September 30, 2016, updated 05 Oct 2016 11:34am

Anatomy of a Data Centre Cyber-Attack through Mechanical & Electrical (M&E) Control Systems

Stopping attacks on data centre infrastructure

By Hannah Williams

The intensification of data centre failures, together with associated research, indicates that the cybersecurity of data centre mechanical and electrical control and monitoring systems now, more than ever, has to be addressed.

Thus far, every data centre reviewed by i3 Solutions has had exposed vulnerabilities, including one confidential data centre hosting government high-security information servers. Ed Ansett, founder of i3 Solutions Group, cites the likely scenario of an attack:

  1. Survey target via anonymous engine and metadata search
  2. Run vulnerability scan
  3. Select port(s)
  4. Run password decoder e.g. firewall, web browser router etc.
  5. Poll / search control or monitoring devices e.g. UPS, PDU, Chiller
  6. Alter protocol parameters e.g. order device shutdown or initiate denial of service

“When a device controller is compromised, an attacker can take direct control of critical equipment, causing it to malfunction or shut down without warning. Similarly, monitoring devices are vulnerable to a denial of service that overloads the control network.”

Modbus, BACnet and SNMP are the de facto protocols used by critical equipment such as Cooling Plant, Generators, Switchgear, Power Distribution Units and Uninterruptible Power Supplies. These protocols are vulnerable to cyber abuse due to weak authentication and/or encryption.

There is a commonly held misconception that data centre control networks are air gapped. Faizel Lakhani, a pioneer of SCADA technology, told El Reg that air-gapping such systems would be a quixotic endeavour, at best.

“Most SCADA systems are theoretically air gapped but not really disconnected from the network,” Lakhani explained. “There are ways to get around isolation either because systems are not set up properly or because that’s a test link in there or someone bridged the Wi-Fi network, to name a few examples.”

On 6th July 2016, the European Parliament issued a press release entitled “Cybersecurity: MEPs back rules to help vital services resist online threats”, stating that “Firms supplying essential services, e.g. for energy, transport, banking and health, or digital ones, such as search engines and cloud services, will have to improve their ability to withstand cyber-attacks under the first EU-wide rules on cybersecurity…” The draft directive includes punitive penalties for noncompliance [Article 17(1)].

One question that always comes up is: what is the overall extent and level of the threat to our data centres? This can only be addressed on a case-by-case basis. But research conducted from 2012 through 2014 indicated there were at least two million publicly accessible devices related to ICS (Industrial Control Systems) on the Internet at that time. The first dataset, containing 500,000 ICS devices, was sent to ICS-CERT, the Cyber Emergency Response Team, which is a division of the US Department of Homeland Security, where it was determined that roughly 7,200 of the 500,000 devices were critical infrastructure within the United States.

This is a global issue highlighting the fact that most data centres continue to be vulnerable to cyber-attack.
