Whitepaper Analysis: Critical national digital infrastructure starts with data centre hubs and is vital to the safe running of the digital economy, but huge vulnerabilities exist
Data centres are part of the critical infrastructure for the global economy. Yet they are open to attack because of software vulnerabilities in the industrial control systems which manage these facilities. Within five years every data centre will be audited for the security of its electrical control systems. This will be huge for owners, operators and users of data centres.
Building management systems (BMS) need control systems to run all types of buildings from office Skyscrapers to Airports to Hospitals. National infrastructure such as transport and power systems are also managed through control systems. But often these control systems have been not designed with cybersecurity in mind and this critical infrastructure is vulnerable to attack.
In engineering terms a data centre has long been known as a ‘mission critical environment’. That is an environment which cannot be allowed to fail. But while much of the data centre focus for security has been around the physical, i.e. keeping the wrong people out, and protecting the IT through firewalls, network access control and anti-virus, here too there exist cybersecurity risks due to poor control systems security.
Data Centre MEP Control Systems (DCCS) have largely been overlooked by IT Cyber Security due to a lack of familiarity. The term DCCS encompasses all control systems which govern data centre MEP control systems. DCCS does not just refer to centralised systems such as the BMS, it also includes all addressable MEP devices within the data centre.
Data centre professionals are very aware of the financial and reputational costs of downtime due to system performance issues. In almost every sector survey, facility uptime and availability are the most significant drivers of investment. Today, however, it is the increasing cyber security threat that the industry needs to focus upon.
While many organizations have developed stringent security processes for IT systems, this is not the case for DCCS. MEP controllers frequently have no authentication, authorisation, virus protection or security patches associated with SCADA (supervisory control and data acquisition), PLCs (programmable logic controllers), RTUs (remote terminal units), BMS (building management systems) and other addressable controllers often found in cooling plant, PDUs, UPS, generators, switchgear and static switches.
The cyber security protection of these devices cannot be left to the equipment manufacturers alone, since it may not be in their commercial interest to highlight known vulnerabilities. It therefore falls upon the data centre owner to take action.
The problem with DCCS in the data centre is one of ownership. From a technical perspective it falls outside normal IT and MEP security domain expertise. This is because the fundamental issue involves the use of Industrial Control Systems (ICS) equipment by various MEP systems.
The good news is, this apparently new type of cyber security threat is well known to the Industrial Control Systems (ICS) industry, due to their experience of cyber attacks over the last 10 years or so, and the existence of organizations such as Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).
In 2014, ICS-CERT (ics-cert.us-cert.gov) received 159 reports involving vulnerabilities in control systems components. Many more incidents occur that go unreported. Authentication, buffer overflow, and denial-of-service vulnerabilities were the most common vulnerability types.
Target’s loss of 70 million customers Personal Identifiable Information (PII) and 40 million credit and debit card details or credentials in 2013 began with the theft of credentials of Target’s HVAC contractor.
The cyber security techniques used within the ICS industry can be adapted and applied to data centres. The bad news is that so far ICS cyber security knowledge is yet to be transferred to the IT and MEP engineers. In fact, there is even a question whether the data centre industry is paying attention to the proverbial hole in the fence, or observing the warnings and lessons learned and experience of the ICS community. Therefore, currently there is a profound risk to data centre availability.
It is not just the risk to data and financial security which is highlighted. To heighten causes for concern, Joel Langill, Chief Security Officer and Control System Cyber Security Specialist at SCADAhacker has described incidents where human life has been lost as a result of industrial cyber security incidents. These include occasions when programmable devices have failed to communicate, synonymous with an IT denial of service (DoS) and a man-in-the-middle (MITM) attack.
At a Stanford University lecture on the Cyber Security of Industrial Control Systems Joe Weiss, a control systems expert with more than 35 years of experience quotes Ralph Langner stating that with four lines of code he can take control of any controller.
As technology becomes increasingly embedded in practically every aspect of our society, the impact of DCCS attacks that disrupt, disable and shut down MEP critical systems now have much wider reaching implications. Unsurprisingly, some regulators have started to act.
On the 9th November 2015, the New York State Department of Financial Services (NYDFS) issued a letter to Federal and State Financial Regulators on Potential New NYDFS Cyber Security Regulation Requirements for Financial Institutions. The NYDFS said "There is a demonstrated need for robust regulatory action in the cyber security space, and the Department is now considering a new cyber security regulation for financial institutions." Amongst the list of areas to be addressed the NYDFS includes "physical security and environmental controls." This means all MEP control systems must be audited and any vulnerabilities addressed.
Irrespective of any mandatory rulings it makes sense to incorporate a Data Centre Control Systems Audit (DCCS Audit) within an overall IT security plan. Whilst some organizations begin to realise the threat and audit their data centres for DCCS vulnerabilities the majority still remain vulnerable to cyber attacks.