The TEMPEST threat to information security was first recognised by the US National Security Agency (NSA) and GCHQ in the 1960s.
Governments, armed forces, municipal authorities and companies now share this concern that electrical and electronic equipment such as computers and peripherals give off unintended electromagnetic emanations which can then be reconstructed beyond the building boundary as intelligible data. Countermeasures are aimed at preventing eavesdropping on data radiated as signals via conducting lines such as power, telephone or control line cables.
TEMPEST was originally a military codeword, subsequently rationalised as an acronym for terms such as ‘Transmitted ElectroMagnetic Pulse Emission Standard’ or ‘Telecommunications Electronics Material Protected from Emanating Spurious Transmissions’. In defence parlance, the countermeasures applied to prevent intelligence interception are known as hardening, and TEMPEST hardening represents one aspect of total facility protection from electromagnetic threats in theatre.
The evidence in the 21st century is that TEMPEST countermeasures are becoming as important for information security in the civilian world as in the military arena. Examples of sites at risk would be Western embassies in hostile parts of the world, and data centres handling sensitive personal and financial information, where power line cables are vulnerable to electronic eavesdropping.
In particular, electronically secure data centres are nowadays commonplace, processing and storing vast amounts of information for Government offices, local authorities, the armed forces and police, public utilities, banks, healthcare providers, insurance companies and online retailers. There would be serious repercussions on many levels if any such organisations should allow entrusted information to be compromised.
Information-bearing signals pass through red & black zones
Confidential data – or devices containing or processing such data – are usually referred to as ‘red’. This implies merely that you don’t want the data to escape. Conversely, non-confidential data and equipment are termed ‘black’. Sensitive or classified data that has been suitably encrypted is also regarded as black. A device processing red data, yet incorporating adequate protection to contain emissions, can be black too. Meanwhile a cable carrying black data that passes close to red equipment, and thus has the potential to pick up red data, can be considered red.
The main types of TEMPEST leakage path are as follows:
1. Unintentional radiation from red equipment, strong enough to be picked up directly.
2. Coupling onto black equipment or cables. Red emissions can be picked up by black wires or equipment and propagated. The unwanted red data is described as parasitic. As black equipment and cables do not need to be protected, the parasitic red data can escape.
3. By coupling onto an intentional emitter. A secure data storage device may be located close to an insecure radio transmitter. Secure data coupled on to the radio may be amplified and transmitted for all to hear.
4. By conduction. As your computer generates its ones and zeros, it will create tiny surges and glitches in the mains current supplying it. Given sensitive enough equipment, these could be interpreted by reading the mains cable from several miles away.
One solution is to create around the at-risk IT facility a hardened, ‘red’ secured area or full Faraday cage lined with steel, aluminium or copper, backed up by the suppression of any conducted EMI which may contain intelligible information by filtering.
Where a cable has to pass through a red/black boundary, a filter can be inserted as an intended countermeasure to filter out all frequencies except the desired signal. It is normally a low-pass filter that blocks everything above a given frequency, on the basis that any parasitic red signal is likely to be of high frequency. This solution has obvious limitations, since any parasitic signals within the passband will still get through, and a low-pass filter cannot be used if the desired signal is itself of high frequency. A proper TEMPEST-grade filter must also prevent bypass coupling, where a radiated red signal bypasses the filter and couples onto the black side.
Because the propagation of unintentionally radiated emanations is relatively inefficient over distance, most red zones are situated in the normal building fabric, where potential eavesdroppers are denied opportunity by physical security measures.
The coupling of electromagnetic emanations onto cables and wires travelling into the black zone represents a more critical threat. This coupling and subsequent transmission down line can be very efficient, and information-bearing signals can be carried far beyond the building boundary, where they may be intercepted, analysed and reconstructed.
Electrical filters at the red/black boundary diminish the risk
The electrical infrastructure of any data centre will include power cables, telephone and data lines, and building management services wires. All of these can represent very efficient receptors of those emanations and signals circulating within the red zone. When these signals are carried far from the building boundary and beyond the physical security measures, then they can be readily decoupled from the cables and wires, without the host being aware that his facility has been compromised. The solution to mitigate the risk is to install appropriate electrical filters at the architectural boundary of the red and black zones.
The filters selected must be verified as being effective across the full spectrum up to Super High Frequency. Commercial EMI filters will not support a performance at these high frequencies, and it is essential that professional TEMPEST filters utilising feedthrough suppression capacitors are installed.
High-speed information-bearing signals are the ones most likely to couple onto the low impedance, copper power cables trailing through a data centre, and then be most vulnerable to interception beyond the building boundary. Accordingly, to be effective, the electrical filters designed for TEMPEST anti-eavesdropping applications have to perform across the full frequency spectrum to Super High Frequency or SHF (3GHz to 30GHz), and above. MPE filters with incorporated feedthrough suppression capacitors do just that. Commercial grade equipment filters, employing two-terminal capacitors and designed for suppression of EMI up to typically 30MHz, will fall into resonance well before the SHF band, and are therefore unsuitable for TEMPEST uses.
Passbands, stopbands & integrated hardening
The filters will have passbands which will allow those wanted frequencies to pass through with minimum attenuation, for example 0-50Hz passband for cables carrying AC power across the building boundary. The stopbands of the filters will be maximal across that frequency spectrum, constituting maximum risk of signal eavesdropping, that is 10kHz/100kHz to 1GHz/10GHz, depending upon a facility’s at-risk classification.
When specifying filters, data centre managers must also take into account the electrical loading that TEMPEST filters will impose on their power supplies.
TEMPEST hardening comes at a cost – filters cause leakage currents and power dissipation, and take up space. On the plus side, the installation of TEMPEST filters supports the protection of equipment within the protected area from incoming mains-borne EMI and transients, which could otherwise pass unimpeded and cause damage and disruption to susceptible pieces of equipment. The TEMPEST filters will also contribute to the attenuation of secondary lightning effects not suppressed by primary building lightning protection devices.
When electrical filters can combine the multiple benefits of TEMPEST hardening, EMI suppression and transient attenuation, this is known as ‘integrated hardening’.
The long-term reliability of installed filters
Now a critical consideration of any data centre manager is that installed TEMPEST filters will be reliable over time. The undiminished long-term performance of installed filters becomes highly significant when most cannot be accessed easily to survey or replace – having been installed deep within building infrastructure.
Filters contain reactive and resistive elements which are all at risk of in-service failure. Although the electrical supply may be expected to be fused to cope with the possibility of a filter failing from a short circuit, it is the prospective loss of service that is of most concern to the data centre manager. The filter component at greatest risk of in-service failure is the capacitor. However, a filter such as MPE’s incorporating capacitors manufactured from self-healing, high-reliability, metallised plastic film would generally be expected to remain in service for the intended lifetime of a building.