Analysis: Experts advise on how to start building defences.
Following on from the threats, how to secure the data centre and the NCI is the next step. When it comes to the data centre, successful protection and operation of relies on understanding and managing people, processes, technology and the physical environment in which it operates, according to Catalin Cosoi, chief security strategist at Bitdefender.
"Continuous, reliable monitoring of a data centre’s operating parameters and regular vulnerability assessment are two very important protective measures, as well as data sharing between governments and industries regarding cross-sector risk analysis."
Cyber security techniques used within the ICS industry can be adapted and applied to data centres, Ed Ansett, chairman at data centre design and MEP critical systems risk analysis company i3 Solutions Group, recently told CBR.
On the other hand, Ansett alerted to the fact that so far ICS cyber security knowledge is yet to be transferred to the IT and MEP engineers.
"Whilst some organisations begin to realise the threat and audit their data centres for Data Centre MEP Control Systems (DCCS) vulnerabilities the majority still remain vulnerable to cyber attacks," he said.
As electric and nuclear power plants are hacked, the data centre industry has lessons to learn from these incidents.
According to James Maude, senior security engineer at Avecto, NCI shows the clear need for isolation and least privilege in terms of who is able to access the site’s IT systems. "It should not be the case that an attacker can gain access to critical systems via a phishing email attachment."
He told CBR: "Allowing unknown content from the internet to execute in the same context as critical data or systems, especially those that are potentially vulnerable, is a recipe for disaster.
"Highly sensitive systems, such as data centres, should be air-gapped where necessary and no control systems should ever be directly public facing."
The NCI threat can be reduced with the use of upgraded CSCs
Overall, protecting NCI comes down to critical security controls (CSC), a baseline of high-priority information security measures and controls that can be applied across an organisation in order to improve its cyber defence.
Some of the controls included in CSCs are inventory of authorised and unauthorised devices and software, secure configurations for hardware and software on mobile devices, laptops, workstations and servers, and malware defences.
When it comes to data centres specifically, the general approach to protection is one of ‘defence in depth’ by creating successive layers of security measures, such that the facility is protected by numerous security controls, designed so that the failure of a single group of protective controls does not necessarily compromise the entire data centre.
According to the CPNI, the protection approach should start with a threat and risk assessment, linked to an operational requirement the purpose of which is to ensure that the business needs are correctly understood.
These in turn allow a layered defence model to be derived from a rigorous analysis of security requirements driven by a formal risk and threat assessment model.
The protection strategy should take into account other key factors throughout its lifecycle from construction through to operational delivery of the business requirement and be reviewed regularly.
In the end, successful protection and operation of a data centre rests on understanding and managing
the complex relationship between people, processes, technology and the physical environment in which they operate.
However, speaking to CBR, Garry Sidaway, VP security strategy at NTT Com Security said that the risk of a cyber attack is not going away and critical systems such as SCADA and ICS are not becoming less vulnerable to attack.
"It is still very much the responsibility of the industry to continuously monitor and control its own systems and IT environment, train and educate its employees and do everything possible to reduce the risk of cyber attack."
He said that the first step in controlling risk is to actually understand the current risk exposure across all areas of the business and prioritising the areas on which it is critical to focus.
Chris McIntosh, CEO ViaSat UK, told CBR that the security approach should be the same to all incidents no matter who is attacking.
"In order for companies to truly secure their infrastructure they need to start from the assumption that they have already been compromised to some extent and from there take the necessary actions and precautions.
"By ‘compromised’, I include situations where network devices (such as routers, hubs and gateways) have some form of malware or defect that has existed from before they were even installed into the network.
"This is known as supply chain contamination and there are many reported incidences of this kind of threat worldwide. Another type of inside attack is the either inadvertent or malicious activities of company insiders or employees."
When industrial control systems meet IT
When it comes to actually merge the IT and OT infrastructure, such as ICS, this completely depends on the organisation’s security policies.
Says Jay Abdallah, EMEA director of cyber security services at Schneider Electric, to successfully merge the two environments, we need to understand the risk profile of each subsequent network.
"For example, the IT network is always deemed a high risk network due to its connection to the outside world, where the process network is assigned a lower risk," he told CBR.
That said, however, the criticality of these networks is reversed. The process network has an extremely high criticality rating, whereas the business network has a moderate criticality rating.
Abdallah said that once an organisation identifies the risk and criticality ratings, followed by granular subsystem ratings, controls can be adjusted accordingly.
"Our top recommendation is to isolate the two networks from one another, but utilise the IT technologies in a secure manner wherever possible for update purposes.
"Endpoint protection updates, patch updates, or secure alarms / historian data sharing (unidirectional) are some examples of where these two networks can converge."
These environments’ fragile state is also set to gain one more addition that will create a bigger security headache to all, including data centre operators.
With the appearance of M2M communications and IIoT, data centres are being geared with a whole new level of connectivity but at the same time attractive entry doors to hackers.
Abdallah said that putting sensors and other technologies on the critical infrastructure systems has not widened the attack vector for hackers any more than a system without the sensors in place would have, if done in a secure and controlled manner.
"The sensors and other technical security controls actually give plant administrators more visibility into their networks, which can significantly reduce the risk by cutting the incident response time drastically.
"These controls also add multiple layers of defence on the critical infrastructure components themselves, making the attack more difficult to carry out."
What are the dangers of not dealing with threats?
In the case these attacks are indeed carried out, the end scenario could be one of death and high amounts of money and business lost.
An attack against a data centre has the power to spark chaos across any industry and even cause fatalities.
So said i3’s Ansett who has told the data centre industry that it still has a long way to go when it comes to making hubs downtime-proof.
"It is only a matter of time until failure in our industry starts killing people," he said.
The loss or compromise of a major corporate data centre could have a disastrous economic impact or cause significant reputational damage across the economy as customers and trading partners are affected by the failure of the organisation.
According to the Ponemon Institute, the financial cost of a data centre outage in 2016 has shoot up 38% since 2010.
The average cost is now $740,357, or $8,851 per minute. In 2010, this was $505,502, representing $5,600 for every 60 seconds.
Between 2010 and 2016, the higher total cost of an unplanned outage rose from $680,711 to $946,788.
Fabio Invernizzi, Sales Director, Data Protection, Software, Dell EMEA, told CBR: "Recovery should be planned, predictable and controlled.
"Being able to recover data in a timely fashion is all based around ensuring that the chosen data protection platform complies to a key set of service levels (SLAs) based on the criticality of application and data."
As the data centre industry expands its footprint, it is becoming ever more urgent that these national critical infrastructures get the needed recognition from all industries and governments in order to avoid a major scale future cyber disaster.