This page contains a Flash digital edition of a book.
 Protecting electronic information from leaking across enemy lines is vitally important in military operation, left; Tempest testing applies to whole vehicles and systems, below; as well as sub-systems and even wearables, inset


interprets SDIP-27 for UK national use. GPG14 assists anyone involved in


managing risks and accrediting ICT systems, as well as those involved in their design and installation, tomanage emissions security. GPG14 supportsHer Majesty’s Government’s Security Policy Framework, which states that departments and agenciesmust follow specific government procedures tomanage the risk posed by eavesdropping and electromagnetic emanations. The IA Busy Reader’s Guide No 17 aims


to help readers achieve amore pragmatic approach tomanaging risks associated with electromagnetic vulnerabilities. It does this by clarifying riskmanagement considerations for electromagnetic vulnerabilities and how these support technical risk assessment and treatment processes outlined in the supplement to HMG IA Standard Nos 1 & 2 (Supplement), Technical Risk Assessment and Risk Treatment.


NCSC CERTIFICATION According to test and certification body TÜV SÜD Product Service, Tempest certification enables manufacturers of electronic equipment which handles classified information to supply the military and secure government organisations throughout NATO and Europe. This equipment can be anything such as IT, communications systems, crypto products, worn/personal systems and even printers, as well as entire platforms such as ships, aeroplanes and land vehicles. Tempest certification is based on


testing which demonstrates conformity with verifiable and repeatable standards specified by NCSC, which represents NATO in the UK. The Tempest testing service therefore enables manufacturers of electronic products intended to handle classified information to be added to the UK approved products list. The Tempest Certification Scheme


relates to the NCSC implementation of the NATO standard SDIP-55 and seeks to achieve assurance based on compliance at every stage of a product’s life, from its initial design onwards. It supports the UK government’s cyber strategy, also ensuring that Tempest services comply with the EU’s IASG4-04 standard. Manufacturers wishing to have their


product or mobile platform (such as military vehicle or ship) certified must work with an NCSC accredited test facility, such as TÜV SÜD Product


Service, which can issue Tempest product certificates on behalf of NCSC. The NCSC Tempest Platform


Accreditation Scheme has been developed to provide comprehensive, but not exhaustive, Tempest testing for first-of-type military platforms (ships, land vehicles and aircraft), to ensure Tempest risks are identified in order to enable correction or mitigation of that risk prior to entering service. The first-of-type test plans and reports are scrutinised by NCSC before accreditation is awarded. In order to be accredited, and to verify


its performance, a test facilitymust submit a facility qualification report to NCSC every three years. Test engineersmust also have their qualifications revalidated by NCSC every three years.


TEMPEST SUPPORT There are three CESG (NCSC) documents which relate to Tempest and electromagnetic security (EMS), which can be referenced by both test laboratories and manufacturers to support themin their work. The IA Implementation Guide No 14


(IG14) gives practical guidance to support users with understanding the CESG Good Practice Guide No 14 (GPG14), as well as the NATOMilitary Committee Communication and Information Systems Security and Evaluation Agency (SECAN) document and information publications policy for testers (specifically SDIP-27 testing of equipment and SDIP-29 installation of equipment). IG14 also


CERTIFICATION PROCESS Broadly speaking, the tests consider how close people can get to the equipment in question and how it will be used. For example, is it held within a secure room, or an embassy to whichmembers of the public can get quite close? If it is the latter, theremay be a risk that an individual could use an antenna outside the embassy to pick-up what is on a laptop screen within the building. NCSC qualified engineers will examine a


manufacturer’s product against the Tempest standard, using NCSC accredited equipment.However, while Formal Tempest Certification Scheme (CFTCS) testing ensures that a new product is tested thoroughly for Tempest emanations, it is only performed on one product sample. Consequently, to ensure that the build standard remains consistent throughout the product’s production, Tempest Production Assurance Testing (TPAT) is carried out on samples fromthe product’s production run to ensure Tempest integrity ismaintained. As well as submitting products for testing


by an accredited laboratory,manufacturers must also undergo regularNCSC Tempest production audits tomaintain certification for their equipment.  Based on material contributed by Jean-Louis Evans, managing director of TÜV SÜD Product Service


EE


 To readmore on this story online at EEOnline scan the QR code or visit https://goo.gl/e8kXZ1


October 2017 /// Environmental Engineering /// 43


Page 1  |  Page 2  |  Page 3  |  Page 4  |  Page 5  |  Page 6  |  Page 7  |  Page 8  |  Page 9  |  Page 10  |  Page 11  |  Page 12  |  Page 13  |  Page 14  |  Page 15  |  Page 16  |  Page 17  |  Page 18  |  Page 19  |  Page 20  |  Page 21  |  Page 22  |  Page 23  |  Page 24  |  Page 25  |  Page 26  |  Page 27  |  Page 28  |  Page 29  |  Page 30  |  Page 31  |  Page 32  |  Page 33  |  Page 34  |  Page 35  |  Page 36  |  Page 37  |  Page 38  |  Page 39  |  Page 40  |  Page 41  |  Page 42  |  Page 43  |  Page 44  |  Page 45  |  Page 46  |  Page 47  |  Page 48  |  Page 49  |  Page 50  |  Page 51  |  Page 52  |  Page 53  |  Page 54  |  Page 55  |  Page 56  |  Page 57  |  Page 58  |  Page 59  |  Page 60