
ZONE PROGRAM

An Alternate TEMPEST Countermeasure


Information Bulletin
July 1994

Introduction
With recent changes to security in the U.S. Government, a testing
method that was established many years ago is now finding new life.
The security changes being implemented in the U.S. and other
international governments are driven by the need to reduce expenses.
ZONE products were created to provide a cost-effective alternative to
full TEMPEST implementation and will also provide industry with
broader security alternatives. ZONE products and their physical
locations are matched to ensure complete information security.
Normally under the Government program, this would mean that an
individual would purchase a product that was measured to meet the
design of their facility. The new ZONE Program is designed to meet
Government as well as non-government users' needs to ensure the
security of their computer-created information in an affordable
manner.

Historical Perspective
Around 1984-1985, several U.S. Government agencies, including the Air
Force and NSA, identified a method of measuring and verifying a
facility's ability to suppress Radio Frequency (RF) signals. This was
not the first time this method was used but now the coordination of a
facility's inherent ability to attenuate RF was being coupled with a
product's emanation (RF Radiation) profile. The rationale behind
Zoning was based on the fact that many facilities have large areas of
controlled space where either the organization or the Government
provides appropriate protection from intrusion. This, coupled with the
increasing requirement to reduce costs, provided the impetus to develop
an alternative to full TEMPEST compliance. It was the Government's
opinion that a reduced emission product would cost less to produce
than a full TEMPEST compliant reduced emission product. A
sub-committee of the NSA TEMPEST Blue Ribbon Commission (including
industry participants) found that ZONE products produced under the
current TEMPEST program would still require a substantial premium to
develop, test, and produce. This premium was still greater than the
cost savings the Government was willing to accept. The new ZONE
Program was created by the successor group of the Blue Ribbon
Commission, the Government Industry TEMPEST Advisory Panel (GITAP).
The new ZONE program was independent of the TEMPEST Endorsement
Program (TEP) and was given more latitude which provided for
substantial cost savings.

Risky Business
Risk Management as compared to Risk Avoidance is a common thread in
today's Information Security arena. However, risk management need not
be risky, but must be the management of security issues in a
cost-effective manner. A well-implemented Information Security Program
measures the (intrinsic) value of the data, identifies the actual
threat, measures the vulnerability of the current system (including
physical attributes), and provides cost-effective countermeasures that
appropriately prevent improper access to the information. The formula
used by some government organizations to assess Risk Management is:

    R = T x V x V2

Where:

    R  is the Risk
    T  is the Threat, based on accumulated information and known issues
    V  is the Vulnerability concerning the product, place, or program
    V2 is the Value of the information

As can be seen in the formula, if the Threat has been reduced and you
have not changed the Vulnerability or the Value of the information,
then some protection is needed but to a lesser degree. It is more than
apparent that adversaries are closely reviewing the changes occurring
in government and industry security programs. It is equally apparent
that they will identify a specific vulnerability and compromise the
information. There are people who feel that since the Threat has "gone
away", there is no need to protect the devices. In this formula as in
life, there is a possibility that you may reduce the value of the
components of the formula, but never to zero. There will always exist
a need for some level of protection. The ZONE Equipment Program (ZEP)
is the first rung on the ladder of computer security protection.

ZONE Defined
All Electronic/Electrical devices absorb, utilize, and dissipate
energy. Some of this energy dissipates as heat, radio frequency (RF),
and electro-magnetic energy. The radiated RF energy is mostly noise.
This noise can be sensed by other electronic devices like radios and
TVs. This can best be described by the noise received on your radio in
the den every time you turn on the blender in the kitchen. This same
type of noise is generated by your computer each time you use it.
However, included in this noise is the information you generate on the
computer: every key you press on the keyboard, any information
displayed on the monitor, and all information read from or written to
your disk drives. All of these activities create an
information transmission radiated from your computer. If the
conditions are right, this information can be received and recreated
on another device as much as a mile away. TEMPEST technology is the
method used to suppress this information transmission. The ZONE
program was conceived to provide a cost effective alternative to a
full TEMPEST countermeasure. TEMPEST products are commercial products
designed and modified to meet a rigorous Government emanation
specification. These TEMPEST tests are extensive and the modifications
are expensive. ZONE products are commercial products (not modified),
tested against a reduced emanation specification. The U.S. Government
program encompasses both a product test and facility test. The
facility test is a physical measurement of an area's inherent ability
to attenuate (reduce) RF energy to an acceptable level, measured at a
particular distance from the Zone (target area). Once completed, the
building is divided into Zones and then products that are tested to
these zones are matched to the appropriate area. With or without a
facility measurement, a Zone tested product can be utilized in an area
where the limits of control are known. The configuration and the
choice of components of the Zone system are critical to the success of
the test. The ZONE product thus gives the user a true sense of
its emanation profile. Guided by this information, the user will
understand the limits of the product's vulnerability.

