Cable management

Agencies should physically separate patch panels of different classifications by installing them in separate cabinets.

This will:

  • reduce or eliminate the chances of cross patching between the systems; and
  • reduce or eliminate the possibility of unauthorised personnel gaining access to classified system elements.

Where physical constraints demand that patch panels of different classifications be located in the same cabinet, agencies must:

  • provide a physical conductive barrier within the cabinet to separate patch panels;
  • ensure that only personnel cleared to the highest classification of the circuits in the panel have access to the cabinet; and
  • obtain approval from the relevant Accreditation Authority prior to installation.

A visible gap or non-conductive isolator between equipment cabinets, especially those of different classifications, will make any cross-cabling obvious and will simplify inspections for unauthorised or compromising changes.

Cable registers provide a source of information that assessors can view to verify compliance. They track all cable management changes through the life of the system.

Cable colours for foreign systems in New Zealand facilities should be segregated and separated from other agency systems for security purposes. 

The host agency, the foreign system owner and the Accreditation Authority should agree on cable colours used.

Agencies should use different cable colours for foreign systems installed in New Zealand than those used for New Zealand systems.

The labelling principles and requirements are outlined in NZISM sections 10.5 and 10.6:

  • labelling should be logical and consistent, across all locations, matching the project drawings.

  • the labelling scheme identifies any associated physical locations (building, room, cabinet, rack, port, etc.).

  • labelling is easily read, durable, and capable of surviving for the life of the component that was labelled.

  • the labelling system, and the identifiers used, are agreed upon by all stakeholders.

  • labelling is all-encompassing and includes cables, connecting hardware, conduits, firestops, grounding and bonding locations, racks, cabinets, ports, and telecommunications spaces.

Specific labelling requirements include:

  • all labels use a permanent identifier.

  • the labelling/numbering scheme is logical in its organisation, using alphanumeric characters for ease of reference.

  • each cable and each pathway is labelled on each end, and each label identifies the termination points of both ends of the cable. For long cable runs, intermediate labelling is helpful and strongly recommended.

  • all labels are legible, defacement resistant, and have high adhesion characteristics and durability.

  • labels are placed so they can be read without disconnecting a cable.

  • labels for station connections may appear on the face plate.

  • all jack, connector, and block hardware are labelled on either the outlet or panel.

  • all labels match any installation and maintenance records.

To facilitate cable management, maintenance and security, cables and conduit should be colour-coded as shown in the table to indicate the classification of the data carried and/or classification of the compartmented data.

Classification                              Cable colour
Compartmented Information (SCI)             Orange/Yellow/Teal or other colour
TOP SECRET                                  Red
SECRET                                      Blue
CONFIDENTIAL                                Green
RESTRICTED and all lower classifications    Black

Regular cable inspections are an important way of detecting tampering, damage, breakages or other anomalies. These should be carried out regularly, with the frequency of inspections outlined in your agency's Security Plan.

This is particularly important in a shared facility, where higher threat levels exist or where threats are unknown.
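A cable register audit that applies the colour table, the both-ends labelling requirement and the cabinet separation rule described above, so that an inspection can start from a list of discrepancies. This is an added example, not part of the NZISM text; the register columns, the building-room-cabinet-port identifier format, the sample rows and the SCI colour set are constructed assumptions.

```python
import csv
import io

# Colour scheme from the table above. SCI colours are agreed per site, so the
# set listed for SCI is an assumption; RESTRICTED stands for "and all lower".
COLOURS = {
    "SCI": {"orange", "yellow", "teal"},
    "TOP SECRET": {"red"},
    "SECRET": {"blue"},
    "CONFIDENTIAL": {"green"},
    "RESTRICTED": {"black"},
}

# Constructed sample data: cabinet -> classification of the patch panels it holds.
CABINETS = {"B1-R204-C01": "SECRET", "B1-R204-C02": "RESTRICTED",
            "B1-R210-C05": "SECRET"}

# Constructed sample register; end identifiers are building-room-cabinet-port.
REGISTER = """cable_id,classification,colour,end_a,end_b,label_a,label_b
C-0001,SECRET,blue,B1-R204-C01-P01,B1-R210-C05-P01,B1-R204-C01-P01/B1-R210-C05-P01,B1-R204-C01-P01/B1-R210-C05-P01
C-0002,SECRET,black,B1-R204-C01-P02,B1-R210-C05-P02,B1-R204-C01-P02/B1-R210-C05-P02,B1-R204-C01-P02/B1-R210-C05-P02
C-0003,RESTRICTED,black,B1-R204-C02-P07,B1-R204-C01-P03,B1-R204-C02-P07/B1-R204-C01-P03,B1-R204-C02-P07/B1-R204-C01-P03
C-0004,SECRET,blue,B1-R204-C01-P04,B1-R210-C05-P04,B1-R204-C01-P04/B1-R210-C05-P04,
"""

def audit(register_csv, cabinets):
    """Return (cable_id, finding) pairs for every rule a register row breaks."""
    findings = []
    for row in csv.DictReader(io.StringIO(register_csv)):
        cid, cls = row["cable_id"], row["classification"].strip().upper()
        # Rule 1: cable colour must be one allowed for the classification.
        if row["colour"].strip().lower() not in COLOURS.get(cls, set()):
            findings.append((cid, "colour does not match classification"))
        # Rule 2: the label on each end names the termination points of both ends.
        expected = f'{row["end_a"]}/{row["end_b"]}'
        for side in ("label_a", "label_b"):
            if row[side] != expected:
                findings.append((cid, f"{side} missing or does not name both ends"))
        # Rule 3: both ends terminate in cabinets of the cable's classification.
        for end in (row["end_a"], row["end_b"]):
            panel_cls = cabinets.get(end.rsplit("-", 1)[0])
            if panel_cls != cls:
                findings.append((cid, f"{end} terminates in a {panel_cls} cabinet"))
    return findings

if __name__ == "__main__":
    for cable_id, finding in audit(REGISTER, CABINETS):
        print(cable_id, finding)
```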

It is important that any metal trays or metal catenary are earthed, both for safety and to avoid creating any fortuitous conductors which can be technically exploited.

Effective earthing depends on properly bonding all conductive elements of a cabinet, rack or case housing any equipment.  Bonding requires good mechanical and electrical connection between conductive elements through bolts and nuts and/or earth straps or jump leads.  Specialist bonding hardware is widely available from reputable electrical suppliers.

Standardising the layout of racks and cabinets facilitates maintenance and engineering changes, and reduces the risk of accidental cross-connects between systems.

Separate RED/BLACK racks are easier to manage, build and maintain and reduce the opportunity for accidental or deliberate cross-connection of RED/BLACK systems. 

Shared cabinets may also include UPS or other power supply equipment. RED/BLACK separations of equipment and cables should be maintained. Agencies should arrange the installation of cabinets as follows:

  • RED equipment at the top;

  • BLACK equipment in the centre;

  • power equipment at the bottom.

Agencies should record equipment layouts and other relevant information on rack diagrams.

A power filter is a device placed between an external power source and electronic devices.  It is used to smooth the power supply and provide a degree of electrical isolation from the external power supply for connected electronic devices.  This reduces the opportunity for technical attack. 

Fibre optic cable is considered more secure than copper cables and provides electrical isolation of signals.  Fibre will also provide higher bandwidth and speed to allow a degree of future-proofing in network design.  Cable infrastructure costs are reduced as many more fibres can be run per cable diameter than wired cables. 

Cable management systems are designed to support the integration of systems across government facilities within New Zealand, assist maintenance and engineering changes and minimise the opportunity for tampering or unauthorised changes to cable systems.

Audio secure areas are designed to prevent audio conversation from being heard outside the walls.  Penetrating an audio secure area for cables in an unapproved manner can degrade this. 

Consultation with the Government Communications Security Bureau (GCSB) needs to be undertaken before any modifications are made to audio secure areas.

A non-shared facility is a facility occupied solely by a single agency.  A shared facility is a facility occupied by more than one agency.  A shared facility should have stricter physical and technical security controls than a non-shared facility.

The RED/BLACK concept is the separation of electrical and electronic circuits, devices, equipment, cables, connectors, components and systems that transmit, store or process national security information (RED) from non-national security information (BLACK).

The RED/BLACK concept should not be confused with the generic description HIGH/LOW or HIGH SIDE/LOW SIDE.  In this context, HIGH refers to systems classified CONFIDENTIAL and above and LOW refers to systems classified RESTRICTED and below.  While these concepts are similar and often used interchangeably, it is important to recognise that information does not usually change classification. The signal or transmission, however, may transit both RED and BLACK systems in order to reach its intended destination.

It is also important to note that systems carrying a particular classification may also carry information at all lower classifications but not any higher classifications.

Separation of RED/BLACK cables and related equipment with sufficient distance between them to prevent cross-contamination is a fundamental security requirement.