
DESIGN OF PHYSICAL SECURITY FOR NODES IN OPEN NEUTRAL BROADBAND NETWORKS

Regional nodes, main municipal nodes, area nodes and access nodes

ROBUST NODES

Recommendations

THE SWEDISH URBAN NETWORK ASSOCIATION

© TietoEnator Public & Healthcare AB

Telephone 08-749 80 00, Fax 08-727 00 33

www.tietoenator.se

Contents

Chapter 1: Introduction

- Background
- Objective and target group

Chapter 2: Network and nodes – orientation

- Introduction
- Network topology – network concepts
- Node topology – node concepts

Chapter 3: Threat profile – an orientation

- Introduction
- External threats
- Internal threats
- Risk and security analysis
- Overall threat profile

Chapter 4: Security measures – an orientation

- Introduction
- Areas for measures

Chapter 5: Recommendations for regional nodes

- Design of premises
- Mechanical burglary protection
- Burglar alarm installation
- Passage control
- Fire alarm installation
- Fire extinguishing equipment
- Operations alarm
- Environment and climate control
- Electricity supply
- Lightning protection

Chapter 6: Recommendations for main municipal nodes

- Design of premises
- Mechanical burglary protection
- Burglar alarm installation
- Passage control
- Fire alarm installation
- Fire extinguishing equipment
- Operations alarm
- Environment and climate control
- Electricity supply
- Lightning protection
- EMC

Chapter 7: Recommendations for area nodes

- Design of premises
- Mechanical burglary protection
- Burglar alarm installation
- Passage control
- Fire alarm installation
- Fire extinguishing equipment
- Operations alarm
- Environment and climate control
- Lightning protection
- EMC

Chapter 8: Recommendations for access nodes

- Design of premises
- Mechanical burglary protection
- Operations alarm
- Environment and climate control
- Electricity supply
- Lightning protection
- EMC

Chapter 9: Governing statutes, ordinances, regulations, etc.

Appendices

- Appendix A: Example of cable inlet

Example of formulation of physical security declaration for:

- Appendix B: Regional nodes
- Appendix C: Main municipal nodes
- Appendix D: Area nodes

Chapter 1: Introduction

This section provides a brief background and purpose of the Recommendations.

Background

A new, open infrastructure for broadband communication is being developed in Sweden. Openness means that the actors who wish to utilise the infrastructure should be able to do so on equivalent technical, functional and commercial terms.

It is considered that the new infrastructure will be of fundamental strategic importance for the function and development of society. The objective must consequently be that the infrastructure that is created is suitable for the purpose and reliable. In order to achieve this, guidelines are required for how the networks should be developed, maintained and operated. It must be possible to link networks together and for them to function as a cohesive whole regardless of the ownership structure. It should be possible for customers to choose different levels of service regarding quality, security and function between random points in the network. This means that the networks must be well-defined in all respects. Information about the quality, security and function of the networks and similarly the commercial terms must be available for everyone who wishes to use the networks.

In the current situation a large number of network owners are developing and operating broadband networks. There is no common system of rules governing how the networks should be developed, operated and maintained. This means that quality, security and function vary between the networks of the various network owners. Information about networks is often inadequate.

As a step in creating the preconditions for the development of networks that are suitable for the purpose and reliable, the Svenska Stadsnätsföreningen (the Swedish Urban Network Association) has taken the initiative to establish recommendations within the area of physical security of exchange points and nodes. The National Post and Telecom Agency (PTS) has supported the work with the production of the Recommendations. In this presentation, the term ‘node’ is used as a joint concept for both nodes and exchange points. The Recommendations have been approved by the various network owners.


The Recommendations aim to increase physical security of nodes by indicating various security measures that should be implemented to eliminate or reduce serious threats to the primary function of the nodes.

Generally, it can be said that nodes can have different functions, strategic importance and threat profile. The starting point for the assessments relating to these parameters for an individual node is that suitable security measures can be implemented. In order to make it possible to issue general recommendations for security measures for ‘all’ types of nodes, certain general assumptions must be made.

The starting point for the work in forming the Recommendations has been to find a general connection between function, strategic importance and threat profile. One clear such connection is found by studying the traffic in the network hierarchy. As traffic from the underlying nodes is gradually aggregated, the higher up one actually ascends within a network/node topology, the greater the requirements on function for the network and nodes. As the function requirements increase, the importance of the nodes simultaneously increases and thereby also the consequences should a threat become reality.

The starting point for the work in forming the Recommendations has consequently been that there is a link between the requirement for security measures for a node and the level at which the node is included in the network/node topology.

Generally, it can be said that nodes have different functions, strategic importance and threat profiles depending on what needs, customers and operations these nodes must satisfy, and similarly the hierarchical level that a node has in a network hierarchy, and finally where a node is geographically located.

Diagram 1.1 Nodes in the new IT infrastructure must be robust, i.e. tolerate being exposed to different kinds of stresses without the primary function being significantly affected.

Nodes of various kinds have therefore been defined based on the level at which the node is included in the network/node topology.

Proposals for security measures for various kinds of nodes have thereafter been prepared so that they:

- satisfy direct or indirect demands contained in applicable statutes, ordinances, standards and norms and the relevant parts of various sector body rules and instructions.

- from the commercial and social perspectives may be deemed justified.

Recommended security measures in this document provide general instructions on how the protection should be designed or what demands regarding properties or quality should be satisfied for a node of a particular type to be deemed secure. The Recommendations also provide guidance in certain cases on what deviations from the Recommendations may be acceptable.

It should be noted in particular that factors other than the level at which the node is included in the network/node topology may also be of decisive importance for what security measures need to be taken.

A security analysis should be conducted before assessing what kinds of security measures need to be implemented for an individual node of a particular type. On the basis of this analysis, an assessment is consequently made of whether the threats or risks to the node are of such a kind that deviations may be approved or necessary to implement in comparison with the proposed Recommendations.

Objective and target group

The objective of the Recommendations is to provide network owners with a clear picture of what measures it is necessary to implement with nodes from a security perspective in order to reduce threats and risks to an acceptable level. If necessary, network owners can make a ‘security declaration’ for their nodes by reporting how they satisfy the Recommendations.

Customers who wish to use resources in a network owner’s network should have access to the network owner’s security declarations for the nodes involved with the aim of ensuring that the nodes satisfy fundamental security requirements.

The target group for the document comprises persons with responsibility for the planning, project management, procurement, development and inspection of broadband networks and also network owners and service providers.


Diagram 1.2 It is recommended that network owners make a security declaration for their nodes, i.e. declare whether they satisfy the applicable Recommendations for the type of node in question. If deviations are made from the Recommendations, these should be documented and justified.

Chapter 2: Network and nodes – an orientation

This section provides a brief description of network and nodes.

Introduction

The new IT infrastructure which is currently being developed is created through co-sharing of existing IT infrastructure and newly built IT infrastructure.

It is important to clarify that the new IT infrastructure will in practice constitute a multitude of technologies that will together form a fine-mesh network.

The new feature is that, from having been a partially fragmented network profile comprising a multitude of networks that were only partially interrelated, there has instead been a gradual transformation into a more systemised network profile where most networks form a joint network structure.

The existing ‘fragmented’ IT infrastructure only enables a limited number of users in Sweden to use the network. The new IT infrastructure that is currently being developed will in time enable all users in Sweden to use the network.

During a transitional period, the physical IT infrastructure forms a particular network and node topology that is linked together with the physical preconditions (the limitations) for establishing communication in the network.

In the long term, in pace with the network becoming more fine-mesh, this network and node topology will gradually be replaced by a new topology where the physical preconditions allow more rational and flexible communications where the topology will have less importance.


Diagram 2.1. Current network and node topology

Diagram 2.2. Future network and node topology. The importance of nodes and networks has changed.

The description of the network and node topology in the sections below is based on current preconditions, i.e. a limited development of IT infrastructure that in some respects ‘compels’ a strongly hierarchical topology.

Network topology – network concepts

The new IT infrastructure will, during a transitional period, be developed according to a network topology – network hierarchy as shown in the diagram below.

Network topology (from the uppermost level to the lowest):

• National backbone networks
• Regional networks
• Interurban networks
• Local networks
• Access networks

Diagram 2.3 The uppermost level in the network topology comprises national networks and the lowest level comprises access networks for connection of end-users.

Traffic volume, network capacity and demands for function and accessibility generally increase the higher up a network is placed in the network topology, and thereby also the strategic importance and the need for protection and security in the network.

The network at the higher levels in the network topology comprises optical cables while the network at the lower levels in practice is often realised with different technologies.

Networks may be owned by several different owners, but the common feature for all networks is that they should be open. Openness means that the actors who wish to utilise the networks should be able to do so on equivalent technical, functional and commercial terms.

One usually distinguishes between physical networks and logical networks. The physical networks comprise the physical infrastructure, while the logical networks comprise the communications routes that are defined by the operators (network operators or service operators). This means that a node that has a physical link to another node does not necessarily have to be logically connected to this point.

National backbone networks

National backbone networks or national backbone networks are both concepts that are used for networks with very high network capacity and very high security requirements. National backbone networks link together the various regions of a country and are also linked to international networks. In Sweden the national backbone networks are owned by a few large network operators.

Diagram 2.4 National networks link together various regions throughout Sweden. National networks are also connected to international networks.

Regional networks

Regional networks or intermunicipal networks link together networks within a region which often comprise interurban networks in several municipalities. Regional networks are in their turn connected upwards to national backbone networks and downwards to interurban networks in municipalities.

Diagram 2.5 Regional networks link together the municipal centres in a region. Regional networks are also linked to national backbone and interurban networks.

Interurban networks

Interurban networks link together districts within a municipality. Interurban networks are in their turn connected upwards to regional networks (intermunicipal networks) and downwards to local networks in districts or sparsely populated areas.


Diagram 2.6 Interurban networks link together areas within a municipality. Many links that will in time constitute redundancy between small districts (thin blue lines) are often only at the planning stage.

Local networks

Local networks are networks within various areas within a district or in a sparsely populated area. Local networks are in their turn connected upwards to interurban networks and downwards to access networks for users. The function of local networks is to constitute a basic broadband infrastructure that can in the long term satisfy a district’s or an area’s needs for broadband capacity. The local network will facilitate the establishment of cost-efficient termination solutions to reach subscribers by, for example, facilitating the use of existing and planned development of fibre networks, copper networks, cable television networks, radio-link networks and radio LAN.

Diagram 2.7 Local networks (light-blue lines) link together various areas within a district or areas in a sparsely populated area.


Access networks

These networks are used to connect individual customers or user groups. In practice, this means that the access network is used to connect everything from an individual household in a detached house to connection of major companies, hospitals, public authorities or entire residential and housing areas. The access networks can be realised with the assistance of several different technologies, for example fibre, copper, radio link, radio LAN, etc. Fibre-based access networks are called FTTX networks (Fibre To The X-user).

Diagram 2.8 The end-user is connected to the new IT infrastructure via access networks to an access node in the local network.

Node topology – node concepts

The new IT infrastructure is developed according to a node topology as shown in the diagram.

Node topology (from the uppermost level to the lowest):

• National nodes
• Regional nodes
• Main municipal nodes
• Area nodes
• Access nodes
• Property access nodes

Diagram 2.9 The new IT infrastructure has a node hierarchy as shown in the diagram. The uppermost level comprises national nodes and the very lowest level comprises those access nodes that are owned by the end-user (property access nodes). The node types encircled are covered by these Recommendations.

The various types of nodes are described in the section below.

Nodes generally

In the broadband networks there are exchange points that among other things are used for interconnection between the networks of different network owners and operators but also to connect end-users. The exchange points comprise technology spaces called nodes. Nodes can comprise spaces in rock shelter installations or buildings, free-standing technology sheds, containers, cabinets or wells.

End-user owned access nodes and networks comprising masts, cabinets, wells, ducting, etc. are not dealt with in this document.

There are also nodes that are not exchange points. These are primarily used to house equipment that boosts signals in networks where the network comprises very long physical lines, for example national networks.

The nodes contain connection points for the passive physical infrastructure and, depending on what function the node has, communications equipment – equipment to provide special services or other technical equipment for operation of the network. Certain types of nodes have space for so-called ‘co-location’, which enables different network owners, network operators or service providers to install their equipment and connect it to the network.

There is often equipment that is used for fixed telephony and mobile telephony in node spaces that are used for broadband communication.

National node

A node in a region, usually in a municipal centre, which is connected to several national backbone networks and international networks. Very high security requirements are placed on national nodes. It is usual for these to be built in rock shelters.


Diagram 2.10 It is usual that national nodes are placed in secure rock shelters. National nodes have the highest security requirements of all types of nodes.

Regional node

A node in a region, usually in a municipal centre, which is connected to a national backbone network, regional network (intermunicipal network), interurban network in the municipality and local network in the district.

Main municipal node

An area node, in a municipal centre, which is linked to a regional network (intermunicipal network), interurban network in its own municipality and local network in the district.

Area node

A node in a district that is linked to interurban networks and local networks.

Access node

A node in an area in a district or sparsely populated area that is linked to a local network and an access network. An access node may also be owned by the end-user (property access node).

Chapter 3: Threat profile – an orientation

This section provides a brief description of various kinds of threat to nodes.

Introduction

The threat profile for the electronic communications systems has been analysed by both private network owners and various public bodies that are responsible for national security in various crisis situations.

The National Post and Telecom Agency (PTS) writes in its strategy document ‘Robust electronic communications’:


“The threat profile has changed. Conceivable armed attacks by another State appear to be increasingly limited and remote. On the other hand, the possibilities of sabotage, terrorist attack and major accidents have come into the foreground. The great increase in use of different kinds of electronic communications, not least computer communications and the extension of the Internet, result in society becoming increasingly dependent upon the secure functioning of communications. The technical systems that are used for communications are becoming increasingly complex and interlinked and integrate on a large scale sound, pictures and data in digital form on the same channels. Dependency upon electricity is great. The disabling of vital parts of communications can have major implications for society.

The great changes of threats, technology and dependency of society mean that it is necessary to develop the work with protecting electronic communications. Sweden is to a great extent dependent upon efficient and secure electronic communications. Reliability, sustainability and accessibility need to be ensured, not least when society is exposed to difficult pressures. This protection must be designed so that it corresponds to contemporary threats and what we can anticipate for the future, to the rapid technical development in the field and to increasing numbers of services that are dependent upon secure functioning communications.

The strategy that is presented provides a new orientation for the work that PTS, as the responsible authority, intends to conduct during the forthcoming years to ensure the need for reliability, sustainability and accessibility with electric communications in the event of crises, times of alert and war.”


Diagram 3.1 PTS Report: PTS-ER-2003:13, Robust electronic communications, Strategy for the years 2003 – 2005.

Unanimity prevails between both network owners and for example the National Post and Telecom Agency that the disablement of vital parts of the electronic communications systems can have major implications for society.

The threat profile for nodes can be broken down into external threats and internal threats.

External threats

External threats include threats that affect the function of the node ‘from outside’.

Diagram 3.2 There are many different kinds of external threat (threats that come from outside) to nodes, for example fire, burglary, sabotage.

The diagram below shows different kinds of external threat. The threat level for the different kinds of threat varies from time to time and from place to place. The threat level for individual threats can be described in terms of low, normal and high threat level.

• Burglary
• Fire (e.g. forest fire, arson)
• Flooding (e.g. torrential rain, high water level of lakes and watercourses)
• Power supply (e.g. electricity disruption, lightning, voltage variations)
• Sabotage
• HPM
• EMC
• Logical attacks (not dealt with in this recommendation)

Diagram 3.3 It is possible to determine the threat level for different kinds of external threat. The threat level can be described in terms of low, normal and high threat level.

Internal threats

The group of internal threats includes threats that affect the node ‘from within’.

Diagram 3.4 There are many different kinds of internal threat (threats that come from within) to nodes, for example fire, theft, sabotage, environment and climate and ‘insider threats’.

The diagram below shows different kinds of internal threat. The threat level for different kinds of threat varies from time to time and from place to place. The threat level for individual threats can be described in terms of low, normal and high threat level.

• Theft or sabotage of equipment/connection
• Fire
• Flooding (leakage from heating, water and drainage systems)
• Heating
• Information access

Diagram 3.5 It is possible to determine the threat level for different kinds of internal threat. The threat level can be described in terms of low, normal and high threat level.

Risk and security analysis

The threat profile to an individual node should be surveyed by a risk and security analysis. The risk and security analysis should comprise all individual categories of threat within the group external threats and internal threats. The result of the risk and security analysis comprises an important basis for decisions concerning which security measures are necessary to implement for an individual node.

The Recommendations provide general instructions for how security for different kinds of nodes should be designed. The risk and security analysis can result in an individual node deviating from the Recommendations both upwards and downwards within approved limits, depending on the form of the threat profile.

The risk and security analysis should be redone when changes occur in the network or the node gains a different importance or the threat profile changes.

Overall threat profile

The threat profile to a node constitutes a balance of individual external and internal threat factors. On the basis of this threat profile, changes can be made both upwards and downwards in the Recommendations.

Diagram 3.6 The external threat level and internal threat level can be aggregated to ascertain the overall threat level for a node.

Chapter 4: Security measures – an orientation

This section provides an overall description of how threats can basically be identified and reduced with the assistance of security measures.

Introduction

Security measures are directed towards eliminating or reducing the risk of external or internal threats occurring. Measures may also be aimed at delaying the occurrence of a threat. Depending on the function, strategic importance and threat profile of the node, the security measures (the protection) should be adapted to a level that is justified commercially and from the public perspective. If too stringent demands are imposed on security measures for an individual node in relation to the relevant threat profile or in relation to the importance of the node in the network, it will cost an unnecessary amount of money to establish and maintain the security measures. If demands imposed are instead too low, this may have very great consequences both for the customers who use the network and for the network owners.

The consequence of, for example, a fire, sabotage or a power disruption can, unless necessary security measures are implemented, be that traffic that passes the node entirely or partially will cease. A large number of customers in the network will thereby not be able to use the network, and vital public functions will be cut off from communications, etc. The network owners may have to pay damages or lose revenue through traffic not functioning according to customer contracts.

Security measures therefore, in practice, represent a balance between relevant threat profile, the importance of the node and the cost of implementing security measures.


Diagram 4.1 The security measures that are implemented represent a balance between the relevant threat, the importance of the node and the cost of the security measure.

Various kinds of threat have been dealt with in the preceding section. As regards the evaluation of the importance of a node, we can see from the example above that this depends on the consequences that arise should a threat become reality.

It is obvious that a functional disruption of a national node, through which a large part of the national and also international traffic is channelled, will have greater consequences because it influences a significantly greater number of customers than if a small area node is adversely affected by a functional disruption.

How can one express the importance of a node in concrete terms?

The diagram below shows some of the important parameters affecting the importance of a node.

Importance scale: less important to very important.

Parameters that affect the importance of a node:

• Level and function in the node hierarchy
• Traffic volume
• Type of traffic (telecom, television etc.)
• SLA requirements
• Publicly vital

Diagram 4.2 How important or significant a node is depends upon several different factors or parameters.

The Recommendations regarding the formulation of security of nodes contained in this document are based on an assessed normal = average threat profile and normal

This thus means that if a recommended security measure is implemented for a particular type of node, a normal = average security level is achieved for the node in question.

Depending on the threat profile in question and the importance of the node, an adaptation of the recommended security measures may need to be implemented. The risk and security analysis can therefore result in the requirement for security measures within individual areas of measures being enhanced or reduced in relation to the Recommendations.


Diagram 4.3 The risk and security analysis can result in enhanced or reduced requirements for security measures in relation to the Recommendations depending on the threat profile in question and the importance of the node.

The threat profile against nodes comprises, as stated previously, external threats and internal threats. This thus means that the security measures that need to be implemented are directed at averting, reducing or delaying the occurrence of external threats and internal threats.

Diagram 4.4 Depending on the external and internal threats in question, appropriate external and internal security measures should be taken. The starting point is always the recommended security measures.

Areas for measures

The security measures proposed in this Recommendation are divided into a number of areas for measures according to the diagram below.

AREAS FOR MEASURES

• Design of premises
• Mechanical burglary protection
• Burglary alarm installation
• Passage control
• Fire alarm installation
• Fire extinguishing equipment
• Operations alarm
• Environment and climate control
• Electricity supply
• Lightning protection
• EMC

Diagram 4.5 The security measures are divided into a number of areas for measures. For each area of measures there are Recommendations on how the security should normally be designed for different types of nodes, but also in some cases the deviations that are allowed.

Several areas for measures comprise protection against both internal and external threats. A brief description of the scope of the respective area for measures is given in the section below.

(25)

Design of premises

Introduction

Area for measures – Design of premises – based on sector agreements and comprises recommendations for the following security measures:

General recommendations

• Choice of site for node building • Design of node building

• Signs for node building • Drawbar and lifting eyes

• Panic or emergency exit device • Elevated thresholds

• Fire protection

• Space for reserve power plant • Design of ducting

• Laying of network and electric cables • Cables in node spaces

• Potential equalization

Heating, water and drainage installations

• Heating, water and drainage pipes • Backwater valve for floor drains • Automatic closure of water pipes • Room coolers

Protective devices for cables and equipment

• Protective devices for cable inlets
• Arrangement of optical cable in buildings
• Protection of cables within and outside the fenced perimeter
• Protection of cross-connection points and/or equipment racks

The EBR publication Optical cable networks can be requisitioned from www.ebr.nu


Mechanical burglary protection

Introduction

Area for measures – Mechanical burglary protection – is based on the regulatory framework Mechanical burglary protection – SSF 200:3. The regulatory framework in question has been prepared by the Swedish Insurance Federation on the assignment of the insurance companies. The responsibility for the regulatory framework has now transferred from the Swedish Insurance Federation to the Swedish Theft-Prevention Association (SSF). The regulatory framework constitutes a form of de facto standards within the area.

The regulatory framework is based on a division of the requirements for burglary protection into various protection classifications and provides detailed instructions on how mechanical burglary protection should be designed for various classes of protection.

Mechanical burglary protection means physical/mechanical measures that are implemented to prevent unauthorised entry into node spaces.

Division of burglary protection into protection classes

Requirements for burglary protection are, according to the conditions of the insurance companies, divided into three protection classes. Protection class 1 is the lowest and protection class 3 is the highest.

Protection class 3: Special conditions that apply for operations with primary orientation towards desirable property

Protection class 2: Special conditions that apply for operations with a greater amount of desirable property than class 1

Protection class 1: General conditions that apply for operations with no or small amount of desirable property

Upon an overall assessment of which protection class should apply, the insurance company may in some cases impose further requirements for the protection of the insured premises. The requirements should always be viewed as a general minimum requirement within the respective protection class. It is often a good rule to enhance the level of protection further by reinforcing the burglary protection.


Instructions for protection for various protection classes

The regulatory framework Mechanical burglary protection – SSF 200:3 imposes detailed demands on burglary protection for the protection classes 1, 2 and 3 within the following areas:

Enclosing surfaces

• Walls
• Floor (joists)
• Ceiling/roof
• Door, entrance and hatch
• Window and glass sections

Locks and fittings

• Locks and fittings for door, entrance and hatch
• Locks and fittings for window
• Fire ventilator
• Lock system

Entry protection

• Stop barriers
• Fire ventilator
• Other opening
• Special protection of window against forcible entry

Area protection – fenced areas

• Are parts of area protection

Mechanical burglary protection – SSF 200:3 can be requisitioned from the Swedish Theft-Prevention Association’s (SSF) office, telephone +46 8 – 783 74 50. A current schedule of SSF norms is available on SSF’s website, address www.stoldskydd.se


Burglar alarm installation

Introduction

Area for measures – Burglar alarm installation – is based on the regulatory framework Project planning and installation of burglar alarm installation – SSF 130:6. The current regulatory framework has been prepared by the Swedish Insurance Federation on the assignment of the insurance companies. The responsibility for the regulatory framework has now transferred from the Swedish Insurance Federation to the Swedish Theft-Prevention Association (SSF). The regulatory framework constitutes a form of de facto standards within the area.

Rules for division of alarms into alarm classifications

The rules in SSF 130:6 classify alarm installations into three alarm classifications depending on the need of protection for the property that is monitored by the alarm. The requirements relate to project planning, installation and documentation.

The alarm classifications described correspond in principle to the security levels 1, 2 and 3 of SS-EN50131-1 with the alternatives stated in the tables included in the standard.

Alarm class 3: Alarm monitoring should be designed as shell protection supplemented with internal burglary protection (partial protection). The alarm monitoring should comprise all spaces in the object except for WC, shower or windowless spaces less than 4 m².

Alarm class 2: Alarm monitoring should be designed as shell protection supplemented with internal burglary protection (partial protection).

Alarm class 1: Alarm monitoring should be designed as internal burglary protection (partial protection).

Supplements to SSF 130:6

Some supplements to SSF 130:6 have been made in the following respects:

• Transfer of burglar alarm
• Instructions for handling alarms
• Local alarm in the event of burglary


Other

Project planning and installation of burglar alarm installation – SSF 130:6 provides instructions relating to general requirements, project planning and installation, trimming and testing, training, trial operation period, documentation, the obligations of the installation owner and auditing inspection.

Project planning and installation of burglar alarm installations – SSF 130:6 can be requisitioned from the Swedish Theft-Prevention Association’s (SSF) office, telephone +46 8 – 783 74 50. A current schedule of SSF norms is available on SSF’s website, address www.stoldskydd.se

Passage control

Introduction

Area for measures – Passage control – is based entirely on sector agreements and comprises recommendations for the following sub-areas:

Passage control system

• Design of passage control

• Control and configuration of passage control system

• Access

• Building for reserve power plant

• Fuel-filling hatch for reserve power plant

Fire alarm installation

Introduction

Area for measures – Fire alarm installation – is based on the regulatory framework Rules for automatic fire alarm installation – SBF 110:6. The current regulatory framework has been prepared by the Swedish Insurance Federation on the assignment of the insurance companies. The responsibility for the regulatory framework has now transferred from the Swedish Insurance Federation to the Swedish Fire Protection Association (SBF). The regulatory framework constitutes a form of de facto standards within the area.


Division of fire alarm installation depending on scope of monitoring

According to SBF 110:6 Rules for automatic fire alarm installation, the scope of detector monitoring should satisfy one of the three alternatives shown below:

1 Complete monitoring of building

This alternative means that all space in the building is supplied with detectors subject only to the exceptions stated in SBF 110:6, Sections 3.3.3 and 3.1.4.

2 Complete monitoring of one or more fire cells

This alternative means that all space in the monitored fire cells is supplied with detectors subject only to the exceptions stated in SBF 110:6, Sections 3.3.3 and 3.1.4. (The fire cells monitored should be separated by at least fire resistance class EI 60 from those parts of the building that do not have monitoring.)

3 Monitoring with scope SBF 110:6, Appendix A

This alternative means simplified detector monitoring for small objects. The conditions in 1.1 and 1.6 of Appendix A should be satisfied for this scope to be allowed to be used.

Supplements to SBF 110:6

Supplements to SBF 110:6 have been made in the following respects:

• Transfer of fire alarm
• Fire indication
• Activation of central fire extinguishing equipment

Other

SBF 110:6 Rules for automatic fire alarm installation provides instructions concerning material, planning, installation, installer’s certificate, inspection, testing, maintenance and care of a fire alarm installation.

Rules for automatic fire alarm installation – SBF 110:6 can be requisitioned from the Swedish Fire Protection Association’s (SBF) office, telephone +46 8 – 588 474 00. A current schedule of SBF norms is available on SBF’s website, address www.svbf.se.

Fire extinguishing equipment

Introduction

Area for measures – Fire extinguishing equipment – is based on sector agreements and comprises recommendations for the following sub-areas:

Fire extinguishing equipment

• Central fire extinguishing equipment
• Hand-held fire extinguishers

Operations alarm

Introduction

Area for measures – Operations alarm – is based on sector agreements and comprises recommendations in the following sub-areas:

Operations alarm

• Design of operations alarm
• Transfer of operations alarm

Environment and climate control

Introduction

Area for measures – Environment and climate control – is based on sector agreements and comprises recommendations for the following sub-areas:

Environment and climate control

• Design of air treatment system
• Design of cooling plant
• Design of emergency cooling plant


Electricity supply

Introduction

Area for measures – Electricity supply – is based on sector agreements and comprises recommendations for the following sub-areas:

Electricity supply

• General recommendations
• Electrical system
• Earthing and potential equalization of computer equipment
• Reserve power plant
• External power outlet for reserve power
• Uninterruptible power supply
• External electricity outlet

Lightning protection

Introduction

Area for measures – Lightning protection – There are currently no general standards that can be recommended, but work is in progress to produce these.

EMC

Introduction

Area for measures – EMC – Installed equipment should satisfy applicable standards for CE marking according to the EU-EMC directive.


Chapter 5

Recommendations for regional nodes

Recommendations for how security for regional nodes shall be designed are provided in this section.

The Recommendations for security for regional nodes are divided into a number of areas for measures. In the section below, instructions are provided for how the security measures should be designed for the respective area for measures.

Design of premises

General recommendations

Choice of site for node building: The site for a node building should be chosen so that termination with several network owners is as good as possible, and so that as risk-free an environment² as possible is achieved.

Design of node building: To avoid a node being disabled due to corrosive gases or water vapour penetrating the node building, for example in connection with a fire, its structure should be sealed.

Signs for node building: The prescribed signs outside a node building should be limited so that interest for the node is kept at the lowest level possible. There shall be no signs naming owner, etc., though signs that state the telephone number where the public can call if anything abnormal is observed may be displayed.

Drawbar and lifting eyes: In order to prevent malicious damage to a node building or adjacent building comprising a container or the like, any drawbar and lifting eyes should be removed. There is otherwise a risk that malicious damage can occur by the node building being lifted or pulled from its site with a crane or the like.

Panic or emergency exit device: Doors constituting escape routes should be equipped with a panic or emergency exit device. This also applies to buildings adjacent to a node building.

Elevated thresholds: All node spaces should be supplied with elevated thresholds, if there is a risk of flooding.

Fire protection in node building: The node building should satisfy at least fire-resistance grade EI60, but should be adapted to the rescue service’s callout time.

Space for reserve power plant: In the case of new or rebuilding of node spaces, the need of premises/space for a reserve power plant should be taken into account.

Design of ducting: In order to maintain good order, all cables should be drawn in cable trays or under a raised computer floor.

Laying of network and electric cables: To avoid mistakes and disruptions, all network and electric cabling should lie in separate ducting (trays or baskets) or shared trays with a separation shielding plate.

Cables in node spaces: Cables in node spaces may under no circumstances be halogen-based.

Potential equalisation: All metal parts in technology spaces should be potential equalised.

Heating, water and drainage installations

Heating, water and drainage pipes: The technology space in a node space should not contain crossing pipes (heating, water or drainage pipes).

Backwater valve for floor drains: In spaces where there is a floor drain, the floor drain shall be fitted with backwater valves to prevent flooding by water penetrating up through the floor drain.

Automatic closure of water pipes: In spaces where there are water pipes and/or there is a system for water-borne cooling, there shall be automatic closure of water pipes to prevent flooding.

Room coolers: Room coolers should be placed and designed so as to eliminate the risk of leakage or condensation on equipment.

Protective devices for cables and equipment

Protective devices for cable inlets: Node buildings in the form of sheds erected on-site, containers or buildings which do not have a concrete base and where there is a risk that incoming and outgoing cabling may in various ways be exposed to malicious damage or sabotage, should be supplied with a protective device that prevents/impedes malicious damage to cabling.

The protection of cables between the ground and the underside of the floor should completely cover the cables ‘all around’, be made of 1.5 mm steel plate and be buried at least 25 cm, or be designed in an equivalent way. See example of design of protective devices for cable inlets in Appendix A.

Arrangement of optical cable in node building: Optical cables that are intended for outdoor use and that do not satisfy the requirement for limited fire spread may be laid a maximum of 5 metres within a node building. In addition, all optical cable should be equipped with flame-retardant material.

Protection of cables within and outside the fenced perimeter: To be designed in accordance with the instructions contained in the EBR publication Optical cable networks.

Protection of cross-connection points and/or equipment racks: The node owner’s own communications equipment, cross-connection points and equipment for supply of the node (power supply, climate equipment, etc.) should be, as regards premises, separate from other operators who in some form lease space from the node owner. Only the node owner should have access to this kind of space.

Operators who lease space for fitting of their own equipment cabinets or lease space for location of equipment in equipment cabinets that are owned by the node owner, are themselves responsible for the protection of their own cross-connection points and equipment.

Mechanical burglary protection

Design of mechanical burglary protection

Mechanical security protection should be designed in accordance with the Swedish Theft-Prevention Association’s (SSF) rules for Mechanical burglary protection – SSF 200:3, protection class 3.

Note: The preconditions for assistance from the police or guards in the event of burglary should be taken into account in connection with the detailed design planning of the mechanical burglary protection.

Deviations permitted

Outer door: An outer door should be supplied with a door closer. A powered lock should be fitted, which means that the door will no longer satisfy the requirements for protection class 3.

Tip: The mechanical protection contained in walls is significantly improved by a loose plate being inserted between two insulation layers in the wall. The inner wall can, for instance, comprise plywood. In the event of mechanical malicious damage from the outside, the plate flexes and in this way makes it more difficult to penetrate through the wall.

Burglar alarm installation

Design of burglar alarm installation

To be designed in accordance with the Swedish Theft-Prevention Association’s (SSF) rules for Project planning and installation of burglar alarm installations – SSF 130:6, alarm class 3.

Supplements to SSF 130:6

Transfer of burglar alarm: Transferred to operations centre and/or security company. A burglar alarm is transferred via two independent communication routes to the alarm-receiving organisation without delay.

Local alarm in the event of burglary: A buzzer signal shall sound as warning before the burglar alarm connects (30 seconds).

Passage control

Passage control system

Design of passage control system: Regional nodes should be supplied with passage control systems with log function. Registration should be made of both inward and outward passage.

Control and configuration of passage control system: It should be possible to do this from the operations monitoring centre.

Access: It is recommended that there is a combination of card and code for access to a node.

Building for reserve power plant: Should be supplied with passage control.

Fuel-filling hatch for reserve power plant: Should be supplied with lock.


Fire alarm installation

Design of fire alarm installation

To be designed in accordance with the Swedish Fire Protection Association’s (SBF) rules: Rules for automatic fire alarm installation – SBF 110:6. The alarm installation should be dimensioned for complete monitoring of the node building.

Supplements to SBF 110:6

Transfer of fire alarm: Transferred to operations centre and fire brigade/alarm centre. The alarm is transferred to the alarm-receiving organisation without delay.

Fire indication: There should be a possibility to transfer the fire alarm indication – so-called ‘pre-alarm’. The purpose of this is to inform/warn personnel at the operations centre that there is a risk of fire.

Activation of central fire extinguishing equipment: See section Fire extinguishing equipment.

Fire extinguishing equipment

Central fire extinguishing equipment: A regional node should be supplied with central fire extinguishing equipment. It should be possible to activate central fire extinguishing equipment by a fire alarm and/or measures by personnel at the operations monitoring centre.

Hand-held fire extinguisher: A hand-held fire extinguisher of the type CO2 extinguisher of at least 6 kg should be adjacent to the inside of the external door to the node space. Premises or buildings for reserve power plants should be supplied with dry powder extinguishers.

Operations alarm

Design of operations alarm: Besides technical alarms from communications equipment, which are not dealt with in this Recommendation, different kinds of operations alarm from the node should be transferred to the operations monitoring centre. It should be possible to divide operations alarms into the categories A-, B- and C-alarms (indications) depending on the priority of the alarm.

Transfer of operations alarm: A-alarm transferred to operations centre without delay.

Environment and climate control

Design of air treatment system: Climate requirements should be adapted to the operational requirements for the respective equipment housed within the node.

Design of cooling plant: Regional nodes should have a cooling system and should have two redundant systems. The dimensioned room temperature in technology spaces should be 20 degrees -5/+4 degrees.

Emergency cooling plant: Should exist in the form of an independent cooling plant (based on water cooling).

Electricity supply

General recommendations: The applicable high-voltage regulations ELSÄK FS 1999:5 with relevant supplements and amendments should be complied with.

Electrical system: 230/400V, which is a five-wire system (TN-S system) and supplied with earth fault monitoring. Zero and protective conductors are connected at the supply point. Performed as A-, B-systems with separate groups in the power distribution panel.

Earthing and potential equalisation of computer equipment: Arranged according to SS-EN-50310.

Reserve power plant: A regional node should be supplied with a reserve power plant and the desired requirement is two redundant reserve power plants which are each dimensioned on the basis of the power need of the node. The volume for fuel tanks for a reserve power plant should be dimensioned for 100 % loading for at least 48 hours.

External power outlets for reserve power: The installation should have external power outlets for reserve power. If this is available, there should be an earthing point connected to the outlet for reserve power. The outlet for connection of reserve power should be dead when the node is unmanned.

Uninterruptible power supply: A regional node should be supplied with an uninterruptible power supply (UPS). UPS should supply priority equipment and be constantly connected between the network/reserve power plant and the load.

UPS has the following tasks:

• To constitute a filter and protect priority installations
• To bridge exchange times between network operation and reserve power plant operation
• To maintain functions for priority installations in the event of an interruption of network and reserve power

UPS installations are dimensioned and designed on the basis of requirements of durability and accessibility.

Guideline values for UPS operation:

UPS operation at a regional node with two (2) reserve power plant units (redundant): 1 hour.

UPS operation at a regional node with one (1) reserve power plant unit: 4 hours.

At an installation that does not have a reserve power plant, the UPS operation is dimensioned at 8 hours.

External electricity outlets: There should not normally be other kinds of live electricity outlets on the outside of the node except the connection for reserve power. In those cases where there are, for example, engine heater outlets, these should be controlled by a timer from the inside of the node building, alternatively be relay controlled from an unlocking function for the outer door. An engine heater outlet should be dead when it is not being used by authorised personnel.

Lightning protection

General recommendations: There are currently no general standards that can be recommended, but work is in progress to produce these.

EMC

General recommendations: Installed equipment should satisfy applicable standards


Chapter 6

Recommendations for main municipal nodes

Recommendations for how security for main municipal nodes shall be designed are provided in this section.

The Recommendations for security for main municipal nodes are divided into a number of areas for measures. In the section below, instructions are provided for how the security measures should be designed for the respective area for measures.

Design of premises

General recommendations

Choice of site for node building: The site for a node building should be chosen so that termination with several network owners is as good as possible, and so that as risk-free an environment³ as possible is achieved.

³ See Chapters 3 and 4

Design of node building: To avoid a node being disabled due to corrosive gases or water vapour penetrating the node building, for example in connection with a fire, its structure should be sealed.

Signs for node building: The prescribed signs outside a node building should be limited so that interest for the node is kept at the lowest level possible. There shall be no signs naming owner, etc., though signs that state the telephone number where the public can call if anything abnormal is observed may be displayed.

Drawbar and lifting eyes: In order to prevent malicious damage to a node building or adjacent building comprising a container or the like, any drawbar and lifting eyes should be removed. There is otherwise a risk that malicious damage can occur by the node building being lifted or pulled from its site with a crane or the like.

Panic or emergency exit device: Doors that may constitute escape routes should be equipped with a panic or emergency exit device. This also applies to buildings adjacent to a node building.

Elevated thresholds: All node spaces should be supplied with elevated thresholds, if there is a risk of flooding.

Fire protection in node buildings: The node building should satisfy at least fire-resistance grade EI60, but should be adapted to the rescue service’s callout time.

Space for reserve power plant: In the case of new or rebuilding of node spaces, the need of premises/space for a reserve power plant should be taken into account.

Design of ducting: In order to maintain good order, all cables should be drawn in cable trays or under a raised computer floor.

Laying of network and electric cables: To avoid mistakes and disruptions, all network and electric cabling should lie in separate ducting (trays or baskets) or shared trays with a separation shielding plate.

Cables in node spaces: Cables in node spaces may under no circumstances be halogen-based.

Potential equalisation: All metal parts in technology spaces should be potential equalised.

Heating, water and drainage installations

Heating, water and drainage pipes: The technology space in a node space should not contain crossing pipes (heating, water or drainage pipes).

Backwater valve for floor drains: In spaces where there is a floor drain, the floor drain shall be fitted with backwater valves to prevent flooding by water penetrating up through the floor drain.

Automatic closure of water pipes: In spaces where there are water pipes and/or there is a system for water-borne cooling, there shall be automatic closure of water pipes to prevent flooding.

Room coolers: Room coolers should be placed and designed so as to eliminate the risk of leakage or condensation on equipment.

Protective devices for cables and equipment

Protective devices for cable inlets: Node buildings in the form of sheds erected on-site, containers or buildings which do not have a concrete base and where there is a risk that incoming and outgoing cabling may in various ways be exposed to malicious damage or sabotage, should be supplied with a protective device that prevents/impedes malicious damage to cabling.

The protection of cables between the ground and the underside of the floor should completely cover the cables ‘all around’, be made of 1.5 mm steel plate and be buried at least 25 cm, or be designed in an equivalent way. See example of design of protective devices for cable inlets in Appendix A.

Arrangement of optical cable in node building: Optical cables that are intended for outdoor use and that do not satisfy the requirement for limited fire spread may be laid a maximum of 5 metres within a node building. In addition, all optical cable should be equipped with flame-retardant material.

Protection of cables within and outside the fenced perimeter: To be designed in accordance with the instructions contained in the EBR publication Optical cable networks.

Protection of cross-connection points and/or equipment racks: The node owner’s own communications equipment, cross-connection points and equipment for supply of the node (power supply, climate equipment, etc.) should be, as regards premises, separate from other operators who in some form lease space from the node owner. Only the node owner should have access to this kind of space.

Operators who lease space for fitting of their own equipment cabinets or lease space for location of equipment in equipment cabinets that are owned by the node owner, are themselves responsible for the protection of their own cross-connection points and equipment.

Mechanical burglary protection

Design of mechanical burglary protection

Mechanical security protection should be designed in accordance with the Swedish Theft-Prevention Association’s (SSF) rules for Mechanical burglary protection – SSF 200:3, protection class 3.

Note: The preconditions for assistance from the police or guards in the event of burglary should be taken into account in connection with the detailed design planning of the mechanical burglary protection.

Deviations permitted

Outer door: An outer door should be supplied with a door closer. A powered lock should be fitted, which means that the door will no longer satisfy the requirements for protection class 3.

Tip: The mechanical protection contained in walls is significantly improved by a loose plate being inserted between two insulation layers in the wall. The inner wall can, for instance, comprise plywood. In the event of mechanical malicious damage from the outside, the plate flexes and in this way makes it more difficult to penetrate through the wall.

Burglar alarm installation

Design of burglar alarm installation

To be designed in accordance with the Swedish Theft-Prevention Association’s (SSF) rules for Project planning and installation of burglar alarm installations – SSF 130:6, alarm class 3.

Supplements to SSF 130:6

Transfer of burglar alarm: Transferred to operations centre and/or security company. A burglar alarm is transferred to the alarm-receiving organisation without delay.

Local alarm in the event of burglary: A buzzer signal shall sound as warning before the burglar alarm connects (30 seconds).

Deviations permitted

Spaces for personnel: Spaces for personnel do not need to have alarms.

Passage control

Passage control system

Design of passage control system: Main municipal nodes should be supplied with passage control systems with log function. Registration should be made of both inward and outward passage.

Control and configuration of passage control system: It should be possible to do this from the operations monitoring centre.

Access: It is recommended that there is a combination of card and code for access to a node.

Building for reserve power plant: Should be supplied with passage control.

Fuel-filling hatch for reserve power plant: Shall be supplied with lock.
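Registering both inward and outward passage, as recommended above for regional nodes and for main municipal nodes, allows the passage log to be reconciled so that every entry is closed by an exit of the same card. The following Python sketch is an added example and not part of the Recommendation; the log line format, the node and card identifiers and the 12-hour stay limit are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log. Assumed line format (not defined by the Recommendation):
#   <ISO timestamp> <node id> <card id> <IN|OUT>
SAMPLE_LOG = """\
2021-03-01T08:02:11 RN-01 card-1001 IN
2021-03-01T08:47:30 RN-01 card-1001 OUT
2021-03-01T09:15:02 RN-01 card-1002 IN
2021-03-01T09:16:40 RN-01 card-1003 OUT
2021-03-01T10:05:00 RN-01 card-1004 IN
2021-03-01T10:06:12 RN-01 card-1004 IN
2021-03-01T10:30:00 RN-01 card-1004 OUT
2021-03-01T11:00:00 MN-02 card-1005 IN
2021-03-02T02:00:00 MN-02 card-1005 OUT
this line is damaged
"""


@dataclass(frozen=True)
class Passage:
    time: datetime
    node: str
    card: str
    direction: str  # "IN" or "OUT"


@dataclass(frozen=True)
class Finding:
    kind: str
    node: str
    card: str
    time: datetime


def parse_log(text):
    """Return (passages sorted by time, lines that could not be parsed).

    Unparseable lines are returned rather than dropped, because a gap in
    the passage log is itself something the operations centre should see.
    """
    passages, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        try:
            if len(parts) != 4 or parts[3] not in ("IN", "OUT"):
                raise ValueError("unexpected field layout")
            when = datetime.fromisoformat(parts[0])
            passages.append(Passage(when, parts[1], parts[2], parts[3]))
        except ValueError:
            rejected.append(line)
    return sorted(passages, key=lambda p: p.time), rejected


def reconcile(passages, max_stay=timedelta(hours=12)):
    """Pair each inward passage with the next outward passage of the same
    card at the same node and report everything that does not pair up."""
    inside = {}  # (node, card) -> time of the entry that is still open
    findings = []
    for p in passages:
        key = (p.node, p.card)
        if p.direction == "IN":
            if key in inside:
                # A second entry without an exit in between: the exit was
                # not registered, or the card was used by a second person.
                findings.append(Finding("ENTRY_WHILE_INSIDE", p.node, p.card, p.time))
            inside[key] = p.time
        else:
            entered = inside.pop(key, None)
            if entered is None:
                # Exit without a registered entry: the holder passed in
                # behind another card holder, or the inward reader failed.
                findings.append(Finding("EXIT_WITHOUT_ENTRY", p.node, p.card, p.time))
            elif p.time - entered > max_stay:
                findings.append(Finding("STAY_EXCEEDS_LIMIT", p.node, p.card, p.time))
    # Entries that are still open when the log ends.
    for (node, card), entered in sorted(inside.items()):
        findings.append(Finding("NO_EXIT_RECORDED", node, card, entered))
    return findings


if __name__ == "__main__":
    events, rejected = parse_log(SAMPLE_LOG)
    for finding in reconcile(events):
        print(finding.time.isoformat(), finding.node, finding.card, finding.kind)
    for line in rejected:
        print("unparseable log line:", repr(line))
```

Without the outward registration, none of the four finding types could be produced from the log, which is the practical reason for recording both directions.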

Fire alarm installation

Design of fire alarm installation

To be designed in accordance with the Swedish Fire Protection Association’s (SBF) rules: Rules for automatic fire alarm installation – SBF 110:6. The alarm installation should be dimensioned for complete monitoring of the node building.

Supplements to SBF 110:6

Transfer of fire alarm: Transferred to operations centre and fire brigade/alarm centre. The alarm is transferred to the alarm-receiving organisation without delay.

Fire indication: There should be a possibility to transfer the fire alarm indication – so-called ‘pre-alarm’. The purpose of this is to inform/warn personnel at the operations centre that there is a risk of fire.

Activation of central fire extinguishing equipment: See section Fire extinguishing equipment.

Fire extinguishing equipment

Central fire extinguishing equipment: A main municipal node should be supplied with central fire extinguishing equipment. It should be possible to activate central fire extinguishing equipment by a fire alarm and/or measures by personnel at the operations monitoring centre.

Hand-held fire extinguishers: A hand-held fire extinguisher of the type CO2 extinguisher of at least 6 kg should be adjacent to the inside of the external door to the node space. Premises or buildings for reserve power plants should be supplied with dry powder extinguishers.

Operations alarm

Design of operations alarm: Besides technical alarms from communications equipment, which are not dealt with in this Recommendation, different kinds of operations alarm from the node should be transferred to the operations monitoring
