
Hardening fiber networks for high-security applications

As cyber threats grow in number and sophistication, the resilience of fiber networks in high-security applications has become paramount. Let’s explore how robust encryption, network restoration mechanisms and real-time fiber monitoring can protect these crucial infrastructures against potential attacks.

Cyber resilience is essential for critical infrastructure, governmental organizations and defense. But public networks are considered untrustworthy and therefore are frequently not an option for interconnecting their sites and locations. As a result, many mission-critical operations rely instead on self-provided fiber infrastructure. These optical networks easily meet their essential requirements, such as speed, scalability and distance. However, the high capacity of these fiber networks presents a potential security risk. If a fiber link experiences an outage or is subject to eavesdropping, vast quantities of sensitive data could be compromised. This situation poses a crucial question: how can you fortify your fiber infrastructure for high-security applications?

Encryption assures privacy and integrity

Sensitive data traveling over large distances provides many opportunities for eavesdropping, threatening the integrity of the communication. Robust encryption in combination with strong authentication is a proven way to protect data on the move from exfiltration, misuse, repudiation and manipulation. To address speed and latency demands, this security technology should be a hardware implementation on the datapath of network layer 1 or 2. And for uncompromised long-term security, the adoption of quantum-safe key exchanges is mandatory. Multi-layer encryption is another efficient strategy for protecting user, management and control traffic across end-points and intermediate sites throughout all aggregation levels. In addition, network segmentation technologies such as VLANs with Ethernet, ODUx with OTN or MPLS-based IP-VPNs offer extra security controls, separating network traffic and isolating user and application domains from each other.

Network protection and restoration maximize service availability

Many reasons could cause a link to go down: an interface might have failed, the wrong optical connector could have been unintentionally unplugged at a patch panel or a fiber might have been cut. Networks need to be designed in a highly resilient way to ensure immediate recovery from link failures. Automated hardware protection switching plays a key role here, as it enables rapid replacement of failed network resources with a pre-assigned backup. Furthermore, restoration mechanisms can apply central intelligence to move traffic from a failed route to a backup one. 

Protection and restoration minimize downtime in case of network failures and disturbances. Those resilience mechanisms require sophisticated network devices featuring card, link and equipment protection as well as advanced network control for rapid service recovery. Designing a network like this is no simple task. It calls for expertise, preferably enriched by experience with critical infrastructure or other high-security operations.
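A pre-assigned backup only helps if it does not share a duct, patch panel or intermediate site with the working route, so a design review should check that explicitly. The following is an added example, not part of the original article or of any vendor tooling; the span inventory, site names and risk-group labels are constructed for illustration.

```python
# Constructed sample inventory: each fiber span lists the shared-risk groups
# (ducts, patch panels) it physically passes through. All names are hypothetical.
SPAN_RISKS = {
    ("A", "B"): {"duct-1", "panel-A"},
    ("B", "D"): {"duct-2"},
    ("A", "C"): {"duct-1", "panel-A2"},  # leaves site A through the same duct as A-B
    ("C", "D"): {"duct-3"},
    ("A", "E"): {"duct-4", "panel-A3"},
    ("E", "D"): {"duct-5"},
}

def path_risks(path):
    """Return (shared-risk groups, intermediate sites) traversed by a route."""
    risks = set()
    for a, b in zip(path, path[1:]):
        span = (a, b) if (a, b) in SPAN_RISKS else (b, a)
        if span not in SPAN_RISKS:
            raise ValueError(f"no fiber span between {a} and {b}")
        risks |= SPAN_RISKS[span]
    return risks, set(path[1:-1])

def shared_failure_points(working, backup):
    """List everything whose single failure would take down both routes."""
    if (working[0], working[-1]) != (backup[0], backup[-1]):
        raise ValueError("routes must connect the same end-points")
    w_risks, w_sites = path_risks(working)
    b_risks, b_sites = path_risks(backup)
    return sorted(w_risks & b_risks) + sorted(w_sites & b_sites)

def pick_backup(working, candidates):
    """Return the first candidate with no shared failure point, or None."""
    for candidate in candidates:
        if not shared_failure_points(working, candidate):
            return candidate
    return None

if __name__ == "__main__":
    working = ["A", "B", "D"]
    for backup in (["A", "C", "D"], ["A", "E", "D"]):
        print(backup, "shares:", shared_failure_points(working, backup) or "nothing")
```

The route via C looks separate on a site-level diagram but fails together with the working route if duct-1 is cut; only the route via E is a usable backup.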

Fiber monitoring deters potential attackers

While network protection and restoration provide a way to recover from a failure or malicious attack, additional measures for deterring potential attackers are necessary. Operators of fiber infrastructure need the ability to immediately detect, identify and locate hostile action at any point in their large area network. As fibers are either buried underground or run along the ground wire of a high-voltage line, heavy equipment is required to physically compromise the infrastructure. An operator with real-time fiber monitoring can immediately alert the authorities. The likelihood of being caught increases significantly as the attacker might not be able to remove their heavy equipment fast enough. Furthermore, liability can be clarified if accidental disruption occurs due to routine civil works. 

A fiber monitor can also identify the insertion of tapping devices into a fiber link, so it can help thwart even planned eavesdropping attacks in their early stages.

In the event of a successful eavesdropping attack, encryption serves as the last line of defense, rendering any information accessed useless to the attacker.

Summary

There are different ways to prevent, detect and respond to threats against fiber infrastructure. Fiber monitoring can prevent malicious attacks by deterring potential attackers. This technology also provides real-time detection of the location of fiber breaks.

Network protection and restoration technologies are responsive and effective ways to re-establish operations quickly and seamlessly by utilizing redundant network resources and disjoint fiber paths.

In the event of a successful eavesdropping attack, encryption serves as the last line of defense, rendering any information accessed useless to the attacker. Any attempt to manipulate data on the move can also be identified. Hence, the integrity of the communication is also protected.


ConnectGuard™ encryption
Prevent: Protecting privacy
Detect: Identifying manipulation

FSP 3000 protection and restoration
Detect: Identifying service degradation
Response: Immediate service repair

ALM fiber monitoring
Prevent: Deterring attackers by creating risk of capture
Detect: Detecting the location of a fiber break or tapping device in real-time

The foundation of a communication infrastructure is its fiber network. Given the significant investment involved in its construction, no compromises on information security can be tolerated. That’s why Adva Network Security has augmented the FSP 3000 fiber transport solution from Adtran with robust and quantum-safe ConnectGuard™ encryption technology. This security control has been approved by the German federal agency of information security (Bundesamt für Sicherheit in der Informationstechnik, BSI). With our security-enhancement solutions, an operator of a critical infrastructure or governmental network can have confidence in the robustness and resilience of its fiber network.  

The comprehensive fiber solution portfolio of Adva Network Security and Adtran enables immediate detection of failures and attacks as well as provision for immediate service restoration. The real-time identification of sabotage locations amplifies the risk for potential attackers, acting as a powerful deterrent. The comprehensiveness of our approach to information security significantly improves the privacy, integrity and availability of mission-critical networks. Moreover, our experienced services team at Adva Network Security supports mission-critical operations by designing, implementing and operating high-security fiber networks.