The intensification of data centre failures and associated research indicates that the cybersecurity of data centre mechanical and electrical control and monitoring systems now more than ever has to be addressed.
Thus far, every data centre reviewed by i3 Solutions has had exposed vulnerabilities, including one confidential data centre hosting government high security information servers. Ed Ansett, founder of i3 Solutions Group cites the likely scenario of an attack:-
- Survey target via anonymous engine and metadata search
- Run vulnerability scan
- Select port(s)
- Run password decoder e.g. firewall, web browser router etc.
- Poll / search control or monitoring devices e.g. UPS, PDU, Chiller
- Alter protocol parameters e.g. order device shutdown or initiate denial of service
“When a device controller is compromised an attacker can take direct control of critical equipment causing it to malfunction or shutdown without warning. Similarly, monitoring devices are vulnerable to a denial of service that overload the control network.”
Modbus, BACnet and SNMP are the de facto protocols used by critical equipment such as Cooling Plant, Generators, Switchgear, Power Distribution Units and Uninterruptable Power Supplies. These protocols are vulnerable to cyber abuse due to weak authentication and/ or encryption.
There is a commonly held misconception that data centre control networks are air gapped. Faizel Lakhani, a pioneer of SCADA technology, told El Reg that air-gapping such systems would be a quixotic endeavour, at best.
“Most SCADA systems are theoretically air gapped but not really disconnected from the network” Lakhani explained. “There are ways to get around isolation either because systems are not set up properly or because that’s a test link in there or someone bridged the Wi-Fi network, to name a few examples.”
On 6th July 2016, the European Parliament issued a press release entitled Cybersecurity: MEPs back rules to help vital services resist online threats, stating that “Firms supplying essential services, e.g. for energy, transport, banking and health, or digital ones, such as search engines and cloud services, will have to improve their ability to withstand cyber-attacks under the first EU-wide rules on cybersecurity…” The draft directive includes for punitive penalties for noncompliance [Article 17(1)].
One question that always comes up is – What is the overall extent and level of the threat to our data centres? This can only be addressed on a case by case basis. But research conducted from 2012 through 2014 indicated there were at least two million publicly accessible devices related to ICS (Industrial Control Systems) on the Internet at that time. The first dataset containing 500,000 ICS devices was sent to the ICS-CERT, the Cyber Emergency Response Team which is a division of the US Department of Homeland Security where it was determined that roughly 7,200 out of the 500,000 devices were critical infrastructure within the United States.
This is a global issue highlighting the fact that most data centres continue to be vulnerable to cyber-attack.