In the rush to secure networks, servers, and endpoint devices many organizations overlook the risks hidden in the physical infrastructure necessary to keep data centers operating.
Power supplies, heating and cooling systems, even security systems themselves can all be entry points for both determined threat actors and casual attackers who scan the internet for insecure access points.
One of the most high-profile attacks in recent times, the Target breach, involved a third-party HVAC provider.
"The bad guys are going after anything that's open and available," said Bob Hunter, founder and CEO at AlphaGuardian Networks.
Take, for example, rack power distribution units. Since data center administrators need to know what's going on with the power to their servers, the PDUs typically offer either local or remote monitoring, but the security on these systems is extremely weak.
Hackers can get in and hijack systems for ransom, or, more frequently and insidiously, keep their access a secret in order to steal data or compute cycles.
"If you had the goose who laid the golden egg, would you use that goose to lay one egg or a thousand?" said Hunter.
Network segmentation is a good security principle, he added, but it only serves to slow down attackers, not stop them completely.
"Segmentation is a speed bump," he said. "In the Target break, the building management system was on a physically separate network from the data itself, so they had to jump from one to the other. It took a while to do that, but at the end of the day, they were able to do it."
Hackers can also attack data center infrastructure in order to divert attention from other attacks, as a political statement against the data center operator or against one of the companies using that data center, said Mitch Kavalsky, director of security governance and risk at Sungard Availability Services.
And the people responsible for infrastructure security are often busy with other tasks, such as maintaining data center operations, he added.
"To add additional complexity, the industrial control systems were not designed with security in mind," said Niall Browne, CSO at Domo, a business intelligence company. "They often have default passwords and have not been patched in years, as the manufacturer was slow to release upgrades, or the customer was hesitant to deploy them for fear of causing a service interruption to critical functions."
This gives attackers a treasure trove of options, he said. For example, they can turn on sprinklers to destroy thousands of servers, modify energy systems to cause a fire or explosion, or disable locks, alarms, and cameras.
The physical infrastructure underlying data centers is similar to that of industrial facilities, said Andrey Nikishin, head of future technologies projects at Kaspersky Lab.
"We see many successful targeted or massive unintentional attacks on such connected facilities -- with only a tenth of the incidents disclosed in the press," he said. "It's easier to take down a data center by damaging the cooling system than by attacking each of its servers."
Nikishin recommends that data centers use network segmentation, provide security training to their employees, and roll out network monitoring tools specifically to look for infrastructure attacks.
Monitoring tools can benefit not just the data center operators, but also the customers of those data centers.
For example, AlphaGuardian's security technology can help protect the racks of customers using colocation facilities when they might not have the technical expertise to do so themselves.
"Our customers have different levels of security expertise," said Joe Strayer, president at Integral Solutions Group, a colocation and cloud services company based in Spartanburg, South Carolina. "[AlphaGuardian's] RackGuardian creates automated security protection for each rack benefiting both our customers and Integral Solutions Group."
Retail colocation facilities deal with a variety of customers, said AlphaGuardian's Hunter.
"They're giving them rack space and cage space but don't know what their competency is for security," he said. "The customer leaves their back doors open and gets hacked; that can shut down the entire data center eventually."
It's one of the biggest vulnerabilities in the data center, Hunter said.
"Everyone wants remote access to the PDUs, because they want to remotely reboot their PDUs if the server goes down," he said.
Ponemon Institute recently released a survey of risk professionals, in which 97 percent said that unsecured internet-enabled devices could be catastrophic for their organizations.
The survey was sponsored by Shared Assessments Program, an industry risk management group.
"If it has an IP address, it can be hacked and needs to be secured," said Mike Jordan, senior director at consulting firm The Santa Fe Group. "You can slap an IP address on anything these days. Data center infrastructure is no exception, and it makes subcontracting support of data center infrastructure like HVAC, security cameras, and power management more compelling."
However, only 9 percent of survey respondents said they were fully aware of all the physical devices in their environment that were connected to the internet.
