Preserving information security at data centres
01 March 2013
The TEMPEST threat to information security was first recognised by the US National Security Agency (NSA) and GCHQ in the 1960s. Governments, armed forces, municipal authorities and companies now share this concern that electrical and electronic equipment such as computers and peripherals give off unintended electromagnetic emanations which can then be reconstructed beyond the building boundary as intelligible data.
TEMPEST was originally a military codeword, subsequently rationalised as an acronym for terms such as “Transmitted ElectroMagnetic Pulse Emission Standard” or “Telecommunications Electronics Material Protected from Emanating Spurious Transmissions”. In defence parlance, the countermeasures applied to prevent intelligence interception are known as hardening, and TEMPEST hardening represents one aspect of total facility protection from electromagnetic threats in theatre.
The evidence in the 21st Century is that TEMPEST countermeasures are becoming as important for information security in the civilian world as in the military arena. In particular, electronically secure data centres are nowadays commonplace, processing and storing vast amounts of information for Government offices, local authorities, the armed forces and police, public utilities, banks, healthcare providers, insurance companies and online retailers. There would be serious repercussions on many levels if any such organisations should allow entrusted information to be compromised.
Information-bearing signals pass through red & black zones
Confidential data – or devices containing or processing such data – are usually referred to as “red”. This implies merely that you don’t want the data to escape. Conversely, non-confidential data and equipment are termed “black”. Sensitive or classified data that has been suitably encrypted is also regarded as black. A device processing red data, yet incorporating adequate protection to contain emissions, can be black too. Meanwhile a cable carrying black data that passes close to red equipment, and thus has the potential to pick up red data, can be considered red.
The main types of TEMPEST leakage path are as follows:
1. Unintentional radiation from red equipment, strong enough to be picked up directly.
2. Coupling onto black equipment or cables. Red emissions can be picked up by black wires or equipment and propagated. The unwanted red data is described as parasitic. As black equipment and cables do not need to be protected, the parasitic red data can escape.
3. By coupling onto an intentional emitter. A secure data storage device may be located close to an insecure radio transmitter. Secure data coupled on to the radio may be amplified and transmitted for all to hear.
4. By conduction. As your computer generates its ones and zeros, it will create tiny surges and glitches in the mains current supplying it. Given sensitive enough equipment, these could be interpreted by reading the mains cable from several miles away.
One solution is to create around the at-risk IT facility a hardened, “red” secured area or full Faraday cage lined with steel, aluminium or copper, backed up by filtering to suppress any conducted EMI which may contain intelligible information.
Where a cable has to pass through a red/black boundary, a filter can be inserted as an intended countermeasure to filter out all frequencies except the desired signal. It is normally a low-pass filter that blocks everything above a given frequency, on the basis that any parasitic red signal is likely to be of high frequency. This solution has obvious limitations, since any parasitic signals within the passband will still get through, and a low-pass filter cannot be used if the desired signal is itself of high frequency. A proper TEMPEST-grade filter must also prevent bypass coupling, where a radiated red signal bypasses the filter and couples onto the black side.
Because the propagation of unintentionally radiated emanations is relatively inefficient over distance, most red zones are situated in the normal building fabric, where potential eavesdroppers are denied opportunity by physical security measures.
The coupling of electromagnetic emanations onto cables and wires travelling into the black zone represents a more critical threat. This coupling and subsequent transmission down line can be very efficient, and information-bearing signals can be carried far beyond the building boundary, where they may be intercepted, analysed and reconstructed.
Electrical filters at the red / black boundary diminish the risk
The electrical infrastructure of any data centre will include power cables, telephone and data lines, and building management services wires. All of these can represent very efficient receptors of those emanations and signals circulating within the red zone. When these signals are carried far from the building boundary and beyond the physical security measures, then they can be readily decoupled from the cables and wires, without the host being aware that his facility has been compromised. The solution to mitigate the risk is to install appropriate electrical filters at the architectural boundary of the red and black zones.
The filters selected must be verified as being effective across the full spectrum up to Super High Frequency. Commercial EMI filters will not sustain their performance at these high frequencies, and it is essential that professional TEMPEST filters utilising feedthrough suppression capacitors are installed. MPE of Liverpool is one of the world’s foremost suppliers of TEMPEST filters for infrastructure hardening and has been supporting government and military establishments for over 25 years.
Passbands, stopbands & integrated hardening
The filters will have passbands which allow the wanted frequencies to pass through with minimum attenuation, for example a 0-50Hz passband for cables carrying AC power across the building boundary. The stopband attenuation of the filters will be maximal across the part of the frequency spectrum that constitutes the maximum risk of signal eavesdropping, that is from 10kHz/100kHz to 1GHz/10GHz, depending upon a facility’s at-risk classification.
MPE offers a comprehensive range of TEMPEST power line filters of alternative performance specifications. These extend from 6A to 16A filters, which might be used to treat individual power inlets, up to 2400A filters for the hardening of a main building power supply. When specifying filters, data centre managers must also take into account the electrical loading that TEMPEST filters will impose on their power supplies.
TEMPEST hardening comes at a cost – filters cause leakage currents and power dissipation, and take up space. On the plus side, the installation of TEMPEST filters supports the protection of equipment within the protected area from incoming mains-borne EMI and transients, which could otherwise pass unimpeded and cause damage and disruption to susceptible pieces of equipment. The TEMPEST filters will also contribute to the attenuation of secondary lightning effects not suppressed by primary building lightning protection devices.
When electrical filters can combine the multiple benefits of TEMPEST hardening, EMI suppression and transient attenuation, this is known as “integrated hardening”.
The long-term reliability of installed filters
A critical consideration for any data centre manager is that installed TEMPEST filters will be reliable over time. The undiminished long-term performance of installed filters becomes highly significant when most cannot be accessed easily to survey or replace, having been installed deep within building infrastructure.
So, having been originally designed to support mission-critical military applications, MPE’s EMI, EMP and TEMPEST filters apply the most liberal design margins to ensure maximum in-service reliability. MPE has also long supplied TEMPEST products which adhere to the onerous specifications of CESG (the Communications Electronics Security Group at GCHQ) and of the US NSA and more recently NATO SDIP-27 Standards.
Filters contain reactive and resistive elements, which are all at risk of in-service failure. Although the electrical supply may be expected to be fused to cope with the possibility of a filter failing from a short circuit, it is the prospective loss of service that is of most concern to the data centre manager. The filter component at greatest risk of in-service failure is the capacitor. However, a filter such as MPE’s incorporating capacitors manufactured from self-healing, high-reliability, metallised plastic film would generally be expected to remain in service for the intended lifetime of a building.
Low insertion loss up to very high frequencies
MPE manufactures power line filters which support the highest level of TEMPEST hardening, providing low insertion loss performance (dB against frequency in Hz) across the whole spectrum from Very Low Frequency (VLF) to above SHF. Hence the performance of MPE filters comfortably exceeds the industry benchmarks for mains supply applications – 100dB in a frequency range from 10kHz to 10GHz – and for individual pieces of equipment – 60dB from 100kHz to 1GHz. Housed in electroplated steel cases, TEMPEST filters from MPE are of compact size for easy, flexible, bulkhead or chassis mounting into the rack systems of data centres, and include product options where low earth leakage is critical.
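As an added illustration (not part of the original article and not MPE's code), the sketch below checks a measured insertion-loss sweep against the two benchmark masks quoted above and flags a sweep that stops short of the stopband. The sweep values are constructed, and interpolating linearly in log-frequency between measured points is an assumption of the example.

```python
import math

# Benchmark masks quoted in the article:
# name -> (stopband start Hz, stopband end Hz, minimum insertion loss dB)
MASKS = {
    "mains": (10e3, 10e9, 100.0),
    "equipment": (100e3, 1e9, 60.0),
}

def interp_db(sweep, f):
    """Insertion loss at f, interpolated linearly in log10(frequency).
    The interpolation rule is an assumption of this example."""
    for (f0, d0), (f1, d1) in zip(sweep, sweep[1:]):
        if f0 <= f <= f1:
            t = (math.log10(f) - math.log10(f0)) / (math.log10(f1) - math.log10(f0))
            return d0 + t * (d1 - d0)
    raise ValueError("frequency outside the measured sweep")

def check_mask(sweep, kind):
    """Compare a sweep of (frequency Hz, insertion loss dB) points with a mask."""
    f_lo, f_hi, need = MASKS[kind]
    sweep = sorted(sweep)
    first, last = sweep[0][0], sweep[-1][0]
    # A filter is only verified where it was actually measured.
    covered = first <= f_lo and last >= f_hi
    # Test every measured point in the stopband, plus the band edges if measured.
    freqs = {f for f, _ in sweep if f_lo <= f <= f_hi}
    freqs |= {f for f in (f_lo, f_hi) if first <= f <= last}
    failures = []
    for f in sorted(freqs):
        loss = interp_db(sweep, f)
        if loss < need:
            failures.append((f, round(loss, 1)))
    return {"covered": covered, "failures": failures,
            "pass": covered and not failures}

# Constructed sweeps, not measurements of any real product.
SWEEP_A = [(50, 0.2), (1e3, 20), (10e3, 102), (1e6, 110), (1e9, 108), (10e9, 101)]
SWEEP_B = [(50, 0.1), (10e3, 40), (100e3, 65), (10e6, 80), (1e9, 45)]

if __name__ == "__main__":
    for name, sweep in (("A", SWEEP_A), ("B", SWEEP_B)):
        for kind in MASKS:
            print(name, kind, check_mask(sweep, kind))
```

Sweep B fails the equipment mask only at its top end and cannot be assessed against the mains mask at all, because it was never measured above 1GHz.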