Emergency Services Safety Article
Key words and phrases: emergency services, safety article, terrorist acts, TETRA, security, fraud prevention, encryption, threat balance
This article, written by Steve Ayres and David White of Lockheed Martin UK - Integrated Systems & Solutions, in conjunction with Nick Edwards of Sedgewell Communications, was published in the November/December 2002 edition of the British Association of Public Safety Communication Officers (BAPCO) Journal
Is it SAFE, is it SECURE?
As we are all by now aware, the attacks on the United States of America last year have heightened public awareness of the threat to our homeland of similar terrorist acts. One of the lessons learned from the American experience is the need for the first responders to have a co-ordinated communication system that is both reliable and secure.
Similarly, it has also been the case that criminal and other anti-social elements have been making use of emergency services communication systems to gather intelligence and to disrupt or frustrate the work of the support forces.
With TETRA being the system of choice for our police services, it may well eventually be adopted by a wide variety of our other emergency and infrastructure support services. Given the clearly defined threats to these users, it is therefore wise to consider the robustness of this national asset – to ask ‘is it safe and is it secure?’
To give perspective to any such analysis, it is important to ask such questions as "safe and secure from what sort of attacks?", "safe and secure compared with what?" or "who is doing the defending?" Similarly, as system integration and commonality become more prevalent, the security/cost trade-off must be considered by the collaborating user groups, each of whom has widely differing threat perspectives. Only then can best value initiatives be fulfilled.
The level of threat could vary from the casual opportunist through to sophisticated and well-resourced groups capable of mounting a diversity of attacks. Regardless of the attackers, the threats they pose can be broken down into three distinct areas:
- Confidentiality
- Availability
- Integrity
Taking these in turn, the strengths and weaknesses of the TETRA system can be quantified.
Confidentiality threats target both the system messages and the users. If voice and (increasingly) data messages can be intercepted, then the system will be vulnerable. Similarly, at a lower threat level, if it is possible to analyse who is using the system, for how long and from where, then useful intelligence may be gathered, even if it is not possible to have access to their messages.
Availability threats centre on denial of service and can exploit system design weaknesses. These can focus on exploiting the legitimate challenge-response mechanisms designed into the system or can take the form of physical denial caused by swamping the RF spectrum or by damage to the network infrastructure either locally or at key points.
Integrity threats are possibly the most insidious as they undermine the user’s faith in the system. They focus on the unauthorised use of resources and manifest themselves in masquerading, replaying and manipulation of data.
The Lessons Learned
In defending against these threats the TETRA system benefits from the lessons learned in the prior development of commercial cellular systems, where loss of revenue has been the driving factor in strengthening security features. From early in the conception of such systems, interested groups have worked towards defining and implementing security. The standardisation of security features as covered by ETSI Working Group 6 and their implementation as detailed by the TETRA MoU Security and Fraud Prevention Group provide a firm foundation on which to develop and enhance the system security features.
Confidentiality and integrity attacks at the air interface are countered by a robust system of authentication and air interface encryption, which together protect both user and control traffic, with support provided for end-to-end encryption for the specialist users. Both the terminal and the network can seek mutual authentication to prevent mobile terminals from being deceived by false base stations.
Underpinning these processes are unique key codes stored, but not transmitted, by both the terminals and the network. As these keys are vital to system integrity they represent an obvious point of attack. With the migration to the use of SIM cards for terminals, and the consequent possibility of storing both the secret key K and the individual terminal subscriber identity (ITSI) on the SIM for complete mobility, the potential for cloning or derivation of K may exist.
Similarly, the increased functionality offered by the system in possibly providing dynamic group number assignment (DGNA) and direct mode operation (DMO) adds to the complexity of the security problems, as the levels of air interface security are reduced in DMO.
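The mutual authentication and stored-but-never-transmitted key K described in the two paragraphs above, as an added illustrative model that is not TETRA's own algorithm set (which the article does not describe) nor code from the authors: HMAC-SHA256 stands in for the authentication functions, the `SwMI`, `Terminal`, `prf` and `DCK` names are assumptions, and a false base station is modelled as a network that lacks the genuine K. The same model also shows the cloning concern: a second terminal holding a copy of K and the ITSI authenticates just as the original does.

```python
import hashlib
import hmac
import secrets


def prf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """Keyed one-way function; HMAC-SHA256 is an assumption standing in for
    TETRA's authentication algorithms, which are not described here."""
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()


class Terminal:
    def __init__(self, itsi: str, k: bytes):
        self.itsi, self._k = itsi, k          # K is stored here, never sent

    def respond(self, rand_n: bytes) -> bytes:
        return prf(self._k, b"T->N", rand_n)  # proves possession of K

    def network_ok(self, rand_t: bytes, res_n: bytes) -> bool:
        return hmac.compare_digest(res_n, prf(self._k, b"N->T", rand_t))

    def session_key(self, rand_n: bytes, rand_t: bytes) -> bytes:
        return prf(self._k, b"DCK", rand_n, rand_t)


class SwMI:
    """Network side: a key store of ITSI -> K. A false base station is a
    SwMI that does not hold the genuine K for the ITSI it is talking to."""
    def __init__(self, keys: dict):
        self._keys = keys

    def key_for(self, itsi: str) -> bytes:
        return self._keys.get(itsi, b"unknown")  # wrong key, not a crash

    def terminal_ok(self, itsi: str, rand_n: bytes, res_t: bytes) -> bool:
        return hmac.compare_digest(res_t, prf(self.key_for(itsi), b"T->N", rand_n))

    def respond(self, itsi: str, rand_t: bytes) -> bytes:
        return prf(self.key_for(itsi), b"N->T", rand_t)

    def session_key(self, itsi: str, rand_n: bytes, rand_t: bytes) -> bytes:
        return prf(self.key_for(itsi), b"DCK", rand_n, rand_t)


def mutual_authenticate(term: Terminal, net: SwMI):
    """Challenge in both directions; returns (terminal_ok, network_ok, dck).
    Only the fresh challenges cross the air, never K or the derived DCK."""
    rand_n, rand_t = secrets.token_bytes(16), secrets.token_bytes(16)
    t_ok = net.terminal_ok(term.itsi, rand_n, term.respond(rand_n))
    n_ok = term.network_ok(rand_t, net.respond(term.itsi, rand_t))
    if not (t_ok and n_ok):
        return t_ok, n_ok, None           # no session key for an impostor
    dck = term.session_key(rand_n, rand_t)
    assert dck == net.session_key(term.itsi, rand_n, rand_t)
    return t_ok, n_ok, dck
```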
Given the enhanced air interface security features present within the system it is quite likely that, as with the analogue cellular service, the casual eavesdropper will disappear. No longer will it be easily possible to monitor emergency services channels either to gain access to the messages or to check on user traffic. This represents a significant improvement over existing analogue radio systems.
With the air interface presenting a significant challenge it is likely that the focus of any potential attack will move towards the physical network. With the continuing migration of all services, both military and civilian, towards managed networks, the bulk of security policy design and implementation could rest with the network provider. This clearly presents an area of concern, as the TETRA standards do not define the infrastructure, and allow many varied solutions to fit differing market needs.
Depending on their construction, networks may be exposed where they use public voice or data networks, microwave links or private lines, on which fewer specific protection mechanisms might be required.
It is clear that the establishment of a national network, possibly allowing interoperability between a variety of emergency and infrastructure support services, each with their own perceived security and confidentiality requirements, will present a target-rich environment unless significant emphasis is given to threat analysis during the design and roll-out stages of the network.
Shifting the Threat Balance
Vulnerability of any network infrastructure, either circuit or packet switched, is however not a new phenomenon created by the TETRA system. Significant amounts of voice and data traffic have traditionally been carried by service providers and users have generally relied upon them to preserve the confidentiality and integrity of traffic. The enhanced security of the TETRA air interface may however change the threat balance, forcing the more determined attacker to consider the more defended network infrastructure rather than the traditional easily breached radio interface. There is a well-established threat to those using the internet or world-wide-web for business or pleasure.
As modern telecommunication systems become more of a fusion of both wireless and computer network technologies it is quite possible that attack techniques used in the network domain will migrate to the modern telecommunications sector. Whilst it is prudent to concentrate on the radio section of the TETRA system it is also important to consider the system in its entirety if a full threat analysis is to be valid.
The TETRA Inter-System Interface (ISI) used to connect to other TETRA networks, and possibly the gateways provided to a variety of alternative systems, may provide a route into the system for hacker-type attacks. Certainly, authentication procedures should be followed when joining Switching and Management Infrastructures (SwMIs) together, but again it becomes the responsibility of the network operators to satisfy themselves as to the security of potential connected SwMIs.
The TETRA systems detailed so far demonstrate significant robustness against confidentiality and integrity attacks, but what about availability attacks? To date, it is mainly the military who have been concerned with denial of service attacks caused by jamming. A typical military countermeasure is to use a frequency hopping system, requiring the attacker either to track the channel across the frequency spectrum or to barrage-jam across a wide spectrum band. Neither task is simple to do. The inherent frequency re-assignment available in the 25 kHz channel blocks used by TETRA would initially indicate a mirroring of some of the military countermeasures used against jamming.
However, given equipment costs, it is unlikely that the network provider will supply more than the minimum number of transceivers per base station necessary to meet projected traffic capacity requirements. As such, base stations in low traffic density areas are likely to be limited to a single frequency range of 25 kHz. This relatively reduced spectral width, when coupled with the possible ease of access to remote base stations, would enable an attacker to mount an availability attack using a relatively low power, unsophisticated jammer.
First indications seem to suggest that TETRA systems may be vulnerable to these availability attacks. However, further analysis leads to a more qualified conclusion. Given the cellular nature of the system, any denial of service is likely to occur over a relatively restricted geographical area where traffic density is low. More critical metropolitan areas with higher traffic density would of necessity occupy a wider frequency range, presenting a more difficult target.
The impact to the complete system of any availability attack owing to jamming is therefore likely to be mitigated especially when considering the fall-back direct mode operation provided by the mobile units. The cellular nature of TETRA presents significant advantages over traditional wide area analogue systems, where denial of a single site would have a significant impact over a much wider geographical area.
Other availability attacks may be mounted using features inherent in the system. By its very nature, the Emergency Call facility should have a high call priority and might be pre-emptive. As such, stolen handsets repeatedly using this facility may lead to a large drain on system resources, thus degrading performance. A fine balance must be drawn between the security and safety concerns for these services and similar facilities such as the stun, kill and DGNA, but given the authentication procedures inherent in the system such a balance can be determined.
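The balance described in the paragraph above, as an added toy model that is not part of the original article and not TETRA's actual call-admission logic: a cell with a fixed number of traffic channels lets an Emergency Call pre-empt lower-priority calls, but a per-ITSI emergency budget within a time window limits the drain a stolen handset can cause, and a stun list (standing in for the stun/kill facilities) refuses service once the handset is reported. `Cell`, the priority table and the window values are assumptions.

```python
from collections import deque

PRIORITY = {"emergency": 0, "group": 1, "routine": 2}   # lower = more urgent


class Cell:
    """One base station's traffic channels (constructed model, not TETRA's)."""

    def __init__(self, channels: int, emergency_budget: int, window: float):
        self.channels = channels
        self.active = {}             # call_id -> (itsi, kind)
        self.stunned = set()         # ITSIs disabled after a theft report
        self.budget = emergency_budget
        self.window = window         # seconds over which the budget applies
        self.history = {}            # itsi -> timestamps of emergency calls

    def stun(self, itsi: str) -> None:
        self.stunned.add(itsi)

    def release(self, call_id: str) -> None:
        self.active.pop(call_id, None)

    def request(self, call_id: str, itsi: str, kind: str, now: float) -> str:
        if itsi in self.stunned:
            return "rejected:stunned"
        if kind == "emergency":
            hist = self.history.setdefault(itsi, deque())
            while hist and now - hist[0] > self.window:
                hist.popleft()       # forget calls outside the window
            if len(hist) >= self.budget:
                return "rejected:rate-limited"   # identity is authenticated, so flag it
            hist.append(now)
        if len(self.active) < self.channels:
            self.active[call_id] = (itsi, kind)
            return "admitted"
        # Cell is full: pre-empt the lowest-priority active call if we outrank it.
        victim_id, (_, victim_kind) = max(
            self.active.items(), key=lambda kv: PRIORITY[kv[1][1]])
        if PRIORITY[kind] < PRIORITY[victim_kind]:
            del self.active[victim_id]
            self.active[call_id] = (itsi, kind)
            return "admitted:pre-empted " + victim_id
        return "rejected:busy"
```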
Comparative Advantages of TETRA
A direct comparison of TETRA with existing wide area analogue radio systems from a security perspective shows significant advantages. Consideration has been given from the outset to the production of robust mechanisms to counter a wide variety of threats. Provided that similar measures are taken throughout the network infrastructure then the TETRA system will present significant security advantages over traditional analogue systems and existing GSM cellular technologies.
No system should be considered fully secure, for a determined attack by well-resourced individuals will eventually succeed, regardless of security measures. However, given the deterrence aspects available within the TETRA system, the qualified use of the word secure is fully justified.
To determine a system as ‘safe’ requires even further qualification. Do we mean safe to use in itself, or safe compared with a more dangerous alternative, or do we mean that the use of the system strengthens the safety of the working environment in general? If more robust, reliable communications, with better coverage than analogue radio schemes, increase the safety of users who may be in hostile situations, then the TETRA system could be said to be safe. This very valid perspective is the one taken by the suppliers of the Airwave TETRA system. However, a fair and independent analysis should also consider the other aspects of safety.
There will be risks associated with any system likely to be considered as a viable alternative to TETRA. Some of these risks are quantifiable, others less so. Exposure to electro-magnetic (EM) radiation of sufficient energy can present a health hazard, but TETRA and its alternatives radiate at power levels generally accepted to be safe, and at frequency levels far removed from the contentious microwave bands.
The TETRA system, in its use of time division multiplexing, does produce a low frequency component unlike its main rival. When exposed to EM radiation of similar frequencies, under laboratory conditions, cell samples exhibit measurable and reproducible physiological changes. Whether similar changes occur in living human tissues under operational conditions, and, if so, how significant these changes might be, has yet to be determined.
As with security, no system should be considered completely safe; the concept of absolute safety is probably purely abstract. In an operational environment it is relative safety that is the dominant factor. Relative to existing analogue radio systems, the communication improvements that the TETRA system is designed to produce should reduce operator vulnerability in a hostile environment. From this perspective the qualified use of the word safe is well justified.
Further information is available from:
Email:
Tel: +44 (0)1252 732555