FCC Working Group Issues Report on Best Practices to Improve Supply Chain Security

The Communications Security, Reliability and Interoperability Council (CSRIC), a group of industry leaders selected by the FCC to make recommendations that will promote the security, reliability and resiliency of the nation’s communications systems, issued a report in June that identified steps communications providers can take to improve the security of their infrastructure and the network management system supply chain.

NTCA CEO Shirley Bloomfield, NTCA Regulatory Counsel Tamber Ray and Chief Technology Officer for S&T Telephone (Brewster, Kan.) Josh Cech participated in the working group. 

The report found that small and mid-sized providers are as susceptible to supply chain attacks as large providers and identified two phases typically seen in supply chain attacks: (1) a threat is inserted into a component within the supply chain of an operational system and (2) the vulnerability is then exploited in the operational environment.

The report further identified specific vulnerabilities that have affected network management systems and recommended specific actions providers can take to mitigate those vulnerabilities.  These recommendations included the following:

Vulnerabilities and Recommended Mitigations
Unpatched User Equipment and Devices and Network Infrastructure Devices
  • Patch vulnerable devices whenever possible to reduce exposure risks across the organization.
  • Use device discovery and classification to identify devices with vulnerable components by enabling vulnerability assessments, which identify unpatched devices in organizational networks; set workflows for initiating appropriate patch processes.
  • Ensure robust device update and patching capabilities; never require physical access to a device for recovery (unless there is physical damage to the device).
Operating Legacy Applications 
  • Extend vulnerability and threat detection beyond the firewall to identify Internet-exposed infrastructure running legacy applications.
  • Respond to threats and increase visibility in order to detect and alert when devices with legacy software, such as Boa, are used as an entry point to a network.
Superfluous Internet Connectivity
  • Reduce the attack surface by eliminating unnecessary Internet connections to the user equipment (UE) devices, network infrastructure, and network management systems in the network. If a device is compromised in the supply chain, it could attempt to communicate with Internet-based command-and-control servers that are controlled by the threat actor.
Lack of Network Segmentation
  • Apply network segmentation to prevent an attacker from moving laterally and compromising other network assets after intrusion.  For example, IoT devices and network management platforms should be isolated with firewalls.
Lax Intrusion Detection Rules
  • Implement effective intrusion detection and prevention solutions to protect critical network infrastructure and network management systems.
  • Configure thorough detection rules to identify malicious activities.
Poor Access Security
  • Apply more stringent access controls to critical management networks and network services including multi-factor authentication.
  • Apply the principle of least privileged access.
  • Monitor network and UE device logs for anomalous or suspicious activity.
  • Provide the ability to audit system configuration changes and flag anomalous activities.
  • Set a baseline for normal network traffic and monitor for aberrations.
  • Implement improved security monitoring at ingress and egress points of the provider’s network and at any network interconnection boundary.
Poor Response and Recovery Plans
  • Review and ensure the effectiveness of incident response and recovery plans.
Weak/Insufficient Data Privacy Protections
  • Implement access controls and encryption protocols to protect sensitive data.
  • Implement mechanisms that allow individuals to control access to their personal data to prevent unauthorized access to sensitive information.