There’s an odd dichotomy that comes with discussions on cyber security - on the one hand, the importance of taking every practical step possible to prevent a breach is reiterated; on the other, commentators note that if someone really wants to hack you, they will be able to, and it’s likely that your own government already has.
In a series of talks at DCD Zettastructure in London, cyber security professionals shared tips, anecdotes and fears on the topic of security in the data center.
“The thing I find interesting is that we seem to make the same mistakes over and over again. I don’t know why that is,” Ronald Hahn of engineering firm AECOM said.
“So we’ve got to break the habit of how we view security today - if we don’t make some changes and understand the direction of where we need to go, we’ll suffer some lasting consequences.”
In his view, “the hardest single thing to do is change human behavior.” People need to not look at cyber security as simply a matter of “1s and 0s in the digital domain,” he said.
“I’m going to tell you that I don’t care how good your cyber security is - If you’re only focused on the digital domain, you are doomed to failure.”
The true issue is that there are “all these other interconnected things [inside a data center] that are critical to enabling that data center to run - all of which, by the way, have vulnerabilities. All of these are potential access points. As you look at what you’re doing on your physical security side, as you look at what you’re doing on the digital security side, beyond the IT stack, you have to look at what you’re doing on the wireless side. How are you moving the data?
“You’ve probably got hundreds, if not thousands, of sensors all collecting data, all moving data - how are we collecting it? How are we moving it? It’s about understanding that path.”
Ed Ansett, of i3 Solutions, concurred: “I think people in the data center industry don’t realize just how vulnerable data centers are.
“There are people who aren’t even aware they have a problem. I was one of those people a few years ago.”
He said that every time his company has “been tasked to get into a data center, whether they’ve been airgapped or not, we’ve got in. Every time.”
Rich Johanning of AECOM explained how he gets into a data center when hired for a pen test: “The first thing I do when we get hired to do pen testing on a data center is buy rack space in that data center.
“I walk in with a laptop and I now have access to everybody’s networks because they’re all on the same network. They might be segmented out, but there are no provisions in place to say ‘hey, why has Rich been sitting over there for hours, and all he has done is play on his laptop?’ I have been able to do that for four hours at a time. I have been able to pivot to a bunch of places.”
As for Ansett: “I don’t need to do anything fancy, get inside your data center with a vendor and plug something in. I just need to stand outside. I can shut down your data center every week, ruin your reputation. I am not kidding.”
This is something that may already be happening, the International Atomic Energy Agency’s Head of Security Infrastructure Massimiliano Falcinelli told DCD: “There are times someone pays someone to take down a data center to harm the reputation of a competitor, we just don’t hear about it.”
Having worked in an industry far more used to the idea of cyber attacks on critical infrastructure, Falcinelli painted a rather bleak picture: “The reality we should think about is what has changed in the last 4/5 years - the massive amount of information - not just social media, but the dark net, the amount of information on tricks, on security holes.”
He continued: “Engineers/hackers like to share information on how to get into systems. It’s there, on Pastebin, and elsewhere.”
He added: “I strongly believe there are people with the ability and tools to seriously damage critical infrastructure, but they just don’t want to. Different countries are preparing for cyber war. I think they are preparing for it, but they are not using it, they are ready to do it in a massive way.
“We see many attacks where people are just preparing.”
Those in the Industrial Control System field have had to deal with the issue of cyber attacks on infrastructure for over a decade, most notably with events like the Stuxnet attack.
“You just cannot fathom how far behind data centers are,” Ansett said. “We’re at ground zero.”
Since Stuxnet, attacks have become more dangerous, said Barak Perelman of cyber security firm Indegy. While Stuxnet was relatively targeted, he pointed to 2013/14’s Dragonfly attack, which affected more than a thousand energy companies because it simply spread everywhere, beyond whoever was the original target.
“If I own an ICS facility, even if it wasn’t the target, it is vulnerable, because the same exact industrial controller exists within a nuclear power plant as a chiller or a water treatment plant,” he said.
The problem is that, even though those in facilities such as nuclear power plants have had to confront security issues for over a decade, most industrial controllers “were not designed with cyber security in mind, they were built in the ’80s, there was no cyber security, they were built to trust instructions. Typically they are the most vulnerable part of a system,” Perelman said.
“The main focus of sophisticated cyber attacks deals with the programming and logic of PLCs themselves - that way, for example, there may be a limit on temperature controls, which could be switched off, allowing a chiller to be taken offline and a data center to overheat.”
There are things data center operators can do - “Be very careful with your naming convention,” Jack Pouchet, VP of Market Development at Emerson Network Power, said. “Don’t call your generator ‘generator,’ use a unique naming convention.”
For Ansett, the important thing to do is to understand what is actually inside your data center: “There’s what you know is connected to the Internet, and there’s what you don’t know is connected to the Internet.
“Third-party vendor back doors - did you know that SNMP cards in UPS systems have an undisclosed port number that is used by a manufacturer in Taiwan to access the SNMP card?”
Falcinelli agreed. He told DCD: “First thing, simply do an assessment of security status, security posture. We ask people to do it, and they find so many holes, often they find that there’s already someone on the network.”
He also advised not just employing people who know cyber security intimately, but ‘strong’ people who can go to their boss and say ‘you won’t have access until we get this, do this, and change this.’
One must also ask whether they truly trust their employees, Urs Iten, director of global portfolio management of Siemens’ data centers, said. “They might do something by accident, they might even do something on purpose.”
Falcinelli shared one story of an engineer who was unwittingly used in an attack: “There was an attack on an air-gapped network: they hacked the home WiFi of a guy they knew would bring his home laptop to work and connect it to check his email. They targeted him.”
Such attacks will be difficult to deal with, but one important step companies should take is to minimize who has access to what in the company, AECOM’s Hahn said. “You have to have tough conversations on whether that person needs access.”