With the increasing focus on Cyber Security, and the knowledge that state-sponsored actors and organised criminals are routinely and frequently targeting our information systems to both disrupt and take advantage, Future-tech feels that addressing this area from a data centre perspective would be useful.
Applications and ICT hardware that provide information and data collection that our society increasingly depends upon, are clearly seen as vulnerabilities, and we are regularly advised by multiple agencies including banks, governments and industry experts, to protect ourselves and our organisations from this risk.
What is less evident and less publicised, is the risk we face to the infrastructure underpinning our information systems, and the utilities we rely on that provide power and water to our data centres.
It is these critical infrastructures that might be considered more vulnerable than the information systems themselves.
IOT devices are significantly increasing the ‘Contact Surface’, and in many cases these simple devices are left with default configurations and passwords, yet are potentially open gateways to wider critical networks and control systems.
The Project SHINE (SHodan INtelligence Extraction) Findings Report, based on intelligence gathered from the SHODAN search engine between April 2012 and January 2014, highlighted this issue in great detail, but many weaknesses still exist, and new deployments are repeating mistakes of the past. The Shodan Search engine provides searching capabilities on internet-connected devices including IOT devices.
Attention is typically focused on ICT devices using TCP/IP etc. but this report specifically looked at building infrastructures (HVAC etc.), and concentrated on areas such as SCADA Systems and Building Automation Control, using protocols including MODBUS and BACNet.
The report concludes that ‘new regulations and legislation are needed to curb this behaviour, industry practices need to be modified, and diagnostic practices and configuration management schemes need to improve dramatically.’
The increasing use of IOT systems since 2014, for both monitoring and control in critical environments, has merely exacerbated this issue.
On the back of this and within the data centre sphere, some notable DCIM tools have also been exposed as having vulnerabilities. Some of the biggest suppliers in this area have fallen short of the expected security standards(Device42, Schneider, Sunbird, Vertiv), with vulnerabilities being exposed in the following publication by Cyble: https://blog.cyble.com/2022/01/27/data-centers-facing-risk-of-cyberattacks/
The conclusion from the publication is that ‘organisations spend billions of dollars to ensure the data centres do not face downtime and security breaches, yet there might be several security loopholes that adversaries could exploit.’
With the increased efforts in state sponsored cyber disruption, governments worldwide have started to publish warnings and guidelines to reduce the risks to our national critical infrastructures.
The UK National Cyber Security Centre (NCSC), in conjunction with Government Communications Headquarters (GCHQ) and Centre for the Protection of National Infrastructure (CPNI), has recognised this and recently published guidelines and recommendations for data centre operators and customers to help identify the issues involved, and offer practical advice and considered solutions to potential vulnerabilities.
This is not an unknown issue, with well-publicised attacks on utility infrastructures having caused disruption on several occasions. The vulnerabilities and protection required for ICT systems is generally well understood and generally addressed in an informed manner, however those within our critical infrastructure, that ultimately underpin our ICT systems, particularly those within data centres are less understood, and we are generally more exposed in this area.
One of the reasons is that those designing and managing critical supporting infrastructure in data centres (principally systems responsible for the delivery of power and cooling) are generally not aware of the issues involved or the potential threats posed. Typically neither outsourced or in-house Facilities Management providers will have the knowledge or expertise to identify or mitigate these vulnerabilities.
Future-tech is well aware of this area of risk, and has both the understanding, expertise and capability required to ensure these factors are taken into account and mitigated during both the design and operations phases of the data centre lifecycle.