CTB Panel of Experts: critical communications

With the help of our first Panel of Experts, Jackson White, Richard Russell and Simon Hill, Counter Terror Business takes a looks at the stability and flexibility of mission critical communications and how organisations can ensure that mission critical communications remain secure and ‘hack proof’

Back in 2014, Ruben Santamarta, principal security consultant at penetration testing firm IOActive, published a white paper, entitled A Wake-up Call for SATCOM Security, in which he warned of the susceptibility of mission critical communications to interception, tampering or blocking. Amongst its findings, the paper reported malicious activity in providing false emergencies or misleading geographic locations of ships, planes, or ground crews, as well as suppressing reports of actual emergencies. The security of mission critical communications belonging to utilities, energy suppliers or transport networks is also key. Confronted with myriad possible attacks, which appear to vary each year, precautionary measures are integral to sustainability, functions and safety. Maintaining the ability to transfer data and communicate seamlessly between emergency organisations is just the beginning of their unique needs.

If an incident does occur, whether terrorist-related or not, governments are often not fully equipped to respond as quickly or suitably as necessary. Therefore, organisations need broadband communication networks, known as mission critical communications, to enable instant group communications with a high degree of reliability, availability, and security. When three suicide bombers coordinated detonations across Brussels in March 2016, emergency services were able to rely on the Belgian public safety network to communicate and coordinate their activities successfully, despite the inundated traffic caused by public networks.

Emergency services will always require mission critical communication, with the emergency button pressed every six seconds in the UK. Like most other industries, the growing availability of rich information is required to drive front line decision making, and support efficiency, effectiveness and transformation. Within the emergency services, communications has traditionally been very voice-centric but now that that there is far more data, video and voice communications available to a commander, there is also a much better way of responding. Simon Hill, technical director at Excelerate Group, says that additional information carries additional risk ‘in terms of how fast that data is communicated and how fast it can be exploited’. The company’s hosted cloud services are ISO27001 accredited, meaning that security is up-to-date and that flaws in the system are identified before a possible penetration of the network, through continuous penetration testing, a process he refers to as essentially ‘hacking ourselves’. This limits any potential ‘back door’ or ‘open door’ attacks.

Alongside self-testing, for high security organisations, it may be critical to layer additional, more robust security measures into the chosen device. Windows 10 for example, also includes Windows Hello biometric recognition, Microsoft Passport and Credential Guard for additional protection. Jackson White, business development director at Getac UK, describes this as ‘data encryption software that guards against unauthorised use or shredding technology that renders data completely unusable by unauthorised parties’.

Multiple devices, multiple threats
The world in which we live is far more connected than it has been at any other point in its history. In the home, Wi-Fi and an influx of wireless devices have created a smarter, more integrated way of living. Further afield, the Internet of Things, 4G technology and improved software have enabled differing networks to communicate with each other and information to seamlessly pass between each with little or no disruption.

However, as seen through various cyber attacks over the last few years, most exemplified in the UK during the WannaCry attack on the NHS, the availability of information online and the smooth transition in which it can be transferred, accessed and integrated makes it easier for criminals, sometimes terrorists, to undertake malicious activities. Jackson White comments that ’the danger of a data breach is multiplied when devices are used in the mobile environment, where connectivity is vital but security is harder to maintain’. It is often the case that ‘one compromised device can expose an organisations whole infrastructure and may even put lives at risk’. Simon Hill points out that ‘when we talk about a system that is stable, reliable and flexible it’s important to ensure that the security that we apply to those systems or communications is at the right level for the data that is being transmitted’. This means that it is important that we acknowledge that ‘over-securing’ a network can affect its flexibility. However, Simon also points out that he doesn’t think ‘you can be too over-cautious’ as the benefits outweigh the risks.

When looking at two-way radios, as provided by Roadphone NRB, clients expect to receive an ultra-secure product that can effectively mitigate against the threats of cyber attacks, tampering and hacking. However, the benefits extend further than this. Richard Russell explains that communications are secured using AES 256-bit encryption to stop unauthorised eves-dropping, while you can remotely kill a radio if its gets stolen. When ensuring the security, integrity and safety of high value CNI and corporate facilities, products, such as the Hytera handset, offer clear guidance for resilient and secure digital mobile radio infrastructure providing essential life safety critical communications.

