A data center failure now has wider reaching consequences than ten years ago. Amidst the responsibility to mitigate cyber-attack risks, it’s imperative to be aware of what those risks are and their full implications.
Whilst the focus remains on IT cyber security the M&E systems are open to attack. There is still a lack of awareness regarding M&E data center vulnerabilities despite the ICS (Industrial Control Systems) experience. In part attributable to the perception that data center M&E systems are air-gapped, the issues exists because it concerns M&E firmware and therefore falls neatly between IT and Engineering.
In the article “Is your data center prepared for an attack on its MEP control systems” (DCD, March 2016), I suggested it will be mandatory for every enterprise and government data center to be cyber security M&E audited. The same article cited potential new cyber security regulations affecting physical security and environmental controls.
Financial services legislation affecting us all
cyber security legislation 23 NYCRR 500 adopted by The New York State Department of Financial Services (NYDFS) took effect on 1st March 2017.
The new rules apply to any financial services company operating under Banking Law, Insurance Law or Financial Services Law operating within the State of New York (with limited exemptions) inclusive of non-US entities.
Companies will have until 28th August 2017 to implement a cyber security Program and Policy. In particular section 500.03, clause (j) refers to physical security and environmental controls. Firmware used by environmental control systems is vulnerable for three reasons:
- The systems fall into the domain M&E engineering rather than IT cyber security. As such governance affecting protection of these systems does not receive the same degree of attention as other aspects of cyber security.
- Access to the firmware for patching or other modifications is carried out by third party suppliers.
- Control and monitoring system protocols e.g. MODBUS, BACnet and SNMP v3, are vulnerable to malicious attack due to their weak or often non-existent encryption and authentication since they pre-date cyber security per se as an issue.
Defensive infrastructure
The regulation states that the cyber security policy (addressing clauses inclusive of physical security and environmental controls) is based on a risk assessment. The irregularity is that although companies have one year from the effective date to undertake a risk assessment, the cyber security policy it underpins is due promptly.
As a minimum, data centers that host financial services will have to act urgently to undertake an audit of the vulnerabilities affecting their M&E control and monitoring systems.
New legislation to be set out by governments in 2017
The UK Government issued a Cyber Security Regulation and Incentives Review in December 2016 which states it is separately considering additional regulation for critical sectors. Under the Network and Information Security (NIS) Directive operators of key digital services such as cloud service providers could be subject to additional risk management and reporting requirements.
Elsewhere the Singapore Government will introduce a new cyber security Act this year requiring “Critical Information Infrastructures (CII) owners and operators to take responsibility for securing their systems and networks. This includes complying with policies and standards, conducting audits and risk assessments, and reporting cyber security incidents.” (Singapore’s cyber security Strategy 2016, Cyber Security Agency of Singapore)
Identifying vulnerabilities within the M&E systems is the first step organisations need to take to comply with the initial stage of the new legislation.
Ed Ansett is co-founder and chairman of i3 Solutions Group