28
Qwest's Critical Infrastructure Secure Cabinet Hector Rojo, Manager Federal Programs – Large Scope July 11, 2011
Qwest's Critical Infrastructure Secure Cabinet
Hector Rojo, Manager Federal Programs – Large Scope
July 11, 2011
INTERNAL USE ONLY
Overview
Form, fit and function of
telecommunication cabinets
designed IAW MIL-STD-188-125
requirements
Cabinets meet or exceed all
requirements
Three designs
• CS, a single width (standard 19”
equipment rack space) cabinet
• DW, a double width cabinet
• DP, a deeper, single width
cabinet that also meets
TEMPEST requirements
CS Cabinet
DW Cabinet
DPCabinet
INTERNAL USE ONLY
KEY FEATURES• HEMP-survivable rack form factor enclosure for critical electronic equipment
• Double or single racks; 19 or 23 inch rack mount; front and/or rear doors
• Fully compliant with MIL-STD-188-125-1/2;TEMPEST VERSION to 10GHz
available as well
• A& B Power Bus Compatible
• AC or DC Power; Up to 10kW
• Conducted penetrations (only power) –filters reduce residuals to within
MILSTD-188-125-1 limits
• Automatic Built-in Test Equipment (ABITE) to provide real-time status of SE
• Can be designed/built to customer‟s specifications
• Both steel and aluminum versions available
• Can also be designed/built/tested to meet TEMPEST requirements
• NEBS and Zone 4 Compliant
INTERNAL USE ONLY
Cabinet Fabrication (Continued)
INTERNAL USE ONLY
Acceptance Testing
INTERNAL USE ONLY
Prepainted Assemblies
INTERNAL USE ONLY
DW Cabinets (Continued)
INTERNAL USE ONLY
Finished Cabinets
INTERNAL USE ONLY
Mission Equipment Integration
Performed under subcontract by Linkmont in Denver
integration facility
All cabinets finalized for deployment in this facility
INTERNAL USE ONLY
MIL-STD-188-125 Verification Testing
Conducted in shielded enclosure in
Denver facility
Includes pulsed current injection and
shielding effectiveness testing
Final certification that cabinets meet all
MIL-STD-188-125 requirements
Typical shielding effectiveness
measurement:
0
5 0
1 0 0
1 5 0
2 0 0
1 04
1 05
1 06
1 07
1 08
1 09
M IL -S T D -1 8 8 -1 2 5 -1 S E R e q u ire m e n tM e a s u re m e n t R a n g eF ro n t H o rF ro n t V e r
F re q u e n c y (H z )
Sh
ield
ing
Eff
ective
ne
ss
(d
B)
Margin
0
5 0
1 0 0
1 5 0
2 0 0
1 04
1 05
1 06
1 07
1 08
1 09
M IL -S T D -1 8 8 -1 2 5 -1 S E R e q u ire m e n tM e a s u re m e n t R a n g eF ro n t H o rF ro n t V e r
F re q u e n c y (H z )
Sh
ield
ing
Eff
ective
ne
ss
(d
B)
Margin
Automated Built-in Test Equipment
(ABITE)
INTERNAL USE ONLY
Automatic Built in Test – Objectives and Tasks
Overall Primary Objective – Monitor Shielded Article Condition
• Evaluate the Shielding Effectiveness of an EM Barrier consistently with the
techniques as defined in MIL-STD-188-125
• Monitor incoming Power Protection
• Monitor Alarms as applicable
Primary Task Elements
• ABITE SE Test system cannot interfere with Local functions
- Virtually no external emissions – dictates an internal transmitter
- Internal transmitter kept at lowest possible power level
• Design must be robust and can scale to multiple applications (i.e. various
alarms)
• Remote control and data monitoring
• Install system into HEMP equipment cabinet with transport equipment and
functionality
- Includes packaging to fit in available space
ABITE System Concept
Shielded
Cabinet
ABITE
Transmitter
ABITE Receiver
Receiver
Cabinet
(unshielded)
SE measurement Is the comparison of the transmitted signal versus the received signal over the required frequency range
INTERNAL USE ONLY
ABITE Production Configuration
