Data centers are built to support operations that are highly available and reliable, and security is a key element of data center operations to help ensure critical operations are protected. But when it comes to cybersecurity, all network-connected devices, including those devices that are not typically thought of as data network equipment, are potential vulnerability points.
Examples include systems related to building automation, security video surveillance, card reader access control, and energy management systems. It is important to consider where those building infrastructure systems interface with the cyber world because now there are remote accessible control points that can affect facility mission, monitoring sensors that can be used by outsiders to gain operational intelligence, and communication paths that may facilitate access to sensitive data systems.
The first step in a good cyber defense is understanding and improving your current security offense. Before making knee-jerk reactions to remedy perceived risks, take a step back and develop a methodical approach to ensure security solutions are not only effective, but also reasonable and justifiable. By working through the following five-step process, it’s possible to develop a comprehensive security plan that considers all the risks in a meaningful way.
STEP ONE: COMPLETE A BUILDING SYSTEMS SURVEY
First, it’s important to document and diagram the data center’s existing systems to know exactly which are being used and how they communicate with each other and the outside world. While this building systems survey may seem obvious or unnecessary, all too often the way systems are believed to be implemented does not match how they are actually executed in the field. Even if these building control systems are believed to be isolated without internet connectivity, it is important to validate this assumption.
The survey should identify the electronic components of each of the building’s various systems as well as how the systems talk to external components — the location where they are often most vulnerable to cyber-attack. For example, a hacker may attempt to compromise an energy management system with a remote management port in order to use it as a vector to gain access to the operations network. Knowing what systems exist and how they work together gives the facility owner/operator the overview needed to implement prudent security measures.
STEP TWO: IDENTIFY WHAT NEEDS TO BE PROTECTED
Next, determine what parts of the organization may be targets for attack. For data centers these are generally assumed to be data and computing assets as well as personnel. But critical assets also include the equipment and resources on which availability and reliability depend, such as generators, cooling, and fuel reserves. Also consider whether the building as a whole is a likely target or, in a multi-tenant data center, whether specific tenants may be targets.
STEP THREE: IDENTIFY THE THREAT
A variety of security threats may affect data center facilities. Understanding those potential threats means there’s an opportunity to implement appropriate countermeasures to address attack opportunities and minimize impact.
Perhaps most likely is the criminal threat. Criminals may be intent on theft of equipment or data, sabotage, espionage, or extortion. Other threats that should be considered include hackers seeking a technical challenge, disgruntled persons seeking some form of retribution, and cause-driven activist or terrorist organizations.
STEP FOUR: CHARACTERIZE POTENTIAL IMPACTS
The spectrum of security events that could occur can be divided into physical and cyber events. Security or facility departments typically handle physical events (such as assault or theft), and IT departments are generally responsible for cyber events (such as network intrusions). But systems that actively monitor sensors or control equipment, so-called cyber-physical systems (CPS), straddle both areas, and organizations must establish a framework that is responsible for managing these cases.
CPS risks have physical-world consequences, and the spectrum of conceivable impacts runs the gamut from annoyance to hazard: from someone remotely turning lights on or off, to altering the temperature in a conditioned space, disabling or damaging equipment, or modifying security system operation. For data centers, these events can affect facility operations as well as the organization's reputation with its clients.
STEP FIVE: ADDRESS THE VULNERABILITIES
Finally, research the products and systems that the organization uses to understand the vulnerabilities and potential solutions that exist. It’s important to work with systems manufacturers to discuss security patches and updates as well as best practices for system use and implementation. Several publicly accessible databases catalogue vulnerabilities for all kinds of devices, including operating systems, software, and hardware. Two comprehensive options are the National Vulnerability Database (NVD) and the Common Vulnerabilities and Exposures (CVE) database.
Once the products themselves have been addressed, it’s time to evaluate their implementation. No matter how secure a product is, if it isn’t properly installed it can still pose a security threat. Analysis of implementation should include a review of network segmentation, use of firewalls, external connectivity, modifications, and upgrades as needed. Be sure to test products as they are received, maintain a healthy business relationship with vendors, and make sure manufacturers adhere to necessary security policies.
ESTABLISH A SECURITY MAINTENANCE PROGRAM
These measures are not one-time actions. To complement and optimize the efforts of the five-step process, a security maintenance program must be established to ensure that audits are regularly run to test the system and that patches and updates are implemented across all networks, both on a regular basis and as necessary. Where systems log events, those logs should be reviewed to identify and assess unauthorized or suspicious activity.
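One way to put the building systems survey (step one) to work in the maintenance program's log review, as an added example rather than anything from the article: the documented communication paths become an allowlist, and any control-system event whose source falls outside them, or any write to a system the survey says should only be read, is flagged. The survey contents, the log line format, the system names and the addresses are all constructed assumptions for illustration.

```python
import ipaddress
import re

# Constructed survey (assumption): per building system, the networks documented as
# allowed to talk to it and whether the system is expected to accept writes at all.
SURVEY = {
    "ems-controller":  {"allowed": ["10.20.0.0/24"], "writes_allowed": True},
    "bas-chiller-plc": {"allowed": ["10.20.0.0/24"], "writes_allowed": True},
    "nvr-cameras":     {"allowed": ["10.20.0.0/24", "10.30.5.0/24"], "writes_allowed": False},
}

# Constructed log format (assumption, not any vendor's): "<ts> <system> <src_ip> <action> <detail>"
LINE = re.compile(r"^(\S+) (\S+) (\S+) (read|write|login) (.*)$")

def review_logs(lines, survey=SURVEY):
    """Return (kind, description) findings: events from sources outside the surveyed
    communication paths, writes to read-only systems, and systems missing from the survey."""
    findings = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            findings.append(("unparsed", raw.strip()))
            continue
        ts, system, src, action, detail = m.groups()
        entry = survey.get(system)
        if entry is None:  # a device talking on the network that the survey never captured
            findings.append(("unsurveyed-system", f"{ts} {system} from {src}"))
            continue
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:
            findings.append(("bad-source", raw.strip()))
            continue
        if not any(ip in ipaddress.ip_network(n) for n in entry["allowed"]):
            findings.append(("source-not-in-survey", f"{ts} {system} {action} from {src}"))
        elif action == "write" and not entry["writes_allowed"]:
            findings.append(("unexpected-write", f"{ts} {system} from {src}: {detail}"))
    return findings

# Constructed sample log lines; 203.0.113.0/24 is a documentation range standing in for an outsider.
SAMPLE_LOGS = [
    "2024-03-01T02:14:07Z ems-controller 10.20.0.15 read kwh_total",
    "2024-03-01T02:15:40Z ems-controller 203.0.113.9 login user=admin",
    "2024-03-01T02:16:02Z ems-controller 203.0.113.9 write demand_limit=0",
    "2024-03-01T03:01:11Z bas-chiller-plc 10.40.7.2 write chw_setpoint=18.0",
    "2024-03-01T03:05:00Z nvr-cameras 10.30.5.4 write retention_days=1",
    "2024-03-01T03:06:00Z fuel-polisher 10.20.0.15 read level",
]
```

Every finding is a mismatch between the survey and reality: either the survey is incomplete and needs updating, or the traffic is unauthorized and needs investigating.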
Evaluating and maintaining the security of a facility’s systems is a time-consuming and costly effort. But engaging knowledgeable security and building controls experts who understand the complexities of the data center environment can help in developing a comprehensive security program that takes this five-step process as a start, followed by continuous vigilance to ensure that the facility remains secure.
Evaluating risk to determine where resources should be focused
Vulnerability to cyber attack can occur at multiple levels within an organization. To determine an organization’s total risk of attack — and pinpoint where security resources should be focused — analyze how likely an event is to occur, the effectiveness of security measures, and the extent of impact that the event will have on the business. Here are the steps to evaluate this risk:
1. Assign values for likelihood, effectiveness, and impact.
2. Calculate risk based on those values.
3. Rank the results and prioritize the risks.
4. Consider each proposed mitigation strategy or measure to be implemented.
5. Recalculate risk with each proposed strategy/measure.
6. Assess which strategy/measure yields the best improvement.
7. Weigh improvement versus implementation cost for each strategy/measure.
8. Prioritize improvements based on budget, schedule, and organizational importance.
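The eight steps above carried through in code, as an added example and not the article's own method: the 1-to-5 scales, the residual-risk formula likelihood x impact x (1 - effectiveness), the greedy improvement-per-cost selection, and the scenario and cost values are all assumptions constructed for illustration, using the kinds of building-system scenarios the article mentions.

```python
from collections import namedtuple

# Scales are assumptions for this example: likelihood and impact 1 (low) to 5 (high);
# effectiveness of the controls already in place 0.0 (none) to 1.0 (fully effective).
Scenario = namedtuple("Scenario", "name likelihood impact effectiveness")
# cost: constructed relative cost units (positive); gains: scenario name -> new effectiveness
Mitigation = namedtuple("Mitigation", "name cost gains")

def risk_score(s):
    """Residual risk = likelihood * impact * (1 - effectiveness); an assumed formula."""
    return s.likelihood * s.impact * (1.0 - s.effectiveness)

def total_risk(scenarios):
    return sum(risk_score(s) for s in scenarios)

def rank_risks(scenarios):  # highest residual risk first
    return sorted(scenarios, key=risk_score, reverse=True)

def apply_mitigation(scenarios, m):  # never lowers effectiveness; unnamed scenarios unchanged
    return [s._replace(effectiveness=max(s.effectiveness, m.gains.get(s.name, 0.0)))
            for s in scenarios]

def improvement(scenarios, m):  # risk removed by one measure against the current set
    return total_risk(scenarios) - total_risk(apply_mitigation(scenarios, m))

def prioritize(scenarios, mitigations, budget):
    """Greedy plan: take the affordable measure with the best improvement per cost unit,
    recalculate residual risk, repeat. Returns (chosen names, remaining total risk)."""
    chosen, current, pool, remaining = [], list(scenarios), list(mitigations), budget
    while True:
        affordable = [m for m in pool if m.cost <= remaining]
        best = max(affordable, key=lambda m: improvement(current, m) / m.cost, default=None)
        if best is None or improvement(current, best) <= 0:
            return chosen, total_risk(current)
        chosen.append(best.name)
        remaining -= best.cost
        current = apply_mitigation(current, best)
        pool.remove(best)
# Constructed scenarios and measures drawn from the article's own examples.
SCENARIOS = [
    Scenario("ems-remote-port", 4, 4, 0.2),    # EMS management port reachable from the internet
    Scenario("bas-setpoint", 3, 4, 0.5),       # temperature setpoint tampering via building automation
    Scenario("generator-control", 2, 5, 0.6),  # generator controller disabled remotely
    Scenario("video-feed", 3, 2, 0.5),         # outsider views surveillance video feeds
]
MITIGATIONS = [
    Mitigation("segment-controls", 30, {"ems-remote-port": 0.8, "bas-setpoint": 0.8, "generator-control": 0.9}),
    Mitigation("remove-ems-port", 5, {"ems-remote-port": 0.9}),
    Mitigation("video-patching", 10, {"video-feed": 0.8}),
]
```

Note that the cheap port removal is picked first and then reduces what segmentation still buys, which is exactly why step 5 recalculates after each measure rather than scoring them all once up front.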