Fri Apr 8 06:47:17 PDT 2016

Zones: Physical separation: How are zones and subzones physically separated and controlled?


Options:

Basis:
Option A: The design basis threat.
Option B: The operating environment.
Option C: Duties to protect.
Option D: Revisit design basis threat as it changes over time.
Option E: Follow applicable elements of applicable standards and requirements.
Option F: Due diligence requirements.

Deter:
Option Q: Use proper signage to warn against inappropriate actions.
Option R: Provide periodic (at rate) training and suitable education relating to physical security requirements.
Option S: Provide obvious presence of (or don't seek to conceal) some security measures and response forces.

Prevent:
Option 1: Physically separate {zones / subzones / components} by adequate {distance / shielding / insulation / isolation}.
Option 2: Use different {colors / markings / connector types / media types / cable runs / wire closets / physical spaces / frequency ranges / signaling methods / routing and switching hardware} for different {zones / subzones}.
Option 3: {Associate / label / mark} unique {serial numbers and/or device codes} to each physical item and map them to their respective {zone / subzone / location / connection point}.
Option 4: Map each connector to a specific receptacle and number and label them as a readily apparent matched set.
Option 5: Limit interfaces so that none are unused.
Option 6: Physically secure, label, and seal each connection.
Option 7: Use only point-to-point (dedicated end-to-end) connections.
Option 8: Use active countermeasures to identified weaknesses.

Detect, react, and adapt:
Option V: Place physical {tamper / access / presence} {alarms / detectors} on {devices / connections / cables / spaces / entries and exits}.
Option W: Surveil physical {access / presence / emanations} to/from {devices / connections / cables / spaces / entries and exits}.
Option X: Perform regular physical inspections for detection and verification of implementation of protective measures with frequency based on the design basis threat.
Option Y: Implement response regimens and actions to event sequences per a systems analysis based on the design-basis threat.
Option Z: Follow incidents up with investigative and adaptation processes to identify and mitigate root causes of incidents and improve performance.


Basis:

Basis:
  • The design basis threat: A design basis threat should be defined and applied in making decisions about physical separations associated with zones. While insiders should always be part of the threat considered, specific capabilities associated with specific needs of the design must also be taken into account.
  • The operating environment: The operating environment poses specific requirements for separation, such as effects on cabling, connectors, and seals. Since zones are often associated with physical spaces, the zone separation may also be affected by electromagnetic, temperature, and related effects on cabling.
  • Duties to protect: Duties to protect, as defined by the management process, may also add physical separation requirements, for example, those associated with contractors vs. employees, or different access requirements for different companies in joint ventures.
  • Revisit design basis threat as it changes over time: As threats change, so should protective measures. However, in the complex system space, implementation changes are costly and operations tend to be over periods of many years. For this reason, it is usually worthwhile to design for the worst anticipated threats with the understanding that as threats change, adaptation may be required.
  • Follow applicable elements of applicable standards and requirements. For example, classified information has specific separation requirements that are very different from interference requirements associated with hostile environmental conditions. Similarly, building codes and related standards apply to physical separation mechanisms.
  • Due diligence requirements. In the absence of other guidance, due diligence requirements should always be followed. These are generally driven by industry standards or common usage and process. For example, wire closets should generally be locked so that accidental or malicious destruction is limited.
Deter:
  • Use proper signage to warn against inappropriate actions. Warning signs associated with zones are often associated with physical spaces in environments. Signs indicating authorized access only will effectively deter many from entering areas or opening devices that cross zones, and warnings such as lock-out tag-out tags are important for warning others against changing high consequence cabling and settings.
  • Provide periodic (at rate) training and suitable education relating to physical security requirements. People have to know what they are and are not allowed and/or supposed to do in order to do their jobs well and appropriately. This should be applied to deter damage from zone violations, such as cross-connects and other undocumented or unauthorized changes.
  • Provide obvious presence of (or don't seek to conceal) some security measures and response forces. To the extent that obvious security measures cause people to recognize that they are about to do something that they should not do and/or that could be detected and/or punished, this helps to deter their actions. To the extent that some such measures are less obvious or concealed, this also provides assurance against intentional threats that may knowingly bypass obvious protective measures. For example, nightly checks of wiring for color mismatches are obvious, while automated checks of cable markings against inventory may be less obvious. Response force exercises may be concealed in some cases and demonstrated in other cases to support deterrence.
Prevent:
  • Physically separate {zones / subzones / components} by adequate {distance / shielding / insulation / isolation}. Separation requirements for distance, shielding, insulation, and isolation generally have to do with leakage and/or mishandling issues, but may also be affected by things like environmental conditions (e.g., temperature differences, radiation, electromagnetic interference, etc.) that could affect operations across zones/subzones/components when they are separated and associated with common physical spaces.
  • Use different {colors / markings / connector types / media types / cable runs / wire closets / physical spaces / frequency ranges / signaling methods / routing and switching hardware} for different {zones / subzones}. Colors and markings provide protection against accidental cross-connects and related faults and make such changes or errors more obvious. Color blindness means that color-independent markings should be used along with colors. Different connector types (e.g., RJ45 vs. RJ11, fiber vs. RJ45 vs. coaxial, etc.) also provide effective differentiation between zones and subzones. Different media types bring similar clarity and make cross-connects impossible without added or altered hardware. Different frequency ranges and signaling methods make a physical cross-connect ineffective except for disruption, and make detection of such cross-connects more obvious. Separate cable runs, wire closets, and physical spaces provide isolation except in identified cross-connect areas, reducing the need for physical inspection and further increasing surety of separation. Separate routing and switching hardware prevents weaknesses, physical subversion, and supply chain attacks from directly affecting separation between networks.
  • {Associate / label / mark} unique {serial numbers and/or device codes} to each physical item and map them to their respective {zone / subzone / location / connection point}. Identifying all components with unique identifiers allows every component in every zone and subzone to be uniquely identified with its place in the environment and allows verification there is a place for everything and that everything is in its place.
  • Map each connector to a specific receptacle and number and label them as a readily apparent matched set. To the extent that the component identification and labeling scheme includes obvious components (i.e., building, floor, area, zone, subzone, device, port all explicitly marked), this can be immediately examined for correctness. To the extent that there is also a non-obvious component, such as a cryptographic checksum based on these and the manufacture date, physical forgery and alteration is less easily accomplished except by one-for-one replacement with proper labeling (e.g., two cables with mismatched ends used to create a cross-connect that appears to match).
  • Limit interfaces so that none are unused. This prevents the use of otherwise unused interfaces and makes it easy to detect misuse of interfaces by detecting the lack of operation of an interface removed for replacement. Bypassing this requires a replacement that is transparent to normal operation.
  • Physically secure, label, and seal each connection. By securing, labeling, and sealing each connection, disconnects and replacements become harder because of the need to break the seal and securing mechanism, obvious from the broken seal, and thus harder to forge and easier to detect.
  • Use only point-to-point (dedicated end-to-end) connections. Eliminating shared components and connections makes interference more difficult and allows (but doesn't force) the connection between components to have fully predictable (i.e., deterministic) behavior over time during normal operation.
  • Use active countermeasures to identified weaknesses. Specific weaknesses, such as electromagnetic emanations not adequately protected by other means, may be countered by active defenses, such as electromagnetic noise generation.
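As an added illustration of the unique-identifier and matched-set labeling described above (Options 3 and 4), the following code is not part of this document or its author's work: it models each cable-end label as an obvious part (cable serial, this end's location, the far end's location, manufacture date) plus a non-obvious checksum, here assumed to be a truncated HMAC-SHA256 under a key held by the inspection process. The location strings, serials and key are constructed sample values, and the inspection shows how a spliced cross-connect or a relabeled end is caught even when each end's obvious label matches the receptacle it sits in.

```python
import hmac
import hashlib
from dataclasses import dataclass, replace

# Constructed demo key; assumed to be held only by the labeling/inspection process.
LABEL_KEY = b"constructed-demo-key-not-for-production"

@dataclass(frozen=True)
class EndLabel:
    """One cable-end label: obvious fields plus the non-obvious checksum tag."""
    cable_serial: str   # unique item identifier for the whole cable (Option 3)
    this_end: str       # building/floor/area/zone/subzone/device/port of this end
    far_end: str        # receptacle the other end of this cable belongs in
    mfg_date: str       # manufacture date, mixed into the checksum (Option 4)
    tag: str = ""       # truncated HMAC over the four fields above

    def fields(self) -> bytes:
        return "|".join([self.cable_serial, self.this_end,
                         self.far_end, self.mfg_date]).encode()

def make_tag(label: EndLabel, key: bytes = LABEL_KEY) -> str:
    return hmac.new(key, label.fields(), hashlib.sha256).hexdigest()[:12]

def issue_cable(serial, end_a, end_b, mfg_date, key=LABEL_KEY):
    """Produce the matched set of two end labels for one cable."""
    a = EndLabel(serial, end_a, end_b, mfg_date)
    b = EndLabel(serial, end_b, end_a, mfg_date)
    return replace(a, tag=make_tag(a, key)), replace(b, tag=make_tag(b, key))

def inspect_cable(end_a, receptacle_a, end_b, receptacle_b, key=LABEL_KEY):
    """Checks an inspector applies to both ends of one installed cable.
    Returns a list of findings; an empty list means the cable checks out."""
    findings = []
    for end, receptacle in ((end_a, receptacle_a), (end_b, receptacle_b)):
        if not hmac.compare_digest(end.tag, make_tag(end, key)):
            findings.append(f"{end.this_end}: checksum does not match label fields")
        if end.this_end != receptacle:          # obvious part vs. actual receptacle
            findings.append(f"{end.this_end}: plugged into {receptacle}")
    if end_a.cable_serial != end_b.cable_serial:
        findings.append("ends carry different cable serials (spliced cable?)")
    if end_a.far_end != end_b.this_end or end_b.far_end != end_a.this_end:
        findings.append("ends do not name each other as the far end")
    return findings

def demo():
    """Constructed sample: one legitimate cable, one splice, one relabeling."""
    c1_a, c1_b = issue_cable("CBL-0001", "B1/F2/Z1/SW1/P3", "B1/F2/Z1/SRV7/NIC0", "2016-01")
    c2_a, c2_b = issue_cable("CBL-0002", "B1/F2/Z2/SW9/P1", "B1/F2/Z2/SRV2/NIC0", "2016-02")
    good = inspect_cable(c1_a, "B1/F2/Z1/SW1/P3", c1_b, "B1/F2/Z1/SRV7/NIC0")
    # Cross-connect made from halves of two cables: each end matches its receptacle.
    spliced = inspect_cable(c1_a, "B1/F2/Z1/SW1/P3", c2_b, "B1/F2/Z2/SRV2/NIC0")
    # Both ends relabeled consistently but without the key: tags no longer verify.
    f_a = replace(c1_a, far_end="B1/F2/Z2/SRV2/NIC0")
    f_b = replace(c1_b, this_end="B1/F2/Z2/SRV2/NIC0")
    forged = inspect_cable(f_a, "B1/F2/Z1/SW1/P3", f_b, "B1/F2/Z2/SRV2/NIC0")
    return good, spliced, forged
```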
Detect, react, and adapt:
  • Place physical {tamper / access / presence} {alarms / detectors} on {devices / connections / cables / spaces / entries and exits}. Detectors allow for detection of tampering (changes), access (entry, exit, use), or presence (in a location). Alarms use sensor data to inform an analysis and response process. For example, tamper detection tape has no alarm capability and as such is a passive sensor, with response normally coming from inspection acting to inform a response process (i.e., an alarm). A tamper detection tape which also generates a change in signals detected in near-real time by an automated scanning mechanism, such as a camera looking at the tape periodically and identifying the change in pattern, can be used to trigger a near-real-time alarm system. Timeliness of alarms and response depends on the need for timely response to mitigate potentially serious negative consequences. Since devices, connections, cables, spaces, and entries and exits (of information in physical form, people, and things) can affect zone separation, these mechanisms can act to detect the potential for or reality of zone/subzone separation violation.
  • Surveil physical {access / presence / emanations} to/from {devices / connections / cables / spaces / entries and exits}. Surveillance provides a form of sensor that can record and/or display physical access (entry and exit), presence, or emanations (sonic, electromagnetic, gravitational, radioactive, etc.) from or to devices, connections, cables, spaces, entries, and exits that might anticipate or realize zone/subzone separation violation. For example, sounds emanating from video displays may be used to leak information being displayed, and sound detection may be used to detect these effects.
  • Perform regular physical inspections for detection and verification of implementation of protective measures with frequency based on the design basis threat. Inspections are typically used to verify physical security measures. For example, even though real-time detection may show that seals are unbroken, a physical inspection may show that the seal was actually cut and reconnected or that the detector is improperly oriented or being subverted. Timeliness depends on threat and consequence, so that inspection several times a day might apply to building security as a whole, while verification of closed areas may be at the end of work days or shifts.
  • Implement response regimens and actions to event sequences per a systems analysis based on the design-basis threat. Response regimens typically depend on how quickly how much force has to get to what location in order to mitigate what harm and how many such responses are needed per unit of time. This calls for analysis of event sequences, typically based on the threat and their capabilities and intents, and the nature of the protective system.
  • Follow incidents up with investigative and adaptation processes to identify and mitigate root causes of incidents and improve performance. A long-term approach to protection involves not only detecting and responding to incidents, but also ongoing improvements so that the proximate and root causes of failures are identified and the architecture is changed or operations are enhanced to reduce the number and severity of events over the long term.
Copyright(c) Fred Cohen, 1988-2015 - All Rights Reserved