back-up power supplies (battery for short periods, generators where prolonged outages are unacceptable) and surge protectors to safeguard equipment from power fluctuations.

Internet services

In general, because of the robust design and built-in redundancy of routing, the Internet backbones are not vulnerable to major failures of equipment or communication links on individual legs of the network. A major failure in one leg would simply result in re-routing of messages to alternative routes. The greatest risk of hardware and/or communications failure is between the subscriber and his/her Internet service provider — or in the case of large users who interface directly to the Internet, a failure at the user’s premises. If an ISP suffers a hardware failure, restoration capability generally depends on the individual ISP, with some being more robust than others (for example in being able to switch quickly to a backup server). If the ISP suffers a major failure such as an electricity blackout, fire or other major disaster, restoration could take hours, days or weeks, subscribers forcing to seek alternative ISP services.

For users with dial-up Internet access, the communication links between the subscriber and the ISP are as robust as the telephone service and local communications redundancy is built into the service. For users of cable or digital subscriber line (DSL) services, communications failure could result in a prolonged outage and in the event of a failure of the ISP, establishing service with an alternate ISP would be less easy than for a dial-up service user.

Given the vast number of users, and the number and variety of distinct ISP services, it is impossible to estimate the likely impact of any particular type of failure. However, a recent example of a server failure at one Canadian cable company provides some insight into what could happen. The company has 300 000 subscribers to its cable Internet service. It operates 10 servers and typically handles 2.5 million e-mails per day. On 19 March 2002, during the peak traffic period of 8 p.m. to 10 p.m., one of the servers crashed due to overload. During the 30 minutes the system was down, an estimated 10 000 to 12 500 e-mails were lost and irrecoverable.

The application of cyber-crime laws

Canada has a reasonably effective set of legislative measures that can be used in the fight against cybercrime. However, given the ubiquity of the Internet, strong international cooperation and action is required. Not only is there a lack of consistency in the cyber-crime laws from country-to-country, but there are also varying degrees of enthusiasm on the part of national administrations in the fight against cybercrime. As a result, some regions of the world have effectively become sanctuaries for hackers and Internet fraud artists. There is an urgent need for consistent laws dealing with Internet use, and consistent and vigorous application of those laws. It is in recognition of this need that Canada signed the Council of Europe Convention on Cyber-Crime and is active in the G8 Lyons Group on High-Tech Crime.

The oil and gas industry

Canadians are highly dependent on natural gas and oil for home heating and for industrial use. The largest production areas are in the western provinces, though there is some production in Ontario, the northern parts of the country and off the eastern coast. Large volumes of oil and gas are shipped across the country and to the United States by pipeline. Failure of any of the collection or delivery pipelines would have a major impact.

Dependence on telecommunications

Voice and data telecommunications are used by the oil and gas industries to manage distribution and delivery of the products. Customer deliveries of oil at the retail level, and re-supply of local oil depots and notification of problems (e.g. gas leaks) are coordinated by telephone or e-mail. Oil and gas pipelines use telecommunication links between the control centres and remote pumping stations. Remote gas compressor stations are centrally controlled via telecommunications. The National Energy Board requires that all suppliers have business resumption plans in place.

Marine and ferry services

Marine services in Canada include shipping (ocean and inland), ports, navigation, St Lawrence Seaway services and icebreaker services. Ferries operate on the Atlantic and Pacific coasts as well as on the Great Lakes and some rivers.

All shipping is highly dependent on communications between vessel and shore to exchange information on weather conditions, positions and status, to coordinate movements with suppliers and clients, and to serve in case of medical emergency or potential disaster.

Seaway traffic is dependent on voice and data for business transactions between freight forwarders, shipping owners, agents, government agencies and private industry. Seaway business transactions make heavy use of electronic data interchange.

Icebreakers require constant communications to ensure safe movement in shipping lanes and safe and speedy operation of the Coast Guard fleet.

Marine navigation relies on dedicated transmitters, antenna farms and coastal radar sites and there is a heavy dependency on local telecommunications infrastructure.

Passenger ferries are increasingly using on-line services for passenger information and reservations.

Health care

The health care sector includes services at all levels of government in addition to primary health care delivery (hospitals, clinics and doctor’s offices).

Totally reliable telecommunications are essential for coordinating emergency responses (e.g. ambulance and related services) and for communicating information relating to emergency situations (e.g. outbreaks of disease and biological, chemical and other contamination).

Health care delivery systems (doctors, hospitals and private clinics) rely on on-line services to validate patient health cards with the province providing the medicare coverage.

Doctors and hospitals rely primarily on voice communications to transmit patient prescription information to pharmacies. Doctors are also increasingly relying on on-line databases for patient information.

Hospital services use broadband transmission to permit remote monitoring of patient conditions and surgery. Hospital staff are increasingly using videoconferencing systems to communicate with remote locations. Detailed patient information, including X-ray and other diagnostic materials, is routinely exchanged using broadband services.

Conclusion

Although the information and experiences reflected in the case study are those of Canada, for the most part the conclusions and lessons learned are applicable in a much broader context. It is hoped that the information presented here will provide valuable input to the international discussions on this important topic.