Data centers may be at risk from embedded systems, an attack vector which is normally seen as a risk affecting critical infrastructure, according to Ed Ansett, a leading expert on critical facilities.

A lot of attention has focused on the possibility that attackers could break into industrial and uitility system through embedded systems, but not many people have spotted that data centers are also vulnerable, said Ansett, chairman of consulting firm i3 Solutions. in an exclusive interview with DatacenterDynamics.

i3 focuses on specialist IT and critical facilities consulting, and produced an influential research study for the Singapore government, advising on how to reduce the energy consumption of data centers in Singapore, an island nation which imports practically all its energy needs.

The forgotten threat vector

Ansett realized the danger from embedded systems when he stumbled upon a wireless gateway attached to a hardware controller in a data center, he told us.

While cyber-attacks on embedded systems are not new, they are typically seen as a risk for critical infrastructure such as energy and utilities, and not data centers, said Ansett.

His warning to secure embedded controllers in data centers is a highly concerning one, considering how seriously the industry takes even the smallest reduction in availability. For example, a limited outage during a scheduled maintenance at Equinix’s SG1 data center in Singapore late last year caused waves in the local data center scene, before investigations revealed it was caused by customers using wrong use of power plugs.

So what are some devices that a cyber attacker could plausibly interfere with in the data center? The list of components that incorporate vulnerable or inadequately protected embedded subsystems is a long one, according to Ansett, and includes cooling systems, generators, switchgear, motor control centers, universal power supplies (UPS) or batteries connected to servers. In addition, air conditioning systems could also be targeted, including plumbing systems to circulate chilled liquid around the data center, and even fire and security systems.

“They comprise programmable logic controllers (PLC), distributed control systems (DCS), supervisory controls, data acquisition (SCADA) systems, and other software-based plant control systems,” explained Ansett, who noted that a successful cyber attack could result in the loss of power or cooling to the data center—a disaster of the highest order.

Other experts back Ansett: “While data centers are being assessed through TVRA [Threat, Vulnerability and Risk Analysis] and various international standards such as ISO27001, there seems to be little emphasis on security threat vectors via PLC/SCADA angle,” Leonard Ong, a professional advocacy committee member at ISACA, an international professional association focused on IT governance, told Datacenter Dynamics. 

Examining the motives

While there appears to be a potential opportunity for cyber attackers to disrupt the data center, are there any motives to even target them in the first place? After all, the vast majority of these facilities are multi-tenanted, with a heavy veil of secrecy surrounding the actual locations of most data center deployments.

But while mounting a directed attack against an organization’s data center seems like more trouble than it is worth, some attacks have an agenda of causing widespread disruption. In  this situation, Ong observed that cyber attackers might well aim for the lowest-hanging fruit.

“In general, there are targeted and general cyber attacks. In the former, careful research is typically carried out and an attack is designed specifically to generate the most impact for a specific target,” explained Ong. “For general cyber attacks, the target may not be as important as carrying out a successful attack hence, finding an easier target would be common.”

We spoke separately with Wong Ka Vin, the managing director of 1-Net in Singapore, who highlighted a number of possible motivations that may drive such cyber attackers. One intriguing possibility is the potential for data centers to be targeted as part of modern warfare by a hostile state. In a world where the economy is increasingly reliant on digital commerce and constant connectivity, the ability to bring down data centers could severely disrupt critical business operations and even erode national confidence.

Moreover, there is also the possibility of criminal elements attempting to hold a data center operator to a ransom, which isn’t such so far-fetched when one considers how “ransomware” malware that encrypts important business files and holds them in thrall for a payment has been afflicting desktop and even corporate storage devices for some years now.

Securing the data center

While cloud service providers, telecommunication providers and the enterprise can be expected to implement the appropriate security defenses on the network and compute aspect of their IT infrastructure, practically all of them are reliant on data center operators to manage their power and cooling. Should these fail, catastrophic failure of IT services is likely to be only moments away. With this in mind, what are some measures that data center operators can put in place to protect their facilities against cyber attacks?

A first step towards securing the data center may be the implementation of IT discipline into the management of network and control systems used by embedded devices, suggested Wong. And rather than working on the assumption that these devices are inviolable because they are hosted on standalone networks, it may be a better idea to draft out appropriate mitigation strategies to deal with malware or cyber attackers that somehow breach this network.

In addition, preemptive measures that can be implemented may include the security hardening of the control systems used to manage embedded devices, and also employing engineers who are security-trained and fully cognizant about the security implications of a lackluster approach. “Usually, these [control systems] are put together by building managers and M&E engineers who may not be aware of the [security] threat,” explained Wong.

Finally, data center operators should also consider adopting security standards designed for industrial automation and control systems. Ansett suggested starting with the ISA/IEC 62443 series of standards that are aimed at industrial control systems, and to apply them to data center control systems.

“Fortunately the protection solutions are not new. The industrial control systems industry has been dealing with the threat of cyber-attacks on such things as nuclear power plant, aviation, chemical, oil and gas for the last ten years or so,” said Ansett. “So the methods of protection used by these industries can be applied to data center embedded systems.“

For now, Ansett says i3 Solution is working on a white paper on how data centers can implement countermeasures to effectively protect their embedded systems.