A protective distribution system (PDS), also called a protected distribution system, is a US government term for a wireline or fiber-optic telecommunication system that includes terminals and adequate acoustical, electrical, electromagnetic, and physical safeguards to permit its use for the unencrypted transmission of classified information. At one time these systems were called "approved circuits".
A complete protected distribution system includes the subscriber and terminal equipment and the interconnecting lines.
The purpose of a PDS is to deter, detect and/or make difficult physical access to the communication lines carrying national security information. A specification called the National Security Telecommunications and Information Systems Security Instruction (NSTISSI) 7003 was issued in December 1996 by the Committee on National Security Systems.[1] NSTISSI 7003 provides approval authority, standards, and guidance for the design, installation, and maintenance of PDS to U.S. government departments and agencies and their contractors and vendors. This instruction describes the requirements for all PDS installations within the U.S. and for low- and medium-threat locations outside the U.S. PDS is commonly used to protect SIPRNet and JWICS networks. The document superseded one numbered NACSI 4009 on Protected Distribution Systems, dated December 30, 1981, and part of a document called NACSEM 5203, which covered guidelines for facility design using the designations "red" and "black".[1]
There are two types of PDS: hardened distribution systems and simple distribution systems.
Hardened distribution PDSs provide significant physical protection and can be implemented in three forms: hardened carrier PDSs, alarmed carrier PDSs and continuously viewed carrier PDSs.
In a hardened carrier PDS, the data cables are installed in a carrier constructed of electrical metallic tubing (EMT), ferrous conduit or pipe, or rigid sheet steel ducting. All of the connections in a hardened carrier system are permanently sealed completely around all surfaces with welds, epoxy or other such sealants. If the hardened carrier is buried underground, to secure cables running between buildings for example, the carrier containing the cables is encased in concrete.
With a hardened carrier system, detection is accomplished via human inspections that are required to be performed periodically. Therefore, hardened carriers are installed below ceilings or above flooring so they can be visually inspected to ensure that no intrusions have occurred. These periodic visual inspections (PVIs) occur at a frequency dependent upon the level of threat to the environment, the security classification of the data, and the access control to the area.
As an alternative to conducting human visual inspections, an alarmed carrier PDS may be constructed to automate the inspection process through electronic monitoring with an alarm system. In an Alarmed Carrier PDS, the carrier system is “alarmed” with specialized optical fibers deployed within the conduit for the purpose of sensing acoustic vibrations that usually occur when an intrusion is being attempted on the conduit in order to gain access to the cables.
Alarmed carrier PDS offers several advantages over hardened carrier PDS:
Legacy alarmed carrier systems monitor the carrier containing the cables being protected. More advanced systems monitor the fibers within, or intrinsic to, the cables being protected to turn those cables into sensors, which detect intrusion attempts.
Depending on the government organization, utilizing an alarmed carrier PDS in conjunction with interlocking armored cable may, in some cases, allow for the elimination of the carrier systems altogether. In these instances, the cables being protected can be installed in existing conveyance (wire basket, ladder rack) or suspended cabling (on D-rings, J-Hooks, etc.).
A continuously viewed carrier PDS is one that is under continuous observation, 24 hours per day (including when operational). Such circuits may be grouped together, but should be separated from all non-continuously viewed circuits, ensuring an open field of view. Standing orders should include the requirement to investigate any attempt to disturb the PDS. Appropriate security personnel should investigate the area of attempted penetration within 15 minutes of discovery. This type of hardened carrier is not used for Top Secret or special category information in a non-U.S. UAA. UAA stands for Uncontrolled Access Area; related definitions include Controlled Access Area (CAA) and Restricted Access Area (RAA). A Secure Room (SR) offers the highest degree of protection.
Therefore, the area types from the least protected (least secure) to the most protected are as follows: UAA, RAA, CAA, SR.
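The standing order above turns into a concrete monitoring check: every disturbance of a continuously viewed carrier must be investigated within 15 minutes of discovery, and an event nobody has responded to yet is already overdue once the clock passes that limit. The following is an added example written for this page, not code from NSTISSI 7003 or any product; the log format, the circuit names and the timestamps are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Standing-order requirement as summarized on this page: investigate an
# attempted penetration within 15 minutes of discovery.
RESPONSE_LIMIT = timedelta(minutes=15)

@dataclass
class CarrierEvent:
    circuit: str
    discovered: datetime
    investigated: Optional[datetime]  # None = no response recorded yet

def parse_event(line: str) -> CarrierEvent:
    """Parse one constructed log line of the form
    'circuit, discovered_iso, investigated_iso' where '-' marks an open event."""
    circuit, disc, inv = [f.strip() for f in line.split(",")]
    return CarrierEvent(
        circuit,
        datetime.fromisoformat(disc),
        None if inv == "-" else datetime.fromisoformat(inv),
    )

def late_circuits(lines: List[str], now: datetime) -> List[Tuple[str, float]]:
    """Return (circuit, minutes elapsed) for every event whose investigation
    took longer than RESPONSE_LIMIT, or, if still open, has already exceeded
    it as of `now`. Events at exactly 15 minutes are compliant."""
    late = []
    for ev in map(parse_event, lines):
        end = ev.investigated if ev.investigated is not None else now
        elapsed = end - ev.discovered
        if elapsed > RESPONSE_LIMIT:
            late.append((ev.circuit, elapsed.total_seconds() / 60))
    return late

# Constructed sample log: circuit, time the disturbance was discovered,
# time personnel reached the area ('-' = still unanswered).
SAMPLE_LOG = [
    "SIPR-01,  2024-05-01T08:00:00, 2024-05-01T08:09:00",  # 9 min, compliant
    "SIPR-02,  2024-05-01T09:30:00, 2024-05-01T09:50:00",  # 20 min, late
    "JWICS-03, 2024-05-01T10:00:00, -",                    # open event
    "SIPR-04,  2024-05-01T10:05:00, 2024-05-01T10:20:00",  # exactly 15 min, compliant
]
NOW = datetime.fromisoformat("2024-05-01T10:30:00")  # constructed evaluation time

if __name__ == "__main__":
    for circuit, minutes in late_circuits(SAMPLE_LOG, NOW):
        print(f"{circuit}: response limit exceeded ({minutes:.0f} min)")
```

Treating an unanswered event as late once the limit has passed, rather than only after it is closed, is the point of the check: a report that waits for the investigation timestamp would never flag a disturbance that was simply ignored.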
Simple distribution PDSs are afforded a reduced level of physical security protection as compared to a hardened distribution PDS. They use a simple carrier system and the following means are acceptable under NSTISSI 7003:
In physical security and information security, access control (AC) is the selective restriction of access to a place or other resource, while access management describes the process. The act of accessing may mean consuming, entering, or using. Permission to access a resource is called authorization.
Physical security describes security measures that are designed to deny unauthorized access to facilities, equipment, and resources and to protect personnel and property from damage or harm. Physical security involves the use of multiple layers of interdependent systems that can include CCTV surveillance, security guards, protective barriers, locks, access control, perimeter intrusion detection, deterrent systems, fire protection, and other systems designed to protect persons and property.
SCADA is a control system architecture comprising computers, networked data communications and graphical user interfaces for high-level supervision of machines and processes. It also covers sensors and other devices, such as programmable logic controllers, which interface with process plant or machinery.
The last mile, or last kilometer, in the telecommunications, cable television and internet industries refers to the final leg of a telecommunications network that delivers telecommunication services to retail end-users (customers). More specifically, last mile describes the portion of the telecommunications network chain that physically reaches the end-user's premises. Examples are the copper wire subscriber lines connecting landline telephones to the local telephone exchange; coaxial cable service drops carrying cable television signals from utility poles to subscribers' homes, and cell towers linking local cell phones to the cellular network. The word "mile" is used metaphorically; the length of the last mile link may be more or less than a mile. Because the last mile of a network to the user is conversely the first mile from the user's premises to the outside world when the user is sending data, the term first mile is also alternatively used.
The UL enterprise is a global private safety company headquartered in Northbrook, Illinois, composed of three organizations, UL Research Institutes, UL Standards & Engagement and UL Solutions.
A security alarm is a system designed to detect intrusions, such as unauthorized entry, into a building or other areas, such as a home or school. Security alarms protect against burglary (theft) or property damage, as well as against intruders. Examples include personal systems, neighborhood security alerts, car alarms, and prison alarms.
A passive optical network (PON) is a fiber-optic telecommunications network that uses only unpowered devices to carry signals, as opposed to electronic equipment. In practice, PONs are typically used for the last mile between Internet service providers (ISP) and their customers. In this use, a PON has a point-to-multipoint topology in which an ISP uses a single device to serve many end-user sites using a system such as 10G-PON or GPON. In this one-to-many topology, a single fiber serving many sites branches into multiple fibers through a passive splitter, and those fibers can each serve multiple sites through further splitters. The light from the ISP is divided through the splitters to reach all the customer sites, and light from the customer sites is combined into the single fiber. Many fiber ISPs prefer this system.
A network tap is a system that monitors events on a local network. A tap is typically a dedicated hardware device, which provides a way to access the data flowing across a computer network.
A mainframe audit is a comprehensive inspection of computer processes, security, and procedures, with recommendations for improvement.
Database security concerns the use of a broad range of information security controls to protect databases against compromises of their confidentiality, integrity and availability. It involves various types or categories of controls, such as technical, procedural or administrative, and physical.
Fiber tapping uses a network tap method that extracts signal from an optical fiber without breaking the connection. Tapping of optical fiber allows diverting some of the signal being transmitted in the core of the fiber into another fiber or a detector. Fiber to the home (FTTH) systems use beam splitters to allow many users to share one backbone fiber connecting to a central office, cutting the cost of each connection to the home. Test equipment can simply put a bend in the fiber and extract sufficient light to identify a fiber or determine if a signal is present.
A fiber-optic cable, also known as an optical-fiber cable, is an assembly similar to an electrical cable but containing one or more optical fibers that are used to carry light. The optical fiber elements are typically individually coated with plastic layers and contained in a protective tube suitable for the environment where the cable is used. Different types of cable are used for fiber-optic communication in different applications, for example long-distance telecommunication or providing a high-speed data connection between different parts of a building.
A virtual security appliance is a computer appliance that runs inside virtual environments. It is called an appliance because it is pre-packaged with a hardened operating system and a security application and runs on virtualized hardware. The hardware is virtualized using hypervisor technology delivered by companies such as VMware, Citrix and Microsoft. The security application may vary depending on the particular network security vendor. Some vendors, such as Reflex Systems, have chosen to deliver intrusion prevention technology as a virtualized appliance, or as a multifunctional server vulnerability shield as delivered by Blue Lane. The type of security technology is irrelevant to the definition of a virtual security appliance and is more relevant to the performance levels achieved when deploying various types of security as a virtual security appliance. Other issues include visibility into the hypervisor and the virtual network that runs inside it.
A managed facilities-based voice network (MFVN) is a communications network managed, operated, and maintained by a voice service provider that delivers traditional telephone service via a loop start analog telephone interface. MFVNs are interconnected with the public switched telephone network (PSTN) or other MFVNs and provide dial tone to end users. Historically, this was provided by equipment at Bell company central offices; however, today's MFVNs can include a combination of access network, battery-backed customer premises equipment (CPE), network switches and routers, network management systems, voice call servers, and gateways to the broader PSTN.
Homes typically have several kinds of home wiring, including electrical wiring for lighting and power distribution, permanently installed and portable appliances, telephone systems, heating or ventilation system control, and increasingly for home theatre and computer networks.
An electrical conduit is a tube used to protect and route electrical wiring in a building or structure. Electrical conduit may be made of metal, plastic, fiber, or fired clay. Most conduit is rigid, but flexible conduit is used for some purposes.
Data-centric security is an approach to security that emphasizes the dependability of the data itself rather than the security of networks, servers, or applications. Data-centric security is evolving rapidly as enterprises increasingly rely on digital information to run their business and big data projects become mainstream. It involves the separation of data and digital rights management that assign encrypted files to pre-defined access control lists, ensuring access rights to critical and confidential data are aligned with documented business needs and job requirements that are attached to user identities.
IPFire is a hardened open source Linux distribution that primarily performs as a router and a firewall; a standalone firewall system with a web-based management console for configuration.
Senstar Corporation develops and manufactures perimeter intrusion detection systems, video management software, security lighting, personal duress systems, and access control software for the physical security and video surveillance industries. Its headquarters are located in Ottawa, Ontario. Senstar products protect facilities around the world, including critical infrastructure sites, military bases, nuclear power plants, airports, personal estates, borders, and correctional facilities.
Standards for alarm systems, their installation and their monitoring are critical for ensuring safety, reliability, and interoperability. Various standards organizations, both international and regional, develop these guidelines and best practices. Globally recognized bodies such as ISO and IEC provide comprehensive frameworks applicable worldwide, while regional standards may cater to specific local requirements, enhancing the applicability and effectiveness of alarm systems in different environments.