North American Network Operators Group


Re: The Backhoe: A Real Cyberthreat? [ & Re: cyber-redundancy ]

  • From: Frank Coluccio
  • Date: Fri Jan 20 18:42:40 2006

Responding to both Sean Gorman's and Sean Donelan's posts:

---

Sean Gorman, 

In your earlier reply you stated that Verizon will tell me that a cable is
diversely placed, when in reality it is only 2mm away from the original path.
Then you proceed to describe the considerations and the makeup of a data base
that Verizon (using them as an example here) should use to document cable
placements in order to give me the information that would be .... what? Which is
it? I'm either naive to ask for a route statement, so I shouldn't bother. OR, I
trust that they're going to be straightforward and wind up getting whacked with
bogus information in the end, anyway? 

We've written numerous asset-tracking systems that list dozens of attributes,
starting with geo-referenced path information at Layer Zero (spaces, pathways,
roads, etc.) that is integrated parametrically with CAD software, and ending with
the fire ratings of the sleeves and innerducts entering buildings, and
everything, including all media attributes, in between. This is not a trivial
undertaking when done to the demands of the craft (in addition to those that
might be of interest to someone flying at 30,000 ft), but every cable pulling
service provider/carrier/entity worth its salt has or should have one. Whether
they are kept up to date or not is another story, entirely. To this point, some
systems I've seen possess information that is so out of date and in such disarray
that they actually represent a primary reason (shame) why an SP would not want to
make them viewable to end customers for viewing. But that's another story all its
own. 

---

Sean Donelan, you make a good point by comparing financial institutions with
carriers with respect to holding back information from one another, and sometimes
to the customer, as well. You'll note in my earlier post I made allowances for a
third party ("or agents") for this very reason, although I didn't elaborate on
that point at the time. I've seen instances when trusted third parties, usually a
then-big six CPA firm, would be mutually agreed to as the party of choice to
hold and confirm route information for a client. I've seen this done for tower
rights of way and for fiber optic paths, but nothing like this that I am aware of
ever became widely available as a broking service to the general public, although
I think it should. Have you come across this sort of arrangement in the past? Anyone?

I've also been blessed with having to work through both of these industry groups
on a single project. For example, I once orchestrated the client-side design and
buildout of two IRU facilities (called optical fiber services, or OFS) back in
1987 for a financial institution across the street and down the block from the
NYSE to the Teleport on Staten Island. Since Teleport (and TCG) was partially
owned by Merrill Lynch back then, along with WU, NYCity and the Port Authority of
NJ/NY, and the entrance point to the site was in Merrill's own building, I had to
arrange for alternate penetration points and trenching from the perimeter of the
park to a new building that was designed and constructed simply to circumvent the
sharing of space and duct facilities with the client's chief competitor. 

To make this story more interesting, the two routes on the NJ side (which the
routes traversed in order to get back to the Holland and PATH Tunnels on their
way to 60 Hudson and the WTC, respectively) had a single cross-over point (single
point of failure) in a large PSE&G vault in Journal Sq., which I refused to sign
off on. I never would have detected this fault, except for my personal
inspections of the physical route constructions against the design documents I
was given by all parties concerned. It wound up costing seven digits to trench a
path to an agreed upon distance from the vault before an order to commence
pulling cable through those sections received a final go ahead. And so it went ...

Frank





=========================================================================

On Fri Jan 20 18:11 , [email protected] sent:



    The difference being the financial system can use the knowledge to make
themselves more resilient.

    How does the bank customer use the information you listed to make themselves
more resilient?

    Further, the banks are a fairly trusted and well regulated group.

    There are a good number of bank customers that are not good guys.

    Is there a fear the banks will use provider information for malicious ends?

    Is that the reason the providers will not give the information?

    Could it be they do not want customers to know most of their SONET rings are
collapsed?




    ----- Original Message -----
    From: Sean Donelan <[email protected]>
    Date: Friday, January 20, 2006 4:44 pm
    Subject: Re: The Backhoe: A Real Cyberthreat? [ & Re: cyber-redundancy ]

    >
    > On Fri, 20 Jan 2006, Frank Coluccio wrote:
    > > To answer Sean Donelan's question, yes, enterprise customers
    > and/or their agents
    > > _do _need to have specific information on the routes in which
    > their leased
    > > facilities (and even dark fiber builds) are placed, ephemeral as
    > those data might
    > > be at times due to SP outside plant churn. They need this data
    > in order to ensure
    > > that they're not only getting the diversity/redundancy/separacy
    > that they're
    > > paying for, but because of the more fundamental reason being
    > that it is the only
    > > way they have to provide maximal assurances to stakeholders of
    > the organization's
    > > survivability.
    >
    > Is the same thing also true for customers of financial
    > institutions? Why
    > are financial institutions so reluctant to give details about the
    > locations of their data centers, processing offices, money transport
    > routes and security procedures to their customers? Don't
    > customers of
    > financial institutions have the same concerns about the survivability
    > of the financial institutions as the financial institutions have about
    > their suppliers?
    >
    > Doesn't this just turn into Y2K all over again with every organization
    > demanding guarantees and copies of data from every other organization?

    ------

    On Fri Jan 20 15:05 , [email protected] sent:


        What data went into the system would depend on what questions you were
looking to answer. I spend most of my time looking at the geographic diversity of
fiber routes, so I'll use that as a very simple example.

        To answer that particular set of questions you would need the fiber
routes for each provider, and they would need to be georeferenced. Other useful
data would be the buildings lit by those fiber routes and lease costs. Users
would then enter the buildings they want connectivity for. The system would find
all the providers that could service that combination of buildings then calculate
what the diversity of each provider is for that set of buildings, or what the
diversity was if the user wanted to use more than one provider. Each provider
would be given a score for that particular connectivity combination and a price,
or the scores for each combination of providers. The user would then have a
market indicator for diversity. You could have a variety of metrics - the total
distance between network paths, average distance, the variance, the number of
times paths come within 100 feet of each other, the number of routes that are
colocated etc.

        The providers do not give up any proprietary data and the customers have
a set of indicators to make a more informed choice. Not the ideal solution, but
the game was to come up with something that would be palatable to the providers.
Companies like Last Mile Connections already keep provider supplied databases of
lit buildings and prices to run auctions. This would just be another indicator
for customers that also value diversity and resiliency. Protecting the master
database would be important, but there are lots of mechanisms to do that
effectively. The metrics are the key, and that of course is my angle on the game.


        ----- Original Message -----
        From: Frank Coluccio <[email protected]>
        Date: Friday, January 20, 2006 1:53 pm
        Subject: Re: The Backhoe: A Real Cyberthreat?

        >
        > >My argument simply is if this kind of awareness
        > >can be made more broadly available you end up with
        > >a more resilient infrastructure overall.
        >
        > Sean, would you care to list the route, facility, ownership and
        > customer attributes of the data base that you'd make public, and
        > briefly explain the access controls you would impose on same?
        >
        > If this is not what you originally intended, then please show me
        > the way ... thanks.
        >
        > Frank
        >
        > On Fri Jan 20 9:19 , [email protected] sent:
        >
        > As you mentioned before this is largely because the customer
        > (SIAC) was savvy enough to set the requirements and had the money
        > to do it. A lot of that savviness came from lessons learned from
        > 9/11 and fund transfer. Similar measures were taken with DoD's
        > GIG-BE, again because the customer was knowledgeable and had the
        > financial clout to enforce the requirements and demand the
        > information. An anonymous data pool is just one suggestion of a
        > market based mechanism to do it.
        >
        > ----- Original Message -----
        > From: [email protected]
        > Date: Friday, January 20, 2006 5:37 am
        > Subject:
        >
        > >
        > > > Imagine if 60 Hudson and 111 8th
        > > > were to go down at the same time? Finding means to mitigate this
        > > > threat is not frivolously spending the taxpayer's money, IMO;
        > > > although perhaps removing fiber maps is not the best way to
        > > > address this.
        > >
        > > No, removing fiber maps will not address this problem
        > > now that you have pinpointed the addresses that they
        > > should attack.
        > >
        > > Separacy is the key to addressing this problem. Separate
        > > circuits along separate routes connecting separate routers
        > > in separate PoPs. Separacy should be the mantra, not
        > > obscurity.
        > >
        > > End-to-end separation of circuits is how SFTI and other
        > > financial industry networks deal with the issue of continuity
        > > in the face of terrorism and other disasters. In fact, now
        > > that trading is mediated by networked computers, the physical
        > > location of the exchange is less vulnerable to terrorists because
        > > the real action takes place in redundant data centers connected
        > > by diverse separate networks. Since 9-11 was a direct attack on
        > > the financial services industry, people within the industry
        > > worldwide, have been applying the lessons learned in New York.
        > > Another 9-11 is simply not possible today.
        > >
        > > --Michael Dillon
        > >
        > Frank A. Coluccio
        > DTI Consulting Inc.
        > 212-587-8150 Office
        > 347-526-6788 Mobile


=================

Frank A. Coluccio
DTI Consulting Inc.
212-587-8150 Office
347-526-6788 Mobile
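The diversity metrics Sean Gorman sketches in the quoted post (distance between network paths, its average and variance, how often the paths come within 100 feet, colocation) worked through on two georeferenced fiber routes, as an added example that is not part of the thread. The sample routes, the 10-foot "colocated" threshold, the 50-foot sampling step and the local equirectangular projection are my assumptions, not anything from the posts.

```python
import math
from statistics import mean, pvariance

EARTH_RADIUS_FT = 6371000.0 * 3.28084  # mean Earth radius, converted to feet


def _project(route, origin):
    """Map WGS84 (lat, lon) points to local (east, north) feet around origin."""
    lat0, lon0 = origin
    k = math.cos(math.radians(lat0))  # equirectangular: shrink longitude by cos(lat)
    return [(math.radians(lon - lon0) * k * EARTH_RADIUS_FT,
             math.radians(lat - lat0) * EARTH_RADIUS_FT) for lat, lon in route]


def _point_to_segment(p, a, b):
    """Planar distance from p to the closest point on segment a-b."""
    dx, dy = b[0] - a[0], b[1] - a[1]
    len2 = dx * dx + dy * dy
    t = 0.0 if len2 == 0 else max(0.0, min(1.0, ((p[0] - a[0]) * dx + (p[1] - a[1]) * dy) / len2))
    return math.hypot(p[0] - (a[0] + t * dx), p[1] - (a[1] + t * dy))


def _resample(poly, step_ft):
    """Points spaced about step_ft apart along poly, plus the final vertex."""
    pts = []
    for a, b in zip(poly, poly[1:]):
        n = max(1, int(math.hypot(b[0] - a[0], b[1] - a[1]) // step_ft))
        pts += [(a[0] + i / n * (b[0] - a[0]), a[1] + i / n * (b[1] - a[1])) for i in range(n)]
    return pts + [poly[-1]]


def diversity_metrics(route_a, route_b, near_ft=100.0, colocated_ft=10.0, step_ft=50.0):
    """Separation of route_a from route_b in feet, sampled every step_ft along route_a."""
    pa, pb = _project(route_a, route_a[0]), _project(route_b, route_a[0])
    # nearest point on route_b for each sample point of route_a
    dists = [min(_point_to_segment(p, s, e) for s, e in zip(pb, pb[1:]))
             for p in _resample(pa, step_ft)]
    return {
        "min_ft": min(dists),
        "mean_ft": mean(dists),
        "variance_ft2": pvariance(dists),
        "within_near_count": sum(d <= near_ft for d in dists),  # times paths come within 100 ft
        "colocated_fraction": sum(d <= colocated_ft for d in dists) / len(dists),
    }


# Constructed sample routes (assumed, not real plant): A and B run parallel about
# 365 ft apart; C shares A's path for its first half, then diverges.
ROUTE_A = [(40.700, -74.010), (40.700, -74.000)]
ROUTE_B = [(40.701, -74.010), (40.701, -74.000)]
ROUTE_C = [(40.700, -74.010), (40.700, -74.005), (40.701, -74.000)]

if __name__ == "__main__":
    for name, other in (("A vs B", ROUTE_B), ("A vs C", ROUTE_C)):
        print(name, diversity_metrics(ROUTE_A, other))
```

Route C illustrates the case Frank describes from the Journal Sq. vault: a route sold as diverse that shares plant for part of its length scores a non-zero colocated fraction even though its far end is well separated.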