Office of Operations
21st Century Operations Using 21st Century Technologies

Transportation Management Center Information Technology Security

Chapter 7. Guidelines for Controlling Network Connectivity

Tying back to the ability to prevent, alert, and respond to attacks on an agency's systems, this section of the report focuses on network connectivity: ways to manage connections with the various subsystems (internal and external), recommendations for monitoring the network for unusual activity, and the ability to respond strategically when such activity is found. The following are considered Foundational controls, as they build upon the basics identified above for establishing control of the hardware and software components residing on the network. Once an organization has baselined its normal, "ordinary" network, the next step is to strategically isolate critical infrastructure devices/systems to limit risk exposure. Center for Internet Security (CIS) Control 9: Limitation and Control of Network Ports, Protocols, and Services, describes several ways in which agencies can limit and control access to certain devices and network segments. Devices that cannot support these controls should be isolated, so that an outside entity cannot leverage a device with weaker security features to gain access to other parts of the network. Examples of ways to limit access are:

  • Utilize port-filtering15 (sub-control 9.4) to manage the type of network traffic allowed on the network. Some vendors have even registered their preferred ports with the Internet Assigned Numbers Authority (IANA), such as Schneider Electric using port 5481 and GE using port 10212 for their respective Supervisory Control and Data Acquisition (SCADA) applications. The important consideration here is that when opening a port with access to the Internet, it is a recommended practice to limit the protocols that may use that port, so that adversaries cannot use it as an attack vector. Also, this type of attack vector, and ways to work around it during an incident (e.g., configuring systems to use an alternate port number if possible), should be covered in an agency's risk management plan.
  • Utilize a next-generation application firewall (sub-control 9.5) to provide application awareness, user identification, and content filtering. This allows administrators to define policy for the users that are authorized to access specific applications and to ensure the content being passed is clear of exploits. While this is listed for implementation group 3, it is strongly recommended for group 2 as well, since Traffic Management Centers (TMC) have a higher tendency to import/export data and applications with other entities.
  • Use client certificates to authenticate computer assets connecting to the trusted network.
  • Monitor for and address unauthorized assets by removing them, quarantining them, or denying them access in the first place.
  • Manage network devices using multi-factor authentication (MFA) and encrypted sessions.

It is important not only to consider restricting traffic from certain domain names and certain ranges of IP addresses, but also to disable the ports that are not needed to support the mission (i.e., port-filtering). However, in some cases even ports that an organization believes are necessary for operation may be too dangerous to expose. For example, password attacks against exposed remote desktop protocol (RDP) services (e.g., Port 3389) are now extremely common. If an organization needs remote desktop services, another solution should be considered first, such as requiring a Virtual Private Network (VPN) to reduce the risk from connections outside of the network.

Understanding the network baseline is fundamental to the security plan, and managing configuration changes over time is covered by CIS Control 11: Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches. Attackers look for vulnerabilities, particularly in default settings, to gain access to the network and related systems. Control 11 covers identifying, detecting, and protecting aspects of the TMC network. For instance, sub-control 11.2 calls for identifying and documenting the reason each configuration rule is in place to allow certain traffic to flow through the network. As business needs change, this documentation makes it possible to purge configuration rules that are no longer needed, and it avoids the unnecessary impacts that occur when a still-needed rule is removed because nobody recorded why it exists. It is common for TMCs to share information with other TMCs as well as to gather information from others. Documenting how this data gets into or leaves the network is particularly important for TMCs that use Internet-based gateway portals to other systems, such as:

  • Remote access to a signal system or an adjacent agency's systems (e.g., 511).
  • Dashboarding of public information used in transit/transportation systems.
  • Digital video sharing access/controls.

Data categorization, loss prevention, and privacy considerations are discussed in more detail at the end of this chapter and should also be considered.

Further, sub-control 11.3 focuses on detection and the use of automated tools to compare network device configurations with known/approved configuration settings and to alert when deviations are found. As a final example, sub-control 11.4, which is crucial to all 3 implementation groups, is focused on protection by ensuring that stable security updates are rolled out on all network devices. Further, network separation (sub-control 11.7) is a key strategy for isolating at-risk systems from core/enterprise systems.
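The two practices just described, recording a justification for every rule (sub-control 11.2) and automatically comparing a pulled device configuration against the approved baseline (sub-control 11.3), can be combined in one small check. The following Python example is added here to illustrate them; it is not part of this report and not a vendor's tool. The access-list syntax, addresses (RFC 5737 documentation ranges), rule register and running configuration are all constructed for the example.

```python
import re

# Constructed, vendor-neutral access-list style configuration; it is not taken
# from any real device and the addresses are RFC 5737 documentation ranges.
APPROVED_BASELINE = """
! approved boundary ACL
permit tcp any host 192.0.2.10 eq 443
permit udp any host 192.0.2.11 eq 1194
permit udp 198.51.100.0/24 any eq 161
deny   ip any any log
"""

# Configuration pulled from the device by a scheduled job (also constructed).
RUNNING_CONFIG = """
! running-config, pulled by automated job
permit tcp any host 192.0.2.10 eq 443
permit udp any host 192.0.2.11 eq 1194
permit tcp any host 192.0.2.12 eq 3389
permit udp  198.51.100.0/24  any eq 161
deny ip any any log
"""

# Justification register kept with the baseline (sub-control 11.2): each
# permit rule maps to the business reason and the owner who can re-confirm it.
RULE_REGISTER = {
    "permit tcp any host 192.0.2.10 eq 443": ("public traveler-information portal", "web team"),
    "permit udp any host 192.0.2.11 eq 1194": ("VPN concentrator for remote operators", "network team"),
}

def normalize(config_text):
    """Return the rule lines with comments, blank lines and extra spacing removed,
    so that cosmetic differences between pulls do not raise false deviations."""
    rules = []
    for line in config_text.splitlines():
        line = re.sub(r"\s+", " ", line.split("!")[0]).strip()
        if line:
            rules.append(line)
    return rules

def find_deviations(baseline_text, running_text):
    """Sub-control 11.3: compare the running config with the approved baseline.
    Order matters for access lists, so a pure reordering is reported too."""
    base, run = normalize(baseline_text), normalize(running_text)
    return {
        "added": [r for r in run if r not in base],
        "removed": [r for r in base if r not in run],
        "reordered": base != run and sorted(base) == sorted(run),
    }

def undocumented_permits(baseline_text, register):
    """Sub-control 11.2: a permit rule with no recorded reason can be neither
    safely purged nor safely kept when business needs change, so flag it."""
    return [r for r in normalize(baseline_text)
            if r.startswith("permit") and r not in register]

def alerts(baseline_text, running_text, register):
    """Combine both checks into a list of human-readable alert strings."""
    out = []
    dev = find_deviations(baseline_text, running_text)
    out += [f"DEVIATION: rule added on device: {r}" for r in dev["added"]]
    out += [f"DEVIATION: approved rule missing: {r}" for r in dev["removed"]]
    if dev["reordered"]:
        out.append("DEVIATION: rules reordered")
    out += [f"UNDOCUMENTED: no justification on record for: {r}"
            for r in undocumented_permits(baseline_text, register)]
    return out

if __name__ == "__main__":
    for a in alerts(APPROVED_BASELINE, RUNNING_CONFIG, RULE_REGISTER):
        print(a)
```

Run against the constructed inputs, the check raises two alerts: an RDP permit that appears on the device but not in the baseline, and an SNMP permit that is in the baseline but has no owner or reason on record. A real deployment would pull the running configuration over an encrypted management session and feed the alert list to the same system that handles other security events.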

Much of what TMCs previously managed consisted of low-speed field devices with a variety of proprietary communication protocols. Field equipment today consists mostly of standards-based networkable appliances/devices. While there are separate initiatives focused on securing the field cabinet/network environment, the TMC Information Technology (IT) environment needs to treat these as a risk/threat vector and apply the controls mentioned above to limit the types of ports and protocols traversing into the "enterprise" network from the field. As such, the TMC IT environment needs to take into consideration these basic informational components of the field networks and their impact on configuration rules at boundaries (i.e., firewalls, routers, VPN devices, etc.):

Relevant Controls for Connectivity

  • CIS Control 9: Limitation and Control of Network Ports, Protocols, and Services.
  • CIS Control 11: Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches.
  • CIS Control 12: Boundary Defense.
  • CIS Control 15: Wireless Access Controls.
  • Inventory tracking to include operating system (OS) and patch level plus firmware.
  • Password management practices for technicians and devices (as appropriate); length, multi-character, and multi-factor authentication usage.
  • Allocation of network segmentation via Virtual Local Area Network (VLAN) in the field and the associated impact on firewall/network configuration rules, as well as the isolation of copiers/printers and security system cameras/components.
  • Securing and encrypting wireless technologies with access to the field and enterprise network.

Additionally, if the TMC is subject to controls associated with credit card processing back-end systems, beyond CIS Control 11, network separation guidelines from Payment Card Industry Data Security Standards (PCI‑DSS) also should be referenced: Information Supplement: Guidance for PCI‑DSS Scoping and Network Segmentation. December 2016.16 PCI‑DSS is only required for handling credit card transactions.

The configuration and policy controls for traffic passing through network devices are next supplemented by elements of CIS Control 12: Boundary Defense, which manages the trust levels and information flowing between networks. Similar to CIS Control 11, Control 12 covers a wide range of strategies for identifying, detecting, and protecting the network. Two of the most relevant to all organizations are sub-controls 12.3 and 12.4, which call for denying communications with known malicious Internet Protocol (IP) addresses (i.e., ranges, domain names, and/or foreign countries) as well as unauthorized Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) ports at each network boundary point. It should be noted, however, that when rolled out too aggressively, IP address range filtering can cause some applications to break, particularly in a "poll" and "response" system that requires openings both going out of and coming back into the network from the field.
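To make the boundary rules concrete, the following Python example is added here (it is not part of this report and not any firewall vendor's code). It evaluates sample flows against a documented allow list (sub-control 9.4 and the RDP guidance above), a denied address range (sub-control 12.3) and a default deny on unauthorized ports (sub-control 12.4), and it shows the poll/response caveat: a reply to the TMC's own SNMP or SCADA poll carries the service port as its source port, so a stateless rule keyed only on destination port would drop it. All addresses are RFC 5737 documentation ranges, the "denied" range stands in for a threat-intelligence feed and is not a real indicator, and the rule justifications are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for a known-malicious range (sub-control 12.3); not a real IoC.
DENIED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Services the agency has documented a business need to expose at the boundary.
# The value is the sub-control 11.2 justification recorded with the rule.
ALLOWED_INBOUND = {
    ("tcp", 443): "public traveler-information web portal",
    ("udp", 1194): "VPN concentrator; remote desktop is reachable only through it",
}

# Polls the TMC originates toward field devices; their replies must be let back in.
ALLOWED_OUTBOUND_POLLS = {
    ("udp", 161): "SNMP polling of field cabinets",
    ("tcp", 10212): "vendor SCADA polling on its IANA-registered port",
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    direction: str             # "in" = arriving from outside, "out" = leaving the TMC
    established: bool = False  # stateful-firewall flag: reply to a flow we initiated

def evaluate(flow: Flow):
    """Return (decision, reason) for one flow at the network boundary."""
    key = (flow.proto, flow.dport)
    if flow.direction == "in":
        src = ipaddress.ip_address(flow.src)
        # 12.3: drop anything from a denied range before looking at ports.
        for net in DENIED_RANGES:
            if src in net:
                return "deny", f"source in denied range {net} (sub-control 12.3)"
        # Poll/response caveat: the reply to our own poll has the service port
        # as its *source* port and an ephemeral destination port.
        if flow.established and (flow.proto, flow.sport) in ALLOWED_OUTBOUND_POLLS:
            return "allow", "reply to documented outbound poll"
        if key in ALLOWED_INBOUND:
            return "allow", ALLOWED_INBOUND[key]
        if key == ("tcp", 3389):
            return "deny", "RDP is not exposed; remote desktop goes through the VPN"
        return "deny", "port/protocol not on the documented allow list (sub-control 12.4)"
    # Outbound: only documented polls and general web access leave the enterprise network.
    if key in ALLOWED_OUTBOUND_POLLS:
        return "allow", ALLOWED_OUTBOUND_POLLS[key]
    if key in {("tcp", 80), ("tcp", 443)}:
        return "allow", "general web access"
    return "deny", "outbound port not documented (sub-control 12.4)"

if __name__ == "__main__":
    samples = [
        Flow("203.0.113.7", "192.0.2.10", "tcp", 40000, 443, "in"),
        Flow("198.51.100.200", "192.0.2.10", "tcp", 40001, 3389, "in"),
        Flow("198.51.100.20", "192.0.2.10", "udp", 161, 50123, "in", established=True),
        Flow("198.51.100.20", "192.0.2.10", "udp", 161, 50123, "in"),
        Flow("192.0.2.10", "198.51.100.20", "tcp", 50124, 10212, "out"),
    ]
    for f in samples:
        print(f.direction, f.proto, f.sport, "->", f.dport, *evaluate(f))
```

The third and fourth sample flows are byte-for-byte identical except for the established flag; the first is the expected SNMP reply and is allowed, the second is an unsolicited packet to an ephemeral port and is denied. That is the distinction a stateful boundary device tracks for you, and the reason an aggressive stateless rule set breaks poll/response systems.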

At this point within the CIS Top 20 controls, more advanced/sophisticated strategies become more prominent, such as intrusion detection systems (sub-control 12.6) and scanning remotely connected enterprise devices for adherence to security policies (sub-control 12.12). These strategies will need to be prioritized for the organization based on a self-assessment of the areas of greatest risk/threat. Many of them will require more data collection and analysis, using industry-available protocols like NetFlow to collect and log data, and tools to quickly filter the data and alert on deviations from accepted standards.
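The NetFlow-based "alert on deviations" idea can be shown with a few lines of Python. The example below is added for illustration and is not part of this report or any monitoring product; it reads constructed NetFlow-style records (source, destination, protocol, destination port, bytes), summarizes a baseline window per network segment and port, and then flags any flow in a later window that either uses a segment/port combination never seen in the baseline or carries far more data than the baseline average. The segment ranges, records and the tenfold threshold are all constructed for the example.

```python
import ipaddress
from collections import defaultdict
from statistics import mean

# Named network segments, constructed from RFC 5737 documentation ranges.
SEGMENTS = {
    "field": ipaddress.ip_network("198.51.100.0/24"),
    "tmc": ipaddress.ip_network("192.0.2.0/24"),
}

# Constructed NetFlow-style records (not captured traffic): src,dst,proto,dport,bytes
BASELINE_FLOWS = """\
198.51.100.20,192.0.2.10,udp,161,180
198.51.100.21,192.0.2.10,udp,161,176
198.51.100.22,192.0.2.10,udp,161,182
192.0.2.10,198.51.100.20,tcp,10212,920
192.0.2.10,198.51.100.21,tcp,10212,905
203.0.113.50,192.0.2.10,tcp,443,3400
"""

# A later observation window, also constructed: one new service and one volume spike.
OBSERVED_FLOWS = """\
198.51.100.20,192.0.2.10,udp,161,179
198.51.100.23,192.0.2.10,tcp,3389,60000
203.0.113.50,192.0.2.10,tcp,443,3350
198.51.100.21,192.0.2.10,udp,161,240000
"""

def segment_of(ip_text):
    """Map an address to its segment name; anything outside the known ranges is 'external'."""
    ip = ipaddress.ip_address(ip_text)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "external"

def parse_flows(text):
    """Parse the comma-separated records into (src, dst, proto, dport, bytes) tuples."""
    records = []
    for line in text.strip().splitlines():
        src, dst, proto, dport, nbytes = line.split(",")
        records.append((src, dst, proto, int(dport), int(nbytes)))
    return records

def flow_key(rec):
    """Aggregate by segment pair, protocol and service port rather than individual hosts,
    so that a new field device using an approved service does not look anomalous."""
    src, dst, proto, dport, _ = rec
    return (segment_of(src), segment_of(dst), proto, dport)

def build_baseline(records):
    """Collect the per-flow byte counts seen for each key during the baseline window."""
    baseline = defaultdict(list)
    for rec in records:
        baseline[flow_key(rec)].append(rec[4])
    return dict(baseline)

def detect(baseline, records, factor=10):
    """Return (kind, key, bytes) alerts for unseen keys and for flows that exceed
    `factor` times the baseline average for their key."""
    alerts = []
    for rec in records:
        key, nbytes = flow_key(rec), rec[4]
        if key not in baseline:
            alerts.append(("new-service", key, nbytes))
        elif nbytes > factor * mean(baseline[key]):
            alerts.append(("volume", key, nbytes))
    return alerts

if __name__ == "__main__":
    base = build_baseline(parse_flows(BASELINE_FLOWS))
    for kind, key, nbytes in detect(base, parse_flows(OBSERVED_FLOWS)):
        print(f"{kind}: {key} {nbytes} bytes")
```

On the constructed data the detector reports a field-to-TMC RDP flow that never appeared in the baseline and an SNMP flow roughly a thousand times larger than the baseline average; the remaining two flows match the baseline and stay silent. Keying on segments rather than hosts is what keeps the alert volume manageable as field devices are added.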

Controlling physical access to wiring closets, network switches, and unused ports is primarily addressed by the aforementioned CIS Controls, but wireless access presents its own challenges, warranting CIS Control 15: Wireless Access Controls. Control 15 covers securing the use of wireless LANs, access points, and end-user client systems. Additionally, it covers elements such as scanning for unauthorized wireless access points connected to the network (sub-control 15.2). These are devices that are not set up according to the agency's security guidelines and represent an elevated risk of unauthorized access that bypasses back-end network authentication systems. Enforcing encryption of wireless data transmissions is a foundational control (sub-control 15.7) that applies to all implementation groups and further protects data even if the wireless signal is intercepted. Similarly, in the age of bring-your-own-device (BYOD) in the TMC environment, sub-control 15.10 is highly recommended: create a separate wireless network for untrusted devices that grants access primarily to the Internet, but not to the enterprise network.

15In addition to an IP address for a device, the IANA manages the registration of commonly used port numbers, which are used in conjunction with the address to signify the kind of traffic that is being sent across the network. (Wiki, "List of TCP and UDP port numbers." Retrieved from: https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers.) Common examples include:

  • Port 21 for File Transfer Protocol (FTP) traffic.
  • Port 80 for hypertext transfer protocol (HTTP) web traffic.
  • Port 161 for Simple Network Management Protocol (SNMP).

16PCI Security Standards Council, "PCI Data Security Standard (PCI-DSS) Information Supplement: Guidance for PCI-DSS Scoping and Network Segmentation," 2017. Retrieved from: https://www.pcisecuritystandards.org/documents/Guidance-PCI-DSS-Scoping-and-Segmentation_v1_1.pdf.