Production version of the ABITE includes the following:
• Transmit Function
- One rack mount shelf (not a full shelf)
- Less than 2U‟s of cabinet space (1U = 1.75”) (not including the antenna)
- Absolutely no impact on the operation of the equipment within the cabinet
- Interface to a router serial port for signal generator control
- Disable switch for door
• Receive Function
- Allows the flexibility to have a “real” spectrum analyzer available during maintenance
- rack shelf mounted
- Meets dynamic range requirements (-10dBm input compression, <-110 dBm/Hz noise
floor – input terminated/thermal)
- MOV monitoring via optical sensors
- 35 dB selectable attenuation
- 2 antenna control
- Extensive security features
INTERNAL USE ONLY
ABITE Operational Software
Production version of the ABITE includes HMI/Control software
- Remotely hosted in NOC
- IP-based network design – all IP devices mapped identically thru router
- All control executed through secure router via telenet control
- Operator entry for site IP configuration
- Drill-down architecture for site status with applicable indicators
– Data graph and archive at lowest level
- Look up table for site specific calibration
- Interference mitigation algorithm
- SNMP reporting to NOC
INTERNAL USE ONLY
ABITE Details
• Frequency agile (compensates for
ambient background)
• Operates over internet
• Does not require personnel at the
operational site
Remote NCC Control
LAN
RF Amplifier (1 Watt)
Spectrum Analyzer
Signal Generator
Communication Fiber links
Receive
antenna
(isotropic)
HEMP Cabinet
Serial
Driver
SP2T
Switch
LAN/Fiber
LAN/Fiber
35 dB
Variable
attenuator
PC SerialPort
Receive
antenna
(isotropic)
INTERNAL USE ONLY
ABITE System Production Components
Transmitter Tray
Transmitter Power Tray
Mounted in Shielded Cabinet
Receiver Power Tray
Receiver RF Tray
Spectrum Analyzer
Mounted in Unshielded Cabinet
INTERNAL USE ONLY
ABITE – Conclusions
Successfully developed/deployed Shielding Effectiveness ABITE
system within operational shielded cabinet requirements
System is frequency agile to operate in and interference RF
environment
• Detects and compensates for strong signal effect
• Detects and compensates for in-band spurious signals
Scalable to multiple applications to include alarms and other monitoring
Extremely low risk design implementation
Software developed for secure, remote command and control via the
internet
• NOC personnel can monitor the health and wealth of
each system
Container Security
Presents
July 2011
INTERNAL USE ONLY
20
PulseCode™ Lock
PulseCode™ Key
Technology Overview
PulseCode™ Lock technology is a highly secure lock with no keyhole and requiring no direct contact between lock and key to operate. With no keyhole there is no point from which it can be compromised by picking or tampering.
PulseCode™ Lock technology is the transmission of data through solid materials by a sequence of discrete mechanical knocks, or pulses. The intervals between pulses contain an encrypted code that is the opening combination of the lock.
The opening code can transfer through solids including metal, wood or glass. This enables the lock to be mounted on the inside of a door, concealing it from the outside and making it impossible to detect or vandalize.
The opening code is encrypted and has billions of combinations. It includes a randomly generated portion of the sequence so it never uses the same exact code twice. This makes it impossible to imitate the key even by recording and makes the locking system extremely secure.
