Jonathan Newell finds out from TÜV SÜD Product Service about Tempest testing for military equipment to ensure critical information doesn’t leak out across enemy lines.
Names can be misleading, and none more so than the Tempest testing of military equipment, a name that implies action, high energy and conflict. In reality, Tempest testing is much more aligned to everyday electronic compliance testing, such as EMC, and is performed in the same laboratory complexes as consumer electronic equipment.
Originally created by the National Technical Authority for Information Assurance (CESG), which is now part of the National Cyber Security Centre, the purpose of Tempest testing is to overcome the vulnerabilities of classified information held or transmitted by military equipment.
If signals originate and escape from military equipment such as IT equipment, communication systems and vehicles processing classified information, there is the possibility of unauthorised people, including enemy forces, picking up those signals and retrieving the sensitive information being carried by them. The result is a new battlefield on which the defence forces are fighting. They’re no longer just facing men and machines but also increasingly the agents of cyber and electronic warfare.
The word Tempest is used in military circles to describe electromagnetic signals that emanate from equipment, systems and entire mobile platforms and can result in the recovery of sensitive information from a distance. As a result, NATO introduced a Tempest certification and testing programme to address the vulnerability of classified information, ensuring energy from IT equipment, communication systems and military platforms is not accessible to eavesdroppers.
More than EMC
Tempest testing is therefore more along the lines of cyber security certification than EMC validation, although there are aspects of both involved.
However, unlike EMC testing, Tempest is less interested in the level of these emissions than in the data that’s being carried by them. As far as Tempest is concerned, the issue isn’t whether a product or platform emits radio waves or interferes with other products, but rather whether someone from outside can see classified data within those emissions. The National Cyber Security Centre (NCSC) Tempest service therefore helps manufacturers to understand how vulnerable their ICT system is to unintentionally emitting classified information and then ensures that appropriate countermeasures are put in place for the level of risk.
According to test and certification body TÜV SÜD Product Service, Tempest certification enables manufacturers of electronic equipment that handles classified information to supply the military and secure government organisations throughout NATO and Europe. This equipment can be anything from IT, communications systems, crypto products, worn/personal systems and even printers to entire platforms such as ships, aeroplanes and land vehicles.
The Tempest certification is based on testing which demonstrates conformity with verifiable and repeatable standards specified by NCSC, which represents NATO in the UK. The Tempest testing service therefore enables manufacturers of electronic products, which are intended to handle classified information, to be added to the UK Approved Products list.
The Tempest Certification Scheme relates to the NCSC implementation of the NATO standard SDIP-55, and seeks to achieve assurance based on compliance at every stage of a product’s life, from its initial design onwards. It supports the UK Government’s UK Cyber Strategy, also ensuring that Tempest services comply with the European Union’s IASG4-04 standard.
Manufacturers wishing to have their product or mobile platform (such as a military vehicle or ship) certified must work with an NCSC accredited test facility such as TÜV SÜD Product Service, which can issue Tempest product certificates on behalf of NCSC. The scheme enables these accredited Tempest Test Facilities to certify Tempest products on behalf of NCSC.
The NCSC Tempest Platform Accreditation Scheme has been developed to provide comprehensive, but not exhaustive, Tempest testing for first of type military platforms (ships, land vehicles and aircraft), to ensure Tempest risks are identified in order to enable correction or mitigation of the risk prior to entry into service. The first of type test plans and reports are scrutinised by NCSC before accreditation is awarded.
In order to be accredited, and to verify its performance, a test facility must submit a facility qualification report to NCSC every three years. Test engineers must also have their qualifications revalidated by NCSC every three years.
There are three CESG (NCSC) documents which relate to Tempest and Electromagnetic Security (EMS), which can be referenced by both test laboratories and manufacturers to support them in their work.
The IA Implementation Guide No 14 (IG14) gives practical guidance to support users with understanding the CESG Good Practice Guide No 14, as well as the NATO Military Committee Communication and Information Systems Security and Evaluation Agency (SECAN) Document and Information Publications policy for testers (specifically SDIP-27 testing of equipment and SDIP-29 installation of equipment). IG14 also interprets SDIP-27 for UK national use.
The CESG Good Practice Guide No 14 (GPG14) assists anyone involved in managing risks and accrediting ICT systems, as well as those involved in their design and installation, to manage emissions security. GPG14 supports Her Majesty’s Government’s Security Policy Framework, which states that departments and agencies must follow specific government procedures to manage the risk posed by eavesdropping and electromagnetic emanations.
The IA Busy Reader’s Guide No 17 aims to help readers achieve a more pragmatic approach to managing risks associated with electromagnetic vulnerabilities. It does this by clarifying risk management considerations for electromagnetic vulnerabilities and how these support technical risk assessment and treatment processes outlined in the supplement to HMG IA Standard Nos 1 & 2 (Supplement), Technical Risk Assessment and Risk Treatment.
Broadly speaking, the tests consider how close people can get to the equipment in question and how it will be used. For example, is it held within a secure room, or an embassy to which members of the public can get quite close? If it is the latter, there may be a risk that an individual could use an antenna outside the embassy to pick up what is on a laptop screen within the building.
NCSC qualified engineers will examine a manufacturer’s product against the Tempest standard, using NCSC accredited equipment. However, while CFTCS testing ensures that a new product is tested thoroughly for Tempest emanations, it is only performed on one product sample. Consequently, to ensure that the build standard remains consistent throughout the product’s production, Tempest Production Assurance testing (TPAT) is carried out on samples from the production run of the product to ensure that the Tempest integrity is maintained.
As well as submitting products for testing by an accredited laboratory, manufacturers must also undergo regular NCSC Tempest production audits to maintain certification for their equipment.
(Based on material contributed by Jean-Louis Evans, Managing Director of TÜV SÜD Product Service)