ISO 27001:2022 A 7.12 Cabling security

Most modern technologies would not function properly without cables such as fiber, network, or power cables. Cabling is more than just your CAT6e or CAT7 data cabling or your fibre; ISO 27001 wants you to consider power as well. Anything that carries data or supports information services needs to be considered and protected from interception, interference, or damage.

While cables are essential to the transmission of information assets and to the provision of information services, they introduce risks to the availability and confidentiality of information assets and to the continuity of business operations. These risks may arise from damage to, interception of, or interference with these cables. Furthermore, personnel with access to these cables may accidentally cause damage. For example, cyber criminals with access to fiber cables can use simple techniques such as ‘bending the fiber’ to interrupt all network traffic, resulting in the loss of availability of information.

Cabling security needs to be considered to reduce the risks of eavesdropping and data theft, which increase if your company uses a cable supplier. Attackers can tap into the cables, interfere with operations or steal data. Controls include hiding the cables, protecting them in covers, monitoring for interference, or using multiple lines for specific high-risk departments. Organisations aim to achieve two distinct purposes:

  • Protecting information assets carried via cables against unauthorized access, use, damage, or destruction by implementing appropriate measures;
  • Ensuring the continuity of business operations by maintaining the security of cables that carry information assets, power, and electricity.

Control

Cables carrying power, data or supporting information services should be protected from interception, interference or damage.

Purpose

To prevent loss, damage, theft or compromise of information and other associated assets and interruption to the organization’s operations related to power and communications cabling.

ISO 27002 Implementation Guidance

The following guidelines for cabling security should be considered:

  1. power and telecommunications lines into information processing facilities being underground where possible, or subject to adequate alternative protection, such as floor cable protector and utility pole; if cables are underground, protecting them from accidental cuts (e.g. with armored conduits or signals of presence);
  2. segregating power cables from communications cables to prevent interference;
  3. for sensitive or critical systems, further controls to consider include:
    • installation of armored conduit and locked rooms or boxes and alarms at inspection and termination points;
    • use of electromagnetic shielding to protect the cables;
    • periodical technical sweeps and physical inspections to detect unauthorized devices being attached to the cables;
    • controlled access to patch panels and cable rooms (e.g. with mechanical keys or PINs);
    • use of fiber-optic cables;
  4. labeling cables at each end with sufficient source and destination details to enable the physical identification and inspection of the cable.

Specialist advice should be sought on how to manage risks arising from cabling incidents or malfunctions.

Other information

Sometimes power and telecommunications cabling are shared resources for more than one organization occupying co-located premises.

Power and telecommunications cabling carrying data or supporting information services needs to be protected from interception, interference or damage. If power and network cables are not sited and protected adequately, an attacker may be able to intercept or disrupt communications or shut down power provision. Wherever possible, network and power cables should be underground or otherwise protected, and separated from each other to protect against interference. Depending on the sensitivity or classification of data, it may be necessary to separate communications cables for different levels and additionally inspect termination points for authorized devices. The auditor will visually inspect the cables and, where relevant to the level of classification or risk, request evidence of visual inspection. Organisations take into account the following four criteria for compliance:

1. Telecommunications and power cables connected to the information processing facilities should be placed underground to the extent feasible. Furthermore, cables laid underground should be protected against accidental cuts through suitable techniques such as armored conduits. If placing the cables underground is not possible, organisations can consider implementing alternative protective measures such as floor cable protectors and utility poles.
2. Power and communications cables should be segregated to eliminate the risk of interference.
3. Considering that cables connected to critical information systems present higher risks to sensitive information assets and to business operations, organisations should consider putting in place the following controls:

  • Using armored conduit, installing locked rooms and boxes, and setting up alarm systems at both inspection and termination points.
  • Applying electromagnetic shielding techniques to prevent damage to cables.
  • Subjecting cables to inspections at regular intervals and to technical sweeps to ensure that no unauthorised device is connected to the cables.
  • Establishing access control procedures and measures for access to cable rooms and patch panels.
  • Using fibre-optic cables.

4. The source and destination details of each cable should be labelled at both ends of the cable so that the cable can be easily identified and inspected.

Furthermore, organisations are also advised to seek expert advice on how to manage risks that may arise from cable malfunctioning. Last but not least, organisations should consider the risks related to the use of communications and power cables by more than one organisation when they are on shared premises.

Structured IT cabling is the design and installation of a cabling system that supports multiple hardware uses, both today's and any hardware added in the future. It is the foundation of network infrastructure and enables all data transmission and telephone service carried out by computer. Every business has some sort of structured cabling network, but they vary in size, organization, and capability. No matter how large your business is, having a seamlessly functional structured cabling network will save you and your employees a lot of trouble. Here are the top 4 reasons that structured cabling networks are critical for IT security.

  1. Compliance and Security: IT infrastructure is essentially the nucleus of the organization. It is where servers, switches and routers are located, and every piece of hardware (computers, phones, printers, security cameras) is connected to them by various cabling. If these cables are not labeled and organized well, it is very difficult to know what they are connected to. It will also be difficult to tell if an unauthorized person has made changes to your physical network. Keep photos of the cabling network on file for reference so that it is easy to identify changes and potentially identify why someone has made those changes. It is the simplest way to tell if someone is tampering with your network from a physical standpoint.
  2. Faster Speeds and Reliability: One of the most important things to any business is network stability and speed. There is nothing more frustrating than being on an important virtual meeting and having latency issues or drop-offs. Having a highly functional structured cabling network gives you and your employees a trustworthy connection to the internet and speed in locating important files stored on your network. If you have ever tried searching for a specific file and had to wait an extended period of time for it to be located, you may have some issues with your physical cabling system.
  3. More Effective Support and Troubleshooting: Technology by nature is ever changing and evolving, and with this come issues that need to be addressed. If your structured cabling network is poorly installed, organized, or labeled, your support team will have a much tougher time identifying the issues you come across. This can lead to longer wait times before getting back to the task at hand, and even the need to reach out to 3rd parties for help.
  4. Cost Saving: Your structured cabling network can save you time and money. As we mentioned above, it is the nucleus of your organization and should be invested in on the front end, so you do not have to spend more money down the road to fix or even reinstall the entire network. If your employees are unable to be productive due to latency issues, drop-offs, and lost files, you are losing money. If your support team needs to spend twice as much time locating the issue, you are losing money. Time is a resource that transfers directly to cost in the business world.

Power and telecommunications cabling that is in place to support information systems or transfer data should be protected from interception, interference, or damage. Your organization should use clearly identifiable cable markings to minimize potential handling errors, such as the accidental unplugging or movement of incorrect patching or network cables. Physical access to information system distribution and transmission lines should be controlled within your organization’s facilities (e.g., wiring closets, patch panels, network jacks, etc.). Physical network ports throughout your facilities should be disabled when there is not a continuous need for them to be active. Having a live network port outlet (e.g., in the lobby or reception area of your facilities), with no additional technical controls, could potentially provide a hacker or other bad actor direct access into your organization’s networks.

Depending on the size of your organization and the number of information systems in use, cabling security controls may require a notable time investment to implement correctly. This is especially true if you are trying to make cables look less like a bowl of fettuccine and more like a well-organized field of corn. It is highly recommended to spend the time that is necessary to ensure cables are labeled and neatly organized to prevent unintentional, unforced errors. A short-term project to address cabling today will help prevent countless issues tomorrow.
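The labelling, inspection and unused-port advice above can be checked routinely by reconciling the cable register against what the switches report. The following Python is an added example, not part of the original article; the register fields, port names and sample data are constructed assumptions.

```python
# Constructed sample data: a cable register and a switch port snapshot.
# Field names and values are assumptions made for this illustration.
CABLE_REGISTER = [
    {"id": "C-001", "port": "sw1/1", "dest": "Rack A / srv-01", "label_a": True, "label_b": True},
    {"id": "C-002", "port": "sw1/2", "dest": "Office 2.14 outlet 3", "label_a": True, "label_b": False},
    {"id": "C-003", "port": "sw1/3", "dest": "Rack A / srv-02", "label_a": True, "label_b": True},
]
PORT_SNAPSHOT = [
    {"port": "sw1/1", "enabled": True, "link": True},
    {"port": "sw1/2", "enabled": True, "link": True},
    {"port": "sw1/3", "enabled": True, "link": False},
    {"port": "sw1/4", "enabled": True, "link": True},    # lobby outlet, not in register
    {"port": "sw1/5", "enabled": True, "link": False},   # unused but left enabled
    {"port": "sw1/6", "enabled": False, "link": False},  # unused and disabled: fine
]

def audit(register, ports):
    """Return sorted (cable_or_port, finding) tuples for follow-up inspection."""
    by_port = {c["port"]: c for c in register}
    findings = []
    # Guideline 4: every cable labelled at each end.
    for c in register:
        missing = [end for end in ("label_a", "label_b") if not c[end]]
        if missing:
            findings.append((c["id"], "unlabelled end: " + ", ".join(missing)))
    seen = set()
    for p in ports:
        seen.add(p["port"])
        cable = by_port.get(p["port"])
        if cable is None and p["link"]:
            # Something is plugged in that the register does not know about.
            findings.append((p["port"], "link up with no registered cable"))
        elif cable is None and p["enabled"]:
            # No continuous need for the port, so it should be disabled.
            findings.append((p["port"], "unused port left enabled"))
        elif cable is not None and not p["link"]:
            # Documented cable may have been unplugged, moved or damaged.
            findings.append((p["port"], "registered cable %s has no link" % cable["id"]))
    for port in by_port.keys() - seen:
        findings.append((port, "registered port missing from snapshot"))
    return sorted(findings)

if __name__ == "__main__":
    for item, finding in audit(CABLE_REGISTER, PORT_SNAPSHOT):
        print(f"{item}: {finding}")
```

Each finding is a prompt for a physical inspection of that cable or outlet, and the dated output can be kept as evidence of inspection for the auditor.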
