In September 2016, OVH was hit by a 1TBps distributed denial of service (DDoS) attack using 145,000 connected cameras. In October 2016, the domain name service provider Dyn was also hit by a DDoS attack, also using connected cameras and poorly secured devices.
So will we have data centers promoting big data to all their customers, when having to be disconnected themselves?
A pivotal time
It is a pivotal time for IoT platforms and devices. Gartner puts the IoT platform on its way to the ‘peak of inflated expectations’ in its 2016 hype cycle for emerging technologies. The famous ‘trough of disillusionment’ may be coming. If IoT wants to get out of there quickly, it will have to prove that connecting devices won’t spell disaster for the facilities they are installed in. Although security and accessibility are at odds with each other, history has shown us that accessibility always wins, so the question is therefore not so much whether IoT will become a mature technology, but if we can make it a secure technology, how secure and under what timeframe?
We can dream of a future where the connection between devices and systems will be 100 percent secure. If we take a look at the constant fight in the last years between IT security and hackers, I think it is reasonable to consider that this dream will be our common target, but not our daily reality. We will need to play constant catch-up with potential attacks.
We’ll need to make sure first that manufacturers take cyber security seriously in the design of their products
I mentioned security cameras in the examples above, for the irony of it, but all connected devices in a Data Center present a risk, from HVAC systems to circuit breakers.
We’ll need to make sure first that devices’ manufacturers take cyber security seriously in the design of their products. They will be pushed in this direction by a slew of regulations that will come their way, but some will be faster than others. Let’s also assume we will be more security-conscious and that we will for instance change the factory password on these devices. Still they won’t be 100 percent secure.
The devices will be connected to a system, probably the buliding management system (BMS) or one of its subsystems. The BMS will be connected to the datacenter infrastructure management (DCIM) system, which will interact with the IT service management (ITSM) system and so on, and the suppliers and operators will need to walk this fine line between security and accessibility. Some risk will also have to be finally accepted.
So if the risk is there, the question is how to mitigate it?
You need a methodology
You will need a holistic methodology, and stop thinking in silos inside a Data Center: starting by identifying the potential threats, then protecting the accessible points as much as technology and usage will allow you to. You will also need to have means of detecting an occurrence of a cyber security event, have a plan to respond to all different events you can imagine, and finally define a plan to recover should the attack be successful. As technology will progress, new risks and new opportunities to protect yourself will appear, and you will need to have a technology watch in place and revisit the above cycle on a regular basis.
But maybe the single most important factor in ensuring you stay on top of cyber security risks is to have the C-level of your organization standing fully behind this process. Only then will you be able to change sustainably your company culture towards cyber security risks and implement it in a life cycle management approach.
Laurent Tognazzi is Global Head for data centers slutions and services at Siemens.