Critical communications require robust protection from physical or cyber attack, eavesdropping and equipment failure.
Physical security – protecting your sites
Ideally, your site equipment is housed in your own building, surrounded by secure fencing which only your organization can access. However, that is not the reality for most system operators, who must choose a combination of cameras, fencing, controlled access, monitoring and inspection, while sharing sites with other organizations.
Restricting and protecting access to sites will reduce the risk of accidental or deliberate damage to your equipment. Here are some guidelines.
- Within the fenced compound, your own building should be double-locked and alarmed.
- Provide unique access and security of compound and gate locks.
- If sites and enclosures must be shared, provide locked cabinets and shelters, and gated equipment cells.
- Equipment room doors, air-conditioning and grounding must be monitored 24/7.
- Site equipment access should be limited to key personnel only.
Theft and vandalism
For some organizations, this is a greater risk than cybersecurity. Air conditioning units are frequent targets – monitor them by camera, and protect them with secure fencing and access control.
Copper from grounding and lightning protection is also targeted. Innovative deterrents include concealing the copper by painting it, or enclosing it in plastic pipe.
Connectivity between your radio communications and the outside world is perceived as a threat by some, but it has become inevitable, with devices such as smart phones now used in the field. Anything beyond your firewall is open to a breach.
How do you assess your security needs? It is difficult to find a formal process, and the decision is a management one rather than a technical one. But it is crucial that RF and IT engineers understand the implications of their own and each other’s disciplines.
Communications security largely depends on the integrity of your backbone, switch and backhaul. Most secure is all microwave, with fiber for routing and fiber backup. You will most likely need to consult with a security expert on the subject, but the following approaches could be considered:
- Factor in risk associated with remote access – for your people, vendors and contractors.
- Vendor equipment may require higher security.
- Remote monitoring via IP is dependent on the internet and remote servers.
- Equipment brought in by visitors (cell phones, portable memory devices, laptops, cameras etc) can compromise security.
Encrypting communications
While encryption is an essential item on most organizations’ security list, it is expensive to purchase and expensive to manage. However, you should resist the temptation to accept cheaper, non-standard (proprietary) encryption. As well as reliability issues, you will seriously compromise your ability to interoperate with partners, and limit your radio purchasing options in the future.
Encryption can also be resource hungry, and you may need to factor in degradation on your system. However, these costs are offset against the very real benefits of being able to communicate securely, keeping your workers safe and vital information protected.
Common approaches to encryption include:
- encrypting channels rather than users, so long as everyone can access the encrypted channel,
- a single encryption key for users,
- no interoperable channels encrypted, to avoid communication issues,
- emergency-only encryption, with a clear, well understood code of practice.
Who needs encryption?
Encryption was designed for high risk situations, rather than business-as-usual, so most conversations don’t require encryption. It is probably not necessary for all radios to be encrypted, but the most critical factor is ongoing dialog with partners that you share communications with. You need to agree on approach, access and purpose to develop a fully transparent process. Don’t underestimate the training required to have everyone up to speed. Without this, encryption can actually inhibit communications for mutual aid.
Encryption-related SOPs benefit from periodic reviews. For example, your system may have started with everyone using it, but two years later, some groups barely use it, others have never changed the key, and new groups need encryption but do not know how to manage it.
Managing encryption keys
Maintaining encryption keys is a major challenge, but it is essential to encryption management. When keys are compromised, your system integrity is challenged, and once a breach or loss is identified, you must change the entire group. A single lost radio means new keys for everyone.
Plan to change all keys regularly. How frequently you change keys depends upon how much security is required by the various groups in your organization. Groups that need high security should change keys more frequently. Keys that are never changed will compromise your security and provide an opportunity for unauthorized parties to access your communications.
Over-the-air rekeying (OTAR) will reduce the overhead of key management considerably. Current offerings are proprietary, but including OTAR in LMR standards will simplify programming, especially for operators of mixed-vendor fleets.
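As an added illustration (not part of the original guide), the rekeying rules above can be run as a periodic audit over a key inventory. The tier limits, group names, radio IDs and record layout below are assumptions constructed for the example.

```python
from datetime import date

# Assumed policy: maximum key age in days per security tier (set from your own SOP).
MAX_KEY_AGE_DAYS = {"high": 30, "standard": 180}

# Constructed inventory. last_rekey is None when the key has never been changed.
GROUPS = [
    {"name": "TAC-1", "tier": "high",
     "commissioned": date(2022, 3, 1), "last_rekey": date(2024, 5, 20)},
    {"name": "OPS-2", "tier": "standard",
     "commissioned": date(2023, 1, 10), "last_rekey": date(2024, 4, 1)},
    {"name": "FLEET-3", "tier": "standard",
     "commissioned": date(2022, 6, 1), "last_rekey": None},
]

# Constructed lost or stolen radio reports.
LOST_RADIOS = [
    {"radio_id": "R-0102", "group": "TAC-1", "reported": date(2024, 5, 1)},
    {"radio_id": "R-0417", "group": "OPS-2", "reported": date(2024, 5, 28)},
]


def audit_keys(groups, lost_radios, today):
    """Return {group name: [reasons]} for every group that needs a full rekey."""
    findings = {}
    for g in groups:
        # The current key dates from the last rekey, or from commissioning.
        key_date = g["last_rekey"] or g["commissioned"]
        reasons = []
        # A radio lost while the current key was loaded exposes the whole group.
        for r in lost_radios:
            if r["group"] == g["name"] and r["reported"] >= key_date:
                reasons.append(f"radio {r['radio_id']} lost since last rekey")
        # Keys older than the tier limit are overdue for a scheduled change.
        age = (today - key_date).days
        limit = MAX_KEY_AGE_DAYS[g["tier"]]
        if age > limit:
            note = ", never changed" if g["last_rekey"] is None else ""
            reasons.append(f"key is {age} days old, limit {limit}{note}")
        if reasons:
            findings[g["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in audit_keys(GROUPS, LOST_RADIOS, date(2024, 6, 1)).items():
        print(f"{name}: rekey whole group ({'; '.join(reasons)})")
```

A radio reported lost before the group's last rekey (R-0102 here) raises no finding, because the key it held has already been replaced.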
Alternative access for dispatchers is critical when there is disruption at the control centre, such as a forced evacuation due to a fire alarm or bomb alert. Radio-based access, via portables or control station mobiles, is a cost-effective and reliable way to maintain communications with workers in the field.
Control station mobiles may have a handset and in some cases a reduced-feature console. Mobiles with extended remote control heads – and even dual remote control heads – can be installed in buildings to position the radio body and antenna in the least vulnerable place, while still providing a full mobile user interface inside an office or control center.
You can also use the control stations for off-air monitoring.
This article is taken from the 10-part guide to Tougher LMR Systems.
If you would like to download this article and the other articles in the series you can do that on the Tait website.