INF.12 Cabling
Description
Introduction
Proper and standards-compliant cabling is the foundation for secure IT operations. A fundamental distinction must be made between electrotechnical cabling and IT cabling.
Electrotechnical cabling of IT systems and other devices encompasses all cables and distribution panels in the building from the feed-in point of the distribution network operator (DNO) to the connection points of end devices.
IT cabling within an institution encompasses all communication cables and passive components such as patching or splicing distributors and patch panels. It thus forms the physical foundation of internal communications networks. IT cabling extends from the handover points from an external network to the connection points of network participants. Handover points are, for example, the connection of a telecommunications company or the DSL connection of an internet service provider.
Despite this distinction, the fundamental requirements for both types of cabling are identical. Therefore, cabling within an institution should always be considered as a whole.
Objective
The objective of this building block is to protect the entire electrotechnical cabling and IT cabling against failure, manipulation, and disruption.
Scope and Modeling
The building block INF.12 Cabling is to be applied once to the cabling in buildings and rooms, in addition to the building block INF.1 General Building. The requirements of the building block are always to be applied to both IT cabling and electrotechnical cabling.
Threat Landscape
Since IT-Grundschutz building blocks cannot address individual information domains, typical scenarios are used to illustrate the threat landscape. The following specific threats and vulnerabilities are of particular relevance for the building block INF.12 Cabling.
Cable Fire
Cable fires can cause significant damage to an information domain. A cable fire causes, for example, short circuits or interrupts conductors. As a result, protective devices also fail. In addition, aggressive gases can be produced during cable fires depending on the insulation materials.
Inadequate Dimensioning of Cabling
When workplaces, server rooms, or data centers are planned, these plans are frequently oriented exclusively toward current demand. However, future new requirements often also demand additional capacity from the power network and data cables. This may become necessary, for example, when additional servers are deployed or technical standards change. Cabling can only be expanded to the extent permitted by the cables and cable trays already installed.
Insufficient Documentation of Cabling
If the exact location of cables is not known because they were insufficiently documented, these cables can be damaged during construction work outside or inside a building. Insufficient documentation also makes it more difficult to inspect and repair cables.
Furthermore, it cannot be assumed that all cables in the installation zones are installed in accordance with currently applicable standards.
Inadequately Protected Distribution Panels
Occasionally, power supply or data network distribution panels are installed unlocked in areas that are generally accessible. Unauthorized persons can open and manipulate such distribution panels, thereby causing power or data supply outages.
Cable Damage
The less protection a cable's route provides, the greater the risk that the cable will be intentionally or unintentionally damaged. Damage not only causes direct connection outages, but can also lead to disruptions later on. Damaged insulation may not affect the functional properties of a cable until much later.
Voltage Fluctuations, Overvoltage, Undervoltage
Fluctuations in supply voltage can occur in all areas of networks. Extremely short and small events have little or no effect on IT systems. Larger fluctuations, however, lead to malfunctions. Connected systems can be damaged to the point of total failure. Destructive overvoltages can also occur.
Use of Poor-Quality Power Strips
The permanently installed sockets are often insufficient for the devices to be operated. To compensate, power strips are frequently used. However, if these power strips are of poor quality, they can become an ignition source and thus a major fire hazard.
In many cases, several power strips are connected in series to provide sockets for all devices. With such a series connection, there is a risk of overload. The result can be an incomplete short circuit with a high risk of fire.
Unauthorized Cable Connections
In some cases, cable connections are established between IT systems or other technical components that are not intended and are unauthorized. This can cause security problems or operational disruptions.
For example, such cable connections may allow unauthorized access to data networks, IT systems, information, or applications. Through unauthorized cable connections, information can also be transmitted to incorrect recipients. Furthermore, the connection can be disrupted.
Cable Impairment
The electrical signal transmission in communication cables can be negatively influenced by electrical and magnetic fields. A special form of this cable impairment is crosstalk. In this case, currents and voltages from neighboring conductors are transferred as interference signals to the communication cable.
Eavesdropping on and Manipulation of Cables
Eavesdropping attacks on data cables are an information security threat that should not be neglected. In principle, there are no eavesdrop-proof cables. Cables differ in quality only with regard to the effort required to eavesdrop on the line. Whether a cable is actually being eavesdropped on can only be determined with considerable measurement effort.
In addition, deliberate manipulation of cables, up to and including their destruction, represents a threat to the institution. Cable malfunctions can be deliberately induced with manipulative intent. Such manipulations often pursue the goal of disrupting IT operations or damaging the institution.
Requirements
The following are the specific requirements of the building block INF.12 Cabling. The Information Security Officer (ISO) is responsible for ensuring that all requirements are met and verified in accordance with the established security concept. The ISO must always be involved in strategic decisions.
