When data center managers think about cybersecurity, they usually think about protecting their IT infrastructure and their data. And when they think about ensuring the security of their power supplies, they think about alternate power sources, as well as restricting physical access to their power infrastructure.
Generators, uninterruptible power supplies, and power distribution units all help to maintain and control the power that runs the data center. But operators rarely pay enough attention to the cybersecurity controls on these power systems, even though the systems are proving to be vulnerable to cyberattacks.
And, ironically, some of the systems used to protect infrastructure may themselves pose security risks.
"The majority of power equipment in the data center can be remotely controlled and configured," Bob Pruett, security field solutions executive at SHI International, a New Jersey-based technology services company, told Data Center Knowledge in an interview. "So, a malicious bad actor could take control of these devices and interrupt the power to a data center or a specific device on your network."
Some of these control systems could fall into the category of the Internet of Things. Industrial IoT devices are part of a data center's invisible infrastructure, in the gray area between facility management and cybersecurity, hard to find, hard to manage, and hard to secure.
Attacks against IoT devices increased by 100 percent last year, according to a report by San Francisco-based cybersecurity vendor Darktrace. According to a survey last year by the SANS Institute, only 40 percent of companies apply and maintain patches and updates to protect IIoT devices, and 56 percent said that difficulties in patching are one of their greatest security challenges. In addition, almost 40 percent said they had problems finding, tracking, and managing these devices.
Attackers are taking notice.
The highest-profile attacks have been against national power infrastructure, like the 2015 and 2016 attacks against the Ukrainian electrical grid.
"Attacks on industrial environments have become mainstream," Justin Fier, director of cyber intelligence and analysis at Darktrace, told us. "With several nation-states providing warnings in 2018 about ongoing targeting of their energy grids, 2019 looks set for increasing numbers of high-profile cyberattacks on our critical infrastructure."
In the past, criminals tended to use hijacked IoT devices to power botnets, but once infected, a device can be turned to any number of malicious purposes.
In most types of attacks, cybersecurity teams can isolate traffic or even entire compromised systems. But industrial controls are a special case. "Within industrial control systems, isolating traffic or systems is rarely an option and real-time patches are not viable," Eddie Habibi, CEO at PAS Global, an industrial control systems security company, said.
If the devices and computers controlling a data center's power supply have been compromised, taking them down could turn off power to the entire facility. "Important critical infrastructure sectors are gated in their ability to apply the proper patches," Habibi said.
Meanwhile, the infected machines could pose dangers to the rest of a data center's networks. "This has the potential to create a huge problem such as WannaCry or other similar ransomware attacks," he said.
Since these devices offer an entry point into a data center's networks, they need to be managed and protected with the same diligence as its servers, SHI International's Pruett said. There are several approaches data centers can take to secure these control systems.
Micro-segmentation, for example, can block all traffic to a device except for authorized traffic, he said. "In some cases, this means that each device will have its own logical – as opposed to physical – network."
There are also specialized network access control solutions for power grids, he said, which actively block unauthorized traffic on a network. "There are general NAC solutions which can also be effective."
When a data center operator is purchasing new devices, security should be part of due diligence. "Make sure that passwords can be changed, systems can be updated, and the settings of the IoT devices are taken into account," he said.
Sometimes, there might not be a choice, and a data center has to use what's available. "If there are risks with the device, plan for them ahead of time," Pruett said. For every risk, there should be a compensating control. "For example, if the IoT management interface cannot use encryption, try to have the traffic encrypted over a tunnel."
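Putting Pruett's micro-segmentation and compensating-control advice into working configuration, as an added example that is not from the article or from SHI International: a shell script that renders an nftables ruleset giving one rack PDU its own logical segment (only a jump host may configure it, only a monitoring server may poll it, everything else to or from the PDU is logged and dropped), plus a helper that prints the SSH tunnel command used when the device's web interface can only speak plain HTTP. The addresses, host names, ports, user name and file paths are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the article or from SHI International. Every
# address, host name, port, user name and path below is an assumption.
set -eu

PDU_IP="10.0.200.5"         # assumed: management interface of one rack PDU
MGMT_HOST="10.0.100.10"     # assumed: the only jump host allowed to configure it
MONITOR_HOST="10.0.100.20"  # assumed: monitoring server that polls it over SNMP

# Print an nftables ruleset that gives the PDU its own logical segment on the
# firewall routing between the management and facility networks: all traffic
# to or from the PDU is dropped unless an explicit allow rule matches.
# $1 overrides the ports the jump host may reach, e.g. "22, 80" for firmware
# whose web interface is plain HTTP only (see tunnel_cmd below).
gen_pdu_ruleset() {
  local mgmt_ports="${1:-22, 443}"
  cat <<EOF
table inet pdu_segment {
  chain forward {
    type filter hook forward priority 0; policy accept;

    # Return traffic for sessions that the allow rules below permitted.
    ip daddr $PDU_IP ct state established,related accept
    ip saddr $PDU_IP ct state established,related accept

    # Configuration only from the jump host.
    ip saddr $MGMT_HOST ip daddr $PDU_IP tcp dport { $mgmt_ports } accept

    # SNMP polling only from the monitoring server (use SNMPv3 on the device).
    ip saddr $MONITOR_HOST ip daddr $PDU_IP udp dport 161 accept

    # The PDU never initiates connections; log and drop everything else,
    # so a compromised PDU cannot reach the rest of the data center network.
    ip saddr $PDU_IP log prefix "pdu-egress-drop: " drop
    ip daddr $PDU_IP log prefix "pdu-ingress-drop: " drop
  }
}
EOF
}

# Compensating control for a device whose management interface cannot use
# encryption: reach its plain-HTTP web UI only through an SSH tunnel that
# terminates on the jump host, so the cleartext hop never leaves the PDU's
# own segment. Run the printed command on a workstation, then browse
# http://127.0.0.1:<local_port>/ ; pair it with gen_pdu_ruleset "22, 80".
tunnel_cmd() {
  local local_port="$1"
  printf 'ssh -N -L %s:%s:80 admin@%s\n' "$local_port" "$PDU_IP" "$MGMT_HOST"
}

# To deploy (as root, with nftables installed):
#   gen_pdu_ruleset > /etc/nftables.d/pdu.nft
#   nft -c -f /etc/nftables.d/pdu.nft   # syntax check only, loads nothing
#   nft -f /etc/nftables.d/pdu.nft
```

The ruleset only helps if the firewall actually sits in the forwarding path between the PDU and everything else; where the PDU shares a flat layer-2 segment with servers, the same allow-list has to be enforced as a VLAN plus switch ACL instead. Run `nft -c -f` before loading so a typo in a generated rule cannot cut off the jump host from the device it is meant to manage.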
There's another reason to be particularly careful about protecting access to power systems. Attackers who get control over a data center's power supply can shut down a data center – but they can also cause a power surge that destroys equipment.
Something similar happened, though by accident, in 2017 to a British Airways data center. A technician reportedly overrode the controls to an uninterruptible power supply, causing a power outage that lasted a few minutes. Then they turned it back on again in a way that created a power surge that caused physical damage to equipment. British Airways sued CBRE, the data center management firm it alleged was responsible for the problem. The two companies reached a settlement earlier this month.