The Threat
There are many people who question the threat to computer products.
These are the same people who purchase disaster recovery service
after a disaster and implement a virus scan policy after replacing
volumes of data lost to malicious code. These are the same individuals
who never back up data until their disk drive crashes; then they
fervently believe in conscientious daily backup.

Organizations that have maintained a concerted TEMPEST program have
boasted that they have never lost information to an emanation assault.
They have reasoned that this is because no adversary is actively
pursuing this method. The emanation threat to computer information is
more malicious than other threats because it leaves no trail and
allows the perpetrator to acquire the information completely without
the user's knowledge. The eavesdropper does not even have to be in the
building with the computer. The individual could be sitting in an
inconspicuous van across the street from your facility. Furthermore,
it is legal (in some countries) to monitor data-related
electromagnetic radiation (RF). According to Ernst & Young
(National Corporate Auditors), computer crime costs the U.S. economy
from three (3) to five (5) billion dollars each year!

Comparing FCC and ZONE
There appears to be some confusion between a product meeting the
Federal Communications Commission (FCC) radiation requirement (in the
U.S.) and the ability of this (FCC-compliant) product to suppress
data-related emanations. FCC tests are performed to evaluate a product's
electrical noise generation, principally to measure whether the
product will interfere with other electronic devices. ZONE and TEMPEST
tests evaluate the product's data-related emanations. Utilizing the
FCC test as a ZONE/TEMPEST measurement would be like using a throat
culture to determine if you have a broken leg.

How Vulnerable
In this bulletin you have read about 'risk' and 'threat'. The two
other values in the information security formula are 'vulnerability'
and 'value of information'. The value you place on your information is
not necessarily an arbitrary figure. There are guidelines that will
help you evaluate the impact and influence of this information. Even
in the Government where documents are categorized, the classification
level and the type of information are only part of the evaluation. The
impact of the information and how it can be subverted are part of the
decision on the valuation of the item. Once a value is placed on the
information, you then have an idea of the extent to which you need to go to
protect that data. The Vulnerability then becomes a pivotal segment of
the formula. As described in a preceding section, all electronic
devices radiate RF energy; the extent of this radiated energy
(including radiated information) defines the vulnerability of the
product. This radiation pattern is product specific but can be
enhanced or reduced based upon the interconnection of components. This
means in a computer system you can have a monitor and a CPU both of
which exhibit a particular radiation pattern but when coupled together
the result may be worse than either of the products individually. The
reason for this is technically based on frequencies, bandwidth,
grounding techniques, and impedance of the independent
products/components.

NSA Zone Program Status
NSA introduced the formal ZONE program in November 1993. The first
listing occurred in the April 1994 Information Security Product and
Services Catalogue. Products listed will be tested based on NSTISSAM
TEMPEST/2-92 and 1-92 specifications.

Comparing US and NATO Zone Specifications
Although the U.S. has only one document providing standards for
laboratory TEMPEST testing to NATO's three, these standards and test
procedures are actually equivalent. The NATO TEMPEST specification
AMSG-720B is equivalent to the U.S. Government NSTISSAM TEMPEST/1-92
Level I standard. Likewise, NATO specifications AMSG-788A and
AMSG-784B are equivalent to the U.S. Government NSTISSAM TEMPEST/1-92
Level II and Level III standard, respectively. The U.S. TEMPEST Zones
A-D defined in NSTISSAM TEMPEST 2/93 are not equivalent to, but are
compatible with, the NATO TEMPEST Zones 0-3 defined in AMSG-799A.

The Security of Zone
As with any product or program, ZONE products are not a panacea for a
total computer security implementation. The user should ensure that
all vulnerabilities are reviewed and an appropriate (cost-effective)
countermeasure is utilized for each. ZONE products are commercial
computer products, and with the fast-paced technology changes occurring
in the PC market it is essential that the zone user be aware of some
of the volatilities of this program. The requirement for this program
is to test and pass a (single) product/system. Changes in the product
after the initial test can affect the Zone profile of a product. The
user should choose a vendor that has a product platform that is
stable, understands the needs of a security-conscious user, and can
respond to the ensuing manufacturing changes. The standard ZONE
program offers no guarantees as to the continued ZONE product
integrity. The user should choose a provider (like Wang) that offers
additional features including ZONE warranties, logistics
compatibility (consistent components/parts across product lines),
integration capability, and custom configurations so that the
product/system can be tailored to the user's needs. The quality of the
manufacturing process is critical to continual product (Zone)
integrity. Therefore, the user should select a vendor with a track
record and an effective manufacturing quality program implementation
(like ISO-9000).

Security products like the Zone Program are an ever-evolving process.
For additional information on the Wang Zone Program and how we can
help protect your information, call Wang Laboratories, Inc. today.

The material presented here is summary in nature, subject to change
and intended for general information only. Additional details and
specifications concerning the operation and use of Wang equipment and
software are available in the applicable technical literature.

1994, Wang Federal, Inc.