TIA security standard to cover broad ground


From the June 2014 issue of Cabling Installation & Maintenance Magazine

From specifying the protection methods for cabling pathways to requiring oversight of on-site material handling, the standard will bring some new requirements to the jobsite.

By Patrick McLaughlin

The work of the Network Security Task Group within the Telecommunications Industry Association's (TIA; www.tiaonline.org) TR-42 Engineering Committee has been ongoing for more than two years. The group is set to reach its first major milestone on the way to developing a standard when this month the TR-42.1 Subcommittee as well as the overall TR-42 Committee are expected to approve a project authorization request (PAR) that will officially put it on the path to standardization. Once the PAR is approved, the specification will have an official TIA number designation (ANSI/TIA-XXXX) as well as a working title. TR-42 is scheduled to meet June 9 through 13, during which the PAR approval is expected to happen.

With more than two years of effort already behind it, the task group has a clear goal and objectives for the eventual standard, as well as a timeline for its completion. That timeline, which is subject to change, currently targets a late-2015 approval date.

Masood Shariff, senior systems engineer principal with CommScope (www.commscope.com), leads the Network Security Task Group. In an interview, he discussed the group's beginnings, its efforts to date and its intentions for the standard. Shariff confirmed that the task group's creation came at the request of TIA leadership in early 2012. The association's interactions with the federal government (TIA is headquartered in Arlington, VA) may have been an impetus for that request. Rather than create a set of standards, rules, or regulations by itself for itself, the government often looks to non-governmental organizations, like the TIA, to develop such specifications that can benefit the entire country.

"There are problems with security at all levels," Shariff said, "from hacking to breaking into systems, theft, sabotage and others. The federal government is sensitive to the holes that exist in security systems, and wants to close as many of those holes as possible, for individuals as well as for itself." When TIA leadership requested the formation of a group within TR-42 to address security issues, the intent was "to improve overall security, whether it's an office building, a university, a federal building or any other," Shariff recalled.

Like a soldier

The concept of security is wide-ranging and can be difficult to succinctly describe. If there is a "security breach at Target," it could mean that someone broke a window at a local retail outlet after hours and walked away with thousands of dollars in merchandise. Or it could (and did) mean that the breach was digital, and tens of millions of credit and debit cards were compromised. The cabling industry concerns itself with both characterizations of security. A surveillance system within a retail store has a supporting cabling system. The data center through which credit-card information passes is loaded with cabling. Keeping those frames of reference and turning to the work of the Network Security Task Group, I asked Shariff if the standard under development will address A) cabling systems that support physical security-type applications like surveillance; B) cabling systems' role in the security of an organization's data through technologies like automated infrastructure management (AIM); and/or C) the physical security of cabling systems themselves, by such methods as placement in secure enclosures or otherwise closed pathways.

Shariff could have answered with a simple "yes," but thankfully chose to elaborate on the wide ground the standard will cover. He commented, "The telecommunications infrastructure inside a building is a very powerful entity. It can be compared to a soldier, whose first job is to protect self. Once a soldier is sure he is protected and secure, he looks around the environment and protects it. A telecom network in a building needs to protect itself so that it can continue to function. Secondly, it can protect its environment. Both forms of protection are critically important.

"Taking that telecom infrastructure and applying it to the rest of the building and campus is a broader notion that many have not explored fully. People are now starting to realize it is a pretty good central nervous system in the building that can sense, report, and alarm any event that might occur. It has been done in some ways; surveillance cameras are an example. Standalone monitoring systems and access-control systems are others."

These types of systems have been administered in a patchwork fashion, he explained, deployed as needed and most often not integrated. "That's the key: the integration of all the pieces that exist and have been built standalone in the past," he said. "The more integrated they become, the more intelligent the building gets." When these systems are integrated, building owners have the opportunity to take a proactive rather than reactive approach to security and take actions like putting countermeasures in effect before a security breach occurs.

Existing and new

One of the first actions of the task group was to gather countermeasure-type specifications that already exist in other TIA standards. "These were small pieces of standards, published as a few sentences here and there," Shariff explained. "Putting those pieces together brings attention to the security standards that are in place for a building. We created a chapter unifying these pieces." Among them was the requirement that pathways in a building have to be routed either in secure areas or, if in publicly accessible areas, in locked devices such as conduit, junction boxes, splice cases and others.

Once these already-existing security measures were gathered, the group looked at ways to further enhance security. "One was that we can use the cabling infrastructure to intelligently monitor events, not only for infrastructure but around infrastructure," he added. Intelligent infrastructure management systems play a part, particularly with their ability to go beyond the cabling crossconnect all the way to a network's end devices, comparing an installed device's MAC address with an approved work order to ensure that what was installed was in fact approved. AIM systems provide even more capability, he noted.

As the task group worked to assemble the chapter of already-existing security-related specifications, the realization came that "security is a multi-layered beast," Shariff said. "Our approach has been to build the fundamental foundation at the lowest level, the physical level, for a security system. On that layer you add other layers." What has happened in many cases to this point, he further explained, is that "other layers got built without building the fundamental physical layer. With this standard we are basically creating a foundation and telling everyone to build on it. That layered approach is understood, supported and encouraged."

As for the physical layer, the working draft of the standard contains some nomenclature that may be new to TIA standards but is commonly used in federal-government circles. A prime example is protected distribution system (PDS). "PDS comes straight out of the military and security experts from government installations," Shariff said, also noting that the mock-ballot version of the standard already has gone to all branches of the United States military for comment. Several characteristics go into making a pathway a PDS. Shariff provided this example: "If you take two pieces of conduit, normally the connection between them would be transparent. But for that connection to be a PDS, the joint has to be a contrast color (red or black, for example) to make it visibly obvious from a distance if the conduit has been tampered with." Protecting against tampering is shaping up to be a significant part of the forthcoming standard.

In closing, Shariff noted that the in-draft standard emphasizes control and monitoring in multiple ways. "Everything has to be controlled and monitored, and that includes the materials that go into a building. From the time it arrives on-site it cannot be left unattended. The standard addresses the way materials are handled and installed. Vetting has not been part of the process to this point, but it is here," with the forthcoming standard, he said, noting that the current draft of the standard calls for vetted persons only on-site.

Like the soldier that protects self to ensure he or she can protect others and the environment, the coming standard from TIA covering security promises to hold value for those who rely on it.

Patrick McLaughlin is our chief editor.


Timeline for standard approval already established

Even though the efforts of the TIA's Network Security Task Group had not yet officially gained a Project Authorization Request (PAR) approval at the time of this writing, the group nonetheless has mapped out a timeline for the eventual publication of the standard-under-development.

The task group has earmarked standard-development milestones for each of the four TR-42 plenary meetings after June 2014's. It anticipates a Draft 1.0 TIA ballot to take place in October 2014, a Draft 2.0 ANSI ballot to take place in February 2015, a default ballot to take place in June 2015, and standard approval to take place in October 2014. Completed and in-development TIA standards can be purchased at http://global.ihs.com/?rid=TIA. -P.M.
