on Information
Technology to
Operate
Commercially Available
Information Technologies
Are Widely Deployed
Chapter 2: Cybersecurity Requirements of Critical Infrastructure Sectors
networks and the Internet), as well as radio and satellite. These products are typically used in a networked environment to allow groups of
individuals to share data, printers, communications systems, electronic mail, and other resources. These resources are provided by servers, which are computers that run specialized software to provide access to a
resource or a part of the network. The network communication links between servers and devices such as printers and modems can be wired or wireless (using radio waves).
For the purposes of this assessment, we define a network as an interconnected collection of computers and networks. A network in a relatively small geographical area is known as a local area network (LAN). Most entities have one or more LANs at each of their offices; a LAN can be as small as two networked PCs, or it may support hundreds of users and multiple servers. Larger entities also have wide area networks (WAN) that connect the various LANs the organization has that are dispersed over a wide geographical location. Devices such as bridges, routers, and switches move packets (blocks of data packaged with the information necessary for their delivery) within and between networks, offering different levels of data-handling capability, depending on the origin and destination of the packets. Networks use predefined sets of rules known as protocols to communicate with each other. For example, the Transmission Control Protocol/Internet Protocol (TCP/IP) suite is the set of protocols used to communicate over the Internet.14
In a TCP/IP network, each server or hardware device is assigned an IP address—a unique numeric location based on the IP addressing scheme. Every computer or device with an IP address is considered a connection point, or node, of the network. Each node can run network services such as the World Wide Web, electronic mail, and file transfer, storage, and retrieval. Each network service uses specific protocols and is identified by a port number that enables other nodes to locate and connect to the service. As seen in figure 3, computer servers and devices are interconnected into networks, which in turn are often connected to the Internet.
14
The Internet refers to the specific interconnected global network of TCP/IP-based systems that began with the Department of Defense’s network known as ARPANET.
Chapter 2: Cybersecurity Requirements of Critical Infrastructure Sectors
Figure 3: An Example of Typical Networked Systems
Internet services and their underlying network protocols are used in the operation of infrastructures such as electric power, transportation, banking, and many more. According to infrastructure sector
representatives, entities within their infrastructures use IP- and non-IP- based networks, LANs, WANs, the Internet, and other information
technology. Entities also utilize a variety of operating systems and off-the- shelf and proprietary applications. In addition, they use a variety of communications methods, including satellites, radio, the public switched network, leased lines, private fiber optics, and wireless networks. Sector representatives reported the following:
• The banking and finance sector entities use all forms of information technology—client/server, Internet and non-Internet connected, proprietary, and mainframe networks. The sector’s communications
Firewall Switch Router External servers Remote access server Dial-in users Remote users Interorganization Business partners
Desktop PCs Printers Internalservers
Intraorganization Local Area Networks
Internet
Wide Area Network
Chapter 2: Cybersecurity Requirements of Critical Infrastructure Sectors
are split between private (dedicated, leased, and private fiber optics) and public (public switched network, Internet). According to an industry representative, the banking and finance infrastructure sector cannot operate in the absence of information technology. The
criticality of a function depends on the business context—in one context, ATMs and online banking (bill payments) are critical to customers; in another, wholesale operations are important to support infrastructure operations such as payroll and personnel. As we discuss later, the most critical systems are not controlled by the individual financial institutions but are centrally controlled by government and other entities.
• The chemical sector entities use LANs, WANs, the Internet, other IP- based networks, wireless networks, and other (non-IP-based) proprietary networks. According to industry representatives, the business processes that are most critical to sector performance are manufacturing and engineering, environmental, health and safety, supply chain and logistics, financial, and personnel.
• The defense industrial base sector uses all types of information technology to perform business functions (accounting, finance, payroll) and operational functions that could instantly affect national security operations. Two critical areas that rely on information technology are the supply chain for manufacturing and the IT infrastructure that is owned and operated by the defense industrial base for DoD.
• Within the energy sector, the electricity industry uses a combination of information technologies, including LAN, WAN, Internet, wireless networks, satellite, and radio. According to industry representatives, information technology is used for a variety of business functions and operational processes, including control functions and marketing of power to consumers. Some of these processes, such as payroll, are important to the entities but not necessarily essential from a CIP perspective.
• Also within the energy sector, the oil and natural gas industry uses a combination of information technologies, including LAN, WAN, Internet, virtual private networks, wireless networks, satellite, and radio. In addition, representatives stated that in the pipeline environment, 80 to 90 percent of the applications purchased from vendors are TCP/IP, UNIX, or Windows NT-based. The remainder are based on older or proprietary protocols, such as SNA, DECnet, Appletalk, and IPX. The sector is also reliant on specialized control
Chapter 2: Cybersecurity Requirements of Critical Infrastructure Sectors
systems. The sector is highly dependent on technology for its communications and operations.
• Within the transportation sector, the rail segment relies on information technology and modern communications for rail operations and
customer service. Business systems are isolated, physically separated from the control and dispatching centers. The control and dispatching systems15
are typically the responsibility of railroads’ operations officers, not the chief information officer’s staff. Control systems, i.e., signal systems located in the field (not central office based), are used to monitor train location. Signaling systems typically use both private and public networks, wired and wireless. These communications networks allow the dispatch system to set train routes and provide train location in return. Wayside sensors are used to monitor such things as wheel bearing condition and whether rock slides have impeded the track.
• Also within the transportation sector, the freight transportation industry, which includes trucking, air, rail, and waterborne
transportation, uses general purpose business applications to manage internal processes and to link them with internal and external entities, mobile communications and tracking to maintain control over assets, and the Internet for electronic commerce and to link various systems.
• The telecommunications sector uses all forms of information technology, including some specialized systems, for business operations (pay/personnel), infrastructure (providing service to customers), and operational support (monitoring of
telecommunications traffic). In addition, entities within this sector provide information technology and IT services to its customers.
Entities within certain critical infrastructures, such as banking and finance, transportation, chemical, telecommunications, and energy, use technologies that provide them with unique capabilities to perform critical functions. For example, there are centrally and federally controlled
systems that allow entities to complete financial transactions, expedite
15
Dispatching systems provide time slots for trains to enter the rail network. These systems are critical to the operation of the rail network. The dispatching process can no longer be performed manually because the level of operation needed to maintain the flow of the trains, and thus of the goods, is too high to perform without the computers. The first priority of dispatching operators is to maintain safety.