Consumer Electronics Daily was a Warren News publication.
Last Meeting

CSRIC OKs Reports on Network Security Challenges

March 11, 2021 by Howard Buskirk|Top News

The FCC Communications Security, Reliability and Interoperability Council approved a report Wednesday with recommendations on measuring risks and remediation costs in 911 and next-generation 911 networks. During its virtual meeting, CSRIC also OK'd reports on making standalone 5G networks more reliable and addressing session initiation protocol (SIP) security challenges. The meeting was the last under the group’s current charter and the first under President Joe Biden's administration.

In a transitional network, we have a very broad attack surface in 911, where we are operating legacy systems alongside next-generation systems,” said Brandon Abley, National Emergency Number Association director-technical issues, presenting the report by the 911 Security Vulnerabilities Working Group. “In NG-911, the attack surface is broader than we are used to in legacy 911,” he said: “We have a lot of cybersecurity mechanisms that are new and protect the network, but there's more stuff that is vulnerable to more things.”

The report recommends state 911 fees be considered an investment in the systems, and “there should be no distinction between the two,” the NENA representative said. Every agency should have cyber insurance or cyber event coverage, he said. “We try to provide” guidance so agencies with a “very poor cybersecurity posture” can “reduce their risks and improve their position.” Some steps are easy, he said: Preventing ransomware attacks “often comes down to basic stuff like passwords or training.”

The Managing Security Risk in Emerging 5G WG raised issues yet to be fully addressed by the 3rd Generation Partnership Project that's setting 5G standards, said WG Chair Farrokh Khatibi, Qualcomm director-engineering. The FCC and CSRIC need to closely monitor 3GPP’s work on releases 17 and 18, he said. The report recommends that user data integrity be considered mandatory for U.S. deployments, he said: That’s a “really important recommendation for making sure of the security of U.S. deployment.” The document allows for some flexibility during the transition to 5G, he said. It says industry should follow earlier recommendations from past CSRICs and urges more work in the next iteration, Khatibi said.

The SIP Security Vulnerabilities WG report said improving security will be challenging, recapped Neustar Vice President Jon Peterson. “Unfortunately, there is such a large, installed base of UDP [user datagram protocol], which was favored by the kind of '90s origins of SIP … that upgrading systems is not a small ask.” Anything that promotes transport layer security over UDP is helpful, he said: “That would have a huge impact on many of our issues.”

Patches are difficult for old systems, Peterson said: “This is old tech that we’ve had sitting around that we simply need to figure out a way to get updated.” Replacement is hard because of cost, he said. “If we don’t do it, we’re going to be stuck.” There aren’t “widely established and agreed upon security frameworks” for operators, causing “tremendous diversity in the operation of SIP,” he said: “We should certainly support operators adopting, ratifying and agreeing upon” best practices.