Protective distribution system

A protective distribution system (PDS), also called protected distribution system, is a US government term for wireline or fiber-optics telecommunication system that includes terminals and adequate acoustical, electrical, electromagnetic, and physical safeguards to permit its use for the unencrypted transmission of classified information. At one time these systems were called "approved circuits".

A complete protected distribution system includes the subscriber and terminal equipment and the interconnecting lines.

Description

The purpose of a PDS is to deter, detect and/or make difficult physical access to the communication lines carrying national security information. A specification called the National Security Telecommunications and Information Systems Security Instruction (NSTISSI) 7003 was issued in December 1996 by the Committee on National Security Systems. [1] NSTISSI 7003 provides approval authority, standards, and guidance for the design, installation, and maintenance of PDS to U.S. government departments and agencies and their contractors and vendors. This instruction describes the requirements for all PDS installations within the U.S. and for low and medium threat locations outside the U.S. PDS is commonly used to protect SIPRNet and JWICS networks. The document superseded one numbered NASCI 4009 on Protected Distribution Systems, dated December 30, 1981, and part of a document called NACSEM 5203, which covered guidelines for facility design using the designations "red" and "black". [1]

There are two types of PDS: hardened distribution systems and simple distribution systems.

Hardened distribution

Hardened distribution PDSs provide significant physical protection and can be implemented in three forms: hardened carrier PDSs, alarmed carrier PDSs and continuously viewed carrier PDSs.

Hardened carrier

In a hardened carrier PDS, the data cables are installed in a carrier constructed of electrical metallic tubing (EMT), ferrous conduit or pipe, or rigid sheet steel ducting. All of the connections in a hardened carrier system are permanently sealed completely around all surfaces with welds, epoxy or other such sealants. If the hardened carrier is buried underground, for example to secure cables running between buildings, the carrier containing the cables is encased in concrete.

With a hardened carrier system, detection is accomplished via human inspections that are required to be performed periodically. Therefore, hardened carriers are installed below ceilings or above flooring so they can be visually inspected to ensure that no intrusions have occurred. These periodic visual inspections (PVIs) occur at a frequency dependent upon the level of threat to the environment, the security classification of the data, and the access control to the area.

Alarmed carrier

As an alternative to conducting human visual inspections, an alarmed carrier PDS may be constructed to automate the inspection process through electronic monitoring with an alarm system. In an alarmed carrier PDS, the carrier system is "alarmed" with specialized optical fibers deployed within the conduit for the purpose of sensing the acoustic vibrations that usually occur when an intrusion is being attempted on the conduit in order to gain access to the cables.

Alarmed carrier PDS offers several advantages over hardened carrier PDS:

  1. Provides continuous monitoring 24/7/365
  2. Eliminates the requirement for periodic visual inspections
  3. Allows the carrier to be hidden above the ceiling or below the floor, since periodic visual inspections are not required
  4. Eliminates the need for the welding and epoxying of the connections
  5. Eliminates the requirement for concrete encasement outdoors
  6. Eliminates the need to lock down manhole covers
  7. Enables rapid redeployment for evolving network arrangements

Legacy alarmed carrier systems monitor the carrier containing the cables being protected. More advanced systems monitor the fibers within, or intrinsic to, the cables being protected to turn those cables into sensors, which detect intrusion attempts.

Depending on the government organization, utilizing an alarmed carrier PDS in conjunction with interlocking armored cable may, in some cases, allow for the elimination of the carrier systems altogether. In these instances, the cables being protected can be installed in existing conveyance (wire basket, ladder rack) or suspended cabling (on D-rings, J-Hooks, etc.).

Continuously viewed carrier

A continuously viewed carrier PDS is one that is under continuous observation, 24 hours per day (including when operational). Such circuits may be grouped together, but should be separated from all non-continuously viewed circuits, ensuring an open field of view. Standing orders should include the requirement to investigate any attempt to disturb the PDS. Appropriate security personnel should investigate the area of attempted penetration within 15 minutes of discovery. This type of hardened carrier is not used for Top Secret or special category information for non-U.S. UAA. A UAA is an Uncontrolled Access Area. Related definitions include Controlled Access Area (CAA) and Restricted Access Area (RAA). A Secure Room (SR) offers the highest degree of protection.

Therefore, from the least protected (least secure) to the most protected, the order is: UAA, RAA, CAA, SR.

Simple distribution

Simple distribution PDSs are afforded a reduced level of physical security protection as compared to a hardened distribution PDS. They use a simple carrier system and the following means are acceptable under NSTISSI 7003:

  1. The data cables should be installed in a carrier
  2. The carrier can be constructed of any material (e.g., wood, PVC, EMT, ferrous conduit)
  3. The joints and access points should be secured and be controlled by personnel cleared to the highest level of data handled by the PDS
  4. The carrier is to be inspected in accordance with the requirements of NSTISSI 7003

References

  1. "Protective distribution system" (PDF). National Security Telecommunications and Information Systems Security Instruction number 7003. Committee on National Security Systems. December 13, 1996. Archived from the original (PDF) on July 13, 2006. Retrieved October 2, 2013.