[BreachExchange] Is Your Data Center Power System Protected from Cyberattacks?

Destry Winant destry at riskbasedsecurity.com
Wed Feb 27 08:24:47 EST 2019


https://www.datacenterknowledge.com/security/your-data-center-power-system-protected-cyberattacks

When data center managers think about cybersecurity, they usually
think about protecting their IT infrastructure and their data. And
when they think about ensuring the security of their power supplies,
they think about alternate power sources, as well as restricting
physical access to their power infrastructure.

Generators, uninterruptible power supplies, and power distribution
units all help to maintain and control the power that runs the data
center. But managers rarely pay enough attention to the cybersecurity
controls on these power systems, even though the systems are proving
to be vulnerable to cyberattacks.

And, ironically, some of the systems used to protect infrastructure
may themselves pose security risks.

"The majority of power equipment in the data center can be remotely
controlled and configured," Bob Pruett, security field solutions
executive at SHI International, a New Jersey-based technology services
company, told Data Center Knowledge in an interview. "So, a malicious
bad actor could take control of these devices and interrupt the power
to a data center or a specific device on your network."

Some of these control systems could fall into the category of the
Internet of Things. Industrial IoT devices are part of a data center's
invisible infrastructure, in the gray area between facility management
and cybersecurity, hard to find, hard to manage, and hard to secure.

Attacks against IoT devices increased by 100 percent last year,
according to a report by San Francisco-based cybersecurity vendor
Darktrace. According to a survey last year by the SANS Institute, only
40 percent of companies apply and maintain patches and updates to
protect IIoT devices, and 56 percent said that difficulties in
patching are one of their greatest security challenges. In addition,
almost 40 percent said they had problems finding, tracking, and
managing these devices.

Attackers are taking notice.

The highest-profile attacks have been against national power
infrastructure, like the 2015 and 2016 attacks against the Ukrainian
electrical grid.

"Attacks on industrial environments have become mainstream," Justin
Fier, director of cyber intelligence and analysis at Darktrace, told
us. "With several nation-states providing warnings in 2018 about
ongoing targeting of their energy grids, 2019 looks set for increasing
numbers of high-profile cyberattacks on our critical infrastructure."

In the past, criminals tended to use hijacked IoT devices to power
botnets, but once infected the devices can be used for a number of
malicious purposes.

In most types of attacks, cybersecurity teams can isolate traffic or
even entire compromised systems. But industrial controls are a special
case. "Within industrial control systems, isolating traffic or systems
is rarely an option and real-time patches are not viable," Eddie
Habibi, CEO at PAS Global, an industrial control systems security
company, said.

If the devices and computers controlling a data center's power supply
have been compromised, taking them down could turn off power to the
entire facility. "Important critical infrastructure sectors are gated
in their ability to apply the proper patches," Habibi said.

Meanwhile, the infected machines could pose dangers to the rest of a
data center's networks. "This has the potential to create a huge
problem such as WannaCry or other similar ransomware attacks," he
said.

Since these devices offer an entry point into a data center's
networks, they need to be managed and protected with the same
diligence as its servers, SHI International's Pruett said. There are
several approaches data centers can take to secure these control
systems.

Micro-segmentation, for example, can block all traffic to a device
except for authorized traffic, he said. "In some cases, this means
that each device will have its own logical – as opposed to physical –
network."

There are also specialized network access control solutions for power
grids, he said, which actively block unauthorized traffic on a
network. "There are general NAC solutions which can also be
effective."

When a data center operator is purchasing new devices, security should
be part of due diligence. "Make sure that passwords can be changed,
systems can be updated, and the settings of the IoT devices are taken
into account," he said.

Sometimes, there might not be a choice, and a data center has to use
what's available. "If there are risks with the device, plan for them
ahead of time," Pruett said. For every risk, there should be a
compensating control. "For example, if the IoT management interface
cannot use encryption, try to have the traffic encrypted over a
tunnel."
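The three controls described above (a per-device logical network that admits only authorized traffic, a NAC-style block on everything else, and forcing a device that cannot encrypt its management interface behind a tunnel endpoint) can be expressed as one allowlist policy evaluated against observed flows. The following is an added example, not code from the article or from any vendor quoted in it; every device name, address, port and flow record is constructed for illustration, and the policy model is an assumption about how such an allowlist might be kept.

```python
"""Allowlist policy check for management traffic to data-center power equipment.

Models the article's three controls: micro-segmentation (each PDU/UPS has its
own list of permitted sources and ports), NAC-style denial of anything else,
and the compensating control of routing a device that cannot encrypt its
management traffic through a tunnel endpoint. Inventory and flows are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class PowerDevice:
    name: str
    address: str
    allowed_sources: List[str]             # CIDR blocks or hosts permitted to reach the device
    allowed_ports: Set[int]                # management ports that may be reached
    plaintext_mgmt: bool = False           # device cannot encrypt its own management interface
    tunnel_endpoint: Optional[str] = None  # compensating control: only this host may talk to it

    def permitted_sources(self) -> List[str]:
        # A device that cannot encrypt is reachable only from the tunnel
        # terminator, so the plaintext hop never crosses the shared network.
        if self.plaintext_mgmt and self.tunnel_endpoint:
            return [self.tunnel_endpoint]
        return self.allowed_sources


@dataclass
class Flow:
    src: str
    dst: str
    dport: int


# Constructed inventory (hypothetical addresses): one HTTPS-managed PDU and one
# legacy UPS that only speaks an unencrypted management protocol (SNMP on 161).
DEVICES: Dict[str, PowerDevice] = {d.address: d for d in [
    PowerDevice("pdu-rackA1", "10.20.1.11", ["10.10.0.0/24"], {443}),
    PowerDevice("ups-legacy", "10.20.1.20", ["10.10.0.0/24"], {161},
                plaintext_mgmt=True, tunnel_endpoint="10.20.0.2"),
]}


def evaluate_flow(flow: Flow, devices: Dict[str, PowerDevice] = DEVICES) -> Tuple[str, str]:
    """Return ("allow" | "deny" | "ignore", reason) for a single flow."""
    device = devices.get(flow.dst)
    if device is None:
        return "ignore", "destination is not a managed power device"
    src = ip_address(flow.src)
    if not any(src in ip_network(net, strict=False) for net in device.permitted_sources()):
        if device.plaintext_mgmt and device.tunnel_endpoint:
            return "deny", (f"{device.name}: plaintext management must arrive "
                            f"via tunnel endpoint {device.tunnel_endpoint}")
        return "deny", f"{device.name}: source {flow.src} is not on the allowlist"
    if flow.dport not in device.allowed_ports:
        return "deny", f"{device.name}: port {flow.dport} is not an authorized management port"
    return "allow", f"{device.name}: authorized management traffic"


def audit(flows: List[Flow], devices: Dict[str, PowerDevice] = DEVICES) -> List[Tuple[Flow, str]]:
    """Return the flows that should be blocked, each with the reason."""
    findings = []
    for flow in flows:
        verdict, reason = evaluate_flow(flow, devices)
        if verdict == "deny":
            findings.append((flow, reason))
    return findings


# Constructed flow records, as a NAC or segmentation gateway might observe them.
SAMPLE_FLOWS = [
    Flow("10.10.0.5", "10.20.1.11", 443),   # management jump host -> PDU over HTTPS
    Flow("10.50.3.7", "10.20.1.11", 443),   # office workstation -> PDU (not allowlisted)
    Flow("10.10.0.5", "10.20.1.11", 23),    # jump host -> PDU telnet (port not authorized)
    Flow("10.10.0.5", "10.20.1.20", 161),   # jump host -> legacy UPS directly (bypasses tunnel)
    Flow("10.20.0.2", "10.20.1.20", 161),   # tunnel endpoint -> legacy UPS (permitted)
    Flow("10.10.0.5", "10.30.0.9", 22),     # jump host -> ordinary server (out of scope)
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"DENY {flow.src} -> {flow.dst}:{flow.dport}  {reason}")
```

Run stand-alone, the script prints the three flows the policy would block: the unauthorized workstation, the telnet attempt against the PDU, and the direct plaintext connection to the legacy UPS that should have gone through the tunnel endpoint. The same `evaluate_flow` logic is what a segmentation gateway or NAC rule set encodes in its own syntax; keeping the inventory as data rather than as hand-written firewall rules makes it easy to spot a device that was added without an allowlist at all.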

There's another reason to be particularly careful about protecting
access to power systems. Attackers who get control over a data
center's power supply can shut down a data center – but they can also
cause a power surge that destroys equipment.

Something similar happened, though by accident, in 2017 to a British
Airways data center. A technician reportedly overrode the controls to
an uninterruptible power supply, causing a power outage that lasted a
few minutes. Then they turned it back on again in a way that created a
power surge that caused physical damage to equipment. British Airways
sued CBRE, the data center management firm it alleged was responsible
for the problem. The two companies reached a settlement earlier this
month.
