
Re: RFC 2527 Physical Security Controls Question



There are certainly a number of commercial applications where the use of
an armed, lethal, and strong response to a forcible intrusion or attack would 
be both prudent and justifiable.  I am thinking about a nuclear reactor, a 
control center that administers regional gas or electrical power supplies,
a major banking facility, a printing company that prints Traveler's Checks,
etc.

However, in all of those cases the justification would be to protect human life,
and only secondarily to protect property and major financial assets.  Unlike 
a government that could conceivably deploy automatic, lethal defenses to 
protect nuclear missiles, US law strongly frowns on people who set up deadfall 
devices or shotguns triggered to go off if someone attempts to open a door.  
(Having said that, some states allow the use of deadly force to prevent arson, 
and a few allow deadly force to protect against theft, but not unattended force.)

In the case of a CA that is only protecting signing keys and not encryption keys, 
such defenses would be "overkill".  Instead, various trip-guards could and perhaps 
should be deployed to cause key zeroization in the event of an attack, in order 
to prevent compulsion of personnel.  This should be in addition to the 
tamper-detecting circuitry contained within a FIPS 140-1 level 3 or 4 device, for
unless they have been disarmed they will sign what they are told to.

To go back to the original request, I would suggest that the physical security 
requirements outlined in the Industrial Security Manual have stood the test of time, 
and are defensible as a reasonable and prudent set of precautions.

I no longer have a copy of the ISM, but I would suggest that the requirements for a 
Closed Area would be the minimum for a CA.  If I were doing it, I would tend to 
make the outer peripheral area a Closed Area, to be used for administrative and 
technical office space.

The next level up would be a Strong Room or Vault, one that is suitable for the storage
of Top Secret documents in the open.  This would be where I would put the firewalls,
servers, etc. -- everything but the crypto devices that actually sign the most important 
certificates.

The inner sanctum might very well deserve SCIF treatment, including Red/Black power 
separation, but would presumably not require the attention to acoustic controls, assuming
the personnel don't sit around reading off the content of the keys!  

But what is more important than the physical strength and the ability to withstand an overt 
penetration is the degree to which the area would withstand a covert attack.  Sheet rock 
walls can be penetrated, repaired, and repainted very easily within a shift, and maybe even 
within an hour or so, so it is important to have appropriate infrared or microwave area 
alarm systems that cover the walls, floor, and ceiling.

Another problem is how to deal with the conflicting demands of the fire codes and security.

When I was with GTE Laboratories, we set up a closed area for cellular fraud investigations
that was built to Strong Room specifications.  The main access was controlled by a fingerprint
reader which was under my control (with a backup person in my group).  The rear door had a 
strong three-position combination lock on it.

The combination to that lock was sealed in plastic in an envelope that was kept for emergency 
response purposes by the building guards, so they could gain entry in case of fire. The rear door was 
always alarmed, and the front door was alarmed after hours. More importantly, however, there were
TWO sets of alarms -- one of which was wired to the building alarm system, and one of which was 
internal to and controlled within our area, and physically protected.  So in the event of an emergency
the building guards could get in, but they couldn't get in undetected, even if they turned off the 
building alarm system.

In addition, the most sensitive inner area should be designated a Two Man No Lone Zone. 
Two people should be required to enter the area together, preferably using two fingerprint readers 
or at least two physical keys, and those people should also be required to use a fingerprint 
reader to exit the facility.  The interior alarm should be activated shortly after the first person 
exits, to make sure someone doesn't stay behind unsupervised.

Finally, it must be recognized that the most devastating security compromises have not been caused
by external attacks, but by authorized insiders.  All of the physical security in the world won't 
help if your people can be compromised by say an offer of $100,000. So you need personnel 
investigations, bonding, etc., etc. The problem is typically getting your HR department to accept 
those requirements.

Bob
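The Two Man No Lone Zone rule described above (two people badge in together, the interior alarm arms shortly after the first one exits) can be enforced mechanically from the badge-reader log. The following is an added example, not code from the thread or from any of the facilities it describes: it replays a constructed badge log through a small occupancy monitor and raises an alarm whenever one person is alone in the zone longer than policy allows. The pairing window (30 s) and exit grace (60 s) are assumed values, not figures from the discussion.

```python
"""Two-person ("no lone zone") occupancy monitor over a constructed badge log.

Added example: the policy parameters and the log below are assumptions for
illustration, not values taken from the mailing-list thread.
"""
from dataclasses import dataclass, field
from typing import Optional

PAIRING_WINDOW_S = 30.0   # second person must badge in this soon after the first (assumed)
EXIT_GRACE_S = 60.0       # interior alarm arms this long after the zone drops to one occupant (assumed)


@dataclass
class ZoneState:
    occupants: set = field(default_factory=set)
    lone_since: Optional[float] = None   # when the zone last dropped to exactly one person
    lone_cause: str = ""                 # "entry" (waiting for partner) or "exit" (partner left)
    lone_alarmed: bool = False           # alarm already raised for this lone interval
    alarms: list = field(default_factory=list)   # (time, description)


def _lone_limit(state: ZoneState) -> float:
    """A lone entrant gets the pairing window; a lone leftover gets the exit grace."""
    return PAIRING_WINDOW_S if state.lone_cause == "entry" else EXIT_GRACE_S


def _check_lone(state: ZoneState, now: float) -> None:
    """Raise the interior alarm once if someone has been alone past the allowed time."""
    if state.lone_since is None or state.lone_alarmed:
        return
    limit = _lone_limit(state)
    if now - state.lone_since > limit:
        who = next(iter(state.occupants))
        # The alarm time is when the grace expired, not when we noticed it.
        state.alarms.append((state.lone_since + limit, f"lone occupant: {who} ({state.lone_cause})"))
        state.lone_alarmed = True


def process_events(events, end_time: float) -> ZoneState:
    """Replay (timestamp, person, 'enter'|'exit') records and return the final zone state."""
    state = ZoneState()
    for ts, person, action in sorted(events):
        _check_lone(state, ts)          # evaluate the lone condition up to this event
        before = len(state.occupants)
        if action == "enter":
            if person in state.occupants:
                state.alarms.append((ts, f"duplicate entry: {person}"))
                continue
            state.occupants.add(person)
        elif action == "exit":
            if person not in state.occupants:
                state.alarms.append((ts, f"exit without entry: {person}"))
                continue
            state.occupants.remove(person)
        else:
            raise ValueError(f"unknown action {action!r}")
        if len(state.occupants) == 1:
            if state.lone_since is None:
                state.lone_since = ts
                state.lone_cause = "entry" if before == 0 else "exit"
                state.lone_alarmed = False
        else:
            state.lone_since = None     # empty or two-plus occupants: no lone condition
            state.lone_alarmed = False
    _check_lone(state, end_time)        # someone may still be alone when the log ends
    return state


# Constructed badge log (seconds since start of shift); not real data.
BADGE_LOG = [
    (0.0,    "alice", "enter"),
    (12.0,   "bob",   "enter"),   # partner arrives within the pairing window: OK
    (600.0,  "bob",   "exit"),    # zone drops to one occupant, interior alarm arms
    (640.0,  "alice", "exit"),    # alice leaves within the 60 s grace: OK
    (900.0,  "carol", "enter"),
    (1000.0, "carol", "exit"),    # nobody joined within 30 s -> lone-entry alarm at 930
    (1200.0, "dave",  "enter"),
    (1210.0, "erin",  "enter"),
    (1500.0, "erin",  "exit"),    # dave stays behind alone past the grace -> alarm at 1560
]


def audit_badge_log(end_time: float = 2000.0) -> ZoneState:
    return process_events(BADGE_LOG, end_time)


if __name__ == "__main__":
    result = audit_badge_log()
    for when, what in result.alarms:
        print(f"t={when:7.1f}  ALARM  {what}")
    print("still inside at end of log:", sorted(result.occupants))
```

The monitor only consumes the reader log; in a real installation the alarm output would drive the independent interior alarm circuit mentioned above rather than the building system, so that a lone occupant is still detected if the building-side alarm is disabled.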


>>> <TMetzinger@aol.com> 12/14/99 06:22PM >>>
John Kennedy and Lynn Wheeler both made excellent points about the potential 
need for absolute top-grade physical security in a commercial CA operation.  
It all seems to come down (as always) to risk assessment and balancing the 
cost of security against its benefits.

In the commercial world, especially in the financial and medical sectors, the 
potential liability for a CA operator could be enormous, easily justifying 
the cost of physical security measures rivalling that found around weapons of 
mass destruction.

This brings up an interesting question though...  For a government, it's very 
easy to designate a resource as being sufficiently valuable to authorize the 
use of deadly force to protect it - try to get close to a stealth aircraft 
sometime. For commercial applications, however, even where billions of 
dollars may be at stake, it's harder (if not impossible) to implement that 
final line of security.  

So for you non-government types, would your CA physical security include 
lethal defenses?  Can anyone think of any application for a non-government CA 
that would require such defenses?  I'm not talking about just armed guards 
here...  I'm talking about defenses that would kill an unauthorized 
individual who entered protected space BEFORE they did any damage besides 
entering that space. 

Timothy M. Metzinger
Technical Director
Drug Enforcement Administration
Office of Information Systems
(202) 307-9884
(888) 385-0705