The IT equipment in your data center might be completely secure and reliable, but it could still be vulnerable to attack - through its power sources and cooling systems.
The idea of attack through embedded systems is not new. In 2010 it hit the headlines thanks to the Stuxnet malware which, it emerged, had been engineered to attack Iranian nuclear facilities through their industrial control systems.
Following Stuxnet, there was a flurry of concern that other systems, such as power stations, oil pipelines or water systems, could be attacked. A lot of industrial systems had been put together with scant concern for security, it emerged, and were sometimes connected to public networks, or to other computer systems.
Cooling is a backdoor threat?
It’s been assumed that data centers aren’t subject to this trouble. The systems in the IT racks are normally built with security and reliability in mind, and supplied with power and cooling systems designed to support those systems no matter what.
Given the entire data center is built to house IT securely, you would think the place wouldn’t suffer from the kind of flaw that afflicted the less IT-aware utilities. Critical facilities expert Ed Ansett, chairman of consulting firm i3 Solutions, certainly thought so… until he noticed a wireless gateway attached to a hardware controller in a data center.
After further study, he believes the problem is more widespread than you might expect. UPS systems, power distribution equipment and cooling systems can all be controlled automatically, and may have backdoors that you are not aware of.
Historically, these systems are under the control of facilities management, not IT, so they may not have been installed with the same kind of information security awareness as the IT systems.
Subverting this machinery would not give access to the data in a facility, but it could potentially put the facility out of action - a kind of denial-of-service attack, maybe hitting an entire facility in order to get at one tenant.
It might also lead to extortion demands.
SCADA attacks may have been invisible or unnoticed in the past, but researchers say they are on the increase.
Optimized sites are more secure?
But the good news is that if you are optimizing your site, you are very likely adopting technology that should help you secure it.
If you have optimized your cooling and power systems, then you will have made sure they are modernized and upgraded, and under tight control so they operate efficiently. The IT mindset will have taken charge of the critical kit.
Critical systems that are managed for efficiency will have more remote monitoring and control enabled. That might increase the attack surface, by allowing more connections to outside systems. But in a well-run data center the monitoring and control will be in use and under observation.
Lock down for efficiency - and it could help you lock in security as well.