
Secure Optical Transport: Not All Solutions Are Equal



Mar 19th, 2017


Current events reveal many reasons why cybersecurity threats are troubling. Any user of modern data systems should be concerned about the safety of their personal, business, or government data, whether at rest in a data center or in flight across a network.

Compromised data is costly and disruptive, resulting in lost revenue, reduced market share, and damaged credibility for those affected. Lloyd's reported in 2015 that cyber-attacks cost companies $400 billion per year. The cost has increased since, and the threat has spread throughout society, even to the democratic process, affecting public confidence.

Historically, cybersecurity meant the use of perimeter protection -- firewalls and passwords, intended to keep bad guys from entering the enterprise domain. This is no longer sufficient. What’s needed are countermeasures that provide multiple layers of protection against a variety of threats. This defense-in-depth concept must now be applied to securing optical networks.

What is secure optical transport?


In-flight data faces two primary threats: theft and destruction. Theft is when financial value or intelligence is stolen from the data’s rightful owner. Destruction is when an enemy simply prevents data from reaching its destination, thereby paralyzing commerce, critical infrastructure, or defense forces. Protecting against both threats to in-flight data should be a primary goal for optical networks.

Secure optical transport protects against cyber threats through:

Strong data encryption and keys: Layer 1 encryption using the AES-256 cipher (Advanced Encryption Standard, 256-bit key length) forms the foundation. The AES-256 cipher provides excellent protection against brute-force attacks, and a successful analytical attack has yet to be found. Efficient to implement in both hardware and software, AES-256 is likely to remain relevant for decades. However, use of the AES-256 cipher must be complemented with strong, quality keys. Key negotiation and management must be designed to avoid a reduction in effective strength.

Resilient network design: Such design involves trusted equipment design, redundant systems, and fault isolation. Resiliency is a common goal in communications networks; its importance relative to security should not be overlooked.

Independent certification: Standards bodies such as NIST, Common Criteria, and others have established methods for confirming the security of a network. Certification by an independent body gives the end user assurance that a security approach is verified and trustworthy.
