Grant Seiffert, president of the Telecommunications Industry Association (TIA), authored an article titled “Protecting the Communications Infrastructure” that appeared in a recent issue of The CIP Report, a monthly publication produced by the George Mason University School of Law Center for Infrastructure Protection and Homeland Security. As Seiffert states in the article, “One area currently facing security threats is cloud computing,” citing a National Institute of Standards and Technology (NIST) report identifying gaps for standards coverage related to the cloud. “In response to this report [U.S. Government Cloud Computing Technology Roadmap, Volume II – Useful Information for Cloud Adopters], TIA’s Engineering Committees are working on standards to close these security gaps,” Seiffert says. “Of particular, current interest is the infrastructure security for the cloud and for the infrastructure that connects people and devices to the cloud.”
He later explains that in February 2012, the TIA’s TR-42 Engineering Committee created a Task Group on Network Security “to identify and develop appropriate content to address this cloud security gap.” The group “is developing standards to combat four threats: intrusion, sabotage, vandalism and theft,” Seiffert states. He then points out several existing requirements and guidelines, within standards written by TR-42 subcommittees, which already address some of these issues.
For example, TIA-942 “provides requirements and guidelines for several security-related subjects involving data centers, which serve as the engines of the cloud,” Seiffert reports. “This document includes security-related requirements and guidelines appropriate for data centers on the placement of telecommunications spaces, architectural considerations, signage, cable routing, access points, supporting equipment and site selection.”
Seiffert then explains that while the NIST report puts focus on data centers, “prudence would dictate that similar guidance apply to the physical security for other types of premises where cloud access is of particular importance … Accordingly, the Task Group on Network Security is not limiting the focus of the discussions to data centers.” Furthermore, the group has pointed out installation guidelines in other existing standards—TIA-569 Telecommunications Pathways and Spaces, TIA-568-C.0 Generic Telecommunications Cabling for Customer Premises, TIA-568-C.1, Commercial Building Telecommunications Cabling Standard, and TIA-606 Administration Standard for Telecommunications Infrastructure—as examples of specifications that consider the protection of cabling infrastructure.
Additionally, the TR-42 Task Group on Network Security used a certain portion of the NIST report as a springboard for another path of consideration. The NIST report’s Clause 5 includes the statement: “The (perceived) lack of visibility and control over the IT assets often runs counter to the existing security policies and practices that assume complete organization ownership and physical security boundaries …” Seiffert explained that in response to this concern, the task group “has been discussing important aspects of physical security, including the recognition of unauthorized modifications or rerouting of a network path. The Task Group has developed recommendations related to how the telecommunications infrastructure design should be a component of the facility’s security plan.”
Seiffert further discloses that the task group “is developing guidelines for automated systems that should enhance the security of the cabling. The automated functions might include such features as detecting changes to patch cord placement, connection to inactive or open equipment ports, and interruption in signal traffic.” Guidelines already drafted by the task group also have recommendations for actions to be taken in response to any type of alarm condition. “These actions,” Seiffert notes, “These actions might include activating external device alarms and security video devices that feed detailed and useful information to appropriate personnel and systems. While these types of systems are already available in the market, the need for some minimum level of consistency in the services provided is essential to promote their deployment, operation and use.”