Cyber security - the words are on everyone’s lips as the public starts to realize the problems that come with having large amounts of personal data kept in one place. But there is more to security than protecting the private details of human beings.
The past few years have seen more and more security breaches at companies that act as trusted repositories for personal data. In 2017, a breach at Equifax leaked the Social Security numbers, addresses and dates of birth of millions of US citizens. These details are unlikely to change, and in certain instances they can be used for identity theft - for example, fraudulently obtaining credit cards and opening bank accounts.
This has happened often enough for businesses to understand the importance of cyber security, but another battleground is emerging. It also needs tight control and smart policies to keep intruders at bay. This arena is in danger of being overlooked, because instead of data, attackers are targeting machines which are normally taken for granted.
This extends beyond IT
In the past, there were two separate worlds of business technology: Information Technology (IT) and Operational Technology (OT). Most people are familiar with IT - servers, switches, storage hardware and everything related to digital information - but OT is a lesser known realm.
OT is grounded in the material world; it is the technology which manages physical processes through monitoring and control of devices such as pumps, valves and motors.
In the last decade, these two different worlds have begun to merge. The rapid expansion of the Internet of Things (IoT) means OT environments are now becoming digitally connected and remotely controlled. Pumps and air conditioning units are instrumented with sensors and access points and this means they are now open to new attack vectors - some of them, the same as those which have been plaguing the IT world for years.
The data center industry, which underlies so much of our daily lives, has been pioneering the integration of IT and OT - and it is therefore one of the first sectors where these new risks are being uncovered.
Most data center facilities will control power usage, airflow and cooling through a plant which is managed using the SCADA (Supervisory Control And Data Acquisition) system architecture. SCADA uses computers, networks and graphical user interfaces for process management, whilst making use of peripherals like PLCs (programmable logic controllers) and PID (proportional-integral-derivative) controllers to interface with the machinery.
In practice, large SCADA systems function in a very similar way to distributed control systems, and use several interfaces throughout the facility. These systems can work on multiple sites through large scale processes, over short and long distances.
SCADA is currently the most widespread industrial control system - and this in turn raises concerns that it could become the target of cyber terrorism.
Industrial control systems have been moving from proprietary technologies to more open and standardized solutions, like those used in IT. They have also been increasingly connected to corporate networks and the Internet. These two factors leave such systems vulnerable to attack vectors typically found within computer network security.
The risk is that data centers may have focused too much attention on their IT, while OT has become a blind spot.
“While many organizations have developed stringent security processes for IT systems, this is not the case for [industrial control systems],” Ed Ansett, chairman of I3 Solutions, told DCD. “MEP controllers frequently have no authentication, authorization, virus protection or security patches associated with SCADA, PLCs, RTUs, BMS and other addressable controllers often found in cooling plants, PDUs, UPS, generators, switchgear and static switches.”
The OT industry will have to learn a lesson which the IT industry learnt 20 years ago: it is not enough to leave cyber security to the manufacturer. Applying updates to products requires investment and all too often, manufacturers, when left to themselves, prefer to simply cover up vulnerabilities, as it is not in their interest to make such discoveries public.
Despite this fact, certain types of vulnerabilities are widely known within the industrial control systems community, and the data center owner is not alone in dealing with them. The ICS-CERT (Industrial Control Systems Cyber Emergency Response Team) publishes known attacks and responses; in 2016, it received 305 reports involving unique vulnerabilities in control system components, the majority of them taken down through techniques like buffer overflows and DDoS (distributed denial of service) attacks - which are, again, very similar to attacks used on traditional computer networks.
You can run data centers, but you can’t hide them
Security researchers are concerned that the OT community has taken a “security through obscurity” approach to SCADA systems, trusting in physical separation of their networks. Engineers have believed that SCADA networks are secure because they have have proprietary interfaces and are not connected to external networks.
These assumptions are no longer true - and if we dig deep, the list of potential threats to SCADA systems today is practically endless. These systems can be accessed physically by unauthorized parties, and changes can be made - accidentally or intentionally - through virus infections, malware hidden inside software upgrades, or through other threats residing on networks the system is connected to.
In many cases, the control protocol lacks any form of encryption, allowing intruders to simply modify parameters through network commands. Furthermore, the SCADA user may believe that the control system network is closed off because a VPN is applied to the IT systems involved, completely disregarding the possibility of physical access to the SCADA network switches.
The attacks that target these systems are similar to the ones found in IT security, but the same cannot be said about the detection and prevention methods. In a computer network, a vulnerability scanner could be used to quickly and efficiently discover hosts on a network, establish what services they are running, and which vulnerabilities are open.
However, techniques like port scanning, device fingerprinting and host probing will sometimes lock the hardware, disrupt running processes and cause erroneous readings. Industrial control systems manage machinery that must always be online. Even if they shut a device down for a couple of seconds, these techniques are not fit for SCADA.
The ICS vendors have begun addressing serious vulnerabilities, and suggest approaching SCADA security with a defense strategy based on common IT practices. Vendors have also started to address unauthorized access, by developing specialized industrial firewalls for TCP/IP based control networks and external monitoring and recording of SCADA equipment. For legacy SCADA systems, a ‘bump-in-the-wire’ methodology is applied - devices that offer the means of authentication and AES encryption.
As well as vendors, regulators have also taken notice of the existence of these threats. In March 2017, Cyber Security Legislation 23 (NYCRR500) was adopted by the New York State Department of Financial Services. This gave companies until 28 August 2017 to implement a cyber security program and policy - and section 500.03, clause (j), specifically referred to physical and environmental controls security.
It’s not at all clear how many organizations have taken this seriously. Ansett told DCD: “As a minimum, data centers that host financial services will have to act urgently to undertake an audit of the vulnerabilities affecting their M&E control and monitoring systems.”
It is not just the US that sees the need for regulation in this sector. The UK Government is due to set out similar regulations shortly, and other countries will follow.
This article appeared in the April/May issue of DCD Magazine. Subscribe to the digital and print editions here: