ZONE PROGRAM
An Alternate TEMPEST Countermeasure
Information Bulletin, July 1994

Introduction

With recent changes to security in the U.S. Government, a testing method that was established many years ago is finding new life. The security changes being implemented by the U.S. and other governments are driven by the need to reduce expenses. ZONE products were created to provide a cost-effective alternative to full TEMPEST implementation, and they also give industry broader security alternatives. A ZONE product and its physical location are matched to ensure complete information security. Under the Government program this normally means that a purchaser selects a product whose measured emanation profile fits the facility in which it will be installed. The new ZONE Program is designed to meet the needs of Government as well as non-government users who must secure computer-generated information in an affordable manner.

Historical Perspective

Around 1984-1985, several U.S. Government agencies, including the Air Force and NSA, identified a method of measuring and verifying a facility's ability to suppress radio frequency (RF) signals. This was not the first time the method had been used, but now a facility's inherent ability to attenuate RF was being coupled with a product's emanation (RF radiation) profile. The rationale behind zoning was that many facilities have large areas of controlled space where either the organization or the Government provides appropriate protection from intrusion. This, coupled with the increasing requirement to reduce costs, provided the impetus to develop an alternative to full TEMPEST compliance. It was the Government's opinion that a reduced-emission product would cost less to produce than a fully TEMPEST-compliant product.
A sub-committee of the NSA TEMPEST Blue Ribbon Commission (including industry participants) found that ZONE products produced under the then-current TEMPEST program would still carry a substantial premium to develop, test, and produce, a premium greater than the cost savings the Government was willing to accept. The new ZONE Program was created by the successor to the Blue Ribbon Commission, the Government Industry TEMPEST Advisory Panel (GITAP). The new ZONE Program is independent of the TEMPEST Endorsement Program (TEP) and was given more latitude, which provided for substantial cost savings.

Risky Business

Risk management, as opposed to risk avoidance, is a common thread in today's information security arena. Risk management need not be risky, but it must be the management of security issues in a cost-effective manner. A well-implemented information security program measures the (intrinsic) value of the data, identifies the actual threat, measures the vulnerability of the current system (including its physical attributes), and provides cost-effective countermeasures that appropriately prevent improper access to the information. The formula used by some government organizations to assess risk is:

    R = T x V x V2

where:

    R   is the Risk
    T   is the Threat, based on accumulated information and known issues
    V   is the Vulnerability of the product, place, or program
    V2  is the Value of the information

As the formula shows, if the Threat has been reduced and you have not changed the Vulnerability or the Value of the information, some protection is still needed, but to a lesser degree. It is more than apparent that adversaries are closely reviewing the changes occurring in government and industry security programs. It is equally apparent that they will identify a specific vulnerability and compromise the information. There are people who feel that since the Threat has "gone away", there is no need to protect the devices.
In this formula, as in life, you may reduce the value of the components, but never to zero. There will always be a need for some level of protection. The ZONE Equipment Program (ZEP) is the first rung on the ladder of computer security protection.

ZONE Defined

All electronic and electrical devices absorb, utilize, and dissipate energy. Some of this energy dissipates as heat and some as radio frequency (RF) electromagnetic energy. The radiated RF energy is mostly noise, and it can be sensed by other electronic devices such as radios and TVs: think of the noise on the radio in the den every time the blender in the kitchen is turned on. Your computer generates the same type of noise each time you use it. However, this noise also carries the information you generate on the computer: every key you press on the keyboard, any information displayed on the monitor, and all information read from or written to your disk drives. Each of these activities creates an information-bearing transmission radiated from your computer. If conditions are right, this information can be received and reconstructed on another device as much as a mile away. TEMPEST technology is the method used to suppress this information transmission.

The ZONE Program was conceived to provide a cost-effective alternative to a full TEMPEST countermeasure. TEMPEST products are commercial products designed and modified to meet a rigorous Government emanation specification; the TEMPEST tests are extensive and the modifications are expensive. ZONE products are commercial products (not modified) tested against a reduced emanation specification. The U.S. Government program encompasses both a product test and a facility test. The facility test is a physical measurement of an area's inherent ability to attenuate (reduce) RF energy to an acceptable level, measured at a particular distance from the Zone (target area).
Once the facility measurement is completed, the building is divided into Zones, and products tested to those Zones are matched to the appropriate area. With or without a facility measurement, a Zone-tested product can be used in an area where the limits of control are known. The configuration and the choice of components of the Zone system are critical to the success of the test. The ZONE product thus gives the user a true sense of its emanation profile; guided by this information, the user will understand the limits of the product's vulnerability.

