preserving information security at data centres · applications, mpe’s emi, emp and tempest...

The TEMPEST threat to informationsecurity was first recognised by theUS National Security Agency (NSA)

and GCHQ in the 1960s. Governments,armed forces, municipal authorities andcompanies now share this concern thatelectrical and electronic equipment such ascomputers and peripherals give offunintended electromagnetic emanationswhich can then be reconstructed beyondthe building boundary as intelligible data.Countermeasures are aimed at

preventing eavesdropping on data radiatedas signals via conducting lines such aspower, telephone or control line cables.

The evidence is that TEMPESTcountermeasures are becoming asimportant for information security in thecivilian world as in the military arena.Examples of sites at risk would beWestern embassies in hostile parts of theworld, and data centres handling sensitivepersonal and financial information, wherepower line cables are vulnerable toelectronic eavesdropping.

Confidential data – or devicescontaining or processing such data – areusually referred to as “red”. This impliesmerely that you don’t want the data toescape. Conversely, non-confidential dataand equipment are termed “black”.Sensitive or classified data that has beensuitably encrypted is also regarded asblack. A device processing red data, yetincorporating adequate protection tocontain emissions, can be black too.Meanwhile a cable carrying black data thatpasses close to red equipment, and thushas the potential to pick up red data, canbe considered red.

Where a cable has to pass through ared/black boundary, a filter can be insertedas an intended countermeasure to filterout all frequencies except the desired

signal. It is normally alow-pass filter that blockseverything above a givenfrequency, on the basisthat any parasitic redsignal is likely to be ofhigh frequency. Thissolution has obviouslimitations, since anyparasitic signals withinthe passband will stillget through, and a low-pass filter cannot beused if the desiredsignal is itself of highfrequency. A properTEMPEST-grade filtermust also preventbypass coupling, wherea radiated red signalbypasses the filter andcouples onto theblack side.

Paul Currie, the salesand marketing directorof MPE, explains:“High-speedinformation-bearingsignals are the ones

most likely to couple onto the lowimpedance, copper power cables trailingthrough a data centre, and then be mostvulnerable to interception beyond thebuilding boundary. Accordingly, to beeffective, the electrical filters designed forTEMPEST anti-eavesdropping applicationshave to perform across the full frequencyspectrum to Super High Frequency (SHF)(3GHz to 30GHz), and above.

“MPE filters with incorporatedfeedthrough suppression capacitors do justthat. Commercial grade equipment filters,employing two-terminal capacitors anddesigned for suppression of EMI up totypically 30MHz, will fall into resonancewell before the SHF band, and aretherefore unsuitable for TEMPEST uses.”

MPE offers a comprehensive range ofTEMPEST power line filters of alternativeperformance specifications. These extendfrom 6A to 16A filters, which might beused to treat individual power inlets, up to2400A filters for the hardening of a mainbuilding power supply. When specifyingfilters, data centre managers must alsotake into account the electrical loadingthat TEMPEST filters will impose on theirpower supplies.

TEMPEST hardening comes at a cost –filters cause leakage currents and powerdissipation, and take up space. On the plusside, the installation of TEMPEST filterssupports the protection of equipmentwithin the protected area from incomingmains-borne EMI and transients, whichcould otherwise pass unimpeded andcause damage and disruption tosusceptible pieces of equipment. TheTEMPEST filters will also contribute to theattenuation of secondary lightning effectsnot suppressed by primary buildinglightning protection devices.

When electrical filters can combine themultiple benefits of TEMPEST hardening,EMI suppression and transient attenuation,this is known as “integrated hardening”.

Now a critical consideration of any datacentre manager is that installed TEMPESTfilters will be reliable over time. The

undiminished long-term performance ofinstalled filters becomes highly significantwhen most cannot be accessed easily tosurvey or replace – having been installeddeep within building infrastructure.

So, having been originally designed tosupport mission-critical militaryapplications, MPE’s EMI, EMP and TEMPESTfilters apply the most liberal design marginsto ensure maximum in-service reliability.MPE has also long supplied TEMPESTproducts which adhere to the onerousspecifications of CESG (theCommunications Electronics SecurityGroup at GCHQ) and of the US NSA andmore recently NATO SDIP-27 Standards.

Filters contain reactive and resistiveelements which are all at risk of in-servicefailure. Although the electrical supply maybe expected to be fused to cope with thepossibility of a filter failing from a shortcircuit, it is the prospective loss of servicethat is of most concern to the data centremanager. The filter component at greatestrisk of in-service failure is the capacitor.However, filters such as MPE’sincorporating capacitors manufacturedfrom self-healing, high-reliability, metallisedplastic film would generally be expected tobe fully reliable for the intended lifetime ofan installation.

MPE manufactures power line filterswhich support the highest level ofTEMPEST hardening, providing lowinsertion loss performance (dB againstfrequency in Hz) across the wholespectrum from Very Low Frequency (VLF)to above SHF. Hence the performance ofMPE filters comfortably exceeds theindustry benchmarks for mains supplyapplications, which can b as high as 100dBin a frequency range across 10kHz to10GHz. Housed in electroplated steelcases, TEMPEST filters from MPE are ofcompact size for easy, flexible, bulkhead orchassis mounting into the rack systems ofdata centres, and include product optionswhere low earth leakage is critical.

www.mpe.co.uk

John Parsons of MPE Ltd talks about the dangers ofleaking confidential data from data centres and howMPE’s TEMPEST filters can help prevent it

John Parsons

28 December 2016/January 2017 Components in Electronics www.cieonline.co.uk

Communications Technology

250V AC, 50/60Hz, 16A MPE TEMPEST power line filter forinformation security at data centres

Preserving informationsecurity at data centres

Typical 5A to 100A MPE TEMPEST power line filters for data centres

CIE_Dec-Jan_p28_CIE 06/01/2017 09:32 Page 28