Modern data center infrastructure management (DCIM) platforms and other new tools put more power in the hands of facility managers.
As a result, data centers are becoming faster, more scalable, and more efficient. But with this comes a greater risk of cyberattacks against physical infrastructure.
Earlier this year, researchers at cybersecurity firm Cyble found more than 20,000 instances of data center infrastructure management systems exposed to the Internet.
Attackers who gain access to DCIM systems can, for example, manipulate cooling, causing servers to overheat and suffer damage. They can also disrupt backup processes or upload malicious backup files. And if uninterruptible power supply (UPS) systems have management dashboards reachable from the Internet, attackers can simply shut the UPS down.
"When it comes to data center infrastructure, our approach is – if it’s connected, it’s a potential vulnerability," said Chris Caruso, CISO at Cyxtera Technologies, a global data center and colocation provider.
And it's not just its own systems that a data center must keep an eye on, Caruso said.
"Providers must also work closely with third-party vendors to ensure those partners are doing their best to protect their systems and networks," he noted.
It is also important for managers to stay on top of the latest developments in cybersecurity, he said, since "the threat landscape is always evolving."
Data center managers can get threat intelligence from various sources, he said, including the Cybersecurity and Infrastructure Security Agency (CISA).
The new threat of wipers
Russia's invasion of Ukraine has brought a new wave of destructive malware known as wipers.
Security researchers at ESET have documented wipers such as HermeticWiper and IsaacWiper in attacks on Ukrainian organizations. Some of these attacks are dressed up as ransomware, but there is nothing to decrypt when the ransom is paid: the files have already been destroyed.
"These types of threats are oftentimes focused on the servers and computers in a data center but many other types of devices that data centers rely on could be impacted," said Shawn Taylor, vice president for threat defense at Forescout Technologies, a cybersecurity firm. "They include uninterruptible power systems, HVAC controllers and physical security devices such as badge readers and IP cameras."
These types of devices can be highly vulnerable due to underlying flaws in the communications stacks these devices rely on to perform their function, he added.
Forescout's Vedere Labs global cyber intelligence dashboard ranks UPS systems among the riskiest devices in use today.
In fact, just last week CISA issued a joint alert with the Department of Energy warning that threat actors are attacking Internet-connected UPS devices, often by logging in with usernames and passwords that were never changed from the factory defaults.
To guard against such attacks, CISA recommends surveying the data center environment for UPS and similar systems and removing management interfaces from the Internet.
If the device must be accessible, then the agency recommends that data centers deploy compensating controls. For example, the devices can be put behind a virtual private network. CISA also suggests that data centers enforce the use of multi-factor authentication and use strong, long passwords or passphrases.
The agency also recommends checking whether the username and password are still set to the factory default, which remains common on these devices.
But there are many other devices and components that could be accessible over the web, Taylor said, including HVAC and physical security systems.
Often, this access is there so that vendors and manufacturers can remotely support or patch them, he said. "Data centers need to know at all times which of their systems are exposed to the Internet."
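The CISA mitigations above and Taylor's point about knowing which systems are exposed amount to a repeatable check. The following Python script is an added example, not code from CISA, Forescout or the article: it merges a constructed asset inventory with a constructed result of scanning the data center's own public address range, flags any exposed management port that has no owner in the inventory, and scores each known exposed interface against the CISA/DOE recommendations (remove it from the Internet if it need not be reachable, otherwise VPN and MFA, and in all cases no factory-default credentials, no default SNMP community strings and no short passwords). The management-port list, the default-credential list and the 15-character minimum are assumptions chosen for illustration.

```python
"""Exposure triage for UPS and other facility management interfaces.

Added example, not CISA's, Forescout's or the article's code. Default
credential list, flagged ports and the passphrase minimum are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Management ports worth flagging when reachable from outside (assumed list).
MGMT_PORTS = {22: "ssh", 23: "telnet", 80: "http", 161: "snmp", 443: "https"}
MIN_PASSPHRASE_LEN = 15  # assumed local policy for "strong, long" passphrases

# Constructed default-credential list; a real check would come from vendor docs.
DEFAULT_CREDS = {("admin", "admin"), ("apc", "apc"), ("admin", "password"),
                 ("root", "root"), ("user", "user")}
DEFAULT_SNMP_COMMUNITIES = {"public", "private"}


@dataclass
class Asset:
    name: str
    kind: str                   # "ups", "hvac", "pdu", "camera", ...
    public_ip: Optional[str]    # None when only reachable on the management net
    needs_remote_access: bool   # does a vendor or operator truly need it from outside?
    behind_vpn: bool
    mfa: bool
    username: str
    password: str
    snmp_community: Optional[str] = None


def is_default_credential(username: str, password: str) -> bool:
    """True when the web/console login still matches a known factory default."""
    return (username, password) in DEFAULT_CREDS


def match_scan_to_inventory(scan: Dict[str, List[int]], inventory: List[Asset]
                            ) -> Tuple[List[Tuple[Asset, List[int]]], Dict[str, List[int]]]:
    """Split scan hits on management ports into known assets and unknown hosts.

    An unknown host (public IP answering on a management port with no
    inventory entry) is the blind spot the text describes: exposed, unowned.
    """
    by_ip = {a.public_ip: a for a in inventory if a.public_ip}
    known, unknown = [], {}
    for ip, ports in scan.items():
        mgmt = sorted(p for p in ports if p in MGMT_PORTS)
        if not mgmt:
            continue
        if ip in by_ip:
            known.append((by_ip[ip], mgmt))
        else:
            unknown[ip] = mgmt
    return known, unknown


def triage(asset: Asset, open_ports: List[int]) -> List[str]:
    """Return the CISA-style findings for one Internet-reachable interface."""
    findings = []
    if not asset.needs_remote_access:
        findings.append("remove management interface from the Internet")
    else:  # must stay reachable: apply compensating controls
        if not asset.behind_vpn:
            findings.append("require VPN for remote access")
        if not asset.mfa:
            findings.append("enforce multi-factor authentication")
    if 23 in open_ports:
        findings.append("telnet exposed: disable cleartext management")
    if 161 in open_ports and asset.snmp_community in DEFAULT_SNMP_COMMUNITIES:
        findings.append("SNMP default community string")
    if is_default_credential(asset.username, asset.password):
        findings.append("factory-default username/password")
    elif len(asset.password) < MIN_PASSPHRASE_LEN:
        findings.append(f"passphrase shorter than {MIN_PASSPHRASE_LEN} characters")
    return findings


def audit(scan: Dict[str, List[int]], inventory: List[Asset]
          ) -> Tuple[Dict[str, List[str]], Dict[str, List[int]]]:
    """Findings per known exposed asset, plus exposed hosts nobody owns."""
    known, unknown = match_scan_to_inventory(scan, inventory)
    return {a.name: triage(a, ports) for a, ports in known}, unknown


# Constructed sample data (TEST-NET-2 documentation addresses, not real hosts).
INVENTORY = [
    Asset("ups-row3", "ups", "198.51.100.10", needs_remote_access=False,
          behind_vpn=False, mfa=False, username="apc", password="apc",
          snmp_community="public"),
    Asset("hvac-ctl-1", "hvac", "198.51.100.11", needs_remote_access=True,
          behind_vpn=False, mfa=False, username="svc-hvac", password="Winter2022"),
    Asset("pdu-a1", "pdu", None, needs_remote_access=False, behind_vpn=True,
          mfa=True, username="ops", password="correct horse battery staple"),
]
SCAN = {  # public IP -> open ports seen from outside
    "198.51.100.10": [80, 161, 443],
    "198.51.100.11": [443],
    "198.51.100.12": [23, 80],  # no inventory entry: a blind spot
    "198.51.100.13": [8443],    # not a port this check flags
}

if __name__ == "__main__":
    findings, unknown = audit(SCAN, INVENTORY)
    for name, items in findings.items():
        print(name, "->", "; ".join(items) or "ok")
    for ip, ports in unknown.items():
        print("UNKNOWN exposed host", ip, ports)
```

Run against the constructed data, the UPS is told to come off the Internet and to lose its default login and SNMP community, the HVAC controller keeps its access but must gain VPN, MFA and a longer passphrase, and 198.51.100.12 surfaces as an exposed host that nobody has claimed. Feeding the script real input means replacing SCAN with the output of a scan of your own address space and INVENTORY with the facility asset list.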
Physical infrastructure often a blind spot for cybersecurity
Data center cybersecurity teams typically focus on the security of the networks, servers, and other technology infrastructure.
That scope needs to be expanded, said Nasser Fattah, North America steering committee chair at Shared Assessments, a consortium of companies that provide tools and certification for third-party risk management.
"This overall data center inventory needs to be all-inclusive," he said, "including power, HVAC, fire suppression system, UPS, CCTV, et cetera, because these solutions may be connected to the IT and data network, in one form or another, which can become an unauthorized access point."
Today, data centers use smart, connected devices for everything from temperature monitoring to surveillance, all of which can be exploited to cause disruptions and outages, he added.
"To exacerbate matters, often IoT devices are not included in the patch cycle, leaving them vulnerable to exploits," Fattah said.
In fact, many IoT devices don't even have upgradable firmware, said Charles Everette, director of cyber advocacy at Deep Instinct, a cybersecurity vendor. "Or upgrades have not been developed nor pushed out in favor of replacing it with just a new device or hardware by manufacturers."
This means that the IoT devices quickly become obsolete, he said, and security risks and flaws grow as they age.
"These devices are commonly hijacked and weaponized for multiple different cyber attacks," Everette added. "I have personally seen instances where third-party vendors were given access to provide maintenance or technical assistance to these devices, inadvertently giving them access to critical protected production environments due to improper security and network segmentation. We have even seen where third-party vendors have access for monitoring through a separate device via radio, satellite, or cell phone, which then allows backdoor access into these protected environments."
These scenarios create a cybercriminal's paradise, he said: in effect, the door is left wide open.
In fact, according to last summer's SANS 2021 OT/ICS Cybersecurity Survey, 70% of respondents rated the risk to their OT environment as high or severe, up from 51% in 2019.
The biggest OT and ICS risks? Ransomware and other financially-motivated crime, followed by state-sponsored attacks.
In addition, the lack of visibility into OT and ICS environments meant that 48% of respondents didn't even know whether they had suffered a cybersecurity incident in the previous year – up from 42% in 2019.
The biggest cybersecurity challenge, according to the survey, was the difficulty of integrating legacy OT technologies with modern IT systems.
The single biggest initial attack vector was external remote services, at 37%, followed by exploits of public-facing applications at 33%, and Internet-accessible devices at 29%.
Spearphishing attachments were in fourth place, at 27%.
But there has been some progress made. According to the survey, 51% of compromises are now detected within 24 hours, up from 36% in 2019.