is required, leaky-feeder systems can be considered to extend coverage along drifts and shafts. Network hardware, cabinets, junction boxes, and enclosures should carry environmental ratings appropriate to where they are installed. Finally, emergency communications should be fed by dual power supplies with UPS backup, and field spares with proven configurations should be held so that service can be restored quickly.
• Underground rail requires continuous service, with passenger safety as the top priority. The primary risks are flooding, smoke, power dips, vibration, and the increased failure and tamper exposure that comes with public proximity. Two independent routes ensure that a single cable cut or flooded duct does not isolate a station or split the network. Optical fiber backbones should be kept well separated from traction power, with solid bonding and grounding, and resilience should be prioritized for public address/passenger information systems (PA/PIS), emergency phones, and train-control interfaces. The connection to the back office should likewise follow a redundant path design.
• Education campuses are typically large, mixed-use estates with frequent room changes. Unsecured internet of things (IoT) devices and shadow IT expose them to theft, misuse, and outages at peak times, and legacy wiring and power infrastructure often make these problems worse. Networks should be segmented by role and use (e.g., student, staff, guest, and facilities), with laboratories and operational technology (OT) kept separate from campus IT.
• Airports are multi-tenant, safety-critical operations spanning many building types (terminals, piers, concourses, the tower, and hangars), with strict boundaries and complex interdependencies among systems such as the airport operational database (AODB), PA/PIS, closed-circuit television (CCTV), and building automation systems (BAS). Designs should use redundant controllers and links and diverse inter-terminal routes; enforce strong segmentation so that airline tenant networks, airport operations and OT (e.g., baggage handling, HVAC), and public/retail systems are kept apart; and set vendor guardrails (e.g., hardening guides, unique credentials, and a complete handover).
B. PHYSICAL SECURITY
Physical security must suit the site. It should prevent access to dangerous or restricted areas, protect ICT from tampering, keep safety-critical services operational, and support daily operations.
For underground mines, physical security must cover the ICT itself and support security in high-risk areas such as shafts, pump rooms, explosives zones, and logistics. At a minimum, shafts, telecommunications rooms, and field cabinets should be badged or locked, with door and tamper alerts sent to mine control. Designers should also restrict access to conduits and trays, and route and mark them so they avoid vehicle paths and rock-fall zones. CCTV should be installed wherever feeds are needed for operations and safety.
In underground rail, physical security focuses on keeping the public away from hazards and keeping vital systems online. Platform and tunnel cabinets should be rated and lockable, fitted with tamper and hold-open alarms, placed out of the passenger flow, and monitored by CCTV. Track hatches and tunnel niches should be locked, and good lighting and targeted CCTV used to discourage tampering.
Education campuses should prevent access to restricted spaces and deter tampering in both public and controlled areas. Locking risers and ceiling hatches, running corridor routes in conduit, and fitting port blockers and device brackets are all helpful. Contractor access should be controlled with check-in, time-limited badges, escorts, and a simple after-hours permit process, and the ICT design should account for the connections to physical security devices.
Airports have long had a critical need to control physical access because of the risk to passengers. Telecommunications spaces must be properly protected, and the conduits and cabling serving critical access control equipment should be designed together with the CCTV and access control devices they support. Critical rooms and pathways should be hardened with reinforced doors and frames, tamper-evident rack seals, armored optical fiber in secured risers and on rooftops, lockable handholes, and anti-climb measures on exterior ladders.
C. NETWORK ARCHITECTURE
Network architecture is the detailed plan for how devices, applications, and users connect and communicate. It defines what gets connected, through which pathways and locations, under what rules (e.g., segmentation, security controls, priorities), and how the system stays operational when something fails. It begins by listing the equipment to be connected, deciding where it will be placed (e.g., rooms, cabinets, field locations), and identifying the telecommunications spaces that will host and interconnect it. From there, it specifies how everything will be connected, distinguishing backbone links (between spaces and buildings) from horizontal links (from spaces to endpoints).
With locations and pathways established, devices are grouped into zones (e.g., OT, IT, tenant), and controlled boundaries (e.g., firewalls and access control lists) are placed between them. A key challenge is aligning with the client from the beginning: design choices and client requirements should be integrated early, because any gap between them can weaken system security. Measures to consider include:
• Segment logically and physically. Where risk is high, add physical separation: dedicated switches, separate uplinks, and diverse paths. In some cases (e.g., airports, military sites, critical infrastructure), even the telecommunications spaces may need to be separated to protect critical network elements.
• Consider the type of service required. If cloud services are in scope, the network equipment and space requirements will differ from those of an on-premises deployment.
• For OT networks, consider the Purdue Model. It is not a silver bullet, but its layered, data-flow view helps clarify logical and physical segmentation, the connections that are genuinely required, and the security zones. IEC 62443, with its zone-and-conduit approach, is the recommended resource to guide this work.
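The zone, boundary and Purdue Model points above lend themselves to a simple design-time check: write the zones and the conduits (boundaries with a firewall or ACL) down as data, then test every flow the client asks for against the segmentation rules before anything is cabled. The script below is an added example written for this edit, not code from the article, from BICSI or from any product. The zone names, Purdue levels, conduits and flows are constructed for an airport-style site and are assumptions; the four rules it enforces are one reasonable reading of the Purdue/IEC 62443 guidance above, not a normative list.

```python
"""Zone-and-conduit check for a Purdue-style segmentation plan.

Added example (not code from the article or any vendor). It encodes the
layered, data-flow view described above as data, then checks a proposed
list of network flows against four design rules:

  1. tenant or guest zones never reach OT zones directly;
  2. OT (Purdue Levels 0-3) and enterprise IT (Levels 4-5) never talk
     directly; traffic must terminate in the Level 3.5 industrial DMZ;
  3. within OT, a flow must not skip a level (e.g. Level 3 -> Level 0);
  4. every inter-zone flow must cross a declared conduit, i.e. a boundary
     with a firewall or ACL on it.

Zone names, levels, conduits and flows below are constructed for the
example; they are not taken from any real site.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Zone:
    name: str
    kind: str                      # "ot", "dmz", "it" or "tenant"
    level: Optional[float] = None  # Purdue level; None for tenant/guest zones


@dataclass(frozen=True)
class Flow:
    src: str      # source zone name
    dst: str      # destination zone name
    service: str  # protocol or application, for the report only


def evaluate_flow(flow, zones, conduits):
    """Return the list of rule violations for one flow; [] means permitted."""
    try:
        src, dst = zones[flow.src], zones[flow.dst]
    except KeyError as missing:
        raise ValueError(f"{flow} references undefined zone {missing}") from None
    if src == dst:
        return []  # intra-zone traffic needs no conduit
    reasons = []
    kinds = {src.kind, dst.kind}
    if "tenant" in kinds and "ot" in kinds:
        reasons.append("tenant/guest zones must not reach OT directly")
    if kinds == {"ot", "it"}:
        reasons.append("OT-to-enterprise traffic must terminate in the Level 3.5 DMZ")
    if src.kind == dst.kind == "ot" and abs(src.level - dst.level) > 1:
        reasons.append(f"flow skips Purdue levels ({src.level} -> {dst.level})")
    if frozenset((src.name, dst.name)) not in conduits:
        reasons.append("no declared conduit (firewall/ACL) between these zones")
    return reasons


def check_plan(zones, conduits, flows):
    """Map every flow to its violations. The plan is clean when all values are []."""
    zone_map = {z.name: z for z in zones}
    conduit_set = {frozenset(pair) for pair in conduits}  # conduits are unordered
    return {f: evaluate_flow(f, zone_map, conduit_set) for f in flows}


def sample_plan():
    """Constructed airport-style plan: a Purdue stack, a DMZ, enterprise IT, one tenant."""
    zones = [
        Zone("field", "ot", 0),          # sensors, actuators
        Zone("control", "ot", 1),        # PLCs, RTUs
        Zone("supervisory", "ot", 2),    # HMI, SCADA servers
        Zone("site_ops", "ot", 3),       # site operations, historians
        Zone("idmz", "dmz", 3.5),        # industrial DMZ
        Zone("enterprise", "it", 4),     # airport corporate IT
        Zone("airline_tenant", "tenant"),
    ]
    conduits = [  # pairs of zones joined by a controlled boundary
        ("field", "control"), ("control", "supervisory"),
        ("supervisory", "site_ops"), ("site_ops", "idmz"),
        ("idmz", "enterprise"), ("enterprise", "airline_tenant"),
    ]
    flows = [
        Flow("supervisory", "control", "Modbus/TCP"),       # permitted
        Flow("site_ops", "idmz", "historian replication"),  # permitted
        Flow("enterprise", "idmz", "HTTPS"),                # permitted
        Flow("airline_tenant", "enterprise", "HTTPS"),      # permitted
        Flow("enterprise", "supervisory", "RDP"),           # bypasses the DMZ
        Flow("airline_tenant", "site_ops", "HTTPS"),        # tenant straight into OT
        Flow("site_ops", "field", "SNMP"),                  # skips Levels 2 and 1
    ]
    return zones, conduits, flows


if __name__ == "__main__":
    report = check_plan(*sample_plan())
    for flow, reasons in report.items():
        verdict = "PERMIT" if not reasons else "DENY  "
        print(f"{verdict} {flow.src:>14} -> {flow.dst:<14} {flow.service}")
        for reason in reasons:
            print(f"           - {reason}")
```

Run as a script it prints a permit/deny line per flow with the rule each denied flow breaks. Keeping zones and conduits as plain data means the same file can be handed to the client for review early, which is the alignment point the text makes, and re-run whenever a new flow request arrives; a flow that is denied only for lack of a conduit is the signal to add a boundary, whereas a tenant-to-OT or OT-to-enterprise denial should be refused outright.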
D. NETWORK PERIMETER SECURITY
Network perimeter security is an area that the system designer might not be able to influence directly.
ICT TODAY
October/November/December 2025