What is a Protected Distribution System?
Introduction
The goal of this lesson is to explain the physical efforts used to protect our nation’s most sensitive secrets. Upon completion, you should be able to describe:
- Purpose of a PDS
- Components of a PDS
- Categories and types of PDS
- Criteria determining PDS selection
- Types of PDS inspections
What is a PDS?
Think about this scenario. You are in charge of protecting top secret or highly classified information – what the US government calls NSI or National Security Information. Now imagine you have NSI that needs to get from a secure telecommunication room on one side of a facility over to a classified work station on the opposite side. But here’s the catch – the data isn’t encrypted. And it has to travel through unsecured hallways or rooms with personnel that are not cleared to access this information. How do you physically protect sensitive data between the origin and destination points without digital encryption?
The answer is a PDS or Protected Distribution System – a highly specialized, intensely monitored system that uses conduit to physically protect the wire line or optical fiber inside that transmits unencrypted NSI data.
In other words, a PDS acts like an armored convoy to protect sensitive information over a network.
Design Philosophy: Detection Over Prevention
Government planners understood that for a PDS to be successful, it needed to be simple, cost effective and standardized across all government and military facilities. In 1996, the Committee on National Security Systems issued a policy document known as CNSSI 7003. This document is considered the single source of truth for PDS design, installation, maintenance, and inspection procedures to ensure national standards are rigorously maintained.
The document authors also realized that no system can prevent every type of attack and efforts to build such protections would be cost prohibitive. As such, a key pillar of the document is a PDS design philosophy that emphasizes detection over prevention. Instead of attempting the impossible task of making a pathway completely impenetrable, the instruction mandates a system that is designed to:
- A. significantly deter anyone from unauthorized physical access.
- B. make any attempt to tamper with the carrier reliably discoverable by an inspection.
Finally, the document also emphasizes that PDS are best suited for low and medium threat locations and are NOT recommended for use in high or critical threat locations. This is due to the high risk of unencrypted data being accessed before an inspection could conceivably detect a breach.
Why not use Encryption?
At this point you may be wondering why an organization would even bother constructing what is essentially a fortress around network infrastructure. Why not just use encryption? There are four reasons for this:
- Expense: Encryption can have a greater total cost of ownership than a PDS. These devices are expensive to scale for the number needed across a campus.
- Supply Issues: Because encryption is earmarked for the highest security information, device availability is constrained to critical locations.
- Bandwidth Limitations: Encryption limits network traffic which can impact critical missions with high data throughput (examples: real-time video streams, surveillance imagery, voice traffic or telemetry).
- By Design: Remember that a PDS provides adequate protection based on the perceived threat levels.
Components of a PDS
It may be easy to simplify a PDS as just a pipe, but it is important to remember that it is a system comprised of multiple components and procedures:
- Connections: elbows, couplers, and other fittings that connect the conduit sections of the pathway.
- Enclosures: secure boxes or panels that can be accessed frequently such as pull boxes, junction boxes and user drop boxes used for cable installation, branching or the termination endpoint such as a user workstation.
- Locks: used to secure any enclosure.
- Tamper Seals: used in conjunction with locks to provide evidence of unauthorized entry.
- Sealing: connections or covers that are not accessed frequently must be secured with welds, epoxy or fusion.
- Markings: the carrier must be clearly marked to aid inspection.
- Inspection Ports: allows inspectors to observe the entire surface of the conduit as it passes an object like a wall.
- Data Cabling: the actual communication medium being protected such as copper wiring or fiber optic cabling.
- Standard Operating Procedures: instructions governing maintenance, operation, inspection and procedures in the event of a breach.
Now that we understand the purpose of a PDS and its components, let’s dive into the different varieties of PDS, which are based on a combination of security risk assessments and the route of the PDS pathway.
Categories of PDS Security: Simple vs. Significant
There are two categories of PDS protection based on threat level and risk analysis.
Category 1 is called a simple carrier because it’s meant to be used inside highly secure, highly controlled access areas with a lower risk of a data breach. Since the area itself is well protected, the PDS carrier offers simple protection with lighter/thinner metal or even PVC pipe, which reduces costs and complexity.
Category 2 PDS is for riskier limited access areas. There are five specific types of Category 2 PDS which provide significant physical levels of security protection:
- Hardened Carrier is thick metal tubing run between secure rooms.
- Buried Carrier is placed deep underground to safely route data between two different buildings.
- Suspended Carrier is elevated high in the air for short physical runs.
- Alarmed Carrier uses highly advanced electronic monitoring to detect tiny vibrations or tampering, which is perfect for when humans can’t easily check the pipes every single day.
- Continuously Viewed Carrier where the pipes literally have human eyes or dedicated cameras staring at them 24-7.
Each one of these is specifically engineered to neutralize a unique physical threat.
Understanding Access Areas: CAA, LAA, and UAA
Before we can even think about laying down a protected pathway, we have to understand the spatial blueprint of a facility, because the environment entirely dictates the security required. We can divide a facility into three specific zones:
- Controlled Access Area (CAA) – The complete building or facility area under direct physical control within which unauthorized persons are denied unrestricted access and are either escorted by authorized persons or are under continuous physical or electronic surveillance.
- Limited Access Area (LAA) – The space surrounding a PDS within which PDS exploitation is not considered likely or where legal authority to identify and remove a potential exploitation exists.
- Uncontrolled Access Area (UAA) – The area external or internal to a facility over which no personnel access controls are or can be exercised or any area not meeting the definition of Controlled Access Area (CAA) or LAA.
Regarding access areas, CNSSI 7003 makes certain requirements very clear:
- A PDS must originate and terminate in a CAA.
- The security levels at the start and end must match the classification of data being carried by the PDS.
- A PDS cannot be used in an uncontrolled access area. CNSSI 7003 guidance recommends data passing through a UAA be encrypted.
Selecting an appropriate PDS
The guidance for selecting a Category 1 or Category 2 PDS is based on three factors:
- Classification (Confidential, Secret, Top Secret, and Sensitive Compartmented Information) of the data being transmitted.
- The threat level where the PDS is installed (Low or Medium).
- Type of access area that the PDS routes through (CAA, LAA or UAA).
Selecting the actual carrier type is based upon the physical conditions of the area the PDS traverses, the location of the PDS terminations, and the cost of implementation. The cost of implementing the PDS includes not only the cost of the initial installation, but also the recurring costs of inspection and maintenance.
We should also note that any PDS design must be approved by an Authorizing Official (AO).
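The access-area rules and threat-level limit described in this lesson can be checked against a planned route before it goes to the AO. The following is an added example, not part of the original lesson or of CNSSI 7003; the Segment and Route models, their field names and the sample plan are assumptions, and treating Category 2 as required in an LAA is a simplification of this lesson's category descriptions rather than the instruction's actual selection table.

```python
from dataclasses import dataclass

@dataclass
class Segment:          # hypothetical model of one stretch of the pathway
    name: str
    area: str           # "CAA", "LAA" or "UAA"
    category: int       # planned carrier category, 1 or 2

@dataclass
class Route:            # hypothetical model of a whole planned PDS run
    classification: str     # classification of the data carried
    threat_level: str       # "low", "medium", "high" or "critical"
    origin_level: str       # security level of the originating space
    terminus_level: str     # security level of the terminating space
    segments: list

def review_route(route):
    """Return findings for every rule from this lesson that the plan breaks."""
    findings = []
    if route.threat_level not in ("low", "medium"):
        findings.append(f"threat level {route.threat_level}: PDS not recommended")
    if not route.segments:
        return findings + ["route has no segments"]
    ends = (("origin", route.segments[0], route.origin_level),
            ("termination", route.segments[-1], route.terminus_level))
    for label, seg, level in ends:
        if seg.area != "CAA":
            findings.append(f"{label} {seg.name} is in a {seg.area}, not a CAA")
        if level != route.classification:
            findings.append(f"{label} level {level} does not match {route.classification}")
    for seg in route.segments:
        if seg.area == "UAA":
            findings.append(f"{seg.name} crosses a UAA: encrypt this leg instead")
        elif seg.area == "LAA" and seg.category != 2:
            findings.append(f"{seg.name} is in an LAA but planned as Category {seg.category}")
    return findings

# Constructed sample plan: telecom room -> hallway -> loading dock -> workstation
SAMPLE = Route("Secret", "medium", "Secret", "Confidential", [
    Segment("telecom room", "CAA", 1),
    Segment("east hallway", "LAA", 1),
    Segment("loading dock", "UAA", 2),
    Segment("workstation drop", "CAA", 1),
])

if __name__ == "__main__":
    for finding in review_route(SAMPLE):
        print("FINDING:", finding)
```

An empty list means the plan breaks none of the rules stated in this lesson; it does not replace AO approval.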
Maintaining PDS Integrity with Inspections
A protected distribution system is only as secure as the highly trained eyes watching it. CNSSI 7003 policy mandates that inspectors actively assess the system for signs of penetration on a routine basis: a scratch on the paint, a slightly loose screw on a pull box, or a tamper seal that looks out of place. Security teams rely on two inspection approaches:
Visual Inspections. Depending on the data classification, someone might literally have to physically walk the entire length of the pipeline every single day, even using mirrors to look at the back side of the pipes just to spot any physical changes. The frequency of inspections is based on the data classification level.
Technical Inspections. These are random verifications specifically designed to catch highly sophisticated tampering that a simple visual walk around might miss entirely. Certain electrical measurements taken after installation are used to compare new readings to detect tampering, even if the conduit looks untouched on the outside.
Conclusion
By now you should have a general understanding of the purpose and scope of Protected Distribution Systems as well as the different types available for protecting unencrypted NSI data. This lesson was meant to be a broad overview of the topic so we encourage you to explore the rest of the series to dive deeper into installation requirements and more detailed studies on the most common carrier types.

