Tempest / Data Security
What Is Tempest / Data Security?
TEMPEST is a signals intelligence discipline and a set of security standards concerned with the unintentional leakage of sensitive information through electromagnetic, acoustic, and other emanations produced by electronic equipment during normal operation. The name originated as a classified U.S. government codename; it is now used both for the threat itself (the interception of compromising emanations) and for the countermeasure standards designed to suppress those emanations below detectable levels. TEMPEST sits at the intersection of electronic engineering, cryptography, and physical security, and it applies wherever equipment processes information that must remain confidential.
The fundamental vulnerability is that digital equipment cannot avoid radiating energy. Every switching transistor, display pixel update, and data bus transaction produces electromagnetic fields that propagate beyond the equipment housing. An adversary positioned near the target, or at greater distances with sensitive receivers, can capture these signals and reconstruct the original data, often without any software vulnerability being involved and without leaving evidence of the intrusion. A detailed technical discussion is available in the Federation of American Scientists eprint archive on TEMPEST, which traces the public history of the discipline and its legal treatment across multiple jurisdictions.
Compromising Emanations
Compromising emanations are unintentional radio frequency, optical, or acoustic signals that carry information about the data being processed by a device. Cathode ray tube monitors were historically the most vulnerable source: they emit broadband radiation that allows the video signal to be reconstructed from distances up to one kilometer using a directional antenna and a receiver tuned to the display's sweep frequency. Modern flat-panel displays and high-speed digital buses present similar risks, though at different frequency profiles. Research published in Applied Sciences describes contemporary measurement methodologies for profiling compromising emanations across device classes, including keyboards, USB interfaces, and power supply circuits. Acoustic emanations from mechanical components such as cooling fans and hard drive actuators represent an additional, lower-bandwidth channel that can leak information about computation patterns.
Countermeasures and Shielding
TEMPEST countermeasures fall into three categories: shielding, filtering, and distance. Shielding involves enclosing sensitive equipment in a Faraday cage, a metallic enclosure that attenuates outgoing electromagnetic fields by tens of decibels. Filtering suppresses emanations conducted along power lines and cables, which act as antennas; ferrite cores, line filters, and fiber-optic signal converters are common implementations. Distance operates as a passive countermeasure: the power of an emitted signal decreases with the square of the distance from the source, so increasing the separation between sensitive equipment and the security perimeter reduces interceptability. TEMPEST-qualified equipment must pass laboratory tests demonstrating that its emissions fall below specified thresholds across defined frequency ranges.
Standards and Policy
The U.S. government's TEMPEST standards are administered jointly by the National Security Agency (NSA) and the Department of Defense. Published guidance is limited: most emission limits and test procedures remain classified, and declassified versions of TEMPEST test standards are heavily redacted. The NATO SDIP-27 series of standards establishes TEMPEST requirements for equipment used in allied military and government networks, defining three protection levels (A, B, and C) based on proximity to the equipment and the assumed capability of the adversary. Commercial entities handling classified contracts or operating in physically exposed environments are expected to procure equipment certified to these levels and to implement facility controls aligned with the IEEE standards on electromagnetic compatibility, which address controlled-environment EMC testing methods that overlap with TEMPEST evaluation practice.
Applications
TEMPEST security has applications in a range of high-assurance environments, including:
- Classified government and military communications facilities
- Financial trading floors and secure data centers handling sensitive transactions
- Diplomatic missions and intelligence agency installations
- Industrial control systems for critical infrastructure protection
- Research laboratories handling proprietary or export-controlled information