Transcript: P25 Phase II Security
P25 Phase II Roundtable Theme 6, recorded in Scottsdale, AZ, USA. October 19, 2011
The P25 Phase II Roundtable was a moderated open discussion. Several themes reoccurred through the day.
This transcript pulls together the phases of the discussion that centered on the theme “Security”.
Member: One thing we've run across is encryption. A freebie.
Moderator: The free one.
Member: What I do as a network administrator, I tell the end users, okay, this is the caveat for using that. Our standard on the network is AES, but if you want to use this, then that will preclude you from buying any other type of vendor radio. So as long as you understand that up front, you know, we recommend you use AES, but, you know, it is your system. It is your talk groups. However you want to manage that is okay, as long as you understand what you are getting into. And that is how we try to address that, is to make the user aware that if you are going to use this feature that is non-P25 standard, this is the caveat. And that is how we address that within our network.
Moderator: Do you have interoperability requirements on the people getting their own system?
Member: We do not allow encryption on our interoperability talk groups. I manage the system by talk groups. So if you do it by talk groups, you can allow encrypts that are not allowed encryption. So none of the interoperability talk groups allow encryption, so it doesn't matter if they try to use encryption. It is going to bonk them, and they are not going to be able to use the radio if it is turned off.
Member: Let's not even talk about key management.
Moderator: We could go on for a long time. One last word from Craig.
Member: I just want to point out encryption is a sensitive issue, because one manufacturer does provide it for free. But AES is in the standard, because the federal government, and in particular OMD [Office of Managing Director – part of FCC] said, DES is no longer valid, so you've got to go to AES. Project 25 adopted AES as a standard, and the federal government just buys whatever they want, including the free encryption. They are no longer restricted to DES/AES despite the OMD mandate. So when you try to talk to a consumer, it is pretty tough for a statewide agency to enforce AES.
Moderator: When the federal government doesn’t either…
Member: When the federal government doesn't do it and when a guy comes around, and let me give you this scrambler thing for free.
Member: And what a benevolent company that is looking out for you.
Moderator: Gentlemen, thank you very much.
At this point the roundtable discussion went onto another topic for a time. The conversation then returned to “Security” as follows:
Member: Every time there is a critical event, the public network goes to its knees every time. We need a private network, a walled garden. We know who the players are. Who is allowed to access it, and during critical events, you can even narrow it down to, okay, the guys that do XYZ, they are not allowed to be on it during this particular event. It is managed better.
It is there when you need it at the worst possible times, and it is engineered and designed around worst-case scenarios.
Moderator: There are a lot of reliability issues. There is also the one that we touched on earlier about, you know, when we were mentioning encryption about the whole security of the system. Security of the system is more than just encryption. It is the whole business of managing secured communications. And one of the strengths of P25 is that it actually built at least in several aspects management of secured communications into the heart of the standard.
Member: Unfortunately, there is an Achilles heel when it comes to that. On the control channel, everything is in the clear. You can pick everything off you need. You can clone radios. You can actually break the encryption. It is not…when it comes to security, P25 has got a few Achilles heels to it. It is not as secure as we would like it to be.
Moderator: Any comment on that?
Member: I want to comment on two things. Actually, the encryption task group and TR86 have been looking at that for over nine months, since the first Pittsburgh study came out. And we are going to respond to it, because it was still over there. We didn't. The second Pittsburgh study came out, and a group of federal people went down and discussed what they were doing with them. There is some validity in what they say, but there is also a lot of misinformation. In the European standard, they do have an encryption control, encrypted control channel. But it is both at a cost of spectrum and a cost of money.
With respect to standards as a whole, public safety standards and regardless of what many people may or may not think, were designed to protect the people in the field. Our first and last point of contention was to make sure he or she was protected with the best viable communication system possible. And when you start adding things that take away from protecting a police officer or a firefighter, you're demolishing everything it is set up to do. That is the only thing we have a responsibility to do, to protect them. You may need to market something, but that is not what we need. We need to make damn sure that person lives for whatever event they are going through and they have the highest quality communications possible.
Moderator: What I'm not clear about is whether, as he says, the fact that the control channel is clear actually leaves the officers on the ground vulnerable or not. Is that just an error, or is that something else?
Member: Let's go back in history in Tetrapol, in Germany. A couple of guys put together some jamming devices, they were on frequency, they turned them up, and they shut down Tetrapol in Germany. Had nothing to do with encryption, nothing to do with anything except they had two frequencies. They opened the receivers, and they shut them down. So you can't encrypt against that.
