Understand how compromising emanations can impact the security of your SCIF or SAPF
When constructing a SCIF or SAPF, there are numerous security concerns you need to address. On top of the more obvious physical and acoustic considerations, you also need to deal with mitigations related to unintentional emanations that could escape your SCIF. These emanations are unintended data-related or intelligence-bearing radio frequency signals which, if intercepted, can disclose information related to national security. TEMPEST is the study, investigation and mitigation of these compromising emanations.
Emanations can come from any electronic equipment, whether it’s a personal laptop or a commercial server. Whatever data these pieces of equipment process electronically can potentially be picked up and analyzed. When those data hold national security-related information, the disclosure of it can be potentially dangerous.
Specialized equipment that can capture these radio frequencies and exploit the unintended transmission of data is available commercially. This means anyone with the knowledge could potentially pick up compromising emanations that escape your facility.
Every piece of electronic equipment that processes information has what’s known as a TEMPEST profile or footprint, which is the point from your processing equipment to the farthest point where emanations could be picked up or exploited. The TEMPEST footprint emanates in every direction from the equipment like a sphere. Generally, the more power this equipment uses, the larger the TEMPEST footprint will be.
TEMPEST is a major concern when constructing secure facilities, and there are a variety of ways to keep those unintended emanations from escaping and being picked up by adversaries.
When figuring out what TEMPEST mitigations your facility needs, you’ll be relying on guidance from a government Certified TEMPEST Technical Authority (CTTA). The CTTA will work with your Site Security Manager (SSM) and Accrediting Official (AO) to let you know what your facility’s TEMPEST mitigation requirements are.
Contact your CTTA early on in the construction process so they can make an evaluation of your needs. They’ll look at information including the volume of national security information your program will handle, the TEMPEST profile of your equipment, and any locally known threats in your facility location. TEMPEST measures are not to be implemented unless the CTTA recommends them.
There are a few common mitigations to address compromising emanations. Data-bearing signals are able to travel through the air or couple onto any metallic object, like pipes, and travel down them in your facility. They then escape through perimeter penetrations if there is no grounding or non-conductive sections in the pipes. The non-conductive section disrupts this pathway out. When pipes are grounded, a path is created to the ground that the majority of RF signals will take rather than continuing down the pipe or other conductor.
You can also add foil or even sheet metal into your perimeter walls as a way to prevent compromising emanations from escaping the facility. When using these materials, you create what’s known as a “six-sided box” around your perimeter, making sure the walls, ceiling and floors are covered. This creates a shield that blocks the signal and keeps the radio frequencies from escaping.
There are a range of other mitigations your CTTA may recommend. They will suggest these mitigations based on the performance level, measured in RF decibels (Db) and the width or path of frequency ranges, that your facility needs to prevent compromising emanations from being picked up. TEMPEST mitigation needs can vary significantly from project to project.
The CTTA often has a very large case load, so getting the TEMPEST review done can be a bit of a hurdle in your facility construction. However, it’s an important one, and something that you can’t be accredited without. TEMPEST is a complex issue, and it’s critical to get the right information and proper approvals in place before starting construction on your facility.
When it comes to meeting TEMPEST and other requirements for your facility, there’s no room for error. When you need security expertise to get your facility done right, you can trust Adamo’s consulting services. Contact us today to learn how our experts can partner with your team.