PulseCode VAULT™
Access Control Software
INTERNAL USE ONLY
Summary Benefits for ISO Container Security
Better security with secure remote
access control using Master Lock’s VAULT software
No “back door” breaching
Nothing on the outside to tamper or compromise
The Container Housing & Security Door Bolt is
specifically designed to enable mounting on hollow
steel ISO Container doors with thru bolts providing
over 5,000 lbs of holding force
Successfully meets ISO Intermodal Specifications
IRAD 2011
821.2001 – Site P
8201.2003 – Transformer Hardening
INTERNAL USE ONLY
Summary of 2011 Projects
8201.2001 Site P
– Objective
• Install and evaluate alternative hardening techniques (188-125 Special
Protective Measures) on an unhardened commercial telecom site
– Expected Results
• SPM surge and field coupling suppressors installed
• Field coupling reduced up to 10x
• Site P withstood 10x CWI SPM Verification test protocol
8201.2003 Transformer Protection
– Objective
• Design and test 188-125 E1 and E2 transient protection to medium voltage
secondary power
transformers
– Expected Results
• A 12.47kV transformer successfully protected and tested to a MIL STD
188.125.1 Appendix B PCI Verification Test
INTERNAL USE ONLY
Site P 188-125 Hardening Demonstration
Objective:
• Demonstrate a cost effective (<5%)
installation at Site P by performing a
full 188-125 verification test
Need:
• Unhardened TELCO sites limit
endurability of new cabinets to battery
life only
• Total site hardening to 188-125 = $M‟s
per site
• Need less expensive methodology
• Special Protective Measures (SPM) in
188-125 protocols need to be
evaluated for TELCO sites
Technical Approach:
• Use EMI/EMC emissions control
technology (ferrites suppressors) in
reverse to limit HEMP coupling
• Install surge suppressors to handle
residual coupling
• Pulse at full 188-125 10x CWI levels and
demonstrate that no failures occur
Expected Results:
Site P successfully SPM tested with
no failures
Site P CWI testing shows an average of
85% reduction in coupled Currents
INTERNAL USE ONLY
Requirements and Costs
Global Barrier Shield ~ Site P Cost Estimated at $2.1M
– Would require basic demolition and rebuilding of entire structure
– 80+dB welded steel shield
– 100dB CORCOM filters
– Acceptance Testing/Verification Testing
– Would not need Telco Cabinet (Saves ~$30 - $60k per cabinet)
Alternative Approach ~ Site P Cost (In volume) ~ $100-$130k –
– MIL-STD-188-125 Special Protective Measures for Endurable Systems
• Surge Suppression
• Ferrites
• Transformer E1, E2 and E3 Long Line Protection
– MIL-STD-188-125 Full Compliance for Survivable Systems
• Telco Rack – Single Wide, Double Wide or DP
INTERNAL USE ONLY
Transformer Hardening
Objective:
Demonstrate a solution to protecting
transformers from E1, E2 (and
lightning)
Need:
Medium voltage distribution transformers
are vulnerable to EMP and currently
unprotected
Lead time for replacement is 6 months –
from China
Not enough diesel fuel or trucks to keep
facilities running for 6 months
No one has ever looked at medium
voltage issues before
Technical Approach:
Evaluate Medium Voltage surge
suppressor technology to E1, E2
Evaluate Harmonic and Reactive Power
Capacitors technology to E1, E2
Marry the two technologies and evaluate
Full scale test on real transformer at full
voltage
Expected results
Protection and test technology for
12.47kV transformer evaluated
Test bed with prototype hardening
installed and tested
Protection and test technology
successfully demonstrated
INTERNAL USE ONLY
Transformer Hardening „Live
Test‟
Description:
480V Generator is connected to Step-Up Transformer.
Step-Up transformer steps up voltage from 480V to12470V.
E1 1k/5k Pulser is connected to XRMR Hardening Kit.
XRMR Hardening Kit is connected to individual phases,Phase A, Phase B and Phase C,
of Step-Up and Step-Down transformers.
Step-Up transformer is connected to Step-Down transformer Step-transformer steps
down transformer. Down voltage from 12470V to 208V.
Step-Down transformer is connected to Load Bank.
Load Bank balances each phase at 208V.
Transients from E1 1k/5k pulser are injected into XRMR
Hardening Kit which is connected to each individual power phase.
10 CM shots at each level 1000A, 1800A, and 3600A were injected with the intention
of hitting the top of a phase peak.
10 CM shots at each level, and at a 5000A transient level, were also injected.
INTERNAL USE ONLY
Objective:
To determine if arc breakdown on the primary side of the medium voltage distribution
(Step-Down) transformer occurs.
Expected Conclusion:
No arc breakdown on the primary side of the Step-Down transformer will occurr during
„Live Test‟..
Transformer Hardening „Live
Test‟
