Today, when high-profile cyberattacks are in the news on a regular basis, is it time the data center industry came together on a common set of security standards for physical infrastructure, the power and cooling systems all our digital lives depend on so much? Many players in the industry think it is.
Last month, power management company Eaton announced that its network and gateway cards have received cybersecurity certifications against International Electrotechnical Commission (IEC) and UL (formerly Underwriters Laboratories) standards. The company claims to be the first in its industry to hold both the IEC and UL certifications.
This is a sign that the vendors providing technology for data center infrastructure are starting to take cybersecurity seriously.
"Traditionally, as it relates to physical infrastructure, security has been an afterthought," said Anuj Goel, co-founder and CEO at Cyware Labs. But as more and more infrastructure is exposed to the internet, physical infrastructure now faces the same kind of cyber risk as other parts of the data center. "This digital transformation has left companies more exposed to bad actors, who in turn are increasingly attacking this vulnerable flank," said Goel.
As a result, there is now an overwhelming consensus among vendors on the need for tighter standards, he said.
While vendors mull better standards, data center managers (their customers) often don't put security first when it comes to physical infrastructure, said Shantanu Mirajkar, CTO for India operations at Clairvoyant. The problem is often structural.
"The reason why these facilities are often disregarded when it comes to cybersecurity is that most of these physical infrastructure facilities follow a separate functional flow," he said. They are kept out of the corporate information network loop. "When we think of cybersecurity, we need to think beyond just information technology systems that access and manage data."
Power systems, backup generators, air conditioning, connectivity, and other areas of operational technology are just as vulnerable as the IT systems they support – and are increasingly interconnected with IT.
"There has always been a strange disconnect between physical and IT security in most organizations," agreed Saurabh Sharma, VP at Virsec Systems, a San Jose-based cybersecurity company. Different groups are in charge, and they use different technology.
"Clearly there should be similar standards between physical security products – which often directly connect to IT systems, and IT systems which increasingly control physical industrial equipment," he said.
Eaton isn't the only company paying attention to cybersecurity, Sharma said. Schneider Electric, Rockwell Automation, and ABB are also stepping up. Rockwell, for example, announced in November that it received the ISA/IEC 62443-2-4 certification.
If data center infrastructure security is your thing, check out this session at Data Center World, which is taking place this March in San Antonio:
Wednesday, 18 March 2020 10:20am - 11:20am
Physical vs. Cybersecurity: Working Together to Better Protect Data Centers
Presented by: Bruno Riegl, Managing Member, RFID Collect
Many Standards, Little Uniformity in Their Application
According to Cyware's Goel, the ISA/IEC 62443 standard (the standard embraced by Eaton, developed by the International Society of Automation and adopted by the IEC) specifies security requirements for industrial control system products and their components. That's where manufacturers should all be starting: at a base minimum. Customers who buy equipment that meets this standard have an assurance of a strong security posture, he said.
In addition to the IEC and UL standards, there are the NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection) standards for the bulk electric system and the frameworks and guidance published by NIST (National Institute of Standards and Technology). The European Union Agency for Cybersecurity (ENISA) also publishes cybersecurity guidance for physical infrastructure.
But the IEC 62443 standard is the most robust available, James McQuiggan, security awareness advocate at KnowBe4, said. The scrutiny and maturity levels of this standard are much higher than those of other organizations' standards.
It can be confusing to navigate all the different frameworks and compliance is currently voluntary. Data centers operating in highly regulated industries have to comply with their specific cybersecurity requirements, but there is no universal, required set of standards for securing physical infrastructure.
Maybe it's time for that to change – and if the industry doesn't step up and address this growing security threat, government regulators will step in.
There are already uniform and mandatory standards in place for other industries (such as HIPAA for health care and PCI DSS for payment processing), and something similar is needed for security of data center physical infrastructure, said Marty Puranik, CEO at Atlantic.Net, a Florida-based data center and cloud provider.
"First it would offer interoperability of all vendors who adhere to the standard," he said. "Secondly, it would allow the community to get in front of legislation crafted by regulators, which may not be as effective as rules crafted by the industry itself."
Plus, vendors would be able to differentiate themselves based on quality, and not just on price, he said.
Puranik suggested that a working group with input from vendors and from the data center community could draft these standards.
One possible direction could be like the one taken by the International Society of Automation, which last summer launched the Global Cybersecurity Alliance to advance cybersecurity readiness and awareness in critical infrastructure facilities and processes. ISA is the group that originally developed the IEC 62443 standard.
Schneider, Rockwell, Honeywell, Johnson Controls, Claroty, and Nozomi Networks were the founding members of the Global Cybersecurity Alliance. Last week, the group announced 23 new member companies and released a guide to implementing the ISA/IEC 62443 standards.
Another industry effort underway is the Operational Technology Cyber Security Alliance, launched in Zurich in October. Its founding members include ABB, Check Point Software, BlackBerry Cylance, Forescout, Fortinet, Microsoft, Mocana, NCC Group, Qualys, SCADAFence, and Splunk.
Unfortunately, cybersecurity in today's interconnected world is only as good as its weakest link, and voluntary, industry-led efforts will always be vulnerable to market realities. Security costs money, and there will always be companies that won't fix problems until they're forced to.
In the absence of regulations aimed directly at physical infrastructure, however, rules similar in reach and disruptiveness to Europe's GDPR and California's CCPA could soon fill the void. They could require data center operators to comply with best practices selected by the regulators and impose stiff fines for violations.
Infrastructure security should be a critical part of every data center's overall cybersecurity posture, and enterprises will be forced to pay attention.
Standards like IEC 62443 and the new industry groups can help point the way toward the best practices that enterprises and vendors should be adopting.