The Threat

Many people question the threat to computer products. These are the same people who purchase disaster recovery service after a disaster and implement a virus scan policy after replacing volumes of data lost to malicious code. These are the same individuals who never back up data until their disk drive crashes, and then fervently believe in conscientious daily backup. Organizations that have maintained a concerted TEMPEST program have boasted that they have never lost information to an emanation assault. They have reasoned that this is because no adversary is actively pursuing this method. The emanation threat to computer information is more insidious than other threats because it leaves no trail and allows the perpetrator to acquire the information completely without the user's knowledge. The eavesdropper does not even have to be in the building with the computer; the individual could be sitting in an inconspicuous van across the street from your facility. Furthermore, in some countries it is legal to monitor data-related electromagnetic radiation (RF). According to Ernst & Young (national corporate auditors), computer crime costs the U.S. economy from three (3) to five (5) billion dollars each year!

Comparing FCC and ZONE

There appears to be some confusion between a product meeting the Federal Communications Commission (FCC) radiation requirement (in the U.S.)
and the ability of that (FCC-compliant) product to suppress data-related emanations. FCC tests evaluate a product's electrical noise generation, principally to determine whether the product will interfere with other electronic devices. ZONE and TEMPEST tests evaluate the product's data-related emanations. Using the FCC test as a ZONE/TEMPEST measurement would be like using a throat culture to determine whether you have a broken leg.

How Vulnerable

In this bulletin you have read about 'risk' and 'threat'. The two other values in the information security formula are 'vulnerability' and 'value of information'. The value you place on your information is not necessarily an arbitrary figure; there are guidelines that will help you evaluate the impact and influence of this information. Even in the Government, where documents are categorized, the classification level and the type of information are only part of the evaluation. The impact of the information and how it could be subverted are also part of the decision on the valuation of the item. Once a value is placed on the information, you have an idea of how far you need to go to protect that data.

The Vulnerability then becomes a pivotal segment of the formula. As described in a preceding section, all electronic devices radiate RF energy, and the extent of this radiated energy (including radiated information) defines the vulnerability of the product. This radiation pattern is product-specific but can be increased or reduced by the interconnection of components. In a computer system you can have a monitor and a CPU that each exhibit a particular radiation pattern, but when they are coupled together the result may be worse than either product individually. The technical reasons lie in the frequencies, bandwidth, grounding techniques, and impedance of the independent products/components.

NSA Zone Program Status

NSA introduced the formal ZONE Program in November 1993.
The first listing occurred in the April 1994 Information Security Product and Services Catalogue. Products listed will be tested based on the NSTISSAM TEMPEST/2-92 and 1-92 specifications.

Comparing US and NATO Zone Specifications

Although the U.S. has only one document providing standards for laboratory TEMPEST testing to NATO's three, these standards and test procedures are actually equivalent. The NATO TEMPEST specification AMSG-720B is equivalent to the U.S. Government NSTISSAM TEMPEST/1-92 Level I standard. Likewise, the NATO specifications AMSG-788A and AMSG-784B are equivalent to the NSTISSAM TEMPEST/1-92 Level II and Level III standards, respectively. The U.S. TEMPEST Zones A-D defined in NSTISSAM TEMPEST 2/93 are not equivalent to, but are compatible with, the NATO TEMPEST Zones 0-3 defined in AMSG-799A.

The Security of Zone

As with any product or program, ZONE products are not a panacea for a total computer security implementation. The user should ensure that all vulnerabilities are reviewed and that an appropriate (cost-effective) countermeasure is applied to each. ZONE products are commercial computer products, and with the fast-paced technology changes occurring in the PC market it is essential that the Zone user be aware of some of the volatilities of this program. The program requires that a (single) product/system be tested and pass. Changes in the product after the initial test can affect its Zone profile. The user should choose a vendor that has a stable product platform, understands the needs of a security-conscious user, and can respond to ensuing manufacturing changes. The standard ZONE Program offers no guarantee of continued ZONE product integrity.
The user should choose a provider (like Wang) that offers additional features, including ZONE warranties, logistics compatibility (consistent components/parts across product lines), integration capability, and custom configurations, so that the product/system can be tailored to the user's needs. The quality of the manufacturing process is critical to continued product (Zone) integrity; therefore, the user should select a vendor with a track record and an effective manufacturing quality program (such as ISO-9000). Security products like the Zone Program are an ever-evolving process. For additional information on the Wang Zone Program and how we can help protect your information, call Wang Laboratories, Inc. today.

The material presented here is summary in nature, subject to change, and intended for general information only. Additional details and specifications concerning the operation and use of Wang equipment and software are available in the applicable technical literature.

Copyright 1994, Wang Federal, Inc.