Additional roles are defined in the IT-Grundschutz Compendium. They should be filled where meaningful and appropriate.
| Responsibilities | Roles |
|---|---|
| Primarily responsible | Specialist supervisors |
| Additional responsibilities | IT Operations, Facility Management |
Exactly one role should be Primarily responsible. There may also be Additional responsibilities. If one of these additional roles is primarily responsible for fulfilling a specific requirement, that role is listed in square brackets after the requirement heading. The use of singular or plural does not imply anything about the number of persons filling these roles.
Basic Requirements
The following requirements MUST be met as a priority for this building block.
INF.12.A1 Selection of Suitable Cable Types (B) [IT Operations, Facility Management]
When selecting cable types, it MUST be examined what transmission properties are required. Relevant standards and regulations MUST be observed. Environmental conditions during operation and installation MUST also be taken into account. With regard to environmental conditions, the following factors MUST be taken into account:
- temperatures,
- cable routing paths,
- tensile forces during installation,
- the type of installation, and
- the distance between the endpoints and possible sources of interference.
INF.12.A2 Planning of Cable Routing (B) [IT Operations, Facility Management]
Cables, cable routing paths, and cable trays MUST be adequately dimensioned from a functional and physical standpoint. Future needs MUST be factored in — for example, sufficient space for possible technical expansion in cable conduits and trays. When jointly routing IT and power cabling in one tray, crosstalk between individual cables MUST be prevented. Care MUST be taken to route IT cabling and electrotechnical cabling with the standards-compliant separation distance. Identifiable sources of hazard MUST be avoided.
INF.12.A3 Professional Installation (B) [IT Operations, Facility Management]
Cabling installation work MUST be carried out expertly and carefully. All relevant standards MUST be observed during installation. The proper execution of cabling MUST be checked by a qualified person at all stages. When materials are delivered, it MUST be checked whether the correct cables and connection components have been delivered. Care MUST be taken that the installation does not cause damage. Furthermore, cable routing paths MUST be chosen so that damage to installed cables through normal use of the building is excluded.
INF.12.A4 EMC-Compatible Power Supply (B) [Facility Management]
The power supply MUST be EMC (electromagnetic compatibility) compliant. For this purpose, the power distribution network MUST be constructed as a TN-S system. When constructing and operating the power distribution network, the separation distances recommended in the applicable standards MUST be maintained as far as possible. Precautions MUST be taken against radiation from outside, radiation from the power cable, and for detecting equalization currents.
Standard Requirements
Together with the basic requirements, the following requirements represent the state of the art for this building block. They SHOULD generally be met.
INF.12.A5 Requirements Analysis for Cabling (S) [IT Operations, Facility Management]
In principle, the requirements that influence a future-proof, needs-based, and economical implementation of cabling SHOULD be analyzed. In this requirements analysis, an estimate SHOULD first be made of what the short-term use of cabling within the institution will look like. Building on this, the longer-term development of use SHOULD be estimated. Furthermore, the protection objectives of availability, integrity, and confidentiality MUST also be considered in the requirements analysis for cabling.
INF.12.A6 Acceptance of Cabling (S) [IT Operations, Facility Management]
An acceptance process SHOULD exist for cabling. Cabling SHOULD always be accepted when all tasks to be carried out (possibly within the scope of a milestone) have been completed. The executing parties SHOULD have reported the tasks as completed and ready for acceptance. Also, the checks by the contracting institution SHOULD not have revealed any unacceptable deficiencies. The acceptance date SHOULD be chosen so that the acceptance checks can be prepared in sufficient time. The contracting party MUST provide written proof no later than at the acceptance date that all standards and regulations applicable to the trade have been complied with. At acceptance, the actual scope of services MUST be verified. A checklist SHOULD be prepared for the acceptance record. The acceptance record MUST be signed in a legally binding manner by the participants and persons responsible. The record MUST form part of the internal cabling documentation.
INF.12.A7 Surge Protection (S) [Facility Management]
Every electrically conducting network SHOULD be protected against surges. A corresponding surge protection concept MUST be developed for this purpose in accordance with the applicable standards. Standby generators (SG) and uninterruptible power supplies (UPS) MUST be included in the surge protection concept.
INF.12.A8 Removal and Deactivation of No Longer Required Cables (S) [IT Operations, Facility Management]
When cables are no longer needed, they SHOULD be professionally and completely removed. After cables have been removed, fire barriers MUST be professionally sealed.
Cables that are currently not needed but that, given the existing technology, can sensibly remain in place as a reserve SHOULD be maintained in an operational condition. Such cables MUST at minimum be appropriately labeled at the endpoints.
In principle, an overview of cables that are no longer needed SHOULD be compiled. The documentation SHOULD indicate which cables have been removed or deactivated.
INF.12.A9 Fire Protection in Cable Trays (S) [Facility Management]
Cable trays SHOULD be adequately dimensioned. Cable trays SHOULD have adequate ventilation and air extraction.
INF.12.A10 Documentation and Labeling of Cabling (S) [IT Operations, Facility Management]
An institution SHOULD ensure that it has both internal and external documentation for its cabling. The internal documentation MUST contain all records of the installation and operation of the cabling. The internal documentation SHOULD be prepared and maintained comprehensively enough to best support operation and its further development. The external documentation (labeling of connections to support operation) of the cabling SHOULD be kept as neutral as possible.