Hardware security
Beyond the hand-held product, ‘purchasing reliable and robust hardware can also reduce the risk to vulnerabilities or data theft’. If devices, such as rugged mobile devices, are out of the organisation’s control, perhaps for repair or maintenance work, several touchpoints can be added to the device where data could be compromised - a point that Jackson White agrees on when he emphasises that the ‘best approach to protect against an attack is to layer security technology within the hardware itself’. Mobile rugged devices that have security measures inherently built in are ‘more effective at protecting against ransomware attacks and data interception than if security technology was added later on’. For example, specialist inbuilt protection against ransomware attacks can ensure files and other data are kept safe even if a device is infected by malware trying to encrypt or manipulate protected files.

He says: “Both hardware and software have to be encrypted, and extends to system hardening, peripheral control and centralised management, all of which significantly improves the ability to control devices, enforce security policies, and provide audit trails and reporting, while reducing support and maintenance overheads. This also gives administrators complete control and the ability to create separate encrypted user accounts or personas, enforce strong authentication, and manage different application and device policies.”

Russell also notes that ‘bespoke system design must take into consideration the system’s functionality’, essentially having control over who can and who can’t access the radio system. Stressing that authentication is essential to successfully managing and mitigating security risks, such a risk control, measure can help protect both data and devices while allowing workers to ‘safely access, process and manipulate sensitive and mission critical data’ as required by their job. Ever increasing threats drive security policy makers to take measures such as elimination of vital IP connection to critical systems, which are intended to provide legitimate maintenance and fault diagnostic services. The immediate knock-on effects of eliminating these connections in the name of security make systems less resilient. It’s possible to lock down digital radio systems, but at what price?

Jackson White, Getac UK
Jackson White is business development director at Getac UK where he is responsible for growing the organisation’s defence, security and first responder customer base. After joining the Royal Corps of Signals at 16, where he looked after general communication systems, Jackson supported Special Forces operations for 10 years. He then moved into the corporate world where he oversaw future technologies and innovation for video surveillance and communications systems organisations.

Final thoughts: “Implementing effective governance processes and activities to support accountability, authority, risk management and assurance are imperative to control risks. Yet, for most organisations, some form of attack is inevitable, so its ability to rapidly respond, report and resolve is paramount to damage limitation. From a technology standpoint, this means protecting data and devices from the ground up, choosing devices that are inherently secure through layered security at manufacture. And this can provide the necessary supporting evidence in a court of law that demonstrates security has been taken seriously.”

Richard Russell, Roadphone NRB
In 2017, Richard Russell joined Roadphone NRB as BDM to grow their Endurance Technology® portfolio for CNI, corporate and high value facilities. Richard’s telecoms career spans 36 years, including 25 years at Motorola, gaining expertise of MPT1327, DMR, TETRA and LTE. He has experience of service organisation and EMEA product management, and was a Global Business Development and EMEA Go-To-Market product specialist. He is also an advisor to many partners across Europe of multi million dollar awards.

Final thoughts: “Is real due diligence shown when selecting your next communications solution? Threats to critical communications must be understood, solutions are available. There are no blank cheques, commercial and technical considerations influence choices and outcomes – there is no one-size-fits-all solution. Choosing the correct supplier and delivering the appropriate solution should deliver the desired outcome.”

Simon Hill, Excelerate Technology Limited
Simon Hill is an experienced technical director at Excelerate Technology Ltd, with a demonstrated history of working in the telecommunications industry. Simon is skilled in service delivery, technical support, mobile communications, Radio Frequency (RF) and VSAT.

Final thoughts: “I’m certain that the security of our own data, the security of our customers data and the security methods of transmission is one of the highest priorities for us. It’s very easy to ‘over secure’ something. Over‑securing a network can influence its flexibility, reliability or stability – especially when we’re talking about networks for out in the field vehicles that are connected by a cellular network or a satellite network. It needs to be fit for purpose for that particular set of objectives. It’s very important to ensure that the data that all covers integrity is there, risk of any interference with external parties is non-existent or extremely low so that the vehicles or pods or devices still do their jobs.”