Moderator: No, that is accepted. If you want to be a military radio, that is a different thing, but the question still remains, is there a hole right now in the P25 security management that would affect officers on the ground?
Member: Well, I wouldn't want to defend what they are doing, because that is not my responsibility. But I will say, I received… when I let P25 in, I received three calls from the press.
I referred them all to the acting chairman, and I referred them to Mr. Pagones [Bill Pagones – Director of Project 25 Technology Interest Group] at PTIG. They chose, for whatever reason, not to respond to them. That is their prerogative.
Are there holes? Absolutely. There are going to be holes. I don't know of any foolproof encryption system, including the White House's. But the fact of the matter is, it is not a hole that you can drive a truck through. It is a hole that somebody can be smart enough to get into. If anybody believes any different, they are nuts.
Member: I've been following this a little bit with the work that U Penn [University of Pennsylvania] did. And it is - there are vulnerabilities in any radio system.
Moderator: Of course.
Member: I think P25 is no different. Like you said, it is not something you can drive a truck through, but, yeah, it is something you can probably put a rifle shot through. I don't want to be answering for P25 or PTIG.
At this point the roundtable discussion went onto another topic for a time. The conversation then returned to “Security” as follows:
Member: The encryption issue, too, the steering committee is meeting today, probably already has, given the time change, with the people from the University of Pittsburgh to discuss their study to learn from that. The steering committee has met twice with NTIS [National Technical Information Service agency in Dept. of Commerce] and…not NTIS, NTIA people about encryption issues. They are not deaf to this issue.
And sometimes the media (no offense, Sandy, wherever you are), but sometimes the media likes to hype it up. The reality is, they are very sensitive to it, too. They are very conscious of it, but they are also very conscious to something you all like to deal with - Steve brought up earlier - price point. And they recognize that everything they add into that that the little guy has to pay for, and the big guy wants, rolls into the price point for the little guy.
Like broadband, everything becomes a compromise. What are we willing to give up and how much are we willing to give up and how much is it going to cost us? I wish it were as simple as your statement wants to make it. It just isn't that simple.
Member: The security issue, it comes down to - because a lot of the security features that are on the radio - the user has responsibility.
Member: If you go back to look at the Enigma machine in World War II, the only reason we broke that code is they stopped following the procedures of changing everything every day. And that is how the code was broken. That is what the fallback or the fault of our security in our radio systems is going to be, remembering to change your encryption keys and upgrading and doing all that stuff.
Again, the user in the field, depending on, are you encrypting the channel or encrypting each individual radio, and then that officer doesn't switch to the encrypted channel and gives out sensitive information in the clear. Those are the errors that are going to happen. It is because humans are involved in it, it is going to be human error that opens the breaches in security.
Moderator: It is good that we have actually widened that from just talk of encryption to everything that is involved in security in communications, because that is absolutely essential. Encryption is only one element of it. It is also managing the radios, the asset management, is it not?
Would you like to comment on a wider picture of security requirements for even rural police now? Because a lot has changed in the picture: having to, you know, protect assets such as utilities. You know, they are nearby and may be vulnerable. The business of everybody is connected through IP now. Are you vulnerable there? The whole security picture is more than just using radios, is it not?
Member: It is even authentication, right.
Member: I mean, most systems out there today, authentication is not really a P25 feature – it’s not ratified yet?
Member: And the way the, quote, unquote, bad guys are getting more sophisticated, more technologically astute, because they know one of their edges over the public safety people is having better doodads than the public safety people have. And when you have a tremendous amount of your information that goes over the control channel that allows you to join in on their conversation, you can listen to their conversations if you want to readily. In fact, there are a couple of sites on the Internet where you can listen to trunked radio systems live as they are going.
So I think that they are definitely aware of the situation. I think they are going to try to figure something out. But this does have a couple of entry points that I see as a little too easy.
Member: One aspect we run into, you know, in Lakewood, maybe some of the majors, but how many people have smart phones and turn on the application for police radio?
Member: For the local police radio, right.
Member: There is a big piece of security in the backhaul networks as they move to IP. You know, it is easy to mix it with your business network and the security holes that that opens, where in the past it was never an issue. It was a closed network. Now it is easy for a technician to make one mistake in a router or switch and open your network to the world.
