Securing Ethernet networks has not received the interest that wireless LANs have gotten, for a variety of reasons.

Physical layer security is viewed by most IT professionals as a low-priority problem because cables are run behind walls or in ceilings, beyond the accessibility of most people. Wiring closets and data centers often are locked, and anyway, there are easier ways to subvert a network than by recabling it.

With all those open RJ45 Ethernet jacks everywhere, it would seem to me that someone interested in data would just plug in, rather than recabling anything. Security at this layer is provided by encryption, and the relevant standards are 802.1AE and 802.1X-REV. The first ensures the integrity and privacy of data between peers at Layer 2 (switches and NICs). The second, 802.1X-REV, is a revision of 802.1X now under way to automate the authentication and key management that 802.1AE requires. If you’re a networking rocket scientist, you can read more about the potential implications for these revised standards here.
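To make concrete what "integrity and privacy between peers at Layer 2" buys a defender, here is an added illustration (not code from the post or from the IEEE standards) of hop-by-hop frame protection in the spirit of 802.1AE: the MAC header stays readable so switches can forward, the payload is encrypted, and header plus packet number are bound into an AES-GCM tag so a modified or replayed frame is refused. The frame layout, the `Peer`, `Protect`, `Verify` and `Demo` names, the sample MAC addresses and the fixed key are all constructed for this example; the key stands in for what 802.1X-REV would negotiate, and the layout is not the wire-compatible MACsec SecTAG.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// Simplified model of link-layer frame protection, constructed for illustration.
// Protected frame layout: dst(6) | src(6) | packet number(4) | AES-GCM ciphertext || 16-byte tag
const hdrLen = 12 // destination MAC (6) + source MAC (6), kept in the clear

// Peer holds one direction of a protected link. The model assumes a key is used
// by exactly one sender, so packet numbers (and therefore GCM nonces) never repeat.
type Peer struct {
	aead   cipher.AEAD
	nextPN uint32 // next packet number this peer will send
	lastPN uint32 // highest packet number this peer has accepted
}

func NewPeer(key []byte) (*Peer, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Peer{aead: aead, nextPN: 1}, nil
}

// nonceFor places the packet number in the low bytes of a 12-byte GCM nonce.
func nonceFor(pn uint32) []byte {
	nonce := make([]byte, 12)
	binary.BigEndian.PutUint32(nonce[8:], pn)
	return nonce
}

// Protect encrypts the payload and authenticates the whole frame: the header and
// packet number remain readable but are covered as additional authenticated data.
func (p *Peer) Protect(frame []byte) ([]byte, error) {
	if len(frame) < hdrLen {
		return nil, errors.New("frame shorter than a MAC header")
	}
	pn := p.nextPN
	p.nextPN++
	out := make([]byte, hdrLen+4)
	copy(out, frame[:hdrLen])
	binary.BigEndian.PutUint32(out[hdrLen:], pn)
	aad := append([]byte(nil), out...)
	return p.aead.Seal(out, nonceFor(pn), frame[hdrLen:], aad), nil
}

// Verify rejects replays (packet number must increase) and tampering (GCM tag),
// then returns the plain frame. State advances only after a frame authenticates.
func (p *Peer) Verify(frame []byte) ([]byte, error) {
	if len(frame) < hdrLen+4+p.aead.Overhead() {
		return nil, errors.New("frame too short to carry a tag")
	}
	pn := binary.BigEndian.Uint32(frame[hdrLen:])
	if pn <= p.lastPN {
		return nil, fmt.Errorf("replay: packet number %d not above %d", pn, p.lastPN)
	}
	payload, err := p.aead.Open(nil, nonceFor(pn), frame[hdrLen+4:], frame[:hdrLen+4])
	if err != nil {
		return nil, errors.New("integrity check failed: frame modified or wrong key")
	}
	p.lastPN = pn
	return append(append([]byte(nil), frame[:hdrLen]...), payload...), nil
}

// DemoResult records how the receiver treated a genuine, a tampered and a replayed frame.
type DemoResult struct {
	PayloadHidden, Delivered, TamperRejected, ReplayRejected bool
}

// Demo runs one protected exchange plus the two failure cases.
func Demo() DemoResult {
	key := []byte("0123456789abcdef") // constructed 128-bit key, illustration only
	sender, _ := NewPeer(key)
	receiver, _ := NewPeer(key)
	// Constructed plain frame: two sample MAC addresses and a stand-in payload.
	plain := append([]byte{0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb},
		[]byte("sample patient record")...)
	wire, _ := sender.Protect(plain)

	var r DemoResult
	r.PayloadHidden = !bytes.Contains(wire, []byte("patient"))
	tampered := append([]byte(nil), wire...)
	tampered[0] ^= 0x01 // flip one bit of the destination MAC
	_, err := receiver.Verify(tampered)
	r.TamperRejected = err != nil
	got, err := receiver.Verify(wire)
	r.Delivered = err == nil && bytes.Equal(got, plain)
	_, err = receiver.Verify(wire) // same packet number presented again
	r.ReplayRejected = err != nil
	return r
}

func main() { fmt.Printf("%+v\n", Demo()) }
```

The order of checks in `Verify` is deliberate: the replay window only moves after the tag verifies, so a forged frame with a high packet number cannot push the receiver past frames it has yet to see. Real MACsec tolerates some reordering with a replay window rather than a strict counter; the strict counter here keeps the idea visible.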

With their concerns about security and HIPAA, will health care enterprises move to encrypt the physical layer? Such an option will be increasingly possible, according to this Information Week story from last week (emphasis mine):

You’ll be answering that question in the next few years as two new network security protocols come to a switch near you. Together, these two protocols–IEEE 802.1AE-2006, Media Access Control Security, known as MACsec; and an update to 802.1X called 802.1X-REV–will help secure Layer 2 traffic on the wire. 802.1AE is a completed standard and will be appearing soon in hardware. 802.1X-REV could be ratified as early as the first quarter of next year.

How much of a vulnerability unencrypted Layer 2 data represents in a hospital’s security risk analysis remains to be seen. But this standard is one more example of the changing network environment and the challenges it represents to medical device vendors (not to mention providers).

Applying this level of security to medical devices will be problematic. The very long life cycle of medical devices means it will take years before embedded NICs that support these new standards become widely available. A few initial risk analyses will have to be done on implementations of these standards to determine how much effort will be required to include this capability in regulated medical devices. If medical device vendors can base their regulatory strategy on the standards, irrespective of individual network vendors’ implementations, adoption should be relatively easy. If there is too much variability between network vendors’ implementations, device vendors might have to verify their implementation with each infrastructure vendor individually. Ouch.

Certainly the one constant in connectivity is change.