Every change in the network SHOULD be documented. An interim or working version of the documentation SHOULD be updated immediately, i.e., on the same day. The master documentation MUST be updated no later than 4 weeks after completion of the respective work. It SHOULD be examined whether document management can be used for the documentation. The documentation SHOULD be regularly reviewed and updated. All technical facilities documented within the scope of cabling MUST be checked for documentation compliance no later than after 4 years.
INF.12.A11 Neutral Documentation in Distribution Panels (S) [IT Operations, Facility Management]
In each distribution panel, there SHOULD be documentation reflecting the current status of patching and line assignments. The documentation in the distribution panel MUST enable safe switching.
The documentation in the distribution panel SHOULD be kept as neutral as possible. The documentation in the distribution panel SHOULD only include existing and active connections as well as incoming reserve cables. Where possible, no indications SHOULD be given of how cables are being used. Only information that is explicitly required SHOULD be provided. All further information SHOULD be recorded in revision documentation.
INF.12.A12 Inspection of Electrotechnical Systems and Existing Connections (S) [IT Operations, Facility Management]
All electrical systems and operating equipment SHOULD be regularly inspected in accordance with DGUV Regulation 3 and in accordance with the implementation instructions cited in § 5 Inspection. All irregularities identified MUST be documented without delay. Identified irregularities MUST be reported without delay to the responsible organizational units. The responsible organizational units MUST remedy the identified irregularities in a timely enough manner to exclude any risk to persons. The availability of the electrical systems and operating equipment MUST be ensured to the required extent.
INF.12.A13 Avoidance of Electrical Ignition Sources (S) [Facility Management]
The use of private electrical equipment within an institution SHOULD be clearly regulated. All electrical equipment MUST be inspected and declared safe by a qualified electrician before use. The use of power strips SHOULD be avoided as far as possible. Missing sockets SHOULD be professionally retrofitted by a qualified electrician.
Requirements for High Protection Needs
The following are exemplary proposals for requirements for this building block that go beyond the level of protection representing the state of the art. The proposals SHOULD be considered when protection needs are elevated. The specific determination is made within an individual risk analysis.
INF.12.A14 A-B Power Supply (H) [Facility Management]
It SHOULD be examined whether instead of a single-circuit power supply, a dual-circuit A-B supply SHOULD be created to supply important IT components and other consumers. The operational capability of the power supply SHOULD be permanently monitored by appropriate technical facilities.
INF.12.A15 Physical Protection of Cabling (H) [IT Operations, Facility Management]
For all rooms in a building — especially in rooms with public traffic and in areas that are difficult to oversee — consideration SHOULD be given to securing cables and distribution panels against unauthorized access. In any case, the number and scope of locations where energy supply equipment and data network access points are accessible to unauthorized persons SHOULD be kept as low as possible.
INF.12.A16 Use of Cabinet Systems (H) [Facility Management]
Electrotechnical connections and distribution panels SHOULD be set up in or installed in cabinet systems. When dimensioning cabinet systems, expected growth over the planned deployment period SHOULD be taken into account.
INF.12.A17 Redundancy for IT Cabling (H) [IT Operations]
It SHOULD be examined whether a redundant primary IT cabling SHOULD be created that is routed via independent trays. Likewise, it SHOULD be examined whether connections to IT or telecommunications providers SHOULD be designed redundantly. With high or very high availability requirements, it SHOULD be considered whether to design secondary and tertiary cabling redundantly in the relevant buildings. Redundantly designed sections of secondary cabling SHOULD be routed in different fire sections. If redundant cabling is used, its functionality SHOULD be regularly checked.
Additional Information
Good to Know
The German Institute for Standardization formulates requirements relevant to cabling. These are the following standards:
- DIN 4102, Fire behavior of building materials and components
- DIN IEC 60364, Erection of low-voltage installations
- IEC 62305, Information note: Lightning protection standards DIN EN 62305 / VDE 0185-305:2006
- DIN VDE 0100, Erection of low-voltage installations
- DIN VDE 0105-100, Operation of electrical installations
- DIN 41494, Design of electronic equipment
- DIN EN 50173, Information technology – Generic cabling systems
- DIN EN 50174, Information technology – Cabling installation
- DIN EN 50310:2017-02, Application of equipotential bonding and earthing in buildings with information technology equipment
- DIN EN 50346:2010-02, Information technology – Cabling installation – Testing of installed cabling
- DIN IEC 60297, Design of electronic equipment
The German Social Accident Insurance (BGW) has published further regulations for electrotechnical cabling in DGUV Regulation 3: “Elektrische Anlagen und Betriebsmittel, Unfallverhütungsvorschrift.”
The International Organization for Standardization (ISO) provides requirements for IT cabling in standard ISO/IEC 11801:2002-09 “Information technology – Generic cabling for customer premises.”