Moderator: So what does the average sort of police or fire agency do in order to discover what their security needs are? Where do they make a start? I mean, again, a decade ago, it might not have been an issue, but now all of these things have turned into issues. Funding, security, third-party packages, data applications. Where do you go? Anybody?
Member: Yes, I think there are a couple of simple points. Number (1), since we are a public society, what Steve calls the bad guys have probably more information available to them than any one of us on any given day about what we do and about the systems we own and about those systems. Number (2), Neil is right on track that one of the best security elements you can build into a system is to plan and design the system so you have not only redundancy, but you have fallback to other frequencies that aren't necessarily a part of your day-to-day use and other zones that aren't necessarily part of your day-to-day use, because they are not going to be smart enough to know what you intuitively have in your system unless you provided a gateway into your processor to give them that and into your control units. I think system design is almost a critical element. It is unfortunate, because the smaller communities can't afford that. But if they are that small, they probably don't need it. But the bigger ones do. Phoenix, Mesa, they do need that. They need that kind of design capability built into their structure, built into that system. It has to be something that from time to time they test.
Moderator: Isn't security more than just worried about bad guys and worrying about inadvertent mistakes? You brought up cloning, for example. Even the people who provide support, knowing what you got out in the field, isn't security actually, you know, a big topic that on the one hand covers, you know, malicious intrusive things, but it also covers protection of the information, the data you've got there, making sure that everything runs. Doesn't that have to be part of it? How do people deal with that now? Asset management must be part of it?
Member: Well, the asset management, you have to know every radio has a unique hexadecimal key to it that is in its personality and that defines it. And you have to know who is assigned to that radio and when they use it. And that information needs to be kept by a person of trust, and that individual is the one that is responsible, but he has got to have a backup, and that is an organizational process that has to be cognized and put into place and thought out very, very clearly. And maintained very closely.
And also, I think that is why most trunking management people do not like to give out their system key. That system key is critical to making your system as secure as you can make it. And that is why having those roaming agreements, sharing system keys gives you another point of vulnerability in a regional network where you are trying to share system keys. It becomes problematic. It becomes a very arduous task. Because once you lose control of that, trying to get it back is a very arduous situation. You almost have to kind of reformat the hard drive.
Moderator: And this raises a really interesting point. In Phase II we are talking, essentially, about a trunking system. An awful lot of the people out there have non-trunked systems, whether they are analog or Phase I. So it is learning a whole new lot of things to worry about, like system keys, like asset management, like authentication, which you brought up. How do people get advice on how to do that? Vince.
Member: Talking about conventional systems, I hate to say it, but we kind of learn as we go, because they are so new. Things that haven't existed before as concerns now are big concerns. I will give you an example. Traditional radio system. You have a repeater, you have phone lines tying it all together. There was a voting system. So traditionally we have a repeater, we have some receivers, and some phone lines tying all the sites together, and all you have to worry about is that site is locked. That is about as far as security goes in the radio system.
Now, a conventional system that has an IP backbone, that has all of these nice features, introduces a whole new set of rules that need to be followed, and concerns that need to be addressed.
For example, we have, you mentioned, wireless broadband network. We need to make sure that is encrypted, because data is sent back. Not just that somebody can just listen in. Can somebody log in and mess with the network? Site access is no longer if somebody can go to the site and unplug the repeater. Now you can just plug into the network and get access to the network. We do encryption. Where does the encryption end? It has got to end somewhere. So now that is a concern. Now we have a future of being able to remotely log into the system for service. Who has access to that? Who has…okay it is encrypted. Who has a password for remote access? The radio shop. Well, who in the radio shop? Can somebody at radio shop acquire the password and get into the system? That is a concern.
Now we have the ability to be notified if there is a problem with the system through e-mail. Okay. Who gets notified? Radio shop. What if the radio shop doesn't respond? What is the backup plan? So there are a lot of things that now we have to consider and worry about that really never even existed before. So it is all these new features and benefits that we've introduced. But along with those benefits and features, we bring in new concerns that have to be addressed.
Moderator: That have complicated the whole decision-making process. Is that right?
Member: Yes, complicates. Well, see, it kind of falls back to the vendor. Now integrating the system to go over all of this with the client and address all of these issues. It is very difficult. I would say it is impossible for the end user to be aware of all of these ahead, because the system is so new being deployed. These issues are just being kind of discovered on-the-go as the new features are being introduced.
This document is the sixth transcript in a series of theme-focused videos of the P25 Phase 2 discussion.