Fri Apr 8 06:51:39 PDT 2016
Zones: Physical separation: How are zones and subzones physically separated and controlled?
Options:
Basis:
Option A: The design basis threat.
Option B: The operating environment.
Option C: Duties to protect.
Option D: Revisit design basis threat as it changes over time.
Option E: Follow applicable elements of applicable standards and requirements.
Option F: Due diligence requirements.
Deter:
Option Q: Use proper signage to warn against inappropriate actions.
Option R: Provide periodic (at rate) training and suitable education relating to physical security requirements.
Option S: Provide obvious presence of (or don't seek to conceal) some security measures and response forces.
Prevent:
Option 1: Physically separate {zones / subzones / components} by adequate {distance / shielding / insulation / isolation}.
Option 2: Use different {colors / markings / connector types / media types / cable runs / wire closets / physical spaces / frequency ranges / signaling methods / routing and switching hardware} for different {zones / subzones}.
Option 3: {Associate / label / mark} unique {serial numbers and/or device codes} to each physical item and map them to their respective {zone / subzone / location / connection point}.
Option 4: Map each connector to a specific receptacle and number and label them as a readily apparent matched set.
Option 5: Limit interfaces so that none are unused.
Option 6: Physically secure, label, and seal each connection.
Option 7: Use only point to point (dedicated end-to-end) connections.
Option 8: Use active countermeasures to identified weaknesses.
Detect, react, and adapt:
Option V: Place physical {tamper / access / presence} {alarms / detectors} on {devices / connections / cables / spaces / entries and exits}.
Option W: Surveil physical {access / presence / emanations} to/from {devices / connections / cables / spaces / entries and exits}.
Option X: Perform regular physical inspections for detection and verification of implementation of protective measures with frequency based on the design basis threat.
Option Y: Implement response regimens and actions to event sequences per a systems analysis based on the design-basis threat.
Option Z: Follow incidents up with investigative and adaptation processes to identify and mitigate root causes of incidents and improve performance.
Decision:
Typical controls for different risk levels are identified here:
For high consequence situations:
Basis:
Base all specifics on the design basis threat, duties to protect, and the environment.
Revisit design basis threat as it changes over time.
Follow applicable elements of applicable standards and requirements.
Deter:
Use proper signage to warn against inappropriate actions.
Provide periodic (4 times per year) training and suitable education relating to physical security requirements.
Provide obvious presence of some security measures and response forces.
Prevent:
Physically separate {zones / subzones / components} by adequate {distance / shielding / insulation / isolation}.
Use different {colors / markings / connector types / media types / cable runs / wire closets / physical spaces / frequency ranges / signaling methods / routing and switching hardware} for different {zones / subzones}.
{Associate / label / mark} unique {serial numbers and/or device codes} to each physical item and map them to their respective {zone / subzone / location / connection point}.
Map each connector to a specific receptacle and number and label them as a readily apparent matched set.
Limit interfaces so that none are unused.
Physically secure, label, and seal each connection.
Use only point to point (dedicated end-to-end) connections.
Use active countermeasures to identified weaknesses.
Detect, react, and adapt:
Place physical {tamper / access / presence} {alarms / detectors} on {devices / connections / cables / spaces / entries and exits}.
Surveil physical {access / presence / emanations} to/from {devices / connections / cables / spaces / entries and exits}.
Perform regular physical inspections for detection and verification of implementation of protective measures with frequency based on the design basis threat.
Implement response regimens and actions to event sequences per a systems analysis based on the design-basis threat.
Follow incidents up with investigative and adaptation processes to identify and mitigate root causes of incidents and improve performance.
Physical separation requirements for high consequence zone and subzones
For medium consequence situations:
Basis:
Base all specifics on applicable standards and defined duties to protect.
Deter:
Use proper signage to warn against inappropriate actions.
Provide periodic (at least annual) training and suitable education relating to physical security requirements.
Don't conceal presence of some security measures and response forces.
Prevent:
Use different {colors / markings} for different {zones / subzones}.
Map each connector to a specific receptacle and number and label them as a readily apparent matched set.
{Associate / label / mark} unique {serial numbers and/or device codes} to each physical item and map them to their respective {zone / subzone / location / connection point}.
Detect, react, and adapt:
Place physical {tamper / access / presence} {alarms / detectors} on high-valued {devices / spaces / entries and exits}.
Surveil physical {access / presence} to {spaces / entries and exits}.
Perform regular physical inspections for detection and verification of implementation of protective measures with frequency based on health and safety and property protection needs.
Implement response regimens and actions to event sequences.
Follow incidents up with investigative and adaptation processes to improve performance.
Physical separation requirements for medium consequence zone and subzones
For low consequence situations:
Basis:
Base all specifics on due diligence requirements.
Deter:
Use proper signage to warn against inappropriate actions.
Provide periodic (annual) training and suitable education relating to physical security requirements.
Prevent:
Use different {colors / marking} for different {zones}.
Detect, react, and adapt:
Perform regular physical inspections with frequency based on health and safety needs.
Follow incidents up with adaptation to reduce costs of future incidents.
Physical separation requirements for low consequence zone and subzones
Basis:
- The design basis threat: A design basis threat
should be defined and applied in making decisions about physical
separations associated with zones. While insiders should always be
part of the threat considered, specific capabilities associated with
specific needs of the design must also be taken into account.
- The operating environment: The
operating environment poses specific requirements for separation, such
as effects on cabling, connectors, and seals. Since zones are often
associated with physical spaces, the zone separation may also be
affected by electromagnetic, temperature, and related effects on
cabling.
- Duties to protect as defined by the
management process may also add physical separation requirements, for
example, associated with contractors vs. employees or different
access requirements for different companies in joint ventures.
- Revisit design basis threat as it changes over
time: As threats change, so should protective measures. However, in
the complex system space, implementation changes are costly and operations tend
to be over periods of many years. For this reason, it is usually
worthwhile to design for the worst anticipated threats with the
understanding that as threats change, adaptation may be required.
- Follow applicable elements of applicable
standards and requirements. For example, classified information
has specific separation requirements that are very different from
interference requirements associated with hostile environmental
conditions. Similarly, building codes and related standards apply to
physical separation mechanisms.
- Due diligence requirements. In the absence
of other guidance, due diligence requirements should always be
followed. These are generally driven by industry standards or common
usage and process. For example, wire closets should generally be
locked so that accidental or malicious destruction is limited.
Deter:
- Use proper signage to warn against inappropriate
actions. Warning signs associated with zones are often associated
with physical spaces in environments. However, signs indicating
authorized access only will effectively deter many from entering areas
or opening devices that cross zones, and warnings such as lock-out
tag-out tags are important to warning others from changing high
consequence cabling and settings.
- Provide periodic (at rate) training and suitable
education relating to physical security requirements. People have
to know what they are and are not allowed and/or supposed to do in
order to do their jobs well and appropriately. This should be applied
to deter damage from zone violations, such as cross-connects and
other undocumented or unauthorized changes.
- Provide obvious presence of (or don't seek to
conceal) some security measures and response forces. To the
extent that obvious security measures cause people to recognize that
they are about to do something that they should not do and/or that
could be detected and/or punished, this helps to deter their
actions. To the extent that some such measures are less obvious or
concealed, this also provides assurance against intentional threats
who may knowingly bypass obvious protective measures. For example
nightly checks of wiring for color mismatches are obvious, while
automated checks of cable marking matches to inventory may be less
obvious. Response force exercises may be concealed in some cases and
demonstrated in other cases to support deterrence.
Prevent:
- Physically separate {zones / subzones /
components} by adequate {distance / shielding / insulation /
isolation}. Separation requirements for distance, shielding,
insulation, and isolation generally have to do with leakage and/or
mishandling issues, but may also be affected by things like
environmental conditions (e.g., temperature differences, radiation,
electromagnetic interference, etc.) that could affect operations
across zones/subzones/components when they are separated and
associated with common physical spaces.
- Use different {colors / markings / connector
types / media types / cable runs / wire closets / physical spaces /
frequency ranges / signaling methods / routing and switching hardware}
for different {zones / subzones}. Colors and markings provide
protection against accidental cross-connects and related faults and
make such changes or errors more obvious. Color blindness means that
color-independent markings should be used along with colors. Different
connector types (e.g., RJ45 vs. RJ11, Fiber vs. RJ45 vs. Coaxial,
etc.) also provide for effective differentiation between zones and
subzones. Different media types bring similar clarity and make
cross-connect impossible without added or altered hardware. Different
frequency ranges and signaling methods make physical cross-connect
ineffective except for disruption, and make detection of such
cross-connects more obvious. Separate cable runs, wire closets, and
physical spaces provide for isolation except in identified
cross-connect areas, reducing the need for physical inspection and
further increasing surety of separation. Separate routing and
switching hardware prevents weaknesses, physical subversion, and
supply chain attacks from directly affecting separation between
networks.
- {Associate / label / mark} unique {serial
numbers and/or device codes} to each physical item and map them to
their respective {zone / subzone / location / connection point}.
Identifying all components with unique identifiers allows every
component in every zone and subzone to be uniquely identified with
its place in the environment and allows verification there is a place
for everything and that everything is in its place.
- Map each connector to a specific receptacle and
number and label them as a readily apparent matched set. To the
extent that the component identification and labeling scheme includes
obvious components (i.e., building, floor, area, zone, subzone,
device, port all explicitly marked) this can be immediately examined
for correctness. To the extent that there is also a non-obvious
component, such as a cryptographic checksum based on these and the
manufacture date, physical forgery and alteration is less easily
accomplished except by one-for-one replacement with proper labeling
(e.g., two cables with mismatched ends used to create a cross-connect
that appears to match).
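As an added illustration (example code written for this page, not part of the original), a hypothetical labeling scheme in Python: the obvious component is every field spelled out, the non-obvious component is a keyed checksum over those fields plus the manufacture date, and the cable check also applies the inventory mapping of the previous item by rejecting a cable whose two ends verify but belong to different zones/subzones. The key, field names, and label layout are assumptions; a keyed checksum (HMAC) is used rather than a plain hash so that a label cannot be recomputed by anyone who can read another one.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Hypothetical per-site labeling key, held by the labeling authority only.
LABEL_KEY = b"constructed-example-key-do-not-reuse"


@dataclass(frozen=True)
class PortLabel:
    building: str
    floor: str
    area: str
    zone: str
    subzone: str
    device: str  # unique device serial number or device code
    port: str

    def obvious(self) -> str:
        """Human-readable component: every field explicitly marked."""
        return "/".join([self.building, self.floor, self.area, self.zone,
                         self.subzone, self.device, self.port])


def checksum(label: PortLabel, manufacture_date: str) -> str:
    """Non-obvious component: keyed checksum over the fields and the date."""
    msg = (label.obvious() + "|" + manufacture_date).encode()
    return hmac.new(LABEL_KEY, msg, hashlib.sha256).hexdigest()[:8]


def render(label: PortLabel, manufacture_date: str) -> str:
    """Text printed on the label: obvious part, date, checksum."""
    return f"{label.obvious()}#{manufacture_date}#{checksum(label, manufacture_date)}"


def parse_and_verify(printed: str) -> Optional[PortLabel]:
    """Return the label if its checksum matches; None if altered or forged."""
    try:
        obvious, date, chk = printed.rsplit("#", 2)
        fields = obvious.split("/")
        if len(fields) != 7:
            return None
        label = PortLabel(*fields)
    except ValueError:
        return None
    return label if hmac.compare_digest(chk, checksum(label, date)) else None


def check_cable(end_a: str, end_b: str) -> str:
    """Inspect one cable: both ends must verify and share zone and subzone."""
    a, b = parse_and_verify(end_a), parse_and_verify(end_b)
    if a is None or b is None:
        return "REJECT: unverifiable label"
    if (a.zone, a.subzone) != (b.zone, b.subzone):
        return f"REJECT: cross-connect {a.zone}/{a.subzone} <-> {b.zone}/{b.subzone}"
    return "OK"
```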
- Limit interfaces so that none are unused.
This prevents the use of otherwise unused interfaces and makes it easy
to detect misuse of interfaces by detecting the lack of operation of
an interface removed for replacement. Bypassing this requires a
replacement that is transparent to normal operation.
- Physically secure, label, and seal each
connection. By securing, labeling, and sealing each connection,
disconnects and replacements become harder because of the need to
break the seal and securing mechanism, obvious from the broken seal,
and thus harder to forge and easier to detect.
- Use only point to point (dedicated end-to-end)
connections. Eliminating shared components and connections makes
interference more difficult and allows (but doesn't force) the
connection between components to have fully predictable (i.e.,
deterministic) behavior over time during normal operation.
- Use active countermeasures to identified
weaknesses. Specific weaknesses, such as electromagnetic
emanations not adequately protected by other means, may be countered
by active defenses, such as electromagnetic noise generation.
Detect, react, and adapt:
- Place physical {tamper / access / presence}
{alarms / detectors} on {devices / connections / cables / spaces /
entries and exits}. Detectors allow for detection of tampering
(changes), access (entry, exit, use), or presence (in a location).
Alarms use sensor data to inform an analysis and response process.
For example, tamper detection tape has no alarm capability and as such
is a passive sensor, with response normally coming from inspection
acting to inform a response process (i.e., an alarm). A tamper
detection tape which also generates a change in signals detected in
near-real time by an automated scanning mechanism, such as a camera
looking at the tape periodically and identifying the change in
pattern, can be used to trigger a near-real-time alarm system.
Timeliness of alarms and response depends on the need for timely
response to mitigate potentially serious negative consequences. Since
devices, connections, cables, spaces, and entries and exits (of
information in physical form, people, and things) can affect zone
separation, these mechanisms can act to detect the potential for or
reality of zone/subzone separation violation.
- Surveil physical {access / presence /
emanations} to/from {devices / connections / cables / spaces / entries
and exits}. Surveillance provides a form of sensor that can
record and/or display physical access (entry and exit), presence, or
emanations (sonic, electromagnetic, gravitational, radioactive, etc.)
from or to devices, connections, cables, spaces, entries, and exits
that might anticipate or realize zone/subzone separation
violation. For example, sounds emanating from video displays may be
used to leak information being displayed, and sound detection may be
used to detect these effects.
- Perform regular physical inspections for
detection and verification of implementation of protective measures
with frequency based on the design basis threat. Inspections are
typically used to verify physical security measures. For example, even
though real-time detection may show that seals are unbroken, a
physical inspection may show that the seal was actually cut and
reconnected or that the detector is improperly oriented or being
subverted. Timeliness depends on threat and consequence, so that
inspection times of several times a day might apply to building
security as a whole, while verification of closed areas may be at the
end of work days or shifts.
- Implement response regimens and actions to event
sequences per a systems analysis based on the design-basis
threat. Response regimens typically depend on how quickly how
much force has to get to what location in order to mitigate what harm
and how many such responses are needed per unit of time. This calls
for analysis of event sequences, typically based on the threat and
their capabilities and intents, and the nature of the protective
system.
- Follow incidents up with investigative and
adaptation processes to identify and mitigate root causes of incidents
and improve performance. A long-term approach to protection
involves not only detecting and responding to incidents, but also
ongoing improvements so that the proximate and root causes of failures
are identified and the architecture is changed or operations enhanced
to reduce the number and severity of events over the long term.
Copyright(c) Fred Cohen, 1988-2015 - All Rights Reserved