I’m going to make a prediction: within the next five years it will be mandatory for every enterprise and government data center to be cyber security MEP audited. The reason for this is that data center MEP (mechanical, electrical and plumbing) Control Systems (DCCS) have largely been overlooked due to a lack of familiarity.
The term DCCS encompasses all control systems which govern data center MEP control systems. DCCS does not just refer to centralized systems such as the BMS, it also includes all addressable MEP devices within the data center.
Hole in the fence
Data center professionals are very aware of the financial and reputational costs of downtime due to system performance issues. In almost every sector survey, facility uptime and availability are the most significant drivers of investment. Today, however, it is the increasing cyber security threat that the industry needs to focus upon.
While many organizations have developed stringent security processes for IT systems, this is not the case for DCCS. MEP controllers frequently have no authentication, authorization, virus protection or security patches associated with SCADA, PLCs, RTUs, BMS and other addressable controllers often found in cooling plant, PDUs, UPS, generators, switchgear and static switches.
The cyber security protection of these devices cannot be left to the equipment manufacturers alone, since it may not be in their commercial interest to highlight known vulnerabilities. It therefore falls upon the data center owner to take action.
The problem with DCCS in the data center is one of ownership. From a technical perspective it falls outside normal IT and MEP security domain expertise. This is because the fundamental issue involves the use of Industrial Control Systems (ICS) equipment by various MEP systems.
The good news
The good news is, this apparently new type of cyber security threat is well known to the Industrial Control Systems (ICS) industry, due to their experience of cyber-attacks over the last 10 years or so, and the existence of organizations such as Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).
In 2014, ICS-CERT (ics-cert.us-cert.gov) received 159 reports involving vulnerabilities in control systems components. Many more incidents occur that go unreported. Authentication, buffer overflow, and denial-of-service vulnerabilities were the most common vulnerability types.
Target’s loss of 70 million customers Personal Identifiable Information (PII) and 40 million credit and debit card details or credentials in 2013 began with the theft of credentials of Target’s HVAC contractor.
The cyber security techniques used within the ICS industry can be adapted and applied to data centers. The bad news is that so far ICS cyber security knowledge is yet to be transferred to the IT and MEP engineers. In fact, there is even a question whether the data center industry is paying attention to the proverbial hole in the fence, or observing the warnings and lessons learned and experience of the ICS community. Therefore, currently there is a profound risk to data centre availability.
It is not just the risk to data and financial security which is highlighted. To heighten causes for concern, Joel Langill, Chief Security Officer and Control System Cyber Security Specialist at SCADAhacker has described incidents where human life has been lost as a result of industrial cyber security incidents. These include occasions when programmable devices have failed to communicate, synonymous with an IT denial of service (DoS) and a man-in-the-middle (MITM) attack.
At a Stanford University lecture on the Cyber Security of Industrial Control Systems Joe Weiss, a control systems expert with more than 35 years of experience quotes Ralph Langner stating that with four lines of code he can take control of any controller.
What is to be done
As technology becomes increasingly embedded in practically every aspect of our society, the impact of DCCS attacks that disrupt, disable and shut down MEP critical systems now have much wider reaching implications. Unsurprisingly, some regulators have started to act.
On the 9th November 2015, the New York State Department of Financial Services (NYDFS) issued a letter to Federal and State Financial Regulators on Potential New NYDFS Cyber Security Regulation Requirements for Financial Institutions. The NYDFS said “There is a demonstrated need for robust regulatory action in the cyber security space, and the Department is now considering a new cyber security regulation for financial institutions.” Amongst the list of areas to be addressed the NYDFS includes “physical security and environmental controls.” This means all MEP control systems must be audited and any vulnerabilities addressed.
Irrespective of any mandatory rulings it makes sense to incorporate a Data Centre Control Systems Audit (DCCS Audit) within an overall IT security plan. Whilst some organizations begin to realize the threat and audit their data centers for DCCS vulnerabilities the majority still remain vulnerable to cyber-attacks.
Ed Ansett is co-founder and chairman of i3 Solutions Group, specialising in data centre design and MEP critical systems risk analysis.