TEMPEST 101: Usage In Secured Spaces


TEMPEST has almost become slang in the facilities design and construction world. The technical definition is Telecommunications Electronics Material Protected from Emanating Spurious Transmissions. With some serving in or for the Top Secret, High Security, COMSEC, and OPSEC arenas, its use has become generic, like how the word theory in the scientific community means far more than simply a guess. Still, the word theory has incorrectly become a synonym for a hypothesis in common usage. TEMPEST is a goal with various methods to achieve the goal, not simply a design, material, or method to get to the goal. In the last ten years especially, I have heard it used to indicate that a space (usually a secured space like a SCIF) will require radio frequency/electromagnetic barrier foil or other RF/EM barriers. While this isn’t always incorrect, it misses the fact that TEMPEST can be achieved in many ways. I’ve had defense industry experts and in-house facilities management or security personnel show significant confusion about their spaces regarding TEMPEST countermeasure requirements. For example, many people assume that if a space does not show a need for RF foil or RF-rated doors, it is not a TEMPEST space simply due to that observation.

Let’s talk about what TEMPEST actually means.

The foundation of TEMPEST requirements comes from the National Communications Security Committee Directive 4, Document NACSIM 5100A, the National Security Administration and NATO. The term technically covers the methods of electronically spying on others and the methods of defense against this spying. However, we’ll utilize it from a facilities, design, renovation, and construction standpoint.

While we may look at it from this angle, understanding some of the history is vital. Bell Systems company, working with the United States in World War II, demonstrated that they could intercept and decrypt (in plain text) electromagnetic spikes emanating, at a distance, from their own encrypted message devices supplied to the Signal Corps. Three issues were found to be the cause: radiated signals, signals conducted via wires penetrating the facility, and magnetic fields. They also found that shielding specific pieces of equipment was expensive and impractical. This created the idea to control a 100’ (30m) radius around sensitive communication equipment. In 1958, the NSA created standards that included the Red/Black Concept of keeping sensitive wires and equipment at a distance from non-sensitive cables or equipment and controlled distances for radiation dispersion. Later, in 1966, the NSA formalized TEMPEST standards.

Let’s fast forward to today. When designing and constructing a space to meet TEMPEST requirements, the use case and location of the space or device are paramount considerations. While most TEMPEST documents are classified, we know that understanding security in depth is a critical component to meeting the goal of TEMPEST. I must note again that TEMPEST is a goal that requires variable methods to achieve based on the use case. It is not a rigid or singular descriptor in facilities. Distances from uncontrolled space, equipment distances from walls, measured radiation emanations, “read-in” or security status of nearby personnel, and many other factors will determine if a space can be seen as having TEMPEST protection. A use case example is that if a device, say a supercomputer, needs to be used near a battlefront, a Faraday Cage and filtered power supply could be all that is required. This could even be an RF/EM-preventing tent structure. In this instance we are likely looking at a scenario where the area around the device can be easily controlled by military forces, creating additional security in depth. A more common use case in the facilities world is that a SCIF space may need to be built to allow human occupancy, larger pieces of classified equipment, verbal communications, etc. In this instance, the TEMPEST requirements amalgamate with Sound Transmission Ratings and barrier protections. You can read about these concerns in my article titled SCIF 101: Understanding Sensitive Compartmented Information Facilities. For now, we’ll focus on the TEMPEST component alone. If this space is installed where people without clearances, foreign nationals, or other unrelated spaces are nearby, the distance and security in-depth requirements to meet TEMPEST concerns will likely not be met. This will trigger other countermeasures like installing RF/EM foil shielding, grounding studs, grounding conduit, HVAC and pipe penetrations, equipment distance considerations, etc.

It's notable, though, that not all spaces that are occupiable or have other structures nearby need countermeasures like RF/EM foil shielding or even RF-rated door systems. This will depend on the surrounding spaces, distance from uncontrolled areas, distance from foreign nationals, program requirements, the classification requirements of nearby personnel, and other factors.

In short, it is best to refrain from using countermeasures designed into the space as the determining factor to whether a space is TEMPEST protected without factoring in its location and security in-depth status.

A few examples are:

  • A SCIF space built into a larger space, with appropriate distances to uncleared personnel and with security in-depth may not need TEMPEST countermeasures like RF/EM foil designed into its specific construction plans to be considered TEMPEST.

  • A government official owns a cabin deep in the woods and needs to use a classified computer. Security in-depth and other non-facility concerning countermeasures like controlled distances and filtered power and information systems for the device may be enough to meet the TEMPEST requirements without significant modifications to the cabin itself. Emanations are known to be decodable at around 100 meters. If the space is inaccessible to persons or devices not permitted inside this range and the device(s) utilized within the range are adequately protected, this could meet the TEMPEST requirements.


The term TEMPEST can be confusing. We regularly see it misused or misunderstood in facilities management, design, and construction. I hope this helps you understand the proper descriptions and usage while knowing how to translate its misuses. Possibly, it will merely help you ask the correct questions. Misunderstanding TEMPEST can cause facilities engineers, designers, and builders to make expensive assumptions or design at higher costs for customers (internal or external), increase labor costs, and add frustration to all parties. Thinking of TEMPEST as an encompassing thought process versus a method, a product, or a design, is a good start to having a successful project.

For more information about SCIFs, Cleanrooms, or other Advanced Technology design and construction, contact me at [email protected]


*This article was not written by A.I. Constructive criticism is always welcome.

Aaron Etzkorn

Pioneering the Clean Energy Movement || Leading Willdan's Charge to Sustainable Energy || Learn more about sustainable energy solutions at Willdan.com || President, Willdan - Performance Engineering

6 months

This is a fascinating exploration, Matthew George. How does TEMPEST technology enhance security in sensitive facilities?

Aaron Etzkorn

Pioneering the Clean Energy Movement || Leading Willdan's Charge to Sustainable Energy || Learn more about sustainable energy solutions at Willdan.com || President, Willdan - Performance Engineering

6 months

Matthew George, How can we simplify its application in today's advanced technological landscape?
