Data center cybersecurity – don’t overlook the cyber vulnerable building control systems

According to many people, data is the new oil. Industries such as insurance, finance, retail, etc. depend on massive amounts of data from multiple data centers. However, what happens if you can’t get to your data because the data center infrastructure or servers have been damaged and are unusable?

Data is merely a series of ones and zeros that are created, transported, and stored in servers using mission critical control systems. These control systems include power systems such as Uninterruptible Power Supplies (UPSs) and Power Distribution Units (PDUs), which provide the electricity that creates the data; cooling systems, which keep the servers storing the data at safe temperatures; and process sensors and controllers, which measure and adjust temperatures to keep the data safe in the servers. Adversaries who use cyber and/or physical attacks against these power and cooling systems, sensors, or controllers can alter or destroy those ones and zeros, reducing their value to nothing.

In the past few years, buildings and data centers have been using insecure building control system devices (https://www.controlglobal.com/blogs/unfettered/lack-of-iot-hvac-control-system-cyber-security-and-potential-real-world-impacts) and network protocols with minimal to no cyber security. Insecure protocols include Simple Network Management Protocol (SNMP), BACnet, serial Modbus, and Bluetooth. Yet, despite these significant cyber security limitations, the focus of data center cyber security has been primarily on the software and data in the data center and secondarily on building controller connections to the Internet, not on the cyber vulnerable control devices. Because of the lack of control system cyber forensics, data center shutdowns have not been identified as potentially being cyber-related. However, data center and building control systems have been compromised in cyber incidents, as documented in https://www.controlglobal.com/blogs/unfettered/data-centers-have-been-damaged-and-they-are-not-being-adequately-cyber-secured/. As is now known, Russian intelligence services compromised the UPS in the communication center in the 2015 cyberattack against the Ukrainian power grid. UPSs are used in all buildings and data centers. Additionally, IT network hacks such as SolarWinds may not be targeting building and data center systems as the primary attack vector but can still compromise the physical integrity of data centers and building control systems.

Because of the need to address data center control system cyber security, Bob Hunter of Alpha Guardians and I have written a chapter for the 2021 Data Center Handbook on data center control system cyber security. This is an important addition to the field of data center integrity as it focuses on what has been missing to date. Wiley has released the purchase page for the 2021 Data Center Handbook with availability expected after May 1, 2021.

URL: https://www.wiley.com/en-us/Data+Center+Handbook%3A+Plan%2C+Design%2C+Build%2C+and+Operations+of+a+Smart+Data+Center%2C+2nd+Edition-p-9781119597506

http://www.realtimeacs.com

Control Systems Cybersecurity Expert, Joseph M. Weiss, is an international authority on cybersecurity, control systems and system security. Weiss weighs in on cybersecurity, science and technology, security emerging threats and more.